Re: [gentoo-user] Strange outbound requests
>>>> If the machine is running linux, then `watch 'lsof -n | grep TCP | grep 3680'` as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.
>>>
>>> lsof -i is easier, it only shows network connections :) Catching it when it happens (if it is very briefly connected) could be hard with lsof... Maybe set up a tarpit firewall rule on that box so the connection stays open for a long time.
>>
>> The connections are only attempted a few times throughout the day. Is a tarpit firewall rule the only way to do this? Can anyone tell me what package 'watch' belongs to if that would work?
>
> `watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.
>
>     while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done
>
> You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.

I'm still getting the blocked outbound requests to port 3680 on my firewall and I'm running the above script (changed 993 to 3680) on the local system indicated by SRC in the firewall log, but mystery.log remains empty. I tested the script with other ports and it seems to be working fine.

Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?

I installed and ran rkhunter and this was the only warning I couldn't disregard:

    Warning: The command '/usr/sbin/rkhunter' has been replaced and is not a script: /usr/sbin/rkhunter: POSIX shell script, ASCII text executable, with very long lines

- Grant
Re: [gentoo-user] Strange outbound requests
On Sunday 22 Jan 2012 17:54:29 Grant wrote:
>> `watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.
>>
>>     while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done
>>
>> You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.
>
> I'm still getting the blocked outbound requests to port 3680 on my firewall and I'm running the above script (changed 993 to 3680) on the local system indicated by SRC in the firewall log, but mystery.log remains empty. I tested the script with other ports and it seems to be working fine.
>
> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?

Does not make sense to me, sorry. :-(

Have you tried running the script on lsof instead?

> I installed and ran rkhunter and this was the only warning I couldn't disregard:
>
>     Warning: The command '/usr/sbin/rkhunter' has been replaced and is not a script: /usr/sbin/rkhunter: POSIX shell script, ASCII text executable, with very long lines

This warning comes up the first time after rkhunter runs --update for its .dat files. I don't know why this is so - but I have noticed it happening for the last couple of versions at least.

--
Regards,
Mick
Re: [gentoo-user] Strange outbound requests
On 01/22/2012 12:54 PM, Grant wrote:
>> `watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.
>>
>>     while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done
>>
>> You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.
>
> I'm still getting the blocked outbound requests to port 3680 on my firewall and I'm running the above script (changed 993 to 3680) on the local system indicated by SRC in the firewall log, but mystery.log remains empty. I tested the script with other ports and it seems to be working fine.
>
> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?

Are you running it as root? If not, you could be missing some connections.

I also typed the 't' in netstat out of habit -- that limits the output to tcp connections. You can remove it to catch the UDP ones.
Re: [gentoo-user] Strange outbound requests
>>> `watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.
>>>
>>>     while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done
>>>
>>> You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.
>>
>> I'm still getting the blocked outbound requests to port 3680 on my firewall and I'm running the above script (changed 993 to 3680) on the local system indicated by SRC in the firewall log, but mystery.log remains empty. I tested the script with other ports and it seems to be working fine.
>>
>> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?
>
> Does not make sense to me, sorry. :-(
>
> Have you tried running the script on lsof instead?

OK I changed 'netstat -antp' to 'lsof -i'.

- Grant
Re: [gentoo-user] Strange outbound requests
>>> `watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.
>>>
>>>     while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done
>>>
>>> You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.
>>
>> I'm still getting the blocked outbound requests to port 3680 on my firewall and I'm running the above script (changed 993 to 3680) on the local system indicated by SRC in the firewall log, but mystery.log remains empty. I tested the script with other ports and it seems to be working fine.
>>
>> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?
>
> Are you running it as root? If not, you could be missing some connections.

I'm running it as root.

> I also typed the 't' in netstat out of habit -- that limits the output to tcp connections. You can remove it to catch the UDP ones.

According to the firewall log, the 3680 requests are TCP connections, but I just switched to 'lsof -i' anyway.

- Grant
Re: [gentoo-user] Strange outbound requests
>>> `watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.
>>>
>>>     while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done
>>>
>>> You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.
>>
>> I'm still getting the blocked outbound requests to port 3680 on my firewall and I'm running the above script (changed 993 to 3680) on the local system indicated by SRC in the firewall log, but mystery.log remains empty. I tested the script with other ports and it seems to be working fine.
>>
>> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?
>
> Does not make sense to me, sorry. :-(

Since my local firewall is rejecting the outbound requests, the time elapsed between the request and the block should be very short. Is it possible the 'sleep 1' portion of the script is causing the failure to log the connection request? The outbound connection is only attempted a few times per day. If so, how would you recommend fixing that?

I'm also wondering if there is a command I could run on the router/firewall machine that would log something from the outbound request. Even if the information logged isn't useful, it would be nice to see a confirmation of the outbound requests logged from somewhere besides the firewall.

- Grant
Re: [gentoo-user] Strange outbound requests
On Sunday 22 Jan 2012 19:29:47 Grant wrote:
>>>> `watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.
>>>>
>>>>     while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done
>>>>
>>>> You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.
>>>
>>> I'm still getting the blocked outbound requests to port 3680 on my firewall and I'm running the above script (changed 993 to 3680) on the local system indicated by SRC in the firewall log, but mystery.log remains empty. I tested the script with other ports and it seems to be working fine.
>>>
>>> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?
>>
>> Does not make sense to me, sorry. :-(
>
> Since my local firewall is rejecting the outbound requests, the time elapsed between the request and the block should be very short. Is it possible the 'sleep 1' portion of the script is causing the failure to log the connection request? The outbound connection is only attempted a few times per day. If so, how would you recommend fixing that?

I'm the wrong guy to make recommendations on any sort of scripting, but if sleep 1 is not enough, could sleep 2 or 3 be adequate to complete writing what it is that is being watched?

> I'm also wondering if there is a command I could run on the router/firewall machine that would log something from the outbound request. Even if the information logged isn't useful, it would be nice to see a confirmation of the outbound requests logged from somewhere besides the firewall.

tcpdump will show you what the packets look like and their content if they are unencrypted. However, it may consume tonnes of disk space if you leave it running all the time.

Have you checked if such connection attempts take place when you start up the machine? If yes it may be easier to capture it.

--
Regards,
Mick
Re: [gentoo-user] Strange outbound requests
On 01/22/2012 02:29 PM, Grant wrote:
> Since my local firewall is rejecting the outbound requests, the time elapsed between the request and the block should be very short. Is it possible the 'sleep 1' portion of the script is causing the failure to log the connection request? The outbound connection is only attempted a few times per day. If so, how would you recommend fixing that?

If the firewall is being nice and rejecting the connection, then yeah, it could be opening/closing in under a second. `sleep` doesn't require an integer[1], so you can probably have it sleep for 0.1s or something like that.

> I'm also wondering if there is a command I could run on the router/firewall machine that would log something from the outbound request. Even if the information logged isn't useful, it would be nice to see a confirmation of the outbound requests logged from somewhere besides the firewall.

What kind of firewall is it? Can you update the rules? If so, make it silently drop outbound connections instead of rejecting them; that way, the connection will hang open for a little bit.

[1] This is probably a bash-ism, but it works here.
Re: [gentoo-user] Strange outbound requests
On Sun, Jan 22, 2012 at 2:29 PM, Grant emailgr...@gmail.com wrote:
>>>> `watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.
>>>>
>>>>     while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done
>>>>
>>>> You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.
>>>
>>> I'm still getting the blocked outbound requests to port 3680 on my firewall and I'm running the above script (changed 993 to 3680) on the local system indicated by SRC in the firewall log, but mystery.log remains empty. I tested the script with other ports and it seems to be working fine.
>>>
>>> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?
>>
>> Does not make sense to me, sorry. :-(
>
> Since my local firewall is rejecting the outbound requests, the time elapsed between the request and the block should be very short. Is it possible the 'sleep 1' portion of the script is causing the failure to log the connection request? The outbound connection is only attempted a few times per day. If so, how would you recommend fixing that?

Try configuring your local firewall to log the request. There may be something useful, such as logging an associated PID or user, that you can add there. I don't know.

Alternately, you could DROP the outbound packet rather than REJECT it; that should cause the connecting process to wait several seconds until it times out.

> I'm also wondering if there is a command I could run on the router/firewall machine that would log something from the outbound request. Even if the information logged isn't useful, it would be nice to see a confirmation of the outbound requests logged from somewhere besides the firewall.

Ow.

We need to get a bit more specific. Is the 'local firewall' on the connecting host, or is it on your router?

As far as logging goes, you can set up a rule (prior to your DROP or REJECT) with a target of LOG. The packet will show up in syslog.

--
:wq
Re: [gentoo-user] Strange outbound requests
>>>> I'm still getting the blocked outbound requests to port 3680 on my firewall and I'm running the above script (changed 993 to 3680) on the local system indicated by SRC in the firewall log, but mystery.log remains empty. I tested the script with other ports and it seems to be working fine.
>>>>
>>>> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?
>>>
>>> Does not make sense to me, sorry. :-(
>>
>> Since my local firewall is rejecting the outbound requests, the time elapsed between the request and the block should be very short. Is it possible the 'sleep 1' portion of the script is causing the failure to log the connection request? The outbound connection is only attempted a few times per day. If so, how would you recommend fixing that?
>
> Try configuring your local firewall to log the request. There may be something useful, such as logging an associated PID or user, that you can add there. I don't know.
>
> Alternately, you could DROP the outbound packet rather than REJECT it; that should cause the connecting process to wait several seconds until it times out.

I've just done this at yours and Michael Orlitzky's suggestion. Waiting for another connection attempt now.

>> I'm also wondering if there is a command I could run on the router/firewall machine that would log something from the outbound request. Even if the information logged isn't useful, it would be nice to see a confirmation of the outbound requests logged from somewhere besides the firewall.
>
> Ow.
>
> We need to get a bit more specific. Is the 'local firewall' on the connecting host, or is it on your router?

The firewall runs on the router (which is a Gentoo system) in the local network.

> As far as logging goes, you can set up a rule (prior to your DROP or REJECT) with a target of LOG. The packet will show up in syslog.

I just started running this on the router:

    tcpdump -i eth1 -n | grep the.offending.ip.address

where eth1 is my LAN interface. I figure this will tell me if any requests are being made to the offending IP, including any that aren't being logged by the firewall. Nothing yet.

- Grant
Re: [gentoo-user] Strange outbound requests
On Sunday 22 Jan 2012 20:26:13 Grant wrote:
> I just started running this on the router:
>
>     tcpdump -i eth1 -n | grep the.offending.ip.address
>
> where eth1 is my LAN interface. I figure this will tell me if any requests are being made to the offending IP, including any that aren't being logged by the firewall. Nothing yet.

Add -s 0 to capture the whole size of packets if you want to see what is being sent/received.

--
Regards,
Mick
Re: [gentoo-user] Strange outbound requests
On Jan 23, 2012 12:57 AM, Grant emailgr...@gmail.com wrote:
> [snip]
>
> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?

It's (source MAC):(dest MAC):(payload type)

(payload type) is usually 08:00 unless you're using SNAP/LLC

Rgds,
Re: [gentoo-user] Strange outbound requests
On Jan 23, 2012 12:10 PM, Pandu Poluan pa...@poluan.info wrote:
> On Jan 23, 2012 12:57 AM, Grant emailgr...@gmail.com wrote:
>> [snip]
>>
>> Also the MAC indicated in the firewall log is 14 blocks long and the local system in question has a MAC address 6 blocks long according to ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks reported by the firewall. Does this make sense to anyone?
>
> It's (source MAC):(dest MAC):(payload type)
>
> (payload type) is usually 08:00 unless you're using SNAP/LLC
>
> Rgds,

Oops, sorry, it's the other way around (dest):(source):(type). It's the representation of the first 14 octets of the Ethernet frame.

Rgds,
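The two router-side pieces discussed above, the LOG rule placed before the DROP/REJECT (Michael Mol's suggestion) and the 14-octet MAC= field that Pandu Poluan decodes, as an added example that is not part of the thread: a small shell script that pulls the useful fields out of a netfilter LOG line and splits the MAC field into destination MAC, source MAC and EtherType. The sample log line, the addresses, the MACs, the chain name and the log prefix are constructed for the example, not taken from Grant's firewall.

```sh
#!/bin/sh
# Added example, not code from the thread: pull the interesting fields out of a
# netfilter LOG line (what a LOG rule placed before the DROP/REJECT rule on the
# router writes to syslog) and decode the 14-octet MAC= field.
#
# Rules that produce such lines look like this in plain iptables (Shorewall
# generates the equivalent; the chain name and prefix here are assumed):
#   iptables -A FORWARD -p tcp --dport 3680 -j LOG --log-prefix 'Shorewall:loc2net:DROP:'
#   iptables -A FORWARD -p tcp --dport 3680 -j DROP

# Constructed sample line; addresses and MACs are made up, not a real capture.
SAMPLE_LOG='Jan 22 20:26:13 router kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=45321 DPT=3680 WINDOW=14600 RES=0x00 SYN URGP=0'

# log_field LINE KEY: the value of the KEY=value token in LINE, empty if absent.
# A key is preceded by a space or, for the first one, by the prefix's colon.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]:]$2=\([^[:space:]]*\).*/\1/p"
}

# split_mac MACFIELD: MAC= holds the first 14 octets of the Ethernet frame:
# 6 destination MAC, 6 source MAC, 2 EtherType. For a packet forwarded by the
# router the source MAC is the LAN host that sent it (what ifconfig shows on
# that host) and the destination MAC is the router's LAN interface.
split_mac() {
    dst=$(printf '%s' "$1" | cut -d: -f1-6)
    src=$(printf '%s' "$1" | cut -d: -f7-12)
    etype=$(printf '%s' "$1" | cut -d: -f13-14)
    case "$etype" in
        08:00) name=IPv4 ;;
        86:dd) name=IPv6 ;;
        08:06) name=ARP ;;
        *)     name=unknown ;;
    esac
    printf 'dst=%s src=%s ethertype=%s(%s)\n' "$dst" "$src" "$etype" "$name"
}

# summarize_log_line LINE: "PROTO SRC->DST:DPT src_mac=..." for one LOG line,
# i.e. which LAN host (by IP and by MAC) tried to reach which remote port.
summarize_log_line() {
    mac=$(log_field "$1" MAC)
    printf '%s %s->%s:%s src_mac=%s\n' \
        "$(log_field "$1" PROTO)" "$(log_field "$1" SRC)" \
        "$(log_field "$1" DST)" "$(log_field "$1" DPT)" \
        "$(printf '%s' "$mac" | cut -d: -f7-12)"
}

# Demonstration on the constructed line.
summarize_log_line "$SAMPLE_LOG"
split_mac "$(log_field "$SAMPLE_LOG" MAC)"
```

Two caveats for using this on a live router. The LOG rule identifies the sending host only: a netfilter LOG line never carries a PID or user, and while an OUTPUT rule on the originating host itself can be restricted by user with `-m owner --uid-owner`, current kernels have no PID match, which is why the thread falls back to polling the socket table on that host. And when confirming traffic with `tcpdump ... | grep`, add `-l` to tcpdump so its output is line-buffered; otherwise the pipe delivers nothing to grep until a full buffer has accumulated, which for a few SYNs a day can look like "nothing yet". A BPF filter such as `tcpdump -n -l -i eth1 host the.offending.ip.address and tcp port 3680` also avoids the grep entirely.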
[gentoo-user] Strange outbound requests
My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests? - Grant
Re: [gentoo-user] Strange outbound requests
On 20 January 2012, at 18:34, Grant wrote:
> My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests?

Uh, a packet sniffer? I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.

I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?

Stroller.
Re: [gentoo-user] Strange outbound requests
>> My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests?
>
> Uh, a packet sniffer? I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.

I've actually got the originating local IP from the shorewall log. I'm just trying to figure out which program and maybe which user on that system is generating the outbound requests to port 3680. Is there any way to get more info without setting up a new box?

> I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?

Yeah I just meant the request could be going to anyone.

- Grant
Re: [gentoo-user] Strange outbound requests
On Friday 20 Jan 2012 19:18:59 Grant wrote:
>>> My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests?
>>
>> Uh, a packet sniffer? I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.
>
> I've actually got the originating local IP from the shorewall log. I'm just trying to figure out which program and maybe which user on that system is generating the outbound requests to port 3680. Is there any way to get more info without setting up a new box?
>
>> I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?
>
> Yeah I just meant the request could be going to anyone.
>
> - Grant

Are you running NPDS in your LAN and is it configured to access any sites on rackspace?

--
Regards,
Mick
Re: [gentoo-user] Strange outbound requests
>>>> My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests?
>>>
>>> Uh, a packet sniffer? I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.
>>
>> I've actually got the originating local IP from the shorewall log. I'm just trying to figure out which program and maybe which user on that system is generating the outbound requests to port 3680. Is there any way to get more info without setting up a new box?
>>
>>> I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?
>>
>> Yeah I just meant the request could be going to anyone.
>>
>> - Grant
>
> Are you running NPDS in your LAN and is it configured to access any sites on rackspace?
>
> --
> Regards,
> Mick

I am not running NPDS. I looked it up when I was researching port 3680 and read about it for the first time. I know which machine is making the requests. Any way to drill down further?

- Grant
Re: [gentoo-user] Strange outbound requests
On Fri, Jan 20, 2012 at 5:32 PM, Grant emailgr...@gmail.com wrote:
>>>>> My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests?
>>>>
>>>> Uh, a packet sniffer? I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.
>>>
>>> I've actually got the originating local IP from the shorewall log. I'm just trying to figure out which program and maybe which user on that system is generating the outbound requests to port 3680. Is there any way to get more info without setting up a new box?
>>>
>>>> I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?
>>>
>>> Yeah I just meant the request could be going to anyone.
>>>
>>> - Grant
>>
>> Are you running NPDS in your LAN and is it configured to access any sites on rackspace?
>>
>> --
>> Regards,
>> Mick
>
> I am not running NPDS. I looked it up when I was researching port 3680 and read about it for the first time. I know which machine is making the requests. Any way to drill down further?

If the machine is running linux, then `watch 'lsof -n | grep TCP | grep 3680'` as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.

If the machine is running Windows, then I'd suggest SysInternals TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437

--
:wq
Re: [gentoo-user] Strange outbound requests
>>>>>> My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests?
>>>>>
>>>>> Uh, a packet sniffer? I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.
>>>>
>>>> I've actually got the originating local IP from the shorewall log. I'm just trying to figure out which program and maybe which user on that system is generating the outbound requests to port 3680. Is there any way to get more info without setting up a new box?
>>>>
>>>>> I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?
>>>>
>>>> Yeah I just meant the request could be going to anyone.
>>>>
>>>> - Grant
>>>
>>> Are you running NPDS in your LAN and is it configured to access any sites on rackspace?
>>>
>>> --
>>> Regards,
>>> Mick
>>
>> I am not running NPDS. I looked it up when I was researching port 3680 and read about it for the first time. I know which machine is making the requests. Any way to drill down further?
>
> If the machine is running linux, then `watch 'lsof -n | grep TCP | grep 3680'` as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.

All of my systems run Gentoo. :) Where does watch come from?

- Grant
Re: [gentoo-user] Strange outbound requests
On Fri, Jan 20, 2012 at 5:27 PM, Michael Mol mike...@gmail.com wrote:
> If the machine is running linux, then `watch 'lsof -n | grep TCP | grep 3680'` as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.

lsof -i is easier, it only shows network connections :)

Catching it when it happens (if it is very briefly connected) could be hard with lsof... Maybe set up a tarpit firewall rule on that box so the connection stays open for a long time.
Re: [gentoo-user] Strange outbound requests
On Friday 20 Jan 2012 23:34:12 Grant wrote:
>>>>>>> My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests?
>>>>>>
>>>>>> Uh, a packet sniffer? I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.
>>>>>
>>>>> I've actually got the originating local IP from the shorewall log. I'm just trying to figure out which program and maybe which user on that system is generating the outbound requests to port 3680. Is there any way to get more info without setting up a new box?
>>>>>
>>>>>> I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?
>>>>>
>>>>> Yeah I just meant the request could be going to anyone.
>>>>>
>>>>> - Grant
>>>>
>>>> Are you running NPDS in your LAN and is it configured to access any sites on rackspace?
>>>>
>>>> --
>>>> Regards,
>>>> Mick
>>>
>>> I am not running NPDS. I looked it up when I was researching port 3680 and read about it for the first time. I know which machine is making the requests. Any way to drill down further?
>>
>> If the machine is running linux, then `watch 'lsof -n | grep TCP | grep 3680'` as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.
>
> All of my systems run Gentoo. :) Where does watch come from?
>
> - Grant

ps axf and look at the tree that contains the PID of what `lsof | grep 3680` showed.

--
Regards,
Mick
Re: [gentoo-user] Strange outbound requests
>> If the machine is running linux, then `watch 'lsof -n | grep TCP | grep 3680'` as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.
>
> lsof -i is easier, it only shows network connections :)
>
> Catching it when it happens (if it is very briefly connected) could be hard with lsof... Maybe set up a tarpit firewall rule on that box so the connection stays open for a long time.

The connections are only attempted a few times throughout the day. Is a tarpit firewall rule the only way to do this? Can anyone tell me what package 'watch' belongs to if that would work?

- Grant
Re: [gentoo-user] Strange outbound requests
On 21.01.2012 01:12, Grant wrote:
>>> If the machine is running linux, then `watch 'lsof -n | grep TCP | grep 3680'` as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.
>>
>> lsof -i is easier, it only shows network connections :)
>>
>> Catching it when it happens (if it is very briefly connected) could be hard with lsof... Maybe set up a tarpit firewall rule on that box so the connection stays open for a long time.
>
> The connections are only attempted a few times throughout the day. Is a tarpit firewall rule the only way to do this? Can anyone tell me what package 'watch' belongs to if that would work?
>
> - Grant

I get:

    equery b watch
     * Searching for watch ...
    net-irc/irssi-0.8.15-r1 (/usr/share/irssi/help/watch)
    sys-process/procps-3.2.8_p11 (/usr/bin/watch)
    x11-themes/gnome-themes-standard-3.3.4 (/usr/share/cursors/xorg-x11/Adwaita/cursors/watch)

First and third can be ruled out, I think. So one candidate remains:

    sys-process/procps
         Available versions:  3.2.8 (~)3.2.8-r1 3.2.8-r2 (~)3.2.8_p10-r1 3.2.8_p11 {unicode}
         Installed versions:  3.2.8_p11(00:15:18 22.12.2011)(unicode)
         Homepage:            http://procps.sourceforge.net/
         Description:         Standard informational utilities and process-handling tools
Re: [gentoo-user] Strange outbound requests
On 01/20/2012 07:12 PM, Grant wrote:
> If the machine is running linux, then 'watch lsof -n|grep TCP|grep 3680' as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.
>
> lsof -i is easier, it only shows network connections :)
>
> catching it when it happens (if it is very briefly connected) could be hard with lsof... Maybe setup a tarpit firewall rule on that box so the connection stays open for a long time.
>
> The connections are only attempted a few times throughout the day. Is a tarpit firewall rule the only way to do this? Can anyone tell me what package 'watch' belongs to if that would work?

`watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.

while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done;

You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.
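The one-second poll above works, but a plain grep on the port also matches a local listener, and the line it saves carries no more than the PID/program column, which is empty unless the poll runs as root. The script below is an added example, not code from the thread: it keeps only lines whose peer port matches, then enriches the PID with owner and executable from /proc. It assumes a Linux /proc and either iproute2's `ss -tanp` or the older `netstat -antp` (both put the peer address in column 5). Port 3680 and the file name mystery.log are the thread's; the function names and the sample socket lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: the same one-second poll as the
# loop above, but it keeps only connections whose peer port matches, and
# adds the PID, owner and executable of the process that holds the socket.
# Assumes Linux /proc and either iproute2's `ss -tanp` or `netstat -antp`
# (both place the peer address in column 5). Port 3680 and the file name
# mystery.log are the thread's; the sample lines are constructed.

# PID from an `ss -tanp` line, e.g. (constructed):
#   ESTAB 0 0 192.168.1.10:41234 203.0.113.5:3680 users:(("curl",pid=4321,fd=3))
# Prints nothing when the process column is absent (not root, or a kernel socket).
ss_pid() {
    printf '%s\n' "$1" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p'
}

# PID from a legacy `netstat -antp` line whose last column is "4321/curl".
netstat_pid() {
    printf '%s\n' "$1" | awk '$NF ~ /^[0-9]+\// { sub(/\/.*/, "", $NF); print $NF }'
}

# True when the peer address (column 5 in both tools) ends in ":<port>";
# matching the peer side avoids hits on a local listener using the same number.
peer_port_is() {
    printf '%s\n' "$1" | awk -v p="$2" '{ n = split($5, a, ":"); exit (a[n] == p) ? 0 : 1 }'
}

# Owner and executable of a PID from /proc. A short-lived client may already be
# gone by the time we look, which is exactly the race the thread worried about.
describe_pid() {
    if [ -r "/proc/$1/status" ]; then
        uid=$(awk '/^Uid:/ { print $2 }' "/proc/$1/status")
        exe=$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')
        printf 'pid=%s uid=%s exe=%s' "$1" "$uid" "$exe"
    else
        printf 'pid=%s (already exited)' "$1"
    fi
}

# Turn one socket line into a timestamped log record; returns 1 if the line
# is not a connection to the port we are hunting.
log_record() {
    peer_port_is "$1" "$2" || return 1
    pid=$(ss_pid "$1")
    [ -n "$pid" ] || pid=$(netstat_pid "$1")
    stamp=$(date '+%Y-%m-%dT%H:%M:%S')
    if [ -n "$pid" ]; then
        printf '%s %s %s\n' "$stamp" "$1" "$(describe_pid "$pid")"
    else
        printf '%s %s pid=? (run as root to see the process column)\n' "$stamp" "$1"
    fi
}

# Poll once a second and append only matching records to the log file.
poll_port() {
    while :; do
        if command -v ss >/dev/null 2>&1; then ss -tanp; else netstat -antp; fi 2>/dev/null |
            while IFS= read -r line; do
                log_record "$line" "$1" >>"$2" || true
            done
        sleep 1
    done
}

# Start polling only when invoked as "sh thisfile.sh poll [port] [logfile]",
# so sourcing the file for its functions does not hang.
if [ "${1:-}" = "poll" ]; then
    poll_port "${2:-3680}" "${3:-mystery.log}"
fi
```

Run it as root so the process column is populated; a record that says "already exited" still tells you the exact second the attempt happened, which narrows the search to cron entries and other timed jobs.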
Re: [gentoo-user] Strange outbound requests
> If the machine is running linux, then 'watch lsof -n|grep TCP|grep 3680' as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.
>
> lsof -i is easier, it only shows network connections :)
>
> catching it when it happens (if it is very briefly connected) could be hard with lsof... Maybe setup a tarpit firewall rule on that box so the connection stays open for a long time.
>
> The connections are only attempted a few times throughout the day. Is a tarpit firewall rule the only way to do this? Can anyone tell me what package 'watch' belongs to if that would work?
>
> `watch` isn't going to help too much unless you're looking at it. Append the output to some log file instead. I chose netstat because its output looked easier to parse with a stupid regexp.
>
> while true; do netstat -antp | grep ':993 ' >> mystery.log; sleep 1; done;
>
> You'll want to change the port -- I tested to make sure that was really logging my Thunderbird connections.

Thanks a lot. Test, working, will watch the log and report back.

- Grant
Re: [gentoo-user] Strange outbound requests
On Fri, Jan 20, 2012 at 6:34 PM, Grant emailgr...@gmail.com wrote:
> My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests?
>
> Uh, a packet sniffer? I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.
>
> I've actually got the originating local IP from the shorewall log. I'm just trying to figure out which program and maybe which user on that system is generating the outbound requests to port 3680. Is there any way to get more info without setting up a new box?
>
> I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?
>
> Yeah I just meant the request could be going to anyone.
>
> - Grant
>
> Are you running NPDS in your LAN and is it configured to access any sites on rackspace?
>
> --
> Regards,
> Mick
>
> I am not running NPDS. I looked it up when I was researching port 3680 and read about it for the first time. I know which machine is making the requests. Any way to drill down further?
>
> If the machine is running linux, then 'watch lsof -n|grep TCP|grep 3680' as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.
>
> All of my systems run Gentoo. :) Where does watch come from?

shortcircuit@saffron ~ $ equery b `which watch`
/usr/lib64/portage/pym/portage/package/ebuild/config.py:353: UserWarning: 'cache.metadata_overlay.database' is deprecated: /etc/portage/modules (user_auxdbmodule, modules_file))
 * Searching for /usr/bin/watch ...
sys-process/procps-3.2.8_p11 (/usr/bin/watch)
shortcircuit@saffron ~ $

Incidentally, does anyone know why all my portage-related executions get that 'cache.metadata_overlay.database' warning? I've been seeing it for weeks, even on fresh installs. I would have assumed a bug like that would have been fixed by now.

--
:wq
Re: [gentoo-user] Strange outbound requests
On 21.01.2012 02:39, Michael Mol wrote:
> On Fri, Jan 20, 2012 at 6:34 PM, Grant emailgr...@gmail.com wrote:
>> My firewall is blocking periodic outbound connections to port 3680 on a Rackspace IP. How can I find out more about what's going on? Maybe which program is generating the connection requests?
>>
>> Uh, a packet sniffer? I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.
>>
>> I've actually got the originating local IP from the shorewall log. I'm just trying to figure out which program and maybe which user on that system is generating the outbound requests to port 3680. Is there any way to get more info without setting up a new box?
>>
>> I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?
>>
>> Yeah I just meant the request could be going to anyone.
>>
>> - Grant
>>
>> Are you running NPDS in your LAN and is it configured to access any sites on rackspace?
>>
>> --
>> Regards,
>> Mick
>>
>> I am not running NPDS. I looked it up when I was researching port 3680 and read about it for the first time. I know which machine is making the requests. Any way to drill down further?
>>
>> If the machine is running linux, then 'watch lsof -n|grep TCP|grep 3680' as root is a sloppy but effective way to find it. There's probably some way to set up a firewall rule on the host in question that logs out the user and (possibly) PID of the connection, but I don't know.
>>
>> All of my systems run Gentoo. :) Where does watch come from?
>
> shortcircuit@saffron ~ $ equery b `which watch`
> /usr/lib64/portage/pym/portage/package/ebuild/config.py:353: UserWarning: 'cache.metadata_overlay.database' is deprecated: /etc/portage/modules (user_auxdbmodule, modules_file))
>  * Searching for /usr/bin/watch ...
> sys-process/procps-3.2.8_p11 (/usr/bin/watch)
> shortcircuit@saffron ~ $
>
> Incidentally, does anyone know why all my portage-related executions get that 'cache.metadata_overlay.database' warning? I've been seeing it for weeks, even on fresh installs. I would have assumed a bug like that would have been fixed by now.

You get the warning because you have a directory /etc/portage/modules - simply remove it (or move it, if you are afraid to break something).