[lug] outgoing port 220 exploit?
stimits at comcast.net
Sat Jan 17 22:44:28 MST 2004
D. Stimits wrote:
> I currently have no use of imap, and routinely block not only incoming
> ports that I do not use, but also outgoing ports. It may be that nothing
> is wrong here, but I need to track which app is trying to send an
> outgoing tcp connect to port 220 on all kinds of machines. Chkrootkit
> says things are fine, no mysterious processes show up, I keep things
> updated, so on. But it bugs me to not be able to see the ipchains output
> tell me exactly what app it is that is that is trying to go to imap. Any
> suggestions? I can't seem to find any published info on any exploit that
> would cause an outbound port 220 attempt (internal port is always 6129).
> I have been unable to find any input chain hits, only output chain.
> D. Stimits, stimits AT comcast DOT net
Well, netstat seems to work only for existing tcp connects, or if it is
run right at the instant of a connect attempt. What I have here is a
period failed connect to outside port 220, it is blocked both on the
local machine and on the bridge firewall, so it never gets beyond a SYN
packet. I'm thinking what I need is a tcpdump. Only I'm having a problem
with the tcpdump syntax. Can anyone tell me the syntax to use tcpdump to
continuously dump info of any port 220 destination packets? And is there
a way to give source application info the way netstat does with the
D. Stimits, stimits AT comcast DOT net
PS: This only seems to show up when mozilla is running, but I have
tested it far too little to know for sure yet.
More information about the LUG