Re: question concerning tcpdump



On 10 May, 21:40, ibupro...@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:

>> I ran tcpdump for about 10 hours and wrote all traffic from this host
>> to a file, using:
>> tcpdump -n -vv -w ~/tcpdump.txt -C 10 ip src host adress

>> 19:35:30.510098 IP xxxxxxx.32786 > xxxxxxxx.smpppd: S
>> 555971953:555971953(0) win 5840 <mss
>> 1460,sackOK,timestamp 15510435 0,nop,wscale 2>

> Hello SuSE - "smpppd" is SuSE Meta PPPD - one of their "improvements"

>> Is the "win 5840" a sign for TCP?

> Yes, as is the "S" (SYN) flag. UDP doesn't use either one.
So it's TCP.



>> We don't have a modem or ISDN card on this box.

> You can _try_ using 'sbin/chkconfig' (see the man page) to prevent the
> service from starting.
First I grepped /etc with grep -r smppp.
smpppd seemed to be invoked by /etc/init.d/isdn.
chkconfig said off for smpppd, but on for isdn.
I did chkconfig isdn off, because we don't need ISDN.


> What's the problem, or is this a continuation of the strange IPs
> question?
Yes and no.
This is one of these machines.
I tcpdumped the whole traffic for the second night.
I have to say that I like tcpdump. It's powerful and good for
debugging.
The problem here is, besides the one mentioned concerning the logins,
that our Apache on this box stopped logging, for me without any clear
reason.
I don't like things like that. I posted this on
http://groups.google.de/group/comp.infosystems.www.servers.unix/browse_thread/thread/3a39ff108e70f1eb?hl=de
but did not get any answer.
I'm always concerned about being hacked. If I have the impression, I
always get nervous, and because of missing knowledge, sometimes don't
know exactly what to do.
I already had a posting here in November 2006 about apprehensions
concerning that. You were also involved that time.
Thanks again.
Concerning the foreign IPs, I gave up a bit. I don't know what else
to do, and I think it's just a bug.
I got these foreign IPs with a cut-off network cable, so there can't
be an intrusion.

Do you have an idea why Apache stops logging?

young guy ;-)
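As an added example (not part of this thread), the following Python parses lines in the classic tcpdump output format quoted above and reports whether a line is TCP, which flags are set, the window size and the options, which is exactly the "win"/"S" distinction Moe Trin points to. The sample lines are constructed: the SYN line copies the one from the post (hosts obscured as there) and the UDP line is invented for contrast.

```python
import re

# Constructed sample lines in the classic tcpdump output format quoted in the
# thread: SYN_LINE is the SYN from the post (hosts obscured as there),
# UDP_LINE is made up for contrast and is not from the thread.
SYN_LINE = ("19:35:30.510098 IP xxxxxxx.32786 > xxxxxxxx.smpppd: S "
            "555971953:555971953(0) win 5840 "
            "<mss 1460,sackOK,timestamp 15510435 0,nop,wscale 2>")
UDP_LINE = "19:35:31.000123 IP xxxxxxx.32787 > xxxxxxxx.domain: UDP, length 45"

# Old-style TCP line: flag letters, optional seq range, optional ack, "win N",
# optional <options>. Flag letters and "win" are TCP-only, as the reply says.
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRPUWE.]+) "
    r"(?:(?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?"
    r"win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?")
UDP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): UDP, length (?P<len>\d+)")
# "." in the old format means none of SYN/FIN/RST/PSH/URG, i.e. a plain ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG",
              "W": "CWR", "E": "ECE", ".": "ACK"}

def split_endpoint(ep):
    """'host.port' -> (host, port); port may be a number or a service name."""
    host, _, port = ep.rpartition(".")
    return host, port

def parse_line(line):
    """Classify one tcpdump line and return its protocol-specific fields."""
    m = TCP_RE.match(line)
    if m:
        opts = {}
        for opt in filter(None, (m.group("opts") or "").split(",")):
            name, _, val = opt.strip().partition(" ")
            opts[name] = val or None          # mss -> "1460", nop -> None
        return {"proto": "tcp", "src": split_endpoint(m.group("src")),
                "dst": split_endpoint(m.group("dst")),
                "flags": [FLAG_NAMES[c] for c in m.group("flags")],
                "win": int(m.group("win")),
                "payload_len": int(m.group("len") or 0), "options": opts}
    m = UDP_RE.match(line)
    if m:
        return {"proto": "udp", "src": split_endpoint(m.group("src")),
                "dst": split_endpoint(m.group("dst")),
                "payload_len": int(m.group("len"))}
    return {"proto": "unknown", "raw": line}
```

Feeding it the post's SYN line yields proto "tcp", flags ["SYN"], win 5840 and the parsed MSS/wscale options, while the UDP line yields no flags and no window at all.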

