On 8/3/2014 10:03 AM, merc1...@f-m.fm wrote:
> 
> Lately I've been noticing that something is hammering away trying to get
> out ports 25 and 110.  Since I don't use those and they are closed, I am
> suspicious.  https://pastee.org/k73u8  The destination IP isn't running
> POP or SMTP either.
> 
> Unfortunately, Shorewall doesn't have a mechanism to associate a PID to
> an attempt, maybe because the info just isn't there.  I do find that it
> is possible to turn on UID reporting, so I added (uid) to each INFO in
> the policy file and restarted Shorewall, but I'm still not getting the
> UID.
> #SOURCE DEST    POLICY          LOG             LIMIT:          CONNLIMIT:
> #                               LEVEL           BURST           MASK
> net     $FW     DROP            info(uid)
> net     local   DROP            info(uid)
> $FW     net     DROP            info(uid)
> $FW     local   DROP            info(uid)
> local   net     DROP            info(uid)
> local   $FW     DROP            info(uid)
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #       
> net     all     DROP            info(uid)
> all     all     DROP            info(uid)
> #LAST LINE -- DO NOT REMOVE
> 
> 
> I need to put these 25 and 110 accesses with a PID to try and identify
> this trojan.  I'm trying # netstat -apn|grep -w DPT=25 but that hasn't
> caught anything yet, and it's not a real solution long-term.
> 
> Any suggestions?
> 

Have you tried using netstat or ss?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
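An added example of what the reply points at, not code from this thread or from Shorewall itself. netstat and ss show a socket's peer address and owning process, while the DPT= tokens live in the kernel log lines Shorewall writes, so the two have to be read separately and joined on peer/port. The script below has a parser for each side plus a one-second polling loop: a SYN the firewall drops leaves the client socket in SYN-SENT for the whole retransmit cycle, which is long enough to catch the PID. It assumes the iproute2 `ss -tanp` column order (State, Recv-Q, Send-Q, Local, Peer, users:(...)), and the log line, ss rows, process name "evil" and PIDs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from this thread or from Shorewall: tie a dropped
# outbound SMTP/POP attempt to a PID. All sample input below is constructed.
#
#  - parse_log_line: pull SRC/DST/DPT/UID out of a netfilter LOG line. UID=
#    is what the LOG target's --log-uid (Shorewall's "(uid)" log option)
#    adds, and it is only filled in for locally generated packets.
#  - ss_pids_for_dport: read `ss -tanp` output and print pid/program for
#    sockets whose peer port is on the watch list.

# Usage: parse_log_line "<kernel log line>"  -> prints "src dst dpt uid"
# ("-" for any field that is absent from the line).
parse_log_line() {
    printf '%s\n' "$1" | awk '{
        src = "-"; dst = "-"; dpt = "-"; uid = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "UID") uid = kv[2]
        }
        print src, dst, dpt, uid
    }'
}

# Usage: ss -tanp | ss_pids_for_dport "25 110"  -> "pid program state peer"
# Assumes the column order State Recv-Q Send-Q Local Peer users:(...);
# the header and rows without a users: column are skipped (ss -p only
# shows other users' processes when run as root).
ss_pids_for_dport() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NF < 6 || $1 == "State" { next }
        {
            peer = $5; port = peer; sub(/.*:/, "", port)
            if (!(port in want)) next
            pid = "-"; prog = "-"
            if (match($6, /pid=[0-9]+/)) pid  = substr($6, RSTART + 4, RLENGTH - 4)
            if (match($6, /\("[^"]*"/))  prog = substr($6, RSTART + 2, RLENGTH - 3)
            print pid, prog, $1, peer
        }'
}

# Live use (run as root for the pid column): poll until the culprit shows
# up, then look at its binary and cwd while the socket is still open.
#   watch_outbound "25 110"
watch_outbound() {
    while :; do
        ss -tanp 2>/dev/null | ss_pids_for_dport "$1" | while read -r pid prog state peer; do
            printf '%s pid=%s prog=%s %s -> %s\n' "$(date '+%F %T')" "$pid" "$prog" "$state" "$peer"
            [ -d "/proc/$pid" ] && ls -l "/proc/$pid/exe" "/proc/$pid/cwd" 2>/dev/null
        done
        sleep 1
    done
}

# Constructed samples (not real traffic) exercising both parsers.
SAMPLE_LOG='Aug  3 09:58:12 host kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=45678 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000'
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
SYN-SENT  0      1      192.168.1.10:45678   203.0.113.5:25      users:(("evil",pid=4242,fd=3))
ESTAB     0      0      192.168.1.10:51000   198.51.100.7:443    users:(("firefox",pid=1800,fd=60))
SYN-SENT  0      1      192.168.1.10:45679   203.0.113.5:110     users:(("evil",pid=4242,fd=4))'

parse_log_line "$SAMPLE_LOG"                         # 192.168.1.10 203.0.113.5 25 1000
printf '%s\n' "$SAMPLE_SS" | ss_pids_for_dport "25 110"   # the two "evil" rows only
```

Once a UID comes out of the log side, `ps -u <uid>` narrows the candidate processes; once a PID comes out of the ss side, /proc/<pid>/exe and /proc/<pid>/cwd identify the binary before it exits. Both parsers are plain POSIX awk so they also run on the kernel log and ss output saved from another machine.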


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
