[lug] outgoing port 220 exploit?

D. Stimits stimits at comcast.net
Sat Jan 17 22:44:28 MST 2004


D. Stimits wrote:

> I currently have no use of imap, and routinely block not only incoming
> ports that I do not use, but also outgoing ports. It may be that nothing
> is wrong here, but I need to track which app is trying to send an
> outgoing tcp connect to port 220 on all kinds of machines. Chkrootkit
> says things are fine, no mysterious processes show up, I keep things
> updated, so on. But it bugs me to not be able to see the ipchains output
> tell me exactly what app it is that is trying to go to imap. Any
> suggestions? I can't seem to find any published info on any exploit that
> would cause an outbound port 220 attempt (internal port is always 6129).
> I have been unable to find any input chain hits, only output chain.
>
> D. Stimits, stimits AT comcast DOT net
>
Well, netstat seems to work only for existing tcp connects, or if it is 
run right at the instant of a connect attempt. What I have here is a 
period failed connect to outside port 220, it is blocked both on the 
local machine and on the bridge firewall, so it never gets beyond a SYN 
packet. I'm thinking what I need is a tcpdump. Only I'm having a problem 
with the tcpdump syntax. Can anyone tell me the syntax to use tcpdump to 
continuously dump info of any port 220 destination packets? And is there 
a way to give source application info the way netstat does with the 
-lenp argument?

D. Stimits, stimits AT comcast DOT net

PS: This only seems to show up when mozilla is running, but I have 
tested it far too little to know for sure yet.
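As an added example that is not part of the original post or the list archive: a POSIX shell sketch of the tcpdump filter asked about above, with the source-application lookup done against netstat output (netstat -tnp rather than -lenp, since -l lists listening sockets only and an outbound attempt shows as SYN_SENT in the plain connection list). The interface name, the sample packet lines and the sample netstat output are constructed assumptions, not data from the poster's machine.

```sh
#!/bin/sh
# Added example, not from the original post: watch for outbound TCP SYNs to
# port 220 and name the local process that owns the source socket.
# Assumes Linux with tcpdump and net-tools; IFACE and the sample data below
# are constructed for illustration, not taken from the poster's machine.

IFACE="${IFACE:-any}"
DPORT=220

# Print the local (source) port from one "tcpdump -n" line. Works for both
# the old "192.168.1.5.6129 > 10.0.0.7.220: S ..." and the newer
# "IP 192.168.1.5.6129 > 10.0.0.7.220: Flags [S] ..." layouts.
syn_src_port() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i == ">") { n = split($(i - 1), a, "."); print a[n]; exit }
    }'
}

# Read "netstat -tnp" output on stdin and print the PID/Program that owns the
# socket bound to local port $1. Note -t, not -l: -l lists listening sockets
# only, while an outbound attempt shows up as SYN_SENT in the connection list.
owner_of_port() {
    awk -v p="$1" '$1 == "tcp" && $4 ~ (":" p "$") { print $7 }'
}

# Live mode: -l line-buffers tcpdump so each packet reaches the loop at once,
# -n skips DNS. The filter keeps only SYNs (new connection attempts) to DPORT.
# netstat needs root to report the owner of another user's socket; the socket
# stays in SYN_SENT while the kernel retransmits, which is the lookup window.
watch_port() {
    tcpdump -l -n -i "$IFACE" "tcp dst port $DPORT and tcp[tcpflags] & tcp-syn != 0" |
    while IFS= read -r line; do
        sport=$(syn_src_port "$line")
        [ -n "$sport" ] || continue
        owner=$(netstat -tnp 2>/dev/null | owner_of_port "$sport")
        printf '%s src port %s owner %s\n' "$(date '+%T')" "$sport" "${owner:-unknown}"
    done
}

# Constructed netstat -tnp output for an offline check of owner_of_port.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.1.5:6129        10.0.0.7:220            SYN_SENT    1234/mozilla-bin
tcp        0      0 192.168.1.5:32771       192.168.1.1:22          ESTABLISHED 987/ssh'

case "${1:-}" in watch) watch_port ;; esac
```

One caveat for the setup described in the post: a SYN denied by the local ipchains output rule is dropped before it reaches the interface tap that tcpdump reads, so the capture stays empty until that rule is switched to log-only or the capture is run on the bridge instead. The ipchains log line already carries the local source port, so that value can be fed straight to owner_of_port while the attempt is retransmitting.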