Il 2017-08-24 20:48 Tom Eastep ha scritto:
As far as I am aware, neither UDP port 1370 nor TCP port 1328 have
anything to do with Postfix. [..]
Well, this is already something..
Il 2017-08-24 21:47 Tom Eastep ha scritto:
On 08/24/2017 11:48 AM, Tom Eastep wrote:
As far as I am aware, neither UDP port 1370 nor TCP port 1328 have
anything to do with Postfix. Port 1370 is us-gv (Unix Shell to
GlobalView) while 1328 is echoserver (and also used by malware). I
suggest that you use netstat to try to determine the process that is
using these ports:
On SERVER1
netstat -unap | fgrep 1370
On SERVER2
netstat -tnap | fgrep 1328
[..]
Actually, those are backwards. You want:
On SERVER1
netstat -tnap | fgrep 1328
On SERVER2
netstat -unap | fgrep 1360
-Tom
Thanks again for your help, I am not expert and I appreciate very much
what you do that allows me to learn ;-)
Well, I've make as you suggested, but the netstat output seem null,
except for port 23.
You may have to repeat each command multiple times to catch a
process
that is bound to the specific port.
Is there a way to continuously make listen netstat on a particular port
and record its output?
---------------------------- SERVER1 -------------------------------
[..]
Aug 25 11:25:16 server kernel: [17880669.219599]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220
DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP
SPT=38443 DPT=1370 LEN=35
Aug 25 11:25:53 server kernel: [17880706.456383]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220
DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP
SPT=47055 DPT=1370 LEN=35
Aug 25 11:25:57 server kernel: [17880710.177281]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.236.38.63
DST=91.205.175.213 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=44240 PROTO=TCP
SPT=64626 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 25 11:25:57 server kernel: [17880710.245664]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=91.211.0.103
DST=91.205.175.213 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=52662 PROTO=TCP
SPT=52212 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 25 11:26:04 server kernel: [17880717.162323]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=189.219.254.21
DST=91.205.175.213 LEN=40 TOS=0x08 PREC=0x20 TTL=235 ID=5462 PROTO=TCP
SPT=19429 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 25 11:26:16 server kernel: [17880729.255432]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220
DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP
SPT=38443 DPT=1370 LEN=35
Aug 25 11:26:53 server kernel: [17880766.484037]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220
DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP
SPT=47055 DPT=1370 LEN=35
Aug 25 11:27:05 server dovecot:
imap(book...@hotelsangiorgioriccione.com): save: box=Drafts, uid=435,
msgid=<d416e588-fdb7-fedc-e907-ba2f87ff2...@hotelsangiorgioriccione.com>,
size=113827
Aug 25 11:27:12 server kernel: [17880785.159752]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=91.223.82.136
DST=91.205.175.213 LEN=66 TOS=0x08 PREC=0x40 TTL=58 ID=0 DF PROTO=UDP
SPT=51884 DPT=161 LEN=46
Aug 25 11:27:16 server kernel: [17880789.285575]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220
DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP
SPT=38443 DPT=1370 LEN=35
netstat -unap | fgrep 161
root@server:/home/vage# netstat -unap | fgrep 1370
root@server:/home/vage# netstat -unap | fgrep 3389
root@server:/home/vage# netstat -tnap | fgrep 1328
netstat -unap | fgrep 23
udp 0 0 91.205.175.213:123 0.0.0.0:*
522/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:*
522/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:*
522/ntpd
udp6 0 0 fe80::250:56ff:fe3c:123 :::*
522/ntpd
udp6 0 0 2a02:c205:2008:934::123 :::*
522/ntpd
udp6 0 0 ::1:123 :::*
522/ntpd
udp6 0 0 :::123 :::*
522/ntpd
netstat -tnap | fgrep 23
tcp 0 0 0.0.0.0:3306 0.0.0.0:*
LISTEN 12310/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:52641
ESTABLISHED 12310/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:52646
ESTABLISHED 12310/mysqld
tcp 0 0 91.205.175.213:3306 5.189.166.16:53435
ESTABLISHED 12310/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:52644
ESTABLISHED 12310/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:52645
ESTABLISHED 12310/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:52643
ESTABLISHED 12310/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:52640
ESTABLISHED 12310/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:52648
ESTABLISHED 12310/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:52642
ESTABLISHED 12310/mysqld
----------------------- SERVER2 ----------------------------
[..]
Aug 25 11:34:18 server2 kernel: [11724555.361345]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=113.111.6.15
DST=5.189.166.16 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=17270 DF PROTO=TCP
SPT=7356 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 25 11:34:19 server2 kernel: [11724556.342860]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=113.111.6.15
DST=5.189.166.16 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=31661 DF PROTO=TCP
SPT=7356 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 25 11:34:20 server2 kernel: [11724556.829862]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=113.111.6.15
DST=5.189.166.16 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=25278 DF PROTO=TCP
SPT=7356 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 25 11:34:20 server2 kernel: [11724557.345019]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=113.111.6.15
DST=5.189.166.16 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=64471 DF PROTO=TCP
SPT=7356 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 25 11:34:27 server2 kernel: [11724564.111568]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=62.210.162.192
DST=5.189.166.16 LEN=52 TOS=0x02 PREC=0x00 TTL=123 ID=10751 DF PROTO=TCP
SPT=55487 DPT=3128 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
Aug 25 11:34:30 server2 kernel: [11724567.119137]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=62.210.162.192
DST=5.189.166.16 LEN=52 TOS=0x02 PREC=0x00 TTL=123 ID=10752 DF PROTO=TCP
SPT=55487 DPT=3128 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
Aug 25 11:34:36 server2 kernel: [11724573.119060]
Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=62.210.162.192
DST=5.189.166.16 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=10753 DF PROTO=TCP
SPT=55487 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
SERVER2
netstat -tnap | fgrep 1328
root@server2:/home/vage# netstat -tnap | fgrep 5376
root@server2:/home/vage# netstat -tnap | fgrep 5060
root@server2:/home/vage# netstat -tnap | fgrep 16045
root@server2:/home/vage# netstat -unap | fgrep 1360
root@server2:/home/vage# netstat -unap | fgrep 5060
root@server2:/home/vage# netstat -unap | fgrep 3128
Thanks again
Davide
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
