Strange capture of my eth0 interface: a discussion within the Linux Security forums, part of the System Security and Security Related category.
I am running Mandrake Linux 10.1 on a single desktop computer on ADSL and have GuardDog firewall installed, with a fairly standard selection of ports open. I have an ADSL modem on 192.168.1.1 and my computer becomes 192.168.1.7.

Twice today the ADSL connection has shown traffic at about 30 KB/s (which is usually the best I can get). The traffic is with 18.120.0.102. "Host" with that address produces

    102.0.120.18.in-addr.arpa domain name pointer MOREL.MIT.EDU.

MIT sounds like a non-hacker address. Typing it as a http:// address connects me to an Apache server running under BSD, still with the initial default page.

Ethereal seems to be saying that they are downloading via http on port 80 to my computer, which is sending ACKs, apparently on port 32771. Unfortunately I can't select details from the screen by copy/paste.

Chkrootkit shows a nil result. I haven't yet checked the HD for any new files, but my system is working normally. I disconnected the line on both occasions. I reconnected to do the host check and they were back almost immediately.

Any ideas please? I will connect only as long as absolutely necessary until this is sorted out.

Doug.
--
ICQ Number 178748389. Registered Linux User No. 277548.
Black as the devil, hot as hell, Pure as an angel, sweet as love. -- Talleyrand's recipe for coffee.
Doug Laidlaw wrote:

> I am running Mandrake Linux 10.1 on a single desktop computer on ADSL and have GuardDog firewall installed, with a fairly standard selection of ports open. I have an ADSL modem on 192.168.1.1 and my computer becomes 192.168.1.7.
>
> Twice today the ADSL connection has shown traffic at about 30 KB/s (which is usually the best I can get). The traffic is with 18.120.0.102. "Host" with that address produces
>
>     102.0.120.18.in-addr.arpa domain name pointer MOREL.MIT.EDU.
>
> MIT sounds like a non-hacker address. Typing it as a http:// address connects me to an Apache server running under BSD, still with the initial default page.

Hmm. It's just a ".edu" address, with maybe talented hackers/crackers on the campus :).

Now why not use/activate shorewall? It will also log the events and which target port?
--
Longhorn error#4711: TCPA / NGSCP VIOLATION: Microsoft optical mouse detected penguin patterns on mousepad. Partition scan in progress *to*remove*offending*incompatible*products.**Reactivate*MS*software.
Linux woodpecker.homnet.at 2.6.11-mm1 [LinuxCounter#295241, ICQ#4918962]
I just went to disable guarddog and it said that iptables didn't seem to be installed. Surely a hacker couldn't do that! I installed iptables with the initial choice of packages, and it is a dependency for any firewall. I will uninstall it and reinstall it, just to make sure.

I just tried to run Mandrake's file finder and it hung. Sounds as though I need a reinstall.

I suppose that my fundamental question is: what practical defence can I have against HTTP on port 80, the port assigned to HTTP, without firewalling off the entire Web? I can block this one address.

Doug.

Walter Mautner wrote:

> Doug Laidlaw wrote:
>
>> I am running Mandrake Linux 10.1 on a single desktop computer on ADSL and have GuardDog firewall installed, with a fairly standard selection of ports open. I have an ADSL modem on 192.168.1.1 and my computer becomes 192.168.1.7.
>>
>> Twice today the ADSL connection has shown traffic at about 30 KB/s (which is usually the best I can get). The traffic is with 18.120.0.102. "Host" with that address produces
>>
>>     102.0.120.18.in-addr.arpa domain name pointer MOREL.MIT.EDU.
>>
>> MIT sounds like a non-hacker address. Typing it as a http:// address connects me to an Apache server running under BSD, still with the initial default page.
>
> Hmm. It's just a ".edu" address, with maybe talented hackers/crackers on the campus :).
>
> Now why not use/activate shorewall? It will also log the events and which target port?

--
ICQ Number 178748389. Registered Linux User No. 277548.
Anger is one letter away from danger. - Eleanor Roosevelt.
Doug Laidlaw <laidlaws@myaccess.com.au> writes:

> Ethereal seems to be saying that they are downloading via http on port 80 to my computer, which is sending ACKs, apparently on port 32771.

Are you running a browser that tries to be "smart" about updating cache copy of pages you have recently seen, or does other "smart" preloading tricks?
In article <uib2h2-2a8.ln1@dougshost.mydomain.org.au>, Doug Laidlaw wrote:

>>> Twice today the ADSL connection has shown traffic at about 30 KB/s (which is usually the best I can get). The traffic is with 18.120.0.102. "Host" with that address produces
>>> MIT sounds like a non-hacker address.

Doug, you owe me a keyboard for that. See the jargon file after this is over. mit.edu and hackers indeed!

>>> Typing it as a http:// address connects me to an Apache server running under BSD, still with the initial default page.

Many possibilities - including the dumb one that you could have been reaching a virtual page on the server.

>>> Ethereal seems to be saying that they are downloading via http on port 80 to my computer, which is sending ACKs, apparently on port 32771.

Well, it's too late now, but

    /usr/sbin/fuser -vn tcp 32771
    /usr/sbin/lsof -i :32771

Those commands would identify the process that is using port 32771. In the case of lsof, it gives a process ID - which you would then look up with ps or even pstree.

> I just went to disable guarddog and it said that iptables didn't seem to be installed. Surely a hacker couldn't do that!

Why not? If the system is owned, it's owned, and they can do as they wish. On the other hand - is iptables in your PATH?

> I installed iptables with the initial choice of packages, and it is a dependency for any firewall.

What does rpm tell you? '/bin/rpm -q iptables' If it reports being installed, move (REPEAT: move) one of the files to some other name (example '/bin/mv /usr/sbin/iptables /some/safe/location/') and then copy any other file to the old filename (example '/bin/cp /etc/groups //usr/sbin/iptables') and then see if the package manager sees this (/bin/rpm -V iptables). BEFORE DOING ANYTHING ELSE, move the tested file back - lest you forget to do so.

> I will uninstall it and reinstall it, just to make sure. I just tried to run Mandrake's file finder and it hung. Sounds as though I need a reinstall.

Possibly. Then it sounds as if you may want to review those firewall rules.

> I suppose that my fundamental question is: what practical defence can I have against HTTP on port 80, the port assigned to HTTP, without firewalling off the entire Web? I can block this one address.

You don't need to block external port 80 - you need to see that you don't get owned in the first place.

A bit old, but see

    278012 Jul 23 2002 Security-Quickstart-HOWTO

Old guy
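The fuser and lsof commands named above answer the question "which process on my machine holds port 32771?". When a box may be compromised or, as here, its tools are in doubt, the same answer can be read straight from the kernel. The script below is an added example, not code from the thread or from any poster: it decodes /proc/net/tcp (the same data lsof and fuser read), maps the socket inode to the owning PID via /proc/*/fd, and applies the port-number reasoning given later in the thread (a local port above 1023 talking to a remote port below 1024 was almost certainly opened from this end). The script name, the port 32771, and the sample /proc/net/tcp line are constructed for the example; it needs a Linux /proc, and root to see other users' processes.

```shell
#!/bin/sh
# Added example (not from the thread): find which local process owns a TCP port
# by reading /proc directly, i.e. what 'lsof -i :PORT' and 'fuser -vn tcp PORT'
# do for you. Assumes a Linux /proc; port 32771 and the sample line used to
# test it are constructed.

# /proc/net/tcp writes IPv4 addresses as 8 hex digits in little-endian byte
# order: 0100007F is 127.0.0.1, 0701A8C0 is 192.168.1.7.
hex_to_ip() {
    a=$(printf '%s' "$1" | cut -c7-8)
    b=$(printf '%s' "$1" | cut -c5-6)
    c=$(printf '%s' "$1" | cut -c3-4)
    d=$(printf '%s' "$1" | cut -c1-2)
    printf '%d.%d.%d.%d' "$((0x$a))" "$((0x$b))" "$((0x$c))" "$((0x$d))"
}

# Ports are 4 hex digits in network order: 0050 is 80, 8003 is 32771.
hex_to_port() {
    printf '%d' "$((0x$1))"
}

# Decode one data line of /proc/net/tcp into "local remote state inode".
# Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
decode_line() {
    set -- $1
    printf '%s:%s %s:%s %s %s\n' \
        "$(hex_to_ip "${2%:*}")" "$(hex_to_port "${2#*:}")" \
        "$(hex_to_ip "${3%:*}")" "$(hex_to_port "${3#*:}")" \
        "$4" "${10}"
}

# Port-number reasoning: a local port above 1023 talking to a remote port
# below 1024 was almost certainly initiated on this machine, and vice versa.
likely_initiator() {
    if [ "$1" -gt 1023 ] && [ "$2" -lt 1024 ]; then echo local
    elif [ "$1" -lt 1024 ] && [ "$2" -gt 1023 ]; then echo remote
    else echo unknown
    fi
}

# Map a socket inode to the PID(s) holding it open (lsof's PID column).
# Other users' fds are unreadable without root and are skipped silently.
inode_to_pids() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            pid=${fd#/proc/}
            echo "${pid%%/*}"
        fi
    done | sort -un | tr '\n' ' '
}

# Report every TCP socket whose local port is $1: endpoints, state (01 is
# ESTABLISHED, 0A is LISTEN), inode, likely initiator and owning PIDs.
port_owner() {
    tail -n +2 /proc/net/tcp | while read -r line; do
        dec=$(decode_line "$line")
        lport=${dec%% *}; lport=${lport##*:}
        [ "$lport" = "$1" ] || continue
        rport=$(printf '%s' "$dec" | cut -d' ' -f2); rport=${rport##*:}
        inode=${dec##* }
        echo "$dec initiator=$(likely_initiator "$lport" "$rport") pids=$(inode_to_pids "$inode")"
    done
}

# Usage: sh port_owner.sh 32771   (then 'ps -p PID' or 'pstree -p' on the PIDs)
if [ $# -gt 0 ]; then
    port_owner "$1"
fi
```

Run it while the traffic is actually flowing, as Moe Trin says; a connection that has closed leaves nothing in /proc/net/tcp to find. For the capture in this thread a decoded line would read `192.168.1.7:32771 18.120.0.102:80 01 <inode>` with `initiator=local`, which is the point made later in the thread: look for what on your own machine opened that socket before assuming the remote side started it.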
Neil W Rickert wrote:

> Doug Laidlaw <laidlaws@myaccess.com.au> writes:
>
>> Ethereal seems to be saying that they are downloading via http on port 80 to my computer, which is sending ACKs, apparently on port 32771.
>
> Are you running a browser that tries to be "smart" about updating cache copy of pages you have recently seen, or does other "smart" preloading tricks?

No, I am running standard Mozilla as my default browser, and only to browse the Web. It wasn't running during the traffic. I have saved the capture, but it doesn't mean anything to me. Sometimes it is there as soon as I boot. Last night (early evening my time at GMT+11) it suddenly stopped. Walter's suggestion of some students would fit this, if they packed up for the day. It was there again this morning between 2200 and 2300 GMT but isn't there at the moment (0400 GMT.)

I noticed that port 32771 isn't listed in /etc/services, if that means anything.

Doug L.
--
ICQ Number 178748389. Registered Linux User No. 277548.
Maturity begins to grow when you can sense your concern for others outweighing your concern for yourself. - John Macnaughton.
Moe Trin wrote:

> In article <uib2h2-2a8.ln1@dougshost.mydomain.org.au>, Doug Laidlaw wrote:
>
>>>> Twice today the ADSL connection has shown traffic at about 30 KB/s (which is usually the best I can get). The traffic is with 18.120.0.102. "Host" with that address produces
>
>>>> MIT sounds like a non-hacker address.
>
> Doug, you owe me a keyboard for that. See the jargon file after this is over. mit.edu and hackers indeed!
>
>>>> Typing it as a http:// address connects me to an Apache server running under BSD, still with the initial default page.
>
> Many possibilities - including the dumb one that you could have been reaching a virtual page on the server.
>
>>>> Ethereal seems to be saying that they are downloading via http on port 80 to my computer, which is sending ACKs, apparently on port 32771.
>
> Well, it's too late now, but
>
>     /usr/sbin/fuser -vn tcp 32771
>     /usr/sbin/lsof -i :32771
>
> Those commands would identify the process that is using port 32771. In the case of lsof, it gives a process ID - which you would then look up with ps or even pstree.
>
>> I just went to disable guarddog and it said that iptables didn't seem to be installed. Surely a hacker couldn't do that!
>
> Why not? If the system is owned, it's owned, and they can do as they wish. On the other hand - is iptables in your PATH?
>
>> I installed iptables with the initial choice of packages, and it is a dependency for any firewall.
>
> What does rpm tell you? '/bin/rpm -q iptables' If it reports being installed, move (REPEAT: move) one of the files to some other name (example '/bin/mv /usr/sbin/iptables /some/safe/location/') and then copy any other file to the old filename (example '/bin/cp /etc/groups //usr/sbin/iptables') and then see if the package manager sees this (/bin/rpm -V iptables). BEFORE DOING ANYTHING ELSE, move the tested file back - lest you forget to do so.
>
>> I will uninstall it and reinstall it, just to make sure. I just tried to run Mandrake's file finder and it hung. Sounds as though I need a reinstall.
>
> Possibly. Then it sounds as if you may want to review those firewall rules.
>
>> I suppose that my fundamental question is: what practical defence can I have against HTTP on port 80, the port assigned to HTTP, without firewalling off the entire Web? I can block this one address.
>
> You don't need to block external port 80 - you need to see that you don't get owned in the first place.
>
> A bit old, but see
>
>     278012 Jul 23 2002 Security-Quickstart-HOWTO
>
> Old guy

Thanks. I have reinstalled Iptables before I read the first part of your reply. I have installed Shorewall with the standard one-interface rules, while I read up the docs.

lsat points out that I don't have ALL:ALL in my hosts.deny. It seems to be a fundamental thing to do, but it isn't put there by default.

I will try the tests on that port number next time they catch me (with updated numbers, if need be.)

The file finder is working OK now. I must have something using up resources, and the GUI loses its detail.

I am on a DHCP connection to my ISP, but the address seems to be the same pretty well every time I boot and connect.

Doug L.
--
ICQ Number 178748389. Registered Linux User No. 277548.
In [any kind of] relationship two people are never at a standstill. They are either moving closer or further apart. --Schwartz and Olds: Marriage in Motion.
Why don't you just add the IP to your iptables DENY list.

Port 32771 is just an arbitrary high port number that your system has selected for the continued conversation.

Doug Laidlaw wrote:

> Neil W Rickert wrote:
>
>> Doug Laidlaw <laidlaws@myaccess.com.au> writes:
>>
>>> Ethereal seems to be saying that they are downloading via http on port 80 to my computer, which is sending ACKs, apparently on port 32771.
>>
>> Are you running a browser that tries to be "smart" about updating cache copy of pages you have recently seen, or does other "smart" preloading tricks?
>
> No, I am running standard Mozilla as my default browser, and only to browse the Web. It wasn't running during the traffic. I have saved the capture, but it doesn't mean anything to me. Sometimes it is there as soon as I boot. Last night (early evening my time at GMT+11) it suddenly stopped. Walter's suggestion of some students would fit this, if they packed up for the day. It was there again this morning between 2200 and 2300 GMT but isn't there at the moment (0400 GMT.)
>
> I noticed that port 32771 isn't listed in /etc/services, if that means anything.
>
> Doug L.
In article <aci4h2-2g7.ln1@dougshost.mydomain.org.au>, Doug Laidlaw wrote:

> I have reinstalled Iptables before I read the first part of your reply. I have installed Shorewall with the standard one-interface rules, while I read up the docs.

If you have tested the package manager for sanity (by moving a file and thus not screwing up the time stamps, substituting some other file, and then seeing that the package manager does indeed detect the switch - don't forget to put the moved file back where it belongs immediately after doing the test), you can use rpm to check the files and packages that it knows how to check. The syntax as root is 'rpm -Va > files.to.check' and it may take a few minutes to run. Don't be surprised to find some files listed in 'files.to.check' - generally ownership and permission changes. Also be aware that rpm can't test everything. Package managers can only test those packages that they have installed, and as yet, I haven't heard about a r00tkit-3.1.i386.rpm or the equivalent Debian package, so they won't be detected/tested.

    [compton ~]$ rpm -Vf /etc/passwd
    S.5....T c /etc/hosts.allow
    S.5....T c /etc/hosts.deny
    S.5....T c /etc/printcap
    S.5....T c /etc/profile
    ..?..... c /etc/securetty
    S.5....T c /etc/services
    [compton ~]$

Here, I wasn't root (so /etc/securetty could not be tested), but I told rpm to test the package that /etc/passwd belongs to. Notice that it did not say anything about /etc/passwd (or /etc/group), but you _know_ those files can't be in "out-of-box" condition - or does Mandrake include my account name on your distribution too?

> lsat points out that I don't have ALL:ALL in my hosts.deny. It seems to be a fundamental thing to do, but it isn't put there by default.

Please scan the man page for 'hosts_access(5)' (man 5 hosts_access). The hosts.allow and hosts.deny files are only consulted by those applications that are using tcp_wrappers or have been compiled with libwrap support. Not very many packages do. Yes, /etc/hosts.deny should exist (note that it's part of a specific package as noted above), and it should only have that single line (other than comments) that says "ALL: ALL", but it's not the panacea.

> I will try the tests on that port number next time they catch me (with updated numbers, if need be.)

Port numbers are like telephones. Port numbers from zero to 1023 are basically used for incoming services. These are the "well known ports" that you'll find listed in http://www.iana.org/assignments/port-numbers (a simplified copy of which is included with 'nmap' if you have that installed). Because *nix restricts access to ports below 1024 (only root can bind processes to them), you will almost never see an _outgoing_ connection _from_ these ports. Ports above 1023 are userland ports - meaning that anyone can use them. While the IANA or nmap port list includes a large number of ports above 1023:

    [compton ~]$ zcat rfcs/port-numbers.gz | sed -n '/1024\/tcp/,/49151/p' | grep -Ev '(Reserved|Unassigned)' | grep -c tcp
    3666
    [compton ~]$

not many services are run from these ports. The purpose of "well known ports" is so that you can _find_ them - if your news tool didn't know to connect to port 119 on the news server, how do you think it would find it? If or when you see a portnumber above 1024 that is not commonly known, then it's odds on to be a user trying to connect to something out there. Thus, your connection from (your) 32771 to someone else's 80 is _highly_ unlikely to be initiated from the other system. It's not impossible, but I'd certainly be looking to see what initiated the connection on your end long before I'd think that the remote box started things.

> The file finder is working OK now. I must have something using up resources, and the GUI loses its detail.

GUIs are able to do what the author considered. If some condition or task is not what the author planned for, the GUI may be unable to help. As for what is using the resources, 'top', 'ps auxw | sort -n +2' (for CPU use, +3 for memory use) and 'pstree' will show what's going on.

> I am on a DHCP connection to my ISP, but the address seems to be the same pretty well every time I boot and connect.

That's not uncommon. In your copious free time (wait, you're retired, aren't you), another document is

    212647 Jul 22 2002 DSL-HOWTO

though it covers some of the same ground as the Security-Quickstart-HOWTO. As a home user, I would not expect you to be running any services (other than 113/tcp - the ident or auth server that might be required by your ISP or mail server), so even the fundamental 'netstat -tupan' shouldn't show much if anything open to the world. Your firewall should be rejecting (or denying) all "new" connections (except perhaps to 113/tcp if needed) to everything except your loopback.

Old guy
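The 'rpm -Va > files.to.check' run described above produces a list that mixes harmless drift (config files you edited, as in the rpm -Vf output shown) with changes that matter. The script below is an added example, not code from the thread or from any poster: it reads such a report and separates expected config-file changes from size or checksum changes on non-config files, metadata-only changes, files that could not be checked, and missing files. The script name, the sample report, and the file paths in it are constructed for the example; /usr/sbin/iptables appears in the sample only because the thread is about that binary going missing.

```shell
#!/bin/sh
# Added example (not from the thread): triage an 'rpm -Va' report, i.e. the
# files.to.check list. Config files (attribute 'c') are expected to differ
# from the package; a changed size or checksum on a non-config file, or a
# missing file, is where to look first. The report below is constructed.
SAMPLE_RPM_V='S.5....T c /etc/hosts.deny
S.5....T c /etc/services
..?..... c /etc/securetty
S.5....T   /usr/sbin/iptables
.M......   /bin/ps
.......T   /usr/share/doc/README
missing    /usr/bin/lsof'

# Read rpm -V lines on stdin and print one verdict per file.
# Flag columns (rpm 4): S size, M mode, 5 MD5, D device, L link, U user,
# G group, T mtime; '.' means unchanged, '?' means the test could not be
# run (typically because rpm was not run as root). An optional attribute
# letter follows: c config, d documentation.
triage_rpm_verify() {
    awk '
    NF == 0 { next }
    {
        flags = $1
        attr  = (NF >= 3) ? $2 : ""
        path  = $NF
        if (flags == "missing")              verdict = "SUSPECT missing"
        else if (attr == "c" || attr == "d") verdict = "EXPECTED"
        else if (index(flags, "?") > 0)      verdict = "UNCHECKED rerun-as-root"
        else if (flags ~ /[S5]/)             verdict = "SUSPECT content"
        else if (flags ~ /[MUGL]/)           verdict = "SUSPECT metadata"
        else                                 verdict = "EXPECTED"
        print verdict, path
    }'
}

# Number of SUSPECT entries in a report read from stdin, for a one-line summary.
count_suspects() {
    triage_rpm_verify | awk '/^SUSPECT/ { n++ } END { print n + 0 }'
}

# Usage: rpm -Va > files.to.check; sh triage_rpm_v.sh files.to.check
# With no argument the constructed sample report is used.
if [ $# -gt 0 ]; then
    triage_rpm_verify < "$1"
else
    printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
fi
```

On the sample the three SUSPECT lines are /usr/sbin/iptables (size and checksum changed on a binary), /bin/ps (mode changed) and /usr/bin/lsof (missing), while the edited config files and the mtime-only documentation change are EXPECTED. The limits Moe Trin states still hold: rpm only compares files it installed, so files an intruder added are invisible to it, and the report is only as trustworthy as the rpm binary and database, which is what the move-a-file test before this was for.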
Thanks. They haven't been back since about the time I installed Shorewall, but I doubt if there is any connection. They seem to have generally messed things up, so I did a fresh install.

There is a chkrootkit ver 0.43 RPM available for Mandrake in the "contrib" repository, and I think that the most recent release from the site is 0.45.

Doug.

Moe Trin wrote:

> In article <aci4h2-2g7.ln1@dougshost.mydomain.org.au>, Doug Laidlaw wrote:
>
>> I have reinstalled Iptables before I read the first part of your reply. I have installed Shorewall with the standard one-interface rules, while I read up the docs.
>
> If you have tested the package manager for sanity (by moving a file and thus not screwing up the time stamps, substituting some other file, and then seeing that the package manager does indeed detect the switch - don't forget to put the moved file back where it belongs immediately after doing the test), you can use rpm to check the files and packages that it knows how to check. The syntax as root is 'rpm -Va > files.to.check' and it may take a few minutes to run. Don't be surprised to find some files listed in 'files.to.check' - generally ownership and permission changes. Also be aware that rpm can't test everything. Package managers can only test those packages that they have installed, and as yet, I haven't heard about a r00tkit-3.1.i386.rpm or the equivalent Debian package, so they won't be detected/tested.
>
>     [compton ~]$ rpm -Vf /etc/passwd
>     S.5....T c /etc/hosts.allow
>     S.5....T c /etc/hosts.deny
>     S.5....T c /etc/printcap
>     S.5....T c /etc/profile
>     ..?..... c /etc/securetty
>     S.5....T c /etc/services
>     [compton ~]$
>
> Here, I wasn't root (so /etc/securetty could not be tested), but I told rpm to test the package that /etc/passwd belongs to. Notice that it did not say anything about /etc/passwd (or /etc/group), but you _know_ those files can't be in "out-of-box" condition - or does Mandrake include my account name on your distribution too?
>
>> lsat points out that I don't have ALL:ALL in my hosts.deny. It seems to be a fundamental thing to do, but it isn't put there by default.
>
> Please scan the man page for 'hosts_access(5)' (man 5 hosts_access). The hosts.allow and hosts.deny files are only consulted by those applications that are using tcp_wrappers or have been compiled with libwrap support. Not very many packages do. Yes, /etc/hosts.deny should exist (note that it's part of a specific package as noted above), and it should only have that single line (other than comments) that says "ALL: ALL", but it's not the panacea.
>
>> I will try the tests on that port number next time they catch me (with updated numbers, if need be.)
>
> Port numbers are like telephones. Port numbers from zero to 1023 are basically used for incoming services. These are the "well known ports" that you'll find listed in http://www.iana.org/assignments/port-numbers (a simplified copy of which is included with 'nmap' if you have that installed). Because *nix restricts access to ports below 1024 (only root can bind processes to them), you will almost never see an _outgoing_ connection _from_ these ports. Ports above 1023 are userland ports - meaning that anyone can use them. While the IANA or nmap port list includes a large number of ports above 1023:
>
>     [compton ~]$ zcat rfcs/port-numbers.gz | sed -n '/1024\/tcp/,/49151/p' | grep -Ev '(Reserved|Unassigned)' | grep -c tcp
>     3666
>     [compton ~]$
>
> not many services are run from these ports. The purpose of "well known ports" is so that you can _find_ them - if your news tool didn't know to connect to port 119 on the news server, how do you think it would find it? If or when you see a portnumber above 1024 that is not commonly known, then it's odds on to be a user trying to connect to something out there. Thus, your connection from (your) 32771 to someone else's 80 is _highly_ unlikely to be initiated from the other system. It's not impossible, but I'd certainly be looking to see what initiated the connection on your end long before I'd think that the remote box started things.
>
>> The file finder is working OK now. I must have something using up resources, and the GUI loses its detail.
>
> GUIs are able to do what the author considered. If some condition or task is not what the author planned for, the GUI may be unable to help. As for what is using the resources, 'top', 'ps auxw | sort -n +2' (for CPU use, +3 for memory use) and 'pstree' will show what's going on.
>
>> I am on a DHCP connection to my ISP, but the address seems to be the same pretty well every time I boot and connect.
>
> That's not uncommon. In your copious free time (wait, you're retired, aren't you), another document is
>
>     212647 Jul 22 2002 DSL-HOWTO
>
> though it covers some of the same ground as the Security-Quickstart-HOWTO. As a home user, I would not expect you to be running any services (other than 113/tcp - the ident or auth server that might be required by your ISP or mail server), so even the fundamental 'netstat -tupan' shouldn't show much if anything open to the world. Your firewall should be rejecting (or denying) all "new" connections (except perhaps to 113/tcp if needed) to everything except your loopback.
>
> Old guy

--
ICQ Number 178748389. Registered Linux User No. 277548.
As you grow older, you'll discover that you have two hands: one for helping yourself, the second for helping others. - Author Unknown (Attributed to Audrey Hepburn).