Suspected compromise. [resolved]

Forum dedicated to the distribution of the same name, which you can download from http://www.contribs.org. The new version of this distribution is called SME Server

Moderator: modos Ixus


Post by fgh30 » 04 Jul 2011 12:38

[edit: resolved. It was a botched clamav update]



Hello,

A question for the security specialists.

A small problem this morning. I'm back from holiday, and I notice that my machine (SME server 7.5.1, purely personal use, in server/gateway configuration) is behaving rather strangely. I'm afraid "they" attacked it while I was away and that "they" succeeded. :cry:

Indeed, every 30 seconds exactly, it opens a connection to an IP that, according to whois, belongs to an address range of a French company specialising in security (well, well?). Only on the external side. On the local side it doesn't do it.

For now I have just blocked the range at the Netgear modem/router/firewall. Despite this block, the SME keeps trying to communicate with that address. On the other hand, no inbound attempts. (Although that would assume "they" use the same IP range to get in :? ).

What can I do to see what's wrong? The logs show nothing special. When I run ps or top I don't see, at first glance :oops:, any suspicious processes... But not being a security specialist, I'd rather turn to you.


Thanks in advance for your help.
Last edited by fgh30 on 04 Jul 2011 18:30, edited 1 time in total.
fgh30
Matelot
Posts: 6
Joined: 04 Jul 2011 12:15

Re: Suspected compromise.

Post by jdh » 04 Jul 2011 15:10

For lack of information ...

Some minimal information to provide:
- process list (ps fax?)
- service list (ls /etc/init.d/ ...?)
- list of listening programs (netstat -l or -a?)
Artificial intelligence is nothing compared to natural stupidity.
jdh
Amiral
Posts: 4741
Joined: 29 Dec 2002 01:00
Location: Nantes

Re: Suspected compromise.

Post by fgh30 » 04 Jul 2011 15:31

Sorry :oops:

ps fax :

PID TTY STAT TIME COMMAND
1 ? S 0:00 init [7]
2 ? S 0:00 [migration/0]
3 ? SN 0:00 [ksoftirqd/0]
4 ? S 0:00 [migration/1]
5 ? SN 0:00 [ksoftirqd/1]
6 ? S< 0:00 [events/0]
7 ? S< 0:00 [events/1]
8 ? S< 0:00 [khelper]
9 ? S< 0:00 [kthread]
10 ? S< 0:00 \_ [kacpid]
30 ? S< 0:00 \_ [kblockd/0]
31 ? S< 0:00 \_ [kblockd/1]
49 ? S 0:00 \_ [pdflush]
50 ? S 0:00 \_ [pdflush]
52 ? S< 0:00 \_ [aio/0]
53 ? S< 0:00 \_ [aio/1]
436 ? S< 0:00 \_ [ata/0]
437 ? S< 0:00 \_ [ata/1]
438 ? S< 0:00 \_ [ata_aux]
1039 ? S< 0:00 \_ [kauditd]
32 ? S 0:00 [khubd]
51 ? S 0:00 [kswapd0]
199 ? S 0:00 [kseriod]
468 ? S 0:00 [md1_raid1]
470 ? S 0:00 [md2_raid1]
475 ? D 0:02 [kjournald]
1140 ? Ss 0:00 udevd
2859 ? S 0:00 [kjournald]
3134 tty2 Ss+ 0:00 /sbin/mingetty tty2
3136 tty3 Ss+ 0:00 /sbin/mingetty tty3
3137 ? Ss 0:00 runsvdir -P /service log: ....................................................................................................................................................
3375 ? Ss 0:00 \_ runsv cvm-unix-local
3515 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/cvm
3517 ? S 0:00 | \_ /usr/bin/cvm-unix cvm-local:/var/lib/cvm/cvm-unix-local.socket
3376 ? Ss 0:00 \_ runsv clamd
3488 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/clamd
4519 ? Sl 0:11 | \_ /usr/sbin/clamd
3403 ? Ss 0:00 \_ runsv wan
3518 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/wan
4231 ? S 0:00 | \_ /usr/bin/perl /var/service/wan/run.static
3404 ? Ss 0:00 \_ runsv dnscache.forwarder
3516 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/dnscache.forwarder
4442 ? S 0:00 | \_ /usr/local/bin/dnscache
3433 ? Ss 0:00 \_ runsv tinydns
3489 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/tinydns
4454 ? S 0:00 | \_ /usr/local/bin/tinydns
3464 ? Ss 0:00 \_ runsv httpd-e-smith
4737 ? Ss 0:04 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10614 ? S 0:01 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10615 ? S 0:02 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10616 ? S 0:01 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10617 ? S 0:01 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10618 ? S 0:01 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10619 ? S 0:00 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10620 ? S 0:00 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10621 ? S 0:00 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10622 ? S 0:01 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
10623 ? S 0:01 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
11049 ? S 0:00 | \_ /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND
3483 ? Ss 0:00 \_ runsv pop3s
3524 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/pop3s
4426 ? S 0:00 | \_ tcpsvd -v -i ./peers -c 40 -C 4:421 per host concurrency limit reached\r\n -l 0 0 pop3s sslio -vv -/ /service/imap/ssl -u stunnel -C imapd.pem /var/qmail/bin/qmail-po
3484 ? Ss 0:00 \_ runsv radiusd
3520 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/radiusd
4774 ? Sl 0:00 | \_ /usr/sbin/radiusd -f
3485 ? Ss 0:00 \_ runsv smbd
3521 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/smbd
4880 ? Ss 0:01 | \_ /usr/sbin/smbd -F
4940 ? S 0:00 | \_ /usr/sbin/smbd -F
3486 ? Ss 0:00 \_ runsv mysqld
3519 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/mysqld
4341 ? Sl 0:04 | \_ /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid
3487 ? Ss 0:00 \_ runsv httpd-admin
3545 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/httpd-admin
4690 ? Ss 0:00 | \_ /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.conf -D FOREGROUND
4898 ? S 0:00 | \_ /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.conf -D FOREGROUND
9216 ? S 0:00 | \_ /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.conf -D FOREGROUND
9223 ? S 0:00 | \_ /usr/sbin/httpd-admin -f /etc/httpd/admin-conf/httpd.conf -D FOREGROUND
3490 ? Ss 0:00 \_ runsv oidentd
3522 ? S 0:00 | \_ multilog t /var/log/oidentd
3491 ? Ss 0:00 \_ runsv imap
3523 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/imap
4381 ? S 0:00 | \_ /usr/bin/tcpsvd -v -i ./peers -c 400 -C 12:421 per host concurrency limit reached\r\n -l 0 0 imap makesock stunnel-tls -/ ssl -s 451 -g 451 -N imap -i -p imapd.pem -n
3492 ? Ss 0:00 \_ runsv ldap
4557 ? Sl 0:00 | \_ /usr/sbin/slapd -4 -u ldap -d 0
3493 ? Ss 0:00 \_ runsv ntpd
3533 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/ntpd
4575 ? SL 0:00 | \_ ntpd -n -l /dev/stdout
3494 ? Ss 0:00 \_ runsv spamd
3534 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/spamd
6764 ? S 0:04 | \_ /usr/bin/perl -T -w /usr/bin/spamd -u spamd --syslog=stderr
6819 ? S 0:00 | \_ spamd child
6820 ? S 0:00 | \_ spamd child
3495 ? Ss 0:00 \_ runsv ulogd
3532 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/iptables
3536 ? S 0:00 | \_ /usr/sbin/ulogd
3496 ? Ss 0:00 \_ runsv pop3
3535 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/pop3
4418 ? S 0:00 | \_ tcpsvd -v -i ./peers -c 40 -C 4:421 per host concurrency limit reached\r\n -l 0 0 pop3 /var/qmail/bin/qmail-popup nomduserveur.nomdudomaine.dyndns.org checkpassword /var/qmail
3497 ? Ss 0:00 \_ runsv qpsmtpd
3530 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/qpsmtpd
4682 ? S 0:00 | \_ /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 25 -c 40 -m 5
3498 ? Ss 0:00 \_ runsv pptpd
3548 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/pptpd
3499 ? Ss 0:00 \_ runsv freshclam
3531 ? S 0:22 | \_ /usr/local/bin/multilog t s5000000 /var/log/freshclam
4538 ? S 0:38 | \_ /usr/bin/freshclam --daemon
3500 ? Ss 0:00 \_ runsv lpd
4470 ? S 0:00 | \_ /usr/sbin/lpd -F
4731 ? Ss 0:00 | \_ lpd Waiting
3501 ? Ss 0:00 \_ runsv dnscache
3529 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/dnscache
4353 ? S 0:00 | \_ /usr/local/bin/dnscache
3502 ? Ss 0:00 \_ runsv ippp
3525 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/ippp
3503 ? Ss 0:00 \_ runsv qmail
3528 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/qmail
4599 ? S 0:00 | \_ qmail-send
4777 ? S 0:00 | \_ qmail-lspawn ./Maildir/
4778 ? S 0:00 | \_ qmail-rspawn
4779 ? S 0:00 | \_ qmail-clean
3504 ? Ss 0:00 \_ runsv raidmonitor
3544 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/raidmonitor
3665 ? S 0:00 | \_ /sbin/mdadm --monitor --scan --program /sbin/e-smith/mdevent
3505 ? Ss 0:00 \_ runsv dhcpd
3526 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/dhcpd
4490 ? S 0:00 | \_ /usr/sbin/dhcpd -d -f -cf /etc/dhcpd.conf -lf /var/lib/dhcp/dhcpd.leases eth0
3506 ? Ss 0:00 \_ runsv smtp-auth-proxy
3542 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/smtp-auth-proxy
3543 ? S 0:00 | \_ /usr/bin/perl -w -T /usr/local/sbin/smtp-auth-proxy.pl
3507 ? Ss 0:00 \_ runsv sqpsmtpd
3539 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/sqpsmtpd
4652 ? S 0:00 | \_ /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 465 -c 10 -m 5
3508 ? Ss 0:00 \_ runsv sshd
3527 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/sshd
11089 ? S 0:00 | \_ /usr/sbin/sshd -D -e
3509 ? Ss 0:00 \_ runsv yum
3546 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/yum
3510 ? Ss 0:00 \_ runsv imaps
3547 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/imaps
4389 ? S 0:00 | \_ /usr/bin/tcpsvd -v -i ./peers -c 400 -C 12:421 per host concurrency limit reached\r\n -l 0 0 imaps sslio -vv -/ ../imap/ssl -C imapd.pem -u stunnel /usr/bin/imapfront
3511 ? Ss 0:00 \_ runsv squid
3540 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/squid.run
4825 ? S 0:08 | \_ /usr/sbin/squid -f /etc/squid/squid.conf -sN -D
4939 ? Ss 0:00 | \_ (unlinkd)
3512 ? Ss 0:00 \_ runsv ftp
3537 ? S 0:00 | \_ /usr/local/bin/multilog t s5000000 /var/log/ftp
4627 ? S 0:00 | \_ /usr/bin/tcpsvd -v -i ./peers -c 40 -C 4:421 per host concurrency limit reached\r\n -l 0 0 ftp /usr/sbin/in.proftpd
3513 ? Ss 0:00 \_ runsv nmbd
3538 ? S 0:00 \_ /usr/local/bin/multilog t s5000000 /var/log/nmbd
4860 ? Ss 0:01 \_ /usr/sbin/nmbd -F -S
3626 ? Ss 0:00 syslogd -m 0 -a /var/empty/sshd/dev/log
3630 ? Ss 0:00 klogd -c 1 -2
4275 ? Ss 0:00 irqbalance
4294 ? Ss 0:00 crond
4317 ? Ss 0:00 /usr/sbin/acpid
4859 ? S 0:00 /usr/sbin/atalkd
4913 ? Ss 0:00 dbus-daemon-1 --system
4941 ? Ss 0:19 hald
5116 tty1 Ss+ 0:00 /sbin/mingetty tty1
5234 ? S 0:00 /usr/sbin/papd
5238 ? S 0:00 /usr/sbin/cnid_metad
5242 ? S 0:00 /usr/sbin/afpd -U uams_dhx.so,uams_pgp.so -c 20 -n nomduserveur
9380 ? Ss 0:00 sshd: maintenance [priv]
9383 ? S 0:00 \_ sshd: maintenance@pts/0
9384 pts/0 Ss 0:00 \_ -bash
9406 pts/0 S 0:00 \_ su -
9407 pts/0 S 0:00 \_ -bash
11100 pts/0 R+ 0:00 \_ ps fax
10934 ? Ss 0:00 /usr/bin/perl -w /sbin/e-smith/signal-event yum-update
10935 ? S 0:00 \_ /usr/bin/logger -p local1.info -t e-smith-bg
10955 ? S 0:00 \_ /usr/bin/perl -w /etc/e-smith/events/yum-update/S20yum-action yum-update
10956 ? D 0:47 \_ /usr/bin/python /usr/bin/yum -d 2 -e 2 -y update apr.i386 bash.i386 bind-libs.i386 bind-utils.i386 centos-release.i386 clamav-db.i386 clamav.i386 clamd.i386 coreutils


ls /etc/init.d/ :

acpid clamd diald halt iptables-trace local mysqld oidentd qpsmtpd readahead_early snmpd syslog
anacron cpuspeed dnscache httpd irqbalance lpd mysql.init pcmcia qpsmtpd-forkserver saslauthd snmptrapd tinydns
apmd crond dovecot httpd-admin isdn lvm2-monitor netfs pop3 radiusd single spamassassin ulogd
atalk daemontools e-smith-service httpd-e-smith keytable masq netplugd pop3s raidmonitor smartd spamd ups
atd dc_client freshclam identd killall mdmonitor network pptpd rawdevices smb sqpsmtpd wan
auditd dc_server functions imap kudzu mdmpd nmbd proftpd rdisc smbd squid winbind
bootstrap-console dhcpd gpm imaps ldap messagebus ntpd psacct rdisc.condrestart smolt sshd xfs
capi dhcrelay haldaemon iptables lm_sensors microcode_ctl nut qmail readahead smtp-auth-proxy supervise yum


netstat -l :

Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:afpovertcp *:* LISTEN
tcp 0 0 *:ldap *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 localhost:783 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:smtps *:* LISTEN
tcp 0 0 localhost:http-admin *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 127.0.0.2:domain *:* LISTEN
tcp 0 0 nomduserveur.nomdudomaine.dyn:domain *:* LISTEN
tcp 0 0 nomduserveur.nomdudomaine.dyndns:ssh *:* LISTEN
tcp 0 0 localhost:squid *:* LISTEN
tcp 0 0 nomduserveur.nomdudomaine.dynd:squid *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 localhost:26 *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 0 localhost:4700 *:* LISTEN
udp 0 0 nomduserveur.nomdudomaineabrégé:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 nomduserveur.nomdudomaineabrégé:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:radius *:*
udp 0 0 *:radius-acct *:*
udp 0 0 *:59435 *:*
udp 0 0 localhost:domain *:*
udp 0 0 127.0.0.2:domain *:*
udp 0 0 nomduserveur.nomdudomaine:domain *:*
udp 0 0 *:icpv2 *:*
udp 0 0 nomduserveur.nomdudomaine.:icpv2 *:*
udp 0 0 *:bootps *:*
udp 0 0 192.168.0.10:ntp *:*
udp 0 0 nomduserveur.nomdudomaine.dy:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
raw 0 0 *:icmp *:* 7
Sockets du domaine UNIX actives(seulement serveurs)
Proto RefCpt Indicatrs Type Etat I-Node Chemin
unix 2 [ ACC ] STREAM LISTENING 577941 /var/clamav/clamd.socket
unix 2 [ ACC ] STREAM LISTENING 11169 /var/run/lprng
unix 2 [ ACC ] STREAM LISTENING 11367 /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 9501 /var/lib/cvm/cvm-unix-local.socket
unix 2 [ ACC ] STREAM LISTENING 11636 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 10548 /var/run/acpid.socket


netstat -a :
Connexions Internet actives (serveurs et établies)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:afpovertcp *:* LISTEN
tcp 0 0 *:ldap *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 localhost:783 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:smtps *:* LISTEN
tcp 0 0 localhost:http-admin *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 127.0.0.2:domain *:* LISTEN
tcp 0 0 nomduserveur.nomdudomaine.dyn:domain *:* LISTEN
tcp 0 0 nomduserveur.nomdudomaine.dyndns:ssh *:* LISTEN
tcp 0 0 localhost:squid *:* LISTEN
tcp 0 0 nomduserveur.nomdudomaine.dynd:squid *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 localhost:26 *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 0 localhost:4700 *:* LISTEN
tcp 0 0 localhost:35521 localhost:imap TIME_WAIT
tcp 0 0 localhost:35522 localhost:imap TIME_WAIT
tcp 0 736 nomduserveur.nomdudomaine.dyndns:ssh pc-00153.nomdudomaine.dy:32781 ESTABLISHED
tcp 0 0 192.168.0.10:35477 ww-in-f101.1e100.net:http TIME_WAIT
tcp 0 0 nomduserveur.nomdudomainv.dynd:https pc-00153.nomdudomaine.dy:59866 TIME_WAIT
tcp 0 0 nomduserveur.nomdudomaine.dynd:https pc-00153.nomdudomaine.dy:59867 TIME_WAIT
tcp 0 0 nomduserveur.nomdudomaine.dynd:https pc-00153.nomdudomaine.dy:38314 TIME_WAIT
tcp 1 1 192.168.0.10:35347 kimsufi.pialasse.com:http LAST_ACK
tcp 0 0 nomduserveur.nomdudomaine.dynd:squid pc-00153.nomdudomaine.dy:58046 TIME_WAIT
tcp 0 0 nomduserveur.nomdudomaine.dynd:squid pc-00153.nomdudomaine.dy:58045 TIME_WAIT
tcp 1 1 192.168.0.10:35349 D522AE0E.static.ziggoz:http LAST_ACK
tcp 0 1 192.168.0.10:35523 109.205.64.121:http SYN_SENT
tcp 0 0 192.168.0.10:35476 ww-in-f102.1e100.net:http TIME_WAIT
tcp 1 1 192.168.0.10:35458 www.chiropratique.org:http LAST_ACK
tcp 1 1 192.168.0.10:35348 distro.ibiblio.org:http LAST_ACK
tcp 1 1 192.168.0.10:35346 distro.ibiblio.org:http LAST_ACK
tcp 1 1 192.168.0.10:35339 distro.ibiblio.org:http LAST_ACK
tcp 1 1 192.168.0.10:35337 distro.ibiblio.org:http LAST_ACK
udp 0 0 nomduserveur.nomdudomaineabrégé:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 nomduserveur.nomdudomaineabrégé:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:radius *:*
udp 0 0 *:radius-acct *:*
udp 0 0 *:59435 *:*
udp 0 0 localhost:domain *:*
udp 0 0 127.0.0.2:domain *:*
udp 0 0 nomduserveur.nomdudomaine:domain *:*
udp 0 0 *:icpv2 *:*
udp 0 0 nomduserveur.nomdudomaine.:icpv2 *:*
udp 0 0 *:bootps *:*
udp 0 0 192.168.0.10:ntp *:*
udp 0 0 nomduserveur.nomdudomaine.dy:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
raw 0 0 *:icmp *:* 7
Sockets du domaine UNIX actives(serveurs et établies)
Proto RefCpt Indicatrs Type Etat I-Node Chemin
unix 3 [ ] DGRAM 578385 /dev/log
unix 2 [ ] DGRAM 578387 /var/empty/sshd/dev/log
unix 2 [ ] DGRAM 577956 @/var/run/hal/hotplug_socket
unix 2 [ ACC ] STREAM LISTENING 577941 /var/clamav/clamd.socket
unix 2 [ ] DGRAM 566295 @udevd
unix 2 [ ACC ] STREAM LISTENING 11169 /var/run/lprng
unix 2 [ ACC ] STREAM LISTENING 11367 /var/lib/mysql/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 9501 /var/lib/cvm/cvm-unix-local.socket
unix 2 [ ACC ] STREAM LISTENING 11636 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 10548 /var/run/acpid.socket
unix 2 [ ] DGRAM 581197
unix 2 [ ] DGRAM 578397
unix 2 [ ] DGRAM 578195
unix 3 [ ] STREAM CONNECTE 577955 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTE 577954
unix 2 [ ] DGRAM 577738
unix 2 [ ] DGRAM 566296
unix 3 [ ] STREAM CONNECTE 559236 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTE 559235
unix 3 [ ] STREAM CONNECTE 557092 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTE 557091
unix 3 [ ] STREAM CONNECTE 557090 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTE 557089
unix 3 [ ] STREAM CONNECTE 556624 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTE 556623
unix 3 [ ] STREAM CONNECTE 556622 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTE 556621
unix 3 [ ] STREAM CONNECTE 556034 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTE 556033
unix 3 [ ] STREAM CONNECTE 556032 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTE 556031
unix 3 [ ] STREAM CONNECTE 555661 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTE 555660
unix 3 [ ] STREAM CONNECTE 555659 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTE 555658
unix 3 [ ] STREAM CONNECTE 527498
unix 3 [ ] STREAM CONNECTE 527497
unix 3 [ ] STREAM CONNECTE 16349
unix 3 [ ] STREAM CONNECTE 16348
unix 3 [ ] STREAM CONNECTE 16347
unix 3 [ ] STREAM CONNECTE 16346
unix 2 [ ] DGRAM 12470
unix 2 [ ] DGRAM 12449
unix 3 [ ] STREAM CONNECTE 11639
unix 3 [ ] STREAM CONNECTE 11638
unix 2 [ ] DGRAM 11626
unix 2 [ ] DGRAM 11426
unix 2 [ ] DGRAM 11418
unix 2 [ ] DGRAM 11353
unix 2 [ ] DGRAM 10510
fgh30
Matelot
Posts: 6
Joined: 04 Jul 2011 12:15

Re: Suspected compromise.

Post by ccnet » 04 Jul 2011 15:33

On the other hand, no inbound attempts

But an outgoing tunnel ...
If you capture the frames going out to that IP, assuming you let them out, what does the traffic contain? Plaintext, encrypted?
ccnet
Amiral
Posts: 2687
Joined: 27 May 2006 12:09
Location: Paris

Re: Suspected compromise.

Post by fgh30 » 04 Jul 2011 15:39

Example of a frame captured on the way out:

No. Time Source Destination Protocol Info
17 56.081947 192.168.0.10 109.205.64.121 TCP 36807 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSV=44514153 TSER=0 WS=2

Frame 17: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Arrival Time: Jul 4, 2011 11:48:50.295130000 CEST
Epoch Time: 1309772930.295130000 seconds
[Time delta from previous captured frame: 41.081104000 seconds]
[Time delta from previous displayed frame: 41.081104000 seconds]
[Time since reference or first frame: 56.081947000 seconds]
Frame Number: 17
Frame Length: 74 bytes (592 bits)
Capture Length: 74 bytes (592 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: Micro-St_64:27:a3 (00:11:09:64:27:a3), Dst: Netgear_b1:b7:f4 (00:14:6c:b1:b7:f4)
Destination: Netgear_b1:b7:f4 (00:14:6c:b1:b7:f4)
Address: Netgear_b1:b7:f4 (00:14:6c:b1:b7:f4)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Micro-St_64:27:a3 (00:11:09:64:27:a3)
Address: Micro-St_64:27:a3 (00:11:09:64:27:a3)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.10 (192.168.0.10), Dst: 109.205.64.121 (109.205.64.121)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 60
Identification: 0x07b3 (1971)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0xc410 [correct]
[Good: True]
[Bad: False]
Source: 192.168.0.10 (192.168.0.10)
Destination: 109.205.64.121 (109.205.64.121)
Transmission Control Protocol, Src Port: 36807 (36807), Dst Port: http (80), Seq: 0, Len: 0
Source port: 36807 (36807)
Destination port: http (80)
[Stream index: 0]
Sequence number: 0 (relative sequence number)
Header length: 40 bytes
Flags: 0x02 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgement: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
.... .... ...0 = Fin: Not set
Window size: 5840
Checksum: 0xf8fb [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (20 bytes)
Maximum segment size: 1460 bytes
TCP SACK Permitted Option: True
Timestamps: TSval 44514153, TSecr 0
NOP
Window scale: 2 (multiply by 4)

0000 00 14 6c b1 b7 f4 00 11 09 64 27 a3 08 00 45 00 ..l......d'...E.
0010 00 3c 07 b3 40 00 40 06 c4 10 c0 a8 00 0a 6d cd .<..@.@.......m.
0020 40 79 8f c7 00 50 db 2a 1f ee 00 00 00 00 a0 02 @y...P.*........
0030 16 d0 f8 fb 00 00 02 04 05 b4 04 02 08 0a 02 a7 ................
0040 3b 69 00 00 00 00 01 03 03 02 ;i........
Last edited by fgh30 on 04 Jul 2011 16:19, edited 1 time in total.
fgh30
Matelot
Posts: 6
Joined: 04 Jul 2011 12:15

Re: Suspected compromise.

Post by jdh » 04 Jul 2011 15:46

I would check whether this address shows up in the Squid log (/var/log/squid/access.log or equivalent ...).

I would check whether the company indicated (a PC repair shop) is known within the company or not ...
Artificial intelligence is nothing compared to natural stupidity.
jdh
Amiral
Posts: 4741
Joined: 29 Dec 2002 01:00
Location: Nantes

Re: Suspected compromise.

Post by fgh30 » 04 Jul 2011 16:18

And an example of a return packet:

No. Time Source Destination Protocol Info
510 6.128845 109.205.64.121 192.168.0.10 TCP http > 42649 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Frame 510: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Arrival Time: Jul 4, 2011 15:56:57.280053000 CEST
Epoch Time: 1309787817.280053000 seconds
[Time delta from previous captured frame: 0.055230000 seconds]
[Time delta from previous displayed frame: 0.055230000 seconds]
[Time since reference or first frame: 6.128845000 seconds]
Frame Number: 510
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP RST]
[Coloring Rule String: tcp.flags.reset eq 1]
Ethernet II, Src: Netgear_b1:b7:f4 (00:14:6c:b1:b7:f4), Dst: Wistron_f3:92:a1 (00:26:2d:f3:92:a1)
Destination: Wistron_f3:92:a1 (00:26:2d:f3:92:a1)
Address: Wistron_f3:92:a1 (00:26:2d:f3:92:a1)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Netgear_b1:b7:f4 (00:14:6c:b1:b7:f4)
Address: Netgear_b1:b7:f4 (00:14:6c:b1:b7:f4)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src: 109.205.64.121 (109.205.64.121), Dst: 192.168.0.10 (192.168.0.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x0000 (0)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 50
Protocol: TCP (6)
Header checksum: 0xd9d7 [correct]
[Good: True]
[Bad: False]
Source: 109.205.64.121 (109.205.64.121)
Destination: 192.168.0.10 (192.168.0.10)
Transmission Control Protocol, Src Port: http (80), Dst Port: 42649 (42649), Seq: 1, Ack: 1, Len: 0
Source port: http (80)
Destination port: 42649 (42649)
[Stream index: 109]
Sequence number: 1 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x14 (RST, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgement: Set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
[Expert Info (Chat/Sequence): Connection reset (RST)]
[Message: Connection reset (RST)]
[Severity level: Chat]
[Group: Sequence]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size: 0
Checksum: 0xbfb6 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 508]
[The RTT to ACK the segment was: 0.055353000 seconds]

0000 00 26 2d f3 92 a1 00 14 6c b1 b7 f4 08 00 45 00 .&-.....l.....E.
0010 00 28 00 00 40 00 32 06 d9 d7 6d cd 40 79 c0 a8 .(..@.2...m.@y..
0020 00 0a 00 50 a6 99 00 00 00 00 83 f2 56 45 50 14 ...P........VEP.
0030 00 00 bf b6 00 00 00 00 00 00 00 00 ............
fgh30
Matelot
Posts: 6
Joined: 04 Jul 2011 12:15

Re: Suspected compromise.

Post by fgh30 » 04 Jul 2011 16:41

No...

find /var/log/squid -name "*" -exec grep -Hn "109.205.64.121" {} \;
/var/log/squid/access.log:6702:1309778708.027 181886 192.168.1.153 TCP_MISS/504 1428 GET http://109.205.64.121/ - DIRECT/109.205.64.121 text/html
/var/log/squid/access.log:6703:1309778889.760 181675 192.168.1.153 TCP_MISS/504 1450 GET http://109.205.64.121/favicon.ico - DIRECT/109.205.64.121 text/html
/var/log/squid/access.log:6704:1309779071.312 181533 192.168.1.153 TCP_MISS/504 1450 GET http://109.205.64.121/favicon.ico - DIRECT/109.205.64.121 text/html
/var/log/squid/access.log:6752:1309779900.132 168 192.168.1.153 TCP_MISS/503 1429 GET http://109.205.64.121/ - DIRECT/109.205.64.121 text/html
/var/log/squid/access.log:6753:1309779903.573 167 192.168.1.153 TCP_MISS/503 1429 GET http://109.205.64.121/ - DIRECT/109.205.64.121 text/html
/var/log/squid/access.log:6754:1309779906.040 165 192.168.1.153 TCP_MISS/503 1429 GET http://109.205.64.121/ - DIRECT/109.205.64.121 text/html
/var/log/squid/access.log:6758:1309779915.290 165 192.168.1.153 TCP_MISS/503 1429 GET http://109.205.64.121/ - DIRECT/109.205.64.121 text/html
/var/log/squid/access.log:6759:1309779917.378 45149 192.168.1.153 TCP_MISS/503 1429 GET http://109.205.64.121/ - DIRECT/109.205.64.121 text/html
/var/log/squid/store.log:11844:1309778708.027 RELEASE -1 FFFFFFFF D55E3F399B60403D6E1F61F28A2408E5 504 1309778708 0 1309778708 text/html 1120/1361 GET http://109.205.64.121/
/var/log/squid/store.log:11845:1309778889.760 RELEASE -1 FFFFFFFF 0FA2F505A5BBFA2D36EA54279684BFB1 504 1309778889 0 1309778889 text/html 1142/1383 GET http://109.205.64.121/favicon.ico
/var/log/squid/store.log:11846:1309779071.312 RELEASE -1 FFFFFFFF 765E7DCEDE3069733DA327E99FF3C3D5 504 1309779070 0 1309779070 text/html 1142/1383 GET http://109.205.64.121/favicon.ico
/var/log/squid/store.log:11901:1309779900.132 RELEASE -1 FFFFFFFF 288CC59411E02E05827CFAC32039D001 503 1309779900 0 1309779900 text/html 1118/1362 GET http://109.205.64.121/
/var/log/squid/store.log:11902:1309779903.573 RELEASE -1 FFFFFFFF 4C2F987100357EE30552672E16705D85 503 1309779903 0 1309779903 text/html 1118/1362 GET http://109.205.64.121/
/var/log/squid/store.log:11903:1309779906.040 RELEASE -1 FFFFFFFF 1E491ED5BE03D7FFD21CC0C23E159F99 503 1309779905 0 1309779905 text/html 1118/1362 GET http://109.205.64.121/
/var/log/squid/store.log:11904:1309779915.290 RELEASE -1 FFFFFFFF B049D4DE987F31A1C5463C8A9C3AA736 503 1309779915 0 1309779915 text/html 1118/1362 GET http://109.205.64.121/
/var/log/squid/store.log:11905:1309779917.378 RELEASE -1 FFFFFFFF 7DAE1E0D766AD6B9C2109997AAB044BF 503 1309779917 0 1309779917 text/html 1118/1362 GET http://109.205.64.121/


On the other hand, I also found this, an excerpt from the file /var/log/freshclam/current:

2011-07-04 13:52:09.775953500 connect_error: getsockopt(SO_ERROR): fd=3 error=111: Connection refused
2011-07-04 13:52:09.776011500 Can't connect to port 80 of host db.local.clamav.net (IP: 109.205.64.121)


Could it quite simply be a Clamav update server? But why would my SME be spamming it?

http://forum.ovh.com/showthread.php?t=68441&page=2 ?
fgh30
Matelot
Posts: 6
Joined: 04 Jul 2011 12:15
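The correlation this thread does by hand (the netstat snapshot, the Squid access.log grep, the freshclam service log, and the 30-second period seen in the capture) as one added Python triage helper. This is example code written for this page, not something posted in the thread or shipped with SME Server; every sample line is constructed from the output quoted above, and 198.51.100.7 / example.invalid are documentation placeholders.

```python
"""Correlate one suspect destination IP across what this thread inspects by hand:
a netstat snapshot, Squid's access.log, a multilog service log and the timing of
outbound SYNs. Added example; all sample lines are constructed from the thread."""
import re
import statistics
from collections import Counter
from typing import Dict, List

SUSPECT_IP = "109.205.64.121"  # address the server was contacting every 30 s

# Constructed: the SYN_SENT row from the poster's netstat -a plus an unrelated row.
NETSTAT_A = """\
tcp 0 0 *:smtp *:* LISTEN
tcp 0 1 192.168.0.10:35523 109.205.64.121:http SYN_SENT
"""

# Constructed Squid native rows (ts elapsed client action/code size method url ident hier/peer type);
# 198.51.100.7 and example.invalid are documentation placeholders.
SQUID_ACCESS = """\
1309778708.027 181886 192.168.1.153 TCP_MISS/504 1428 GET http://109.205.64.121/ - DIRECT/109.205.64.121 text/html
1309779900.132 168 192.168.1.153 TCP_MISS/503 1429 GET http://109.205.64.121/ - DIRECT/109.205.64.121 text/html
1309779903.573 167 192.168.1.153 TCP_MISS/200 5120 GET http://example.invalid/ - DIRECT/198.51.100.7 text/html
"""

# Constructed /var/log/freshclam/current excerpt, timestamps as shown in the thread.
FRESHCLAM_CURRENT = """\
2011-07-04 13:52:09.775953500 connect_error: getsockopt(SO_ERROR): fd=3 error=111: Connection refused
2011-07-04 13:52:09.776011500 Can't connect to port 80 of host db.local.clamav.net (IP: 109.205.64.121)
2011-07-04 13:52:39.801200500 Can't connect to port 80 of host db.local.clamav.net (IP: 109.205.64.121)
"""

# Constructed epoch times of successive SYNs, as a capture filtered on the IP would show.
SYN_EPOCHS = [1309772930.29513 + 30 * i + j for i, j in enumerate([0.0, 0.002, -0.001, 0.003, 0.001])]


def _ip_pattern(ip: str) -> "re.Pattern[str]":
    # Bound on non-digit/non-dot so 109.205.64.12 does not match 109.205.64.121.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def netstat_states(netstat_text: str, ip: str) -> Dict[str, int]:
    """TCP states of sockets whose foreign address is the IP. SYN_SENT with the
    server's own address in the local column means the server itself initiates."""
    pat = _ip_pattern(ip)
    states: Counter = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and pat.search(f[4]):
            states[f[5]] += 1
    return dict(states)


def squid_hits(access_log: str, ip: str) -> List[Dict[str, str]]:
    """access.log rows naming the IP in the URL or peer column; the client column
    says which LAN host requested it through the proxy (not the server itself)."""
    pat = _ip_pattern(ip)
    hits = []
    for line in access_log.splitlines():
        f = line.split()
        if len(f) >= 10 and (pat.search(f[6]) or pat.search(f[8])):
            hits.append({"ts": f[0], "client": f[2], "status": f[3], "url": f[6]})
    return hits


def service_log_hits(log_text: str, ip: str) -> List[Dict[str, str]]:
    """freshclam connect errors naming the IP, with the hostname it resolved from."""
    rx = re.compile(r"^(\S+ \S+) Can't connect to port (\d+) of host (\S+) \(IP: ([\d.]+)\)")
    hits = []
    for line in log_text.splitlines():
        m = rx.match(line)
        if m and m.group(4) == ip:
            hits.append({"ts": m.group(1), "port": m.group(2), "host": m.group(3)})
    return hits


def beacon_interval(epochs: List[float], tolerance: float = 1.0) -> Dict[str, object]:
    """Median gap between attempts and whether every gap is within `tolerance` s of it.
    A fixed period means timer-driven: a retry loop and a beacon look alike here."""
    ts = sorted(epochs)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return {"median_interval": None, "regular": False}
    med = statistics.median(gaps)
    return {"median_interval": med, "regular": max(abs(g - med) for g in gaps) <= tolerance}


def triage(ip: str) -> Dict[str, object]:
    """Who initiates, who proxied, which hostname resolved to the IP, and how often."""
    return {
        "server_initiated": netstat_states(NETSTAT_A, ip),
        "proxy_clients": sorted({h["client"] for h in squid_hits(SQUID_ACCESS, ip)}),
        "resolved_from": sorted({h["host"] for h in service_log_hits(FRESHCLAM_CURRENT, ip)}),
        "interval": beacon_interval(SYN_EPOCHS),
    }
```

On the thread's data the three views disagree in a useful way: the Squid hits come from a LAN client (192.168.1.153), while the SYN_SENT socket is the server's own, and only the service log names the hostname (db.local.clamav.net) that resolved to the IP.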

Re: Suspected compromise.

Post by fgh30 » 04 Jul 2011 18:29

Well, I'm going to mark the topic as resolved.

It was clearly a clamav update problem.

I updated the SME and restarted the thing. It no longer spams the address 109.205.64.121


And the log file /var/log/freshclam.current no longer shows any errors.


Thanks for your help and your methodology. :wink:
fgh30
Matelot
Posts: 6
Joined: 04 Jul 2011 12:15
