Old 04-11-2005, 02:45 PM   #1
ming0
Member
 
Registered: Jul 2003
Location: Boston
Distribution: Ubuntu: Warty & Hoary
Posts: 113

Rep: Reputation: 16
Is someone on my network?! ::ffff:192.168.0.10:ssh ::ffff:192.168.0.:38201 ESTABLISHE


My lan has 2 desktops, a laptop, and a server (all running ubuntu).

I have a d-link router/fw, and all of my computers have firestarter (firewall) running. I have ssh forwarded (from internet) to my desktop, and http forwarded to the server--other than that, my network doesn't have any ports listening on the internet.

I have all my computers running with static IP addresses.

Here's what happens when I run: netstat -a
tcp6 0 0 ::ffff:192.168.0.10:ssh ::ffff:192.168.0.:38201 ESTABLISHED

I don't have any of my computers set up as 192.168.0.10!

Is this normal, or has someone compromised my LAN?

Thanks
 
Old 04-11-2005, 07:41 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Usually the first IP in the netstat output is the local address, which would suggest that is your IP. If you look at the output of 'netstat -pant' what IP is the main sshd service listening on? If it's 0.0.0.0:22 then take a look at the output of 'ifconfig' to see if you have any interfaces listening on that IP.
 
Old 04-11-2005, 09:39 PM   #3
ming0
Okay, I'm not really sure what it is--I'll just put this stuff below
Code:
 dean@server ~ $ netstat -pant
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name 
tcp        0      0 0.0.0.0:19150           0.0.0.0:*               LISTEN     - 
tcp        0      0 192.168.0.102:631       0.0.0.0:*               LISTEN     - 
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     - 
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     - 
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN     - 
tcp        0      0 192.168.0.102:19150     192.168.0.103:37897     ESTABLISHED- 
tcp6       0      0 :::19150                :::*                    LISTEN     - 
tcp6       0      0 :::80                   :::*                    LISTEN     - 
tcp6       0      0 :::22                   :::*                    LISTEN     - 
tcp6       0      0 ::1:25                  :::*                    LISTEN     - 
tcp6       0      0 ::1:6010                :::*                    LISTEN     - 
tcp6       0      0 ::ffff:192.168.0.102:80 ::ffff:66.92.67.7:62197 ESTABLISHED- 
tcp6       0      0 ::ffff:192.168.0.102:80 ::ffff:66.92.67.7:62196 ESTABLISHED- 
tcp6       0      0 ::ffff:192.168.0.102:80 ::ffff:66.92.67.7:62198 ESTABLISHED- 
tcp6       0    288 ::ffff:192.168.0.102:22 ::ffff:192.168.0.:40749 ESTABLISHED- 
tcp6       0      0 ::ffff:192.168.0.102:80 ::ffff:66.92.67.7:62195 ESTABLISHED-
Code:
dean@server ~ $ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:19150                 *:*                     LISTEN
tcp        0      0 192.168.0.102:ipp       *:*                     LISTEN
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN
tcp        0      0 localhost.localdom:6010 *:*                     LISTEN
tcp        0      0 192.168.0.102:19150     dean:37897              ESTABLISHED
tcp6       0      0 *:19150                 *:*                     LISTEN
tcp6       0      0 *:www                   *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 localhost:smtp          *:*                     LISTEN
tcp6       0      0 localhost:6010          *:*                     LISTEN
tcp6       0      0 ::ffff:192.168.0.10:ssh ::ffff:192.168.0.:40749 ESTABLISHED
udp        0      0 *:ipp                   *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     66960    @/tmp/dbus-FQpO1QA0yE
unix  2      [ ACC ]     STREAM     LISTENING     138435   /tmp/orbit-dean/linc-61bd-0-6d7f2be5ee3
***cut***
Code:
dean@server ~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:05:5D:44:0E:C5
          inet addr:192.168.0.102  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::205:5dff:fe44:ec5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11277220 errors:10 dropped:26 overruns:10 frame:0
          TX packets:9047540 errors:0 dropped:0 overruns:5 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2320559171 (2.1 GiB)  TX bytes:2225244915 (2.0 GiB)
          Interrupt:5 Base address:0x6400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:416006 errors:0 dropped:0 overruns:0 frame:0
          TX packets:416006 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:583526573 (556.4 MiB)  TX bytes:583526573 (556.4 MiB)
And just to be sure, the IPs are as follows:

server = 192.168.0.102
desktop 1 = 192.168.0.103
desktop 2 = 192.168.0.100
laptop = 192.168.0.101
router = 192.168.0.1

Other than that, there shouldn't be anyone else on the LAN--though I have wireless (w/ WEP enabled, of course).
 
Old 04-11-2005, 11:18 PM   #4
Capt_Caveman
Actually it looks like the 'netstat -a' output is just truncated. If you compare the entry in netstat -a:
tcp6 0 0 ::ffff:192.168.0.10:ssh ::ffff:192.168.0.:40749 ESTABLISHED

with netstat -pantu you see:
tcp6 0 288 ::ffff:192.168.0.102:22 ::ffff:192.168.0.:40749 ESTABLISHED-

which is the same socket. You might want to play around with the netstat -ae or -av options to get full output.
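
Added example, not part of the original posts: a small Python check that does the comparison above mechanically, matching a possibly truncated `netstat -a` row against numeric `netstat -pant` rows and against the interface addresses from `ifconfig`. The rows are copied from the thread; the 23-character column width and the service-name map are assumptions taken from the output shown here.

```python
# Added example: reconcile a possibly truncated `netstat -a` row with numeric rows.
COL_WIDTH = 23  # assumption: address column width, as observed in the thread's output
SERVICES = {"ssh": 22, "www": 80, "smtp": 25, "ipp": 631}  # service names seen in the thread

# Rows and addresses copied from the thread's netstat and ifconfig output.
ROW_A = "tcp6       0      0 ::ffff:192.168.0.10:ssh ::ffff:192.168.0.:40749 ESTABLISHED"
ROWS_PANT = [
    "tcp        0      0 192.168.0.102:19150     192.168.0.103:37897     ESTABLISHED- ",
    "tcp6       0      0 ::ffff:192.168.0.102:80 ::ffff:66.92.67.7:62197 ESTABLISHED- ",
    "tcp6       0    288 ::ffff:192.168.0.102:22 ::ffff:192.168.0.:40749 ESTABLISHED- ",
]
LOCAL_ADDRS = ["192.168.0.102", "127.0.0.1"]


def endpoint(field):
    """Split 'addr:port' into (addr without the ::ffff: prefix, numeric port or None)."""
    host, _, port = field.rpartition(":")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host, SERVICES.get(port, int(port) if port.isdigit() else None)


def expands_to(short, full, field):
    """True if short == full, or short is a prefix of full and the field fills its column."""
    return short == full or (len(field) >= COL_WIDTH and full.startswith(short))


def local_candidates(field, local_addrs):
    """Interface addresses that a (possibly truncated) local-address field could stand for."""
    host, _ = endpoint(field)
    return [a for a in local_addrs if expands_to(host, a, field)]


def resolve_truncated(row_a, numeric_rows):
    """Full local addresses of numeric rows describing the same socket as row_a."""
    a_local, a_foreign = row_a.split()[3:5]
    (lh, lp), (fh, fp) = endpoint(a_local), endpoint(a_foreign)
    found = []
    for row in numeric_rows:
        n_local, n_foreign = row.split()[3:5]
        (nlh, nlp), (nfh, nfp) = endpoint(n_local), endpoint(n_foreign)
        if (lp, fp) == (nlp, nfp) and expands_to(lh, nlh, a_local) \
                and expands_to(fh, nfh, a_foreign):
            found.append(nlh)
    return found


if __name__ == "__main__":
    print(resolve_truncated(ROW_A, ROWS_PANT))
    print(local_candidates(ROW_A.split()[3], LOCAL_ADDRS))
```

An address that fills its column and matches no interface address or numeric row is the case that deserves a closer look. Current net-tools builds also accept `netstat -W` (`--wide`), which prints addresses without truncation.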
 
Old 04-12-2005, 01:04 AM   #5
ming0
oh, good call... sometimes all it takes is another set of eyes

Thanks for the help!
 
  



All times are GMT -5. The time now is 04:34 AM.
