On 8/3/2014 10:03 AM, merc1...@f-m.fm wrote:
>
> Lately I've been noticing that something is hammering away trying to get
> out ports 25 and 110. Since I don't use those and they are closed, I am
> suspicious. https://pastee.org/k73u8 The destination IP isn't running
> POP or SMTP either.
>
> Unfortunately, Shorewall doesn't have a mechanism to associate a PID to
> an attempt, maybe because the info just isn't there. I do find that it
> is possible to turn on UID reporting, so I added (uid) to each INFO in
> the policy file and restarted Shorewall, but I'm still not getting the
> UID.
>
> #SOURCE   DEST    POLICY   LOG        LIMIT:   CONNLIMIT:
> #                          LEVEL      BURST    MASK
> net       $FW     DROP     info(uid)
> net       local   DROP     info(uid)
> $FW       net     DROP     info(uid)
> $FW       local   DROP     info(uid)
> local     net     DROP     info(uid)
> local     $FW     DROP     info(uid)
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
> net       all     DROP     info(uid)
> all       all     DROP     info(uid)
> #LAST LINE -- DO NOT REMOVE
>
> I need to put these 25 and 110 accesses with a PID to try and identify
> this trojan. I'm trying # netstat -apn|grep -w DPT=25 but that hasn't
> caught anything yet, and it's not a real solution long-term.
>
> Any suggestions?
Have you tried using netstat or ss?

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
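To make the netstat/ss suggestion concrete for the situation in the quoted post, here is an added example (not code from the thread, Shorewall or its author) that correlates a Shorewall DROP log line with the socket table. The idea it relies on: a DROP policy silently discards the outbound SYN, so the originating socket sits in SYN-SENT on the host while the kernel retransmits, and its local port (the SPT field in the log, which the iptables LOG target writes together with UID=/GID= when Shorewall's info(uid) level is used) matches the local port that `ss -tnp` shows next to the owning PID. The log line, the zone names in the log prefix (fw2net), the ss output, the addresses and the process name are all constructed sample data.

```python
"""Attribute a Shorewall DROP log entry to the local process that opened the socket."""
import pwd
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample: one kernel log line as written by the iptables LOG target
# (Shorewall policy level info(uid) adds the UID= and GID= fields at the end).
SAMPLE_LOG = (
    "Aug  3 09:58:12 host kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 "
    "SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF "
    "PROTO=TCP SPT=45678 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000"
)

# Constructed sample of `ss -tnp` output; the first socket is stuck in SYN-SENT
# because the firewall dropped its SYN, which is exactly the state to look for.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
SYN-SENT 0      1      192.168.1.20:45678  203.0.113.7:25    users:(("unknown-bin",pid=4321,fd=3))
ESTAB    0      0      192.168.1.20:52210  192.168.1.1:22    users:(("ssh",pid=2201,fd=3))
"""

# KEY=VALUE tokens of an iptables LOG line; flag tokens like DF or SYN carry no '='.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# One data row of `ss -tnp`; the header row has no numeric Recv-Q so it is skipped.
SS_LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s*(?P<proc>.*)$"
)
PID_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_shorewall_log(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one Shorewall/iptables LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def uid_to_name(uid: str) -> str:
    """Map the UID= field to an account name; 'unknown' if it cannot be resolved."""
    try:
        return pwd.getpwuid(int(uid)).pw_name
    except (KeyError, ValueError, OverflowError):
        return "unknown"


def parse_ss(output: str) -> List[dict]:
    """Parse `ss -tnp` text into dicts with state, addresses, ports, pid and name."""
    sockets = []
    for line in output.splitlines():
        m = SS_LINE_RE.match(line)
        if not m:
            continue  # header line or something we do not understand
        entry = m.groupdict()
        p = PID_RE.search(entry["proc"])
        entry["pid"] = int(p.group("pid")) if p else None
        entry["name"] = p.group("name") if p else None
        sockets.append(entry)
    return sockets


def attribute(log_fields: Dict[str, str], sockets: List[dict]) -> Optional[dict]:
    """Find the socket whose local port and peer match the dropped packet's SPT/DST/DPT."""
    for s in sockets:
        if (s["lport"] == log_fields.get("SPT")
                and s["rport"] == log_fields.get("DPT")
                and s["raddr"] == log_fields.get("DST")):
            return s
    return None


def live_sockets() -> List[dict]:
    """Snapshot the real socket table (requires root to see other users' PIDs)."""
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    fields = parse_shorewall_log(SAMPLE_LOG)
    hit = attribute(fields, parse_ss(SAMPLE_SS))
    print(f"dropped {fields['PROTO']} {fields['SRC']}:{fields['SPT']} -> "
          f"{fields['DST']}:{fields['DPT']} uid={fields.get('UID')} ({uid_to_name(fields.get('UID', ''))})")
    if hit:
        print(f"owner: pid={hit['pid']} name={hit['name']} state={hit['state']}")
```

In practice you would feed real lines from the kernel log into parse_shorewall_log and pair them with live_sockets() taken promptly, since the SYN-SENT socket disappears once the connect() times out; the same SYN-SENT observation can be made directly with `ss -tnp state syn-sent '( dport = :25 or dport = :110 )'` in a loop. If the UID= field is still absent from the log, the LOG rule was not generated with the uid option, so checking the generated ruleset (`iptables -L -v -n`) for `--log-uid` on the relevant LOG target tells you whether the policy file change actually took effect.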
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users