Courious "unknown" entries in "netstat" output

Sheridan · 01-28-2008, 04:41 AM

Lately, I've ben starting to see some strange entries in netstat output:

Please note the line with [UNKNOWN]:10410...

Code:

tcp        0      0 11.0.37.1:41991             mysql.ccv:mysql             ESTABLISHED
tcp        0      0 11.0.37.1:41963             mysql.ccv:mysql             ESTABLISHED
tcp        0      0 11.0.37.1:50594             mysql.ccv:mysql             ESTABLISHED
getnameinfo failed
tcp        0      0 estdtagwy01.tech.nmsama:ssh [UNKNOWN]:10410             ESTABLISHED
tcp        0      0 estdtagwy01.tech.nmsama:ssh ::ffff:11.0.38.12:sis-emt   ESTABLISHED
tcp        0      0 estdtagwy01.tech.nmsama:ssh admin.unideb.hu:46541     ESTABLISHED

What can cause this? I'm getting real concerned that I may be compromised.

(Edited typo)

Sheridan · 01-28-2008, 04:47 AM

Update:

With lsof I managed to find out that it's the extern. IP of our outsource partner for development and they do legitimate work on the server...

However... I still don't understand why netstat shows UNKNOWN...

(Also, I guess this thread no longer belongs to "security", but rather "Networking"...)

unSpawn · 01-28-2008, 06:17 AM

Try using 'dig -x' to resolve the IP address and see what errors it returns.
Maybe some DNS server claiming not being authoritative where it should be or like that.
BTW 'netstat -n' is faster because it doesn't need to resolve IP to hostname resolution first.

Sheridan · 01-28-2008, 09:24 AM

Quote:

Originally Posted by unSpawn

Try using 'dig -x' to resolve the IP address and see what errors it returns.

Thanks!

I get this when I try resolving their external IP:

Code:

[root@estdtagwy01 ~]# dig -x 125.16.20x.xxx

; <<>> DiG 9.4.2 <<>> -x 125.16.20x.xxx
;; global options:  printcmd
;; connection timed out; no servers could be reached

... however, resolving something else like this, works fine:

Code:

[root@estdtagwy01 ~]# dig -x 209.85.135.99

; <<>> DiG 9.4.2 <<>> -x 209.85.135.99
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1987
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;99.135.85.209.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
99.135.85.209.in-addr.arpa. 2006 IN     PTR     mu-in-f99.google.com.

;; AUTHORITY SECTION:
135.85.209.in-addr.arpa. 10718  IN      NS      ns1.google.com.
-----------CUT-----------

;; ADDITIONAL SECTION:
ns4.google.com.         4952    IN      A       216.239.38.10
-----------CUT-----------

;; Query time: 2 msec
;; SERVER: 11.0.37.1#53(11.0.37.1)
;; WHEN: Mon Jan 28 17:21:29 2008
;; MSG SIZE  rcvd: 214

So... it seems to be with this one IP only so far.

Now they have left office for today so I cannot investigate further until tomorrow...

deadeyes · 09-01-2009, 07:36 AM

Sorry to bump this thread up again...
But I still wonder why UNKNOWN is in the Foreign Address column.

I tried to find an answer on this question on google but without luck.

Does anyone know what conditions trigger the UNKNOWN text to be shown?

unSpawn · 09-01-2009, 09:09 AM

If you don't supply "-n" then I'd say resolution errors. If that doesn't do it for you then you could always get the "net-tools" source and see if 'grep -r . -e UNKNOWN' or reading netstat.c at around lines 902, 1162 and 1195 (valid for net-tools-1.60) makes more sense.