linux-admin.vger.kernel.org archive mirror
From: Glynn Clements <glynn@gclements.plus.com>
To: akuda <akuda@poczta.fm>
Cc: linux-admin@vger.kernel.org
Subject: Re: How to identify local source of connection (program and user)
Date: Sun, 30 Nov 2008 18:48:25 +0000
Message-ID: <18738.57337.57071.379361@cerise.gclements.plus.com>
In-Reply-To: <20757992.post@talk.nabble.com>


akuda wrote:

> Recently I found some unidentified outgoing connections (UOC, instead of
> UFO) from one of my Linux machines (Gentoo, firewall by vuurmuur.org via
> iptables). Those UOCs occur soon after boot time, even though I closed all
> services. These are DNS calls.
>    So I asked my friends, full-time admins, how to check which program
> requests access to the internet, and what user started this program. If, for
> example, the RIAA came to some university telling them that from their IP
> someone is downloading "Lilo & Stitch" illegally, the admin should be able
> to tell who turned on BitTorrent :) . And what struck me was the fact that
> they actually didn't know! They asked me to hunt for those UOCs, and then
> type netstat with some options, to get the path to the binary, and locate it in
> someone's home directory (the BitTorrent client probably won't be installed
> as a general binary for all users :) ).
>    Any other idea how to do it? Can I force Linux to log who is requesting
> an outgoing connection, and how?

You can tell iptables to log the UID with the --log-uid option, but if
it's UID 0 (root), that doesn't tell you much.

You could configure iptables to block "unknown" outbound DNS queries,
and hope that whatever is sending them generates an error message when
the lookup fails.

You can use tcpdump to log outbound DNS queries, eliminate "known"
queries, and examine the remainder to see if the content of the
queries provides some clues as to the origin.

As a last resort, you could modify the source for libnss_dns or
libresolv to log the current PID.

-- 
Glynn Clements <glynn@gclements.plus.com>
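The following is an added example and not code from Glynn's reply or from anyone on the list. It turns the --log-uid suggestion into an offline check: parse the kernel LOG lines, drop queries to the resolvers you expect, and try to tie what is left back to a PID through the socket table (the same /proc walk netstat -p performs). The chain name DNS-OUT, the "DNS-OUT: " log prefix, every address, and the sample log and /proc text are constructed for illustration; the caveat a practitioner should keep in mind is that a resolver's UDP socket lives for about one round trip, so the PID lookup only succeeds if the snapshot is taken while the query is in flight, and the UID recorded by --log-uid is the evidence that survives.

```python
# Added example, not code from Glynn's reply or from anyone on the list. It
# turns the --log-uid suggestion into an offline check: parse the kernel LOG
# lines, drop queries to resolvers you expect, and tie what is left back to a
# PID through the socket table. The chain name DNS-OUT, the "DNS-OUT: " prefix,
# all addresses and the sample log/proc text are constructed for illustration.
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Rules assumed to have produced SAMPLE_LOG. Only locally generated packets
# (OUTPUT chain) have an owning socket, so only there does --log-uid append
# "UID=... GID=..."; -m limit keeps a looping resolver from flooding syslog.
DNS_LOG_RULES = """\
iptables -N DNS-OUT
iptables -A OUTPUT -p udp --dport 53 -j DNS-OUT
iptables -A DNS-OUT -m limit --limit 30/min -j LOG --log-prefix "DNS-OUT: " --log-uid
iptables -A DNS-OUT -j ACCEPT
"""
KNOWN_RESOLVERS: Set[str] = {"192.168.1.1"}      # constructed: the site's resolver
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")       # KEY=value tokens of a LOG line

@dataclass
class DnsQuery:
    src: str
    dst: str
    sport: int
    uid: Optional[int]      # None when the kernel logged no UID (no owning socket)

def parse_log_line(line: str, prefix: str = "DNS-OUT: ") -> Optional[DnsQuery]:
    """One netfilter LOG line -> DnsQuery, or None if it is not one of ours."""
    pos = line.find(prefix)
    if pos < 0:
        return None
    fields: Dict[str, str] = {}
    for key, val in FIELD_RE.findall(line[pos + len(prefix):]):
        fields.setdefault(key, val)         # first LEN is the IP header's; keep it
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != "53":
        return None
    uid = int(fields["UID"]) if "UID" in fields else None
    return DnsQuery(fields["SRC"], fields["DST"], int(fields["SPT"]), uid)

def unexplained(queries: List[DnsQuery], known: Set[str]) -> List[DnsQuery]:
    """Drop queries to resolvers you expect; what remains is the UOC list."""
    return [q for q in queries if q.dst not in known]

def parse_proc_net_udp(text: str) -> Dict[int, Tuple[int, int]]:
    """Local UDP port -> (uid, inode) from /proc/net/udp text: local_address is
    little-endian hex IPv4 ':' hex port, column 7 the uid, column 9 the inode."""
    table: Dict[int, Tuple[int, int]] = {}
    for line in text.splitlines()[1:]:                  # skip the header row
        cols = line.split()
        if len(cols) >= 10:
            table[int(cols[1].split(":")[1], 16)] = (int(cols[7]), int(cols[9]))
    return table

def socket_owners(proc_root: str = "/proc") -> Dict[int, int]:
    """Socket inode -> pid from /proc/<pid>/fd links, which is what netstat -p
    does. Live helper, not used by the offline demo; needs root to see everyone."""
    owners: Dict[int, int] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                     # exited mid-walk, or not permitted
            continue
        for target in links:
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(pid)
    return owners

def attribute(q: DnsQuery, udp_table: Dict[int, Tuple[int, int]],
              inode_owners: Dict[int, int]) -> Optional[int]:
    """PID that owned the query's source port, or None if the socket is gone.
    A resolver socket lives about one round trip, so this only works when the
    snapshot was taken while the query was in flight; the UID from --log-uid is
    the evidence that survives, and UID 0 on its own says little."""
    entry = udp_table.get(q.sport)
    return inode_owners.get(entry[1]) if entry else None

# Constructed sample data. The third line carries no UID=, as a FORWARD-chain
# hit using the same prefix would.
SAMPLE_LOG = """\
Nov 30 18:48:25 gentoo kernel: DNS-OUT: IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=UDP SPT=40123 DPT=53 LEN=40 UID=0 GID=0
Nov 30 18:48:26 gentoo kernel: DNS-OUT: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.53 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=UDP SPT=51234 DPT=53 LEN=41 UID=1000 GID=1000
Nov 30 18:48:27 gentoo kernel: DNS-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.53 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=1003 DF PROTO=UDP SPT=33333 DPT=53 LEN=41
"""
# /proc/net/udp snapshot taken while the second query was in flight:
# 0A01A8C0:C822 is 192.168.1.10:51234, owned by uid 1000, socket inode 98765.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  64: 0A01A8C0:C822 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 98765 2 0000000000000000 0
"""
SAMPLE_INODE_OWNERS = {98765: 4242}     # stands in for socket_owners() on that host

def investigate(log_text: str = SAMPLE_LOG, proc_udp: str = SAMPLE_PROC_NET_UDP,
                inode_owners: Dict[int, int] = SAMPLE_INODE_OWNERS):
    """[(DnsQuery, pid_or_None)] for every unexplained outbound query."""
    queries = [q for q in map(parse_log_line, log_text.splitlines()) if q]
    table = parse_proc_net_udp(proc_udp)
    return [(q, attribute(q, table, inode_owners))
            for q in unexplained(queries, KNOWN_RESOLVERS)]
```

On a live box you would call investigate(open("/var/log/messages").read(), open("/proc/net/udp").read(), socket_owners()) as root. The -m owner match (iptables -A DNS-OUT -m owner --uid-owner named -j RETURN, say) can also be used in the OUTPUT chain to exempt a known resolver daemon before the LOG rule; like --log-uid it only sees locally generated packets, so neither helps with traffic the box merely forwards.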


Thread overview: 4+ messages
2008-11-30 14:06 How to identify local source of connection (program and user) akuda
2008-11-30 14:38 ` Herta Van den Eynde
2008-11-30 17:02 ` Michael H. Warfield
2008-11-30 18:48 ` Glynn Clements [this message]
