On Mon, 23 Jul 2007 14:53:35 -0300 Thomas TS <ttsoares@xxxxxxxxxxxxxxx> wrote:

> This is an FC7 fully updated.
> The system is running with no user logged in.
> Just some default daemons and services:
>
> # netstat -apn | grep LIST | grep tcp
>
> tcp   0   0 127.0.0.1:8000       0.0.0.0:*   LISTEN   2580/nasd
> tcp   0   0 192.168.122.1:53     0.0.0.0:*   LISTEN   2834/dnsmasq
> tcp   0   0 0.0.0.0:821          0.0.0.0:*   LISTEN   2335/rpc.statd
> tcp   0   0 127.0.0.1:631        0.0.0.0:*   LISTEN   2525/cupsd
> tcp   0   0 127.0.0.1:25         0.0.0.0:*   LISTEN   2559/sendmail: acce
> tcp   0   0 :::111               :::*        LISTEN   2301/rpcbind
> tcp   0   0 :::22                :::*        LISTEN   2539/sshd
>
> This box is behind a NAT, and from the gateway one can look at the
> connections to/from the FC7 system.
>
> After some time monitoring with iptraf, several - for me - strange
> connections appear...
>
> ┌ TCP Connections (Source Host:Port) ───── Packets ─── Bytes ─── Flags ──── Iface ─┐
> │┌192.168.1.254:42977     =   695    45740   --A-    eth2 │
> │└192.168.1.129:22        =   575    96948   -PA-    eth2 │
> │┌193.28.235.40:80        =     0        0   ----    eth2 │
> │└192.168.1.129:45869     =     4      240   S---    eth2 │
> │┌192.168.1.129:44799     =     8      565   --A-    eth2 │
> │└131.252.208.96:80       =     7     2730   CLOSED  eth2 │
> │┌193.140.100.100:21      =     0        0   ----    eth2 │
> │└192.168.1.129:55991     =     1       46   RESET   eth2 │
> │┌192.168.1.129:56462     =     0        0   ----    eth2 │
> │└64.90.181.77:55979      >     1       52   --A-    eth2 │
> │┌192.168.1.129:22        =    49     6668   CLOSED  eth2 │
> │└192.168.1.254:36544     =    64     7008   CLOSED  eth2 │
> │┌192.168.1.129:44507     =     9      641   --A-    eth2 │
> │└209.132.176.120:80      =     9     4689   CLOSED  eth2 │
>
> Some are obviously acceptable, such as 209.132.176.120
> (admin.fedora.redhat.com), but a lot of them are to very strange places!!!
>
> I am already blocking everything to/from
>
> 198.82.161.0/24
> 193.28.235.0/24
> 147.102.222.0/24
> 131.252.208.0/24
>
> because I could not figure out why, and which program, was doing a lot of
> uploads from my system to hosts at IPs in those class B and C nets...
>
> Am I too paranoid?
It is possible, depending on how you are logging the TCP packets, that you are seeing failed attempts rather than actual connections.

I am not an expert (or even very knowledgeable), but I would be concerned, or at least investigate. Run

  /sbin/ausearch -i -ts yesterday | grep -i fail | less

I suspect you will see lots of hits on ssh. Perhaps someone succeeded:

  /sbin/ausearch -i -ts yesterday | grep -i ssh | grep -i success

I think Fedora locks down the sendmail server by default, but you could check it as well. Spammers are always looking for open relays, and it is another exposure to the web for crackers to exploit. You can get more info on ausearch with man ausearch.

Remove any chkrootkit in case it is compromised and install it again:

  yum remove chkrootkit*
  yum install chkrootkit*

Then run it with the fresh copy to see if it finds any infestations. Not perfect, but it should catch crackers that aren't skilled.
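As an added worked example (not part of the thread, and not the poster's or Fedora's own tooling): the two ausearch greps above answer "were there failures?" and "was there a success?" separately; the check a responder actually wants is whether the same peer address produced a run of failures and then a success. The script below implements that correlation over raw audit records. The records embedded in it are constructed for the example (addresses from documentation and private ranges, timestamps around the date of the post); the field names (type=, msg=audit(...), acct=, exe=, addr=, res=) follow the raw /var/log/audit/audit.log layout, which `ausearch --raw` reproduces, and the file name ssh_audit_check.py and the threshold of five failures are assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample records (not real logs from the thread) in the raw
# /var/log/audit/audit.log layout. sshd emits one USER_AUTH record per
# authentication attempt: addr= is the peer, acct= the account tried, res= the
# outcome. The /bin/su and USER_START lines are there to show that they are ignored.
SAMPLE_AUDIT = """\
type=USER_AUTH msg=audit(1185207215.101:101): user pid=2901 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1185207216.102:102): user pid=2901 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1185207217.103:103): user pid=2903 uid=0 auid=4294967295 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1185207218.104:104): user pid=2903 uid=0 auid=4294967295 msg='op=PAM:authentication acct="test" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1185207219.105:105): user pid=2905 uid=0 auid=4294967295 msg='op=PAM:authentication acct="oracle" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1185207220.106:106): user pid=2905 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1185207221.107:107): user pid=2907 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=success'
type=USER_START msg=audit(1185207221.108:108): user pid=2907 uid=0 auid=0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=success'
type=USER_AUTH msg=audit(1185207300.109:109): user pid=2910 uid=0 auid=4294967295 msg='op=PAM:authentication acct="thomas" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.254 terminal=ssh res=success'
type=USER_AUTH msg=audit(1185207400.110:110): user pid=2912 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.23 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1185207401.111:111): user pid=2912 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.23 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1185207402.112:112): user pid=2914 uid=0 auid=4294967295 msg='op=PAM:authentication acct="guest" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.23 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1185207500.113:113): user pid=2920 uid=500 auid=500 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
"""

TYPE_RE = re.compile(r"^type=(\S+)")
TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")
EXE_RE = re.compile(r'exe="?([^"\s]+)"?')
ACCT_RE = re.compile(r'acct="?([^"\s]+)"?')
ADDR_RE = re.compile(r"\baddr=(\S+)")
RES_RE = re.compile(r"\bres=(\w+)")


def parse_record(line):
    """Return ts/acct/addr/res from one raw audit line, or None if the line is
    not a USER_AUTH record produced by sshd (su, login, session records are skipped)."""
    m_type = TYPE_RE.match(line)
    if not m_type or m_type.group(1) != "USER_AUTH":
        return None
    m_exe = EXE_RE.search(line)
    if not m_exe or not m_exe.group(1).endswith("/sshd"):
        return None
    rec = {}
    for key, rx in (("ts", TS_RE), ("acct", ACCT_RE), ("addr", ADDR_RE), ("res", RES_RE)):
        m = rx.search(line)
        if not m:
            return None
        rec[key] = m.group(1)
    rec["ts"] = int(rec["ts"])
    return rec


def summarize(audit_text):
    """Per peer address: failed and successful sshd authentications, the accounts
    tried, and the epoch time of the first success (None if there was none)."""
    summary = defaultdict(lambda: {"failed": 0, "success": 0,
                                   "accounts": set(), "first_success": None})
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        entry = summary[rec["addr"]]
        entry["accounts"].add(rec["acct"])
        if rec["res"] == "success":
            entry["success"] += 1
            if entry["first_success"] is None:
                entry["first_success"] = rec["ts"]
        else:
            entry["failed"] += 1
    return dict(summary)


def classify(summary, min_failed=5):
    """Peers with at least min_failed failures: those that then got in are treated
    as a likely compromise, the rest as brute-force noise. Threshold is an assumption."""
    compromise, brute_force = [], []
    for addr, e in sorted(summary.items()):
        if e["failed"] < min_failed:
            continue
        (compromise if e["success"] else brute_force).append(addr)
    return {"likely_compromise": compromise, "brute_force_only": brute_force}


if __name__ == "__main__":
    # Real use:  ausearch -m USER_AUTH -ts yesterday --raw | python3 ssh_audit_check.py
    text = SAMPLE_AUDIT if sys.stdin.isatty() else sys.stdin.read()
    summary = summarize(text)
    for addr, e in sorted(summary.items()):
        print(f"{addr:16} failed={e['failed']:3d} success={e['success']:2d} "
              f"accounts={','.join(sorted(e['accounts']))}")
    verdict = classify(summary)
    for addr in verdict["likely_compromise"]:
        print(f"ALERT {addr}: repeated failures followed by a successful login "
              f"(first success at epoch {summary[addr]['first_success']})")
    for addr in verdict["brute_force_only"]:
        print(f"WARN  {addr}: brute-force attempts, no success seen")
```

On the constructed data 203.0.113.7 is flagged (six failures across four account names, then a successful root login), 198.51.100.23 is below the threshold, and the gateway address 192.168.1.254 is a clean single success. Note that `ausearch -i`, as used in the reply, rewrites uids and timestamps into human-readable form; feed the script `--raw` output, which keeps the field layout the regexes expect. A successful login after a guessing run is the point at which reinstalling chkrootkit from the same box stops being enough: the box itself can no longer be trusted to report on itself.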