I have been trying to use ps; I don't know if top would be better...
I know it is port scanning because I have a Linksys router that is logging all the traffic on the network. This machine needs to use the router for internet access. My log files are showing the source IP as this box.
The requests stop when I disable the ethernet interfaces on the box, so it definitely is this box.
When it is already at the point where somebody can use your machine (port scanning), and you have not installed some script or anything that does that, it is time for a fresh new install like the one described at CERT:
I see outbound connections from your HTTP. Could be established connections as most remote ports are ephemeral (unprivileged, over 1024), and don't have "known" services assigned to them.
The two outbound connections for HTTP and HTTPS are for Akamai.
Without showing details like TCP flags and options, or better, payload, it's hard to assess this correctly. If I were forced to guesstimate, based on these few details, the chances that your box actually is portscanning, I'd say they are low.
If you want to assess the situation "the right way" and have detailed results, you should tcpdump the traffic, then manually inspect traffic with Ethereal or automate it running Snort and inspect those reports.