
Finding UID that is generating traffic

And though our hearts are broken
We have to wipe the tears away
In vain they did not suffer
Ten Thousand Strong will seize the day

(Iced Earth – Ten Thousand Strong)

Did you ever have one of those days when you notice strange traffic in your firewall logs and don't know who is responsible for it? Is your machine compromised, or is it legitimate traffic? Or maybe your server ends up on SPAM blacklists every now and then although mail.log is as clean as your car? The first step in this case is to find out which UID is responsible for the suspicious traffic.
iptables on Linux offers the owner match, which is valid only in the OUTPUT and POSTROUTING chains and matches characteristics of the packet creator: the UID or GID that owns the sending socket, or simply whether an owning socket exists. Of course this works only for locally generated packets; forwarded traffic, and packets the kernel itself produces without a socket, never match. So, in this example we'll try to match the UID of the user that's sending strange traffic. First of all, let's enumerate all UIDs that currently have running processes (the list below is sorted as strings, which is why 89 comes after 502):

# ps -ef n | grep -v UID | sed 's/^\s*//' | cut -d' ' -f1 | sort | uniq
0
25
27
29
32
38
43
482
487
488
490
501
502
89
91
97
99

The next step is to generate iptables rules in the OUTPUT chain that log outgoing connections. Let's suppose we want to focus on packets going to destination port SMTP (TCP/25), because we suspect that someone is sending mail directly to remote servers, bypassing the local MTA. We can achieve this by running:

# for i in \
`ps -ef n | grep -v UID | sed 's/^\s*//' | cut -d' ' -f1 | sort | uniq`; \
do \
  iptables -A OUTPUT \
    -m owner --uid-owner $i \
    -p tcp --dport 25 \
    -j ULOG --ulog-prefix "GENERATED BY UID $i: "; \
done

With iptables populated, we can sit back in a comfortable chair and tail the log. Two things to check first: ULOG only delivers packets if ulogd is running (and the ipt_ULOG target was removed from the kernel in 3.17, after which NFLOG with ulogd2, or a plain LOG target writing to the kernel log, takes its place and produces the same line format), and since the rules were appended with -A, an earlier rule in OUTPUT that already accepts port 25 would stop traversal before our non-terminating log rules, in which case insert them at the top with -I OUTPUT instead. Then:

# tail -f /var/log/ulog/ulog/syslogemu | grep "GENERATED BY UID"
Dec  6 17:07:10 hostname GENERATED BY UID 502:  IN= OUT=eth0 MAC=
  SRC=local_ip DST=64.12.90.33 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1285
  DF PROTO=TCP SPT=54558 DPT=25 SEQ=1228047343 ACK=0 WINDOW=5840 SYN URGP=0 
Dec  6 17:07:10 hostname GENERATED BY UID 502:  IN= OUT=eth0 MAC=
  SRC=local_ip DST=65.55.92.152 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=21290
  DF PROTO=TCP SPT=52895 DPT=25 SEQ=2552747462 ACK=0 WINDOW=5840 SYN URGP=0  
Dec  6 17:07:10 hostname GENERATED BY UID 502:  IN= OUT=eth0 MAC=
  SRC=local_ip DST=173.194.69.26 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=46380 CE
  DF PROTO=TCP SPT=46744 DPT=25 SEQ=314520542 ACK=0 WINDOW=5840 SYN URGP=0 
Dec  6 17:07:10 hostname GENERATED BY UID 502:  IN= OUT=eth0 MAC=
  SRC=local_ip DST=173.194.69.26 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=46381 CE
  DF PROTO=TCP SPT=46744 DPT=25 SEQ=314520543 ACK=814882206 WINDOW=46 ACK URGP=0 
Dec  6 17:07:10 hostname GENERATED BY UID 502:  IN= OUT=eth0 MAC=
  SRC=local_ip DST=98.139.54.60 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=57227 CE
  DF PROTO=TCP SPT=54942 DPT=25 SEQ=2517129359 ACK=0 WINDOW=5840 SYN URGP=0 
Dec  6 17:07:10 hostname GENERATED BY UID 502:  IN= OUT=eth0 MAC=
  SRC=local_ip DST=173.194.69.26 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=46382 CE
  DF PROTO=TCP SPT=46744 DPT=25 SEQ=314520543 ACK=814882251 WINDOW=46 ACK URGP=0 
Dec  6 17:07:10 hostname GENERATED BY UID 502:  IN= OUT=eth0 MAC=
  SRC=local_ip DST=173.194.69.26 LEN=58 TOS=00 PREC=0x00 TTL=64 ID=46383 CE
  DF PROTO=TCP SPT=46744 DPT=25 SEQ=314520543 ACK=814882251 WINDOW=46 ACK PSH URGP=0  
Dec  6 17:07:10 hostname GENERATED BY UID 502:  IN= OUT=eth0 MAC=
  SRC=local_ip DST=65.54.188.110 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=54361 CE
  DF PROTO=TCP SPT=44414 DPT=25 SEQ=3003601745 ACK=0 WINDOW=5840 SYN URGP=0

OK, so we've found out the culprit: UID 502 is opening SMTP connections straight to several remote mail servers (one SYN to port 25 per destination in the log above), bypassing the local MTA. Map the UID to an account with getent passwd 502, and to the actual processes with ps -u 502 -o pid,cmd or lsof -a -u 502 -i TCP:25, before deciding whether it is a compromised web application, a misconfigured script or simply a user who should be relaying through the MTA.

Note that we only monitor UIDs that had a running process at the moment we enumerated them; a UID whose process starts later, or a packet with no owning socket, matches none of these rules and goes unlogged. Whether to log all UIDs that exist on the local system, or to append a final logging rule without an owner match as a catch-all, is out of scope of this article and depends on each particular case.

Hope you guys enjoyed it and see you guys next time (by my favorite e-sports commentator – Husky) 😉

Categories: Linux, Security