scared of netstat -a report
I hope this is not a false alarm.
My machine is running Ubuntu 12.04 LTS; it is set up as a LAMP server. I've just run a netstat -a command for the 1st time. What alarmed me were lines like those below:
tcp 0 0 www.testlimo.com:45259 91.190.218.57:12350 ESTABLISHED
tcp 0 0 www.testlimo.com:45961 157.56.52.23:40025 ESTABLISHED
-----------------------------------------------
Now testlimo.com is a local domain only. It is defined in /etc/hosts; the machine is not set up as a DNS server. This machine is behind a NAT router, E3000. I was forwarding ports 80 and 443 (SSL) only. I disabled forwarding today. So why do I see those IP addresses for Singapore, Ireland, Oklahoma and Montreal???? From a local site that is supposed to be dead. I ran tiger - no major failures - just a few 20-30 bad checksums, most for phpunit. If my system is "infected", how do I clean it? |
gene292,
I went onto a system that is not a DNS server. In fact, it generally doesn't provide any services to the outside world. It's a private system on a private LAN. It's behind a NAT router. The machine is given a locally known IP (in principle a "non-routed" IP address) from a local DHCP server. I queried an outside DNS server, to try to make sure there is no domain in the world named "fake_domain.com". I then edited the /etc/hosts file on the private machine, so that the local IP address assigned to the machine was associated with the non-existent domain name "fake_domain.com". After that change to the /etc/hosts file, these are some of the lines from the output of the "netstat -a" command, run on that machine: Code:
Active Internet connections (servers and established)
Why do you mention that the machine is not a DNS server? Why exactly does that concern you? What do you mean by the phrase "a local site that is supposed to be dead"? Do you allow outgoing connections at all? Or any connections? Is Skype in use? |
netstat -a isn't a very good way to determine the domain on the left-hand side (i.e., the local interface). The system's preference for name lookups is usually from files first (look in your nsswitch.conf), in which case it will report whatever comes from /etc/hosts first (since it performs something similar to a gethostaddr() call), without ever querying the actual DNS name. |
Thanks, rigor and orgcandman. That is the case - testlimo.com is 1st in /etc/hosts.
Fooooooo. I mentioned that the machine was not a DNS server, and there is no DNS server in my home yet, to show that there cannot be any access to testlimo from the outside. And since I was not working on testlimo - it should not access any outside sites. So when I saw a Singapore IP addr - I started sweating. :-)
tcp 0 1 www.testlimo.com:57317 111.221.74.25:40011 SYN_SENT
I did not see any reason to trust MS hosting in Singapore. Still not sure why it went there. Some kind of ADV? I'll close this as solved in a couple of days if there is no further input. |
The netstat command shows you the active and reset network connections. Your two examples:
Code:
tcp 0 0 www.testlimo.com:45259 91.190.218.57:12350 ESTABLISHED
You can use the netstat -pane command to get additional information regarding what process is making these connections. |
Great advice Noway2!!!!!!!!!!
Here is netstat -pane, which looks a lot less scary:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 106607761 -
tcp 0 1409 192.168.1.102:38056 173.252.101.26:80 ESTABLISHED 1000 127382733 7511/firefox
tcp 1 0 192.168.1.102:43544 91.189.89.144:80 CLOSE_WAIT 1000 120298353 5398/ubuntu-geoip-p
tcp 0 1748 192.168.1.102:33124 23.5.49.224:80 ESTABLISHED 1000 127381004 7511/firefox
tcp 0 967 192.168.1.102:38060 173.252.101.26:80 ESTABLISHED 1000 127379820 7511/firefox
tcp 0 0 192.168.1.102:41236 74.125.26.105:443 ESTABLISHED 1000 127364032 7511/firefox
tcp 0 529 192.168.1.102:59458 165.254.32.75:80 ESTABLISHED 1000 127374545 7511/firefox
tcp 0 1888 192.168.1.102:33125 23.5.49.224:80 ESTABLISHED 1000 127381005 7511/firefox
tcp 0 0 192.168.1.102:52012 75.126.109.194:80 ESTABLISHED 1000 127390734 7511/firefox
tcp 0 0 192.168.1.102:41926 74.125.26.99:443 ESTABLISHED 1000 127357146 6785/chrome
tcp 0 1443 192.168.1.102:56956 173.194.43.25:80 ESTABLISHED 1000 127373895 7511/firefox
tcp 0 0 192.168.1.102:49628 54.243.115.186:443 ESTABLISHED 1000 127380148 7511/firefox
tcp 0 1260 192.168.1.102:38061 173.252.101.26:80 ESTABLISHED 1000 127379821 7511/firefox
tcp 0 0 192.168.1.102:47199 173.194.43.8:443 ESTABLISHED 1000 127354988 6785/chrome
tcp 0 0 192.168.1.102:60748 173.194.38.182:443 ESTABLISHED 1000 127369566 7511/firefox
tcp 0 375 192.168.1.102:56243 74.125.226.226:80 ESTABLISHED 1000 127374566 7511/firefox
tcp 0 1020 192.168.1.102:49729 173.194.43.58:80 ESTABLISHED 1000 127378990 7511/firefox
tcp6 0 0 ::1:631 :::* LISTEN 0 126364707 -
----------------------------------------------------------------------------
At least all destination ports are http and shttp. Any ideas why so many user defined ports from browsers? |
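The `netstat -pane` listing above is exactly the kind of output worth reading programmatically when a box looks suspicious. The following is an added example, not code from the thread: it parses lines in that layout (the sample is constructed to mirror the post above), groups outgoing connections by the owning PID/program, and flags sockets whose owner is shown as `-` (netstat only attributes processes the invoking user can see) or whose remote port is outside the web ports the thread's browsers were using. The `-n` in `-pane` also matters: it stops netstat from printing the misleading /etc/hosts name that started this thread.

```python
# Added example, not from the thread: triage `netstat -pane` output by process.
# A '-' PID/Program means a socket this user may not see; re-run as root.
from collections import defaultdict

# Constructed sample in `netstat -pane` layout (Proto Recv-Q Send-Q Local
# Foreign State User Inode PID/Program); udp lines carry no State column.
SAMPLE = """\
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 106607761 -
tcp 0 1409 192.168.1.102:38056 173.252.101.26:80 ESTABLISHED 1000 127382733 7511/firefox
tcp 0 0 192.168.1.102:41926 74.125.26.99:443 ESTABLISHED 1000 127357146 6785/chrome
tcp 0 1 192.168.1.102:57317 111.221.74.25:40011 SYN_SENT 1000 127399999 -
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 12345 -
tcp6 0 0 ::1:631 :::* LISTEN 0 126364707 -
"""
USUAL_REMOTE_PORTS = {"80", "443"}  # the web ports the thread's browsers used

def parse_line(line):
    """Return a dict for one socket line, or None for header/blank lines."""
    f = line.split()
    if not f or not f[0].startswith(("tcp", "udp")):
        return None
    if f[0].startswith("tcp"):
        proto, _, _, local, remote, state, _, _, prog = f[:9]
    else:
        proto, _, _, local, remote, _, _, prog = f[:8]
        state = ""
    return {"proto": proto, "local": local, "remote": remote,
            "state": state, "prog": prog}

def remote_port(addr):
    """'111.221.74.25:40011' -> '40011'; rsplit keeps IPv6 '::1:631' intact."""
    return addr.rsplit(":", 1)[1]

def triage(text):
    """Group sockets into listeners, per-program remote endpoints, and flags."""
    listeners, by_prog, unattributed, unusual = [], defaultdict(set), [], []
    for line in text.splitlines():
        s = parse_line(line)
        if s is None:
            continue
        if s["state"] == "LISTEN" or s["remote"].endswith(":*"):
            listeners.append((s["proto"], s["local"], s["prog"]))
            continue
        by_prog[s["prog"]].add(s["remote"])
        if s["prog"] == "-":                          # owner hidden from this user
            unattributed.append((s["local"], s["remote"], s["state"]))
        if remote_port(s["remote"]) not in USUAL_REMOTE_PORTS:
            unusual.append((s["prog"], s["remote"], s["state"]))
    return {"listeners": listeners, "by_prog": dict(by_prog),
            "unattributed": unattributed, "unusual": unusual}
```

Feed it real output with `triage(open("netstat.txt").read())`; anything in `unattributed` is the cue to repeat `netstat -pane` as root so the PID column is filled in.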
Thanks, Noway2. You are an asset to this forum.
In this case ignorance was not bliss. I am no longer scared. :-) |
hi,
I just had a strange "event". I was working with Google Translate and listening to YouTube in the background. Suddenly the sound stopped. OK, stream stuck. Tried to rewind. Nothing. Waiting for site. Tried opening other pages. Waiting.... OK. That's an FF issue. Killed FF. And decided to run "netstat". Got tens of these addresses in LAST_ACK state. WTF? Started to wonder what that could be. Googled and found this page. Any ideas? |
If whatever Linux you use allows these options (or their equivalents) on the netstat command: Code:
netstat -A inet -veepaT
In my case these addresses seem to lead to a hosting company in Germany. http://www.hetzner.de/en/hosting/unternehmen/ueber-uns |
Thanks a lot! Found out the reason. FF's ShowIP plugin was querying for remote data. |