Re: nmap Xmas scans and unrecognized outcoming connections

[Maximilian Wilhelm <max@rfc2324.org>]

Am Friday, den  7 December hub Martín Peluso folgendes in die Tasten:

Hi!

> Two days ago one of my machines started to receive several nmap Xmas 
> scans from 73.23.32.79. Later, in another machine which is running under 
> Debian etch, Firestarter showed me four outcoming connections to the 
> same ip address with destination ports 80, 44285, 41182 and 43275. Those 
> connections are not used by any client application and they are not 
> recognized by netstat. In addition, the target ip address (a comcast 
> range address) don't seem to be giving http access, and it have all of 
> its ports filtered.
> I don't know how to proceed in order to determine what application is 
> using those connections or what are they used for. They are still active 
> since two days ago.
> Any suggestion?

You should check the md5sum of netstat if it's still the one you would
expect it to be. The same might be interesting for things like ls,
lsof and such.

If you have a machine with two NICs you could setup a bridge and place
it between the machine in question and its switchport and fireup
wireshark to have a look whats going on.

Ciao
Max
-- 
	Follow the white penguin.