Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: how to trace what is accessing the nic ?

from [Burton Strauss] Network Security [Permanent Link]
Subject: RE: how to trace what is accessing the nic ?
Date: Sat, 23 Apr 2005 09:20:30 -0500 
netstat -a  

That will show you (unless you've been rootkitted) which process has what
port open.


Also, you might want to dump the packet details - that might have
interesting data.

-----Burton



-----Original Message-----
From: Bonmariage, Serge [mailto:serge.bonmariage@GETRONICS.com] 
Sent: Friday, April 22, 2005 8:45 AM
To: security-basics@securityfocus.com
Subject: how to trace what is accessing the nic ?

Hi everyone,

There is happening something very strange on one of our Linux SMTP gateway.
We've recently discovered that it is sending some strange TCP packets to
always the same private address.

[root@server1 root]# tcpdump -i eth0
tcpdump: listening on eth0
14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393
0,nop,wscale 0> (DF) 14:29:53.222040 server1.mysite.com.59806 >
192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693
0,nop,wscale 0> (DF)
14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293
0,nop,wscale 0> (DF)

However we don't detect any other abnormal acvtivity.

The question is quite basic but is there a way to trace which process is
trying to send these packets?

Thanks,

Serge Bonmariage
Getronics Belgium NV
www.getronics.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: VoIP security, Champ Clark [Vistech]
Next by Date:  access to files at the filesystem, Lars Weste
Previous by Thread:  how to trace what is accessing the nic ?, Bonmariage, Serge
Next by Thread:  Re: how to trace what is accessing the nic ?, Andreas Putzo
Indexes:  [Date] [Thread] [Top] [All Lists]