aMule Forum
English => en_Linux => Topic started by: radfoj on November 15, 2004, 06:23:03 PM
-
Hi guys,
I really love your work on amule. I know some nice series and I am downloading them with this app. I have been using it for about half a year.
But a few days ago, my provider asked me what I am sending to destination port 25 and IP address 210.58.165.32. But I don't know. I use KMail for sending emails and my SMTP server is 192.168.1.1.
So I tried to drop every packet sent from my box to port 25 except to the destination IP of my SMTP server. OK?
In /var/log/messages I can now see something like this:
Nov 15 06:47:56 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1491 DF PROTO=TCP SPT=2533 DPT=25 SEQ=1688180444 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)
At that time, amule was on. I stopped it at about 6:50. The PC was still up and I started amule again at 17:30. And what the hell... in the log again:
Nov 15 17:35:23 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7141 DF PROTO=TCP SPT=2320 DPT=25 SEQ=4014174419 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)
12 x something like this.
When amule was off, there wasn't any dropped packet to port 25. And I am sure that the next drop will come in the next 0.5 - 3 hours.
Is there somebody who can help me with this? I don't understand what it is. I tried tcpdump and ethereal to capture packets on eth0 and port 25... but there was nothing about the source process of it.
I am using Mandrakelinux, I have a private IP address. I tried some tests for rootkits. Nothing. Please, I want to know what's going on. I am not good at English, so be patient.
I don't want to bring disgrace to GNU/Linux.
Thanks a lot. Bye
-
If you could capture a number of packets with ethereal and save them to a file, send it to me by e-mail. I'll try to figure out what those packets are.
You may have to re-enable outgoing port 25 to capture them.
-
Hi,
I am here again. First I would like to thank GonoszTopi for his support. Yes, I sent an email to him, but because freemail at @seznam.cz has some problems these days, incoming mails have a big delay (hold off), so I don't know whether he had another question.
Yesterday I was not sure. So today I started amule and waited. In a few minutes it began:
Nov 16 11:20:54 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=11641 DF PROTO=TCP SPT=5673 DPT=25 SEQ=4045892544 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)
Nov 16 11:21:13 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26987 DF PROTO=TCP SPT=5679 DPT=25 SEQ=4095183594 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)
So I tried:
[root@radfoj radfoj]# netstat -natup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 19313/amule
tcp 0 0 0.0.0.0:4712 0.0.0.0:* LISTEN 19313/amule
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2165/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 2720/X
tcp 0 0 0.0.0.0:44117 0.0.0.0:* LISTEN 3750/sim
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 3071/proftpd: (acce
tcp 0 0 192.168.50.13:2856 64.12.24.12:5190 ESTABLISHED 3750/sim
tcp 0 0 192.168.50.13:5621 81.218.10.9:5662 TIME_WAIT -
tcp 0 0 192.168.50.13:4727 153.19.206.148:4662 ESTABLISHED 19313/amule
tcp 0 0 192.168.50.13:5595 80.59.165.34:4662 TIME_WAIT -
tcp 0 0 192.168.50.13:5439 192.168.3.43:1032 ESTABLISHED 3750/sim
tcp 0 1 192.168.50.13:5682 213.54.185.86:779 SYN_SENT 19313/amule
tcp 0 0 192.168.50.13:5614 82.122.88.219:9500 TIME_WAIT -
tcp 0 0 192.168.50.13:5709 66.102.9.99:80 TIME_WAIT -
tcp 0 0 192.168.50.13:4732 82.255.16.104:11036 ESTABLISHED 19313/amule
tcp 0 0 192.168.50.13:4708 81.23.250.167:4242 ESTABLISHED 19313/amule
tcp 0 1 192.168.50.13:5683 172.178.70.27:11 SYN_SENT 19313/amule
tcp 0 0 192.168.50.13:5620 81.218.242.237:5662 TIME_WAIT -
tcp 0 0 192.168.50.13:5690 216.239.59.99:80 TIME_WAIT -
tcp 0 1 192.168.50.13:5679 210.58.165.32:25 SYN_SENT 19313/amule
tcp 0 0 192.168.50.13:4723 80.118.70.215:4662 ESTABLISHED 19313/amule
tcp 0 0 192.168.50.13:5689 82.149.231.177:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5702 82.149.231.177:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5704 82.149.231.177:80 TIME_WAIT -
tcp 0 0 192.168.50.13:1029 207.46.106.192:1863 ESTABLISHED 3750/sim
tcp 0 1 192.168.50.13:5680 84.135.137.178:4662 SYN_SENT 19313/amule
tcp 0 0 192.168.50.13:5739 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5738 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5736 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5743 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5113 82.216.248.195:1069 ESTABLISHED 19313/amule
tcp 0 0 192.168.50.13:5742 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5741 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5740 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5735 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5734 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5733 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5732 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5755 62.4.98.2:80 ESTABLISHED 19311/konquerorK5H1
tcp 0 0 192.168.50.13:5754 62.4.98.2:80 ESTABLISHED 19335/konqueror32qO
tcp 0 0 192.168.50.13:5753 62.4.98.2:80 ESTABLISHED 19306/konquerorEIw2
tcp 0 0 192.168.50.13:5752 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5756 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5745 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5744 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5751 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5750 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5749 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5748 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5695 62.4.98.2:80 TIME_WAIT -
tcp 0 0 192.168.50.13:5607 83.38.215.114:4662 TIME_WAIT -
tcp 0 1 192.168.50.13:5681 84.129.62.164:92 SYN_SENT 19313/amule
tcp 0 1 192.168.50.13:5594 217.228.174.251:4662 FIN_WAIT1 -
tcp 0 0 192.168.50.13:5615 80.212.187.219:4662 TIME_WAIT -
tcp 0 0 :::6000 :::* LISTEN 2720/X
udp 0 0 0.0.0.0:1025 0.0.0.0:* 3750/sim
udp 0 0 0.0.0.0:5003 0.0.0.0:* 19313/amule
udp 0 0 0.0.0.0:5005 0.0.0.0:* 19313/amule
udp 0 0 127.0.0.1:53 0.0.0.0:* 2780/tmdns
udp 0 0 224.0.0.251:5353 0.0.0.0:* 2780/tmdns
udp 0 0 192.168.50.13:5353 0.0.0.0:* 2780/tmdns
udp 0 0 127.0.0.1:5353 0.0.0.0:* 2780/tmdns
udp 0 0 0.0.0.0:111 0.0.0.0:* 2165/portmap
udp 0 0 192.168.50.13:123 0.0.0.0:* 2755/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2755/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2755/ntpd
udp 0 0 :::123 :::* 2755/ntpd
So what about this:
tcp 0 1 192.168.50.13:5679 210.58.165.32:25 SYN_SENT 19313/amule
And what's this:
tcp 0 1 192.168.50.13:5683 172.178.70.27:11 SYN_SENT 19313/amule
Nov 16 11:21:23 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=172.178.70.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=46941 DF PROTO=TCP SPT=5683 DPT=11 SEQ=4100308472 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)
Could my box be broken? Could my firewall be configured improperly? Or what?
Please.
-
At IP 210.58.165.32 there is probably a heavily misconfigured ed2k client.
Do `iptables -I OUTPUT 1 -p tcp -d 210.58.165.32 --dport 25 -j REJECT` as root to disable this traffic without disturbing anything else.
btw, mail sent.
Have fun!
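The step that answered the question above was joining the kernel DROPPED lines with `netstat -natup` by hand (tcpdump shows the packets but not the owning process; netstat -p shows the process but not the drop). Below is that join as an added Python example; it is not aMule code and not from the original posts. It parses LOG lines in the format of the /var/log/messages excerpts in this thread, parses netstat -p output, and matches them on the (source IP, source port, destination IP, destination port) 4-tuple so every dropped outbound SYN gets an owner or an explicit "unknown". The sample log and netstat lines are constructed for this example in the thread's formats (addresses and ports mirror the thread); one inbound drop and one TIME_WAIT row with no owner are included to show they are filtered out. One caveat worth knowing: the join only works while the socket still exists. Under a DROP rule the kernel keeps retransmitting the SYN and the socket sits in SYN_SENT for minutes, which is why netstat caught it here; under REJECT the connect() fails immediately and the socket is gone, so take the netstat snapshot while the DROP rule is in place, or snapshot repeatedly.

```python
"""Join iptables LOG lines for dropped outbound SYNs with `netstat -natup`
output to name the process behind each attempt.

Added example for this thread, not aMule code. All sample input below is
constructed in the formats the thread shows (kernel LOG lines, netstat -p).
"""
import re
from collections import defaultdict

# Constructed sample log: same "DROPPED" prefix and field order as the
# /var/log/messages excerpts in the thread. The last line is an inbound drop
# (IN=eth0 OUT=) that the attribution step must ignore.
SAMPLE_LOG = """\
Nov 16 11:20:54 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=11641 DF PROTO=TCP SPT=5673 DPT=25 SEQ=4045892544 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)
Nov 16 11:21:13 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26987 DF PROTO=TCP SPT=5679 DPT=25 SEQ=4095183594 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)
Nov 16 11:21:23 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=172.178.70.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=46941 DF PROTO=TCP SPT=5683 DPT=11 SEQ=4100308472 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)
Nov 16 11:21:30 radfoj kernel: DROPPED IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.50.13 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3322 DPT=445 SEQ=1 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Constructed sample `netstat -natup` output (English header). The TIME_WAIT
# row has no owner ("-") and must be skipped; the UDP row is not a TCP socket.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      19313/amule
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      3071/proftpd: (acce
tcp        0      1 192.168.50.13:5679      210.58.165.32:25        SYN_SENT    19313/amule
tcp        0      1 192.168.50.13:5683      172.178.70.27:11        SYN_SENT    19313/amule
tcp        0      0 192.168.50.13:5595      80.59.165.34:4662       TIME_WAIT   -
udp        0      0 0.0.0.0:5003            0.0.0.0:*                           19313/amule
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# Only rows with a numeric PID match; "-" (no owner, e.g. TIME_WAIT) is skipped.
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_0-9]+)\s+(?P<pid>\d+)/(?P<prog>.+?)\s*$"
)


def split_addr(addr):
    """'192.168.50.13:5679' -> ('192.168.50.13', 5679); a '*' port becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_log(text):
    """Return one dict per LOG line; TCP flags are bare tokens, so 'ACK=0' is not the ACK flag."""
    drops = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tokens = line.split()
        drops.append({
            "ts": m["ts"], "prefix": m["prefix"], "in": m["in"], "out": m["out"],
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"]),
            "syn": "SYN" in tokens and "ACK" not in tokens,
        })
    return drops


def parse_netstat(text):
    """Map (local host, local port, remote host, remote port) -> owner and state."""
    sockets = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lh, lp = split_addr(m["local"])
        rh, rp = split_addr(m["remote"])
        sockets[(lh, lp, rh, rp)] = {"state": m["state"],
                                     "process": f"{m['pid']}/{m['prog']}"}
    return sockets


def attribute_drops(log_text, netstat_text):
    """Outbound TCP SYN drops with the owning process, or None if the socket is gone."""
    sockets = parse_netstat(netstat_text)
    rows = []
    for d in parse_log(log_text):
        if not d["out"] or d["proto"] != "TCP" or not d["syn"]:
            continue  # inbound drops and non-SYN traffic are not connection attempts
        sock = sockets.get((d["src"], d["spt"], d["dst"], d["dpt"]))
        rows.append({**d, "process": sock["process"] if sock else None,
                     "state": sock["state"] if sock else None})
    return rows


def summarize_by_port(rows):
    """Destination port -> {owner: count}, e.g. which program keeps hitting port 25."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in rows:
        summary[r["dpt"]][r["process"] or "unknown"] += 1
    return {port: dict(owners) for port, owners in summary.items()}


if __name__ == "__main__":
    rows = attribute_drops(SAMPLE_LOG, SAMPLE_NETSTAT)
    for r in rows:
        print(f"{r['ts']} {r['src']}:{r['spt']} -> {r['dst']}:{r['dpt']} "
              f"owner={r['process'] or 'unknown (socket already gone)'}")
    print(summarize_by_port(rows))
```

On a live box, feed it `grep DROPPED /var/log/messages` and a `netstat -natup` snapshot taken as root while the rule is still DROP. The first sample SYN (source port 5673) is deliberately absent from the netstat snapshot, so it comes back as unknown: that is exactly what happens when the snapshot is taken after the kernel has given up retransmitting, and it is the reason to snapshot early and often rather than once.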
-
Thanks GonoszTopi a lot,
I was worried these days ?( , but I also hoped that it would be only some little mistake.
Your last answer here makes me really happy. :D :D :D :D
I will try it and I believe you are right. So this topic is over :] .
If not, I will ask once more, OK?
btw, mail still not delivered X(
I wish you fun too. Thanks. Bye. :baby: