  1. #1
    Just Joined!
    Join Date
    Nov 2009
    Posts
    1

    Strange Requests On Fedora Server


    Hi Everybody,

    This is my first post here so please let me know if I do anything wrong or post in wrong place etc :]

    Anyways, I have a Fedora server [Fedora 8 I think] and once per week [it's random days but usually Monday or Tuesday] it makes some very strange requests to what appear to be search engines. My concern is that this box is fully firewalled both at the router and by way of IPTables so NOTHING should be getting in from the outside world. However, something is happening that I'm not happy about, I just can't seem to find it though.

    I see quite a few requests from addresses like 72.30.186.25, 78.33.33.80, 209.202.254.14

    Has anybody come across this before?

    If not, what's the best way of finding out which process this is coming from?

    Here's a copy of the logwatch report from yesterday:


    --------------------- iptables firewall Begin ------------------------

    Dropped 203 packets on interface eth0
    From 0.0.0.0 - 11 packets
    To 255.255.255.255 - 11 packets
    Service: bootps [udp/67] [Dropwall:] - 11 packets
    From 72.30.186.25 - 1 packet
    To 192.168.0.2 - 1 packet
    Service: 50801 [tcp/50801] [Dropwall:] - 1 packet
    From 78.33.33.80 - 66 packets
    To 192.168.0.2 - 66 packets
    Service: 35582 [tcp/35582] [Dropwall:] - 1 packet
    Service: 35699 [tcp/35699] [Dropwall:] - 1 packet
    Service: 35725 [tcp/35725] [Dropwall:] - 1 packet
    Service: 35738 [tcp/35738] [Dropwall:] - 1 packet
    Service: 36303 [tcp/36303] [Dropwall:] - 1 packet
    Service: 36328 [tcp/36328] [Dropwall:] - 1 packet
    Service: 36339 [tcp/36339] [Dropwall:] - 1 packet
    Service: 36348 [tcp/36348] [Dropwall:] - 1 packet
    Service: 36379 [tcp/36379] [Dropwall:] - 1 packet
    Service: 36394 [tcp/36394] [Dropwall:] - 1 packet
    Service: 37739 [tcp/37739] [Dropwall:] - 1 packet
    Service: 37750 [tcp/37750] [Dropwall:] - 1 packet
    Service: 38311 [tcp/38311] [Dropwall:] - 1 packet
    Service: 39509 [tcp/39509] [Dropwall:] - 1 packet
    Service: 40781 [tcp/40781] [Dropwall:] - 1 packet
    Service: 41202 [tcp/41202] [Dropwall:] - 1 packet
    Service: 41333 [tcp/41333] [Dropwall:] - 1 packet
    Service: 41344 [tcp/41344] [Dropwall:] - 1 packet
    Service: 41959 [tcp/41959] [Dropwall:] - 1 packet
    Service: 42543 [tcp/42543] [Dropwall:] - 1 packet
    Service: 42596 [tcp/42596] [Dropwall:] - 1 packet
    Service: 43607 [tcp/43607] [Dropwall:] - 1 packet
    Service: 43616 [tcp/43616] [Dropwall:] - 1 packet
    Service: 44095 [tcp/44095] [Dropwall:] - 1 packet
    Service: 45173 [tcp/45173] [Dropwall:] - 1 packet
    Service: 45186 [tcp/45186] [Dropwall:] - 1 packet
    Service: 45199 [tcp/45199] [Dropwall:] - 1 packet
    Service: 45621 [tcp/45621] [Dropwall:] - 1 packet
    Service: 46362 [tcp/46362] [Dropwall:] - 1 packet
    Service: 46472 [tcp/46472] [Dropwall:] - 1 packet
    Service: 47334 [tcp/47334] [Dropwall:] - 1 packet
    Service: 47503 [tcp/47503] [Dropwall:] - 1 packet
    Service: 48562 [tcp/48562] [Dropwall:] - 1 packet
    Service: 48571 [tcp/48571] [Dropwall:] - 1 packet
    Service: 48580 [tcp/48580] [Dropwall:] - 1 packet
    Service: 49525 [tcp/49525] [Dropwall:] - 1 packet
    Service: 49534 [tcp/49534] [Dropwall:] - 1 packet
    Service: 49543 [tcp/49543] [Dropwall:] - 1 packet
    Service: 49824 [tcp/49824] [Dropwall:] - 1 packet
    Service: 49837 [tcp/49837] [Dropwall:] - 1 packet
    Service: 50194 [tcp/50194] [Dropwall:] - 1 packet
    Service: 50205 [tcp/50205] [Dropwall:] - 1 packet
    Service: 50214 [tcp/50214] [Dropwall:] - 1 packet
    Service: 50495 [tcp/50495] [Dropwall:] - 1 packet
    Service: 51165 [tcp/51165] [Dropwall:] - 1 packet
    Service: 51174 [tcp/51174] [Dropwall:] - 1 packet
    Service: 51277 [tcp/51277] [Dropwall:] - 1 packet
    Service: 51286 [tcp/51286] [Dropwall:] - 1 packet
    Service: 52340 [tcp/52340] [Dropwall:] - 1 packet
    Service: 52351 [tcp/52351] [Dropwall:] - 1 packet
    Service: 52654 [tcp/52654] [Dropwall:] - 1 packet
    Service: 53248 [tcp/53248] [Dropwall:] - 1 packet
    Service: 53257 [tcp/53257] [Dropwall:] - 1 packet
    Service: 53266 [tcp/53266] [Dropwall:] - 1 packet
    Service: 53455 [tcp/53455] [Dropwall:] - 1 packet
    Service: 53784 [tcp/53784] [Dropwall:] - 1 packet
    Service: 54812 [tcp/54812] [Dropwall:] - 1 packet
    Service: 55131 [tcp/55131] [Dropwall:] - 1 packet
    Service: 58342 [tcp/58342] [Dropwall:] - 1 packet
    Service: 58351 [tcp/58351] [Dropwall:] - 1 packet
    Service: 58389 [tcp/58389] [Dropwall:] - 1 packet
    Service: 58711 [tcp/58711] [Dropwall:] - 1 packet
    Service: 60859 [tcp/60859] [Dropwall:] - 1 packet
    Service: 60870 [tcp/60870] [Dropwall:] - 1 packet
    Service: 60879 [tcp/60879] [Dropwall:] - 1 packet
    Service: 60935 [tcp/60935] [Dropwall:] - 1 packet
    From 192.168.0.1 - 15 packets
    To 255.255.255.255 - 15 packets
    Service: bootpc [udp/68] [Dropwall:] - 15 packets
    From 192.168.0.11 - 8 packets
    To 255.255.255.255 - 8 packets
    Service: bootps [udp/67] [Dropwall:] - 8 packets
    From 192.168.0.21 - 4 packets
    To 255.255.255.255 - 4 packets
    Service: bootps [udp/67] [Dropwall:] - 4 packets
    From 192.168.0.123 - 5 packets
    To 224.0.0.251 - 5 packets
    Service: mdns [udp/5353] [Dropwall:] - 5 packets
    From 209.202.254.14 - 93 packets
    To 192.168.0.2 - 93 packets
    Service: 33497 [tcp/33497] [Dropwall:] - 1 packet
    Service: 33498 [tcp/33498] [Dropwall:] - 1 packet
    Service: 33544 [tcp/33544] [Dropwall:] - 1 packet
    Service: 33554 [tcp/33554] [Dropwall:] - 1 packet
    Service: 34457 [tcp/34457] [Dropwall:] - 1 packet
    Service: 34625 [tcp/34625] [Dropwall:] - 1 packet
    Service: 34636 [tcp/34636] [Dropwall:] - 1 packet
    Service: 34637 [tcp/34637] [Dropwall:] - 1 packet
    Service: 34759 [tcp/34759] [Dropwall:] - 1 packet
    Service: 34768 [tcp/34768] [Dropwall:] - 1 packet
    Service: 34871 [tcp/34871] [Dropwall:] - 1 packet
    Service: 34872 [tcp/34872] [Dropwall:] - 1 packet
    Service: 34897 [tcp/34897] [Dropwall:] - 1 packet
    Service: 34906 [tcp/34906] [Dropwall:] - 1 packet
    Service: 35444 [tcp/35444] [Dropwall:] - 1 packet
    Service: 35445 [tcp/35445] [Dropwall:] - 1 packet
    Service: 36131 [tcp/36131] [Dropwall:] - 1 packet
    Service: 36142 [tcp/36142] [Dropwall:] - 1 packet
    Service: 36143 [tcp/36143] [Dropwall:] - 1 packet
    Service: 36151 [tcp/36151] [Dropwall:] - 1 packet
    Service: 37180 [tcp/37180] [Dropwall:] - 1 packet
    Service: 37181 [tcp/37181] [Dropwall:] - 1 packet
    Service: 37189 [tcp/37189] [Dropwall:] - 1 packet
    Service: 38344 [tcp/38344] [Dropwall:] - 1 packet
    Service: 38355 [tcp/38355] [Dropwall:] - 1 packet
    Service: 38356 [tcp/38356] [Dropwall:] - 1 packet
    Service: 39442 [tcp/39442] [Dropwall:] - 1 packet
    Service: 39451 [tcp/39451] [Dropwall:] - 1 packet
    Service: 39452 [tcp/39452] [Dropwall:] - 1 packet
    Service: 40341 [tcp/40341] [Dropwall:] - 1 packet
    Service: 40352 [tcp/40352] [Dropwall:] - 1 packet
    Service: 40355 [tcp/40355] [Dropwall:] - 1 packet
    Service: 40363 [tcp/40363] [Dropwall:] - 1 packet
    Service: 40475 [tcp/40475] [Dropwall:] - 1 packet
    Service: 40485 [tcp/40485] [Dropwall:] - 1 packet
    Service: 40493 [tcp/40493] [Dropwall:] - 1 packet
    Service: 40572 [tcp/40572] [Dropwall:] - 1 packet
    Service: 40584 [tcp/40584] [Dropwall:] - 1 packet
    Service: 40627 [tcp/40627] [Dropwall:] - 1 packet
    Service: 40636 [tcp/40636] [Dropwall:] - 1 packet
    Service: 41106 [tcp/41106] [Dropwall:] - 1 packet
    Service: 41230 [tcp/41230] [Dropwall:] - 1 packet
    Service: 42512 [tcp/42512] [Dropwall:] - 1 packet
    Service: 44544 [tcp/44544] [Dropwall:] - 1 packet
    Service: 45470 [tcp/45470] [Dropwall:] - 1 packet
    Service: 45500 [tcp/45500] [Dropwall:] - 1 packet
    Service: 45511 [tcp/45511] [Dropwall:] - 1 packet
    Service: 46959 [tcp/46959] [Dropwall:] - 1 packet
    Service: 46960 [tcp/46960] [Dropwall:] - 1 packet
    Service: 48285 [tcp/48285] [Dropwall:] - 1 packet
    Service: 48295 [tcp/48295] [Dropwall:] - 1 packet
    Service: 49025 [tcp/49025] [Dropwall:] - 1 packet
    Service: 49026 [tcp/49026] [Dropwall:] - 1 packet
    Service: 49835 [tcp/49835] [Dropwall:] - 1 packet
    Service: 49846 [tcp/49846] [Dropwall:] - 1 packet
    Service: 49983 [tcp/49983] [Dropwall:] - 1 packet
    Service: 50001 [tcp/50001] [Dropwall:] - 1 packet
    Service: 50734 [tcp/50734] [Dropwall:] - 1 packet
    Service: 50754 [tcp/50754] [Dropwall:] - 1 packet
    Service: 50766 [tcp/50766] [Dropwall:] - 1 packet
    Service: 50767 [tcp/50767] [Dropwall:] - 1 packet
    Service: 51015 [tcp/51015] [Dropwall:] - 1 packet
    Service: 51023 [tcp/51023] [Dropwall:] - 1 packet
    Service: 51676 [tcp/51676] [Dropwall:] - 1 packet
    Service: 52390 [tcp/52390] [Dropwall:] - 1 packet
    Service: 52413 [tcp/52413] [Dropwall:] - 1 packet
    Service: 52425 [tcp/52425] [Dropwall:] - 1 packet
    Service: 53709 [tcp/53709] [Dropwall:] - 1 packet
    Service: 53720 [tcp/53720] [Dropwall:] - 1 packet
    Service: 53735 [tcp/53735] [Dropwall:] - 1 packet
    Service: 53736 [tcp/53736] [Dropwall:] - 1 packet
    Service: 54110 [tcp/54110] [Dropwall:] - 1 packet
    Service: 55000 [tcp/55000] [Dropwall:] - 1 packet
    Service: 55001 [tcp/55001] [Dropwall:] - 1 packet
    Service: 55009 [tcp/55009] [Dropwall:] - 1 packet
    Service: 55010 [tcp/55010] [Dropwall:] - 1 packet
    Service: 55024 [tcp/55024] [Dropwall:] - 1 packet
    Service: 55025 [tcp/55025] [Dropwall:] - 1 packet
    Service: 55637 [tcp/55637] [Dropwall:] - 1 packet
    Service: 55650 [tcp/55650] [Dropwall:] - 1 packet
    Service: 56544 [tcp/56544] [Dropwall:] - 1 packet
    Service: 56553 [tcp/56553] [Dropwall:] - 1 packet
    Service: 56554 [tcp/56554] [Dropwall:] - 1 packet
    Service: 57576 [tcp/57576] [Dropwall:] - 1 packet
    Service: 57577 [tcp/57577] [Dropwall:] - 1 packet
    Service: 57589 [tcp/57589] [Dropwall:] - 1 packet
    Service: 58177 [tcp/58177] [Dropwall:] - 1 packet
    Service: 58675 [tcp/58675] [Dropwall:] - 1 packet
    Service: 59934 [tcp/59934] [Dropwall:] - 1 packet
    Service: 59935 [tcp/59935] [Dropwall:] - 1 packet
    Service: 59949 [tcp/59949] [Dropwall:] - 1 packet
    Service: 59950 [tcp/59950] [Dropwall:] - 1 packet
    Service: 60297 [tcp/60297] [Dropwall:] - 1 packet

    ---------------------- iptables firewall End -------------------------


    Looking forward to any replies,
    -- Andy

  2. #2
    Linux Engineer RobinVossen
    Join Date
    Aug 2007
    Location
    The Netherlands
    Posts
    1,429
    It looks like a Portscan?
    However those domains are pretty "harmless".

    What kind of server is it?
    I don't suspect a compromise to be honest.
    New Users, please read this..
    Google first, then ask..
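
An added example, not part of the original thread: the logwatch summary above lists only source, destination and destination port, so this sketch reads the raw kernel lines behind it and uses source port and TCP flags to separate inbound connection attempts from late replies to sessions the server itself opened. Assumptions: the raw lines use the standard iptables LOG format with the `Dropwall:` prefix, the ephemeral range is the Linux default of that era (32768-61000), the sample lines and their documentation-range addresses are constructed, and `parse` and `classify` are hypothetical names.

```python
import re
from collections import defaultdict

# Assumed default net.ipv4.ip_local_port_range (32768-61000) for this kernel era.
EPHEMERAL = range(32768, 61001)

# Constructed sample lines in iptables LOG format; not taken from the poster's server.
SAMPLE = """\
Nov 16 03:12:01 srv kernel: Dropwall:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.2 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=35582 WINDOW=0 RES=0x00 RST URGP=0
Nov 16 03:12:09 srv kernel: Dropwall:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.2 LEN=52 TTL=52 ID=4411 DF PROTO=TCP SPT=80 DPT=35699 WINDOW=54 RES=0x00 ACK FIN URGP=0
Nov 16 03:12:30 srv kernel: Dropwall:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.2 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=36303 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 16 04:40:11 srv kernel: Dropwall:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.2 LEN=44 TTL=47 ID=5120 PROTO=TCP SPT=41822 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 16 04:40:11 srv kernel: Dropwall:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.2 LEN=44 TTL=47 ID=5121 PROTO=TCP SPT=41822 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 16 04:40:12 srv kernel: Dropwall:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.2 LEN=44 TTL=47 ID=5122 PROTO=TCP SPT=41823 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAGS = re.compile(r"RES=\S+ ((?:[A-Z]{3} )+)URGP=")  # TCP flag words sit between RES= and URGP=

def parse(line):
    """Return (src, spt, dpt, flags) for a dropped TCP packet, else None."""
    if "Dropwall:" not in line:
        return None
    f = dict(FIELD.findall(line))
    m = FLAGS.search(line)
    if f.get("PROTO") != "TCP" or not m:
        return None
    return f["SRC"], int(f["SPT"]), int(f["DPT"]), frozenset(m.group(1).split())

def classify(log_text):
    """Map each source address to a coarse verdict about its dropped packets."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        by_src[rec[0]].append(rec[1:])
    verdicts = {}
    for src, pkts in by_src.items():
        bare_syn = [p for p in pkts if p[2] == {"SYN"}]       # new connection attempts
        to_ephemeral = all(dpt in EPHEMERAL for _, dpt, _ in pkts)
        few_src_ports = len({spt for spt, _, _ in pkts}) <= 2  # e.g. always port 80
        if len(bare_syn) == len(pkts):
            verdicts[src] = "inbound connection attempts"
        elif not bare_syn and to_ephemeral and few_src_ports:
            verdicts[src] = "late replies to outbound sessions"
        else:
            verdicts[src] = "mixed"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE).items():
        print(src, "->", verdict)
```

A "late replies" verdict means the server opened those connections itself, so the next step is identifying the local process that makes the outbound requests rather than tightening the inbound rules.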
