Yesterday SNORT logged messages of this kind:
BAD-TRAFFIC same SRC/DST [Classification: Potentially Bad Traffic].
It's about communication where source and target are the same IP.
There's weird communication between ports on private server IP
(192.168.1.1):
192.168.1.1:3306(mysql) -> 192.168.1.1:62321
192.168.1.1:62321(mysql) -> 192.168.1.1:3306
192.168.1.1:3306(mysql) -> 192.168.1.1:62322
192.168.1.1:62322(mysql) -> 192.168.1.1:3306
and so on...
The same happens with the public IP:
123.45.67.8:80 -> 123.45.67.8:34124
123.45.67.8:34124 -> 123.45.67.8:80
The MySQL daemon is stopped.
The Apache daemon is running, bound to both interfaces.
In the log there is a trace of this (made by SNORT) every 5 minutes.
Tried chkrootkit -- no help.
Here is the output of `tcpdump -nei lo dst host 192.168.1.1`:
09:30:02.752314 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 75: IP 192.168.1.1.3306 > 192.168.1.1.47408: P 4422:4431(9) ack 2482 win 8192 <nop,nop,timestamp 83528538 83528538>
Here is the output of `netstat -atp`:
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 192.168.1.1:mysql *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:https *:* LISTEN
I tried restarting mysqld many times.
The server was not shut down correctly due to a power failure.
Thanks for any help in resolving this problem.
--
[email protected] mailing list
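Added example, not part of the original post or the mailing list: a small Python triage helper for alerts of this class. It parses tcpdump lines in the format quoted above together with a `netstat -atp` listing, reports TCP flows whose source and destination IP are identical (the condition the "same SRC/DST" rule fires on), groups them by service port and ephemeral port, and records whether the service port is actually in LISTEN state, which is the first thing to verify when a daemon is believed to be stopped. The sample tcpdump and netstat lines are constructed for this example, and the service-name-to-port table is an assumption standing in for a lookup in /etc/services.

```python
"""Triage helper for Snort 'BAD-TRAFFIC same SRC/DST' alerts (added example)."""
import re

# Constructed sample lines modelled on the tcpdump output in the post.
TCPDUMP_LINES = [
    "09:30:02.752314 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), "
    "length 75: IP 192.168.1.1.3306 > 192.168.1.1.47408: P 4422:4431(9) ack 2482 "
    "win 8192 <nop,nop,timestamp 83528538 83528538>",
    "09:30:02.752401 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), "
    "length 66: IP 192.168.1.1.47408 > 192.168.1.1.3306: . ack 4431 win 8192",
    "09:30:03.101111 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), "
    "length 74: IP 123.45.67.8.34124 > 123.45.67.8.80: S 0:0(0) win 5840",
    # Ordinary client traffic from another host: must NOT be reported.
    "09:30:05.000000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), "
    "length 74: IP 10.0.0.5.51000 > 192.168.1.1.80: S 0:0(0) win 5840",
]

# Constructed sample modelled on the netstat -atp output in the post.
NETSTAT_LINES = [
    "tcp 0 0 *:imaps *:* LISTEN",
    "tcp 0 0 192.168.1.1:mysql *:* LISTEN",
    "tcp 0 0 *:http *:* LISTEN",
]

# Assumed service-name table; a real tool would read /etc/services instead.
SERVICE_PORTS = {"imaps": 993, "mysql": 3306, "http": 80, "https": 443,
                 "ftp": 21, "smtp": 25}

# tcpdump prints "IP <src>.<sport> > <dst>.<dport>:" for IPv4 TCP/UDP.
FLOW_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_flow(line):
    """Return (src_ip, src_port, dst_ip, dst_port) or None if the line is not a flow."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def listening_ports(netstat_lines):
    """Return a set of (local_addr, port) for sockets in LISTEN state ('*' = any address)."""
    result = set()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 6 or parts[-1] != "LISTEN":
            continue
        addr, _, svc = parts[3].rpartition(":")  # local address column
        port = int(svc) if svc.isdigit() else SERVICE_PORTS.get(svc)
        if port is not None:
            result.add((addr, port))
    return result


def is_listening(listen_set, ip, port):
    """True if something listens on ip:port, either bound to ip or to all addresses."""
    return (ip, port) in listen_set or ("*", port) in listen_set


def same_host_flows(tcpdump_lines, netstat_lines):
    """Group same-SRC/DST packets by (ip, service_port, ephemeral_port).

    The lower port of the pair is treated as the service side; the result records
    how many packets were seen and whether that service port is currently LISTENing.
    """
    listen_set = listening_ports(netstat_lines)
    flows = {}
    for line in tcpdump_lines:
        f = parse_flow(line)
        if f is None:
            continue
        sip, sport, dip, dport = f
        if sip != dip:  # only the same-SRC/DST condition is of interest here
            continue
        svc_port, eph_port = sorted((sport, dport))
        key = (sip, svc_port, eph_port)
        entry = flows.setdefault(
            key, {"count": 0, "listening": is_listening(listen_set, sip, svc_port)})
        entry["count"] += 1
    return flows


if __name__ == "__main__":
    for (ip, svc, eph), info in same_host_flows(TCPDUMP_LINES, NETSTAT_LINES).items():
        state = "LISTEN" if info["listening"] else "no listener"
        print(f"{ip}:{svc} <-> {ip}:{eph}  packets={info['count']}  service port: {state}")
```

A flow whose service port shows "no listener" while packets keep appearing deserves a closer look with `netstat -atp` or `lsof -i` to identify the owning process; a flow to a port that is in LISTEN state is at least consistent with a local process talking to a local service.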