LinuxQuestions.org

Linux - Security: scared of netstat -a report (http://www.linuxquestions.org/questions/linux-security-4/scared-of-netstat-a-report-4175453702/)

gene292 03-11-2013 09:12 PM

scared of netstat -a report
 
I hope this is not a false alarm.
My machine is running Ubuntu 12.04 LTS.
It is set up as a LAMP server.

I've just run a netstat -a command for the 1st time.
What alarmed me were lines like those below:
tcp 0 0 www.testlimo.com:45259 91.190.218.57:12350 ESTABLISHED
tcp 0 0 www.testlimo.com:45961 157.56.52.23:40025 ESTABLISHED
-----------------------------------------------
Now testlimo.com is a local domain only. It is defined in /etc/hosts.
The machine is not set up as a DNS server.
This machine is behind a NAT router (E3000).
I was forwarding ports 80 and 443 (SSL) only.
I disabled forwarding today.
So why do I see those IP addresses for Singapore, Ireland, Oklahoma and Montreal?
From a local site that is supposed to be dead.
I ran tiger - no major failures - just a few 20-30 bad checksums, most for phpunit.

If my system is "infected" how do I clean it?

rigor 03-11-2013 11:45 PM

gene292,

I went onto a system that is not a DNS server. In fact, it generally doesn't provide any services to the outside world. It's a private system on a private LAN. It's behind a NAT router. The machine is given a locally known IP (in principle a "non-routed" IP address) from a local DHCP server. I queried an outside DNS server, to try to make sure there is no domain in the world named "fake_domain.com". I then edited the /etc/hosts file on the private machine, so that the local IP address assigned to the machine was associated with the non-existent domain name "fake_domain.com". After that change to the /etc/hosts file, these are some of the lines from the output of the "netstat -a" command, run on that machine:


Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State     
tcp        0      0 *:trivnet1              *:*                    LISTEN     
tcp        0      0 *:sunrpc                *:*                    LISTEN     
tcp        0      0 *:7634                  *:*                    LISTEN     
tcp        0      0 *:ftp                  *:*                    LISTEN     
tcp        0      0 *:ssh                  *:*                    LISTEN     
tcp        0      0 localhost:ipp          *:*                    LISTEN     
tcp        1      0 fake_domain.com:60549  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:43914  static.132.61.63.:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52448  static.5.49.63.17:https CLOSE_WAIT 
tcp        0      0 fake_domain.com:34280  192.204.4.43:www-http  TIME_WAIT 
tcp        1      0 fake_domain.com:52436  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52469  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:60547  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:60523  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:43911  static.132.61.63.:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:60595  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:60524  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:60586  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52466  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52427  static.5.49.63.17:https CLOSE_WAIT 
tcp        0      0 fake_domain.com:34253  192.204.4.43:www-http  TIME_WAIT 
tcp        0      0 fake_domain.com:34266  192.204.4.43:www-http  TIME_WAIT 
tcp        1      0 fake_domain.com:60540  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:60587  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52273  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:60571  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52351  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52279  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:60512  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52191  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52465  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:34063  static.5.49.63:www-http CLOSE_WAIT 
tcp        1      0 fake_domain.com:52270  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:59470  static.132.61.63.:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52435  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:43899  static.132.61.63.:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52274  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:60555  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52470  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52445  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52359  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:52381  static.5.49.63.17:https CLOSE_WAIT 
tcp        0      0 fake_domain.com:34283  192.204.4.43:www-http  ESTABLISHED

I don't know about the IP addresses which you haven't shown us, but at a quick look, it seems as if the IPs you did show us are involved with things such as Skype and Microsoft.

Why do you mention that the machine is not a DNS server? Why exactly does that concern you?

What do you mean by the phrase "a local site that is supposed to be dead"?

Do you allow outgoing connections at all? Or any connections? Is Skype in use?

orgcandman 03-12-2013 09:37 AM

netstat -a isn't a very good way to determine the domain on the left-hand side (i.e., the local interface). The system's preference for name lookups is usually from files first (look in your nsswitch.conf), in which case it will report whatever comes from /etc/hosts first (since it performs something similar to a gethostbyaddr() call), without ever querying the actual DNS name.

gene292 03-12-2013 11:08 AM

Thanks, rigor and orgcandman. That is the case - testlimo.com is 1st in /etc/hosts.

Fooooooo.
I mentioned that the machine was not a DNS server, and there is no DNS server in my home yet, to show that there cannot be any access to testlimo from the outside.
And since I was not working on testlimo - it should not access any outside sites.
So when I saw a Singapore IP addr - I started sweating. :-)
tcp 0 1 www.testlimo.com:57317 111.221.74.25:40011 SYN_SENT

I did not see any reason to trust MS hosting in Singapore.
Still not sure why it went there. Some kind of ADV?

I'll close this as solved in a couple of days if there is no further input.

Noway2 03-12-2013 11:22 AM

The netstat command shows you the active and reset network connections. Your two examples:
Code:

tcp 0 0 www.testlimo.com:45259 91.190.218.57:12350 ESTABLISHED
tcp 0 0 www.testlimo.com:45961 157.56.52.23:40025 ESTABLISHED

Show that there are two active TCP connections from what is probably your machine, as resolved by the hosts file, to these other machines. What is puzzling about the connections are the destination port numbers. They look like they would be for a VOIP or game server connection.

You can use the netstat -pane command to get additional information regarding what process is making these connections.

gene292 03-12-2013 11:54 AM

Great advice Noway2!!!!!!!!!!
Here is netstat -pane, which looks a lot less scary:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 106607761 -
tcp 0 1409 192.168.1.102:38056 173.252.101.26:80 ESTABLISHED 1000 127382733 7511/firefox
tcp 1 0 192.168.1.102:43544 91.189.89.144:80 CLOSE_WAIT 1000 120298353 5398/ubuntu-geoip-p
tcp 0 1748 192.168.1.102:33124 23.5.49.224:80 ESTABLISHED 1000 127381004 7511/firefox
tcp 0 967 192.168.1.102:38060 173.252.101.26:80 ESTABLISHED 1000 127379820 7511/firefox
tcp 0 0 192.168.1.102:41236 74.125.26.105:443 ESTABLISHED 1000 127364032 7511/firefox
tcp 0 529 192.168.1.102:59458 165.254.32.75:80 ESTABLISHED 1000 127374545 7511/firefox
tcp 0 1888 192.168.1.102:33125 23.5.49.224:80 ESTABLISHED 1000 127381005 7511/firefox
tcp 0 0 192.168.1.102:52012 75.126.109.194:80 ESTABLISHED 1000 127390734 7511/firefox
tcp 0 0 192.168.1.102:41926 74.125.26.99:443 ESTABLISHED 1000 127357146 6785/chrome
tcp 0 1443 192.168.1.102:56956 173.194.43.25:80 ESTABLISHED 1000 127373895 7511/firefox
tcp 0 0 192.168.1.102:49628 54.243.115.186:443 ESTABLISHED 1000 127380148 7511/firefox
tcp 0 1260 192.168.1.102:38061 173.252.101.26:80 ESTABLISHED 1000 127379821 7511/firefox
tcp 0 0 192.168.1.102:47199 173.194.43.8:443 ESTABLISHED 1000 127354988 6785/chrome
tcp 0 0 192.168.1.102:60748 173.194.38.182:443 ESTABLISHED 1000 127369566 7511/firefox
tcp 0 375 192.168.1.102:56243 74.125.226.226:80 ESTABLISHED 1000 127374566 7511/firefox
tcp 0 1020 192.168.1.102:49729 173.194.43.58:80 ESTABLISHED 1000 127378990 7511/firefox
tcp6 0 0 ::1:631 :::* LISTEN 0 126364707 -
----------------------------------------------------------------------------
At least all destination ports are http and shttp.
Any ideas why so many user-defined ports from browsers?

Noway2 03-12-2013 01:03 PM

Quote:

Originally Posted by gene292 (Post 4910098)
At least all destination ports are http and shttp.
Any ideas why so many user-defined ports from browsers?

For each new connection, your system will grab a high numbered port at random. From your list, some examples are 38056, 43544, and 59458. This is normal behavior. Notice at the end of the line it says, ESTABLISHED or CLOSE_WAIT. This is the "state" of the connection. A TCP connection is much like a telephone call where a connection is made, used, and then taken down. Here is a link to a .pdf with a good explanation of the states. Each browser session will likely establish a lot of connections because of the main content, plus each ad, analytic, and other active link in the page. You can see that the destination ports are all 80 or 443 indicating browser traffic destinations and these are also associated with browser application connections. One of the tricks of forensic analysis, and reasons why it is best to not reboot or disturb a suspect machine is you can also look at the process tree to correlate the PIDs to see both the location path of the file using the connection as well as the parent processes.
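
The two pieces of advice above (orgcandman's point that the left-hand column is just a files-first reverse lookup of /etc/hosts, and Noway2's point that `netstat -pane` plus the connection state and the random high local port tell you what is actually going on) can be put into one small triage script. This is an added example, not code from the thread or from any of its posters. It assumes the net-tools `netstat -pane` column layout shown in the thread; the sample rows are constructed (most copied from the output above, plus one hypothetical row to 91.190.218.57:12350 whose owner column is `-`), and the /etc/hosts content is constructed to mirror the poster's setup.

```python
"""Triage `netstat -pane` output offline (added example, not from the thread).

Assumed layout (net-tools netstat -pane):
Proto Recv-Q Send-Q Local Foreign State User Inode PID/Program
"""
from collections import Counter

# Constructed sample: rows copied from the thread's netstat -pane output plus one
# hypothetical ESTABLISHED row whose owner column is '-' (not visible).
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 106607761 -
tcp 0 1409 192.168.1.102:38056 173.252.101.26:80 ESTABLISHED 1000 127382733 7511/firefox
tcp 1 0 192.168.1.102:43544 91.189.89.144:80 CLOSE_WAIT 1000 120298353 5398/ubuntu-geoip-p
tcp 0 0 192.168.1.102:41926 74.125.26.99:443 ESTABLISHED 1000 127357146 6785/chrome
tcp 0 0 192.168.1.102:45259 91.190.218.57:12350 ESTABLISHED 1000 127399999 -
tcp6 0 0 ::1:631 :::* LISTEN 0 126364707 -
"""

# Constructed /etc/hosts: the LAN address carries a private vanity name, listed first,
# which is exactly what makes plain `netstat -a` print it in the Local Address column.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.1.102 www.testlimo.com testlimo.com
"""

EPHEMERAL_LOW = 32768              # lower bound of Linux's default ip_local_port_range
EXPECTED_REMOTE_PORTS = {80, 443}  # what browser traffic is expected to talk to


def parse_hosts(text):
    """Emulate a 'files first' reverse lookup: the first /etc/hosts line naming an
    address wins, and its first name is what netstat (without -n) will print."""
    table = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        if names and ip not in table:
            table[ip] = names[0]
    return table


def display_name(ip, hosts):
    """What `netstat -a` shows for an address when /etc/hosts has an entry for it."""
    return hosts.get(ip, ip)


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 endpoints like '::1:631' survive."""
    host, _, port = endpoint.rpartition(':')
    return host, port


def parse_netstat(text):
    """Parse TCP rows of `netstat -pane` into dicts; rows without 9 fields are skipped
    (UDP rows have no State column and are out of scope for this example)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].startswith('tcp'):
            continue
        proto, _recvq, _sendq, local, foreign, state, uid, inode, prog = fields[:9]
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        entries.append({'proto': proto, 'local_host': lhost, 'local_port': lport,
                        'foreign_host': fhost, 'foreign_port': fport, 'state': state,
                        'uid': int(uid), 'inode': inode, 'program': prog})
    return entries


def is_ephemeral(port):
    """True for a kernel-chosen client-side port, the 'random high port' in the thread."""
    return port.isdigit() and int(port) >= EPHEMERAL_LOW


def triage(entries, hosts):
    """First-pass summary: connections per owning process, remote ports that are not
    plain web ports, and active sockets with no visible owner."""
    active = [e for e in entries if e['state'] != 'LISTEN']
    by_program = Counter(e['program'] for e in active)
    unusual, unowned = [], []
    for e in active:
        desc = '{}:{} -> {}:{} {}'.format(display_name(e['local_host'], hosts),
                                          e['local_port'], e['foreign_host'],
                                          e['foreign_port'], e['state'])
        fport = e['foreign_port']
        if not (fport.isdigit() and int(fport) in EXPECTED_REMOTE_PORTS):
            unusual.append(desc)
        # '-' means the owner was not visible: -p only shows processes you own,
        # so rerun as root before reading anything into it.
        if e['program'] == '-':
            unowned.append(desc)
    return {'by_program': by_program, 'unusual_remote_port': unusual, 'unowned': unowned}


if __name__ == '__main__':
    hosts = parse_hosts(SAMPLE_HOSTS)
    report = triage(parse_netstat(SAMPLE_NETSTAT), hosts)
    for prog, n in report['by_program'].most_common():
        print('{:4d} connection(s) owned by {}'.format(n, prog))
    for desc in report['unusual_remote_port']:
        print('unexpected remote port:', desc)
    for desc in report['unowned']:
        print('no visible owner (rerun netstat as root):', desc)
```

Run on the sample, the only row that trips both checks is the one to port 12350 with no visible owner, and it is printed with the local side rendered as `www.testlimo.com`, which reproduces the alarming line from the first post and shows where that name came from. The fix for the display side is simply `netstat -n`; the fix for the owner side is running `netstat -pane` as root so the PID/Program column is filled in for sockets belonging to other users.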

gene292 03-12-2013 03:18 PM

Thanks, Noway2. You are an asset to this forum.
In this case ignorance was not bliss.
I am no longer scared. :-)

StrangeIdea 03-21-2013 08:18 PM

hi,

Quote:

Originally Posted by rigor (Post 4909662)
Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State     
tcp        1      0 fake_domain.com:60549  static.5.49.63.17:https CLOSE_WAIT 
tcp        1      0 fake_domain.com:43914  static.132.61.63.:https CLOSE_WAIT


Sorry for stealing this thread, but I have a question for rigor. Maybe you know where these addresses (static.5.49.63.17:https and static.132.61.63.:https) are pointing to? How have you got them?

I just had a strange "event". I was working with Google Translate and listening to YouTube in the background. Suddenly the sound stopped. OK, stream stuck. Tried to rewind. Nothing. Waiting for site. Tried opening other pages. Waiting.... OK. That's an FF issue. Killed FF. And decided to run "netstat". Got tens of these addresses in LAST_ACK state. WTF? Started to wonder what that could be. Googled and found this page. Any ideas?

rigor 03-22-2013 03:05 PM

Quote:

Originally Posted by StrangeIdea (Post 4916297)
hi,

Sorry for stealing this thread, but I have a question for rigor. Maybe you know where these addresses (static.5.49.63.17:https and static.132.61.63.:https) are pointing to? How have you got them?

I just had a strange "event". I was working with Google Translate and listening to YouTube in the background. Suddenly the sound stopped. OK, stream stuck. Tried to rewind. Nothing. Waiting for site. Tried opening other pages. Waiting.... OK. That's an FF issue. Killed FF. And decided to run "netstat". Got tens of these addresses in LAST_ACK state. WTF? Started to wonder what that could be. Googled and found this page. Any ideas?

I too get the "static..." addresses when I use Google Translate.

If whatever Linux you use allows these options (or their equivalents) on the netstat command:

Code:

netstat -A inet -veepaT

you can get a fairly full/verbose/detailed output from netstat that doesn't truncate information.

In my case these addresses seem to lead to a hosting company in Germany.

http://www.hetzner.de/en/hosting/unternehmen/ueber-uns

StrangeIdea 03-22-2013 03:39 PM

Thanks a lot! Found out the reason. FF's ShowIP plugin was querying for remote data.
