On 8/3/2014 10:48 AM, Tom Eastep wrote:
> On 8/3/2014 10:03 AM, merc1...@f-m.fm wrote:
>>
>> Lately I've been noticing that something is hammering away trying to get
>> out ports 25 and 110.  Since I don't use those and they are closed, I am
>> suspicious.  https://pastee.org/k73u8  The destination IP isn't running
>> POP or SMTP either.
>>
>> Unfortunately, Shorewall doesn't have a mechanism to associate a PID to
>> an attempt, maybe because the info just isn't there.  I do find that it
>> is possible to turn on UID reporting, so I added (uid) to each INFO in
>> the policy file and restarted Shorewall, but I'm still not getting the
>> UID.
>> #SOURCE DEST    POLICY          LOG             LIMIT:          CONNLIMIT:
>> #                               LEVEL           BURST           MASK
>> net     $FW     DROP            info(uid)
>> net     local   DROP            info(uid)
>> $FW     net     DROP            info(uid)
>> $FW     local   DROP            info(uid)
>> local   net     DROP            info(uid)
>> local   $FW     DROP            info(uid)
>> #
>> # THE FOLLOWING POLICY MUST BE LAST
>> #       
>> net     all     DROP            info(uid)
>> all     all     DROP            info(uid)
>> #LAST LINE -- DO NOT REMOVE
>>
>>
>> I need to put these 25 and 110 accesses with a PID to try and identify
>> this trojan.  I'm trying # netstat -apn|grep -w DPT=25 but that hasn't
>> caught anything yet, and it's not a real solution long-term.
>>
>> Any suggestions?
>>
> 
> Please disregard my suggestion -- I missed that you are already doing that.
> 

But your command is wrong. Should be:

        netstat -tnap | fgrep :25

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
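Added example, not from this thread or from Shorewall itself: a small POSIX shell helper that does what Tom's `netstat -tnap | fgrep :25` does, but anchors on the foreign-address column so that a match on `:25` does not also pick up `:2525` or `:250`, and reports the `PID/Program name` column for each socket heading to the watched port. The netstat output below is constructed sample data (PID 4242 and the program name `unknownbin` are invented); on a real host run the `live_*` function as root, since netstat only shows PIDs for other users' processes when run with privilege.

```shell
#!/bin/sh
# Constructed sample of `netstat -tnap` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      1 192.0.2.10:51234        198.51.100.7:25         SYN_SENT    4242/unknownbin
tcp        0      0 192.0.2.10:44100        203.0.113.5:2525        ESTABLISHED 999/other
tcp        0      1 192.0.2.10:51240        198.51.100.7:110        SYN_SENT    4242/unknownbin'

# outbound_to_port PORT
# Reads `netstat -tnap` style lines on stdin and prints the PID/Program column
# for every TCP socket whose *foreign* address ends in :PORT.  Matching on the
# foreign column (field 5) with an end anchor avoids the false hits a plain
# `fgrep :25` produces on ports such as 2525 or on local ports.
outbound_to_port() {
    awk -v p="$1" '$1 ~ /^tcp/ && $5 ~ (":" p "$") { print $7 }'
}

# pids_for_port PORT
# Convenience wrapper over the constructed sample; returns unique PID/Program
# entries so a process opening many sockets is listed once.
pids_for_port() {
    printf '%s\n' "$SAMPLE_NETSTAT" | outbound_to_port "$1" | sort -u
}

# naive_hits PORT
# Count of lines a plain `grep -F :PORT` would return on the same sample,
# to show why the anchored match above is preferable.
naive_hits() {
    printf '%s\n' "$SAMPLE_NETSTAT" | grep -Fc ":$1"
}

# live_outbound_to_port PORT [INTERVAL]
# Poll the real socket table (root needed to see other users' PIDs) and log
# any process connecting to PORT with a timestamp.  Short-lived SYN_SENT
# sockets may be missed between polls; a kernel-side hook such as an audit
# rule on connect() is the reliable long-term answer, but this catches the
# repeated attempts the thread describes.
live_outbound_to_port() {
    port="$1"; interval="${2:-1}"
    while :; do
        netstat -tnap 2>/dev/null | outbound_to_port "$port" | sort -u |
            while read -r owner; do
                printf '%s dst-port %s owner %s\n' "$(date '+%F %T')" "$port" "$owner"
            done
        sleep "$interval"
    done
}

# Stand-alone demo on the constructed sample: show what each port resolves to.
for port in 25 110; do
    printf 'port %s -> %s\n' "$port" "$(pids_for_port "$port" | tr '\n' ' ')"
done
```

Usage on a real host would be `live_outbound_to_port 25` (and a second instance for 110) in a terminal or under nohup; on systems without net-tools, `ss -tnp dst :25` gives the same information in one command.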


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
