Hi
I'm having an issue that I'm starting to think is suspicious and I'm
wondering if rkhunter should have picked it up.
This is the setup.
* debian jessie amd64, with backports kernel (4.9). rkhunter 1.4.2-0,
rsync 3.1.1-3.
* debsums is happy with the checksums of the rsync & rkhunter package files.
* after boot, rsync daemon starts ok listening on 873/tcp
* something seems to take over the connection so that rsync clients
start failing:
$ rsync localhost::
rsync: failed to connect to localhost (127.0.0.1): Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(128)
[Receiver=3.1.1]
* I get similar failures connecting to the affected host's rsync service
from other machines.
* In netstat -an I see there is a connection to another host on port 2049
$ netstat -anp|grep 873
tcp 0 0 1.2.3.4:873 1.2.3.5:2049 ESTABLISHED -
* however, I can't find any associated process
using lsof, fuser, ss or unhide-tcp. rkhunter --check is clean.
Things I tried
* grubbing around in /proc/net/tcp shows the connection
but did not yield any related UIDs other than 0.
* I tried chasing down the inode numbers mentioned
in the /proc/net/tcp entry but the system has multiple filesystems
so I could use some pointers on the use of debugfs.
* If I kill the connection with tcpkill, it comes back after a variable delay;
the delay is a few seconds at least.
* After killing the tcp connection I was able to restart rsync and
get it to bind to port 873, but it gets taken over again not long after.
* stracing the tcpkill process didn't yield any clues about
what is taking over the connection.
* tcpdumping the connection on 1.2.3.4 shows rsync traffic.
Early on I was seeing headers and data, now all I seem to see is
the server startup and MOTD string.
Wireshark flags occasional duplicate ACKs and reused tcp ports.
* tcpdumping the connection on 1.2.3.5 shows much the same.
Does this sound familiar to anyone? Any ideas on what to try next?
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
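Added example for the inode-chasing step in the post above; it is not code from the original poster, rkhunter or rsync, and the script name, function names and sample data are assumptions. It reads /proc/net/tcp, decodes the little-endian hex address fields, and for every socket on the chosen port walks /proc/<pid>/fd looking for the symlink target socket:[inode], which is the same mapping lsof and ss rely on. The constructed sample reproduces the netstat line from the post (1.2.3.4:873 to 1.2.3.5:2049). Two caveats a practitioner should keep in mind: an inode of 0 with uid 0 in /proc/net/tcp means the socket has no userspace file at all, which is how kernel-created sockets look (the sunrpc transport opened by the in-kernel NFS client is one such socket, and that client also picks a reserved source port below 1024), so "no owner" is not by itself evidence of a hidden process; conversely, a process hidden from /proc would also show no owner, which is why the result should be compared against a tool like unhide-tcp rather than trusted alone.

```python
#!/usr/bin/env python3
"""socket_owner.py (hypothetical name): map /proc/net/tcp entries to owning PIDs.

Usage: sudo ./socket_owner.py [port]        # scan the live system
       ./socket_owner.py --demo [port]      # run on the constructed sample below
Run as root on the live system; /proc/<pid>/fd of other users' processes is
unreadable otherwise and those processes would wrongly appear ownerless.
"""
import os
import socket
import struct
import sys

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample of /proc/net/tcp (not captured from the poster's host):
# line 0 is rsyncd listening on 873 with a real socket inode, line 1 is an
# established 1.2.3.4:873 -> 1.2.3.5:2049 connection with inode 0 (no file).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 04030201:0369 05030201:0801 01 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 -1
"""


def decode_addr(hexaddr):
    """'0100007F:0369' -> ('127.0.0.1', 873); /proc stores IPv4 in host (LE) order."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into dicts with local, remote, state, uid, inode."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):   # skip header / junk lines
            continue
        conns.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns


def owners_of_inode(inode, proc_root="/proc"):
    """Return [(pid, fd)] for every process whose fd table holds socket:[inode]."""
    target = f"socket:[{inode}]"
    owners = []
    if not os.path.isdir(proc_root):
        return owners
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:        # process exited, or not root: treat as unknown
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append((int(pid), int(fd)))
            except OSError:
                continue
    return owners


def describe(conns, port, proc_root="/proc"):
    """Pair each socket using `port` with its owners; None marks a kernel socket."""
    out = []
    for c in conns:
        if port in (c["local"][1], c["remote"][1]):
            owners = None if c["inode"] == 0 else owners_of_inode(c["inode"], proc_root)
            out.append((c, owners))
    return out


def main(argv):
    demo = "--demo" in argv
    args = [a for a in argv[1:] if a != "--demo"]
    port = int(args[0]) if args else 873
    if demo:
        conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    else:
        with open("/proc/net/tcp") as fh:
            conns = parse_proc_net_tcp(fh.read())
    for c, owners in describe(conns, port, "/nonexistent" if demo else "/proc"):
        who = ("kernel socket (inode 0, no userspace file)" if owners is None
               else ", ".join(f"pid {p} fd {fd}" for p, fd in owners) or
               "no owning process found in /proc (hidden, exited, or not root)")
        print(f"{c['local'][0]}:{c['local'][1]} -> {c['remote'][0]}:{c['remote'][1]} "
              f"{c['state']} uid={c['uid']} inode={c['inode']}: {who}")


if __name__ == "__main__":
    main(sys.argv)
```

With `--demo` the listening socket reports no owner only because the demo deliberately points at a nonexistent proc root; on the live system run it as root and compare its output with `ss -tanp` and `unhide-tcp`, since the three disagreeing is the interesting case.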