Old 05-18-2006, 03:01 AM   #1
NuxIT
Member
 
Registered: Jul 2003
Location: Westminser, CO
Distribution: xUbuntu
Posts: 76

Rep: Reputation: 20
Strange tcpdump activity.


Hi, I've noticed the last few times I've ssh'd into my Linux laptop box at home that I've had strange activity coming from this website. Any ideas why the hell my machine randomly communicates with this website? I've run chkrootkit and a full virus scan using f-prot and come up clean. What the hell could be causing this? Makes me want to DOS this damn webpage.. Grrrr.. Frustrated.... When you plug in newswww2.thny.bbc.co.uk to a web browser it brings up their site. I just have NO IDEA why my box randomly communicates with this damn uk website. F@#K IN A. Please help. I need to set up a host.deny filter for now at least to block this. Any tips/ideas appreciated.. I hate strange network activity. Yeah, I'm nuts.. F-ing interweb.


op,nop,timestamp 1213686597 32441687>
01:55:00.763121 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: P 1:304(303) ack 765 win 32922 <nop,nop,timestamp 1213686597 32441687>
01:55:00.763207 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 304 win 1728 <nop,nop,timestamp 32441773 1213686597>
01:55:00.765285 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: . 304:1752(1448) ack 765 win 32922 <nop,nop,timestamp 1213686597 32441687>
01:55:00.765385 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 1752 win 2452 <nop,nop,timestamp 32441775 1213686597>
01:55:00.852793 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: . 1752:3200(1448) ack 765 win 32922 <nop,nop,timestamp 1213686605 32441775>
01:55:00.852902 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 3200 win 3176 <nop,nop,timestamp 32441863 1213686605>
01:55:00.854004 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: . 3200:4648(1448) ack 765 win 32922 <nop,nop,timestamp 1213686605 32441775>
01:55:00.854116 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 4648 win 3900 <nop,nop,timestamp 32441864 1213686605>
01:55:00.855282 IP newswww2.thny.bbc.co.uk.www > 10.16.0.52.48746: . 4648:6096(1448) ack 765 win 32922 <nop,nop,timestamp 1213686605 32441775>
01:55:00.855387 IP 10.16.0.52.48746 > newswww2.thny.bbc.co.uk.www: . ack 6096 win 4624 <nop,nop,timestamp 32441865 1213686605>
 
Old 05-18-2006, 03:19 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
check your ps output for a process that is doing this. just sounds like a news ticker or something. possibly an rss feed in firefox or something.
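
Added example, not part of the original thread: one way to follow the suggestion above is to match the local port seen in the capture (48746) to a socket inode in /proc/net/tcp and then to the process holding that socket, which is the lookup `netstat -tnp` and `lsof -i` perform. The sample table, the remote address 192.0.2.10, the inode and PID values, and the function names are constructed for illustration; the hex decoding assumes a little-endian host.

```python
import os
import socket
import struct
import sys

# Constructed sample in /proc/net/tcp layout (little-endian host): a listener
# on port 22, and 10.16.0.52:48746 -> 192.0.2.10:80 in state 01 (ESTABLISHED).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 3400100A:BE6A 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
"""

def decode_endpoint(field):
    """'3400100A:BE6A' -> ('10.16.0.52', 48746); address is a little-endian u32."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def find_sockets(table_text, local_port):
    """Return one dict per IPv4 TCP socket whose local port matches."""
    hits = []
    for line in table_text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        local, remote = decode_endpoint(f[1]), decode_endpoint(f[2])
        if local[1] == local_port:
            hits.append({"local": local, "remote": remote, "state": f[3],
                         "uid": int(f[7]), "inode": int(f[9])})
    return hits

def pids_for_inode(inode, proc_root="/proc"):
    """Find processes holding socket:[inode]; other users' fds need root to read."""
    target, owners = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            fd_dir = os.path.join(proc_root, pid, "fd")
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                    cmd = fh.read().replace(b"\0", b" ").decode(errors="replace")
                owners.append((int(pid), cmd.strip()))
        except OSError:                               # process exited or no permission
            continue
    return owners

if __name__ == "__main__":                            # usage: script.py 48746
    with open("/proc/net/tcp") as fh:
        for s in find_sockets(fh.read(), int(sys.argv[1])):
            print(s, pids_for_inode(s["inode"]))
```

IPv6 sockets are listed in /proc/net/tcp6, which uses a different address encoding and is not handled here.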
 
Old 05-18-2006, 03:35 AM   #3
NuxIT
Member
 
Registered: Jul 2003
Location: Westminser, CO
Distribution: xUbuntu
Posts: 76

Original Poster
Rep: Reputation: 20
Quote:
Originally Posted by acid_kewpie
check your ps output for a process that is doing this. just sounds like a news ticker or something. possibly an rss feed in firefox or something.
Hey, thanks buddy.. I'm way too paranoid for my own good.. You're probably totally right about this. I do have firefox open on that laptop right now at home with the sage (RSS_reader) plugin installed so that would make sense. Damn, I'm losing it.. Just trying to lock things down and learn a little in the process. I was very pissed that my knoppix box randomly started serving port 80 using thttpd out of nowhere earlier.. grrrr... Angry user on board..
 
  

