Bizarre connections from and to a FC7 unattended

stan stanl at cox.net
Mon Jul 23 19:59:05 UTC 2007


On Mon, 23 Jul 2007 14:53:35 -0300
Thomas TS <ttsoares at cristhom.com.br> wrote:

> This is a FC7 full updated.
> The system is running with no user logged in.
> Just some default daemons and services:
> 
> # netstat -apn | grep LIST | grep tcp
> 
> tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      2580/nasd
> tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2834/dnsmasq
> tcp        0      0 0.0.0.0:821             0.0.0.0:*               LISTEN      2335/rpc.statd
> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2525/cupsd
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2559/sendmail: acce
> tcp        0      0 :::111                  :::*                    LISTEN      2301/rpcbind
> tcp        0      0 :::22                   :::*                    LISTEN      2539/sshd
> 
> 
> This box is behind a NAT and from the gateway one can look the 
> connections to/from the FC7 system.
> 
> After some time monitoring with iptraf several - for me - strange 
> connections appears...
> 
> ┌ TCP Connections (Source Host:Port) ──── Packets ─── Bytes ─── Flags ──── Iface ┐
> │┌192.168.1.254:42977      =    695    45740    --A-      eth2 │
> │└192.168.1.129:22         =    575    96948    -PA-      eth2 │
> │┌193.28.235.40:80         =      0        0    ----      eth2 │
> │└192.168.1.129:45869      =      4      240    S---      eth2 │
> │┌192.168.1.129:44799      =      8      565    --A-      eth2 │
> │└131.252.208.96:80        =      7     2730    CLOSED    eth2 │
> │┌193.140.100.100:21       =      0        0    ----      eth2 │
> │└192.168.1.129:55991      =      1       46    RESET     eth2 │
> │┌192.168.1.129:56462      =      0        0    ----      eth2 │
> │└64.90.181.77:55979       >      1       52    --A-      eth2 │
> │┌192.168.1.129:22         =     49     6668    CLOSED    eth2 │
> │└192.168.1.254:36544      =     64     7008    CLOSED    eth2 │
> │┌192.168.1.129:44507      =      9      641    --A-      eth2 │
> │└209.132.176.120:80       =      9     4689    CLOSED    eth2 │
> 
> Some are obviously acceptable, such as 209.132.176.120
> (admin.fedora.redhat.com), but a lot of them are to very strange places!!!
> 
> I am already blocking all to/from
> 
> 198.82.161.0/24
> 193.28.235.0/24
> 147.102.222.0/24
> 131.252.208.0/24
> 
> because I could not figure out why, and which program, was doing a lot of
> uploads from my system to hosts at IPs in those class B and C nets...
> 
> Am I too paranoid?
> 

It is possible, depending on how you are logging the TCP packets,
that you are seeing failed attempts rather than actual connections.

I am not an expert (or even very knowledgeable), but I would be
concerned, or at least investigate.

Run 
"/sbin/ausearch -i -ts yesterday | grep -i fail | less"

I suspect you will see lots of hits on ssh.  Perhaps someone succeeded.

"/sbin/ausearch -i -ts yesterday | grep -i ssh | grep -i success"

I think Fedora locks down the sendmail server by default, but you could
check it as well.  Spammers are always looking for open relays, and
it is another exposure to the web for crackers to exploit.

You can get more info on ausearch with man ausearch.

Remove any installed chkrootkit, in case it is compromised, and install it again.

yum remove chkrootkit*
yum install chkrootkit*

Then run it with the fresh copy to see if it finds any infestations.
Not perfect, but should catch crackers that aren't skilled.
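Two things the thread leaves the reader to do by hand are finding out which process owns each connection the gateway sees and deciding which remote hosts are worth a second look. The script below is an added example for this page, not code from either poster. It parses the output of `netstat -tpn` (TCP only, numeric, with the PID/Program column, which is only filled in when run as root) and reports every foreign endpoint outside a set of trusted networks together with the process that owns it. The netstat text is constructed for illustration; the foreign addresses use RFC 5737 documentation ranges rather than the hosts in the post, and the trusted networks are an assumption taken from the listings above (the LAN, the dnsmasq 192.168.122.0/24 network, and the admin.fedora.redhat.com address the poster already accepts).

```python
"""Map connections seen from the gateway back to the owning process on the host."""
import ipaddress
import sys

# Constructed sample shaped like `netstat -tpn` run as root; not real output
# from the poster's box. Foreign hosts are RFC 5737 documentation addresses.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.129:22        192.168.1.254:42977     ESTABLISHED 3198/sshd: thomas
tcp        0      0 192.168.1.129:44507     209.132.176.120:80      ESTABLISHED 3301/yum
tcp        0      0 192.168.1.129:45869     203.0.113.40:80         SYN_SENT    3301/yum
tcp        0      0 192.168.1.129:56462     198.51.100.77:55979     ESTABLISHED 2587/perl
tcp        0      0 192.168.1.129:55991     198.51.100.9:21         ESTABLISHED -
"""

# Assumed trusted networks, taken from the listings in the thread.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.1.0/24",       # the LAN behind the NAT
    "192.168.122.0/24",     # the dnsmasq network in the netstat listing
    "209.132.176.120/32",   # admin.fedora.redhat.com, which the poster accepts
)]


def parse_netstat(text):
    """Return one dict per TCP connection line: proto, local, remote, state, owner."""
    conns = []
    for line in text.splitlines():
        if not line.startswith("tcp"):      # skips the two header lines and udp
            continue
        # Program names can contain spaces ("sshd: thomas"), so cap the split at 6.
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        proto, _rq, _sq, local, remote, state, owner = fields
        conns.append({"proto": proto, "local": local, "remote": remote,
                      "state": state, "owner": owner.strip()})
    return conns


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); also handles '::ffff:1.2.3.4:80'."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def is_trusted(addr, trusted_nets=TRUSTED_NETS):
    """True if addr falls inside any trusted network (IPv4-mapped IPv6 unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:   # tcp6 sockets show v4 peers as ::ffff:a.b.c.d
        ip = ip.ipv4_mapped
    return any(ip in net for net in trusted_nets)


def flag_connections(conns, trusted_nets=TRUSTED_NETS):
    """Connections whose remote side is outside the trusted networks.

    Each entry carries a reason so the output can be triaged directly: an
    owner of '-' on a root run means no userland process is visible for the
    socket, which on a box suspected of compromise is a finding by itself.
    """
    flagged = []
    for c in conns:
        host, port = split_endpoint(c["remote"])
        if is_trusted(host, trusted_nets):
            continue
        reason = "no owning process visible" if c["owner"] == "-" else "untrusted remote"
        flagged.append({"remote": f"{host}:{port}", "state": c["state"],
                        "owner": c["owner"], "reason": reason})
    return flagged


if __name__ == "__main__":
    # Pipe `netstat -tpn` in, or run interactively to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    flagged = flag_connections(parse_netstat(text))
    if not flagged:
        print("nothing outside the trusted networks")
    for f in flagged:
        print(f"{f['remote']:<22} {f['state']:<12} {f['owner']:<20} {f['reason']}")
```

On the live box, `netstat -tpn | python3 owner.py` (run as root, or the owner column is empty) gives the PID; `ls -l /proc/PID/exe /proc/PID/cwd` then shows which binary is behind it and where it was started from, which is the answer to "which program" without guessing from the remote address alone.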
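The `ausearch | grep fail` and `grep success` checks suggested above are easier to act on when the results are grouped by source address, so a brute-force run and a host that failed and then succeeded both stand out. This is an added example for this page, not code from the poster, and it assumes the interpreted (`ausearch -i`) record format: it reads audit records from stdin (or a constructed sample when run interactively), keeps only USER_AUTH and USER_LOGIN records produced by sshd, and counts failures and successes per `addr=`. The sample records are constructed for illustration, with external addresses from RFC 5737 ranges; the exact field layout of interpreted records differs between audit versions, so the parser keys only on the record type and on the `exe=`, `addr=` and `res=` fields.

```python
"""Summarise sshd authentication results per source address from `ausearch -i` output."""
import re
import sys
from collections import Counter, defaultdict

TYPE_RE = re.compile(r"^type=(\w+)")
ADDR_RE = re.compile(r"\baddr=([0-9a-fA-F.:]+)")
RES_RE = re.compile(r"\bres=(success|failed)")

# PAM record types that carry an authentication or login result.
AUTH_TYPES = {"USER_AUTH", "USER_LOGIN"}

# Constructed sample records, not real audit output from the poster's box.
_FAIL = ("type=USER_AUTH msg=audit(07/23/2007 03:1{n}:02.101:30{n}) : pid=31{n} uid=root "
         "auid=unset msg='op=PAM:authentication acct=\"{acct}\" exe=\"/usr/sbin/sshd\" "
         "hostname=? addr=203.0.113.7 terminal=ssh res=failed'")
SAMPLE_AUDIT = "\n".join(
    # Six failed guesses in a row from one outside host.
    [_FAIL.format(n=i, acct=a)
     for i, a in enumerate(["root", "admin", "test", "oracle", "guest", "root"])]
    + [
        # The gateway's own login, which the iptraf listing shows on port 22.
        "type=USER_AUTH msg=audit(07/23/2007 09:02:11.417:3120) : pid=3198 uid=root auid=unset "
        "msg='op=PAM:authentication acct=\"thomas\" exe=\"/usr/sbin/sshd\" hostname=? "
        "addr=192.168.1.254 terminal=ssh res=success'",
        "type=USER_LOGIN msg=audit(07/23/2007 09:02:11.520:3124) : pid=3198 uid=root auid=thomas "
        "msg='op=login id=thomas exe=\"/usr/sbin/sshd\" hostname=? addr=192.168.1.254 "
        "terminal=/dev/pts/0 res=success'",
        # One failure followed by a success from the same outside host.
        "type=USER_AUTH msg=audit(07/23/2007 11:40:01.008:3300) : pid=3355 uid=root auid=unset "
        "msg='op=PAM:authentication acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? "
        "addr=198.51.100.20 terminal=ssh res=failed'",
        "type=USER_AUTH msg=audit(07/23/2007 11:40:09.336:3302) : pid=3355 uid=root auid=unset "
        "msg='op=PAM:authentication acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? "
        "addr=198.51.100.20 terminal=ssh res=success'",
        # Not sshd: a cron job's PAM session must not be counted.
        "type=USER_START msg=audit(07/23/2007 12:00:01.003:3400) : pid=3401 uid=root auid=unset "
        "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/sbin/crond\" hostname=? addr=? "
        "terminal=cron res=success'",
    ])


def ssh_auth_summary(audit_text):
    """Return {addr: {"failed": n, "success": n}} over sshd USER_AUTH/USER_LOGIN records."""
    per_addr = defaultdict(Counter)
    for line in audit_text.splitlines():
        rtype = TYPE_RE.match(line)
        if not rtype or rtype.group(1) not in AUTH_TYPES:
            continue
        if "/usr/sbin/sshd" not in line:       # exe= field, quoted or not
            continue
        addr, res = ADDR_RE.search(line), RES_RE.search(line)
        if addr and res:                       # records with addr=? are skipped
            per_addr[addr.group(1)][res.group(1)] += 1
    return {a: dict(c) for a, c in per_addr.items()}


def suspicious_sources(summary, fail_threshold=5):
    """Two sorted lists: addresses at or above the failure threshold, and
    addresses that both failed and succeeded (a guessed password, or a
    legitimate typo: check which)."""
    brute = sorted(a for a, c in summary.items() if c.get("failed", 0) >= fail_threshold)
    mixed = sorted(a for a, c in summary.items() if c.get("failed") and c.get("success"))
    return brute, mixed


if __name__ == "__main__":
    # Pipe `ausearch -i -ts yesterday` in, or run interactively for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    summary = ssh_auth_summary(text)
    for addr, counts in sorted(summary.items()):
        print(f"{addr:<18} failed={counts.get('failed', 0):<4} success={counts.get('success', 0)}")
    brute, mixed = suspicious_sources(summary)
    print("brute-force candidates:", brute or "none")
    print("failed and succeeded:", mixed or "none")
```

`/sbin/ausearch -i -ts yesterday | python3 sshsummary.py` runs it against the real log; an outside address in the "failed and succeeded" list is the one to chase first, since that is what a successful guess looks like in the audit trail.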
