Originally Posted by n00b1shzyx
I would like to reiterate what I have said about this regular ip range visitor. I could see that member of this iprange first connects to my pc on port 80 with an syn_sent state. I could see this by using
sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 a.b.c.d:e 0.0.0.0:* LISTEN 5360/cupsd
tcp 0 1 a.b.c.d:33161 a.b.c.d:80 SYN_SENT 7928/firefox
then another member ip connects with the same syn_sent state on port 80 and whenever this other ip connects my pc goes very slow like its going to hangup. I couldn't move my mouse, then all of a sudden my screen just popped blackout on me then it goes back to normal. I even tried blocking this ip on iptables using
iptables -I INPUT -m iprange --src-range a.b.c.d-a.b.c.d -j DROP
but the bloody ip's always could get connected to port 80. wtf is going on? How would I check my pc for intrusions and to check for ports that is opened to the Internet?
First off, this isn't an intrusion into your system. You can relax.
The connection you are referring to in your netstat output is an *outbound* connection from your system. What you are seeing is a connection from your firefox web browser to an external IP address. There's a pretty good chance that you will not see this type of connection going on if you don't have any web browsers open when you run this command. Do keep in mind that this connection state can persist until your TCP stack times out. So give it a few minutes to clear up before you check.
Second, that iptables command you are setting up in your system will wind up causing you nothing but problems. You are telling iptables to drop anything from the ip range that your own computer uses. This can include your own computer, depending on which chain you place the rule in. Not only that, but it can keep some of the critical network systems in your range like DNS from working when you need them. I would not suggest running this particular rule unless you *really* know what you are doing with iptables, and you *really* understand the topology of the network you are using.
Overall, what you are seeing is a normal TCP connection sequence event resulting from opening a web browser on your computer. If you are interested, you can test this out with the following command:
Then, in another console, execute this:
I'd be willing to bet you'll see the same type of "SYN_SENT" line with only a couple of differences... It'll be going to the "18.104.22.168" IP, and it'll be using port 23 (telnet) instead of port 80 (HTTP).
In order to determine which ports are open to the internet on your computer, this command (run as root) will show you everything that is accepting inbound connections:
lsof -i -nN -P | grep -i listen
The first column in the output is the name of the program responsible for accepting the inbound connection.
So to sum it up: It's good to be vigilant on your system, and I do recommend running a firewall if your computer is directly connected to the internet. But this particular incident was nothing malicious. Just normal traffic on your system as a result of the use of a web browser.
As far as your computer slowing to a crawl, I'd start looking elsewhere for the culprit. For example, try running the "top" command from a command line and sorting the output to determine what's using the most CPU with the "P" (upper case) key, or sorting it by memory usage using the "M" (again, upper case) key.
Hope this helps...