LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-04-2003, 10:26 PM   #1
rhodespc
LQ Newbie
 
Registered: Nov 2003
Posts: 4

Rep: Reputation: 0
Portscanner on my linux box - help please


I have a redhat 9.0 box.

This box is doing port scanning. The only way this could have been delivered was via apache or ssh.

I have looked at my processes, my ports (via netstat) and can't find the process or program that is doing this awful stuff.


I also ran the chkroot program, and it turned up nothing.

Any pointers?

I would rather fix it than do a reinstall - you learn more.

Thanks.
 
Old 11-04-2003, 10:38 PM   #2
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
How do you know it is doing port scanning?

Try running top and you might locate the process, then killall -9 <program>
 
Old 11-04-2003, 11:22 PM   #3
rhodespc
LQ Newbie
 
Registered: Nov 2003
Posts: 4

Original Poster
Rep: Reputation: 0
I have been trying to use ps, I don't know if top would be better....

I know it is port scanning because I have a linksys router that is logging all the traffic on the network. This machine needs to use the router for internet access. The log files are showing the source ip as this box.

The requests stop when I disable the ethernet interfaces on the box, so it definitely is this box.

Anything else anyone?
Thanks.
 
Old 11-04-2003, 11:58 PM   #4
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Did this just start on its own, or did you upgrade or install something and it started?

Have you tried capturing the packets with tcpdump or ethereal?
 
Old 11-05-2003, 05:38 AM   #5
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
When it is already at the point where somebody can use your machine (port scanning), and you have not installed some script or anything that does that, it is time for a fresh new install, as described at CERT:

http://www.cert.org/tech_tips/win-UN...ompromise.html
 
Old 11-05-2003, 08:54 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Rhodespc, could you please post a good 20/30 log lines showing the box is port scanning?
 
Old 11-05-2003, 09:43 PM   #7
rhodespc
LQ Newbie
 
Registered: Nov 2003
Posts: 4

Original Poster
Rep: Reputation: 0
Here is the log file showing the port scanning.

My box is the 192.168.1.205

11/5/2003 22:36:54.190 - 192.168.1.205 : 80 >>> 221.10.44.65 : 8409
11/5/2003 22:37:09.510 - 192.168.1.205 : 80 >>> 80.144.242.88 : 17663
11/5/2003 22:37:40.320 - 192.168.1.205 : 80 >>> 68.112.240.3 : 3566
11/5/2003 22:38:15.530 - 192.168.1.205 : 80 >>> 195.14.32.224 : 3956
11/5/2003 22:38:16.240 - 192.168.1.205 : 80 >>> 195.116.208.249 : 3402
11/5/2003 22:38:36.290 - 192.168.1.205 : 80 >>> 219.72.254.18 : 6023
11/5/2003 22:38:46.560 - 192.168.1.205 : 80 >>> 65.110.42.30 : 2376
11/5/2003 22:38:50.900 - 192.168.1.205 : 80 >>> 12.220.134.48 : 32907
11/5/2003 22:38:52.060 - 192.168.1.205 : 80 >>> 219.104.70.210 : 13597
11/5/2003 22:38:53.590 - 192.168.1.205 : 80 >>> 202.127.40.254 : 11019
11/5/2003 22:39:21.170 - 192.168.1.205 : 80 >>> 80.144.242.88 : 19501
11/5/2003 22:40:00.550 - 192.168.1.205 : 80 >>> 24.106.100.132 : 4780
11/5/2003 22:40:41.520 - 192.168.1.205 : 80 >>> 68.112.240.3 : 4167
11/5/2003 22:41:09.810 - 192.168.1.205 : 80 >>> 217.232.57.95 : 52726
11/5/2003 22:41:11.400 - 192.168.1.205 : 3191 >>> 66.77.163.46 : 80
11/5/2003 22:41:17.940 - 192.168.1.205 : 80 >>> 24.186.94.119 : 4764
11/5/2003 22:41:19.480 - 192.168.1.205 : 3194 >>> 208.254.0.49 : 443
 
Old 11-05-2003, 10:30 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I see outbound connections from your HTTP. Could be established connections as most remote ports are ephemeral (unprivileged, over 1024), and don't have "known" services assigned to them.
The two outbound connections for HTTP and HTTPS are for Akamai.

W/o showing details like TCP flags and options, or better: payload, it's hard to assess this correctly. If I were forced to guesstimate the chances your box actually is portscanning based on these little details, I'd say chances are low.
If you want to assess the situation "the right way" and have detailed results, you should tcpdump the traffic, then manually inspect traffic with Ethereal or automate it running Snort and inspect those reports.

Last edited by unSpawn; 11-05-2003 at 10:34 PM.
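The triage unSpawn describes, as an added example that is not part of the thread: a small Python script that parses the router log format rhodespc posted, separates replies from the local web server (source port 80, destination port ephemeral) from genuine outbound client connections, and flags a remote host only when the local box opens connections from ephemeral ports to many distinct ports on it within a short window, which is what an actual scan from the box would look like in this log. The first sample is the 17 lines from post #7; the second is constructed to show a scan pattern. The 1024 service/ephemeral boundary, the five-port and sixty-second thresholds, and the 203.0.113.7 address are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Router log format seen in the thread: "M/D/YYYY HH:MM:SS.mmm - src : sport >>> dst : dport"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<src>[\d.]+) : (?P<sport>\d+) >>> (?P<dst>[\d.]+) : (?P<dport>\d+)$"
)

# Assumption: ports below 1024 are service ports, anything at or above is an ephemeral client port.
EPHEMERAL_START = 1024

# The lines rhodespc posted (copied from post #7).
THREAD_LOG = """
11/5/2003 22:36:54.190 - 192.168.1.205 : 80 >>> 221.10.44.65 : 8409
11/5/2003 22:37:09.510 - 192.168.1.205 : 80 >>> 80.144.242.88 : 17663
11/5/2003 22:37:40.320 - 192.168.1.205 : 80 >>> 68.112.240.3 : 3566
11/5/2003 22:38:15.530 - 192.168.1.205 : 80 >>> 195.14.32.224 : 3956
11/5/2003 22:38:16.240 - 192.168.1.205 : 80 >>> 195.116.208.249 : 3402
11/5/2003 22:38:36.290 - 192.168.1.205 : 80 >>> 219.72.254.18 : 6023
11/5/2003 22:38:46.560 - 192.168.1.205 : 80 >>> 65.110.42.30 : 2376
11/5/2003 22:38:50.900 - 192.168.1.205 : 80 >>> 12.220.134.48 : 32907
11/5/2003 22:38:52.060 - 192.168.1.205 : 80 >>> 219.104.70.210 : 13597
11/5/2003 22:38:53.590 - 192.168.1.205 : 80 >>> 202.127.40.254 : 11019
11/5/2003 22:39:21.170 - 192.168.1.205 : 80 >>> 80.144.242.88 : 19501
11/5/2003 22:40:00.550 - 192.168.1.205 : 80 >>> 24.106.100.132 : 4780
11/5/2003 22:40:41.520 - 192.168.1.205 : 80 >>> 68.112.240.3 : 4167
11/5/2003 22:41:09.810 - 192.168.1.205 : 80 >>> 217.232.57.95 : 52726
11/5/2003 22:41:11.400 - 192.168.1.205 : 3191 >>> 66.77.163.46 : 80
11/5/2003 22:41:17.940 - 192.168.1.205 : 80 >>> 24.186.94.119 : 4764
11/5/2003 22:41:19.480 - 192.168.1.205 : 3194 >>> 208.254.0.49 : 443
""".strip().splitlines()

# Constructed sample (not from the thread): the box probing many ports on one remote host.
CONSTRUCTED_SCAN = """
11/6/2003 01:00:00.000 - 192.168.1.205 : 3300 >>> 203.0.113.7 : 21
11/6/2003 01:00:00.200 - 192.168.1.205 : 3301 >>> 203.0.113.7 : 22
11/6/2003 01:00:00.400 - 192.168.1.205 : 3302 >>> 203.0.113.7 : 23
11/6/2003 01:00:00.600 - 192.168.1.205 : 3303 >>> 203.0.113.7 : 25
11/6/2003 01:00:00.800 - 192.168.1.205 : 3304 >>> 203.0.113.7 : 110
11/6/2003 01:00:01.000 - 192.168.1.205 : 3305 >>> 203.0.113.7 : 143
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def classify(rec, local_ip):
    """Label one record relative to the local box."""
    if rec["src"] != local_ip:
        return "not-local"
    if rec["sport"] < EPHEMERAL_START and rec["dport"] >= EPHEMERAL_START:
        # A local daemon (port 80 here) talking back to a remote client's ephemeral
        # port: the reply half of a connection the remote side opened, not a scan.
        return "service-reply"
    if rec["sport"] >= EPHEMERAL_START and rec["dport"] < EPHEMERAL_START:
        # The local box opened this one, as a client, to a well-known remote service.
        return "outbound-client"
    return "other"


def summarize(lines, local_ip):
    """Count how many parseable lines fall into each class."""
    recs = [r for r in map(parse_line, lines) if r]
    return dict(Counter(classify(r, local_ip) for r in recs))


def scan_suspects(lines, local_ip, min_ports=5, window_seconds=60):
    """Remote hosts the local box contacted on at least min_ports distinct ports within
    window_seconds, from ephemeral source ports. Returns {host: max distinct ports seen}."""
    per_host = defaultdict(list)
    for r in map(parse_line, lines):
        if r and r["src"] == local_ip and r["sport"] >= EPHEMERAL_START:
            per_host[r["dst"]].append((r["ts"], r["dport"]))
    suspects = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, port) in enumerate(events):
            ports = {port}
            for later_ts, later_port in events[i + 1:]:  # sliding window from each event
                if (later_ts - start).total_seconds() > window_seconds:
                    break
                ports.add(later_port)
            if len(ports) >= min_ports:
                suspects[host] = max(suspects.get(host, 0), len(ports))
    return suspects


if __name__ == "__main__":
    for name, log in (("thread log", THREAD_LOG), ("constructed scan", CONSTRUCTED_SCAN)):
        print(name, summarize(log, "192.168.1.205"), "suspects:", scan_suspects(log, "192.168.1.205"))
```

On the thread's own lines the script reports fifteen service replies and two outbound client connections (the HTTP and HTTPS ones unSpawn attributes to Akamai) and no suspects, which matches his reading; the constructed sample is the shape that would justify pulling the box off the network and capturing with tcpdump.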
 
Old 11-06-2003, 08:20 PM   #9
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Are you doing anything with Planet Lab?

It may just be coincidence, but I found 2 of the IPs in your list here. The list is updated daily, so it depends on how old your log is.

Just a wild guess.
 
Old 11-06-2003, 08:33 PM   #10
kahpeetan
LQ Newbie
 
Registered: Nov 2003
Distribution: redhat
Posts: 17

Rep: Reputation: 0
I am no expert here, but somehow it doesn't seem like a port scan, more like HTTP connections with a remote host.

Try running tcpdump on your box to listen to all outbound connections like so:

# tcpdump -i eth0 | tee tcpdump.out

*substitute eth0 with the appropriate network device

tcpdump will log all the packet headers.

Or you could use ngrep to check the packet data.
 
Old 11-06-2003, 08:36 PM   #11
rhodespc
LQ Newbie
 
Registered: Nov 2003
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks everyone. I am going to run snort and go from there.
I will post my results.
 
Old 11-09-2003, 05:23 PM   #12
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
Another command you might enjoy is lsof.
 