linux-admin.vger.kernel.org archive mirror
* How to identify local source of connection (program and user)
@ 2008-11-30 14:06 akuda
  2008-11-30 14:38 ` Herta Van den Eynde
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: akuda @ 2008-11-30 14:06 UTC (permalink / raw)
  To: linux-admin


Hi,

Recently I found some unidentified outgoing connections (UOC, instead of
UFO) from one of my Linux machines (Gentoo, firewall by vuurmuur.org via
iptables). Those UOCs occur soon after boot time, even though I closed all
services. These are DNS calls.
   So I asked my friends, full-time admins, how to check which program
requests access to the internet, and what user started this program. If, for
example, the RIAA came to some university telling them that from their IP
someone is downloading "Lilo & Stitch" illegally, the admin should be able
to tell who turned on bittorrent :) . And what struck me was the fact that
they actually didn't know! They asked me to hunt for those UOCs, and then
type netstat with some options, to get the path to the binary, and locate it in
someone's home directory (the bittorrent client probably won't be installed
as a general bin for all users :) ).
   Any other idea how to do it? Can I force Linux to log who and how is
requesting an outgoing connection?

-- 
View this message in context: http://www.nabble.com/How-to-inentify-local-source-of-connection-%28program-and-user%29-tp20757992p20757992.html
Sent from the linux-admin mailing list archive at Nabble.com.



* Re: How to identify local source of connection (program and user)
  2008-11-30 14:06 How to identify local source of connection (program and user) akuda
@ 2008-11-30 14:38 ` Herta Van den Eynde
  2008-11-30 17:02 ` Michael H. Warfield
  2008-11-30 18:48 ` Glynn Clements
  2 siblings, 0 replies; 4+ messages in thread
From: Herta Van den Eynde @ 2008-11-30 14:38 UTC (permalink / raw)
  To: linux-admin

2008/11/30 akuda <akuda@poczta.fm>
>
> Hi,
>
> Recently I found some unidentified outgoing connections (UOC, instead of
> UFO) from one of my Linux machines (Gentoo, firewall by vuurmuur.org via
> iptables). Those UOCs occur soon after boot time, even though I closed all
> services. These are DNS calls.
>   So I asked my friends, full-time admins, how to check which program
> requests access to the internet, and what user started this program. If, for
> example, the RIAA came to some university telling them that from their IP
> someone is downloading "Lilo & Stitch" illegally, the admin should be able
> to tell who turned on bittorrent :) . And what struck me was the fact that
> they actually didn't know! They asked me to hunt for those UOCs, and then
> type netstat with some options, to get the path to the binary, and locate it in
> someone's home directory (the bittorrent client probably won't be installed
> as a general bin for all users :) ).
>   Any other idea how to do it? Can I force Linux to log who and how is
> requesting an outgoing connection?
>

Hi,

Have you tried "lsof -i"?

Kind regards,

Herta

--
"Life on Earth may be expensive,
but it comes with a free ride around the Sun."
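
What "lsof -i" (and "netstat -p") actually do is join the socket tables in /proc/net/tcp and /proc/net/udp, which carry the owning UID and a socket inode, to the process holding that inode as an open fd. The script below is an added example, not code from the thread or from lsof, that performs the same join directly so the mechanism is visible; the /proc/net/udp text in it is constructed sample data, and the little-endian address decoding is an assumption that holds on x86 and ARM.

```python
"""Attribute open sockets to a PID, user and binary straight from /proc.

Added example, not from the thread: this is what `lsof -i` and `netstat -p`
do underneath.  Rows in /proc/net/{tcp,udp} carry the owning UID and a
socket inode; the inode is matched to a process through the
'socket:[<inode>]' links in /proc/<pid>/fd/, and the binary is read from
/proc/<pid>/exe.  Other users' fd directories are only readable as root.
SAMPLE_UDP is constructed data in /proc/net/udp layout.
"""
import os
import pwd
import socket
import struct
from typing import Dict, List, Optional, Tuple

# Constructed: one DNS socket 192.168.1.10:40000 -> 192.168.1.1:53, uid 1000, inode 48213.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 0A01A8C0:9C40 0101A8C0:0035 01 00000000:00000000 00:00000000 00000000  1000        0 48213 2 0000000000000000 0
"""


def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:0035' -> ('127.0.0.1', 53).  The kernel prints the IPv4
    address in host byte order; little-endian (x86/ARM) is assumed here."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net(text: str, proto: str) -> List[dict]:
    """Parse /proc/net/tcp or /proc/net/udp text; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = decode_addr(f[1])
        raddr, rport = decode_addr(f[2])
        rows.append({"proto": proto, "local": f"{laddr}:{lport}",
                     "remote": f"{raddr}:{rport}",
                     "state": int(f[3], 16),   # 01 ESTABLISHED, 07 CLOSE (unconnected UDP), 0A LISTEN
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_inode(link_target: str) -> Optional[int]:
    """'socket:[48213]' -> 48213; pipes, files, anon inodes -> None."""
    if link_target.startswith("socket:[") and link_target.endswith("]"):
        return int(link_target[8:-1])
    return None


def inode_to_pid(proc_root: str = "/proc") -> Dict[int, int]:
    """Scan every readable /proc/<pid>/fd directory for socket links."""
    m: Dict[int, int] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # process gone, or not ours and we are not root
            continue
        for fd in fds:
            try:
                ino = socket_inode(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if ino is not None:
                m[ino] = int(pid)
    return m


def attribute(rows: List[dict], inode_pid: Dict[int, int],
              proc_root: str = "/proc") -> List[dict]:
    """Join each socket row to its pid, user name and executable path."""
    out = []
    for r in rows:
        pid = inode_pid.get(r["inode"])
        try:
            user = pwd.getpwuid(r["uid"]).pw_name
        except KeyError:
            user = str(r["uid"])
        exe = None
        if pid is not None:
            try:
                exe = os.readlink(os.path.join(proc_root, str(pid), "exe"))
            except OSError:
                exe = "?"        # kernel thread, or no permission
        out.append({**r, "pid": pid, "user": user, "exe": exe})
    return out


if __name__ == "__main__":       # live run: the real tables, best as root
    rows = []
    for proto in ("tcp", "udp"):
        with open(f"/proc/net/{proto}") as fh:
            rows += parse_proc_net(fh.read(), proto)
    for s in attribute(rows, inode_to_pid()):
        print(f'{s["proto"]} {s["local"]} -> {s["remote"]} uid={s["uid"]} '
              f'user={s["user"]} pid={s["pid"]} exe={s["exe"]}')
```

Run it as root or the fd scan silently skips other users' processes and every socket comes back with pid None. The join is a snapshot: a stub resolver's UDP socket for one DNS query is open for a few milliseconds, so this (like lsof) reliably catches long-lived TCP sessions such as a bittorrent client, not one-shot lookups.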


* Re: How to identify local source of connection (program and user)
  2008-11-30 14:06 How to identify local source of connection (program and user) akuda
  2008-11-30 14:38 ` Herta Van den Eynde
@ 2008-11-30 17:02 ` Michael H. Warfield
  2008-11-30 18:48 ` Glynn Clements
  2 siblings, 0 replies; 4+ messages in thread
From: Michael H. Warfield @ 2008-11-30 17:02 UTC (permalink / raw)
  To: akuda; +Cc: linux-admin

On Sun, 2008-11-30 at 06:06 -0800, akuda wrote:
> Hi,

> Recently I found some unidentified outgoing connections (UOC, instead of
> UFO) from one of my Linux machines (Gentoo, firewall by vuurmuur.org via
> iptables). Those UOCs occur soon after boot time, even though I closed all
> services. These are DNS calls.

	DNS queries are extremely common (almost unavoidable).  Most likely,
they are reverse lookups looking for a name associated with your
interface address.  There are any number of applications which may do
a "gethostbyname" or "gethostbyaddress" which will trigger DNS
queries.  If you've got a graphical display (X, xdm, gdm) starting up I
can almost guarantee that you'll see DNS queries.  If you are getting
your IP address via dhcp, you're likely to see associated DNS queries in
response to any one of a number of DHCP options.  If you've got logging
enabled, you're likely to see DNS queries.

>    So I asked my friends, full-time admins, how to check which program
> requests access to the internet, and what user started this program. If, for
> example, the RIAA came to some university telling them that from their IP
> someone is downloading "Lilo & Stitch" illegally, the admin should be able
> to tell who turned on bittorrent :) . And what struck me was the fact that
> they actually didn't know! They asked me to hunt for those UOCs, and then
> type netstat with some options, to get the path to the binary, and locate it in
> someone's home directory (the bittorrent client probably won't be installed
> as a general bin for all users :) ).

	Someone else suggested lsof.  You say these are connections but then
say they are DNS which really probably means UDP (which is
connectionless) and you're probably not going to see them up for very
long, like long enough to catch them manually.  Things like bittorrent
are relatively easy to track down because they involve long persistent
TCP connections.  DNS queries are almost ubiquitous on a system, though.
I don't see how you would run a system and totally avoid DNS queries or
why you would want to even try.

>    Any other idea how to do it? Can I force Linux to log who and how is
> requesting an outgoing connection?

	You could play with some of the iptables facilities.  You could also
set up your own nameserver and force DNS queries through localhost and
log them using "bind" to see what the queries are.  You could also fire
up tcpdump and capture what the queries are.  You could also play with
the audit subsystem and trap on DNS requests.  I'm not sure any of it's
worth the effort for mere DNS queries.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw@WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
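
Mike's tcpdump route (and the "eliminate known queries" step in the next reply) comes down to decoding the question section of each captured port-53 packet and discarding the names you expect to see at boot, such as the reverse lookup of the box's own address. The script below is an added example, not code from the thread: it decodes DNS query names from raw UDP payloads and filters them against an allowlist. The payloads are constructed here with build_query() rather than read from a capture (extracting them from `tcpdump -n -s 0 -w dns.pcap udp port 53` output with a pcap reader is not shown), and KNOWN_SUFFIXES is an assumed local policy, not something the thread specifies.

```python
"""Decode the question section of captured DNS queries and drop the expected ones.

Added example (not from the thread).  Input is the UDP payload of a port-53
packet; output is the list of (qname, qtype) that are not on the allowlist.
Packets below are constructed with build_query(); the allowlist is assumed.
"""
import struct
from typing import List, Tuple

QTYPES = {1: "A", 12: "PTR", 28: "AAAA", 33: "SRV"}

# Assumed allowlist: reverse lookups in our own subnet, plus names the box
# is expected to resolve at boot (NTP pool, distro mirrors).
KNOWN_SUFFIXES = ("1.168.192.in-addr.arpa", "pool.ntp.org", "gentoo.org")


def build_query(name: str, qtype: int, txid: int = 0x1A2B) -> bytes:
    """Encode a single-question query (RFC 1035 4.1.1/4.1.2) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_name(payload: bytes, offset: int, hops: int = 0) -> Tuple[str, int]:
    """Read a (possibly compressed) name; returns (name, offset after it)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:                 # compression pointer, RFC 1035 4.1.4
            if hops > 8:                             # refuse pointer loops in hostile packets
                raise ValueError("pointer loop")
            ptr = struct.unpack_from("!H", payload, offset)[0] & 0x3FFF
            tail, _ = parse_name(payload, ptr, hops + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_queries(payload: bytes) -> List[Tuple[str, str]]:
    """Return [(qname, qtype)] for a query packet; [] for a response."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    if flags & 0x8000:                               # QR bit set: an answer, not a query
        return []
    out, off = [], 12
    for _ in range(qdcount):
        name, off = parse_name(payload, off)
        qtype, _qclass = struct.unpack_from("!HH", payload, off)
        off += 4
        out.append((name, QTYPES.get(qtype, str(qtype))))
    return out


def is_known(name: str, known=KNOWN_SUFFIXES) -> bool:
    """Exact match or a subdomain of an allowlisted suffix."""
    return any(name == s or name.endswith("." + s) for s in known)


def triage(payloads: List[bytes]) -> List[Tuple[str, str]]:
    """Everything not on the allowlist is worth chasing back to a process."""
    unknown = []
    for p in payloads:
        try:
            qs = parse_queries(p)
        except (ValueError, struct.error):
            continue                                 # not DNS, or malformed: skip it
        unknown += [q for q in qs if not is_known(q[0])]
    return unknown


# Constructed captures: the reverse lookup of the interface address that
# Mike describes, an NTP pool name, and one nobody expected.
SAMPLE = [
    build_query("10.1.168.192.in-addr.arpa", 12),
    build_query("0.gentoo.pool.ntp.org", 1),
    build_query("tracker.example.net", 1),
]

if __name__ == "__main__":
    for name, qtype in triage(SAMPLE):
        print(f"unexpected query: {name} ({qtype})")
```

The name parser bounds compression-pointer hops and rejects oversized labels because the packets come off the wire, not from a trusted resolver. A PTR query for your own address in the leftovers usually points at the gethostbyaddr calls Mike mentions (display managers, syslog with name resolution) rather than at anything worth an audit.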



* Re: How to identify local source of connection (program and user)
  2008-11-30 14:06 How to identify local source of connection (program and user) akuda
  2008-11-30 14:38 ` Herta Van den Eynde
  2008-11-30 17:02 ` Michael H. Warfield
@ 2008-11-30 18:48 ` Glynn Clements
  2 siblings, 0 replies; 4+ messages in thread
From: Glynn Clements @ 2008-11-30 18:48 UTC (permalink / raw)
  To: akuda; +Cc: linux-admin


akuda wrote:

> Recently I found some unidentified outgoing connections (UOC, instead of
> UFO) from one of my Linux machines (Gentoo, firewall by vuurmuur.org via
> iptables). Those UOCs occur soon after boot time, even though I closed all
> services. These are DNS calls.
>    So I asked my friends, full-time admins, how to check which program
> requests access to the internet, and what user started this program. If, for
> example, the RIAA came to some university telling them that from their IP
> someone is downloading "Lilo & Stitch" illegally, the admin should be able
> to tell who turned on bittorrent :) . And what struck me was the fact that
> they actually didn't know! They asked me to hunt for those UOCs, and then
> type netstat with some options, to get the path to the binary, and locate it in
> someone's home directory (the bittorrent client probably won't be installed
> as a general bin for all users :) ).
>    Any other idea how to do it? Can I force Linux to log who and how is
> requesting an outgoing connection?

You can tell iptables to log the UID with the --log-uid option, but if
it's UID 0 (root), that doesn't tell you much.

You could configure iptables to block "unknown" outbound DNS queries,
and hope that whatever is sending them generates an error message when
the lookup fails.

You can use tcpdump to log outbound DNS queries, eliminate "known"
queries, and examine the remainder to see if the content of the
queries provides some clues as to the origin.

As a last resort, you could modify the source for libnss_dns or
libresolv to log the current PID.

-- 
Glynn Clements <glynn@gclements.plus.com>

