Fernando Peral wrote:
>
> I've a mail server behind a NAT router (fixed IP) in a network with many
> computers. Recently sent mail returned to me because my IP is in a
> blacklist. I'm searching for something strange. I've run chkrootkit
> and rkhunter and I am running ethereal looking at SMTP traffic; by now the
> only strange thing I see is the one I put down. The first packet is a
> connection from port 25 of my server to port 80 of a remote host (it seems
> hotmail), the others are connections from port 80 on the remote host to
> port 25 of my server... it seems the same packet sent 6 times.
> I've no idea what it may be. Any help?
>
> TIA
>
>
> No.  Time       Source         Destination    Protocol  Info
> 1    0.000000   66.90.71.151   192.168.2.2    TCP       http > smtp [SYN] Seq=0 Ack=0 Win=512 Len=0
>
> Frame 1 (54 bytes on wire, 54 bytes captured)
> Ethernet II, Src: XnetTech_0a:f1:71 (00:05:1c:0a:f1:71), Dst: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7)
> Internet Protocol, Src: 66.90.71.151 (66.90.71.151), Dst: 192.168.2.2 (192.168.2.2)
> Transmission Control Protocol, Src Port: http (80), Dst Port: smtp (25), Seq: 0, Ack: 0, Len: 0
>
> No.  Time       Source         Destination    Protocol  Info
> 2    0.000134   192.168.2.2    66.90.71.151   TCP       smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
>
> Frame 2 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst: XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
> Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151 (66.90.71.151)
> Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80), Seq: 0, Ack: 1, Len: 0
>
> No.  Time       Source         Destination    Protocol  Info
> 3    3.199040   192.168.2.2    66.90.71.151   TCP       smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
>
> Frame 3 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst: XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
> Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151 (66.90.71.151)
> Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80), Seq: 0, Ack: 1, Len: 0
>
> No.  Time       Source         Destination    Protocol  Info
> 4    9.198076   192.168.2.2    66.90.71.151   TCP       smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
>
> Frame 4 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst: XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
> Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151 (66.90.71.151)
> Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80), Seq: 0, Ack: 1, Len: 0
>
> No.  Time       Source         Destination    Protocol  Info
> 5    21.196145  192.168.2.2    66.90.71.151   TCP       smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
>
> Frame 5 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst: XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
> Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151 (66.90.71.151)
> Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80), Seq: 0, Ack: 1, Len: 0
>
> No.  Time       Source         Destination    Protocol  Info
> 6    45.392243  192.168.2.2    66.90.71.151   TCP       smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
>
> Frame 6 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst: XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
> Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151 (66.90.71.151)
> Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80), Seq: 0, Ack: 1, Len: 0
>
> No.  Time       Source         Destination    Protocol  Info
> 7    93.584482  192.168.2.2    66.90.71.151   TCP       smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
>
> Frame 7 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst: XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
> Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151 (66.90.71.151)
> Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80), Seq: 0, Ack: 1, Len: 0
You're wrong.
The first request is sent by port 80 SYN (webmail I guess) to your smtp
server. All other packets are replies for that particular connection
(SYN, ACK) from smtp to port 80.
Since you are running a mail server, I do not see any suspicious
activity here.
Eric
--
replace NOSPAM.com by w e b . d e
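Added example, not code from either poster: a small script that reads Ethereal/Wireshark summary lines like the ones quoted above and works out who initiated each TCP connection from the flags rather than from the port numbers. The sample lines are reconstructed from the seven frames in the post (the mail client had wrapped "http > smtp" onto a second line). The bare SYN identifies the initiator (66.90.71.151:80), the SYN/ACKs come from the listener (192.168.2.2:25), and the repeated SYN/ACKs with roughly doubling gaps are the server retransmitting because the third handshake ACK never arrived.

```python
"""Infer TCP connection direction and SYN/ACK retransmissions from Ethereal
summary lines. Example code, not from the thread; the sample capture below is
reconstructed from the frames quoted in the post."""
import re

# Constructed sample: the seven summary lines from the quoted capture, one per line.
SAMPLE_SUMMARY = """\
1 0.000000 66.90.71.151 192.168.2.2 TCP http > smtp [SYN] Seq=0 Ack=0 Win=512 Len=0
2 0.000134 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 3.199040 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
4 9.198076 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
5 21.196145 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
6 45.392243 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
7 93.584482 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
"""

# "No. Time Source Destination Protocol SrcPort > DstPort [FLAGS] ..."
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]"
)


def parse_summary(text):
    """Return one dict per TCP summary line; header lines and other protocols are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        frames.append({
            "no": int(d["no"]),
            "time": float(d["time"]),
            "src": (d["src"], d["sport"]),
            "dst": (d["dst"], d["dport"]),
            "flags": {f.strip() for f in d["flags"].split(",")},
        })
    return frames


def analyse_connections(frames):
    """Group frames by endpoint pair and decide initiator/listener from the handshake flags.

    A bare SYN marks the sender as the initiator; a SYN/ACK marks the sender as
    the listener. Every SYN/ACK after the first is a retransmission, which only
    happens when the initiator's final ACK has not been seen by the listener.
    """
    conns = {}
    for f in frames:
        key = frozenset([f["src"], f["dst"]])
        c = conns.setdefault(key, {"initiator": None, "listener": None,
                                   "syn_ack_times": [], "ack_from_initiator": False})
        flags = f["flags"]
        if "SYN" in flags and "ACK" not in flags:
            c["initiator"], c["listener"] = f["src"], f["dst"]
        elif "SYN" in flags and "ACK" in flags:
            c["syn_ack_times"].append(f["time"])
            if c["listener"] is None:            # no SYN captured, infer from SYN/ACK
                c["listener"], c["initiator"] = f["src"], f["dst"]
        elif "ACK" in flags and f["src"] == c["initiator"]:
            c["ack_from_initiator"] = True       # third leg of the handshake seen

    results = []
    for c in conns.values():
        times = c["syn_ack_times"]
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        results.append({
            "initiator": c["initiator"],
            "listener": c["listener"],
            "syn_ack_retransmissions": max(len(times) - 1, 0),
            "retransmit_gaps_s": gaps,
            "handshake_completed": c["ack_from_initiator"],
        })
    return results


if __name__ == "__main__":
    for r in analyse_connections(parse_summary(SAMPLE_SUMMARY)):
        print(f"initiator {r['initiator'][0]}:{r['initiator'][1]} -> "
              f"listener {r['listener'][0]}:{r['listener'][1]}")
        print(f"  SYN/ACK retransmissions: {r['syn_ack_retransmissions']}, "
              f"gaps (s): {r['retransmit_gaps_s']}, "
              f"handshake completed: {r['handshake_completed']}")
```

The point of deciding direction from the SYN rather than from which side uses a well-known port is exactly the confusion in the question: seeing "smtp" as the source port of most frames suggests the mail server opened the connection, but the single bare SYN shows the remote host did. For the listener the retransmitted SYN/ACKs are normal kernel behaviour for a half-open connection; the same analysis run over a longer capture would flag real outbound SMTP from a compromised host as connections where 192.168.2.2 is the initiator.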