public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Strange outbound requests
@ 2012-01-20 18:34 Grant
  2012-01-20 19:07 ` Stroller
  0 siblings, 1 reply; 28+ messages in thread
From: Grant @ 2012-01-20 18:34 UTC (permalink / raw
  To: Gentoo mailing list

My firewall is blocking periodic outbound connections to port 3680 on
a Rackspace IP.  How can I find out more about what's going on?  Maybe
which program is generating the connection requests?

- Grant



^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [gentoo-user] Strange outbound requests
  2012-01-20 18:34 [gentoo-user] Strange outbound requests Grant
@ 2012-01-20 19:07 ` Stroller
  2012-01-20 19:18   ` Grant
  0 siblings, 1 reply; 28+ messages in thread
From: Stroller @ 2012-01-20 19:07 UTC (permalink / raw
  To: gentoo-user


On 20 January 2012, at 18:34, Grant wrote:

> My firewall is blocking periodic outbound connections to port 3680 on
> a Rackspace IP.  How can I find out more about what's going on?  Maybe
> which program is generating the connection requests?

Uh, a packet sniffer?

I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.

I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?

Stroller.





* Re: [gentoo-user] Strange outbound requests
  2012-01-20 19:07 ` Stroller
@ 2012-01-20 19:18   ` Grant
  2012-01-20 19:52     ` Mick
  0 siblings, 1 reply; 28+ messages in thread
From: Grant @ 2012-01-20 19:18 UTC (permalink / raw
  To: gentoo-user

>> My firewall is blocking periodic outbound connections to port 3680 on
>> a Rackspace IP.  How can I find out more about what's going on?  Maybe
>> which program is generating the connection requests?
>
> Uh, a packet sniffer?
>
> I have an old laptop here that I have a second (cardbus) network card in. Really cheap and cheerful - the sort of thing you can pick up on freecycle. It's been a while since I've done anything like this, but you should be able to stick a box like that between the router and the rest of your network, run Wireshark and filter on that port. If the connection is encrypted then at least you'll see the originating IP.

I've actually got the originating local IP from the shorewall log.
I'm just trying to figure out which program and maybe which user on
that system is generating the outbound requests to port 3680.  Is
there any way to get more info without setting up a new box?

> I don't think it's relevant that the IP belongs to Rackspace - don't they just hire (virtual) servers to anyone that wants one?

Yeah I just meant the request could be going to "anyone".

- Grant




* Re: [gentoo-user] Strange outbound requests
  2012-01-20 19:18   ` Grant
@ 2012-01-20 19:52     ` Mick
  2012-01-20 22:32       ` Grant
  0 siblings, 1 reply; 28+ messages in thread
From: Mick @ 2012-01-20 19:52 UTC (permalink / raw
  To: gentoo-user


On Friday 20 Jan 2012 19:18:59 Grant wrote:
> >> My firewall is blocking periodic outbound connections to port 3680 on
> >> a Rackspace IP.  How can I find out more about what's going on?  Maybe
> >> which program is generating the connection requests?
> > 
> > Uh, a packet sniffer?
> > 
> > I have an old laptop here that I have a second (cardbus) network card in.
> > Really cheap and cheerful - the sort of thing you can pick up on
> > freecycle. It's been a while since I've done anything like this, but you
> > should be able to stick a box like that between the router and the rest
> > of your network, run Wireshark and filter on that port. If the
> > connection is encrypted then at least you'll see the originating IP.
> 
> I've actually got the originating local IP from the shorewall log.
> I'm just trying to figure out which program and maybe which user on
> that system is generating the outbound requests to port 3680.  Is
> there any way to get more info without setting up a new box?
> 
> > I don't think it's relevant that the IP belongs to Rackspace - don't they
> > just hire (virtual) servers to anyone that wants one?
> 
> Yeah I just meant the request could be going to "anyone".
> 
> - Grant

Are you running NPDS in your LAN and is it configured to access any sites on 
rackspace?
-- 
Regards,
Mick



* Re: [gentoo-user] Strange outbound requests
  2012-01-20 19:52     ` Mick
@ 2012-01-20 22:32       ` Grant
  2012-01-20 23:27         ` Michael Mol
  0 siblings, 1 reply; 28+ messages in thread
From: Grant @ 2012-01-20 22:32 UTC (permalink / raw
  To: gentoo-user

>> >> My firewall is blocking periodic outbound connections to port 3680 on
>> >> a Rackspace IP.  How can I find out more about what's going on?  Maybe
>> >> which program is generating the connection requests?
>> >
>> > Uh, a packet sniffer?
>> >
>> > I have an old laptop here that I have a second (cardbus) network card in.
>> > Really cheap and cheerful - the sort of thing you can pick up on
>> > freecycle. It's been a while since I've done anything like this, but you
>> > should be able to stick a box like that between the router and the rest
>> > of your network, run Wireshark and filter on that port. If the
>> > connection is encrypted then at least you'll see the originating IP.
>>
>> I've actually got the originating local IP from the shorewall log.
>> I'm just trying to figure out which program and maybe which user on
>> that system is generating the outbound requests to port 3680.  Is
>> there any way to get more info without setting up a new box?
>>
>> > I don't think it's relevant that the IP belongs to Rackspace - don't they
>> > just hire (virtual) servers to anyone that wants one?
>>
>> Yeah I just meant the request could be going to "anyone".
>>
>> - Grant
>
> Are you running NPDS in your LAN and is it configured to access any sites on
> rackspace?
> --
> Regards,
> Mick

I am not running NPDS.  I looked it up when I was researching port
3680 and read about it for the first time.  I know which machine is
making the requests.  Any way to drill down further?

- Grant




* Re: [gentoo-user] Strange outbound requests
  2012-01-20 22:32       ` Grant
@ 2012-01-20 23:27         ` Michael Mol
  2012-01-20 23:34           ` Grant
  2012-01-20 23:43           ` Paul Hartman
  0 siblings, 2 replies; 28+ messages in thread
From: Michael Mol @ 2012-01-20 23:27 UTC (permalink / raw
  To: gentoo-user

On Fri, Jan 20, 2012 at 5:32 PM, Grant <emailgrant@gmail.com> wrote:
>>> >> My firewall is blocking periodic outbound connections to port 3680 on
>>> >> a Rackspace IP.  How can I find out more about what's going on?  Maybe
>>> >> which program is generating the connection requests?
>>> >
>>> > Uh, a packet sniffer?
>>> >
>>> > I have an old laptop here that I have a second (cardbus) network card in.
>>> > Really cheap and cheerful - the sort of thing you can pick up on
>>> > freecycle. It's been a while since I've done anything like this, but you
>>> > should be able to stick a box like that between the router and the rest
>>> > of your network, run Wireshark and filter on that port. If the
>>> > connection is encrypted then at least you'll see the originating IP.
>>>
>>> I've actually got the originating local IP from the shorewall log.
>>> I'm just trying to figure out which program and maybe which user on
>>> that system is generating the outbound requests to port 3680.  Is
>>> there any way to get more info without setting up a new box?
>>>
>>> > I don't think it's relevant that the IP belongs to Rackspace - don't they
>>> > just hire (virtual) servers to anyone that wants one?
>>>
>>> Yeah I just meant the request could be going to "anyone".
>>>
>>> - Grant
>>
>> Are you running NPDS in your LAN and is it configured to access any sites on
>> rackspace?
>> --
>> Regards,
>> Mick
>
> I am not running NPDS.  I looked it up when I was researching port
> 3680 and read about it for the first time.  I know which machine is
> making the requests.  Any way to drill down further?

If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
3680"' as root is a sloppy but effective way to find it. There's
probably some way to set up a firewall rule on the host in question
that logs out the user and (possibly) PID of the connection, but I
don't know.

If the machine is running Windows, then I'd suggest SysInternals
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437

-- 
:wq




* Re: [gentoo-user] Strange outbound requests
  2012-01-20 23:27         ` Michael Mol
@ 2012-01-20 23:34           ` Grant
  2012-01-20 23:53             ` Mick
  2012-01-21  1:39             ` Michael Mol
  2012-01-20 23:43           ` Paul Hartman
  1 sibling, 2 replies; 28+ messages in thread
From: Grant @ 2012-01-20 23:34 UTC (permalink / raw
  To: gentoo-user

>>>> >> My firewall is blocking periodic outbound connections to port 3680 on
>>>> >> a Rackspace IP.  How can I find out more about what's going on?  Maybe
>>>> >> which program is generating the connection requests?
>>>> >
>>>> > Uh, a packet sniffer?
>>>> >
>>>> > I have an old laptop here that I have a second (cardbus) network card in.
>>>> > Really cheap and cheerful - the sort of thing you can pick up on
>>>> > freecycle. It's been a while since I've done anything like this, but you
>>>> > should be able to stick a box like that between the router and the rest
>>>> > of your network, run Wireshark and filter on that port. If the
>>>> > connection is encrypted then at least you'll see the originating IP.
>>>>
>>>> I've actually got the originating local IP from the shorewall log.
>>>> I'm just trying to figure out which program and maybe which user on
>>>> that system is generating the outbound requests to port 3680.  Is
>>>> there any way to get more info without setting up a new box?
>>>>
>>>> > I don't think it's relevant that the IP belongs to Rackspace - don't they
>>>> > just hire (virtual) servers to anyone that wants one?
>>>>
>>>> Yeah I just meant the request could be going to "anyone".
>>>>
>>>> - Grant
>>>
>>> Are you running NPDS in your LAN and is it configured to access any sites on
>>> rackspace?
>>> --
>>> Regards,
>>> Mick
>>
>> I am not running NPDS.  I looked it up when I was researching port
>> 3680 and read about it for the first time.  I know which machine is
>> making the requests.  Any way to drill down further?
>
> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
> 3680"' as root is a sloppy but effective way to find it. There's
> probably some way to set up a firewall rule on the host in question
> that logs out the user and (possibly) PID of the connection, but I
> don't know.

All of my systems run Gentoo. :)  Where does watch come from?

- Grant




* Re: [gentoo-user] Strange outbound requests
  2012-01-20 23:27         ` Michael Mol
  2012-01-20 23:34           ` Grant
@ 2012-01-20 23:43           ` Paul Hartman
  2012-01-21  0:12             ` Grant
  1 sibling, 1 reply; 28+ messages in thread
From: Paul Hartman @ 2012-01-20 23:43 UTC (permalink / raw
  To: gentoo-user

On Fri, Jan 20, 2012 at 5:27 PM, Michael Mol <mikemol@gmail.com> wrote:
> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
> 3680"' as root is a sloppy but effective way to find it. There's
> probably some way to set up a firewall rule on the host in question
> that logs out the user and (possibly) PID of the connection, but I
> don't know.

"lsof -i" is easier, it only shows network connections :)

catching it when it happens (if it is very briefly connected) could be
hard with lsof... Maybe setup a tarpit firewall rule on that box so
the connection stays open for a long time.




* Re: [gentoo-user] Strange outbound requests
  2012-01-20 23:34           ` Grant
@ 2012-01-20 23:53             ` Mick
  2012-01-21  1:39             ` Michael Mol
  1 sibling, 0 replies; 28+ messages in thread
From: Mick @ 2012-01-20 23:53 UTC (permalink / raw
  To: gentoo-user


On Friday 20 Jan 2012 23:34:12 Grant wrote:
> >>>> >> My firewall is blocking periodic outbound connections to port 3680
> >>>> >> on a Rackspace IP.  How can I find out more about what's going on?
> >>>> >>  Maybe which program is generating the connection requests?
> >>>> > 
> >>>> > Uh, a packet sniffer?
> >>>> > 
> >>>> > I have an old laptop here that I have a second (cardbus) network
> >>>> > card in. Really cheap and cheerful - the sort of thing you can pick
> >>>> > up on freecycle. It's been a while since I've done anything like
> >>>> > this, but you should be able to stick a box like that between the
> >>>> > router and the rest of your network, run Wireshark and filter on
> >>>> > that port. If the connection is encrypted then at least you'll see
> >>>> > the originating IP.
> >>>> 
> >>>> I've actually got the originating local IP from the shorewall log.
> >>>> I'm just trying to figure out which program and maybe which user on
> >>>> that system is generating the outbound requests to port 3680.  Is
> >>>> there any way to get more info without setting up a new box?
> >>>> 
> >>>> > I don't think it's relevant that the IP belongs to Rackspace - don't
> >>>> > they just hire (virtual) servers to anyone that wants one?
> >>>> 
> >>>> Yeah I just meant the request could be going to "anyone".
> >>>> 
> >>>> - Grant
> >>> 
> >>> Are you running NPDS in your LAN and is it configured to access any
> >>> sites on rackspace?
> >>> --
> >>> Regards,
> >>> Mick
> >> 
> >> I am not running NPDS.  I looked it up when I was researching port
> >> 3680 and read about it for the first time.  I know which machine is
> >> making the requests.  Any way to drill down further?
> > 
> > If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
> > 3680"' as root is a sloppy but effective way to find it. There's
> > probably some way to set up a firewall rule on the host in question
> > that logs out the user and (possibly) PID of the connection, but I
> > don't know.
> 
> All of my systems run Gentoo. :)  Where does watch come from?
> 
> - Grant

ps axf and look at the tree that contains the PID of what lsof | grep 3680 
showed.
-- 
Regards,
Mick



* Re: [gentoo-user] Strange outbound requests
  2012-01-20 23:43           ` Paul Hartman
@ 2012-01-21  0:12             ` Grant
  2012-01-21  0:35               ` Hinnerk van Bruinehsen
  2012-01-21  1:01               ` Michael Orlitzky
  0 siblings, 2 replies; 28+ messages in thread
From: Grant @ 2012-01-21  0:12 UTC (permalink / raw
  To: gentoo-user

>> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
>> 3680"' as root is a sloppy but effective way to find it. There's
>> probably some way to set up a firewall rule on the host in question
>> that logs out the user and (possibly) PID of the connection, but I
>> don't know.
>
> "lsof -i" is easier, it only shows network connections :)
>
> catching it when it happens (if it is very briefly connected) could be
> hard with lsof... Maybe setup a tarpit firewall rule on that box so
> the connection stays open for a long time.

The connections are only attempted a few times throughout the day.  Is
a tarpit firewall rule the only way to do this?  Can anyone tell me
what package 'watch' belongs to if that would work?

- Grant




* Re: [gentoo-user] Strange outbound requests
  2012-01-21  0:12             ` Grant
@ 2012-01-21  0:35               ` Hinnerk van Bruinehsen
  2012-01-21  1:01               ` Michael Orlitzky
  1 sibling, 0 replies; 28+ messages in thread
From: Hinnerk van Bruinehsen @ 2012-01-21  0:35 UTC (permalink / raw
  To: gentoo-user


On 21.01.2012 01:12, Grant wrote:
>>> If the machine is running linux, then 'watch "lsof -n|grep
>>> TCP|grep 3680"' as root is a sloppy but effective way to find
>>> it. There's probably some way to set up a firewall rule on the
>>> host in question that logs out the user and (possibly) PID of
>>> the connection, but I don't know.
>> 
>> "lsof -i" is easier, it only shows network connections :)
>> 
>> catching it when it happens (if it is very briefly connected)
>> could be hard with lsof... Maybe setup a tarpit firewall rule on
>> that box so the connection stays open for a long time.
> 
> The connections are only attempted a few times throughout the day.
> Is a tarpit firewall rule the only way to do this?  Can anyone tell
> me what package 'watch' belongs to if that would work?
> 
> - Grant
> 
I get:

equery b watch
 * Searching for watch ...
net-irc/irssi-0.8.15-r1 (/usr/share/irssi/help/watch)
sys-process/procps-3.2.8_p11 (/usr/bin/watch)
x11-themes/gnome-themes-standard-3.3.4
(/usr/share/cursors/xorg-x11/Adwaita/cursors/watch)

First and third can be ruled out, I think. So one candidate remains:

sys-process/procps
     Available versions:  3.2.8 (~)3.2.8-r1 3.2.8-r2 (~)3.2.8_p10-r1
3.2.8_p11 {unicode}
     Installed versions:  3.2.8_p11(00:15:18 22.12.2011)(unicode)
     Homepage:            http://procps.sourceforge.net/
     Description:         Standard informational utilities and
process-handling tools




* Re: [gentoo-user] Strange outbound requests
  2012-01-21  0:12             ` Grant
  2012-01-21  0:35               ` Hinnerk van Bruinehsen
@ 2012-01-21  1:01               ` Michael Orlitzky
  2012-01-21  1:22                 ` Grant
  2012-01-22 17:54                 ` Grant
  1 sibling, 2 replies; 28+ messages in thread
From: Michael Orlitzky @ 2012-01-21  1:01 UTC (permalink / raw
  To: gentoo-user

On 01/20/2012 07:12 PM, Grant wrote:
>>> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
>>> 3680"' as root is a sloppy but effective way to find it. There's
>>> probably some way to set up a firewall rule on the host in question
>>> that logs out the user and (possibly) PID of the connection, but I
>>> don't know.
>>
>> "lsof -i" is easier, it only shows network connections :)
>>
>> catching it when it happens (if it is very briefly connected) could be
>> hard with lsof... Maybe setup a tarpit firewall rule on that box so
>> the connection stays open for a long time.
>
> The connections are only attempted a few times throughout the day.  Is
> a tarpit firewall rule the only way to do this?  Can anyone tell me
> what package 'watch' belongs to if that would work?
>

`watch` isn't going to help too much unless you're looking at it. Append 
the output to some log file instead. I chose netstat because its output 
looked easier to parse with a stupid regexp.

   while true; do
     netstat -antp | grep ':993 ' >> mystery.log;
     sleep 1;
   done;

You'll want to change the port -- I tested to make sure that was really 
logging my Thunderbird connections.



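As an added example (not code from the thread), the following does by hand what `netstat -antp` and `lsof -i` do on Linux: it reads /proc/net/tcp, which lists every IPv4 TCP socket with its remote endpoint, state, owning uid and inode, and maps the inode back to a PID through /proc/<pid>/fd. It keeps sockets in every state, so an attempt that is stuck in SYN_SENT (where a dropped outbound SYN sits until the kernel gives up) is logged along with its uid even when the PID lookup fails for lack of root. The /proc/net/tcp table embedded below is constructed; the port 3680 default, the log file name and the little-endian (x86) address layout are assumptions.

```python
"""Attribute TCP sockets to a remote port to a uid and PID by reading /proc.

Added example, not code from the thread. Does what netstat -antp / lsof -i do:
/proc/net/tcp gives remote endpoint, state, uid and inode per socket, and
/proc/<pid>/fd links map the inode to a PID. All states are kept, so a
SYN_SENT attempt is reported too. /proc/net/tcp6 is not read.
"""
import os
import socket
import struct
import sys
import time

# State codes as printed in /proc/net/tcp (kernel include/net/tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Constructed /proc/net/tcp content: an sshd listener, an IMAPS session and one
# attempt to 203.0.113.10:3680 (0x0E60) stuck in SYN_SENT, owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9876 1 0000000000000000 100 0 0 10 0
   1: 1401A8C0:B3A4 0A7100CB:03E1 01 00000000:00000000 00:00000000 00000000  1000        0 24680 1 0000000000000000 20 4 30 10 -1
   2: 1401A8C0:C822 0A7100CB:0E60 02 00000001:00000000 01:000000A3 00000002  1000        0 123456 1 0000000000000000 100 0 0 10 -1
"""

def parse_endpoint(hex_addr):
    """'0A7100CB:0E60' -> ('203.0.113.10', 3680).

    The kernel prints the address as a native-endian 32-bit word, so on x86
    (assumed here) the bytes appear reversed; '<I' puts them back in order.
    """
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Turn the table into dicts with local, remote, state, uid and inode."""
    rows = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": parse_endpoint(f[1]),
                     "remote": parse_endpoint(f[2]),
                     "state": TCP_STATES.get(int(f[3], 16), f[3]),
                     "uid": int(f[7]),
                     "inode": int(f[9])})
    return rows

def sockets_to_port(text, dport):
    """Rows whose remote port is dport, in any state (SYN_SENT included)."""
    return [r for r in parse_proc_net_tcp(text) if r["remote"][1] == dport]

def pid_for_inode(inode, proc="/proc"):
    """PID holding 'socket:[inode]', or None if unmatched or not permitted
    (other users' /proc/<pid>/fd need root, exactly as with lsof/netstat -p)."""
    target = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue                            # process gone, or not ours
    return None

def describe(row, proc="/proc"):
    """One log line: time, state, endpoints, uid and (if resolvable) pid/comm."""
    pid = pid_for_inode(row["inode"], proc)
    try:
        comm = open(os.path.join(proc, str(pid), "comm")).read().strip()
    except OSError:                             # pid unknown or unreadable
        comm = "?"
    return "%s %s %s:%d -> %s:%d uid=%d pid=%s comm=%s" % (
        time.strftime("%Y-%m-%d %H:%M:%S"), row["state"],
        row["local"][0], row["local"][1], row["remote"][0], row["remote"][1],
        row["uid"], pid, comm)

def poll(dport, logfile, interval=1.0):
    """Append one line per new socket/state to dport, like the netstat loop."""
    seen = set()
    while True:
        with open("/proc/net/tcp") as fh:
            rows = sockets_to_port(fh.read(), dport)
        for r in rows:
            key = (r["inode"], r["state"])
            if key not in seen:                 # log each socket/state once
                seen.add(key)
                with open(logfile, "a") as out:
                    out.write(describe(r) + "\n")
        time.sleep(interval)

if __name__ == "__main__":
    poll(int(sys.argv[1]) if len(sys.argv) > 1 else 3680, "mystery.log")
```

Run it as root on the host named by SRC in the firewall log so that the PID lookup can see every process; unprivileged, it still records the uid.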

* Re: [gentoo-user] Strange outbound requests
  2012-01-21  1:01               ` Michael Orlitzky
@ 2012-01-21  1:22                 ` Grant
  2012-01-22 17:54                 ` Grant
  1 sibling, 0 replies; 28+ messages in thread
From: Grant @ 2012-01-21  1:22 UTC (permalink / raw
  To: gentoo-user

>>>> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
>>>> 3680"' as root is a sloppy but effective way to find it. There's
>>>> probably some way to set up a firewall rule on the host in question
>>>> that logs out the user and (possibly) PID of the connection, but I
>>>> don't know.
>>>
>>>
>>> "lsof -i" is easier, it only shows network connections :)
>>>
>>> catching it when it happens (if it is very briefly connected) could be
>>> hard with lsof... Maybe setup a tarpit firewall rule on that box so
>>> the connection stays open for a long time.
>>
>>
>> The connections are only attempted a few times throughout the day.  Is
>> a tarpit firewall rule the only way to do this?  Can anyone tell me
>> what package 'watch' belongs to if that would work?
>>
>
> `watch` isn't going to help too much unless you're looking at it. Append the
> output to some log file instead. I chose netstat because its output looked
> easier to parse with a stupid regexp.
>
>  while true; do
>    netstat -antp | grep ':993 ' >> mystery.log;
>    sleep 1;
>  done;
>
> You'll want to change the port -- I tested to make sure that was really
> logging my Thunderbird connections.

Thanks a lot.  Test, working, will watch the log and report back.

- Grant




* Re: [gentoo-user] Strange outbound requests
  2012-01-20 23:34           ` Grant
  2012-01-20 23:53             ` Mick
@ 2012-01-21  1:39             ` Michael Mol
  2012-01-21  1:49               ` Hinnerk van Bruinehsen
  1 sibling, 1 reply; 28+ messages in thread
From: Michael Mol @ 2012-01-21  1:39 UTC (permalink / raw
  To: gentoo-user

On Fri, Jan 20, 2012 at 6:34 PM, Grant <emailgrant@gmail.com> wrote:
>>>>> >> My firewall is blocking periodic outbound connections to port 3680 on
>>>>> >> a Rackspace IP.  How can I find out more about what's going on?  Maybe
>>>>> >> which program is generating the connection requests?
>>>>> >
>>>>> > Uh, a packet sniffer?
>>>>> >
>>>>> > I have an old laptop here that I have a second (cardbus) network card in.
>>>>> > Really cheap and cheerful - the sort of thing you can pick up on
>>>>> > freecycle. It's been a while since I've done anything like this, but you
>>>>> > should be able to stick a box like that between the router and the rest
>>>>> > of your network, run Wireshark and filter on that port. If the
>>>>> > connection is encrypted then at least you'll see the originating IP.
>>>>>
>>>>> I've actually got the originating local IP from the shorewall log.
>>>>> I'm just trying to figure out which program and maybe which user on
>>>>> that system is generating the outbound requests to port 3680.  Is
>>>>> there any way to get more info without setting up a new box?
>>>>>
>>>>> > I don't think it's relevant that the IP belongs to Rackspace - don't they
>>>>> > just hire (virtual) servers to anyone that wants one?
>>>>>
>>>>> Yeah I just meant the request could be going to "anyone".
>>>>>
>>>>> - Grant
>>>>
>>>> Are you running NPDS in your LAN and is it configured to access any sites on
>>>> rackspace?
>>>> --
>>>> Regards,
>>>> Mick
>>>
>>> I am not running NPDS.  I looked it up when I was researching port
>>> 3680 and read about it for the first time.  I know which machine is
>>> making the requests.  Any way to drill down further?
>>
>> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
>> 3680"' as root is a sloppy but effective way to find it. There's
>> probably some way to set up a firewall rule on the host in question
>> that logs out the user and (possibly) PID of the connection, but I
>> don't know.
>
> All of my systems run Gentoo. :)  Where does watch come from?

shortcircuit@saffron ~ $ equery b `which watch`
/usr/lib64/portage/pym/portage/package/ebuild/config.py:353:
UserWarning: 'cache.metadata_overlay.database' is deprecated:
/etc/portage/modules
  (user_auxdbmodule, modules_file))
 * Searching for /usr/bin/watch ...
sys-process/procps-3.2.8_p11 (/usr/bin/watch)
shortcircuit@saffron ~ $

Incidentally, does anyone know why all my portage-related executions
get that 'cache.metadata_overlay.database' warning? I've been seeing
it for weeks, even on fresh installs. I would have assumed a bug like
that would have been fixed by now.


-- 
:wq




* Re: [gentoo-user] Strange outbound requests
  2012-01-21  1:39             ` Michael Mol
@ 2012-01-21  1:49               ` Hinnerk van Bruinehsen
  0 siblings, 0 replies; 28+ messages in thread
From: Hinnerk van Bruinehsen @ 2012-01-21  1:49 UTC (permalink / raw
  To: gentoo-user


On 21.01.2012 02:39, Michael Mol wrote:
> On Fri, Jan 20, 2012 at 6:34 PM, Grant <emailgrant@gmail.com>
> wrote:
>>>>>>>> My firewall is blocking periodic outbound connections
>>>>>>>> to port 3680 on a Rackspace IP.  How can I find out
>>>>>>>> more about what's going on?  Maybe which program is
>>>>>>>> generating the connection requests?
>>>>>>> 
>>>>>>> Uh, a packet sniffer?
>>>>>>> 
>>>>>>> I have an old laptop here that I have a second
>>>>>>> (cardbus) network card in. Really cheap and cheerful -
>>>>>>> the sort of thing you can pick up on freecycle. It's
>>>>>>> been a while since I've done anything like this, but
>>>>>>> you should be able to stick a box like that between the
>>>>>>> router and the rest of your network, run Wireshark and
>>>>>>> filter on that port. If the connection is encrypted
>>>>>>> then at least you'll see the originating IP.
>>>>>> 
>>>>>> I've actually got the originating local IP from the
>>>>>> shorewall log. I'm just trying to figure out which
>>>>>> program and maybe which user on that system is generating
>>>>>> the outbound requests to port 3680.  Is there any way to
>>>>>> get more info without setting up a new box?
>>>>>> 
>>>>>>> I don't think it's relevant that the IP belongs to
>>>>>>> Rackspace - don't they just hire (virtual) servers to
>>>>>>> anyone that wants one?
>>>>>> 
>>>>>> Yeah I just meant the request could be going to
>>>>>> "anyone".
>>>>>> 
>>>>>> - Grant
>>>>> 
>>>>> Are you running NPDS in your LAN and is it configured to
>>>>> access any sites on rackspace? -- Regards, Mick
>>>> 
>>>> I am not running NPDS.  I looked it up when I was researching
>>>> port 3680 and read about it for the first time.  I know which
>>>> machine is making the requests.  Any way to drill down
>>>> further?
>>> 
>>> If the machine is running linux, then 'watch "lsof -n|grep
>>> TCP|grep 3680"' as root is a sloppy but effective way to find
>>> it. There's probably some way to set up a firewall rule on the
>>> host in question that logs out the user and (possibly) PID of
>>> the connection, but I don't know.
>> 
>> All of my systems run Gentoo. :)  Where does watch come from?
> 
> shortcircuit@saffron ~ $ equery b `which watch` 
> /usr/lib64/portage/pym/portage/package/ebuild/config.py:353: 
> UserWarning: 'cache.metadata_overlay.database' is deprecated: 
> /etc/portage/modules (user_auxdbmodule, modules_file)) * Searching
> for /usr/bin/watch ... sys-process/procps-3.2.8_p11
> (/usr/bin/watch) shortcircuit@saffron ~ $
> 
> Incidentally, does anyone know why all my portage-related
> executions get that 'cache.metadata_overlay.database' warning? I've
> been seeing it for weeks, even on fresh installs. I would have
> assumed a bug like that would have been fixed by now.
> 
> 

You get the warning because you have a directory /etc/portage/modules
- simply remove it (or move it, if you are afraid to break something).




* Re: [gentoo-user] Strange outbound requests
  2012-01-21  1:01               ` Michael Orlitzky
  2012-01-21  1:22                 ` Grant
@ 2012-01-22 17:54                 ` Grant
  2012-01-22 18:22                   ` Mick
                                     ` (2 more replies)
  1 sibling, 3 replies; 28+ messages in thread
From: Grant @ 2012-01-22 17:54 UTC (permalink / raw
  To: gentoo-user

>>>> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
>>>> 3680"' as root is a sloppy but effective way to find it. There's
>>>> probably some way to set up a firewall rule on the host in question
>>>> that logs out the user and (possibly) PID of the connection, but I
>>>> don't know.
>>>
>>>
>>> "lsof -i" is easier, it only shows network connections :)
>>>
>>> catching it when it happens (if it is very briefly connected) could be
>>> hard with lsof... Maybe setup a tarpit firewall rule on that box so
>>> the connection stays open for a long time.
>>
>>
>> The connections are only attempted a few times throughout the day.  Is
>> a tarpit firewall rule the only way to do this?  Can anyone tell me
>> what package 'watch' belongs to if that would work?
>>
>
> `watch` isn't going to help too much unless you're looking at it. Append the
> output to some log file instead. I chose netstat because its output looked
> easier to parse with a stupid regexp.
>
>  while true; do
>    netstat -antp | grep ':993 ' >> mystery.log;
>    sleep 1;
>  done;
>
> You'll want to change the port -- I tested to make sure that was really
> logging my Thunderbird connections.

I'm still getting the blocked outbound requests to port 3680 on my
firewall and I'm running the above script (changed 993 to 3680) on the
local system indicated by SRC in the firewall log, but mystery.log
remains empty.  I tested the script with other ports and it seems to
be working fine.

Also the MAC indicated in the firewall log is 14 blocks long and the
local system in question has a MAC address 6 blocks long according to
ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
reported by the firewall.

Does this make sense to anyone?

I installed and ran rkhunter and this was the only warning I couldn't disregard:

Warning: The command '/usr/sbin/rkhunter' has been replaced and is not
a script: /usr/sbin/rkhunter: POSIX shell script, ASCII text
executable, with very long lines

- Grant



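An added example (not from the thread) that decodes a shorewall/netfilter LOG line of the kind quoted above, including the 14-block MAC= field: the kernel LOG target dumps the raw link-layer header, which on Ethernet is 14 bytes, namely destination MAC (6), source MAC (6) and EtherType (2). The six blocks that match ifconfig on the sending host are therefore the source MAC in positions 7 to 12; the first six belong to the firewall's LAN-side interface and 08:00 is IPv4. The log line, addresses and MACs below are constructed, and the "Shorewall:<chain>:<disposition>:" prefix layout is an assumption about the log format.

```python
"""Decode a shorewall/netfilter LOG line, including the 14-block MAC= field.

Added example, not code from the thread. After MAC= the kernel prints the
Ethernet header: dst MAC (6 bytes), src MAC (6 bytes), EtherType (2 bytes).
"""
import re

# Constructed line in Shorewall's "Shorewall:<chain>:<disposition>:" prefix style.
SAMPLE_LOG_LINE = (
    "Jan 22 09:14:03 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 "
    "DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF "
    "PROTO=TCP SPT=51234 DPT=3680 WINDOW=14600 RES=0x00 SYN URGP=0"
)

ETHERTYPES = {"08:00": "IPv4", "86:dd": "IPv6", "08:06": "ARP"}
INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")

def split_mac_field(mac):
    """Split the 14-byte Ethernet header dump into dst MAC, src MAC, EtherType."""
    blocks = mac.lower().split(":")
    if len(blocks) != 14:
        raise ValueError("expected 14 blocks in MAC=, got %d" % len(blocks))
    ethertype = ":".join(blocks[12:14])
    return {"dst_mac": ":".join(blocks[0:6]),     # firewall's receiving NIC
            "src_mac": ":".join(blocks[6:12]),    # the sending host's NIC
            "ethertype": ethertype,
            "ethertype_name": ETHERTYPES.get(ethertype, "unknown")}

def parse_log_line(line):
    """Return a dict of KEY=value fields, bare flags (DF, SYN, ...) and the prefix."""
    # Everything between "kernel:" (plus an optional [timestamp]) and "IN=" is
    # the --log-prefix the firewall configured.
    m = re.search(r"kernel:\s*(?:\[[^\]]*\]\s*)?(.*?)IN=", line)
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    rec = {"prefix": m.group(1).strip(), "flags": []}
    tag = rec["prefix"].strip(":").split(":")
    if len(tag) == 3 and tag[0] == "Shorewall":   # Shorewall:chain:disposition:
        rec["chain"], rec["disposition"] = tag[1], tag[2]
    for tok in line[m.end() - 3:].split():          # from "IN=" onwards
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = int(v) if k in INT_FIELDS else v
        else:
            rec["flags"].append(tok)                # DF, SYN, ACK, ...
    if "MAC" in rec:
        rec.update(split_mac_field(rec["MAC"]))
    return rec

def sent_by_host(rec, host_mac):
    """True if the packet's source MAC (blocks 7-12) is the given host's NIC."""
    return rec.get("src_mac") == host_mac.lower()

def summarize(rec):
    """One-line reading of the record for a quick look at a log grep."""
    return "%s %s %s:%s -> %s:%s from NIC %s (%s) flags=%s" % (
        rec.get("disposition", "?"), rec.get("PROTO", "?"),
        rec.get("SRC"), rec.get("SPT"), rec.get("DST"), rec.get("DPT"),
        rec.get("src_mac", "?"), rec.get("ethertype_name", "?"),
        ",".join(rec["flags"]))
```

Feed it the real firewall lines with `grep 'DPT=3680'` and compare `src_mac` with the ifconfig output of the host you are polling; a mismatch means a different machine (or a router hop) is the real sender.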

* Re: [gentoo-user] Strange outbound requests
  2012-01-22 17:54                 ` Grant
@ 2012-01-22 18:22                   ` Mick
  2012-01-22 18:48                     ` Grant
  2012-01-22 19:29                     ` Grant
  2012-01-22 18:45                   ` Michael Orlitzky
  2012-01-23  5:10                   ` Pandu Poluan
  2 siblings, 2 replies; 28+ messages in thread
From: Mick @ 2012-01-22 18:22 UTC (permalink / raw
  To: gentoo-user

On Sunday 22 Jan 2012 17:54:29 Grant wrote:

> > `watch` isn't going to help too much unless you're looking at it. Append
> > the output to some log file instead. I chose netstat because its output
> > looked easier to parse with a stupid regexp.
> > 
> >  while true; do
> >    netstat -antp | grep ':993 ' >> mystery.log;
> >    sleep 1;
> >  done;
> > 
> > You'll want to change the port -- I tested to make sure that was really
> > logging my Thunderbird connections.
> 
> I'm still getting the blocked outbound requests to port 3680 on my
> firewall and I'm running the above script (changed 993 to 3680) on the
> local system indicated by SRC in the firewall log, but mystery.log
> remains empty.  I tested the script with other ports and it seems to
> be working fine.
> 
> Also the MAC indicated in the firewall log is 14 blocks long and the
> local system in question has a MAC address 6 blocks long according to
> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
> reported by the firewall.
> 
> Does this make sense to anyone?

Does not make sense to me, sorry.  :-(

Have you tried running the script on lsof instead?


> I installed and ran rkhunter and this was the only warning I couldn't
> disregard:
> 
> Warning: The command '/usr/sbin/rkhunter' has been replaced and is not
> a script: /usr/sbin/rkhunter: POSIX shell script, ASCII text
> executable, with very long lines

This warning comes up the first time after rkhunter runs --update for its .dat 
files.  I don't know why this is so - but I have noticed it happening for the 
last couple of versions at least.
-- 
Regards,
Mick


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 17:54                 ` Grant
  2012-01-22 18:22                   ` Mick
@ 2012-01-22 18:45                   ` Michael Orlitzky
  2012-01-22 18:49                     ` Grant
  2012-01-23  5:10                   ` Pandu Poluan
  2 siblings, 1 reply; 28+ messages in thread
From: Michael Orlitzky @ 2012-01-22 18:45 UTC (permalink / raw
  To: gentoo-user

On 01/22/2012 12:54 PM, Grant wrote:
>>
>> `watch` isn't going to help too much unless you're looking at it. Append the
>> output to some log file instead. I chose netstat because its output looked
>> easier to parse with a stupid regexp.
>>
>>   while true; do
>>     netstat -antp | grep ':993 ' >> mystery.log;
>>     sleep 1;
>>   done;
>>
>> You'll want to change the port -- I tested to make sure that was really
>> logging my Thunderbird connections.
>
> I'm still getting the blocked outbound requests to port 3680 on my
> firewall and I'm running the above script (changed 993 to 3680) on the
> local system indicated by SRC in the firewall log, but mystery.log
> remains empty.  I tested the script with other ports and it seems to
> be working fine.
>
> Also the MAC indicated in the firewall log is 14 blocks long and the
> local system in question has a MAC address 6 blocks long according to
> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
> reported by the firewall.
>
> Does this make sense to anyone?
>

Are you running it as root? If not, you could be missing some connections.

I also typed the 't' in netstat out of habit -- that limits the output 
to tcp connections. You can remove it to catch the UDP ones.


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 18:22                   ` Mick
@ 2012-01-22 18:48                     ` Grant
  2012-01-22 19:29                     ` Grant
  1 sibling, 0 replies; 28+ messages in thread
From: Grant @ 2012-01-22 18:48 UTC (permalink / raw
  To: gentoo-user

>> > `watch` isn't going to help too much unless you're looking at it. Append
>> > the output to some log file instead. I chose netstat because its output
>> > looked easier to parse with a stupid regexp.
>> >
>> >  while true; do
>> >    netstat -antp | grep ':993 ' >> mystery.log;
>> >    sleep 1;
>> >  done;
>> >
>> > You'll want to change the port -- I tested to make sure that was really
>> > logging my Thunderbird connections.
>>
>> I'm still getting the blocked outbound requests to port 3680 on my
>> firewall and I'm running the above script (changed 993 to 3680) on the
>> local system indicated by SRC in the firewall log, but mystery.log
>> remains empty.  I tested the script with other ports and it seems to
>> be working fine.
>>
>> Also the MAC indicated in the firewall log is 14 blocks long and the
>> local system in question has a MAC address 6 blocks long according to
>> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
>> reported by the firewall.
>>
>> Does this make sense to anyone?
>
> Does not make sense to me, sorry.  :-(
>
> Have you tried running the script on lsof instead?

OK I changed 'netstat -antp' to 'lsof -i'.

- Grant


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 18:45                   ` Michael Orlitzky
@ 2012-01-22 18:49                     ` Grant
  0 siblings, 0 replies; 28+ messages in thread
From: Grant @ 2012-01-22 18:49 UTC (permalink / raw
  To: gentoo-user

>>> `watch` isn't going to help too much unless you're looking at it. Append
>>> the
>>> output to some log file instead. I chose netstat because its output
>>> looked
>>> easier to parse with a stupid regexp.
>>>
>>>  while true; do
>>>    netstat -antp | grep ':993 ' >> mystery.log;
>>>    sleep 1;
>>>  done;
>>>
>>> You'll want to change the port -- I tested to make sure that was really
>>> logging my Thunderbird connections.
>>
>>
>> I'm still getting the blocked outbound requests to port 3680 on my
>> firewall and I'm running the above script (changed 993 to 3680) on the
>> local system indicated by SRC in the firewall log, but mystery.log
>> remains empty.  I tested the script with other ports and it seems to
>> be working fine.
>>
>> Also the MAC indicated in the firewall log is 14 blocks long and the
>> local system in question has a MAC address 6 blocks long according to
>> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
>> reported by the firewall.
>>
>> Does this make sense to anyone?
>>
>
> Are you running it as root? If not, you could be missing some connections.

I'm running it as root.

> I also typed the 't' in netstat out of habit -- that limits the output to
> tcp connections. You can remove it to catch the UDP ones.

According to the firewall log, the 3680 requests are TCP connections,
but I just switched to 'lsof -i' anyway.

- Grant


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 18:22                   ` Mick
  2012-01-22 18:48                     ` Grant
@ 2012-01-22 19:29                     ` Grant
  2012-01-22 19:48                       ` Mick
                                         ` (2 more replies)
  1 sibling, 3 replies; 28+ messages in thread
From: Grant @ 2012-01-22 19:29 UTC (permalink / raw
  To: gentoo-user

>> > `watch` isn't going to help too much unless you're looking at it. Append
>> > the output to some log file instead. I chose netstat because its output
>> > looked easier to parse with a stupid regexp.
>> >
>> >  while true; do
>> >    netstat -antp | grep ':993 ' >> mystery.log;
>> >    sleep 1;
>> >  done;
>> >
>> > You'll want to change the port -- I tested to make sure that was really
>> > logging my Thunderbird connections.
>>
>> I'm still getting the blocked outbound requests to port 3680 on my
>> firewall and I'm running the above script (changed 993 to 3680) on the
>> local system indicated by SRC in the firewall log, but mystery.log
>> remains empty.  I tested the script with other ports and it seems to
>> be working fine.
>>
>> Also the MAC indicated in the firewall log is 14 blocks long and the
>> local system in question has a MAC address 6 blocks long according to
>> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
>> reported by the firewall.
>>
>> Does this make sense to anyone?
>
> Does not make sense to me, sorry.  :-(

Since my local firewall is rejecting the outbound requests, the time
elapsed between the request and the block should be very short.  Is it
possible the 'sleep 1' portion of the script is causing the failure to
log the connection request?  The outbound connection is only attempted
a few times per day.  If so, how would you recommend fixing that?

I'm also wondering if there is a command I could run on the
router/firewall machine that would log something from the outbound
request.  Even if the information logged isn't useful, it would be
nice to see a confirmation of the outbound requests logged from
somewhere besides the firewall.

- Grant


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 19:29                     ` Grant
@ 2012-01-22 19:48                       ` Mick
  2012-01-22 19:50                       ` Michael Orlitzky
  2012-01-22 20:04                       ` Michael Mol
  2 siblings, 0 replies; 28+ messages in thread
From: Mick @ 2012-01-22 19:48 UTC (permalink / raw
  To: gentoo-user

On Sunday 22 Jan 2012 19:29:47 Grant wrote:
> >> > `watch` isn't going to help too much unless you're looking at it.
> >> > Append the output to some log file instead. I chose netstat because
> >> > its output looked easier to parse with a stupid regexp.
> >> > 
> >> >  while true; do
> >> >    netstat -antp | grep ':993 ' >> mystery.log;
> >> >    sleep 1;
> >> >  done;
> >> > 
> >> > You'll want to change the port -- I tested to make sure that was
> >> > really logging my Thunderbird connections.
> >> 
> >> I'm still getting the blocked outbound requests to port 3680 on my
> >> firewall and I'm running the above script (changed 993 to 3680) on the
> >> local system indicated by SRC in the firewall log, but mystery.log
> >> remains empty.  I tested the script with other ports and it seems to
> >> be working fine.
> >> 
> >> Also the MAC indicated in the firewall log is 14 blocks long and the
> >> local system in question has a MAC address 6 blocks long according to
> >> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
> >> reported by the firewall.
> >> 
> >> Does this make sense to anyone?
> > 
> > Does not make sense to me, sorry.  :-(
> 
> Since my local firewall is rejecting the outbound requests, the time
> elapsed between the request and the block should be very short.  Is it
> possible the 'sleep 1' portion of the script is causing the failure to
> log the connection request?  The outbound connection is only attempted
> a few times per day.  If so, how would you recommend fixing that?

I'm the wrong guy to make recommendations on any sort of scripting, but if 
sleep 1 is not enough, could sleep 2 or 3 be adequate to complete writing what 
it is that is being watched?

> I'm also wondering if there is a command I could run on the
> router/firewall machine that would log something from the outbound
> request.  Even if the information logged isn't useful, it would be
> nice to see a confirmation of the outbound requests logged from
> somewhere besides the firewall.

tcpdump will show you what the packets look like and their content if they are 
unencrypted.  However, it may consume tonnes of disk space if you leave it 
running all the time.

Have you checked if such connection attempts take place when you start up the 
machine?  If yes, it may be easier to capture it.
-- 
Regards,
Mick


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 19:29                     ` Grant
  2012-01-22 19:48                       ` Mick
@ 2012-01-22 19:50                       ` Michael Orlitzky
  2012-01-22 20:04                       ` Michael Mol
  2 siblings, 0 replies; 28+ messages in thread
From: Michael Orlitzky @ 2012-01-22 19:50 UTC (permalink / raw
  To: gentoo-user

On 01/22/2012 02:29 PM, Grant wrote:
>
> Since my local firewall is rejecting the outbound requests, the time
> elapsed between the request and the block should be very short.  Is it
> possible the 'sleep 1' portion of the script is causing the failure to
> log the connection request?  The outbound connection is only attempted
> a few times per day.  If so, how would you recommend fixing that?

If the firewall is being nice and rejecting the connection, then yeah, 
it could be opening/closing in under a second. `sleep` doesn't require 
an integer[1], so you can probably have it sleep for 0.1s or something 
like that.


> I'm also wondering if there is a command I could run on the
> router/firewall machine that would log something from the outbound
> request.  Even if the information logged isn't useful, it would be
> nice to see a confirmation of the outbound requests logged from
> somewhere besides the firewall.

What kind of firewall is it? Can you update the rules? If so, make it 
silently drop outbound connections instead of rejecting them; that way, 
the connection will hang open for a little bit.



[1] This is probably a bash-ism, but it works here.
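The polling approach from the thread taken one step further, as an added example that is none of the posters' code: instead of running netstat every second, read /proc/net/tcp directly (the table netstat -p itself reads), poll every 0.1 s, and resolve the socket inode to a PID through /proc/<pid>/fd. A connection the firewall REJECTs only exists briefly in SYN_SENT, so that state is included rather than just ESTABLISHED. The sample table is constructed; the IPv4 hex decoding assumes a little-endian (x86) host, and the PID lookup needs root to see every process.

```python
"""Poll /proc/net/tcp (the table netstat -p reads) for sockets to one remote port
and map each to a PID. Added example, not from the thread; polls faster than a
REJECT round-trip so SYN_SENT sockets are seen. Assumes little-endian (x86) host."""
import os
import socket
import struct
import sys
import time

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE",
              "08": "CLOSE_WAIT", "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc/net/tcp content: a SYN_SENT socket to port 3680 (0x0E60)
# and an established HTTPS socket as a distractor.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:C4F6 1F2E3D4C:0E60 02 00000000:00000000 00:00000000 00000000  1000        0 12345 1
   1: 0A00000A:D2B4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1
"""

def decode_endpoint(field):
    """'1F2E3D4C:0E60' -> ('76.61.46.31', 3680): host-order IPv4 hex, big-endian port hex."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text, remote_port):
    """Rows whose remote port matches, decoded into dicts."""
    hits = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        remote = decode_endpoint(cols[2])
        if remote[1] == remote_port:
            hits.append({"local": decode_endpoint(cols[1]), "remote": remote,
                         "state": TCP_STATES.get(cols[3], cols[3]),
                         "uid": int(cols[7]), "inode": int(cols[9])})
    return hits

def pid_for_inode(inode, proc="/proc"):
    """PID whose fd table holds socket:[inode], or None; run as root to see every process."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target for fd in os.listdir(fd_dir)):
                return int(pid)
        except OSError:  # process exited, or not ours to inspect
            continue
    return None

def cmdline(pid):  # command line of a PID, '' if it is gone or unreadable
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as c:
            return c.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""

def watch(port, interval=0.1, logfile="mystery.log"):
    """Append one line per new socket to the port; 0.1 s is well under a REJECT round-trip."""
    seen = set()
    with open(logfile, "a") as log:
        while True:
            with open("/proc/net/tcp") as f:
                hits = parse_proc_net_tcp(f.read(), port)
            for hit in hits:
                key = (hit["local"], hit["inode"])
                if key in seen:
                    continue
                seen.add(key)
                pid = pid_for_inode(hit["inode"])
                log.write(f"{time.strftime('%F %T')} {hit['state']} {hit['local']} -> {hit['remote']} "
                          f"uid={hit['uid']} pid={pid} cmd={cmdline(pid) if pid else ''}\n")
                log.flush()
            time.sleep(interval)

if __name__ == "__main__":
    watch(int(sys.argv[1]) if len(sys.argv) > 1 else 3680)
```

Run it as root on the LAN host named by SRC in the firewall log (`python3 watch.py 3680`); if the firewall is switched from REJECT to DROP as suggested, the socket stays in SYN_SENT for the whole retransmit period and is even easier to catch.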


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 19:29                     ` Grant
  2012-01-22 19:48                       ` Mick
  2012-01-22 19:50                       ` Michael Orlitzky
@ 2012-01-22 20:04                       ` Michael Mol
  2012-01-22 20:26                         ` Grant
  2 siblings, 1 reply; 28+ messages in thread
From: Michael Mol @ 2012-01-22 20:04 UTC (permalink / raw
  To: gentoo-user

On Sun, Jan 22, 2012 at 2:29 PM, Grant <emailgrant@gmail.com> wrote:
>>> > `watch` isn't going to help too much unless you're looking at it. Append
>>> > the output to some log file instead. I chose netstat because its output
>>> > looked easier to parse with a stupid regexp.
>>> >
>>> >  while true; do
>>> >    netstat -antp | grep ':993 ' >> mystery.log;
>>> >    sleep 1;
>>> >  done;
>>> >
>>> > You'll want to change the port -- I tested to make sure that was really
>>> > logging my Thunderbird connections.
>>>
>>> I'm still getting the blocked outbound requests to port 3680 on my
>>> firewall and I'm running the above script (changed 993 to 3680) on the
>>> local system indicated by SRC in the firewall log, but mystery.log
>>> remains empty.  I tested the script with other ports and it seems to
>>> be working fine.
>>>
>>> Also the MAC indicated in the firewall log is 14 blocks long and the
>>> local system in question has a MAC address 6 blocks long according to
>>> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
>>> reported by the firewall.
>>>
>>> Does this make sense to anyone?
>>
>> Does not make sense to me, sorry.  :-(
>
> Since my local firewall is rejecting the outbound requests, the time
> elapsed between the request and the block should be very short.  Is it
> possible the 'sleep 1' portion of the script is causing the failure to
> log the connection request?  The outbound connection is only attempted
> a few times per day.  If so, how would you recommend fixing that?

Try configuring your local firewall to log the request. There may be
something useful, such as logging an associated PID or user, that you
can add there. I don't know.

Alternately, you could DROP the outbound packet rather than REJECT it;
that should cause the connecting process to wait several seconds until
it times out.

>
> I'm also wondering if there is a command I could run on the
> router/firewall machine that would log something from the outbound
> request.  Even if the information logged isn't useful, it would be
> nice to see a confirmation of the outbound requests logged from
> somewhere besides the firewall.

Ow. We need to get a bit more specific. Is the 'local firewall' on the
connecting host, or is it on your router?

As far as logging goes, you can set up a rule (prior to your DROP or
REJECT) with a target of LOG. The packet will show up in syslog.

-- 
:wq


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 20:04                       ` Michael Mol
@ 2012-01-22 20:26                         ` Grant
  2012-01-22 23:22                           ` Mick
  0 siblings, 1 reply; 28+ messages in thread
From: Grant @ 2012-01-22 20:26 UTC (permalink / raw
  To: gentoo-user

>>>> I'm still getting the blocked outbound requests to port 3680 on my
>>>> firewall and I'm running the above script (changed 993 to 3680) on the
>>>> local system indicated by SRC in the firewall log, but mystery.log
>>>> remains empty.  I tested the script with other ports and it seems to
>>>> be working fine.
>>>>
>>>> Also the MAC indicated in the firewall log is 14 blocks long and the
>>>> local system in question has a MAC address 6 blocks long according to
>>>> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
>>>> reported by the firewall.
>>>>
>>>> Does this make sense to anyone?
>>>
>>> Does not make sense to me, sorry.  :-(
>>
>> Since my local firewall is rejecting the outbound requests, the time
>> elapsed between the request and the block should be very short.  Is it
>> possible the 'sleep 1' portion of the script is causing the failure to
>> log the connection request?  The outbound connection is only attempted
>> a few times per day.  If so, how would you recommend fixing that?
>
> Try configuring your local firewall to log the request. There may be
> something useful, such as logging an associated PID or user, that you
> can add there. I don't know.
>
> Alternately, you could DROP the outbound packet rather than REJECT it;
> that should cause the connecting process to wait several seconds until
> it times out.

I've just done this at yours and Michael Orlitzky's suggestion.
Waiting for another connection attempt now.

>> I'm also wondering if there is a command I could run on the
>> router/firewall machine that would log something from the outbound
>> request.  Even if the information logged isn't useful, it would be
>> nice to see a confirmation of the outbound requests logged from
>> somewhere besides the firewall.
>
> Ow. We need to get a bit more specific. Is the 'local firewall' on the
> connecting host, or is it on your router?

The firewall runs on the router (which is a Gentoo system) in the local network.

> As far as logging goes, you can set up a rule (prior to your DROP or
> REJECT) with a target of LOG. The packet will show up in syslog.

I just started running this on the router:

tcpdump -i eth1 -n | grep the.offending.ip.address

where eth1 is my LAN interface.  I figure this will tell me if any
requests are being made to the offending IP, including any that aren't
being logged by the firewall.  Nothing yet.

- Grant


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 20:26                         ` Grant
@ 2012-01-22 23:22                           ` Mick
  0 siblings, 0 replies; 28+ messages in thread
From: Mick @ 2012-01-22 23:22 UTC (permalink / raw
  To: gentoo-user

On Sunday 22 Jan 2012 20:26:13 Grant wrote:

> I just started running this on the router:
> 
> tcpdump -i eth1 -n | grep the.offending.ip.address
> 
> where eth1 is my LAN interface.  I figure this will tell me if any
> requests are being made to the offending IP, including any that aren't
> being logged by the firewall.  Nothing yet.

Add -s 0 to capture the whole size of packets if you want to see what is being 
sent/received.
-- 
Regards,
Mick


* Re: [gentoo-user] Strange outbound requests
  2012-01-22 17:54                 ` Grant
  2012-01-22 18:22                   ` Mick
  2012-01-22 18:45                   ` Michael Orlitzky
@ 2012-01-23  5:10                   ` Pandu Poluan
  2012-01-23  5:18                     ` Pandu Poluan
  2 siblings, 1 reply; 28+ messages in thread
From: Pandu Poluan @ 2012-01-23  5:10 UTC (permalink / raw
  To: gentoo-user

On Jan 23, 2012 12:57 AM, "Grant" <emailgrant@gmail.com> wrote:
>

----- >8 snip

>
> Also the MAC indicated in the firewall log is 14 blocks long and the
> local system in question has a MAC address 6 blocks long according to
> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
> reported by the firewall.
>
> Does this make sense to anyone?
>

It's (source  MAC):(dest MAC):(payload type)

(payload type) is usually 08:00 unless you're using SNAP/LLC

Rgds,


* Re: [gentoo-user] Strange outbound requests
  2012-01-23  5:10                   ` Pandu Poluan
@ 2012-01-23  5:18                     ` Pandu Poluan
  0 siblings, 0 replies; 28+ messages in thread
From: Pandu Poluan @ 2012-01-23  5:18 UTC (permalink / raw
  To: gentoo-user

On Jan 23, 2012 12:10 PM, "Pandu Poluan" <pandu@poluan.info> wrote:
>
>
> On Jan 23, 2012 12:57 AM, "Grant" <emailgrant@gmail.com> wrote:
> >
>
> ----- >8 snip
>
> >
> > Also the MAC indicated in the firewall log is 14 blocks long and the
> > local system in question has a MAC address 6 blocks long according to
> > ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
> > reported by the firewall.
> >
> > Does this make sense to anyone?
> >
>
> It's (source  MAC):(dest MAC):(payload type)
>
> (payload type) is usually 08:00 unless you're using SNAP/LLC
>
> Rgds,

Oops, sorry, it's the other way around (dest):(source):(type).

It's the representation of the first 14 octets of the Ethernet frame.

Rgds,
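Michael Mol's LOG-before-DROP rule and Pandu's breakdown of the 14-block MAC= field, combined in one added example (mine, not code from anyone in the thread): a parser for the syslog line the LOG target writes, which splits MAC= into destination MAC, source MAC and EtherType so the source MAC can be checked against what ifconfig shows on the LAN host. The log line, its prefix and all addresses are constructed.

```python
"""Parse netfilter LOG lines and split the 14-octet MAC= field.
Added example, not from the thread; the log line below is constructed, with
made-up addresses, in the layout the iptables LOG target writes to syslog."""
import re

# Constructed LOG line as the router's kernel would emit it for a blocked LAN host.
SAMPLE_LOG = ("Jan 22 19:31:02 router kernel: OUTBOUND-BLOCK: IN=eth1 OUT=eth0 "
              "MAC=00:1a:2b:3c:4d:5e:f0:de:f1:12:34:56:08:00 SRC=192.168.1.23 "
              "DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP "
              "SPT=51234 DPT=3680 WINDOW=14600 RES=0x00 SYN URGP=0")

ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6", "8100": "802.1Q"}

def split_mac_field(mac):
    """MAC= is the first 14 octets of the frame: dst MAC (6), src MAC (6), EtherType (2)."""
    octets = mac.lower().split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC= field, got {len(octets)}")
    dst, src, ethertype = ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])
    return dst, src, ETHERTYPES.get(ethertype, ethertype)

def parse_log_line(line):
    """Dict of the KEY=VALUE fields plus the split MAC= field (None when absent)."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    rec = {"in": fields.get("IN"), "out": fields.get("OUT"),
           "src": fields.get("SRC"), "dst": fields.get("DST"), "proto": fields.get("PROTO"),
           "spt": int(fields["SPT"]) if "SPT" in fields else None,
           "dpt": int(fields["DPT"]) if "DPT" in fields else None,
           "syn": re.search(r"\bSYN\b", line) is not None,
           "ack": re.search(r"\bACK\b", line) is not None}
    mac = fields.get("MAC")
    if mac:
        rec["dst_mac"], rec["src_mac"], rec["ethertype"] = split_mac_field(mac)
    else:  # packets generated on the firewall box itself carry an empty MAC=
        rec["dst_mac"] = rec["src_mac"] = rec["ethertype"] = None
    return rec

def same_mac(a, b):
    """ifconfig prints upper-case, the LOG target lower-case; compare case-insensitively."""
    return a.lower() == b.lower()

def blocked_attempts(log_text, port):
    """New TCP connection attempts (SYN without ACK) to one destination port."""
    hits = []
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        rec = parse_log_line(line)
        if rec["proto"] == "TCP" and rec["dpt"] == port and rec["syn"] and not rec["ack"]:
            hits.append(rec)
    return hits
```

Feed it the kernel log from the router (`grep OUTBOUND-BLOCK /var/log/messages`, or whatever prefix the LOG rule uses) and compare `src_mac` with the LAN host's interface address to confirm which machine is really sending.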
