On 8/7/2014 9:35 AM, merc1...@f-m.fm wrote:
> Tom, attached please find my # shorewall dump.
>
> This machine is my laptop. I have it set up, a number of reverse SSH
> tunnels to the server to extend ports for services to this laptop. This
> is a very good and secure method of running daemons in one place for a
> LAN.
> 631 - cups
> 3128 - Squid
> 654? - MythTV
> 22306 - mariadb
>
> 91?? - TOR service channels
> 4444 - i2p
> 4445 - i2p
> 6668 - i2p
> 7657 - i2p
> 7658 - i2p
> 7659 - i2p
> 7660 - i2p
> 9327 - coin miner
> 9332 - litecoin
> 6566 - sane
> 7070 - bittorrent
>
> i2p, litecoin mining, sane and bittorrent do not have any daemon running
> at the other end.
>
> Got these this morning:
> # dmesg
> ...
> [57691.920943] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21619 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [57692.917882] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21620 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [57694.923604] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21621 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [57698.931001] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21622 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [57706.953863] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21623 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [57722.999518] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21624 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [57755.090829] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21625 DF PROTO=TCP
> SPT=57346 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [57997.351443] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1179 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [57998.349862] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1180 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [58000.355520] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1181 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [58004.366962] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1182 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [58012.397800] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1183 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [58028.443408] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1184 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> [58060.566751] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1
> DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1185 DF PROTO=TCP
> SPT=57425 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
> # ps aux |grep ossec
> 1004 1749 0.0 0.0 19124 776 ? S Aug06 0:00
> /var/ossec/bin/ossec-maild
> root 1753 0.0 0.0 12688 504 ? S Aug06 0:00
> /var/ossec/bin/ossec-execd
> 1003 1757 0.0 0.0 17604 2564 ? S Aug06 0:05
> /var/ossec/bin/ossec-analysisd
> root 1761 0.0 0.0 4424 548 ? S Aug06 0:00
> /var/ossec/bin/ossec-logcollector
> root 1772 0.0 0.0 5816 2280 ? S Aug06 0:39
> /var/ossec/bin/ossec-syscheckd
> 1003 1776 0.0 0.0 12948 808 ? S Aug06 0:00
> /var/ossec/bin/ossec-monitord
> root 4200 0.0 0.0 12684 964 pts/9 S+ 09:29 0:00 grep
> --color=auto ossec
>
> I'd deinstalled ossec yesterday so ps doesn't know the usernames,
> although for some reason the deinstall did not shut down the daemons.
> Clearly ossec-maild that was doing it.

Once you stopped the daemons, the worrying messages also stopped?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
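
The attribution done by hand in the quoted message (the UID= field of the Shorewall log lines matched against the owner column of `ps aux`), as an added example that is not part of the original thread. The function names are hypothetical, and the sample input is abridged from the output quoted above.

```python
import re
from collections import defaultdict
# Sample input abridged from the dmesg and ps output quoted in the thread.
TEMPLATE = ("[{ts}] Shorewall:fw-net:ACCEPT:IN= OUT=wlan0 SRC=192.168.111.1 "
            "DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID={id} DF PROTO=TCP "
            "SPT={spt} DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999")
DMESG = "\n".join(TEMPLATE.format(ts=t, id=i, spt=s) for t, i, s in [
    ("57691.920943", 21619, 57346), ("57692.917882", 21620, 57346),
    ("57694.923604", 21621, 57346), ("57997.351443", 1179, 57425),
    ("57998.349862", 1180, 57425)])
PS = """\
1004  1749 0.0 0.0 19124  776 ? S Aug06 0:00 /var/ossec/bin/ossec-maild
root  1753 0.0 0.0 12688  504 ? S Aug06 0:00 /var/ossec/bin/ossec-execd
1003  1757 0.0 0.0 17604 2564 ? S Aug06 0:05 /var/ossec/bin/ossec-analysisd"""
LOG_RE = re.compile(r"\[\s*(\d+\.\d+)\] Shorewall:([^:]+):([^:]+):(.*)")

def parse_log(text):
    """Yield a dict of KEY=VALUE fields (plus chain, verdict, syn) per Shorewall log line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ts, chain, verdict, rest = m.groups()
            fields = dict(re.findall(r"(\w+)=(\S*)", rest))
            fields.update(ts=float(ts), chain=chain, verdict=verdict, syn=" SYN " in rest)
            yield fields

def owners_by_uid(ps_text):
    """Map the USER column of `ps aux` output to the commands running under it."""
    owners = defaultdict(set)
    for line in ps_text.splitlines():
        cols = line.split(None, 10)      # ps aux has 11 columns; the last is COMMAND
        if len(cols) == 11:
            owners[cols[0]].add(cols[10])
    return owners

def attribute(dmesg_text, ps_text):
    """Group locally generated SYNs (empty IN=, UID= logged) by (UID, DST, DPT)."""
    owners = owners_by_uid(ps_text)
    flows = defaultdict(lambda: defaultdict(int))    # (uid, dst, dpt) -> SPT -> SYN count
    for ev in parse_log(dmesg_text):
        if ev["syn"] and "UID" in ev and ev.get("IN") == "":
            flows[(ev["UID"], ev["DST"], ev["DPT"])][ev["SPT"]] += 1
    return [{"uid": uid, "dst": dst, "dpt": int(dpt), "attempts": len(spts),
             "retransmits": sum(n - 1 for n in spts.values()),  # repeated SYNs per port
             "commands": sorted(owners.get(uid, ()))}
            for (uid, dst, dpt), spts in sorted(flows.items())]

if __name__ == "__main__":
    print(*attribute(DMESG, PS), sep="\n")
```

Repeated SYNs from one source port with no further traffic are retransmissions of a connection attempt that was never answered, which is the pattern in the quoted log.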