LinuxQuestions.org > Forums > Linux Forums > Linux - Security
04-19-2007, 08:16 PM   #1
backroger
Weird log on Firestarter


I got some unusual log in firestarter. Current Active Connections says it has:

Source Destination Port Service
10.14.0.1 88.105.110.238 1028 Unknown
10.14.0.1 88.105.110.238 1032 Unknown
10.14.0.1 216.162.88.130 29469 Unknown

Normally I have this:

Source Destination Port Service
65.55.213.101 10.14.0.1 80 HTTP
10.14.0.1 202.123.88.1 squid firefox

When I do netstat, I have this:

[root@ola ~]# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 10.14.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 10.14.0.1:80 65.55.213.101:17208 TIME_WAIT
tcp 0 0 10.14.0.1:80 65.55.213.101:17018 TIME_WAIT


Trying to do a chkrootkit for now and see how it goes. Or is it a bug in Firestarter?
 
04-19-2007, 11:23 PM   #2
backroger (Original Poster)
Update

Chkrootkit did not find anything except this:

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2677 tty1 /sbin/mingetty tty1
! root 2702 tty2 /sbin/mingetty tty2
! root 2726 tty3 /sbin/mingetty tty3
! root 2835 tty4 /sbin/mingetty tty4
! root 2902 tty5 /sbin/mingetty tty5
! root 2924 tty6 /sbin/mingetty tty6
chkutmp: nothing deleted

McAfee uvscan 5.01 console command didn't find anything either...

Scanning file /sbin/mingetty
Scanning file /sbin/arping

Summary report on /*
File(s)
Total files: ........... 324880
Clean: ................. 322463
Not scanned: ........... 0
Possibly Infected: ..... 0
Non-critical Error(s): 2
 
04-20-2007, 12:04 AM   #3
Capt_Caveman
Quote:
Originally Posted by backroger
Source Destination Port Service
10.14.0.1 88.105.110.238 1028 Unknown
10.14.0.1 88.105.110.238 1032 Unknown
10.14.0.1 216.162.88.130 29469 Unknown
Hard to say what they are based on the above info. Next time you see them use netstat -pantu to get a listing of port->PID mappings which you can then look up in output of 'ps aux'.

Quote:
[root@ola ~]# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 10.14.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 10.14.0.1:80 65.55.213.101:17208 TIME_WAIT
tcp 0 0 10.14.0.1:80 65.55.213.101:17018 TIME_WAIT
Lots of open ports. If you don't need stuff like RPC running then you should shut it off. Last 2 entries look like incoming connections to your webserver from hosts in the Microsoft IP range. In fact the IP resolves to a hostname that looks like a webcrawler that is probably indexing your site:

Code:
host 65.55.213.101
101.213.55.65.in-addr.arpa domain name pointer livebot-65-55-213-101.search.live.com.
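The netstat -pantu to ps lookup described in the reply above, as an added worked example that is not part of the thread: the netstat text is constructed sample output (the PIDs and the program name example-prog are hypothetical), and it also handles two rows the raw listing makes easy to misread, UDP rows with no State column and TIME_WAIT rows that no process owns.

```shell
# Added example (not from the thread): map 'netstat -pantu' socket rows to
# the processes that own them, the lookup suggested in the reply above.
# SAMPLE_NETSTAT is constructed output; PIDs and program names are hypothetical.
# Against a live box:  netstat -pantu | suspicious_sockets
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1501/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1799/sshd
tcp        0      0 10.14.0.1:1032          88.105.110.238:1028     ESTABLISHED 4123/example-prog
tcp        0      0 10.14.0.1:80            65.55.213.101:17208     TIME_WAIT   -
udp        0      0 0.0.0.0:32769           0.0.0.0:*                           1501/portmap
udp        0      0 10.14.0.1:29469         216.162.88.130:53       4123/example-prog'
# Keep sockets that have a remote peer and an owning process. Dropped: headers,
# listening sockets (peer 0.0.0.0:* or :::*) and rows whose PID column is '-'
# (no owner: TIME_WAIT leftovers, or other users' sockets when not run as root).
# UDP rows lack the State column, so the owner is taken from the last field.
# Output: PID PROGRAM PROTO LOCAL FOREIGN STATE
suspicious_sockets() {
    awk '
        $1 !~ /^(tcp|udp)6?$/             { next }
        $5 == "0.0.0.0:*" || $5 == ":::*" { next }
        $NF == "-"                        { next }
        {
            split($NF, owner, "/")
            state = (NF == 7) ? $6 : "n/a"
            print owner[1], owner[2], $1, $4, $5, state
        }'
}

# Distinct owning PIDs, the input for the 'ps aux' step.
owning_pids() {
    suspicious_sockets | awk '{ print $1 }' | sort -u
}

# Show who runs the PID and which binary it was started from. A missing PID
# means the process exited (or is hidden); an exe link ending in "(deleted)"
# means the binary was removed from disk after it started.
describe_pid() {
    if [ -d "/proc/$1" ]; then
        ps -o pid,user,args -p "$1" 2>/dev/null || echo "PID $1: ps lookup failed"
        exe=$(readlink "/proc/$1/exe" 2>/dev/null) && echo "  exe: $exe"
    else
        echo "PID $1: not in process table (exited, or hidden from ps)"
    fi
}

printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_sockets
for pid in $(printf '%s\n' "$SAMPLE_NETSTAT" | owning_pids); do
    describe_pid "$pid"
done
```

On the sample only the two rows owned by PID 4123 survive; the LISTEN rows and the crawler's TIME_WAIT row are dropped because they have no peer or no owning process.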
 
04-20-2007, 12:14 AM   #4
backroger (Original Poster)
Quote:
Originally Posted by Capt_Caveman
Hard to say what they are based on the above info. Next time you see them use netstat -pantu to get a listing of port->PID mappings which you can then look up in output of 'ps aux'.

Lots of open ports. If you don't need stuff like RPC running then you should shut it off. Last 2 entries look like incoming connections to your webserver from hosts in the Microsoft IP range. In fact the IP resolves to a hostname that looks like a webcrawler that is probably indexing your site:

Code:
host 65.55.213.101
101.213.55.65.in-addr.arpa domain name pointer livebot-65-55-213-101.search.live.com.
Thanks a lot, I will try to turn off some unnecessary services for the time being.