[plug] ip_conntrack suspicious connection

Bob Linus bob0linus at gmail.com
Tue Jul 26 23:44:43 WST 2005


You didn't specify if 192.168.0.251 is your system's IP or not.

If it is your system's IP, then likely yes, your system has something
in it that isn't normal.  A lot of viruses scan port 80.

Verify that the packet's source address isn't faked and that it is
actually coming from the machine identified as 192.168.0.251.  (It
probably isn't faked, though.)

Also, if you are not running snort, you should install it or a similar
IDS on that machine.  It may identify the packet with known problems.

Sorry, I've had security concerns weighing over me and don't like
posting frequently, but someone should have replied to this easy one.
:)

On 7/23/05, Al Agawa <aaagawa at yahoo.com> wrote:
> Hi!  It's my first time to post here in PLUG.
> 
> I am Al and I'm a new system administrator, but I have
> 3 years' experience with Linux systems.  Most of my
> experience was using its desktop capabilities, but I
> also know about administration.
> 
> I am using Redhat 9.0, Kernel is 2.4.20-8 and iptables
> is v1.2.7a.
> 
> My question, I have these suspicious entries on my
> ip_conntrack file:
> 
> ************************************************
> tcp      6 425766 ESTABLISHED src=192.168.0.251 dst=192.168.0.69 sport=43121 dport=80 [UNREPLIED] src=192.168.0.69 dst=192.168.0.251 sport=80 dport=43121 use=1
> tcp      6 425328 ESTABLISHED src=192.168.0.251 dst=192.168.0.97 sport=34857 dport=80 [UNREPLIED] src=192.168.0.97 dst=192.168.0.251 sport=80 dport=34857 use=1
> tcp      6 425766 ESTABLISHED src=192.168.0.251 dst=192.168.0.70 sport=43121 dport=80 [UNREPLIED] src=192.168.0.70 dst=192.168.0.251 sport=80 dport=43121 use=1
> tcp      6 425328 ESTABLISHED src=192.168.0.251 dst=192.168.0.98 sport=34857 dport=80 [UNREPLIED] src=192.168.0.98 dst=192.168.0.251 sport=80 dport=34857 use=1
> tcp      6 425271 ESTABLISHED src=192.168.0.251 dst=192.168.0.71 sport=43121 dport=80 [UNREPLIED] src=192.168.0.71 dst=192.168.0.251 sport=80 dport=43121 use=1
> tcp      6 424833 ESTABLISHED src=192.168.0.251 dst=192.168.0.99 sport=34857 dport=80 [UNREPLIED] src=192.168.0.99 dst=192.168.0.251 sport=80 dport=34857 use=1
> ****************************************************
> 
> Is my computer hacked?  Or is it a virus on the
> network?
> 
> Thanks.
> 
> Al
> 
> 
> 
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
>
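The entries Al quoted all share one source, one destination port and a source port that is reused across consecutive destination hosts, and every one is marked [UNREPLIED] (conntrack has seen no packet in the reply direction). That one-to-many, unanswered pattern is what Bob's reply is describing, and it can be checked mechanically. The script below is an added example for this thread, not code from either poster: it parses the 2.4-era /proc/net/ip_conntrack line format shown above and reports any source that has unanswered connections outstanding to several distinct hosts on the same port. The sample data is the six entries from the post re-joined onto one line each, plus two constructed benign entries; the threshold of three hosts is an arbitrary assumption.

```python
"""Parse Linux 2.4 /proc/net/ip_conntrack entries and flag sources with
unanswered connections to many hosts on one port (the pattern in the post).

Added example for this thread; not code from the original posters.
"""
import ipaddress
import os
import re
from collections import defaultdict

# Constructed sample: the six entries quoted in the post, re-joined onto one
# line each (the mail client wrapped them), plus two constructed benign
# entries: an SSH session that was answered, and one unreplied attempt that
# touches a single host, so the detector has something to leave alone.
SAMPLE_CONNTRACK = """\
tcp      6 425766 ESTABLISHED src=192.168.0.251 dst=192.168.0.69 sport=43121 dport=80 [UNREPLIED] src=192.168.0.69 dst=192.168.0.251 sport=80 dport=43121 use=1
tcp      6 425328 ESTABLISHED src=192.168.0.251 dst=192.168.0.97 sport=34857 dport=80 [UNREPLIED] src=192.168.0.97 dst=192.168.0.251 sport=80 dport=34857 use=1
tcp      6 425766 ESTABLISHED src=192.168.0.251 dst=192.168.0.70 sport=43121 dport=80 [UNREPLIED] src=192.168.0.70 dst=192.168.0.251 sport=80 dport=43121 use=1
tcp      6 425328 ESTABLISHED src=192.168.0.251 dst=192.168.0.98 sport=34857 dport=80 [UNREPLIED] src=192.168.0.98 dst=192.168.0.251 sport=80 dport=34857 use=1
tcp      6 425271 ESTABLISHED src=192.168.0.251 dst=192.168.0.71 sport=43121 dport=80 [UNREPLIED] src=192.168.0.71 dst=192.168.0.251 sport=80 dport=43121 use=1
tcp      6 424833 ESTABLISHED src=192.168.0.251 dst=192.168.0.99 sport=34857 dport=80 [UNREPLIED] src=192.168.0.99 dst=192.168.0.251 sport=80 dport=34857 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.5 dst=192.168.0.251 sport=51234 dport=22 src=192.168.0.251 dst=192.168.0.5 sport=22 dport=51234 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.0.5 dst=192.168.0.20 sport=40001 dport=80 [UNREPLIED] src=192.168.0.20 dst=192.168.0.5 sport=80 dport=40001 use=1
"""

# One TCP/UDP entry: original tuple, optional [UNREPLIED], reply tuple, use count.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"          # TCP state; absent for udp
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+"
    r"(?P<unreplied>\[UNREPLIED\]\s+)?"    # no packet seen in the reply direction
    r"src=(?P<rsrc>\S+)\s+dst=(?P<rdst>\S+)\s+sport=(?P<rsport>\d+)\s+dport=(?P<rdport>\d+)"
    r"(?:\s+\[ASSURED\])?\s+use=(?P<use>\d+)"
)


def parse_conntrack(text):
    """Return one dict per parsable entry; lines in other formats (icmp) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("protonum", "timeout", "sport", "dport", "rsport", "rdport", "use"):
            d[k] = int(d[k])
        d["unreplied"] = d["unreplied"] is not None
        entries.append(d)
    return entries


def find_scanners(entries, min_targets=3):
    """Group unreplied entries by (src, dport) and report sources that have
    unanswered connections outstanding to at least min_targets distinct hosts.
    The set of source ports is reported too: a browser uses a fresh ephemeral
    port per connection, so one port reused across many hosts is worth noting."""
    targets = defaultdict(set)
    sports = defaultdict(set)
    for e in entries:
        if not e["unreplied"]:
            continue                      # answered connections are not of interest here
        key = (e["src"], e["dport"])
        targets[key].add(e["dst"])
        sports[key].add(e["sport"])
    report = {}
    for key, dsts in targets.items():
        if len(dsts) >= min_targets:
            report[key] = {
                "targets": sorted(dsts, key=ipaddress.ip_address),
                "source_ports": sorted(sports[key]),
            }
    return report


if __name__ == "__main__":
    path = "/proc/net/ip_conntrack"       # readable by root on a 2.4 kernel
    if os.access(path, os.R_OK):
        with open(path) as f:
            text = f.read()
    else:
        text = SAMPLE_CONNTRACK           # fall back to the constructed sample
    for (src, dport), info in find_scanners(parse_conntrack(text)).items():
        print(f"{src}: unanswered connections to {len(info['targets'])} hosts "
              f"on port {dport}; source ports used: {info['source_ports']}")
        print("  targets:", ", ".join(info["targets"]))
```

Run against the sample, it reports 192.168.0.251 with six unanswered targets on port 80 from only two source ports, and stays quiet about the answered SSH session and the single unreplied attempt from 192.168.0.5. Run on the host itself, it reads the live table; whether the flagged source is the box itself or a neighbour is exactly the distinction Bob's reply asks about, and the IDS he suggests would be the next thing to look at.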
