LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-02-2010, 01:03 AM   #1
kross301
LQ Newbie
 
Registered: Nov 2010
Posts: 4

Rep: Reputation: 0
strange ports on public ip


looking at my router logs i've noticed for the past while a range of source ports from 60000 to about 65000 from my source external ip to destination external ip always on port 80. I have 3 boxes on this network and this only seems to happen when i connect the one laptop. I even reinstalled the distro downloaded from trusted source but the router is still logging this.. netstat -ntulp shows nothing operating in this range. chkrootkit shows nothing.. Was thinking maybe someone was spoofing the external address but it's been happening on network startup for a month now.. Any ideas on how to find out what this is?
 
Old 12-02-2010, 02:29 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977Reputation: 1977
you're seeing outbound web connections from your machine on high ephemeral port numbers? That would be totally normal by my understanding of it. Possbily just yum checking for updates or something? What makes you think that this is explicitly bad? Where does spoofing come into it?
 
Old 12-02-2010, 03:59 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
You mentioned that these are the router logs. It sounds to me like these are the ports that your router is using to perform NAT(*). When you access a web page, which is defaults to port 80, your router will establish a connection on a different outbound port number and relay the information between the destination and your LAN host. This way, your router can maintain multiple simultaneous connections to the same or several web sites and properly route the traffic back to the destination.

(*) If on your LAN you are using a private address range, e.g. 192.168.x.x, these addresses are not valid on the global networks and there are thousands, if not millions, of devices all using this address range at the same time. Your router will translate this address to your public IP at some port. It makes sense to pick a high number for the port because these ports are not used to standard services.
 
Old 12-03-2010, 02:18 PM   #4
kross301
LQ Newbie
 
Registered: Nov 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Basically I got the "bad" assumption because i've been using this distro for two years now and i've never seen a log like this before.Its only been happening in the last month. none with my ip in both the source and destination. I thought it might be the update manager and i checked it by using the other two systems.. when they came online, nothing like that was logged. But about a week ago i logged into my one system via ssh and noticed the logs were cleared... I was thinking spoof in the way of sniffing internet traffic.. ie the router sees the right ext address and everything outgoing is for the sniffing.. I dont know if this is even possible mind you. It was just my assumption.
Okay so the issue sort of fixed it's self. get this. After i posted the first msg. The next day i look at my router logs and.. issue solved.. i've checked and checked.. havent seen the same port activity. I'm just saying thats weird is all. Coincidence? also it should be noted i own the crappiest router on the market... maybe that has something to do with it.
To finish this up. I've looked and cant find a decent tutorial to install nessus on mandriva. Can you post a link?
 
Old 12-03-2010, 07:03 PM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
Quote:
i logged into my one system via ssh and noticed the logs were cleared
Are you saying that you are having logs disappear on one (or more) of your machines behind the router?
If so, I think you are thinking along the correct lines when you suggest nessus, however, if this is what happened, you are a little beyond that.

I don't think you are at the 'sound the alarm' point yet, but caution is advised here. I would suggest taking minimal action on the system, but keep watch on things. In the mean time, take a look at the CERT check list. Here is a link: The CERT Intruder Detection Checklist. While a little dated, it will help bring you up to speed on the things that you should be on the look out for. If you did have unexpected modification of a system behind your router, then you will need to start taking the steps in the check list. We can and will certainly help you with that process.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Very strange problem with my front USB ports boris-78 Linux - Hardware 3 08-02-2007 03:44 PM
samba ports open to public - i think i'm screwed davalos Linux - Security 11 12-26-2004 11:06 PM
mdk 10 strange open ports bardinjw Mandriva 1 04-05-2004 08:02 PM
Mac OS X strange ports. uniQ General 2 01-24-2004 02:43 PM
Strange Ports in windows 98 lub0 General 7 10-05-2003 06:59 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:49 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration