LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-29-2003, 02:43 PM   #1
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Rep: Reputation: 30
TCP DUMP question


Here is a piece from my dump: is this a Microsoft RPC worm?

15:31:40.196775 mx14.glamorsex.com.2686 > host01.135: S 3564693896:3564693896(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

15:31:40.196796 host01.135 > mx14.glamorsex.com.2686: R 0:0(0) ack 3564693897 win 0 (DF)

15:31:40.743568 mx14.glamorsex.com.2686 > host01.135: S 3564693896:3564693896(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

15:31:40.743580 host01.135 > mx14.glamorsex.com.2686: R 0:0(0) ack 1 win 0 (DF)


Thanks All
 
Old 12-29-2003, 02:50 PM   #2
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Original Poster
Rep: Reputation: 30
http://isc.incidents.org

Port 135 is always getting slammed.

What does everyone do to just block these from any response/CPU time?
How can I see more information from my TCPDUMP, something similar to Ethereal?

Last edited by sopiaz57; 12-29-2003 at 03:08 PM.
 
Old 12-30-2003, 02:05 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
# tcpdump -nXs 1500

That should get the information in format similar to how Ethereal displays it.

Just write an iptables rule to drop all the Microsoft protocols on your external interface, and don't log those dropped packets. That will avoid spamming your kernel log.
 
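To make the first post's question checkable against the dump itself, here is an added example (not code from the thread or from any poster): a small Python parser for tcpdump lines in the format quoted above. It tallies SYN probes to the Microsoft service ports and records whether the target answered with a RST (nothing listening) or a SYN/ACK (a listener answered), using the four quoted lines as constructed sample input; the port set is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines quoted in the first post (tcpdump 3.x text format).
SAMPLE_DUMP = """\
15:31:40.196775 mx14.glamorsex.com.2686 > host01.135: S 3564693896:3564693896(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:31:40.196796 host01.135 > mx14.glamorsex.com.2686: R 0:0(0) ack 3564693897 win 0 (DF)
15:31:40.743568 mx14.glamorsex.com.2686 > host01.135: S 3564693896:3564693896(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:31:40.743580 host01.135 > mx14.glamorsex.com.2686: R 0:0(0) ack 1 win 0 (DF)
"""

# "HH:MM:SS.usec src.sport > dst.dport: FLAGS ..."; flags are S, R, P, F, U or "." (none),
# so a SYN/ACK appears as "S." in this format.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SRPFU.]+)"
)

MS_PORTS = {135, 137, 138, 139, 445}   # assumed set: RPC endpoint mapper, NetBIOS, SMB

def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def summarize_probes(dump_text):
    """Tally SYNs to Microsoft ports per (source, port) and classify the target's answer.

    Returns {(src, dport): {"syns": n, "answer": "closed" | "open" | "silent"}}.
    """
    summary = defaultdict(lambda: {"syns": 0, "answer": "silent"})
    for line in dump_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["flags"] == "S" and rec["dport"] in MS_PORTS:
            summary[(rec["src"], rec["dport"])]["syns"] += 1
        elif rec["sport"] in MS_PORTS and (rec["dst"], rec["sport"]) in summary:
            key = (rec["dst"], rec["sport"])        # reply from the probed port to the prober
            if "R" in rec["flags"]:
                summary[key]["answer"] = "closed"   # RST: nothing listening, probe was noise
            elif rec["flags"] == "S.":
                summary[key]["answer"] = "open"     # SYN/ACK: a listener answered, look closer
    return dict(summary)

if __name__ == "__main__":
    for (src, port), info in summarize_probes(SAMPLE_DUMP).items():
        print(f"{src} -> port {port}: {info['syns']} SYN(s), port {info['answer']}")
```

On the quoted dump this reports two SYNs from mx14.glamorsex.com to port 135 answered with RST, i.e. host01 had nothing listening there, which is the usual picture for the background RPC-worm scanning this thread is about.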
Old 12-30-2003, 07:58 AM   #4
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Original Poster
Rep: Reputation: 30
Cool. I will need to work on writing iptables rules, never done that before.


Thanks
 