Security Basics mailing list archives

RE: how to trace what is accessing the nic ?

From: "Simon Li" <simon.li () themachineroom co uk>
Date: Mon, 25 Apr 2005 09:47:02 +0100

-----Original Message-----
From: Bonmariage, Serge [mailto:serge.bonmariage () GETRONICS com] 
Sent: 22 April 2005 14:45
To: security-basics () securityfocus com
Subject: how to trace what is accessing the nic ?

Hi everyone,

There is happening something very strange on one of our Linux 
SMTP gateway.
We've recently discovered that it is sending some strange TCP 
packets to always the same private address.

[root@server1 root]# tcpdump -i eth0
tcpdump: listening on eth0
14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 
1658853393 0,nop,wscale 0> (DF) 14:29:53.222040 
server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 
1658853693 0,nop,wscale 0> (DF)
14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 
1658854293 0,nop,wscale 0> (DF)

However we don't detect any other abnormal acvtivity.

The question is quite basic but is there a way to trace which 
process is trying to send these packets?


If you can catch the process in the middle of it sending some packets,
try running
netstat --inet -nap
as root. I think this gives you a list of all processes with network
sockets open, together with the process id and name.

Simon


This e-mail message (including its attachments) is private, is intended for the recipient named in it and may contain 
material which is confidential and privileged. 
No-one other than the named recipient may read, copy, rely on, redirect, save or alter the message or any part of it or 
any attachment to it in any way. 
VMS does not accept legal responsibility for the contents of this message.
Any views or opinions presented are solely those of the author and do not represent those of VMS unless otherwise 
specifically stated. 
While reasonable effort has been made to ensure this message is free of viruses, opening and using this message is at 
the risk of the recipient.

Current thread:

how to trace what is accessing the nic ? Bonmariage, Serge (Apr 22)
- RE: how to trace what is accessing the nic ? Burton Strauss (Apr 25)
- Re: how to trace what is accessing the nic ? Andreas Putzo (Apr 25)
- <Possible follow-ups>
- RE: how to trace what is accessing the nic ? Joshua Berry (Apr 25)
- Re: how to trace what is accessing the nic ? H Carvey (Apr 25)
- RE: how to trace what is accessing the nic ? Bonmariage, Serge (Apr 25)
- RE: how to trace what is accessing the nic ? Simon Li (Apr 25)