
Thread: iptables dropping a lot of outgoing connections

  1. #1
    Join Date
    Jul 2007
    Location
    127.0.0.1
    Posts
    392

    iptables dropping a lot of outgoing connections

    Can someone tell me how to identify what's making these outgoing connection attempts? I'm pretty freaked out as to why my server is trying to communicate with all these random hosts on random ports.

    Columns: what iptables did, protocol, destination port, destination address.

    In other words, all these TCP connection attempts are originating from my server, but fortunately, iptables is blocking most of them I believe. I'd just like to know how I can identify the source of the traffic, which I'm assuming is a php script (most likely), or I'm just r00ted, lol.

    Code:
    DROP 	TCP	10080 (amanda)	icerocket.com
    DROP 	TCP	10080 (amanda)	icerocket.com
    DROP 	TCP	10080 (amanda)	icerocket.com
    DROP 	TCP	10080 (amanda)	icerocket.com
    DROP 	TCP	35564 	61.247.217.38
    DROP 	TCP	35564 	61.247.217.38
    DROP 	TCP	8510 	142.166.3.122
    DROP 	TCP	52549 	209.60.41.122
    DROP 	TCP	52549 	209.60.41.122
    DROP 	TCP	52549 	209.60.41.122
    DROP 	TCP	10471 	142.166.3.122
    DROP 	TCP	10471 	142.166.3.122
    DROP 	TCP	50194 	fau42-1-82-232-178-26.fbx.proxad.net
    DROP 	TCP	1201 (nucleus-sand)	75-147-52-26-NewEngland.hfc.comcastbusiness.net
    DROP 	TCP	1201 (nucleus-sand)	75-147-52-26-NewEngland.hfc.comcastbusiness.net
    DROP 	TCP	50147 	fau42-1-82-232-178-26.fbx.proxad.net
    DROP 	TCP	1201 (nucleus-sand)	75-147-52-26-NewEngland.hfc.comcastbusiness.net
    DROP 	TCP	1201 (nucleus-sand)	75-147-52-26-NewEngland.hfc.comcastbusiness.net
    DROP 	TCP	50147 	fau42-1-82-232-178-26.fbx.proxad.net
    DROP 	TCP	1201 (nucleus-sand)	75-147-52-26-NewEngland.hfc.comcastbusiness.net
    DROP 	TCP	1201 (nucleus-sand)	75-147-52-26-NewEngland.hfc.comcastbusiness.net
    DROP 	TCP	50147 	fau42-1-82-232-178-26.fbx.proxad.net
    DROP 	TCP	18965 	142.166.170.104
    DROP 	TCP	18965 	142.166.170.104
    DROP 	TCP	1133 	75-147-52-26-NewEngland.hfc.comcastbusiness.net
    DROP 	TCP	1133 	75-147-52-26-NewEngland.hfc.comcastbusiness.net
    DROP 	TCP	12380 	ABTS-TN-dynamic-205.36.164.122.airtelbroadband.in
    DROP 	TCP	40520 	97-80-242-112.dhcp.sffl.va.charter.com
    DROP 	TCP	40520 	97-80-242-112.dhcp.sffl.va.charter.com
    DROP 	TCP	3629 	82.124.in-addr.arpa.tm.net.my
    DROP 	TCP	50697 	pool-71-251-242-87.char.east.verizon.net
    DROP 	TCP	50697 	pool-71-251-242-87.char.east.verizon.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	46689 	lj513210.crawl.yahoo.net
    DROP 	TCP	10523 	142.166.170.104
    DROP 	TCP	10523 	142.166.170.104
    DROP 	TCP	61788 	c-66-176-162-247.hsd1.fl.comcast.net
    DROP 	TCP	61788 	c-66-176-162-247.hsd1.fl.comcast.net
    DROP 	TCP	61788 	c-66-176-162-247.hsd1.fl.comcast.net
    DROP 	TCP	60258 	121.91.112.249
    DROP 	TCP	60258 	121.91.112.249
    DROP 	TCP	60258 	121.91.112.249
    DROP 	TCP	60258 	121.91.112.249
    DROP 	TCP	44809 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44809 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44787 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44809 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44787 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44809 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44787 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44787 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44809 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44809 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44787 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	44787 	75-169-166-50.slkc.qwest.net
    DROP 	TCP	60662 	61.247.217.44
    DROP 	TCP	60662 	61.247.217.44
    DROP 	TCP	1069 (cognex-insight)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1067 (instl_boots)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1069 (cognex-insight)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1067 (instl_boots)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1069 (cognex-insight)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1067 (instl_boots)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1067 (instl_boots)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1069 (cognex-insight)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1069 (cognex-insight)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1067 (instl_boots)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1067 (instl_boots)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	1069 (cognex-insight)	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4549 	static-74-41-93-26.sdsl01.roch.ny.frontiernet.net
    DROP 	TCP	4549 	static-74-41-93-26.sdsl01.roch.ny.frontiernet.net
    DROP 	TCP	4549 	static-74-41-93-26.sdsl01.roch.ny.frontiernet.net
    DROP 	TCP	4549 	static-74-41-93-26.sdsl01.roch.ny.frontiernet.net
    DROP 	TCP	4977 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4976 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4977 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4976 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4977 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4976 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4977 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4976 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4977 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4976 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4977 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4976 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4935 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4933 	95-90.60-67-cpe.cableone.net
    DROP 	TCP	4935 	95-90.60-67-cpe.cableone.net

  2. #2
    Join Date
    Feb 2006
    Posts
    773


    I'd give lsof a shot.

  3. #3
    Join Date
    Jul 2007
    Location
    127.0.0.1
    Posts
    392


    Quote Originally Posted by vpslinkdotcom:
    I'd give lsof a shot.
    OK, I read up on lsof, but I can only get it to output php5-cgi, not a specific file. There are hundreds of php files, some of which are probably encrypted with zen or base64 or something, so searching within those files for the destination wouldn't work.

    Any further suggestions?

  4. #4
    Join Date
    Jul 2007
    Location
    127.0.0.1
    Posts
    392


    No one on IRC has any suggestions either. Have I found something Linux CAN'T do? I hate using that word...

  5. #5
    Join Date
    Apr 2008
    Posts
    5


    Try using tcpdump to ascertain what the traffic is attempting.

  6. #6
    Join Date
    Jul 2008
    Location
    The Internet
    Posts
    6


    Hello Guy,

    Maybe try searching for those IP addresses in files like /var/log/messages. Also look for any successful logins there. For example, by default (fresh install by vpslink) apparently some logins may not be disabled and have guessable passwords.

    You can also lower the number of failed login attempts before IP addresses are blocked, using lxadmin (if you have it).

    Another big problem with PHP is writable directories/files in your http tree (sometimes used for uploads). Some scripts detect these and write their own php code into them to give themselves access. Search for writable files and directories, e.g. using the command

    Code:
    find / -noleaf -perm /o+w \( -type f -o -type d \) -print0 | xargs -0 ls -ld > world-writeable-files.list
    <off-topic>Wow, I just did that and there are 4583 world writable files by lxadmin! Is that a security risk, should I change that?</off-topic>

    You can check connections with netstat (also try netstat -a / -n), but maybe you have done that already.

    It may also be useful to write more info on these connections to your log file so that you can analyse better.

    Hope this helps, nts.
    Last edited by nts; 07-09-2008 at 05:14 PM. Reason: fixed typos
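    Tying the dropped connections back to a system user, as an added example for the question in post #1 and the "log more info" suggestion above (not code from any poster in this thread). It shows the iptables LOG rule that records the owning UID of each new outbound TCP connection before the existing DROP, plus an awk aggregation of the resulting kernel log lines by UID/destination/port. Assumed: iptables with the LOG target's --log-uid option, kernel messages landing in /var/log/messages, eth0 as the outbound interface, and a constructed sample log rather than the thread's data.

```bash
#!/bin/bash
# Added example for this thread, not code from any poster. Part (a) prints the iptables
# LOG rule that records the owning UID of every new outbound TCP connection before the
# existing DROP; part (b) aggregates the resulting kernel log lines by UID/DST/DPT so the
# attempts can be tied to a system user (e.g. the web server user running php5-cgi).
# Assumptions: iptables LOG target with --log-uid, kernel messages in /var/log/messages,
# eth0 as the outbound interface; the "OUTBOUND-NEW:" prefix is an arbitrary choice.

log_rule_command() {
  # Inserted at position 1 of OUTPUT so it runs before any DROP rule; --syn + state NEW
  # logs one line per connection attempt, and the limit keeps the log from flooding.
  echo 'iptables -I OUTPUT 1 -o eth0 -p tcp --syn -m state --state NEW' \
       '-m limit --limit 30/min -j LOG --log-prefix "OUTBOUND-NEW: " --log-uid'
}

# Constructed sample of LOG lines in the kernel's iptables format (not the thread's data).
SAMPLE_LOG='Jul  9 17:14:01 vps kernel: OUTBOUND-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Jul  9 17:14:02 vps kernel: OUTBOUND-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Jul  9 17:14:05 vps kernel: OUTBOUND-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=43212 DPT=10080 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Jul  9 17:14:09 vps kernel: OUTBOUND-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=43213 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Jul  9 17:14:20 vps kernel: OUTBOUND-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=43214 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0 GID=0'

# Aggregate LOG text on stdin into "UID DST DPT COUNT", busiest destination first.
summarize_by_owner() {
  awk '/PROTO=TCP/ && / SYN / {
         uid = "?"; dst = "?"; dpt = "?"
         for (i = 1; i <= NF; i++) {
           n = split($i, kv, "=")
           if (n == 2 && kv[1] == "UID") uid = kv[2]
           else if (n == 2 && kv[1] == "DST") dst = kv[2]
           else if (n == 2 && kv[1] == "DPT") dpt = kv[2]
         }
         count[uid " " dst " " dpt]++
       }
       END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1n -k2,2
}

# Resolve a UID from the summary to a login name (falls back to the number).
uid_to_name() { getent passwd "$1" 2>/dev/null | cut -d: -f1 | grep . || echo "$1"; }

printf '%s\n' "$SAMPLE_LOG" | summarize_by_owner
# With real data: grep 'OUTBOUND-NEW:' /var/log/messages | summarize_by_owner
# Then `lsof -nP -u "$(uid_to_name 33)" -i TCP` (or `ss -tnp`) lists that user's live
# sockets with their PIDs, which is where the php5-cgi processes will show up.
```

Once the summary points at one UID, `lsof -p <pid>` on a php5-cgi process listed by the lsof call above shows its working directory and open files, which narrows the search to a script directory rather than the whole http tree.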

  7. #7
    Join Date
    Jul 2007
    Location
    127.0.0.1
    Posts
    392


    wh00ps... nevermind, haha.
    Last edited by GuyPatterson; 12-02-2009 at 12:47 AM.
