[Solved] TCP traffic on port 11111
Last Updated: Jul 11 2017 11:06, Started by GhostWolf, Jul 10 2017 11:23
#1
Posted 10 July 2017 - 11:23
Hi,
While playing around with iptables, I found the following lines in the journal: Quote
[REJECT TCPv4] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=5399 DF PROTO=TCP SPT=42134 DPT=11111 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70101040201030307)
nmap, ps ax, htop, netstat: I can't find anything wrong, 127.0.0.1 isn't listening on that port. Has anyone else run into messages like these in the logs while playing with the firewall? I'm thinking something is wrong with the system and I can't figure out what it could be, especially since I also found some traffic to port 631/tcp, also originating locally and making no sense, since I don't have cups installed. Any ideas? Where should I start and where should I end up?
#2
Posted 10 July 2017 - 12:42
OutlawCountry Linux Exploit
https://www.sunnyhoi...ountry-exploit/ Sorry if this is not on topic; it's about iptables rules invisible to the user, see the output of lsmod | grep nf_table. Edited by neoliviu, 10 July 2017 - 12:46.
#3
Posted 10 July 2017 - 14:22
Hello,
it's not related to OutlawCountry. Either it's something local trying to communicate on that port, I hope, or the system has been compromised and something is trying to communicate locally to initiate some action. The problem is that I can't figure out which application is trying to communicate with that port, so I can go on to check whether that application is communicating legitimately or not. I have to dig, but I'm starting to run out of ideas.
#4
Posted 10 July 2017 - 18:23
Maybe this helps:
https://serverfault.com/a/193088 The page also has other possible solutions/ideas that use systemtap (stap). Alternatively, add a rule that drops with -j LOG --log-uid, so at least you can see the user id. Edited by mhanor, 10 July 2017 - 18:26.
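A small triage script along the lines of the --log-uid suggestion above, as an added example that is not from this thread: it parses netfilter LOG lines (constructed samples modelled on the line in post #1), groups rejected loopback SYNs by destination port and UID, and checks a constructed /proc/net/tcp excerpt for a listener on that port. The UID field only shows up on lines logged from the OUTPUT chain, which is why the IN=lo line is reported without one.

```python
import re
from collections import Counter

# Constructed netfilter LOG lines modelled on the "[REJECT TCPv4]" line in post #1 (not real logs).
# OUTPUT-chain lines (OUT=lo) carry the UID=/GID= fields that "-j LOG --log-uid" appends; an INPUT-chain rule (IN=lo) cannot see the sending process, so it logs no UID.
SAMPLE_LOG = """\
[REJECT TCPv4] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=5399 DF PROTO=TCP SPT=42134 DPT=11111 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70101040201030307)
[REJECT TCPv4] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=5401 DF PROTO=TCP SPT=42150 DPT=11111 WINDOW=43690 RES=0x00 SYN URGP=0 UID=1000 GID=1000
[REJECT TCPv4] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=5402 DF PROTO=TCP SPT=42152 DPT=631 WINDOW=43690 RES=0x00 SYN URGP=0 UID=1000 GID=1000
[REJECT TCPv4] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11111 DPT=42150 WINDOW=0 RES=0x00 ACK RST URGP=0
"""
# Constructed /proc/net/tcp excerpt: a single socket in LISTEN state (st=0A) on 127.0.0.1:22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
"""
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_nf_log(line):
    """Split one netfilter LOG line into its KEY=VALUE fields plus the set of TCP flag tokens."""
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def listening_ports(proc_net_tcp):
    """Local TCP ports in LISTEN state (st == 0A); the port is the hex suffix of local_address."""
    ports = set()
    for row in proc_net_tcp.splitlines()[1:]:
        cols = row.split()
        if len(cols) > 3 and cols[3] == "0A":
            ports.add(int(cols[1].rsplit(":", 1)[1], 16))
    return ports

def triage(log_text, proc_net_tcp):
    """Count rejected loopback connection attempts per (DPT, UID, listener present); UID is '?' when the line has no UID field (no --log-uid, or a chain that cannot see the sender)."""
    listeners = listening_ports(proc_net_tcp)
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_nf_log(line)
        # Only an initial SYN (no ACK) towards the loopback address is a new connection attempt.
        if f.get("PROTO") != "TCP" or f["FLAGS"] != {"SYN"} or f.get("DST") != "127.0.0.1":
            continue
        dport = int(f["DPT"])
        counts[(dport, f.get("UID", "?"), dport in listeners)] += 1
    return counts

if __name__ == "__main__":
    for (dport, uid, listening), n in sorted(triage(SAMPLE_LOG, SAMPLE_PROC_NET_TCP).items()):
        state = "listener present" if listening else "nothing listening on it"
        print(f"dport {dport}: {n} SYN(s) from UID {uid}, {state}")
```

On a live system you would feed it `journalctl -k` output and the contents of /proc/net/tcp instead of the constructed samples.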
#5
Posted 10 July 2017 - 20:50
I'll try logging the UID as well, to see whether it comes from my user or from something else.
#6
Posted 11 July 2017 - 08:34
LE: I think I've solved the mystery. As far as I can see, my problem comes down to rtorrent; I started that wretched client while running tcpdump on loopback. When rtorrent starts (binary package installed from the repository), I see that damned traffic to port 11111/tcp:
Quote
2017-07-11 09:24:59.028283 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x8, ttl 64, id 23267, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.51142 > 127.0.0.1.11111: Flags [S], cksum 0xfe28 (incorrect -> 0xb917), seq 369560052, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
2017-07-11 09:24:59.028354 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 127.0.0.1.11111 > 127.0.0.1.51142: Flags [R.], cksum 0xfe1c (incorrect -> 0x9ea4), seq 0, ack 369560053, win 0, length 0
2017-07-11 09:24:59.028630 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x8, ttl 64, id 25109, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.51150 > 127.0.0.1.11111: Flags [S], cksum 0xfe28 (incorrect -> 0x538b), seq 1417490690, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
2017-07-11 09:24:59.028651 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 127.0.0.1.11111 > 127.0.0.1.51150: Flags [R.], cksum 0xfe1c (incorrect -> 0x3918), seq 0, ack 1417490691, win 0, length 0
2017-07-11 09:24:59.028743 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x8, ttl 64, id 65051, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.51154 > 127.0.0.1.11111: Flags [S], cksum 0xfe28 (incorrect -> 0x6817), seq 3286412556, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
2017-07-11 09:24:59.028762 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 127.0.0.1.11111 > 127.0.0.1.51154: Flags [R.], cksum 0xfe1c (incorrect -> 0x4da4), seq 0, ack 3286412557, win 0, length 0
2017-07-11 09:24:59.028871 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x8, ttl 64, id 12276, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.51158 > 127.0.0.1.11111: Flags [S], cksum 0xfe28 (incorrect -> 0xb640), seq 2782821603, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
2017-07-11 09:24:59.028889 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 127.0.0.1.11111 > 127.0.0.1.51158: Flags [R.], cksum 0xfe1c (incorrect -> 0x9bcd), seq 0, ack 2782821604, win 0, length 0
2017-07-11 09:24:59.029286 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x8, ttl 64, id 51101, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.51216 > 127.0.0.1.11111: Flags [S], cksum 0xfe28 (incorrect -> 0x4e15), seq 4129854602, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
2017-07-11 09:24:59.029306 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 127.0.0.1.11111 > 127.0.0.1.51216: Flags [R.], cksum 0xfe1c (incorrect -> 0x33a2), seq 0, ack 4129854603, win 0, length 0
2017-07-11 09:24:59.029432 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x8, ttl 64, id 59160, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.51230 > 127.0.0.1.11111: Flags [S], cksum 0xfe28 (incorrect -> 0xc449), seq 1617015823, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
2017-07-11 09:24:59.029448 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 127.0.0.1.11111 > 127.0.0.1.51230: Flags [R.], cksum 0xfe1c (incorrect -> 0xa9d6), seq 0, ack 1617015824, win 0, length 0
2017-07-11 09:24:59.029553 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x8, ttl 64, id 12715, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.51234 > 127.0.0.1.11111: Flags [S], cksum 0xfe28 (incorrect -> 0xabdf), seq 3390726844, win 43690, options [mss 65495,nop,nop,sackOK,nop,wscale 7], length 0
2017-07-11 09:24:59.029568 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 127.0.0.1.11111 > 127.0.0.1.51234: Flags [R.], cksum 0xfe1c (incorrect -> 0x916c), seq 0, ack 3390726845, win 0, length 0
#7
Posted 11 July 2017 - 10:56
[Solved]
As I said above, rtorrent is to blame for the strange traffic seen in the logs and with tcpdump. I ran strace on it and found that it is doing something itself; I still don't know why. I was expecting something RPC-related, since that's why it's compiled with RPC support, but I see that's not quite it: Quote
4617 11:44:34.776782 connect(141<TCP:[136313]>, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
4617 11:44:34.781047 connect(144<TCP:[134202]>, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
4617 11:44:34.798350 connect(161<TCP:[133498]>, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
4617 11:44:34.799929 connect(162<TCP:[133499]>, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
4617 11:44:34.802172 connect(164<TCP:[133501]>, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
4617 11:44:34.812064 connect(173<TCP:[133510]>, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
4617 11:44:34.813554 connect(174<TCP:[133511]>, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
#8
Posted 11 July 2017 - 11:06
Thanks for the feedback, I've changed the title to note that you've solved the problem.