Re: How do I snoop unauthorised traffic



On Tue, 12 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <1462842.YJ72qOBedK@xxxxxxxxxxxxxxx>, Peter Lowrie wrote:

> One of the Windows 2000 boxes is sending data out of the network to some host
> on the internet.

1. Disconnect the windoze box
2. Ask the luser running it WTF they are doing.

> My gateway is Mandrake Linux 8.2

That's over four years old. Why are you running such an ancient UNSUPPORTED
release on the Internet? OK - saw your other post - you shouldn't have a
problem booting with anything current. What happens when you try? Does the
computer catch on fire or something? The packet errors you are reporting
suggest a problem with the NIC - possibly an interrupt being blocked by
some other process. As for the "slow" port 110, use tcpdump to see what
traffic is occurring. Is the POP server trying to Ident you (trying a
connect to your port 113)?

> running straight iptables.

OK, but the rules don't make much sense to me.

> I've tried tcpdump against the internet facing NIC but the data
> are inconclusive.

What is that supposed to mean? Is the stuff encrypted (like SSH traffic)?
Or is it that you merely don't understand IP and TCP headers?

> How do I determine what traffic is leaving the network

Disconnect the stupid windoze box, and ask the luser to explain. If they
can't, talk to your legal types, and remove the luser. Then make a copy
of the hard disk, and take the copy to a windoze expert.

> and determine what host it is being sent to

What is the source/destination IP address? If you are masquerading, run
tcpdump on the inside NIC, rather than the Internet side. You'd also want
to record what port numbers are being used on the source and destination
sides.

> then what string do I use in the /etc/sysconfig/iptables file to block it?

708351 Nov 14 2005 IP-Masquerade-HOWTO
17605 Jul 21 2004 Masquerading-Simple-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO

but the better solution is to find out what is running on the windoze box
and fix that.

Old guy
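The procedure the reply describes (run tcpdump on the inside NIC, note source and destination addresses and ports, then write a FORWARD rule for the masquerading gateway) as an added worked example; this is not code from the original post or from either poster. It assumes the inside NIC is eth1, the LAN is 192.168.1.0/24 and the Windows 2000 box is 192.168.1.23; the tcpdump lines are constructed for the example and use the line format of current tcpdump (`-n`, "Flags [...]", "length N"), which is newer than what the tcpdump shipped with Mandrake 8.2 prints. The script aggregates LAN-to-outside flows from the capture text, picks the flow carrying the most payload, and emits the two rule lines (LOG, then DROP) that would go into /etc/sysconfig/iptables.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what `tcpdump -n -i eth1 host 192.168.1.23` prints on the
# inside NIC (modern tcpdump format). Not a real capture: the hosts, ports and
# payload sizes are invented for the example.
SAMPLE_TCPDUMP = """\
10:41:02.118233 IP 192.168.1.23.1034 > 203.0.113.5.6667: Flags [P.], seq 1:52, ack 1, win 64240, length 51
10:41:02.201877 IP 203.0.113.5.6667 > 192.168.1.23.1034: Flags [.], ack 52, win 5840, length 0
10:41:02.533109 IP 192.168.1.23.1034 > 203.0.113.5.6667: Flags [P.], seq 52:1500, ack 1, win 64240, length 1448
10:41:03.001200 IP 192.168.1.23.1035 > 192.168.1.1.53: 4711+ A? mail.example.net. (34)
10:41:03.120044 IP 192.168.1.23.1036 > 198.51.100.9.110: Flags [S], seq 11111, win 64240, options [mss 1460], length 0
10:41:04.019388 IP 192.168.1.23.1034 > 203.0.113.5.6667: Flags [P.], seq 1500:2948, ack 1, win 64240, length 1448
"""

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
TCP_LEN_RE = re.compile(r"length (\d+)$")   # TCP lines end with "length N"
UDP_LEN_RE = re.compile(r"\((\d+)\)$")      # UDP/DNS lines end with "(N)"


def parse_line(line):
    """Return (src, sport, dst, dport, proto, payload_len) or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    # Heuristic: tcpdump prints "Flags [...]" only for TCP segments.
    if rest.startswith("Flags ["):
        proto, lm = "tcp", TCP_LEN_RE.search(rest)
    else:
        proto, lm = "udp", UDP_LEN_RE.search(rest)
    length = int(lm.group(1)) if lm else 0
    return (m.group("src"), int(m.group("sport")), m.group("dst"),
            int(m.group("dport")), proto, length)


def outbound_flows(capture_text, lan_cidr):
    """Aggregate packets and payload bytes per (src, dst, proto, dport) for LAN -> non-LAN traffic.

    Replies coming back in and LAN-internal traffic (e.g. DNS to the gateway) are ignored,
    so what remains is exactly "what is leaving the network, and to where".
    """
    lan = ipaddress.ip_network(lan_cidr)
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, _sport, dst, dport, proto, length = rec
        if ipaddress.ip_address(src) in lan and ipaddress.ip_address(dst) not in lan:
            f = flows[(src, dst, proto, dport)]
            f["packets"] += 1
            f["bytes"] += length
    return dict(flows)


def top_flow(flows):
    """The (src, dst, proto, dport) that carried the most payload bytes out."""
    return max(flows.items(), key=lambda kv: kv[1]["bytes"])[0]


def block_rules(src, dst, proto, dport, log_prefix="WINBOX-OUT "):
    """iptables-save style lines for the filter table's FORWARD chain: log it, then drop it.

    FORWARD, not OUTPUT: masqueraded traffic from the LAN is forwarded through the
    gateway; OUTPUT only sees packets the gateway itself originates.
    """
    base = f"-A FORWARD -s {src} -d {dst} -p {proto} --dport {dport}"
    return [f'{base} -j LOG --log-prefix "{log_prefix}"', f"{base} -j DROP"]


if __name__ == "__main__":
    flows = outbound_flows(SAMPLE_TCPDUMP, "192.168.1.0/24")
    for key, stats in sorted(flows.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{key[0]} -> {key[1]} {key[2]}/{key[3]}: {stats['packets']} pkts, {stats['bytes']} bytes")
    print("\n".join(block_rules(*top_flow(flows))))
```

The two rule lines belong in the `*filter` section of /etc/sysconfig/iptables ahead of whatever rule currently ACCEPTs forwarded LAN traffic, otherwise they never match; the LOG line is there so the gateway's syslog shows whether the box keeps trying after the drop. As the reply says, this only contains the symptom: the fix is on the Windows box.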