LinuxQuestions.org
Old 01-29-2008, 09:43 PM   #1
genix
LQ Newbie
 
Registered: Jul 2007
Distribution: slackware
Posts: 23

Rep: Reputation: 15
browsers opening too many connections as root


Noticed what looks like a nasty problem, just wanting to confirm.
I just started to run netstat with a 2 second sleep so I can always keep an eye on connections. Today I have noticed that when running my browser as my normal user I get ROOT opening up a lot of connections to the same sites. This is not good. It has happened when I use Firefox or Konqueror; I have not noticed it when I use links yet, but will do further testing. Here is an example of what netstat reports when I connect to linuxquestions right now:
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode
tcp 0 0 *:sunrpc *:* LISTEN root 8506
tcp 0 0 192.168.1.2:50038 linuxquestions.cac:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:50037 linuxquestions.cac:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:39321 pagead.l.google.co:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:39336 pagead.l.google.co:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:39335 pagead.l.google.co:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:50040 linuxquestions.cac:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:50041 linuxquestions.cac:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:38909 www-google-analyti:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:45483 www.gentoo.org:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:50042 linuxquestions.cac:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:39334 pagead.l.google.co:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:45486 www.gentoo.org:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:39312 pagead.l.google.co:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:39323 pagead.l.google.co:http TIME_WAIT root 0
tcp 1 0 192.168.1.2:50044 linuxquestions.cac:http CLOSE_WAIT hellman 6657901
tcp 0 0 192.168.1.2:50039 linuxquestions.cac:http TIME_WAIT root 0

The inodes are all zero, and there are A LOT of connections for just one browser. It looks very much like a rootkit or trojan;
then again this could be the default behavior. Any ideas??? I recently got rid of the "numbers links" add_on from Firefox; in fact I removed the entire browser (I noticed Firefox and Firefox only making strange connections with this plugin and I was only connecting to my router).

Last edited by genix; 01-29-2008 at 09:50 PM.
 
Old 01-30-2008, 08:33 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
Quote:
Originally Posted by genix
when running my browser as my normal user I get ROOT opening up a lot of connections to the same sites (..) The inodes are all zero, and there are A LOT of connections for just one browser
It doesn't spell "root" anywhere and there ain't a lot of conns (all relative of course). Next time run netstat with "-np", which makes it faster (it does not resolve addresses) and shows the process name of the connection. If you ph33r malicious activity there are three approaches: 0) deny traffic and see what happens or 1) run Wireshark to see protocol breakdowns and follow traffic streams or 2) log packets to file with say tcpdump and run the capture through Snort to see if it says anything (and I highly doubt it will).
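
Added example (editor's code, not part of either post): on Linux a TCP connection in TIME_WAIT is no longer attached to any process, so the kernel reports it with inode 0 and uid 0, which netstat prints as "root". The sketch below uses rows copied from the output in post #1; the function names `parse` and `triage` are hypothetical. It separates those ownerless rows from sockets whose User column names a real owner.

```python
import collections

# Rows copied from the netstat output in post #1 (columns: proto, recv-q,
# send-q, local, foreign, state, user, inode).
SAMPLE = """\
tcp 0 0 *:sunrpc *:* LISTEN root 8506
tcp 0 0 192.168.1.2:50038 linuxquestions.cac:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:39321 pagead.l.google.co:http TIME_WAIT root 0
tcp 0 0 192.168.1.2:45483 www.gentoo.org:http TIME_WAIT root 0
tcp 1 0 192.168.1.2:50044 linuxquestions.cac:http CLOSE_WAIT hellman 6657901
"""

Row = collections.namedtuple("Row", "proto local foreign state user inode")

def parse(text):
    """Parse TCP rows of this netstat layout; skip headers and junk."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0].startswith("tcp") or not f[7].isdigit():
            continue
        rows.append(Row(f[0], f[3], f[4], f[5], f[6], int(f[7])))
    return rows

def triage(rows):
    """Bucket rows by whether the User column can be trusted."""
    buckets = {"no_owner": [], "root_owned": [], "user_owned": []}
    for r in rows:
        if r.inode == 0:
            # No socket inode: the connection is detached from any process
            # (typical for TIME_WAIT). The kernel reports uid 0 here, so
            # "root" is a placeholder, not evidence of a root process.
            buckets["no_owner"].append(r)
        elif r.user in ("root", "0"):
            # Real root-owned socket: identify the process with netstat -np.
            buckets["root_owned"].append(r)
        else:
            buckets["user_owned"].append(r)
    return buckets

if __name__ == "__main__":
    for name, rows in triage(parse(SAMPLE)).items():
        print(f"{name}: {len(rows)}")
        for r in rows:
            print(f"  {r.state:<11} {r.user:<8} {r.local} -> {r.foreign}")
```

On the sample rows only the sunrpc listener lands in `root_owned`; that is the kind of row where the process name from `netstat -np` is worth checking.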
 
  


All times are GMT -5.