LinuxQuestions.org


n00b1shzyx 03-15-2009 02:18 AM

Suspected Unauthorized Visitor
 
Quote:

Originally Posted by n00b1shzyx (Post 3456334)
I did try nslookup on that other ip, it seems that it's of another member of my isp. I dunno, maybe I'm just so paranoid, but it usually connects whenever I'm surfing or browsing a website and whenever it did come my pc hung or became so slow that I have to reboot. I could say that it's a regular visitor coz I oftentimes see that on iptstate.
...

I would like to reiterate what I have said about this regular IP range visitor. I could see that a member of this IP range first connects to my pc on port 80 with a SYN_SENT state. I could see this by using
Code:

sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 a.b.c.d:e          0.0.0.0:*              LISTEN      5360/cupsd     
tcp        0      1 a.b.c.d:33161  a.b.c.d:80        SYN_SENT    7928/firefox

then another member ip connects with the same SYN_SENT state on port 80 and whenever this other ip connects my pc goes very slow like it's going to hang up. I couldn't move my mouse, then all of a sudden my screen just popped blackout on me then it goes back to normal. I even tried blocking this ip on iptables using
Code:

iptables -I INPUT -m iprange --src-range a.b.c.d-a.b.c.d -j DROP
but the bloody IPs could always get connected to port 80. wtf is going on? How would I check my pc for intrusions and check for ports that are open to the Internet?

Nibbl3r 03-15-2009 04:40 AM

Have you got a Firewall installed? You could just block all the ports and look how it goes.

Linuxchuck 03-15-2009 11:25 AM

Quote:

Originally Posted by n00b1shzyx (Post 3475864)
I would like to reiterate what I have said about this regular IP range visitor. I could see that a member of this IP range first connects to my pc on port 80 with a SYN_SENT state. I could see this by using
Code:

sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 a.b.c.d:e          0.0.0.0:*              LISTEN      5360/cupsd     
tcp        0      1 a.b.c.d:33161  a.b.c.d:80        SYN_SENT    7928/firefox

then another member ip connects with the same SYN_SENT state on port 80 and whenever this other ip connects my pc goes very slow like it's going to hang up. I couldn't move my mouse, then all of a sudden my screen just popped blackout on me then it goes back to normal. I even tried blocking this ip on iptables using
Code:

iptables -I INPUT -m iprange --src-range a.b.c.d-a.b.c.d -j DROP
but the bloody IPs could always get connected to port 80. wtf is going on? How would I check my pc for intrusions and check for ports that are open to the Internet?

Ok...

First off, this isn't an intrusion into your system. You can relax. :)

The connection you are referring to in your netstat output is an *outbound* connection from your system. What you are seeing is a connection from your firefox web browser to an external IP address. There's a pretty good chance that you will not see this type of connection going on if you don't have any web browsers open when you run this command. Do keep in mind that this connection state can persist until your TCP stack times out. So give it a few minutes to clear up before you check.

Second, that iptables command you are setting up in your system will wind up causing you nothing but problems. You are telling iptables to drop anything from the ip range that your own computer uses. This can include your own computer, depending on which chain you place the rule in. Not only that, but it can keep some of the critical network systems in your range like DNS from working when you need them. I would not suggest running this particular rule unless you *really* know what you are doing with iptables, and you *really* understand the topology of the network you are using.

Overall, what you are seeing is a normal TCP connection sequence event resulting from opening a web browser on your computer. If you are interested, you can test this out with the following command:

Code:

telnet 1.2.3.4
Then, in another console, execute this:

Code:

netstat -plant
I'd be willing to bet you'll see the same type of "SYN_SENT" line with only a couple of differences... It'll be going to the "1.2.3.4" IP, and it'll be using port 23 (telnet) instead of port 80 (HTTP).

In order to determine which ports are open to the internet on your computer, this command (run as root) will show you everything that is accepting inbound connections:

Code:

lsof -i -nN -P | grep -i listen
The first column in the output is the name of the program responsible for accepting the inbound connection.

So to sum it up: It's good to be vigilant on your system, and I do recommend running a firewall if your computer is directly connected to the internet. But this particular incident was nothing malicious. Just normal traffic on your system as a result of the use of a web browser.

As far as your computer slowing to a crawl, I'd start looking elsewhere for the culprit. For example, try running the "top" command from a command line and sorting the output to determine what's using the most CPU with the "P" (upper case) key, or sorting it by memory usage using the "M" (again, upper case) key.

Hope this helps...
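To make the distinction Linuxchuck draws concrete (LISTEN rows are what is exposed inbound; SYN_SENT rows owned by a local program are that program dialling out), here is a small added parser for `netstat -plant` output. It is not code from the thread; the sample input is constructed in the shape of the posts above, using the thread's placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample in the shape of `netstat -plant` output, reusing the
# placeholder addresses from the thread (not a capture from a real host).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 1.2.3.4:631            0.0.0.0:*              LISTEN      5446/cupsd
tcp        0      0 1.2.3.4:33161          203.190.126.132:80     ESTABLISHED 8114/firefox
tcp        0      1 1.2.3.4:33162          5.6.7.8:80             SYN_SENT    8114/firefox
tcp        0      1 1.2.3.4:33163          5.6.7.8:80             SYN_SENT    8114/firefox
tcp        0      0 1.2.3.4:33164          75.126.162.205:80      TIME_WAIT   -
"""

# proto, recv-q, send-q, local, foreign, state, pid/program (TCP rows only)
ROW = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_netstat(text):
    """Return one dict per socket row; header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, prog = m.groups()
        pid, _, name = prog.partition("/")   # "8114/firefox" or "-" (not ours / no rights)
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid if pid != "-" else None,
                     "program": name or None})
    return rows

def listening(rows):
    """Sockets accepting inbound connections: the part actually reachable from outside."""
    return [(r["local"], r["program"]) for r in rows if r["state"] == "LISTEN"]

def outbound_attempts(rows):
    """SYN_SENT means our side sent the SYN and the peer has not answered yet,
    so these are local programs dialling out, grouped by peer and program."""
    counts = Counter()
    for r in rows:
        if r["state"] == "SYN_SENT":
            counts[(r["foreign"], r["program"])] += 1
    return dict(counts)

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("listening:", listening(rows))
    print("outbound attempts:", outbound_attempts(rows))
```

Run against real output, a peer showing up only under `outbound_attempts` with a browser as the owning program is the situation described in the thread; a new entry under `listening` is what would merit a closer look.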

n00b1shzyx 03-15-2009 10:50 PM

Thanks.

Quote:

Originally Posted by Linuxchuck (Post 3476122)
...There's a pretty good chance that you will not see this type of connection going on if you don't have any web browsers open when you run this command.

No, it doesn't just show when I am using a browser, it shows too with my wineserver. And when I am idle or I stop browsing on some website or simply just doing nothing somehow it goes away. But the weird thing is it only shows when I am logged in on certain PPC/SEO sites and on linux forums. It's like it's monitoring my every net activity or something. :(
Quote:

...depending on which chain you place the rule in.
Can you elaborate on this please. What happens when I would put it on either INPUT/OUTPUT/FORWARD chain?
Quote:

...unless you *really* know what you are doing with iptables, and you *really* understand the topology of the network you are using.
No, I don't really know what I am doing with iptables or understand my network topology. All I was trying to do was look for a way to block this IP range and so I tried googling it. And when I found it, I tried applying it. It seemed to work fine but I found out later on it did not. (I got ufw and firestarter installed.)

Now that you have mentioned it, I am trying to learn more about how to obtain, understand and configure my network topology if it's even configurable. Then maybe I wouldn't be so noob like this.
Code:

lsof -i -nN -P | grep -i listen
Now with this command started offline, it shows my wineserver and 2 unknowns. (sorry, I forgot to copy and paste, my pc hung up again.) but when it's started online it shows this:
Code:

lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/user/.gvfs
      Output information may be incomplete.
cupsd    5446      root    2u  IPv4  15772      TCP 1.2.3.4:631 (LISTEN)
n00b1shzyx 03-16-2009 09:17 PM

Like this one:
Code:

sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      ESTABLISHED 8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      ESTABLISHED 8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      ESTABLISHED 8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      TIME_WAIT  -             
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        1      0 1.2.3.4:0  209.85.143.127:80      CLOSE_WAIT  8114/firefox   
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      ESTABLISHED 8114/firefox

As you can see here, the freakin 5.6.7.8 ip has taken over my browser. If these are outbound connections coming from my system then maybe it has already installed itself without my f****n knowledge. I am a sitting duck and I don't know what to do about it until it times out. :(

Linuxchuck 03-17-2009 08:38 AM

Quote:

Originally Posted by n00b1shzyx (Post 3477701)
Like this one:
Code:

sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      ESTABLISHED 8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      ESTABLISHED 8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      ESTABLISHED 8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      TIME_WAIT  -             
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        1      0 1.2.3.4:0  209.85.143.127:80      CLOSE_WAIT  8114/firefox   
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      1 1.2.3.4:0  5.6.7.8:80        SYN_SENT    8114/firefox   
tcp        0      0 1.2.3.4:0  203.190.126.132:80      ESTABLISHED 8114/firefox   
tcp        0      0 1.2.3.4:0  75.126.162.205:80      ESTABLISHED 8114/firefox

As you can see here, the freakin 5.6.7.8 ip has taken over my browser. If these are outbound connections coming from my system then maybe it has already installed itself without my f****n knowledge. I am a sitting duck and I don't know what to do about it until it times out. :(

Again, you are most likely not being hacked... This is normal browser activity. The browser has been told (either by a website, or by some extension/plugin that you have installed) to connect to this address, and the address is not responding in a timely manner. This causes your system to leave the ports in a "waiting for a reply" state until they time out. This doesn't mean it's something that shouldn't be fixed though. If you have a firefox extension/addon installed that is failing to connect to a site, and is causing your system to slow down as a result, you should uninstall it.

If you are sincerely concerned that this is an intrusion incident on your system, stop obfuscating the destination IP addresses of the suspicious traffic. This way, we can at least see where the connection attempts are going. If it's something you aren't telling your browser to go to, then the first thing to investigate is to look at where it's trying to go.

It's perfectly sensible to obfuscate your source IP if it is a public, routable IP address. However, if your IP is a 10.x.x.x, a 192.168.x.x, or a 172.16.x.x through a 172.32.x.x address, you don't have to go through the trouble of obfuscating anything, because that information is useless to anyone outside your network.

n00b1shzyx 03-22-2009 02:49 AM

Quote:

Originally Posted by Linuxchuck (Post 3478192)
... The browser has been told (either by a website, or by some extension/plugin that you have installed) to connect to this address, and the address is not responding in a timely manner. This causes your system to leave the ports in a "waiting for a reply" state until they time out. This doesn't mean it's something that shouldn't be fixed though.

... If it's something you aren't telling your browser to go to, then the first thing to investigate is to look at where it's trying to go.

I think I have found which application (mailserver) on my box the second ip range use its access coz it was actually listening for incoming connections. But I couldn't figure out the first one though. I have initially closed the application cupsd for my printer and yet still it appears on netstat. I have tiger and chkrootkit installed but I still have to read for the right combination of commands to make the mark. Still researching.

Is there any application you could suggest that would close an IP address connected to you, like what the command
Code:

kill <application>
would do but only its TCP connections?