LinuxQuestions.org
Old 03-11-2013, 09:12 PM   #1
gene292
LQ Newbie
 
Registered: Jul 2011
Distribution: ubuntu 12.04
Posts: 16

Rep: Reputation: Disabled
scared of netstat -a report


I hope this is not a false alarm.
MY machine is running ubuntu 12.04 lts
it is set up as a lamp server.

I've just ran a netstat -a command for the 1st time.
What alarmed me were lines like those below:
tcp 0 0 www.testlimo.com:45259 91.190.218.57:12350 ESTABLISHED
tcp 0 0 www.testlimo.com:45961 157.56.52.23:40025 ESTABLISHED
-----------------------------------------------
Now testlimo.com is a local domain only. it is defined in /etc/hosts
the machine is not setup as a dns server.
This machine is behind NAT router. E3000.
I was forwarding ports 80 and 443(SSL) only.
I disabled forwarding today.
So why do I see those IP addresses for Singapore, Ireland, Oklahoma and Montreal????
From a local site that is supposed to be dead.
I ran tiger - no major failures - just 20-30 bad checksums, most for phpunit.

If my system is "infected" how do I clean it?
 
Old 03-11-2013, 11:45 PM   #2
rigor
Member
 
Registered: Sep 2011
Posts: 136

Rep: Reputation: Disabled
gene292,

I went onto a system that is not a DNS server. In fact, it generally doesn't provide any services to the outside world. It's a private system on a private LAN. It's behind a NAT router. The machine is given, a locally known IP ( in principle a "non-routed" IP address ), from a local DHCP server. I queried an outside DNS server, to try to make sure there is no domain in the world named "fake_domain.com". I then edited the /etc/hosts file on the private machine, so that the local IP address assigned to the machine was associated with the non-existent domain name "fake_domain.com". After that change to the /etc/hosts file, these are some of the lines from the output of the "netstat -a" command, run on that machine:


Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:trivnet1              *:*                     LISTEN      
tcp        0      0 *:sunrpc                *:*                     LISTEN      
tcp        0      0 *:7634                  *:*                     LISTEN      
tcp        0      0 *:ftp                   *:*                     LISTEN      
tcp        0      0 *:ssh                   *:*                     LISTEN      
tcp        0      0 localhost:ipp           *:*                     LISTEN      
tcp        1      0 fake_domain.com:60549   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:43914   static.132.61.63.:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52448   static.5.49.63.17:https CLOSE_WAIT  
tcp        0      0 fake_domain.com:34280   192.204.4.43:www-http   TIME_WAIT   
tcp        1      0 fake_domain.com:52436   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52469   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:60547   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:60523   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:43911   static.132.61.63.:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:60595   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:60524   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:60586   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52466   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52427   static.5.49.63.17:https CLOSE_WAIT  
tcp        0      0 fake_domain.com:34253   192.204.4.43:www-http   TIME_WAIT   
tcp        0      0 fake_domain.com:34266   192.204.4.43:www-http   TIME_WAIT   
tcp        1      0 fake_domain.com:60540   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:60587   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52273   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:60571   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52351   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52279   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:60512   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52191   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52465   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:34063   static.5.49.63:www-http CLOSE_WAIT  
tcp        1      0 fake_domain.com:52270   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:59470   static.132.61.63.:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52435   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:43899   static.132.61.63.:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52274   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:60555   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52470   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52445   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52359   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:52381   static.5.49.63.17:https CLOSE_WAIT  
tcp        0      0 fake_domain.com:34283   192.204.4.43:www-http   ESTABLISHED
I don't know about the IP addresses which you haven't shown us, but at a quick look, it seems as if the IP's you did show us are involved with things such as Skype and Microsoft.

Why do you mention that the machine is not a DNS server? Why exactly does that concern you?

What do you mean by the phrase "a local site that is supposed to be dead"?

Do you allow outgoing connections at all? Or any connections? Is Skype in use?

Last edited by rigor; 03-12-2013 at 12:20 AM.
 
Old 03-12-2013, 09:37 AM   #3
orgcandman
Member
 
Registered: May 2002
Location: dracut MA
Distribution: Ubuntu; PNE-LE; LFS (no book)
Posts: 594

Rep: Reputation: 102Reputation: 102
netstat -a isn't a very good way to determine the domain on the left-hand side (i.e., the local interface). The system's preference for name lookups is usually from files first (look in your nsswitch.conf), in which case it will report whatever comes from /etc/hosts first (since it performs something similar to a gethostaddr() call), without ever querying the actual DNS name.
 
1 members found this post helpful.
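The mechanism orgcandman describes, as an added example (this is not code from the thread): with `hosts: files ... dns` in nsswitch.conf, the reverse lookup netstat does for the local address is answered by the first matching /etc/hosts line, so DNS is never consulted and whatever name sits first on that line is what gets printed. The `NSSWITCH` and `HOSTS` contents, the function names and the `netstat_style` renderer are all constructed for illustration; the real resolver is glibc's, this just emulates its source ordering and first-match rule.

```python
"""How netstat -a came to print www.testlimo.com: with nsswitch.conf saying
'hosts: files ... dns', the reverse lookup of the local address is answered
by the first matching /etc/hosts line and DNS is never asked.
Added example (not from the thread); NSSWITCH and HOSTS below are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed: the shape of a stock Ubuntu 12.04 hosts line, action tokens included
NSSWITCH = "hosts: files mdns4_minimal [NOTFOUND=return] dns\n"

# Constructed /etc/hosts: a local-only site that exists nowhere in DNS
HOSTS = """\
127.0.0.1       localhost
192.168.1.102   www.testlimo.com testlimo.com   # first match for this IP wins
192.168.1.102   lamp-box                        # never returned for reverse lookups
::1             ip6-localhost ip6-loopback
"""


def hosts_sources(nsswitch: str) -> List[str]:
    """Ordered lookup sources for the 'hosts' database, action tokens ([...]) dropped."""
    for line in nsswitch.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return ["dns"]  # glibc falls back to DNS when the line is missing


def parse_hosts(text: str) -> list:
    """Return (address, [names...]) per valid line; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            entries.append((ipaddress.ip_address(fields[0]), fields[1:]))
        except ValueError:
            continue  # malformed address, ignored like the resolver does
    return entries


def reverse_lookup_files(ip: str, hosts_text: str = HOSTS) -> Optional[str]:
    """'files' source: the first matching line supplies the canonical (first) name."""
    target = ipaddress.ip_address(ip)
    for addr, names in parse_hosts(hosts_text):
        if addr == target:
            return names[0]
    return None


def resolve_local_name(ip: str, nsswitch: str = NSSWITCH,
                       hosts_text: str = HOSTS) -> Tuple[Optional[str], str]:
    """Walk the nsswitch sources in order and report which one answers.
    Only 'files' is evaluated here; any other source (mdns, dns) would go to
    the network, so we stop and report that it would be consulted next."""
    for source in hosts_sources(nsswitch):
        if source == "files":
            name = reverse_lookup_files(ip, hosts_text)
            if name is not None:
                return name, "files"
        else:
            return None, source  # network lookup would start here
    return None, "none"


def netstat_style(ip: str, port: int, numeric: bool = False) -> str:
    """Render an endpoint as netstat -a (resolved) or netstat -an (numeric) would."""
    if numeric:
        return f"{ip}:{port}"
    name, _ = resolve_local_name(ip)
    return f"{name or ip}:{port}"


if __name__ == "__main__":
    print(resolve_local_name("192.168.1.102"))  # ('www.testlimo.com', 'files')
    print(resolve_local_name("91.190.218.57"))  # (None, 'mdns4_minimal'): no hosts match, next source
    print(netstat_style("192.168.1.102", 45259))
    print(netstat_style("192.168.1.102", 45259, numeric=True))
```

The practical consequence is the one the thread reaches: the left-hand name in `netstat -a` tells you only what /etc/hosts says about your own address, so run `netstat -an` (or `-pane`) to see the numeric local address and stop the resolver from dressing it up.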
Old 03-12-2013, 11:08 AM   #4
gene292
LQ Newbie
 
Registered: Jul 2011
Distribution: ubuntu 12.04
Posts: 16

Original Poster
Rep: Reputation: Disabled
Thanks, rigor and orgcandman. That is the case - testlimo.com is 1st in /etc/hosts.

Fooooooo.
I mentioned that the machine was not a DNS server, and there is no DNS server in my home yet, to show that there can not be any access to testlimo from the outside.
And since I was not working on testlimo - it should not access any outside sites.
So when I saw Singapore IP addr - I started sweating. :-)
tcp 0 1 www.testlimo.com:57317 111.221.74.25:40011 SYN_SENT

I did not see any reason to trust MS hosting in Singapore.
Still not sure why it went there. Some kind of ADV?

I'll close this as solved in a couple of days if there is no further input.
 
Old 03-12-2013, 11:22 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
The netstat command shows you the active and reset network connections. Your two examples:
Code:
tcp 0 0 www.testlimo.com:45259 91.190.218.57:12350 ESTABLISHED
tcp 0 0 www.testlimo.com:45961 157.56.52.23:40025 ESTABLISHED
Show that there are two active TCP connections from what is probably your machine, as resolved by the hosts file, to these other machines. What is puzzling about the connections are the destination port numbers. They look like they would be for a VOIP or game server connection.

You can use the netstat -pane command to get additional information regarding what process is making these connections.
 
1 members found this post helpful.
Old 03-12-2013, 11:54 AM   #6
gene292
LQ Newbie
 
Registered: Jul 2011
Distribution: ubuntu 12.04
Posts: 16

Original Poster
Rep: Reputation: Disabled
Great advice Noway2!!!!!!!!!!
Here is netstat -pane, which looks a lot less scary:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 106607761 -
tcp 0 1409 192.168.1.102:38056 173.252.101.26:80 ESTABLISHED 1000 127382733 7511/firefox
tcp 1 0 192.168.1.102:43544 91.189.89.144:80 CLOSE_WAIT 1000 120298353 5398/ubuntu-geoip-p
tcp 0 1748 192.168.1.102:33124 23.5.49.224:80 ESTABLISHED 1000 127381004 7511/firefox
tcp 0 967 192.168.1.102:38060 173.252.101.26:80 ESTABLISHED 1000 127379820 7511/firefox
tcp 0 0 192.168.1.102:41236 74.125.26.105:443 ESTABLISHED 1000 127364032 7511/firefox
tcp 0 529 192.168.1.102:59458 165.254.32.75:80 ESTABLISHED 1000 127374545 7511/firefox
tcp 0 1888 192.168.1.102:33125 23.5.49.224:80 ESTABLISHED 1000 127381005 7511/firefox
tcp 0 0 192.168.1.102:52012 75.126.109.194:80 ESTABLISHED 1000 127390734 7511/firefox
tcp 0 0 192.168.1.102:41926 74.125.26.99:443 ESTABLISHED 1000 127357146 6785/chrome
tcp 0 1443 192.168.1.102:56956 173.194.43.25:80 ESTABLISHED 1000 127373895 7511/firefox
tcp 0 0 192.168.1.102:49628 54.243.115.186:443 ESTABLISHED 1000 127380148 7511/firefox
tcp 0 1260 192.168.1.102:38061 173.252.101.26:80 ESTABLISHED 1000 127379821 7511/firefox
tcp 0 0 192.168.1.102:47199 173.194.43.8:443 ESTABLISHED 1000 127354988 6785/chrome
tcp 0 0 192.168.1.102:60748 173.194.38.182:443 ESTABLISHED 1000 127369566 7511/firefox
tcp 0 375 192.168.1.102:56243 74.125.226.226:80 ESTABLISHED 1000 127374566 7511/firefox
tcp 0 1020 192.168.1.102:49729 173.194.43.58:80 ESTABLISHED 1000 127378990 7511/firefox
tcp6 0 0 ::1:631 :::* LISTEN 0 126364707 -
----------------------------------------------------------------------------
At least all destination ports are http and shttp.
Any ideas why so many user defined ports from browsers?
 
Old 03-12-2013, 01:03 PM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Quote:
Originally Posted by gene292 View Post
At least all destination ports are http and shttp.
Any ideas why so many user defined ports from browsers?
For each new connection, your system will grab a high numbered port at random. From your list, some examples are 38056, 43544, and 59458. This is normal behavior. Notice at the end of the line it says, ESTABLISHED or CLOSE_WAIT. This is the "state" of the connection. A TCP connection is much like a telephone call where a connection is made, used, and then taken down. Here is a link to a .pdf with a good explanation of the states. Each browser session will likely establish a lot of connections because of the main content, plus each ad, analytic, and other active link in the page. You can see that the destination ports are all 80 or 443 indicating browser traffic destinations and these are also associated with browser application connections. One of the tricks of forensic analysis, and reasons why it is best to not reboot or disturb a suspect machine is you can also look at the process tree to correlate the PIDs to see both the location path of the file using the connection as well as the parent processes.
 
1 members found this post helpful.
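Noway2's two points, `netstat -pane` to see the owning process and reading the state column, combined into a small triage script. This is an added example, not code from the thread; `SAMPLE_LINES` reuses lines gene292 posted plus one constructed line (marked) so the destination-port check has something to flag, and the `EPHEMERAL` range is the Linux default rather than a value read from the poster's machine. The `-` in the PID column of the two LISTEN lines is the real caveat to notice: a non-root user cannot read other users' processes, so those sockets can only be attributed after re-running as root.

```python
"""Triage 'netstat -pane' output: who owns each socket, what state it is in,
which destination ports are not plain web traffic, and which lines need a
root re-run before they can be tied to a process.
Added example, not code from the thread. SAMPLE_LINES are lines gene292 posted
plus one constructed line (marked)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

WEB_PORTS = {80, 443}
EPHEMERAL = (32768, 60999)  # Linux default; real value: /proc/sys/net/ipv4/ip_local_port_range

SAMPLE_LINES = [
    "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 106607761 -",
    "tcp 0 1409 192.168.1.102:38056 173.252.101.26:80 ESTABLISHED 1000 127382733 7511/firefox",
    "tcp 1 0 192.168.1.102:43544 91.189.89.144:80 CLOSE_WAIT 1000 120298353 5398/ubuntu-geoip-p",
    "tcp 0 0 192.168.1.102:41236 74.125.26.105:443 ESTABLISHED 1000 127364032 7511/firefox",
    "tcp 0 529 192.168.1.102:59458 165.254.32.75:80 ESTABLISHED 1000 127374545 7511/firefox",
    "tcp 0 0 192.168.1.102:41926 74.125.26.99:443 ESTABLISHED 1000 127357146 6785/chrome",
    "tcp 0 0 192.168.1.102:49628 54.243.115.186:443 ESTABLISHED 1000 127380148 7511/firefox",
    "tcp 0 0 192.168.1.102:47199 173.194.43.8:443 ESTABLISHED 1000 127354988 6785/chrome",
    "tcp6 0 0 ::1:631 :::* LISTEN 0 126364707 -",
    # Constructed: the OP's first -a line as -pane would show it if a Skype client owned it
    "tcp 0 0 192.168.1.102:45259 91.190.218.57:12350 ESTABLISHED 1000 900000001 6001/skype",
]
SAMPLE = "\n".join(SAMPLE_LINES)


@dataclass
class Conn:
    proto: str
    recv_q: int
    send_q: int
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str
    uid: int
    inode: int
    pid: str  # '-' when the caller may not read the owning process (run as root)
    program: str


def split_endpoint(endpoint: str):
    """'::1:631' -> ('::1', '631'); '0.0.0.0:*' -> ('0.0.0.0', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str) -> List[Conn]:
    """Parse tcp/tcp6 lines of 'netstat -pane'; headers and non-TCP lines are skipped."""
    conns = []
    for raw in text.splitlines():
        f = raw.split()
        if len(f) < 9 or not f[0].startswith("tcp"):
            continue
        lh, lp = split_endpoint(f[3])
        rh, rp = split_endpoint(f[4])
        pid, _, prog = f[8].partition("/")
        conns.append(Conn(f[0], int(f[1]), int(f[2]), lh, lp, rh, rp,
                          f[5], int(f[6]), int(f[7]), pid, prog or "-"))
    return conns


def connections_by_program(conns: List[Conn]) -> Counter:
    return Counter(c.program for c in conns)


def state_summary(conns: List[Conn]) -> Counter:
    return Counter(c.state for c in conns)


def triage(conns: List[Conn], ephemeral=EPHEMERAL) -> List[Dict[str, str]]:
    """Findings worth a second look; none is proof of compromise on its own."""
    lo, hi = ephemeral
    findings = []
    for c in conns:
        where = f"{c.local_host}:{c.local_port} -> {c.remote_host}:{c.remote_port} ({c.state}, {c.pid}/{c.program})"
        if c.pid == "-":
            findings.append({"kind": "unknown-owner", "detail": f"{where}: rerun netstat -pane as root"})
        if c.state == "LISTEN":
            if c.local_host in ("0.0.0.0", "::"):
                findings.append({"kind": "all-interfaces-listener", "detail": f"{where}: bound on every interface"})
            continue
        if c.remote_port.isdigit() and int(c.remote_port) not in WEB_PORTS:
            findings.append({"kind": "non-web-port", "detail": f"{where}: not 80/443, identify the program"})
        if c.local_port.isdigit() and not lo <= int(c.local_port) <= hi:
            findings.append({"kind": "non-ephemeral-local-port", "detail": f"{where}: outside ephemeral range"})
    return findings


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    print("per program:", dict(connections_by_program(conns)))
    print("per state:", dict(state_summary(conns)))
    for finding in triage(conns):
        print(f"[{finding['kind']}] {finding['detail']}")
```

Run against the sample, the only `non-web-port` finding is the constructed Skype line, which is exactly the pattern that worried the original poster: once the program column is present, a strange destination port becomes a question about a known process rather than a mystery. The random high local ports (38056, 59458 and so on) all fall inside the ephemeral range and raise nothing.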
Old 03-12-2013, 03:18 PM   #8
gene292
LQ Newbie
 
Registered: Jul 2011
Distribution: ubuntu 12.04
Posts: 16

Original Poster
Rep: Reputation: Disabled
Thanks, Noway2. You are an asset to this forum.
In this case ignorance was not bliss.
I am no longer scared. :-)

Last edited by gene292; 03-12-2013 at 03:19 PM.
 
Old 03-21-2013, 08:18 PM   #9
StrangeIdea
LQ Newbie
 
Registered: Mar 2013
Posts: 2

Rep: Reputation: Disabled
hi,

Quote:
Originally Posted by rigor View Post
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        1      0 fake_domain.com:60549   static.5.49.63.17:https CLOSE_WAIT  
tcp        1      0 fake_domain.com:43914   static.132.61.63.:https CLOSE_WAIT
Sorry for stealing this thread, but I have a question for rigor. Maybe you know where these addresses (static.5.49.63.17:https and static.132.61.63.:https) are pointing to? How have you got them?

I just had a strange "event". I was working with Google Translate and listening to YouTube in the background. Suddenly the sound stopped. Ok, stream stuck. Tried to rewind. Nothing. Waiting for site. Tried opening other pages. Waiting.... Ok. That's an FF issue. Killed FF. And decided to run "netstat". Got tens of these addresses in LAST_ACK state. WTF? Started to wonder what that could be. Googled and found this page. Any ideas?
 
Old 03-22-2013, 03:05 PM   #10
rigor
Member
 
Registered: Sep 2011
Posts: 136

Rep: Reputation: Disabled
Quote:
Originally Posted by StrangeIdea View Post
hi,

Sorry for stealing this thread, but I have a question for rigor. Maybe you know where these addresses (static.5.49.63.17:https and static.132.61.63.:https) are pointing to? How have you got them?

I just had a strange "event". I was working with Google Translate and listening to YouTube in the background. Suddenly the sound stopped. Ok, stream stuck. Tried to rewind. Nothing. Waiting for site. Tried opening other pages. Waiting.... Ok. That's an FF issue. Killed FF. And decided to run "netstat". Got tens of these addresses in LAST_ACK state. WTF? Started to wonder what that could be. Googled and found this page. Any ideas?
I too get the "static..." addresses when I use Google Translate.

If whatever Linux you use allows these options ( or their equivalents ) on the netstat command:

Code:
netstat -A inet -veepaT
you can get a fairly full/verbose/detailed output from netstat, that doesn't truncate information.

In my case these addresses seem to lead to a hosting company in Germany.

http://www.hetzner.de/en/hosting/unternehmen/ueber-uns
 
Old 03-22-2013, 03:39 PM   #11
StrangeIdea
LQ Newbie
 
Registered: Mar 2013
Posts: 2

Rep: Reputation: Disabled
Thanks a lot! Found out the reason. FF's ShowIP plugin was querying for remote data.
 
Tags
network, security, ubuntu 12.04