Security Basics mailing list archives

RE: how to trace what is accessing the nic ?


From: "Burton Strauss" <BStrauss3 () comcast net>
Date: Sat, 23 Apr 2005 09:20:30 -0500

netstat -a  

That will show you (unless you've been rootkitted) which process has what
port open.


Also, you might want to dump the packet details - that might have
interesting data.

-----Burton



-----Original Message-----
From: Bonmariage, Serge [mailto:serge.bonmariage () GETRONICS com] 
Sent: Friday, April 22, 2005 8:45 AM
To: security-basics () securityfocus com
Subject: how to trace what is accessing the nic ?

Hi everyone,

Something very strange is happening on one of our Linux SMTP gateways.
We've recently discovered that it is sending some strange TCP packets,
always to the same private address.

[root@server1 root]# tcpdump -i eth0
tcpdump: listening on eth0
14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393
0,nop,wscale 0> (DF)
14:29:53.222040 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693
0,nop,wscale 0> (DF)
14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293
0,nop,wscale 0> (DF)

However, we don't detect any other abnormal activity.

The question is quite basic but is there a way to trace which process is
trying to send these packets?

Thanks,

Serge Bonmariage
Getronics Belgium NV
www.getronics.com 
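The lookup Serge asks for (which process owns the socket that is emitting those SYNs) can be done from /proc alone, which is also what netstat -anp and ss -tnp do under the hood. The script below is an added example written for this archive page, not code from either poster. Only the remote endpoint 192.168.234.236:5860 and the source port 59806 come from the tcpdump above; the local address 10.0.0.5, the sample /proc/net/tcp rows, and the PID 4242 / program name daemon_x used by the self-contained demo are constructed for illustration.

```python
#!/usr/bin/env python3
"""Map an outbound TCP connection to its owning process using only /proc.

/proc/net/tcp lists each IPv4 TCP socket (hex local/remote address:port,
state code, inode); /proc/<pid>/fd/* symlinks read back "socket:[inode]".
The inode is the join key, the same join netstat -anp and ss -tnp perform.
"""
import os
import socket
import struct
import tempfile

# State codes as printed in /proc/net/tcp (kernel tcp_states.h).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample table (not captured from the gateway): row 0 is an SMTP
# listener, row 1 a pending SYN from an assumed local 10.0.0.5:59806 to
# 192.168.234.236:5860, i.e. what the tcpdump in the thread would correspond to.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8123 1 0000000000000000 100 0 0 10 0
   1: 0500000A:E99E ECEAA8C0:16E4 02 00000001:00000000 01:00000042 00000002     0        0 9171 2 0000000000000000 100 0 0 10 -1
"""

def decode_addr(hexaddr):
    """'ECEAA8C0:16E4' -> ('192.168.234.236', 5860).  The address is the
    host-order dump of a network-order word, so on x86 it reads reversed."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse the table into dicts, skipping the header row."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if not p or p[0] == "sl":
            continue
        entries.append({"local": decode_addr(p[1]), "remote": decode_addr(p[2]),
                        "state": TCP_STATES.get(p[3], p[3]),
                        "uid": int(p[7]), "inode": int(p[9])})
    return entries

def find_sockets(entries, remote_ip, remote_port):
    """Sockets bound to remote_ip:remote_port that still have an owner
    (inode 0 means orphaned, e.g. TIME_WAIT, so there is no process to find)."""
    return [e for e in entries
            if e["remote"] == (remote_ip, remote_port) and e["inode"] != 0]

def find_pids_for_inode(inode, proc_root="/proc"):
    """PIDs holding a descriptor for socket `inode`.  Needs root to read
    other users' fd directories; vanished or unreadable PIDs are skipped."""
    target, owners = "socket:[%d]" % inode, []
    for name in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue
        if target in links:
            owners.append(int(name))
    return sorted(owners)

def read_comm(pid, proc_root="/proc"):
    """Program name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"

def trace_connection(tcp_table, remote_ip, remote_port, proc_root="/proc"):
    """Join the TCP table with /proc/<pid>/fd -> [(pid, comm, state), ...]."""
    hits = []
    for e in find_sockets(parse_proc_net_tcp(tcp_table), remote_ip, remote_port):
        for pid in find_pids_for_inode(e["inode"], proc_root):
            hits.append((pid, read_comm(pid, proc_root), e["state"]))
    return hits

def demo():
    """Run the join against a constructed one-process /proc tree (no root
    needed); PID 4242 and the name 'daemon_x' are made up for the fixture."""
    with tempfile.TemporaryDirectory() as root:
        fd_dir = os.path.join(root, "4242", "fd")
        os.makedirs(fd_dir)
        os.symlink("socket:[9171]", os.path.join(fd_dir, "3"))
        with open(os.path.join(root, "4242", "comm"), "w") as f:
            f.write("daemon_x\n")
        return trace_connection(SAMPLE_PROC_NET_TCP, "192.168.234.236", 5860, root)

if __name__ == "__main__":
    print(demo())  # -> [(4242, 'daemon_x', 'SYN_SENT')]
    # On the gateway itself, as root:
    # with open("/proc/net/tcp") as f:
    #     print(trace_connection(f.read(), "192.168.234.236", 5860))
```

The three SYNs in the capture carry the same sequence number and source port and are spaced 3 s and then 6 s apart, which is the exponential backoff of a kernel TCP connect() retransmit rather than hand-crafted packets, so while they are in flight the socket sits in /proc/net/tcp in state SYN_SENT and the join above finds its owner. Once connect() gives up the entry vanishes, so run the lookup while tcpdump is still showing the SYNs (or catch the next attempt with `ss -tnp state syn-sent`). For IPv6 the same layout lives in /proc/net/tcp6 with 16-byte addresses, a process injecting raw packets would appear in /proc/net/raw instead, and a rootkit can hide /proc entries, so Burton's caveat applies equally here.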




