| 1 |
Yesterday SNORT got messages of this kind : |
| 2 |
BAD-TRAFFIC same SRC/DST [Classification: Potentially Bad Traffic]. |
| 3 |
|
| 4 |
It's about communication where source and target are the same IP. |
| 5 |
|
| 6 |
There's weird communication between ports on private server IP |
| 7 |
(192.168.1.1): |
| 8 |
192.168.1.1:3306(mysql) -> 192.168.1.1:62321 |
| 9 |
192.168.1.1:62321(mysql) -> 192.168.1.1:3306 |
| 10 |
192.168.1.1:3306(mysql) -> 192.168.1.1:62322 |
| 11 |
192.168.1.1:62322(mysql) -> 192.168.1.1:3306 |
| 12 |
and so on... |
| 13 |
|
| 14 |
The same is with public IP: |
| 15 |
123.45.67.8:80 -> 123.45.67.8:34124 |
| 16 |
123.45.67.8:34124 -> 123.45.67.8:80 |
| 17 |
|
| 18 |
MySQL daemon is stopped. |
| 19 |
Apache daemon is running bound on both interfaces. |
| 20 |
|
| 21 |
In log there is trace (made by SNORT) of this every 5 minutes. |
| 22 |
|
| 23 |
Tried chkrootkit -- no help. |
| 24 |
|
| 25 |
Here is output of `tcpdump -nei lo dst host 192.168.1.1` |
| 26 |
|
| 27 |
09:30:02.752314 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 |
| 28 |
(0x0800), length 75: IP 192.168.1.1.3306 > 192.168.1.1.47408: P |
| 29 |
4422:4431(9) ack 2482 win 8192 nop,nop,timestamp 83528538 83528538. |
| 30 |
|
| 31 |
Here is output of `netstat -atp` |
| 32 |
|
| 33 |
tcp 0 0 *:imaps *:* LISTEN |
| 34 |
|
| 35 |
tcp 0 0 192.168.1.1:mysql *:* LISTEN |
| 36 |
|
| 37 |
tcp 0 0 *:http *:* LISTEN |
| 38 |
|
| 39 |
tcp 0 0 *:ftp *:* LISTEN |
| 40 |
|
| 41 |
|
| 42 |
tcp 0 0 *:smtp *:* LISTEN |
| 43 |
|
| 44 |
tcp 0 0 *:https *:* LISTEN |
| 45 |
|
| 46 |
I tried restart mysqld many times. |
| 47 |
|
| 48 |
Server was not shutdown correctly due to power failure. |
| 49 |
|
| 50 |
Thanks for any help to resolve this problem. |
| 51 |
-- |
| 52 |
gentoo-server@g.o mailing list |
Archives