ohaleck n00b
Joined: 26 Mar 2003 Posts: 46 Location: Krakow, Poland
|
Posted: Mon Jul 26, 2004 8:45 pm Post subject: Strange packets on my network |
|
|
I've been detecting strange packets on my network. I run tcpdump on the local interface of my Gentoo machine (router, apache etc.) and it displays packets sent from 127.0.0.1 port 80 to random local addresses:
Code: | 22:21:34.620425 127.0.0.1.80 > 192.168.75.252.1102: R 0:0(0) ack 741670913 win 0
22:21:34.626941 127.0.0.1.80 > 192.168.28.68.1862: R 0:0(0) ack 456458241 win 0
22:21:34.640833 127.0.0.1.80 > 192.168.140.252.1938: R 0:0(0) ack 1376256001 win 0
22:21:34.647035 127.0.0.1.80 > 192.168.97.234.1794: R 0:0(0) ack 1767047169 win 0
22:21:34.660576 127.0.0.1.80 > 192.168.205.125.1773: R 0:0(0) ack 2010906625 win 0
22:21:34.667069 127.0.0.1.80 > 192.168.162.106.1629: R 0:0(0) ack 254214145 win 0
22:21:34.680694 127.0.0.1.80 > 192.168.16.125.1609: R 0:0(0) ack 498008065 win 0
22:21:34.687150 127.0.0.1.80 > 192.168.228.106.1465: R 0:0(0) ack 888799233 win 0
22:21:34.700734 127.0.0.1.80 > 192.168.81.252.1444: R 0:0(0) ack 1132658689 win 0
22:21:34.707212 127.0.0.1.80 > 192.168.38.233.1300: R 0:0(0) ack 1523449857 win 0
22:21:34.720835 127.0.0.1.80 > 192.168.146.124.1279: R 0:0(0) ack 1767243777 win 0
22:21:34.727262 127.0.0.1.80 > 192.168.103.233.1904: R 0:0(0) ack 10551297 win 0
22:21:34.741151 127.0.0.1.80 > 192.168.212.124.1115: R 0:0(0) ack 254410753 win 0
22:21:34.747331 127.0.0.1.80 > 192.168.169.105.1739: R 0:0(0) ack 645201921 win 0
22:21:34.760967 127.0.0.1.80 > 192.168.22.251.1950: R 0:0(0) ack 888995841 win 0
22:21:34.767401 127.0.0.1.80 > 192.168.234.105.1575: R 0:0(0) ack 1279787009 win 0
22:21:34.781016 127.0.0.1.80 > 192.168.87.251.1786: R 0:0(0) ack 1523646465 win 0
22:21:34.787452 127.0.0.1.80 > 192.168.44.233.1410: R 0:0(0) ack 1914437633 win 0
22:21:34.800987 127.0.0.1.80 > 192.168.152.123.1621: R 0:0(0) ack 10747905 win 0
22:21:34.807522 127.0.0.1.80 > 192.168.109.233.1245: R 0:0(0) ack 401539073 win 0
22:21:34.821066 127.0.0.1.80 > 192.168.218.124.1225: R 0:0(0) ack 645398529 win 0
22:21:34.827575 127.0.0.1.80 > 192.168.175.105.1081: R 0:0(0) ack 1036189697 win 0
22:21:34.841654 127.0.0.1.80 > 192.168.28.251.1060: R 0:0(0) ack 1279983617 win 0
22:21:34.847657 127.0.0.1.80 > 192.168.240.232.1916: R 0:0(0) ack 1670774785 win 0
22:21:34.861175 127.0.0.1.80 > 192.168.93.251.1895: R 0:0(0) ack 1914634241 win 0
22:21:34.867701 127.0.0.1.80 > 192.168.50.232.1752: R 0:0(0) ack 157941761 win 0
22:21:34.881373 127.0.0.1.80 > 192.168.159.123.1731: R 0:0(0) ack 401735681 win 0
22:21:34.887766 127.0.0.1.80 > 192.168.116.104.1587: R 0:0(0) ack 792526849 win 0
22:21:34.901302 127.0.0.1.80 > 192.168.224.250.1566: R 0:0(0) ack 1036386305 win 0
22:21:34.907847 127.0.0.1.80 > 192.168.181.104.1423: R 0:0(0) ack 1427177473 win 0
22:21:34.921427 127.0.0.1.80 > 192.168.34.250.1402: R 0:0(0) ack 1670971393 win 0
22:21:34.927903 127.0.0.1.80 > 192.168.246.231.1026: R 0:0(0) ack 2061762561 win 0
|
There are no addresses on my network like the destinations of the packets, nor are there any networks like 192.168.245.0.
netstat -l gives me only one line with source port 80:
Code: | tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN |
Any idea what could cause this strange behavior? Is there some way to check which process binds to port 80? I thought packets cannot be routed from 127.0.0.1 to other networks. Am I wrong?
Thanks for any help
O. |
|
ohaleck n00b
Joined: 26 Mar 2003 Posts: 46 Location: Krakow, Poland
|
Posted: Mon Jul 26, 2004 8:56 pm Post subject: |
|
|
I have just checked that, despite what tcpdump shows, ifconfig and iptraf show absolutely no activity on the lo interface.
Could this be another virus sending packets with fake source IPs through the gateway?
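
Added example, not part of the original thread: a Python sketch that parses tcpdump lines in the format quoted in the first post and picks out packets with a loopback source address and a non-loopback destination, then summarizes their flags, source ports and destination /24 networks. The function names are hypothetical; the sample holds three lines from the post's capture plus one constructed line.

```python
import ipaddress
import re
from collections import Counter

# Legacy tcpdump text format as quoted in the post:
#   time src.sport > dst.dport: FLAGS seq ack N win N
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRWE.]+) "
)

# Three lines copied from the capture in the post, plus one constructed
# line (the last) showing ordinary traffic that must not be flagged.
SAMPLE = """\
22:21:34.620425 127.0.0.1.80 > 192.168.75.252.1102: R 0:0(0) ack 741670913 win 0
22:21:34.626941 127.0.0.1.80 > 192.168.28.68.1862: R 0:0(0) ack 456458241 win 0
22:21:34.640833 127.0.0.1.80 > 192.168.140.252.1938: R 0:0(0) ack 1376256001 win 0
22:21:35.000000 192.168.1.10.3321 > 192.168.1.1.80: S 100:100(0) win 5840
"""

def parse(line):
    """Return a dict of fields for one tcpdump line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    return d

def loopback_martians(text):
    """Packets with a loopback source and a non-loopback destination."""
    pkts = filter(None, map(parse, text.splitlines()))
    return [p for p in pkts if p["src"].is_loopback and not p["dst"].is_loopback]

def summarize(text):
    hits = loopback_martians(text)
    nets = {ipaddress.ip_network(f"{p['dst']}/24", strict=False) for p in hits}
    return {
        "count": len(hits),
        "flags": Counter(p["flags"] for p in hits),
        "src_ports": Counter(int(p["sport"]) for p in hits),
        "dst_subnets": sorted(str(n) for n in nets),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```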