I got the following output from "netstat -elpn" on my firewall (kernel 2.4.2, 
iptables).

/-([EMAIL PROTECTED])-(166/ttyS0)-(17:56:42:Friday Apr 20)- 
\-(/var/log)- 
ROOT : netstat -elpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          1229       427/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          1542       487/sendmail: accep
udp        0      0 0.0.0.0:1112            0.0.0.0:*                           0          127022     16024/send-mail
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     125202 15009/pump          /var/run/pump.sock

What's up with the send-mail process listening on port 1112? That looks really 
bad to me. A few seconds later the process is gone. Further netstat commands 
only show sshd and sendmail.

Then I did a "find / -inum 127022" but there is no file with that inode. Uh oh. 
That can't be good either. The firewall runs an old redhat 6.2 install (haven't 
converted everything to debian, but I'm working on it!) with most everything 
turned off, as seen from the netstat output.

My iptables rules log and then drop everything by default, with ssh and mail 
rerouted to a server on the internal LAN using NAT. The following lines show up 
in my logfiles ("UNKNOWN CONNECTION ATTEMPT" is a prefix added by my iptables 
rule).

Apr 20 17:41:28 cerberus kernel: UNKNOWN CONNECTION ATTEMPT IN=eth0 OUT= MAC=[snip] SRC=24.92.226.174 DST=66.66.82.158 LEN=69 TOS=0x00 PREC=0x00 TTL=247 ID=27145 DF PROTO=UDP SPT=53 DPT=1112 LEN=49
Apr 20 17:41:45 cerberus kernel: UNKNOWN CONNECTION ATTEMPT IN=eth0 OUT= MAC=[snip] SRC=24.92.226.13 DST=66.66.82.158 LEN=69 TOS=0x00 PREC=0x00 TTL=247 ID=7141 DF PROTO=UDP SPT=53 DPT=1112 LEN=49

The SRC= addresses in the above are valid RoadRunner DNS servers. They are the 
ones I use.

-- 
Jonathan Freiermuth
[EMAIL PROTECTED]
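An added triage example, not part of the message above: it parses iptables LOG lines in the format shown (the two lines from the post plus one constructed TCP line with a TEST-NET source) and separates UDP packets from port 53 on the firewall's own configured resolvers to an unprivileged port, which look like DNS replies to an outbound lookup, from everything else. The resolver list and the third log line are assumptions made for the example; the result should be cross-checked against the netstat output (a short-lived UDP socket on the same DPT owned by a mail process) before deciding anything.

```python
import re

# Sample kernel LOG lines: the first two are copied from the message above,
# the third is constructed (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Apr 20 17:41:28 cerberus kernel: UNKNOWN CONNECTION ATTEMPT IN=eth0 OUT= MAC=[snip] SRC=24.92.226.174 DST=66.66.82.158 LEN=69 TOS=0x00 PREC=0x00 TTL=247 ID=27145 DF PROTO=UDP SPT=53 DPT=1112 LEN=49
Apr 20 17:41:45 cerberus kernel: UNKNOWN CONNECTION ATTEMPT IN=eth0 OUT= MAC=[snip] SRC=24.92.226.13 DST=66.66.82.158 LEN=69 TOS=0x00 PREC=0x00 TTL=247 ID=7141 DF PROTO=UDP SPT=53 DPT=1112 LEN=49
Apr 20 17:42:01 cerberus kernel: UNKNOWN CONNECTION ATTEMPT IN=eth0 OUT= MAC=[snip] SRC=192.0.2.77 DST=66.66.82.158 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=4321 DPT=1112 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Resolvers the firewall is configured to use (assumed: the post says the SRC=
# addresses are the author's RoadRunner DNS servers).
CONFIGURED_RESOLVERS = {"24.92.226.174", "24.92.226.13"}

LOG_PREFIX = "UNKNOWN CONNECTION ATTEMPT"
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE tokens; bare flags (DF, SYN) are skipped


def parse_iptables_log(line):
    """Return the KEY=VALUE fields of one prefixed LOG line as a dict, else None."""
    if LOG_PREFIX not in line:
        return None
    # The second LEN= (UDP/TCP payload length) overwrites the IP total length; fine here.
    return dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))


def classify(fields, resolvers=CONFIGURED_RESOLVERS):
    """'dns-reply' for UDP from port 53 on a known resolver to an unprivileged
    port (the shape of an answer to a lookup the firewall itself sent, dropped
    because no rule accepted it), otherwise 'unsolicited'."""
    if fields.get("PROTO") != "UDP":
        return "unsolicited"
    if fields.get("SPT") != "53" or fields.get("SRC") not in resolvers:
        return "unsolicited"
    if int(fields.get("DPT", "0")) < 1024:
        return "unsolicited"
    return "dns-reply"


def triage(log_text, resolvers=CONFIGURED_RESOLVERS):
    """Parse every prefixed line and return (SRC, PROTO, SPT, DPT, label) tuples."""
    results = []
    for line in log_text.splitlines():
        f = parse_iptables_log(line)
        if f:
            results.append((f["SRC"], f["PROTO"], f.get("SPT"), f.get("DPT"), classify(f, resolvers)))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```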
