> Of course my intent and my purpose would be to trace these outgoing
> attempts to a process number or name in my machine, at the most basic,
> so I could know whether this is a cron job or daemon, much less how I
> got it. This seems like the very first and most basic step to take in a
> case like this, but it seems I am doing New Science. It seems my only
> option at this point is to wipe and completely reinstall the OS.

As I already pointed out, you can get all this information by:

1. Activating SELinux in "Enforce" mode - you just have to install your
   kernel with SELinux-related options activated. If you use a "standard"
   kernel (i.e. the one which comes with your distro), at least in Fedora's
   case the SELinux hooks are there.

2. Install the auditd daemon package and activate it at startup (otherwise
   all of your security-related alerts will be logged in your syslog and
   you may not be able to "decipher" them).

3. Create a rule - either in Shorewall's "rules" file (use the "NEW"
   section), or do it manually using the raw or mangle tables - which uses
   the AUDIT target (Shorewall provides 3 such "macros" - A_ACCEPT,
   A_REJECT and A_DROP) that matches the source/destination ports and
   protocol you are interested in inspecting, like so:

       A_DROP   $FW   net   udp   3333

   For that to work though, both your kernel and iptables need the AUDIT
   target/match present - that comes as "standard" with recent kernels
   (3.x+ if I remember correctly).

4. (Optional) Install the selinux tools package to include "ausearch" so
   that you would be able to "decipher" your AUDIT logs. If you don't do
   that, you will get raw values (still readable, and you can understand at
   least most of it).

5. Check your syslog (if you don't have the auditd daemon running) or
   /var/log/audit/audit.log to see whether there are any matches. The lines
   you should be looking for should have "NETFILTER_PKT" as the message
   type (if you use ausearch you can specify that as a filter parameter, as
   I indicated in one of my previous replies to you).

The end!

The above should enable you to see, at the very least, who/what creates
that packet by inspecting the AUDIT log properties - executable path, uid,
pid, tid, ppid etc. - *and* drop the said packet (if you used A_DROP). If
you want to dig a bit deeper and inspect the packet contents (useful if you
are going after that asshole in WA) then you have to use ulogd2 and activate
some of its many available plugins so that you can log the packet contents
as well. This is a bit more advanced stuff, so it is not everyone's cup of
tea.

> How I got infected is a mystery, as is how to prevent it from happening
> again, other than learning everything about SELinux.

You don't have to "learn everything about SELinux" - just follow the steps
above and read what I've sent you previously, that's all.

> There has got to be a better way.

If you want to find out what process/thread created the packet and get the
user credentials used, this is the only reliable way I know of. Netfilter
sometimes gives you that information, but this is obscure and incomplete,
to say the least.
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
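The audit-log check in step 5 above, as an added example that is not part of the original post: a small Python parser that reads audit.log lines, groups records by the event serial in msg=audit(time:serial) the way ausearch groups them, and joins each NETFILTER_PKT record to the SYSCALL record of the same event to report the exe, pid, ppid and uid the post names. The log lines are constructed, the NETFILTER_PKT/SYSCALL field sets shown are illustrative, and it is an assumption of the example that an outgoing packet's NETFILTER_PKT record shares its serial with a SYSCALL record; an inbound packet with no such record still parses, with the process fields left empty.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not a real capture).
# Real records use the framing "type=<TYPE> msg=audit(<secs>.<ms>:<serial>): k=v ...";
# the field sets shown for NETFILTER_PKT and SYSCALL are illustrative.
SAMPLE_AUDIT_LOG = """\
type=NETFILTER_PKT msg=audit(1351000001.123:4711): action=0 hook=3 proto=17 saddr=192.0.2.10 daddr=198.51.100.7 sport=40123 dport=3333
type=SYSCALL msg=audit(1351000001.123:4711): arch=c000003e syscall=44 success=yes exit=64 ppid=1 pid=2342 auid=4294967295 uid=0 gid=0 tty=(none) comm="sneaky" exe="/usr/local/bin/sneaky" key=(null)
type=NETFILTER_PKT msg=audit(1351000002.456:4712): action=0 hook=3 proto=6 saddr=192.0.2.10 daddr=198.51.100.9 sport=51000 dport=443
type=SYSCALL msg=audit(1351000002.456:4712): arch=c000003e syscall=44 success=yes exit=128 ppid=1200 pid=2390 auid=1000 uid=1000 gid=1000 tty=pts0 comm="curl" exe="/usr/bin/curl" key=(null)
type=NETFILTER_PKT msg=audit(1351000003.789:4713): action=0 hook=0 proto=17 saddr=203.0.113.5 daddr=192.0.2.10 sport=3333 dport=40123
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # values are bare tokens or double-quoted strings


def parse_record(line):
    """Split one audit line into type, event serial, timestamp and key=value fields (None if malformed)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return {'type': m.group('type'), 'serial': int(m.group('serial')), 'time': m.group('time'), **fields}


def attribute_packets(log_text, dport=None, proto=None):
    """Join each NETFILTER_PKT record to the SYSCALL record that shares its event serial.
    Process fields stay None when the event has no SYSCALL record (e.g. an inbound packet)."""
    events = defaultdict(dict)          # serial -> {record type -> parsed record}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['serial']][rec['type']] = rec
    hits = []
    for serial in sorted(events):
        pkt = events[serial].get('NETFILTER_PKT')
        if pkt is None:
            continue                    # syscall-only event, no packet to attribute
        if dport is not None and pkt.get('dport') != str(dport):
            continue
        if proto is not None and pkt.get('proto') != str(proto):
            continue
        sc = events[serial].get('SYSCALL', {})
        hits.append({'serial': serial, 'time': pkt['time'], 'daddr': pkt.get('daddr'),
                     'dport': pkt.get('dport'), 'proto': pkt.get('proto'),
                     'pid': sc.get('pid'), 'ppid': sc.get('ppid'), 'uid': sc.get('uid'),
                     'exe': sc.get('exe')})
    return hits
```

Calling attribute_packets(SAMPLE_AUDIT_LOG, dport=3333, proto=17) returns the single udp/3333 packet together with the exe, pid, ppid and uid of the process that sent it; on a real box, read the text from /var/log/audit/audit.log instead of the constructed sample.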
