I would like to reiterate what I have said about this regular ip range visitor. I could see that member of this iprange first connects to my pc on port 80 with an syn_sent state. I could see this by using then another member ip connects with the same syn_sent state on port 80 and whenever this other ip connects my pc goes very slow like its going to hangup. I couldn't move my mouse, then all of a sudden my screen just popped blackout on me then it goes back to normal. I even tried blocking this ip on iptables using but the bloody ip's always could get connected to port 80. wtf is going on? How would I check my pc for intrusions and to check for ports that is opened to the Internet?

Have you got a Firewall installed? You could just block all the ports and look how it goes.

Ok...

First off, this isn't an intrusion into your system. You can relax.

The connection you are referring to in your netstat output is an *outbound* connection from your system. What you are seeing is a connection from your firefox web browser to an external IP address. There's a pretty good chance that you will not see this type of connection going on if you don't have any web browsers open when you run this command. Do keep in mind that this connection state can persist until your TCP stack times out. So give it a few minutes to clear up before you check.

Second, that iptables command you are setting up in your system will wind up causing you nothing but problems. You are telling iptables to drop anything from the ip range that your own computer uses. This can include your own computer, depending on which chain you place the rule in. Not only that, but it can keep some of the critical network systems in your range like DNS from working when you need them. I would not suggest running this particular rule unless you *really* know what you are doing with iptables, and you *really* understand the topology of the network you are using.

Overall, what you are seeing is a normal TCP connection sequence event resulting from opening a web browser on your computer. If you are interested, you can test this out with the following command:

Then, in another console, execute this:

I'd be willing to bet you'll see the same type of "SYN_SENT" line with only a couple of differences... It'll be going to the "1.2.3.4" IP, and it'll be using port 23 (telnet) instead of port 80 (HTTP).

In order to determine which ports are open to the internet on your computer, this command (run as root) will show you everything that is accepting inbound connections:

The first column in the output is the name of the program responsible for accepting the inbound connection.

So to sum it up: It's good to be vigilant on your system, and I do recommend running a firewall if your computer is directly connected to the internet. But this particular incident was nothing malicious. Just normal traffic on your system as a result of the use of a web browser.

As far as your computer slowing to a crawl, I'd start looking elsewhere for the culprit. For example, try running the "top" command from a command line and sorting the output to determine what's using the most CPU with the "P" (upper case) key, or sorting it by memory usage using the "M" (again, upper case) key.

Hope this helps...

Thanks.

No, it doesn't just shows when I am using a browser, it shows too with my wineserver. And when I am idle or I stop browsing on some website or simply just doing nothing somehow it goes away. But the weird thing is it only shows when I am logged in on certain PPC/SEO sites and on linux forums. It's like its monitoring my every net activity or something.
Can you elaborate on this please. What happens when I would put it on either INPUT/OUTPUT/FORWARD chain? No, I don't really know what I am doing with iptables or understand my network topology. All I was trying to do was looking for a way to block this iprange and so I tried googling it. And when I found it, I tried applying it. It seemed to work fine but I found out later on it did not. (I got ufw and firestarter installed.)

Now that you have mentioned it, I am trying to know more about how to obtain, understand, configure my network topology if its even configurable. Then maybe I wouldn't be so noob like this. Now with this code started offline, it shows my wineserver and 2 unknowns. (sorry, I forgot to copy and paste my pc got hangedup again.) but when its started online it shows this:

Like this one: As you can see here, the freakin 5.6.7.8 ip has taken over my browser. If these are outbound connections coming from my system then maybe it has already installed itself without my f****n knowledge. I am a sitting duck and I don't know what to do about it until it times out.

Again, you are most likely not being hacked... This is normal browser activity. The browser has been told (either by a website, or by some extension/plugin that you have installed) to connect to this address, and the address is not responding in a timely manner. This causes your system to leave the ports in a "waiting for a reply" state until they time out. This doesn't mean it's something that shouldn't be fixed though. If you have a firefox extension/addon installed that is failing to connect to a site, and is causing your system to slow down as a result, you should uninstall it.

If you are sincerely concerned that this is an intrusion incident on your system, stop obfuscating the destination IP addresses of the suspicious traffic. This way, we can at least see where the connection attempts are going. If it's something you aren't telling your browser to go to, then the first thing to investigate is to look at where it's trying to go.

It's perfectly sensible to obfuscate your source IP if it is a public, routable IP address. However, if your IP is a 10.x.x.x, a 192.168.x.x, or a 172.16.x.x through a 172.32.x.x address, you don't have to go through the trouble of obfuscating anything, because that information is useless to anyone outside your network.

I think I have found which application (mailserver) on my box the second ip range use its access coz it was actually listening for incoming connections. But I couldn't figure out the first one though. I have initially closed the application cupsd for my printer and yet still it appears on netstat. I have tiger and chkrootkit installed but I still have to read for the right combination of commands to make the mark. Still researching.

Is there any application you could suggest that would close an IP address connected to you, like what the command would do but only its TCP connections?