Outgoing Traffic

Hi

I am using an unmanaged dedicated server running CentOS 6 hosted with a company in the US. They sent an email today saying that my machine is doing a port scan or attack against other IPs in another network in Germany.

##########################################################################
#               Netscan detected from host <MYIP>               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Wed Nov  4 03:04:12 2015 TCP <MYIP> 42590 =>     88.198.42.1 5038
Wed Nov  4 03:04:35 2015 TCP <MYIP> 42590 =>     88.198.42.2 5038
Wed Nov  4 03:04:24 2015 TCP <MYIP> 42590 =>     88.198.42.4 5038
Wed Nov  4 03:04:19 2015 TCP <MYIP> 42590 =>     88.198.42.6 5038
Wed Nov  4 03:04:25 2015 TCP <MYIP> 42590 =>     88.198.42.7 5038
.
.
.
.
.

I am unable to find what is causing this. I ran tcpdump and it shows something similar:

00:00:15.176309 IP 88.28.137.37.5038 > <MYIP>.42590: Flags [R.], seq 0, ack 283258138, win 0, length 0
00:00:32.450385 IP <MYIP>.50753 > 216.58.216.106.https: Flags [P.], seq 2864547828:2864548480, ack 3171020239, win 203, options [nop,nop,TS val 699210 ecr 1242244467], length 652
00:01:21.924192 IP 217.243.229.235.5038 > <MYIP>.49655: Flags [R], seq 828476470, win 0, length 0
00:01:33.925463 IP 217.243.229.238.5038 > <MYIP>.49655: Flags [R], seq 3213308371, win 0, length 0


But I am unable to find what process is doing this. I ran netstat -p | grep 5038, but it does not show anything.

Can someone please help me, as I am stuck?

Thanks
sysautomation Asked:

Muhammad Burhan, Manager I.T., Commented:
217.243.229.235
88.198.42.1
both are ISPs,
and maybe the traffic is something like VoIP services.
sysautomation (Author) Commented:
Thanks Burhan, but the complete list of IPs I have received includes hundreds of IPs in the range 88.198.42.1 to 88.198.249.15. This makes me think there is some attack/scanning going on.

I have now blocked outgoing traffic on port 5038 on my machine and tried it with wireshark:

# tshark -f "port 5038" -i any
Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
0.000000000 178.139.177.226 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
240.022640933 178.139.24.213 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
631.958010353 178.139.203.146 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
781.609887534 188.140.43.131 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1047.720082374 188.140.120.148 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1094.126239696 89.214.32.169 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1094.879239210 188.140.91.15 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1156.542606975  89.214.6.50 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1179.882361554 178.55.20.81 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1442.216376066 178.139.246.208 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1595.194450408 88.29.173.101 -> <MYIP> TCP 62 5038 > 42590 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1656.518486681 188.140.94.11 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1713.676418034 88.29.248.195 -> <MYIP> TCP 62 5038 > 42590 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1752.325387553 89.214.196.152 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2038.452804084 89.214.254.136 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2324.742858675 89.214.122.208 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2463.274046253 89.214.242.227 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2783.274792506 89.214.142.115 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3240.842506431 178.139.89.55 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3299.975133866 178.139.122.229 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3404.203793189 178.55.18.240 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3728.401211542  89.214.1.27 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
4030.151726605 188.140.1.38 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
4231.793687951 188.69.224.57 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
4700.716779468 89.214.206.108 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
5114.830558627 89.214.12.30 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
5393.964430742  188.140.9.4 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

The above output looks like the other IPs are sending packets to my machine on port 5038. Isn't that right?
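An added example, not from the thread or any of its participants: a POSIX shell helper that does what netstat -p | grep 5038 in the question could not, attributing connections to a destination port to their owning process by polling ss -tanp, because a scanner's connections exist only for milliseconds. The sample ss output, the PID 7890 and the process name perl are constructed for the demo; the live watch_dport loop assumes iproute's ss is installed, as it is on CentOS 6.

```shell
#!/bin/sh
# Added example (not from the thread): attribute short-lived outbound
# connections to a destination port to their owning process. netstat -p
# only shows sockets that exist at the instant it runs; a scanner's SYNs
# to port 5038 live for milliseconds, so a one-shot grep misses them.

# owners_for_dport PORT: read `ss -tanp` output on stdin and print
# "STATE LOCAL PEER PROCESS PID" for each socket whose peer port is PORT.
# Handles both the old users:(("perl",7890,3)) and the newer
# users:(("perl",pid=7890,fd=3)) formats, so it works on CentOS 6.
owners_for_dport() {
    awk -v port="$1" '
        $1 == "State" { next }                    # skip the header line
        {
            n = split($5, a, ":")                 # peer port is the last ":" field
            if (a[n] != port) next
            proc = "-"; pid = "-"                 # "-" when ss cannot see the owner
            if (match($0, /users:\(\("[^"]+",(pid=)?[0-9]+/)) {
                u = substr($0, RSTART + 9, RLENGTH - 9)   # drop leading users:(("
                split(u, b, "\",")                # b[1] = name, b[2] = [pid=]NNNN
                sub(/^pid=/, "", b[2])
                proc = b[1]; pid = b[2]
            }
            print $1, $4, $5, proc, pid
        }'
}

# watch_dport PORT [SECONDS]: poll ss for SECONDS and print each distinct
# process/PID pair once. Run as root so ss can report other users' PIDs.
watch_dport() {
    end=$(( $(date +%s) + ${2:-60} ))
    while [ "$(date +%s)" -lt "$end" ]; do
        ss -tanp | owners_for_dport "$1"
        sleep 0.2
    done | awk '!seen[$4 " " $5]++'
}

# Constructed sample of ss -tanp output (not a real capture) so the parser
# can be exercised offline. The sshd and https rows must be ignored.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-SENT 0 1 192.0.2.10:42590 88.198.42.7:5038 users:(("perl",pid=7890,fd=3))
ESTAB 0 0 192.0.2.10:22 198.51.100.5:50321 users:(("sshd",1234,3))
SYN-SENT 0 1 192.0.2.10:42590 88.198.42.9:5038 users:(("perl",7890,4))
ESTAB 0 0 192.0.2.10:50753 216.58.216.106:443 users:(("wget",pid=555,fd=3))'

demo() { printf '%s\n' "$SAMPLE_SS" | owners_for_dport 5038; }
demo
```

On a live box, `watch_dport 5038 120` run as root during one of the sweeps prints the process and PID behind the SYNs; a hit on an unfamiliar binary is the point at which the machine should be treated as compromised rather than misconfigured.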
Muhammad Burhan, Manager I.T., Commented:
Do you have any VoIP services in-house?
Pallavi Godse, Sr. Digital Marketing Executive, Commented:
Hi,

Here's a solution on how you can prevent port scan - http://www.techworld.com/security/defending-yourself-against-port-scanners-490/

Gerwin Jansen, EE MVE, Topic Advisor, Commented:
Could be Asterisk, can you try:

# /etc/init.d/asterisk status

and post the reply?
sysautomation (Author) Commented:
#  /etc/init.d/asterisk status
-bash: /etc/init.d/asterisk: No such file or directory
Gerwin Jansen, EE MVE, Topic Advisor, Commented:
Ok, can you do a ps and check whether there are processes that might belong to Asterisk (last check):

ps -ef | grep -i asteris

and post the reply?
sysautomation (Author) Commented:
# ps -ef | grep -i asteris
root      7646  7630  0 04:49 pts/2    00:00:00 grep -i asteris
Gerwin Jansen, EE MVE, Topic Advisor, Commented:
Ok, likely no Asterisk. The machine may have been hacked; do a "ps -ef" and check for unknown processes / process descriptions. Any that you don't recognize? Is your machine up to date, and what is the update strategy?
sysautomation (Author) Commented:
> Machine may have been hacked

Is there a way to verify this? Through logs or something like that? Will changing the passwords work?
Gerwin Jansen, EE MVE, Topic Advisor, Commented:
>> Is there a way to verify this?
Difficult to say without looking at processes etc.

Do a "ps -ef" and check for unknown processes / process descriptions. Any that you don't recognize? Is your machine up to date, and what is the update strategy?