Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[radfoj]

Hi guys,

     I really love your work on amule. I know some nice series and I am downloading them with this app. I use it for about half an year.
     Bat few days ago, my provider asked me, what am I sending to destination port 25 and IP adress 210.58.165.32. But I dont know. I use Kmail for sending emails and my smtp server is 192.168.1.1.
    So I tried dropp every packet send from my box to port 25 except to destination IP of my smtp server. OK?
   In /var/log/messages I can see now something like this:

Nov 15 06:47:56 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1491 DF PROTO=TCP SPT=2533 DPT=25 SEQ=1688180444 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

   In that time, amule was on. I stopped it about in 6:50. PC was still up and i start amule again in 17:30. And what the hell .... in log again :

Nov 15 17:35:23 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7141 DF PROTO=TCP SPT=2320 DPT=25 SEQ=4014174419 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

   12 x something like this.

 
   When amule wass off, there isn't any dropped packet to port 25. And I am sure, that next dropp will come in next 0.5 - 3 hours.


Is there somebody, who can help me with this? I dont anderstand, what it is. I tried tcpdump and ethereal to capture packet on eth0 and port 25 .. but there was nothing about the source process of it.

I am using Mandrakelinux,  I have private IP adress. I tried some tests for rootkins. Nothing.   Please, I want know, whats going on.    I am not good in English, so be patient.

I dont want to do disgrace to GNU/Linux.

Thanks a lot.          By

[GonoszTopi]

If you could capture a number of packets with ethereal, and save to file, send it to me in e-mail. I'll try to figure out what those packets are.

You may have to re-enable outgoing port 25 to capture them.

[radfoj]

Hi,

I am here again. At first I would like to thank GonoszTopi for his support. Yes I send email to him, but becouse freemail at @seznam.cz have some problems these days, incoming mails have a big retard (hold off), I dont know, wheather he had another qustion.

Yesterday I was not sure. So today I started amule and was waiting. In few minutes it begin:

Nov 16 11:20:54 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=11641 DF PROTO=TCP SPT=5673 DPT=25 SEQ=4045892544 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)
Nov 16 11:21:13 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=210.58.165.32 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26987 DF PROTO=TCP SPT=5679 DPT=25 SEQ=4095183594 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

So i tried:
[root@radfoj radfoj]# netstat -natup
Aktivní Internetová spojení (servery a navázaná spojení)
Proto P?ích-F Odch-F Místní Adresa          Vzdálená Adresa         Stav      PID/Program name
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      19313/amule
tcp        0      0 0.0.0.0:4712            0.0.0.0:*               LISTEN      19313/amule
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2165/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      2720/X
tcp        0      0 0.0.0.0:44117           0.0.0.0:*               LISTEN      3750/sim
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      3071/proftpd: (acce
tcp        0      0 192.168.50.13:2856      64.12.24.12:5190        SPOJENO     3750/sim
tcp        0      0 192.168.50.13:5621      81.218.10.9:5662        TIME_WAIT   -
tcp        0      0 192.168.50.13:4727      153.19.206.148:4662     SPOJENO     19313/amule
tcp        0      0 192.168.50.13:5595      80.59.165.34:4662       TIME_WAIT   -
tcp        0      0 192.168.50.13:5439      192.168.3.43:1032       SPOJENO     3750/sim
tcp        0      1 192.168.50.13:5682      213.54.185.86:779       SYN_SENT    19313/amule
tcp        0      0 192.168.50.13:5614      82.122.88.219:9500      TIME_WAIT   -
tcp        0      0 192.168.50.13:5709      66.102.9.99:80          TIME_WAIT   -
tcp        0      0 192.168.50.13:4732      82.255.16.104:11036     SPOJENO     19313/amule
tcp        0      0 192.168.50.13:4708      81.23.250.167:4242      SPOJENO     19313/amule
tcp        0      1 192.168.50.13:5683      172.178.70.27:11        SYN_SENT    19313/amule
tcp        0      0 192.168.50.13:5620      81.218.242.237:5662     TIME_WAIT   -
tcp        0      0 192.168.50.13:5690      216.239.59.99:80        TIME_WAIT   -
tcp        0      1 192.168.50.13:5679      210.58.165.32:25        SYN_SENT    19313/amule
tcp        0      0 192.168.50.13:4723      80.118.70.215:4662      SPOJENO     19313/amule
tcp        0      0 192.168.50.13:5689      82.149.231.177:80       TIME_WAIT   -
tcp        0      0 192.168.50.13:5702      82.149.231.177:80       TIME_WAIT   -
tcp        0      0 192.168.50.13:5704      82.149.231.177:80       TIME_WAIT   -
tcp        0      0 192.168.50.13:1029      207.46.106.192:1863     SPOJENO     3750/sim
tcp        0      1 192.168.50.13:5680      84.135.137.178:4662     SYN_SENT    19313/amule
tcp        0      0 192.168.50.13:5739      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5738      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5736      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5743      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5113      82.216.248.195:1069     SPOJENO     19313/amule
tcp        0      0 192.168.50.13:5742      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5741      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5740      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5735      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5734      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5733      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5732      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5755      62.4.98.2:80            SPOJENO     19311/konquerorK5H1
tcp        0      0 192.168.50.13:5754      62.4.98.2:80            SPOJENO     19335/konqueror32qO
tcp        0      0 192.168.50.13:5753      62.4.98.2:80            SPOJENO     19306/konquerorEIw2
tcp        0      0 192.168.50.13:5752      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5756      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5745      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5744      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5751      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5750      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5749      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5748      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5695      62.4.98.2:80            TIME_WAIT   -
tcp        0      0 192.168.50.13:5607      83.38.215.114:4662      TIME_WAIT   -
tcp        0      1 192.168.50.13:5681      84.129.62.164:92        SYN_SENT    19313/amule
tcp        0      1 192.168.50.13:5594      217.228.174.251:4662    FIN_WAIT1   -
tcp        0      0 192.168.50.13:5615      80.212.187.219:4662     TIME_WAIT   -
tcp        0      0 :::6000                 :::*                    LISTEN      2720/X
udp        0      0 0.0.0.0:1025            0.0.0.0:*                           3750/sim
udp        0      0 0.0.0.0:5003            0.0.0.0:*                           19313/amule
udp        0      0 0.0.0.0:5005            0.0.0.0:*                           19313/amule
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2780/tmdns
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           2780/tmdns
udp        0      0 192.168.50.13:5353      0.0.0.0:*                           2780/tmdns
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           2780/tmdns
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2165/portmap
udp        0      0 192.168.50.13:123       0.0.0.0:*                           2755/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2755/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2755/ntpd
udp        0      0 :::123                  :::*                                2755/ntpd

So what about this:
tcp   0   1 192.168.50.13:5679    210.58.165.32:25     SYN_SENT  19313/amule

((((((((   and whats this:
tcp 0 1 192.168.50.13:5683  172.178.70.27:11 SYN_SENT 9313/amule

Nov 16 11:21:23 radfoj kernel: DROPPED IN= OUT=eth0 SRC=192.168.50.13 DST=172.178.70.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=46941 DF PROTO=TCP SPT=5683 DPT=11 SEQ=4100308472 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)    ))))))))))


Should my box be broken? Should I have firewall not configured properly? Or what?
Please.

[GonoszTopi]

At IP 210.58.165.32 there is probably a heavily misconfigured ed2k client.

do `iptables -I OUTPUT 1 -p tcp -d 210.58.165.32 --dport 25 -j REJECT` as root to disable this traffic without disturbing anything else.

btw, mail sent.

Have fun!

[radfoj]

Thanks GonoszTopi a lot,

I worried these days ?( , but also I hoped, that it will be only some little mistake.

Your last answer here makes me really happy.    

I will try and I believe you are right. So this topic is over  :] .
If not, I will ask once more, OK?

btw, mail yet not delievered  X(

I wish you fun too.  Thanks. Bye.   :baby: