On Sunday 22 Jan 2012 17:54:29 Grant wrote:
> > `watch` isn't going to help too much unless you're looking at it. Append
> > the output to some log file instead. I chose netstat because its output
> > looked easier to parse with a stupid regexp.
> >
> > while true; do
> > netstat -antp | grep ':993 ' >> mystery.log;
> > sleep 1;
> > done;
> >
> > You'll want to change the port -- I tested to make sure that was really
> > logging my Thunderbird connections.
>
> I'm still getting the blocked outbound requests to port 3680 on my
> firewall and I'm running the above script (changed 993 to 3680) on the
> local system indicated by SRC in the firewall log, but mystery.log
> remains empty. I tested the script with other ports and it seems to
> be working fine.
>
> Also the MAC indicated in the firewall log is 14 blocks long and the
> local system in question has a MAC address 6 blocks long according to
> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
> reported by the firewall.
>
> Does this make sense to anyone?
Does not make sense to me, sorry. :-(

Have you tried running the script on lsof instead?

> I installed and ran rkhunter and this was the only warning I couldn't
> disregard:
>
> Warning: The command '/usr/sbin/rkhunter' has been replaced and is not
> a script: /usr/sbin/rkhunter: POSIX shell script, ASCII text
> executable, with very long lines

This warning comes up the first time after rkhunter runs --update for its
.dat files. I don't know why this is so - but I have noticed it happening
for the last couple of versions at least.

--
Regards,
Mick
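A reworked version of the polling logger quoted in the thread, added here as an illustration and not code from Grant, Mick or the original poster. It keeps the same idea (poll, append matches to mystery.log) but also lists UDP sockets, since netstat -ant shows only TCP, matches the remote port exactly rather than any ':3680 ' substring, and stamps each line with the time so it can be lined up with the firewall log; a one-second poll can still miss a connection attempt that a separate firewall rejects within milliseconds. The sample netstat output is constructed, and the filter assumes netstat's default column layout (foreign address in the fifth column).

```shell
#!/bin/sh
# Added example (not from the thread): a port logger in the spirit of the
# quoted netstat loop, with three changes noted in the comments below.

# filter_port PORT: read netstat -antup style lines on stdin and print those
# whose foreign (remote) address ends in :PORT. Assumes netstat's default
# layout, where the fifth column is "Foreign Address".
filter_port() {
    awk -v p="$1" '
        # Anchor on the last ":PORT" so 3680 does not also match 36800,
        # and so IPv6 peers such as ::1:3680 still work.
        $5 ~ (":" p "$") { print }'
}

# log_port PORT LOGFILE [INTERVAL]: poll and append matches with a timestamp
# so entries can be lined up with the firewall log. -u includes UDP sockets
# (the original -ant shows only TCP); -p needs root to show the process.
# A one-second poll can still miss a connection the firewall rejects within
# milliseconds, so shorten INTERVAL if the log stays empty.
log_port() {
    port="$1"; logfile="$2"; interval="${3:-1}"
    while true; do
        netstat -antup 2>/dev/null | filter_port "$port" |
            while IFS= read -r line; do
                printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line"
            done >> "$logfile"
        sleep "$interval"
    done
}

# Constructed sample of netstat -antup output (not real data) for a dry run.
SAMPLE_NETSTAT='tcp        0      0 192.168.1.5:41234       192.0.2.10:3680         SYN_SENT    1234/unknown
tcp        0      0 192.168.1.5:55000       192.0.2.20:993          ESTABLISHED 2222/thunderbird
udp        0      0 192.168.1.5:36800       192.0.2.30:3680                     3333/unknown
tcp        0      0 192.168.1.5:56000       192.0.2.40:36800        ESTABLISHED 4444/other'

# count_matches PORT: how many sample lines have PORT as the remote port.
count_matches() {
    printf '%s\n' "$SAMPLE_NETSTAT" | filter_port "$1" | wc -l | tr -d ' '
}

# Usage: sh portlog.sh PORT [LOGFILE]  (polls until interrupted).
# With no arguments only the functions are defined, e.g. for a dry run.
if [ "$#" -gt 0 ]; then
    log_port "$1" "${2:-mystery.log}"
fi
```

Running `sh portlog.sh 3680` as root reproduces the original loop's behaviour with the changes above; without arguments the script only defines the functions so the filter can be exercised against the constructed sample.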