LinuxQuestions.org


NuxIT 05-18-2006 03:01 AM

Strange tcpdump activity.
 
Hi, I've noticed the last few times I've ssh'd into my Linux laptop box at home that I've had strange activity coming from this website. Any ideas why the hell my machine randomly communicates with this website? I've run chkrootkit and a full virus scan using f-prot and come up clean. What the hell could be causing this? Makes me want to DOS this damn webpage.. Grrrr.. Frustrated.... When you plug in newswww2.thny.bbc.co.uk to a web browser it brings up their site. I just have NO IDEA why my box randomly communicates with this damn uk website. F@#K IN A. Please help. I need to set up a host.deny filter for now at least to block this. Any tips/ideas appreciated.. I hate strange network activity. Yeah, I'm nuts.. F-ing interweb.


op,nop,timestamp 1213686597 32441687>
01:55:00.763121 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: P 1:304(303) ack 765 win 32922 <nop,nop,timestamp 1213686597 32441687>
01:55:00.763207 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 304 win 1728 <nop,nop,timestamp 32441773 1213686597>
01:55:00.765285 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: . 304:1752(1448) ack 765 win 32922 <nop,nop,timestamp 1213686597 32441687>
01:55:00.765385 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 1752 win 2452 <nop,nop,timestamp 32441775 1213686597>
01:55:00.852793 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: . 1752:3200(1448) ack 765 win 32922 <nop,nop,timestamp 1213686605 32441775>
01:55:00.852902 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 3200 win 3176 <nop,nop,timestamp 32441863 1213686605>
01:55:00.854004 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: . 3200:4648(1448) ack 765 win 32922 <nop,nop,timestamp 1213686605 32441775>
01:55:00.854116 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 4648 win 3900 <nop,nop,timestamp 32441864 1213686605>
01:55:00.855282 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: . 4648:6096(1448) ack 765 win 32922 <nop,nop,timestamp 1213686605 32441775>
01:55:00.855387 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 6096 win 4624 <nop,nop,timestamp 32441865 1213686605>

acid_kewpie 05-18-2006 03:19 AM

check your ps output for a process that is doing this. just sounds like a news ticker or something. possibly an rss feed in firefox or something.
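
Added example, not part of the thread: one way to go from the capture above to the process that owns the connection, by taking the local port from the tcpdump lines, finding that socket's inode in /proc/net/tcp, and matching it against /proc/<pid>/fd (the same lookup `netstat -tnp` or `lsof -i` performs). The function names are hypothetical, and the /proc/net/tcp row, its inode and the 192.0.2.10 remote address are constructed sample values.

```python
import os, re

# Two lines copied from the capture in the first post.
CAPTURE = """\
01:55:00.763121 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: P 1:304(303) ack 765 win 32922 <nop,nop,timestamp 1213686597 32441687>
01:55:00.763207 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 304 win 1728 <nop,nop,timestamp 32441773 1213686597>
"""

# Constructed /proc/net/tcp excerpt (not from the thread): 10.16.0.52:48746
# (0xBE6A) -> 192.0.2.10:80, state 01 (ESTABLISHED), socket inode 91234.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3400100A:BE6A 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 91234 1 0000000000000000 20 4 30 10 -1
"""

def local_ports(capture, local_ip):
    """Return the set of TCP ports used by local_ip in tcpdump text output."""
    pat = re.compile(r"\b" + re.escape(local_ip) + r"\.(\d+)[ :]")
    return {int(m.group(1)) for m in pat.finditer(capture)}

def socket_inodes(proc_net_tcp, port):
    """Return inodes of sockets in /proc/net/tcp text bound to local port."""
    inodes = set()
    for line in proc_net_tcp.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) > 9 and int(f[1].rsplit(":", 1)[1], 16) == port:
            inodes.add(f[9])                             # field 9 is the inode
    return inodes

def pids_for_inodes(inodes, proc="/proc"):
    """Map socket inodes to (pid, command line) by scanning <proc>/<pid>/fd."""
    hits = set()
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:[") and target[8:-1] in inodes:
                    with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                        cmd = fh.read().replace(b"\0", b" ").decode(errors="replace")
                    hits.add((int(pid), cmd.strip()))
        except OSError:              # process exited, or fd directory not readable
            continue
    return hits

if __name__ == "__main__":           # live lookup on the capturing host
    live = open("/proc/net/tcp").read()
    for port in local_ports(CAPTURE, "10.16.0.52"):
        print(port, pids_for_inodes(socket_inodes(live, port)))
```

Run it as root while the connection is still open, since another user's /proc/<pid>/fd is not readable otherwise and a closed socket no longer has a row to match.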

NuxIT 05-18-2006 03:35 AM

Quote:

Originally Posted by acid_kewpie
check your ps output for a process that is doing this. just sounds like a news ticker or something. possibly an rss feed in firefox or something.

Hey, thanks buddy.. I'm way too paranoid for my own good.. You're probably totally right about this. I do have firefox open on that laptop right now at home with the sage (RSS_reader) plugin installed so that would make sense. Damn, I'm losing it.. Just trying to lock things down and learn a little in the process. I was very pissed that my knoppix box randomly started serving port 80 using thttpd out of nowhere earlier.. grrrr... Angry user on board..


All times are GMT -5.