[lug] outgoing port 220 exploit?

Jordan Crouse jordan at cosmicpenguin.net
Sun Jan 18 13:19:05 MST 2004


> Well, netstat seems to work only for existing tcp connects, or if it
> is run right at the instant of a connect attempt. What I have here is
> a period failed connect to outside port 220, it is blocked both on the
> local machine and on the bridge firewall, so it never gets beyond a
> SYN packet. I'm thinking what I need is a tcpdump. Only I'm having a
> problem with the tcpdump syntax. Can anyone tell me the syntax to use
> tcpdump to continuously dump info of any port 220 destination packets?
> And is there a way to give source application info the way netstat
> does with the -lenp argument?

You can also use ethereal if you want something a little bit more "user
friendly".  It does most of the ugly work for you in terms of figuring
out the different layers.  It's a GTK user interface, so it requires the
overhead of any GUI app and the user interaction, but it's invaluable at
figuring out the gooey innards of the packets (unless you can remember
how big an 802.1D packet is from memory.. :D ).

Another option is to use iptables to log any outgoing attempts on port
220.  The advantage here is that it will be logged automatically,
without having to run tcpdump or ethereal.  For example, here is the
chain that I use to log incoming ICMP packets that get dropped (I
like to know when people try to ping me): 

iptables -A LDROP --proto icmp -j LOG --log-level info \
                                           --log-prefix "ICMP Drop "

iptables -A ICMP -p icmp --icmp-type echo-request  -j LDROP

Check the iptables man pages for more information on the
--log-level and --log-prefix params.

As for determining which specific processes are sending the offending
ports, that's a bit more difficult.  You might need to end up writing a
program or a script that monitors /proc/net/udp and /proc/net/tcp for
the right numbers, and then either logs the information, sends you an
email, or sounds an alarm (or maybe all three).

Good luck,
Jordan

-- 
http://www.cosmicpenguin.net

** No penguins were harmed in the making of this message
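As an added example (not part of Jordan's message or the original thread), here is a Python script that does what the last paragraph of the reply suggests: it parses /proc/net/tcp, picks out sockets whose remote end is port 220 (the port from the thread), and walks /proc/<pid>/fd to find the process that owns each socket inode, which is the per-process view netstat -p gives for established connections. It also parses the KEY=VALUE fields of the kernel log line an iptables LOG rule writes, so the logged attempts can be correlated with the socket table. The sample /proc/net/tcp text and the sample log line are constructed for the example; the addresses 10.0.2.15 and 203.0.113.5 and the "OUT220 " log prefix are assumptions, not values from the thread.

```python
#!/usr/bin/env python3
"""Find sockets aimed at a given remote TCP port and the process that owns
them by reading /proc/net/tcp and /proc/<pid>/fd, and parse the kernel log
lines an iptables LOG rule produces.  Added example, not code from the
original mailing-list message."""
import os
import re
import socket
import struct
from typing import Dict, List, Optional, Tuple

# Subset of the TCP state codes used in the "st" column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}

# Constructed sample of /proc/net/tcp: one listening sshd socket and one
# outbound attempt to 203.0.113.5:220 stuck in SYN_SENT (the symptom in the
# thread, where the SYN never gets past the firewall).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C6A3 057100CB:00DC 02 00000001:00000000 01:00000010 00000001  1000        0 67890 1 0000000000000000 100 0 0 10 -1
"""

# Constructed kernel log line in the format the iptables LOG target emits,
# assuming a rule with --log-prefix "OUT220 ".
SAMPLE_LOG_LINE = ('Jan 18 13:19:05 host kernel: OUT220 IN= OUT=eth0 '
                   'SRC=10.0.2.15 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 '
                   'TTL=64 ID=12345 DF PROTO=TCP SPT=50851 DPT=220 '
                   'WINDOW=5840 RES=0x00 SYN URGP=0')


def parse_addr(hexaddr: str) -> Tuple[str, int]:
    """Decode an "ADDR:PORT" field: IPv4 is little-endian hex, port is
    big-endian hex.  '0100007F:0016' -> ('127.0.0.1', 22)"""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """Turn the text of /proc/net/tcp into a list of socket records."""
    entries = []
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": parse_addr(fields[1]),
            "remote": parse_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def sockets_to_port(entries: List[Dict], port: int) -> List[Dict]:
    """Sockets whose remote end is the given port, in any state."""
    return [e for e in entries if e["remote"][1] == port]


def inode_to_pid(inode: int, proc_root: str = "/proc") -> Optional[int]:
    """Find the process holding a socket inode by scanning /proc/<pid>/fd
    links.  Returns None when nothing matches (reading other users' fd
    directories needs root)."""
    target = f"socket:[{inode}]"
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                       # process exited or not ours
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue
    return None


def parse_iptables_log(line: str) -> Dict[str, str]:
    """Extract the KEY=VALUE pairs (SRC, DST, DPT, ...) from a LOG line."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))


def main(port: int = 220) -> None:
    # Read the live table on Linux, otherwise fall back to the sample.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as f:
            entries = parse_proc_net_tcp(f.read())
    else:
        entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for e in sockets_to_port(entries, port):
        pid = inode_to_pid(e["inode"])
        print(f"{e['local'][0]}:{e['local'][1]} -> {e['remote'][0]}:{port} "
              f"state={e['state']} uid={e['uid']} pid={pid}")


if __name__ == "__main__":
    main()
```

Run it in a loop (or from cron) on the affected machine as root; a periodic failed connect shows up only briefly as a SYN_SENT entry, so poll more often than the retry interval you see in the firewall log, and match the SPT/DPT pair from the LOG line against the local port in the socket table to tie the logged packet to a pid.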
