Hi
I'm having an issue that I'm starting to think is suspicious and I'm
wondering if rkhunter should have picked it up.
This is the setup.
* debian jessie amd64, with backports kernel (4.9). rkhunter 1.4.2-0,
rsync 3.1.1-3.
* debsums is happy with the checksums of the rsync & rkhunter package files.
* after boot, rsync daemon starts ok listening on 873/tcp
* something seems to take over the connection so that rsync clients
start failing:
$ rsync localhost::
rsync: failed to connect to localhost (127.0.0.1): Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(128)
[Receiver=3.1.1]
* I get similar failures connecting to the affected host's rsync service
from other machines.
* In netstat -an I see there is a connection to another host on port 2049
$ netstat -anp|grep 873
tcp 0 0 1.2.3.4:873 1.2.3.5:2049 ESTABLISHED -
* however I can't find any associated process,
using lsof, fuser or ss, nor unhide-tcp. rkhunter --check is clean.
Things I tried
* grubbing around in /proc/net/tcp shows the connection
but did not yield any related UIDs other than 0.
* I tried chasing down the inode numbers mentioned
in the /proc/net/tcp entry but the system has multiple filesystems
so I could use some pointers on the use of debugfs.
* If I kill the connection with tcpkill, it comes back after a variable delay;
the delay is a few seconds at least.
* After killing the tcp connection I was able to restart rsync and
get it to bind to port 873, but it gets taken over again not long after.
* stracing the tcpkill process didn't yield any clues about
what is taking over the connection.
* tcpdumping the connection on 1.2.3.4 shows rsync traffic.
Early on I was seeing headers and data, now all I seem to see is
the server startup and MOTD string.
Wireshark flags occasional duplicate ACKs and reused tcp ports.
* tcpdumping the connection on 1.2.3.5 shows much the same.
Does this sound familiar to anyone? Any ideas on what to try next?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
