Tons more traffic ppping from root.

This is a discussion on Tons more traffic ppping from root. within the Linux Security forums, part of the System Security and Security Related category.
Old 12-10-2004
Mark A Framness
Default Tons more traffic ppping from root.

Greetings,

I run Slackware 9.1 with dialup internet access.

I typically access my ISP either by utilizing a script run from root, which
has the advantage that all system users have access to the connection, or
by using kppp from KDE.

One thing I started to notice was that everything took longer via the ppp
script fired up from root. I downloaded ethereal and performed a couple of
captures, one with KPPP and one from the root-run script.

Sure enough, the root-run script connection registered a fairly steady
stream of traffic over ppp0 regardless of whether anything apparent was going
on or not (i.e. when my e-mail client was checking for e-mail it was obvious
there would be traffic, but in the quiet times in between e-mail checks the
traffic kept up a steady pace), whereas the KPPP connection's traffic was
very explainable by my activity on the system.

Looking at the conversations, I see numerous conversations happening between
different clients on the same domain talking out of various ports to my port
1898. Each conversation is three packets going each way, for a total of six
packets.

There are other systems that are scanning my port 1898 in a similar fashion.

I have run numerous virus scans of late. I found an HTML exploit on my
system, which I have deleted (it was sitting in my mozilla cache); also found
was the "Linux/OSF-8759 virus" in various files sitting in a directory I
use to process downloads. I deleted all offending files (I do not execute
anything from this directory). My ethereal traces turn up some remote tcp
ports near 3049 but nothing on my system. Numerous virus scans turn up
nothing, and I just ran chkrootkit, which also turns up nothing.

It appears I have something which gets executed along with ppp-go when I
root-run it. Have any of you ever seen any similar activity? I guess
tomorrow I'll repeat the same captures to see if I get the same results; I
guess I will.

Thanks
Mark
Old 12-10-2004
/dev/null
Default Re: Tons more traffic ppping from root.

> It appears I have something which gets executed along with ppp-go when I
> root-run it. Have any of you ever seen any similar activity? I guess
> tomorrow I repeat the same captures to see if I get the same results, I
> guess I will.


# netstat -nlp | grep 1898

get the PID, and do

# ps ax | grep $PID

then you can see what is listening there. The fact that other clients are
connecting to you and not the other way around sounds a little funny to me.
How would they know you are running Cymtec secure management on your box?

The 6 packets sound like a tcp handshake and then tear-down.


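An added example, not from either poster, that carries the netstat-then-ps procedure in the reply through to what a responder would check next: which binary actually holds the port (the /proc/PID/exe link survives even if the file was deleted after start), its working directory, and the parent that launched it, which is the question when something rides along with ppp-go. It assumes a Linux box with a procps-style netstat and /proc; the netstat listing, PIDs and program names in the sample are constructed, and the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: identify the process behind a listening
# port the way the reply suggests (netstat -> PID -> process), then pull the
# details a responder actually wants from /proc. Runs offline against a
# constructed netstat listing; live_listener does the same on a real box.

# Constructed sample of `netstat -nlp` output. PIDs and program names are
# made up; "unknown" stands in for whatever really holds port 1898.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      701/sendmail
tcp        0      0 0.0.0.0:1898            0.0.0.0:*               LISTEN      1433/unknown
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhcpcd'

# listener_for_port PORT   (netstat -nlp listing on stdin)
# Prints the "PID/Program" column of the socket bound to PORT; nothing if none.
listener_for_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")      # local address is column 4, port after last colon
            if (a[n] == port) print $NF
        }'
}

# pid_of ENTRY   turns "1433/unknown" into "1433"
pid_of() {
    printf '%s\n' "$1" | cut -d/ -f1
}

# describe_pid PID   what "ps ax | grep $PID" does not show: the exact binary
# (readlink reports "(deleted)" if it was removed after start), the cwd, and
# the parent process that launched it.
describe_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no process with pid $pid"; return 1; }
    printf 'cmdline: '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    printf 'exe:     '; readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable, run as root)'
    printf 'cwd:     '; readlink "/proc/$pid/cwd" 2>/dev/null || echo '(unreadable, run as root)'
    ps -o pid=,ppid=,user=,lstart=,args= -p "$pid"
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    printf 'parent:  '; ps -o pid=,args= -p "$ppid"
}

# live_listener PORT   run the whole chain on the local machine (needs root
# for netstat to fill in the PID column and for /proc/PID/exe to be readable).
live_listener() {
    entry=$(netstat -nlp 2>/dev/null | listener_for_port "$1")
    if [ -z "$entry" ]; then
        echo "nothing is listening on port $1"
        return 1
    fi
    echo "port $1 is held by $entry"
    describe_pid "$(pid_of "$entry")"
}

# Offline demonstration on the constructed listing.
entry=$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_for_port 1898)
echo "sample: port 1898 is held by '$entry' (pid $(pid_of "$entry"))"
```

On the real machine, `live_listener 1898` as root does the lookup against the live netstat output. If netstat shows no listener on 1898 but the captures still show inbound connections to it, the six-packet conversations in the original post are consistent with connection attempts that get answered (SYN, SYN/ACK, ACK, then a close), so the next place to look is the ppp-go script itself and anything it starts, comparing what is running before and after the connection comes up.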