At 04:51 PM 11/13/2004 +0000, Shango Oluwa wrote:
Greetings the List,

Firstly, I would like to endorse the work done by the UbuntuLinux
team with their distribution based on Gnu/Debian. My organisation,
MeWe, has chosen this distribution for installation on all
workstations in our office, youth centre and educational facilities.

Installing UbuntuLinux across several laptops & workstations
(some of them PII 266) was a relaxed process with a few minor
obstacles that my team & I solved easily.

However, our internal LEAF router is now showing intermittent
packets (approx. every 17 mins.) coming from UbuntuLinux machines
and destined for an upstream server's port 40118.

Examples:

Nov 13 11:11:00 malcolmx Shorewall:all2all:REJECT: IN=eth1 OUT=eth0
MAC=aa.bb.cc.dd.ee SRC=192.x.y.z DST=192.p.q.r LEN=60 TOS=00 PREC=0x00
TTL=63 ID=54420 DF PROTO=TCP SPT=1022 DPT=40118 SEQ=3719141646 ACK=0
WINDOW=5840 SYN URGP=0

Nov 13 11:28:12 malcolmx Shorewall:all2all:REJECT: IN=eth1 OUT=eth0
MAC=aa.bb.cc.dd.ee SRC=192.x.y.z DST=192.p.q.r LEN=60 TOS=00 PREC=0x00
TTL=63 ID=22359 DF PROTO=TCP SPT=1022 DPT=40118 SEQ=492158226 ACK=0
WINDOW=5840 SYN URGP=0

This happens regardless of whether applications have been started
(e.g. browser, email, etc) or not.

Can any user on this list suggest a means of discovering which
process is responsible for these SYN packets? This is an area with
which I am unfamiliar and any help would be appreciated.


There are, to my knowledge, no simple "magic trick" sorts of answers to your question. But let me suggest a few basic things you might try. I apologize in advance if this advice seems to underestimate your degree of expertise; I am responding based on your statement that "This is an area with which I am unfamiliar and any help would be appreciated".

1. Consult the right group of experts. We here are LEAF experts and, to a degree, general experts on routing and networking. We are not UbuntuLinux experts, and your problem is more a UbuntuLinux problem than a LEAF one. So first suggestion is that you pose your question on a Ubuntu support list; this may turn out to be one of those things that "everyone" knows about.

2. Run a sniffer (tcpdump, ethereal) to capture the odd packets and see what they are. In principle, you can do this anywhere on your LAN where the packets can be seen (which depends on your hardware; switches, for example, make it harder to listen in than hubs do). In practice, surely the easiest place to do this is on one of the Ubuntu hosts that is generating the odd packets.

3. Check for a process that has source port 1022 open. Use "netstat -an" (on a Ubuntu host) to do this. You can run netstat to update this list every second ("netstat -anc") to catch transient port use ... probably easiest to do if you redirect output to a file.

4. Examine the details of the packet pattern more closely for hints. You've chosen to give us too little information (only 2 packets; concealing addresses) for me to do this for real, but a couple of examples will give you the idea.

A. You say the packets come "approx. every 17 mins.". If the two example packets you provided are both from the same host (as your use of "192.x.y.z" in both would imply), then they are 1032 seconds apart. Do succeeding packets from this host come every 1032 (+/-2) seconds? Or do they always come at minutes 0, 17, and 34, plus a few seconds? If the first, look for an active process that sleeps a lot. If the second, look for a cron job that runs, at low priority, 3 times per hour.

B. The sample packets go to destination "192.p.q.r". (You might check which Shorewall rule is REJECT'ing them; I had initially assumed that (p==168 && q != y, with a /24 netmask everywhere) and you were hitting the RFC1918 rule, but the samples you've supplied say it is all2all that is doing the REJECT, so now I wonder.) Is the destination address always the same "192.p.q.r" or do the destinations vary? If the first, check for an init script (probably /etc/init.d/ if Ubuntu retains that Debian convention) with that address in it, or a config script (somewhere in /etc/ probably) that contains it. Or, just possibly, something in /root. (Non-root users are unlikely to be running the relevant process, since its source port is a privileged port, but that too is possible if the process involved is suid capable ... ssh, for example, in some configurations.) If the second ... well, I really have no ideas then, since these apparently are packets intended to initiate a TCP connection (SYN but not ACK), not respond to one, so I can't think of where the initiating process would get multiple addresses.

C. Depending on what the real values behind "192.p.q.r" are, you might want to ask why the packets are being routed to the router at all. If, for example, "192.p.q.r" = 192.168.1.254 and "192.x.y.z" = 192.168.0.1, then there is no puzzle here ... but the interpretation does depend on details you've chosen to keep from us, so I can't really say.

5. Look for clues based on the source and destination ports. I tried this a bit and came up almost empty ... got a few hits associating port 1022 with the Sasser worm, but that's not a convincing explanation for Linux hosts. (Especially since you haven't actually said that 1022 is always the source port; that's just what we see in your two example packets.)

6. If the "192.p.q.r" address is actually a routable address, try telnet'ing to port 40118 at it and see what it says is running on that port.
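The reply above suggests two checks that are tedious to do by eye on a Shorewall log: confirm that every packet is SYN-only from the same source port to the same destination, and decide whether the inter-arrival times point at a fixed-interval sleeper or at a cron-style wall-clock schedule. The script below is an added example, not code from the original thread or from the LEAF project. It parses iptables/Shorewall REJECT lines in the format shown in the post, groups them by SRC, and applies both tests. The addresses (192.0.2.x, RFC 5737 test space), the follow-up log lines after the two quoted in the post, and the year (syslog timestamps carry none; 2004 is taken from the thread date) are all constructed assumptions.

```python
"""Classify recurring SYN REJECTs in a Shorewall/iptables log.

Added example for the thread above; not part of the original post.
Assumptions: year 2004 (syslog lines carry none), constructed 192.0.2.x
addresses standing in for the post's 192.x.y.z / 192.p.q.r.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2004  # assumed from the thread date
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"
    r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the interesting fields, or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tokens = m["rest"].split()
    fields = dict(KV_RE.findall(m["rest"]))
    # Flag tokens stand alone ("SYN"); "ACK=0" is the ack number, not the flag.
    flags = {t for t in tokens if t in TCP_FLAGS}
    return {
        "ts": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "chain": m["chain"], "action": m["action"],
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": fields.get("SPT"), "dpt": fields.get("DPT"),
        "syn_only": fields.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags,
    }


def classify(timestamps, tolerance=4):
    """Fixed interval (sleeping process) vs. wall-clock schedule (cron-like)."""
    if len(timestamps) < 3:
        return "too few samples"
    deltas = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if max(deltas) - min(deltas) <= tolerance:
        return f"fixed interval ~{round(sum(deltas) / len(deltas))}s (sleeping process)"
    minutes = {t.minute for t in timestamps}
    # Few distinct minute-of-hour values and small seconds offsets: a scheduler fired it.
    if len(minutes) <= len(timestamps) // 2 and all(t.second < 30 for t in timestamps):
        return f"wall-clock schedule at minutes {sorted(minutes)} (cron-like)"
    return "irregular"


def analyse(log_text):
    """Per source host: counts, port/destination sets and the timing pattern."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "REJECT" and rec["syn_only"]:
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        report[src] = {
            "count": len(recs),
            "dst": sorted({r["dst"] for r in recs}),
            "spt": sorted({r["spt"] for r in recs}),
            "dpt": sorted({r["dpt"] for r in recs}),
            "pattern": classify([r["ts"] for r in recs]),
        }
    return report


def _syn_line(ts, src, ident, spt="1022", dst="192.0.2.200"):
    """Build a constructed log line in the exact layout of the post's examples."""
    return (f"{ts} malcolmx Shorewall:all2all:REJECT: IN=eth1 OUT=eth0 MAC=aa.bb.cc.dd.ee "
            f"SRC={src} DST={dst} LEN=60 TOS=00 PREC=0x00 TTL=63 ID={ident} DF PROTO=TCP "
            f"SPT={spt} DPT=40118 SEQ=0 ACK=0 WINDOW=5840 SYN URGP=0")


# Constructed sample: host .10 mimics the post (every 1032 s), host .11 a cron-like
# schedule, plus one UDP line that must be ignored.
SAMPLE_LOG = "\n".join(
    [_syn_line(ts, "192.0.2.10", 54420 + i) for i, ts in enumerate(
        ["Nov 13 11:11:00", "Nov 13 11:28:12", "Nov 13 11:45:24", "Nov 13 12:02:36"])]
    + [_syn_line(ts, "192.0.2.11", 1000 + i) for i, ts in enumerate(
        ["Nov 13 11:00:03", "Nov 13 11:17:04", "Nov 13 11:34:02", "Nov 13 11:51:05",
         "Nov 13 12:00:02", "Nov 13 12:17:04", "Nov 13 12:34:03", "Nov 13 12:51:01"])]
    + ["Nov 13 11:30:00 malcolmx Shorewall:all2all:REJECT: IN=eth1 OUT=eth0 "
       "MAC=aa.bb.cc.dd.ee SRC=192.0.2.10 DST=192.0.2.200 LEN=56 TOS=00 PREC=0x00 "
       "TTL=63 ID=7 DF PROTO=UDP SPT=32768 DPT=123 LEN=36"])

if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```

Run it against `grep REJECT /var/log/messages` from the router instead of SAMPLE_LOG. A "fixed interval" verdict points at a long-running process; on the Ubuntu host, `netstat -anp` as root (or `lsof -i :1022`) while the connection attempt is in flight names the PID that owns the source port. A "wall-clock schedule" verdict points at cron, so the crontabs and /etc/cron.d are the place to look.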






leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
