[lug] outgoing port 220 exploit?
stimits at comcast.net
Sun Jan 18 17:31:54 MST 2004
Jordan Crouse wrote:
> >Well, netstat seems to work only for existing tcp connects, or if it
> >is run right at the instant of a connect attempt. What I have here is
> >a period failed connect to outside port 220, it is blocked both on the
> >local machine and on the bridge firewall, so it never gets beyond a
> >SYN packet. I'm thinking what I need is a tcpdump. Only I'm having a
> >problem with the tcpdump syntax. Can anyone tell me the syntax to use
> >tcpdump to continuously dump info of any port 220 destination packets?
> >And is there a way to give source application info the way netstat
> >does with the -lenp argument?
> You can also use ethereal if you want something a little bit more "user
> friendly". It does most of the ugly work for you in terms of figuring
> out the different layers. its a GTK user interface, so its requires the
> overhead of any GUI app and the user interaction, but its invaluable at
> figuring out the gooey innards of the packets (unless you can remember
> how big an 802.1D packet is from memory.. :D ).
So far this has proved useless, as the firewall rules prevent any actual
outbound traffic...apparently this is blocked prior to tcpdump or
ethereal seeing the traffic (tested from both the machine in question
and a transparent bridge/firewall). It seems to be an attempt to relay
without port 25 being involved, and with all the commonly exploited
ports firewalled in 2 locations.
> Another option is to use iptables to log any outgoing attempts on port
> 220. The advantage here is that it will be logged automatically,
> without having to run tcpdump or ethereal. For example, here is the
> chain that I use to log incoming ICMP packets that get dropped (I
> like to know when people try to ping me):
I am using ipchains on this particular machine (don't worry, packages
are updated), which I have gone through for days and concluded is not
hacked or rooted. Most people don't block outgoing ports, but I do block
outgoing ports if they are related to a service not used (and I don't
use imap so 220 is blocked both locally and at the bridge, with both
logging). The inbound source is eluding me.
> iptables -A LDROP --proto icmp -j LOG --log-level info \
> --log-prefix "ICMP Drop "
> iptables -A ICMP -p icmp --icmp-type echo-request -J LDROP
> Check the iptables man pages for more information on the
> --log-level and--log-prefix params.
> As for determining which specific processes are sending the offending
> ports, thats a bit more difficult. You might need to end up writing a
> program or a script that monitors /proc/net/udp and /proc/net/tcp for
> the right numbers, and then either logs the information, sends you an
> email, or sounds an alarm (or maybe all three).
Whatever it is has to work to log even on an attempt to send outbound
traffic, as the ipchains is blocking it before tcpdump or ethereal or
netstat can track anything.
D. Stimits, stimits AT comcast DOT net
More information about the LUG