sysautomation

Outgoing Traffic

Hi

I am using an unmanaged dedicated server running CentOS 6, hosted with a company in the US. They sent an email today saying that my machine is doing a port scan or attack against other IPs in another network in Germany.

##########################################################################
#               Netscan detected from host <MYIP>               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Wed Nov  4 03:04:12 2015 TCP <MYIP> 42590 =>     88.198.42.1 5038
Wed Nov  4 03:04:35 2015 TCP <MYIP> 42590 =>     88.198.42.2 5038
Wed Nov  4 03:04:24 2015 TCP <MYIP> 42590 =>     88.198.42.4 5038
Wed Nov  4 03:04:19 2015 TCP <MYIP> 42590 =>     88.198.42.6 5038
Wed Nov  4 03:04:25 2015 TCP <MYIP> 42590 =>     88.198.42.7 5038
...

I am unable to find what is causing this. I ran tcpdump and it shows something similar:

00:00:15.176309 IP 88.28.137.37.5038 > <MYIP>.42590: Flags [R.], seq 0, ack 283258138, win 0, length 0
00:00:32.450385 IP <MYIP>.50753 > 216.58.216.106.https: Flags [P.], seq 2864547828:2864548480, ack 3171020239, win 203, options [nop,nop,TS val 699210 ecr 1242244467], length 652
00:01:21.924192 IP 217.243.229.235.5038 > <MYIP>.49655: Flags [R], seq 828476470, win 0, length 0
00:01:33.925463 IP 217.243.229.238.5038 > <MYIP>.49655: Flags [R], seq 3213308371, win 0, length 0


But I am unable to find what process is doing this. I ran netstat -p | grep 5038, but it does not show anything.

Can someone please help me as I am stuck.

Thanks
Muhammad Burhan

217.243.229.235
88.198.42.1
Both are ISPs, and maybe the traffic is VoIP services or something like that.
sysautomation (ASKER)

Thanks Burhan, but the complete list of IPs I have received includes hundreds of IPs in the range 88.198.42.1 to 88.198.249.15. This makes me think there is some attack/scanning going on.

I have now blocked outgoing traffic on port 5038 on my machine and tried it with wireshark:

# tshark -f "port 5038" -i any
Running as user "root" and group "root". This could be dangerous.
Capturing on Pseudo-device that captures on all interfaces
0.000000000 178.139.177.226 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
240.022640933 178.139.24.213 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
631.958010353 178.139.203.146 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
781.609887534 188.140.43.131 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1047.720082374 188.140.120.148 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1094.126239696 89.214.32.169 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1094.879239210 188.140.91.15 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1156.542606975  89.214.6.50 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1179.882361554 178.55.20.81 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1442.216376066 178.139.246.208 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1595.194450408 88.29.173.101 -> <MYIP> TCP 62 5038 > 42590 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1656.518486681 188.140.94.11 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1713.676418034 88.29.248.195 -> <MYIP> TCP 62 5038 > 42590 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1752.325387553 89.214.196.152 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2038.452804084 89.214.254.136 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2324.742858675 89.214.122.208 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2463.274046253 89.214.242.227 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2783.274792506 89.214.142.115 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3240.842506431 178.139.89.55 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3299.975133866 178.139.122.229 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3404.203793189 178.55.18.240 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3728.401211542  89.214.1.27 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
4030.151726605 188.140.1.38 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
4231.793687951 188.69.224.57 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
4700.716779468 89.214.206.108 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
5114.830558627 89.214.12.30 -> <MYIP> TCP 62 5038 > 43184 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
5393.964430742  188.140.9.4 -> <MYIP> TCP 62 5038 > 46717 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0


The above output looks like the other IPs are sending packets to my machine on port 5038. Isn't it?
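Two details in the posted output fit together: the report shows one source port (42590) reused against many hosts on port 5038, and the tshark capture shows RST/ACK, Win=0 packets coming back from port 5038 to that same kind of high port. The following added Python example (not from this thread) parses both formats and labels the inbound packets as replies to the host's own probes; the control lines (the 443 entry and the 203.0.113.9 SYN) and the verdict names are constructed.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the report and tshark output above, plus one constructed control line in each.
NETSCAN_REPORT = """\
Wed Nov  4 03:04:12 2015 TCP <MYIP> 42590 =>     88.198.42.1 5038
Wed Nov  4 03:04:35 2015 TCP <MYIP> 42590 =>     88.198.42.2 5038
Wed Nov  4 03:04:24 2015 TCP <MYIP> 42590 =>     88.198.42.4 5038
Wed Nov  4 03:05:01 2015 TCP <MYIP> 50753 =>     216.58.216.106 443
"""
TSHARK_LINES = """\
0.000000000 178.139.177.226 -> <MYIP> TCP 62 5038 > 46101 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
1595.194450408 88.29.173.101 -> <MYIP> TCP 62 5038 > 42590 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2000.000000000 203.0.113.9 -> <MYIP> TCP 74 51234 > 22 [SYN] Seq=0 Win=29200 Len=0
"""
REPORT_RE = re.compile(r"TCP \S+ (\d+) =>\s+(\S+) (\d+)\s*$")
TSHARK_RE = re.compile(r"^\S+\s+(\S+) -> \S+ TCP \d+ (\d+) > (\d+) \[([^\]]*)\]")

def outbound_fanout(report):
    """(src_port, dst_port) -> set of destination IPs our host contacted."""
    fan = defaultdict(set)
    for m in filter(None, map(REPORT_RE.search, report.splitlines())):
        fan[(int(m.group(1)), int(m.group(3)))].add(m.group(2))
    return fan

def scanner_signature(fan, min_targets=3):
    """One source port reused against many hosts on one service port is the
    fingerprint of a raw-socket scanner. The kernel never opened those as
    connections, which is why `netstat -p | grep 5038` showed nothing."""
    return sorted((sp, dp, len(ips)) for (sp, dp), ips in fan.items()
                  if len(ips) >= min_targets)

def classify_inbound(tshark, fan):
    """A RST/ACK from the port we probed, aimed at one of our probe source
    ports, is the target answering our SYN, not an attack on us."""
    probe_ports = {sp for sp, _ in fan}
    probed_services = {dp for _, dp in fan}
    out = []
    for m in filter(None, map(TSHARK_RE.match, tshark.splitlines())):
        remote, sport, dport, flags = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        if "RST" in flags and sport in probed_services:
            verdict = "reply-to-our-probe" + ("-confirmed" if dport in probe_ports else "")
        else:
            verdict = "unrelated-inbound"
        out.append((remote, dport, verdict))
    return out
```

Run against the full report and capture, `scanner_signature()` lists the (source port, service port) pairs that fan out to many hosts, and `classify_inbound()` shows which of the inbound RSTs land on exactly those source ports.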
Did you have any VoIP services in-house?
ASKER CERTIFIED SOLUTION
Pallavi Godse
Could be Asterisk, can you try:

# /etc/init.d/asterisk status

and post the reply?
#  /etc/init.d/asterisk status
-bash: /etc/init.d/asterisk: No such file or directory
Ok, can you do a ps and check whether there are processes that might belong to Asterisk (last check):

ps -ef | grep -i asteris

and post the reply?
# ps -ef | grep -i asteris
root      7646  7630  0 04:49 pts/2    00:00:00 grep -i asteris
Ok, likely no asterisk. Machine may have been hacked, do a "ps -ef" and check for unknown processes / process descriptions. Any that you don't recognize? Is your machine up to date, what is the update strategy?
> Machine may have been hacked

Is there a way to verify this? Through logs or something like that? Will changing the passwords work?
>> Is there a way to verify this?
Difficult to say without looking at processes etc.

Do a "ps -ef" and check for unknown processes / process descriptions. Any that you don't recognize? Is your machine up to date, what is the update strategy?
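A scanner that reuses one source port sends from a packet or raw socket rather than through kernel TCP connections, so `netstat -p` and `ss -p` never attribute that traffic to a process. The check below, an added Python example that is not from this thread, maps the socket inodes listed in /proc/net/packet and /proc/net/raw to the PIDs holding them, which narrows the `ps -ef` review to a handful of processes. The table excerpts and the fd listing are constructed; `suspects()` reads the real /proc tree and needs root to see every process's file descriptors.

```python
import os
from collections import defaultdict

# Constructed excerpts of /proc/net/packet and /proc/net/raw (Linux layouts).
PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800 3      3    0003   2     1 0      0      28412
"""
RAW_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 28417 2 ffff8801 0
"""
# Constructed view of /proc/<pid>/fd symlink targets, keyed by pid.
FD_LINKS = {1234: ["/dev/null", "socket:[28412]", "socket:[28417]"],
            5678: ["/dev/pts/2", "socket:[30000]"]}

def packet_inodes(text):
    """Inode is the last column of /proc/net/packet."""
    return {r.split()[-1] for r in text.splitlines()[1:] if r.strip()}

def raw_inodes(text):
    """In /proc/net/raw the inode is the 10th column (same layout as /proc/net/tcp)."""
    return {r.split()[9] for r in text.splitlines()[1:] if r.strip()}

def owners(inodes, fd_links):
    """pid -> inodes of the packet/raw sockets that process holds open."""
    found = defaultdict(set)
    for pid, targets in fd_links.items():
        for t in targets:
            if t.startswith("socket:[") and t[8:-1] in inodes:
                found[pid].add(t[8:-1])
    return dict(found)

def live_fd_links(proc="/proc"):
    """Read the real /proc tree; run as root to see every process's fds."""
    links = {}
    for pid in (d for d in os.listdir(proc) if d.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links[int(pid)] = [os.readlink(os.path.join(fd_dir, f)) for f in os.listdir(fd_dir)]
        except OSError:  # process exited or fd dir not readable
            continue
    return links

def suspects(proc="/proc"):
    with open(f"{proc}/net/packet") as p, open(f"{proc}/net/raw") as r:
        inodes = packet_inodes(p.read()) | raw_inodes(r.read())
    return owners(inodes, live_fd_links(proc))
```

Processes such as tcpdump or a DHCP client legitimately hold packet sockets, so compare the PIDs `suspects()` returns against `ps -ef` rather than treating every hit as malicious.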