finding the culprit ..

Hi all,

I am a bit stumped as to how I can find a process on a linux server
that is making connections to another server every 5-10 seconds on port
110 ?

I have a linux server that is acting as a gateway server and it is
making connection on port 110 to another server - but there are no
email clients configured or any processes in "ps axuuwf" that point to
anything that could connect to port 110 ?

What I am asking is WHERE do I start looking ?
How do I find this process that could be making connections to port 110
?

As I said - it is a gateway server- BUT all the other machines have
been turned off to try and track where the netowrk traffic is comming
from ...

please can anyone shed some light ?

Thanks
Tonino

Tonino Greco wrote:

>Hi all,
>
>I am a bit stumped as to how I can find a process on a linux server
>that is making connections to another server every 5-10 seconds on port
>110 ?
>
>I have a linux server that is acting as a gateway server and it is
>making connection on port 110 to another server - but there are no
>email clients configured or any processes in "ps axuuwf" that point to
>anything that could connect to port 110 ?
>
>What I am asking is WHERE do I start looking ?
>How do I find this process that could be making connections to port 110
>?
>
>As I said - it is a gateway server- BUT all the other machines have
>been turned off to try and track where the netowrk traffic is comming
>from ...
>
>please can anyone shed some light ?
>
>Thanks
>Tonino
>
>
>

You can check the connections initiated by the server itself with
"netstat -tup". If you suspect that there might still be a client
machine behind the gateway, you have several options, like iptraf or
netstat-nat, maybe ethereal.

Hope this helps
Mihai

Mihai Osian wrote:

> Tonino Greco wrote:
>
>> Hi all,
>>
>> I am a bit stumped as to how I can find a process on a linux server
>> that is making connections to another server every 5-10 seconds on port
>> 110 ?
>>
>> I have a linux server that is acting as a gateway server and it is
>> making connection on port 110 to another server - but there are no
>> email clients configured or any processes in "ps axuuwf" that point to
>> anything that could connect to port 110 ?
>>
>> What I am asking is WHERE do I start looking ?
>> How do I find this process that could be making connections to port 110
>> ?
>>
>> As I said - it is a gateway server- BUT all the other machines have
>> been turned off to try and track where the netowrk traffic is comming
>> from ...
>>
>> please can anyone shed some light ?
>>
>> Thanks
>> Tonino
>>
>>
>>
>
> You can check the connections initiated by the server itself with
> "netstat -tup". If you suspect that there might still be a client
> machine behind the gateway, you have several options, like iptraf or
> netstat-nat, maybe ethereal.
>
> Hope this helps
> Mihai


...and by the way: port 110 is POP3 mail. The offending process is
probably a mail checker.

Mihai

yeah - I know it is a pop3 connection and it turns out it was the
friggin imap server that was causing the issues ...

thanks for the netstat command - it helped

T