[GLLUG] Infected - Help/advice?

Ed Thomson ethomson at edwardthomson.com
Mon Mar 12 13:09:00 EDT 2007


On Mar 12, 2007, at 8:49 AM, Benjamin Cathey wrote:

> Okay - I noticed some strange traffic on our firewall this morning
...
> It seems our mailserver was trying to get out
>
> Date:	03/12 07:52:35 	Name:	ICMP Destination Unreachable  
> (Communication Administratively Prohibited)
> Priority:	3 	Type:	Misc activity
> IP info: 	192.168.1.3:80 -> 86.106.27.100:40068
> References:	none found

I think you're getting SYN flooded, hehe.

I'm not familiar with Guardian or its log entries, but I think (but  
I'm not sure) that this is Guardian telling you that it's passing a  
packet from your mail server's web server to a remote host, and it's  
coming back from your upstream router as Destination Unreachable.   
(If I'm wrong, and this is Guardian telling you that it's rejecting a  
packet, then your firewall is misconfigured.)

I suspect it's the former, and that you're getting SYN flooded by  
some machines claiming to be in Hungary.  Basically, they send  
opening connection (SYN) packets, and never reply to them.  These  
connections stay half-open on your mail server (i.e., in SYN_RECV
state) and if there's a lot of them, this can fill your SYN queue on  
your machine, causing your mail server to drop inbound TCP connections.

This was a much bigger deal 5 years ago, as firewalls and operating  
systems have improved quite a bit their protection against this.  If  
you're only seeing a dozen, it's unlikely to cause you any problems.   
(You can see your queue size by running "sysctl
net.ipv4.tcp_max_syn_backlog".  My oldest production machine is 2.4.25,
which has pretty decent SYN handling and a queue size of 1024.)

> Should I be worried or is there something I am not understanding  
> here?  According to what I can find on the net this (the bindshell  
> port 465) is a common false positive.

On a mail server, probably not - 465 is smtps, which is the TLS-only  
"secure" smtp port.

>
> But what about all this -
>
> netstat -a on the mailserver shows:
>
...snipped...
> tcp        0      0 192.168.1.3:http        86.104.31.200:40681     SYN_RECV
>
> why would the mailserver have outgoing http to all these IP addresses?

Note that netstat always shows address pairs as local/remote (not  
source/dest).  Your mail server was actually the destination for  
these connections, since they're in the SYN_RECV state.

-Ed
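As an added example, not code from Ed or from the original poster, here is a small POSIX shell script that does the check Ed describes: it counts the SYN_RECV entries in "netstat -ant" output, ranks the remote addresses holding them, and compares the count with net.ipv4.tcp_max_syn_backlog. It assumes the Linux netstat column order (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State) and runs against a constructed sample whose addresses are RFC 5737 documentation ranges, not the hosts in the post.

```shell
#!/bin/sh
# Added example (not from the original thread): count half-open (SYN_RECV)
# connections in `netstat -ant` output and rank the remote hosts sending them.
# Assumes the Linux netstat column layout: Proto Recv-Q Send-Q Local Foreign State.

# Constructed sample of `netstat -ant` output. The remote addresses are RFC 5737
# documentation ranges, not the hosts from the original post.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.3:80          198.51.100.7:40681      SYN_RECV
tcp        0      0 192.168.1.3:80          198.51.100.7:40682      SYN_RECV
tcp        0      0 192.168.1.3:80          203.0.113.9:51001       SYN_RECV
tcp        0      0 192.168.1.3:25          203.0.113.22:3344       ESTABLISHED
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN'

# count_half_open: number of TCP entries in SYN_RECV on stdin. Every one of
# these is an inbound connection whose handshake never completed; the
# "Local Address" column is our side regardless of who initiated the flow.
count_half_open() {
    awk '$1 ~ /^tcp6?$/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# top_syn_sources: remote IPs ranked by how many half-open connections each
# one holds. The port is stripped from the Foreign Address column at its last
# ':' so IPv6 and IPv4-mapped addresses survive intact.
top_syn_sources() {
    awk '$1 ~ /^tcp6?$/ && $6 == "SYN_RECV" {
             ip = $5; sub(/:[^:]*$/, "", ip); c[ip]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# syn_queue_usage COUNT BACKLOG: integer percentage of the SYN backlog that
# COUNT half-open connections occupy.
syn_queue_usage() {
    echo $(( $1 * 100 / $2 ))
}

# syn_backlog: the kernel's SYN backlog from /proc (same value as
# `sysctl net.ipv4.tcp_max_syn_backlog`), falling back to Ed's 1024 when
# /proc is not readable, e.g. in a container or on a non-Linux host.
syn_backlog() {
    if [ -r /proc/sys/net/ipv4/tcp_max_syn_backlog ]; then
        cat /proc/sys/net/ipv4/tcp_max_syn_backlog
    else
        echo 1024
    fi
}

# Demo on the constructed sample. On a real server replace the printf with
# `netstat -ant` (or `ss -Hn state syn-recv`, which lists only these sockets).
half_open=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_half_open)
backlog=$(syn_backlog)
echo "half-open connections: $half_open of $backlog backlog slots ($(syn_queue_usage "$half_open" "$backlog")%)"
printf '%s\n' "$SAMPLE_NETSTAT" | top_syn_sources
```

Because netstat labels the columns local/foreign rather than source/destination, a SYN_RECV socket with 192.168.1.3:80 on the local side is an inbound request, which is the point Ed makes about the netstat output. If the count ever approaches the backlog, net.ipv4.tcp_syncookies = 1 is the Linux mechanism that lets the server keep accepting new connections once the queue is full.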
