RE: loopback device

That is not true. P stands for proto, not port.

    -p proto    Shows connections for the protocol specified by proto;
                proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used
                with the -s option to display per-protocol statistics,
                proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6,
                UDP, or UDPv6.

It has nothing to do with ports. Please DO NOT GIVE ADVICE ON THE LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.

Cheers,
Leon

-----Original Message-----
From: shawn merdinger [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 18, 2002 8:45 PM
Cc: Craig Van Tassle; secuirty-basics
Subject: Re: loopback device

Also, try the following:

    netstat -anp

The p option displays the program bound to that socket/port. From the looks of your snort log, it did not *appear* to be a loopback address.

-scm

On 15-Jan-2002 Craig Van Tassle wrote:
> My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?
>
> Thanks
> Craig
>
> On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
>> No, you can't bypass the firewall using the loopback interface. What's interesting though is the IP address they're using... usually loopback is 127.0.0.1, and the port number, 5460, isn't assigned to anyone, so what program is running?
>>
>> -----Original Message-----
>> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, January 14, 2002 8:48 AM
>> To: secuirty-basics
>> Subject: loopback device
>>
>> Is it possible for someone over a network to use my loopback to bypass my firewall? If so, what can I do to mitigate the problem, and how damaging can it be? The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks, here is a snippet from my Snort logs.
>>
>> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2]
>> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
>> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
>> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>>
>> Thanks
>> Craig

--
Phillip O'Donnell
Software Engineer, Esphion Limited
[EMAIL PROTECTED]
Re: loopback device

Ahh, that was the problem.. Linux and BSD use different versions of netstat, and I didn't think of that when I was posting to the list. BTW, I'm using FreeBSD, just thought you should know. Sorry for all the confusion. This just goes to show how similar yet different versions of OSs use slightly different things.

Craig

On Mon, Jan 21, 2002 at 01:51:05PM -0600, shawn merdinger wrote:
> Some of the confusion may be coming from the OSs. I was assuming Linux. version:
>
>     cartago:/home/shawn# netstat -V
>     net-tools 1.60
>     netstat 1.42 (2001-04-15)
>     Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and others
>     +NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
>     AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
>     HW: +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB
>
> Windows netstat -p is for the protocol.
>
> heh heh...I'm sure we'll get through this one way or another. :)
>
> -scm
>
> On Mon, 21 Jan 2002, Craig Van Tassle wrote:
>> Scm, I have looked up the netstat man page.
>>
>> snip from man netstat
>>
>>     -f address_family, -p protocol
>>         Limit display to those records of the specified address_family
>>         or a single protocol. The following address families and
>>         protocols are recognized:
>>
>> /snip from man netstat
>>
>> If that is what it says on your system then we are using 2 different versions of netstat. The -p option, as you can see, is the protocol, not the program bound to the socket. I have found that the lsof program actually was much better for tracking down what (as it turned out to be nothing, just grabbed by my firewall and Snort system) was using that port and addy on my computer.
>>
>> Thanks for the information.
>> Craig
>>
>> On Mon, Jan 21, 2002 at 01:34:02PM -0600, shawn merdinger wrote:
>>> Without resorting to a flame, the p option stands for the following:
>>>
>>>     -p, --programs    display PID/Program name for sockets
>>>
>>> So, it's the program that is bound to the socket.
>>>
>>> -scm
>>>
>>> On Mon, 21 Jan 2002, leon wrote:
>>>> That is not true. P stands for proto, not port.
>>>>
>>>>     -p proto    Shows connections for the protocol specified by proto;
>>>>                 proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used
>>>>                 with the -s option to display per-protocol statistics,
>>>>                 proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6,
>>>>                 UDP, or UDPv6.
>>>>
>>>> It has nothing to do with ports. Please DO NOT GIVE ADVICE ON THE LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.
>>>>
>>>> Cheers,
>>>> Leon
>>>>
>>>> -----Original Message-----
>>>> From: shawn merdinger [mailto:[EMAIL PROTECTED]]
>>>> Sent: Friday, January 18, 2002 8:45 PM
>>>> Cc: Craig Van Tassle; secuirty-basics
>>>> Subject: Re: loopback device
>>>>
>>>> Also, try the following:
>>>>
>>>>     netstat -anp
>>>>
>>>> The p option displays the program bound to that socket/port. From the looks of your snort log, it did not *appear* to be a loopback address.
>>>>
>>>> -scm
>>>>
>>>> On 15-Jan-2002 Craig Van Tassle wrote:
>>>>> My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?
>>>>>
>>>>> Thanks
>>>>> Craig
>>>>>
>>>>> On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
>>>>>> No, you can't bypass the firewall using the loopback interface. What's interesting though is the IP address they're using... usually loopback is 127.0.0.1, and the port number, 5460, isn't assigned to anyone, so what program is running?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
>>>>>> Sent: Monday, January 14, 2002 8:48 AM
>>>>>> To: secuirty-basics
>>>>>> Subject: loopback device
>>>>>>
>>>>>> Is it possible for someone over a network to use my loopback to bypass my firewall? If so, what can I do to mitigate the problem, and how damaging can it be? The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks, here is a snippet from my Snort logs.
>>>>>>
>>>>>> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
>>>>>> [Classification: Potentially Bad Traffic] [Priority: 2]
>>>>>> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
>>>>>> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
>>>>>> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>>>>>>
>>>>>> Thanks
>>>>>> Craig
Re: loopback device

I found out that the -p is not the port. And I agree with the thought of giving advice on this list; that is why I mostly stay quiet until I know something or I have a question that I'm not sure of. Thanks for both of your responses, Leon. You have been very helpful in my endeavors to secure my box.

Craig

On Mon, Jan 21, 2002 at 01:08:13PM -0500, leon wrote:
> That is not true. P stands for proto, not port.
>
>     -p proto    Shows connections for the protocol specified by proto;
>                 proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used
>                 with the -s option to display per-protocol statistics,
>                 proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6,
>                 UDP, or UDPv6.
>
> It has nothing to do with ports. Please DO NOT GIVE ADVICE ON THE LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.
>
> Cheers,
> Leon
>
> -----Original Message-----
> From: shawn merdinger [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 18, 2002 8:45 PM
> Cc: Craig Van Tassle; secuirty-basics
> Subject: Re: loopback device
>
> Also, try the following:
>
>     netstat -anp
>
> The p option displays the program bound to that socket/port. From the looks of your snort log, it did not *appear* to be a loopback address.
>
> -scm
>
> On 15-Jan-2002 Craig Van Tassle wrote:
>> My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?
>>
>> Thanks
>> Craig
>>
>> On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
>>> No, you can't bypass the firewall using the loopback interface. What's interesting though is the IP address they're using... usually loopback is 127.0.0.1, and the port number, 5460, isn't assigned to anyone, so what program is running?
>>>
>>> -----Original Message-----
>>> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
>>> Sent: Monday, January 14, 2002 8:48 AM
>>> To: secuirty-basics
>>> Subject: loopback device
>>>
>>> Is it possible for someone over a network to use my loopback to bypass my firewall? If so, what can I do to mitigate the problem, and how damaging can it be? The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks, here is a snippet from my Snort logs.
>>>
>>> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
>>> [Classification: Potentially Bad Traffic] [Priority: 2]
>>> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
>>> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
>>> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>>>
>>> Thanks
>>> Craig
Re: loopback device

Also, try the following:

    netstat -anp

The p option displays the program bound to that socket/port. From the looks of your snort log, it did not *appear* to be a loopback address.

-scm

On 15-Jan-2002 Craig Van Tassle wrote:
> My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?
>
> Thanks
> Craig
>
> On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
>> No, you can't bypass the firewall using the loopback interface. What's interesting though is the IP address they're using... usually loopback is 127.0.0.1, and the port number, 5460, isn't assigned to anyone, so what program is running?
>>
>> -----Original Message-----
>> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, January 14, 2002 8:48 AM
>> To: secuirty-basics
>> Subject: loopback device
>>
>> Is it possible for someone over a network to use my loopback to bypass my firewall? If so, what can I do to mitigate the problem, and how damaging can it be? The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks, here is a snippet from my Snort logs.
>>
>> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2]
>> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
>> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
>> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>>
>> Thanks
>> Craig
Re: loopback device

Ok, the port was a typo. But do you think that my computer could be compromised, or could this just be a misconfiguration on my computer, or an attempt at a hack? How is it that my computer is catching this loopback traffic? Could someone be bouncing off my computer, or what?

Thanks
Craig

On Thu, Jan 17, 2002 at 02:11:15PM -0500, leon wrote:
> What do you mean by what program is running on this port? I am not sure if you consider the loopback address a port as much as what it is (ie; a loopback address). I don't know if you can bind a running process to the loopback addy. Even if you possibly could, an attacker never would, because you would be unable to route traffic to it.
>
> HTH,
> Leon
>
> -----Original Message-----
> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 15, 2002 2:35 PM
> To: secuirty-basics
> Subject: Re: loopback device
>
> My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?
>
> Thanks
> Craig
>
> On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
>> No, you can't bypass the firewall using the loopback interface. What's interesting though is the IP address they're using... usually loopback is 127.0.0.1, and the port number, 5460, isn't assigned to anyone, so what program is running?
>>
>> -----Original Message-----
>> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, January 14, 2002 8:48 AM
>> To: secuirty-basics
>> Subject: loopback device
>>
>> Is it possible for someone over a network to use my loopback to bypass my firewall? If so, what can I do to mitigate the problem, and how damaging can it be? The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks, here is a snippet from my Snort logs.
>>
>> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2]
>> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
>> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
>> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>>
>> Thanks
>> Craig
Re: loopback device

Actually, most loopback devices respond to any IP within the 127/8 IP range, because the entire /8 block is reserved for loopback purposes. The fact that a program is using it isn't a 'bad' thing, although it is extremely odd.

I do have a few concerns though. Is 45.253.14.97 an IP address on the system? If not, you may want to investigate as to why traffic to the loopback subnet is being routed there.

Also, if you're running a *NIX variant (being Snort, I guess so)... see if there is a version of a utility called 'lsof' available for your system. What that does is list information about open file descriptors, including sockets (tcp, udp, unix, etc), pipes, fifos, normal files, and more. The output from that may be able to give you some insight as to what is binding to that port on your system, if indeed anything is.

On 15-Jan-2002 Craig Van Tassle wrote:
> My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?
>
> Thanks
> Craig
>
> On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
>> No, you can't bypass the firewall using the loopback interface. What's interesting though is the IP address they're using... usually loopback is 127.0.0.1, and the port number, 5460, isn't assigned to anyone, so what program is running?
>>
>> -----Original Message-----
>> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, January 14, 2002 8:48 AM
>> To: secuirty-basics
>> Subject: loopback device
>>
>> Is it possible for someone over a network to use my loopback to bypass my firewall? If so, what can I do to mitigate the problem, and how damaging can it be? The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks, here is a snippet from my Snort logs.
>>
>> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
>> [Classification: Potentially Bad Traffic] [Priority: 2]
>> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
>> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
>> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>>
>> Thanks
>> Craig

--
Phillip O'Donnell
Software Engineer, Esphion Limited
[EMAIL PROTECTED]
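The two checks Phillip's reply rests on (the whole 127/8 block is loopback, not only 127.0.0.1, and a packet addressed to that block that did not originate on the host itself cannot be legitimate) can be applied mechanically to a Snort alert. The script below is an added example, not code from Phillip or anyone else in this thread. It parses the packet-header line of the alert Craig posted (with the "->" arrow restored; the flags line is not parsed) and classifies it against a set of host addresses; the addresses 192.0.2.10 and 127.0.0.1 used for the demonstration are constructed, not taken from Craig's system.

```python
"""Triage helper for Snort 'BAD TRAFFIC loopback traffic' alerts.

Added example for this thread, not code from any poster. It applies the
reasoning from the discussion: the entire 127.0.0.0/8 block is loopback,
and a packet with a 127/8 endpoint should never cross the network, so its
source must be either one of this host's own addresses (a local
misconfiguration) or spoofed/misrouted.
"""
import ipaddress
import re

# Packet header line of a Snort full-format alert:
#   MM/DD-HH:MM:SS.usec  <src>:<sport> -> <dst>:<dport> <proto> ...
# The list archive flattened "->" to "-", so both spellings are accepted.
_PKT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+-+>?\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>[A-Z]+)"
)

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_alert(alert_text):
    """Return ts, src, sport, dst, dport, proto from a (multi-line) Snort alert."""
    m = _PKT_RE.search(alert_text)
    if m is None:
        raise ValueError("no Snort packet header line found")
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def triage_loopback_alert(alert, local_addrs):
    """Classify a loopback alert given the host's own IP addresses.

    Returns (verdict, reasons). Verdicts:
      "not-loopback"           neither endpoint is in 127/8; rule should not fire
      "local-only"             both endpoints are in 127/8; host-internal traffic
      "local-misconfiguration" the non-loopback endpoint is this host itself
      "spoofed-or-misrouted"   the non-loopback endpoint is not this host
    """
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    local = {ipaddress.ip_address(a) for a in local_addrs}
    reasons = []

    src_lo, dst_lo = src in LOOPBACK_NET, dst in LOOPBACK_NET
    if not (src_lo or dst_lo):
        return "not-loopback", ["neither address is inside 127.0.0.0/8"]
    if src_lo and dst_lo:
        return "local-only", ["both addresses are inside 127.0.0.0/8"]

    # Phillip's first point: any 127.x.y.z answers, not only 127.0.0.1.
    if dst_lo and dst != ipaddress.ip_address("127.0.0.1"):
        reasons.append(f"destination {dst} is in 127/8 but is not 127.0.0.1; "
                       "the whole /8 is loopback, so the host will still answer it")

    # Phillip's second point: is the source an address on this system?
    if src in local:
        reasons.append(f"source {src} is this host; find the process talking to "
                       f"{dst}:{alert['dport']} (e.g. lsof -i :{alert['dport']})")
        return "local-misconfiguration", reasons
    reasons.append(f"source {src} is not an address of this host; a packet with a "
                   "127/8 endpoint should never cross the network, so the source "
                   "is spoofed or the packet was misrouted to this interface")
    return "spoofed-or-misrouted", reasons


# The alert Craig posted, as quoted in the thread (arrow restored).
SAMPLE_ALERT = """\
[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
**S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
"""

# Constructed host addresses for the demonstration (not Craig's real ones).
HOST_ADDRS = {"192.0.2.10", "127.0.0.1"}

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    verdict, why = triage_loopback_alert(alert, HOST_ADDRS)
    print(f"{alert['src']}:{alert['sport']} -> {alert['dst']}:{alert['dport']} "
          f"{alert['proto']} => {verdict}")
    for r in why:
        print("  -", r)
```

With the constructed host addresses, Craig's alert is classified as spoofed-or-misrouted, which is exactly the case Phillip asks about: 45.253.14.97 is not the host, so the packet arrived from the wire with a loopback destination. Swap the host's real addresses into HOST_ADDRS and the verdict changes to local-misconfiguration when the source turns out to be the machine itself, at which point lsof (as Phillip and Craig both settled on) is the tool to find the process.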
Re: loopback device

I know the IP of my comp is totally different; that is part of the reason I was wondering about the loopback traffic. I do have lsof and I will look into that to see what is going on.. And yesterday I saw a lot of traffic going in to and out of my DSL modem (physically separate from my box) and I didn't show any new usage of the internet via netstat and my firewall monitoring utilities.. do you think this could be a break-in attempt, or could I have already been broken in to?

Thanks
Craig

On Thu, Jan 17, 2002 at 09:09:19AM +1300, [EMAIL PROTECTED] wrote:
> Actually, most loopback devices respond to any IP within the 127/8 IP range, because the entire /8 block is reserved for loopback purposes. The fact that a program is using it isn't a 'bad' thing, although it is extremely odd.
>
> I do have a few concerns though. Is 45.253.14.97 an IP address on the system? If not, you may want to investigate as to why traffic to the loopback subnet is being routed there.
>
> Also, if you're running a *NIX variant (being Snort, I guess so)... see if there is a version of a utility called 'lsof' available for your system. What that does is list information about open file descriptors, including sockets (tcp, udp, unix, etc), pipes, fifos, normal files, and more. The output from that may be able to give you some insight as to what is binding to that port on your system, if indeed anything is.
>
> On 15-Jan-2002 Craig Van Tassle wrote:
>> My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?
>>
>> Thanks
>> Craig
>>
>> On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
>>> No, you can't bypass the firewall using the loopback interface. What's interesting though is the IP address they're using... usually loopback is 127.0.0.1, and the port number, 5460, isn't assigned to anyone, so what program is running?
>>>
>>> -----Original Message-----
>>> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
>>> Sent: Monday, January 14, 2002 8:48 AM
>>> To: secuirty-basics
>>> Subject: loopback device
>>>
>>> Is it possible for someone over a network to use my loopback to bypass my firewall? If so, what can I do to mitigate the problem, and how damaging can it be? The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks, here is a snippet from my Snort logs.
>>>
>>> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
>>> [Classification: Potentially Bad Traffic] [Priority: 2]
>>> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
>>> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
>>> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>>>
>>> Thanks
>>> Craig
Re: loopback device

My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?

Thanks
Craig

On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
> No, you can't bypass the firewall using the loopback interface. What's interesting though is the IP address they're using... usually loopback is 127.0.0.1, and the port number, 5460, isn't assigned to anyone, so what program is running?
>
> -----Original Message-----
> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 14, 2002 8:48 AM
> To: secuirty-basics
> Subject: loopback device
>
> Is it possible for someone over a network to use my loopback to bypass my firewall? If so, what can I do to mitigate the problem, and how damaging can it be? The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks, here is a snippet from my Snort logs.
>
> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>
> Thanks
> Craig