Sign in to follow this  
Halsafar

Idle comp transmitting info over network -- Moniter all traffic

Recommended Posts

Halsafar    205
I am clearly not doing a thing on my comp, nothing running at all. Yet for some reason the router is showing my comp talking to the WAN and the cable modem backs up the log. I can watch the lights blink as my comp is transmitting something somewhere over WAN :) I tried netstat -a and didn't come up with anything foreign I could spot... Maybe Fedora Core 4 likes to chat with its main webpage? I have also been under attempted attacks on my sshd server which is why I have come to ask: How can I moniter all incoming-outgoing traffic in somewhat of a realtime aspect? I would like to know where my vulnerabilities lie as well.

Share this post


Link to post
Share on other sites
Halsafar    205
Found the website...
None of the rmp's will let me install...

They are all missing libpcap, but when I try to install libpcap from the Ethereal site the rpm manager says I have it already... Synaptic says I have it as well.

So I cannot install etheral-10.0a-base for RH9.

Share this post


Link to post
Share on other sites
Halsafar    205
Okay I got it working.
I must say, a lot of stuff is being broadcast to/from my comp.

This is ridiculous, nothing even close to this happens on Windows...

Maybe I'll try this Peer Guardian for Linux, since the Windows version is handy.

Share this post


Link to post
Share on other sites
Halsafar    205
This one happens a ton, my router talking to some addy.
192.168.0.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1


The rest are just examples of the crap, the only one I recognize is the NTP since I update my clock off the closest university NTP server. Otherwise my comp is ONLY running Ethereal while these readings come in.

Also the 6881 port, standard BitTorrent port but I have no BitTorrent Clients running in Linux ever.

Order:
Source, Dest, Protocol, Info

8.209.8.67.cfl.res.rr.com localhost.local UDP Source port: 6882 Destination port: 6881

localhost.local 8.209.8.67.cfl.res.rr.com ICMP Destination unreachable (Host administratively prohibited)

localhost.local SUE.CC.UREGINA.CA NTP NTP

cm209.epsilon173.maxonline.com.sg localhost.local UDP Source port: 49152 Destination port: 6881

70-100-58-188.dsl1.nor.ny.frontiernet.net localhost.local TCP 61372 > 6881 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=53139044 TSER=0 WS=2

localhost.local 70-100-58-188.dsl1.nor.ny.frontiernet.net ICMP Destination unreachable (Host administratively prohibited)

70-100-58-188.dsl1.nor.ny.frontiernet.net localhost.local TCP 61372 > 6881 [SYN] Seq=0 Ack=0 Win=23360 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460 TSV=53142044 TSER=0 WS=2

p54B10C16.dip0.t-ipconnect.de localhost.local UDP Source port: 6881 Destination port: 6881

dsl-210-69.hive.is localhost.local UDP Source port: 11165 Destination port: 6881

Share this post


Link to post
Share on other sites
Halsafar    205
I do run a BitTorrent program now and then with Windows...
Maybe my IP remains in the tracker and it keeps hitting me or yes your explanation.

Anyway, I installed a fire-wall just to be safe but it causing me some problems... Read my newest post.

Share this post


Link to post
Share on other sites
Halsafar    205
Well I got SNORT and TRIPWIRE rpms installed.

Altho I cannot find instructions on even running them...
'tripwire' and 'snort' both don't work from the shell.

Share this post


Link to post
Share on other sites
Will F    1069
Quote:
Original post by Halsafar
Well I got SNORT and TRIPWIRE rpms installed.


In addition, if you don't have one you might want to consider investing in a NAT router. It won't protect you from everything, but it's not a bad idea.

Wikipedia has an overview of the pros and cons of using one.

Share this post


Link to post
Share on other sites
Halsafar    205
I am behind a router. (Does this differ from NAT Router?)
The router has a firewall but it aint that smart.

I did setup firewall with eth0 disabled, and my firewall (FireStarter) is setup in Restrictive Mode for Outbound, as in only allowed OutBound connections are ones which 'I' confirm.


Okay, so even though 'tripwire' and 'snort' are complicated to use, they are installed on my machine and I'd really like to know how to use them. Altho I do believe creeating a checksum of my entire HD may be a bit over-doing it. I would however like to see all possible attempts to hack my system. I have a comp on my network ready to recieve any logs of possible attacks.

Share this post


Link to post
Share on other sites
Sign in to follow this