LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-15-2009, 01:18 AM   #1
n00b1shzyx
LQ Newbie
 
Registered: Feb 2009
Posts: 7

Rep: Reputation: 0
Suspected Unauthorized Visitor


Quote:
Originally Posted by n00b1shzyx View Post
I did try nslookup on that other ip, it seems that its of another member of my isp. I dunno, maybe I'm just so paranoid, but it usually connects whenever I'm surfing or browsing a website and whenever it did come my pc got hang or become so slow then I have to reboot. I could say that its a regular visitor coz I oftentimes see that on iptstate.
...
I would like to reiterate what I have said about this regular ip range visitor. I could see that member of this iprange first connects to my pc on port 80 with an syn_sent state. I could see this by using
Code:
sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 a.b.c.d:e           0.0.0.0:*               LISTEN      5360/cupsd      
tcp        0      1 a.b.c.d:33161   a.b.c.d:80        SYN_SENT    7928/firefox
then another member ip connects with the same syn_sent state on port 80 and whenever this other ip connects my pc goes very slow like its going to hangup. I couldn't move my mouse, then all of a sudden my screen just popped blackout on me then it goes back to normal. I even tried blocking this ip on iptables using
Code:
iptables -I INPUT -m iprange --src-range a.b.c.d-a.b.c.d -j DROP
but the bloody ip's always could get connected to port 80. wtf is going on? How would I check my pc for intrusions and to check for ports that is opened to the Internet?
 
Old 03-15-2009, 03:40 AM   #2
Nibbl3r
LQ Newbie
 
Registered: Dec 2008
Location: Zuerich, Switzerland
Distribution: Fedora Core/Debian
Posts: 28

Rep: Reputation: 16
Have you got a Firewall installed? You could just block all the ports and look how it goes.

Last edited by Nibbl3r; 03-15-2009 at 03:45 AM.
 
Old 03-15-2009, 10:25 AM   #3
Linuxchuck
LQ Newbie
 
Registered: Aug 2007
Distribution: Slackware from 94-09, Debian Since March 09
Posts: 28

Rep: Reputation: 19
Quote:
Originally Posted by n00b1shzyx View Post
I would like to reiterate what I have said about this regular ip range visitor. I could see that member of this iprange first connects to my pc on port 80 with an syn_sent state. I could see this by using
Code:
sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 a.b.c.d:e           0.0.0.0:*               LISTEN      5360/cupsd      
tcp        0      1 a.b.c.d:33161   a.b.c.d:80        SYN_SENT    7928/firefox
then another member ip connects with the same syn_sent state on port 80 and whenever this other ip connects my pc goes very slow like its going to hangup. I couldn't move my mouse, then all of a sudden my screen just popped blackout on me then it goes back to normal. I even tried blocking this ip on iptables using
Code:
iptables -I INPUT -m iprange --src-range a.b.c.d-a.b.c.d -j DROP
but the bloody ip's always could get connected to port 80. wtf is going on? How would I check my pc for intrusions and to check for ports that is opened to the Internet?
Ok...

First off, this isn't an intrusion into your system. You can relax.

The connection you are referring to in your netstat output is an *outbound* connection from your system. What you are seeing is a connection from your firefox web browser to an external IP address. There's a pretty good chance that you will not see this type of connection going on if you don't have any web browsers open when you run this command. Do keep in mind that this connection state can persist until your TCP stack times out. So give it a few minutes to clear up before you check.

Second, that iptables command you are setting up in your system will wind up causing you nothing but problems. You are telling iptables to drop anything from the ip range that your own computer uses. This can include your own computer, depending on which chain you place the rule in. Not only that, but it can keep some of the critical network systems in your range like DNS from working when you need them. I would not suggest running this particular rule unless you *really* know what you are doing with iptables, and you *really* understand the topology of the network you are using.

Overall, what you are seeing is a normal TCP connection sequence event resulting from opening a web browser on your computer. If you are interested, you can test this out with the following command:

Code:
telnet 1.2.3.4
Then, in another console, execute this:

Code:
netstat -plant
I'd be willing to bet you'll see the same type of "SYN_SENT" line with only a couple of differences... It'll be going to the "1.2.3.4" IP, and it'll be using port 23 (telnet) instead of port 80 (HTTP).

In order to determine which ports are open to the internet on your computer, this command (run as root) will show you everything that is accepting inbound connections:

Code:
lsof -i -nN -P | grep -i listen
The first column in the output is the name of the program responsible for accepting the inbound connection.

So to sum it up: It's good to be vigilant on your system, and I do recommend running a firewall if your computer is directly connected to the internet. But this particular incident was nothing malicious. Just normal traffic on your system as a result of the use of a web browser.

As far as your computer slowing to a crawl, I'd start looking elsewhere for the culprit. For example, try running the "top" command from a command line and sorting the output to determine what's using the most CPU with the "P" (upper case) key, or sorting it by memory usage using the "M" (again, upper case) key.

Hope this helps...
 
Old 03-15-2009, 09:50 PM   #4
n00b1shzyx
LQ Newbie
 
Registered: Feb 2009
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks.

Quote:
Originally Posted by Linuxchuck View Post
...There's a pretty good chance that you will not see this type of connection going on if you don't have any web browsers open when you run this command.
No, it doesn't just shows when I am using a browser, it shows too with my wineserver. And when I am idle or I stop browsing on some website or simply just doing nothing somehow it goes away. But the weird thing is it only shows when I am logged in on certain PPC/SEO sites and on linux forums. It's like its monitoring my every net activity or something.
Quote:
...depending on which chain you place the rule in.
Can you elaborate on this please. What happens when I would put it on either INPUT/OUTPUT/FORWARD chain?
Quote:
...unless you *really* know what you are doing with iptables, and you *really* understand the topology of the network you are using.
No, I don't really know what I am doing with iptables or understand my network topology. All I was trying to do was looking for a way to block this iprange and so I tried googling it. And when I found it, I tried applying it. It seemed to work fine but I found out later on it did not. (I got ufw and firestarter installed.)

Now that you have mentioned it, I am trying to know more about how to obtain, understand, configure my network topology if its even configurable. Then maybe I wouldn't be so noob like this.
Code:
lsof -i -nN -P | grep -i listen
Now with this code started offline, it shows my wineserver and 2 unknowns. (sorry, I forgot to copy and paste my pc got hangedup again.) but when its started online it shows this:
Code:
lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/user/.gvfs
      Output information may be incomplete.
cupsd     5446      root    2u  IPv4  15772       TCP 1.2.3.4:631 (LISTEN)

Last edited by n00b1shzyx; 03-15-2009 at 09:53 PM.
 
Old 03-16-2009, 08:17 PM   #5
n00b1shzyx
LQ Newbie
 
Registered: Feb 2009
Posts: 7

Original Poster
Rep: Reputation: 0
Like this one:
Code:
sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       ESTABLISHED 8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       ESTABLISHED 8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       ESTABLISHED 8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       TIME_WAIT   -               
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        1      0 1.2.3.4:0   209.85.143.127:80       CLOSE_WAIT  8114/firefox    
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       ESTABLISHED 8114/firefox
As you can see here, the freakin 5.6.7.8 ip has taken over my browser. If these are outbound connections coming from my system then maybe it has already installed itself without my f****n knowledge. I am a sitting duck and I don't know what to do about it until it times out.

Last edited by n00b1shzyx; 03-16-2009 at 08:19 PM.
 
Old 03-17-2009, 07:38 AM   #6
Linuxchuck
LQ Newbie
 
Registered: Aug 2007
Distribution: Slackware from 94-09, Debian Since March 09
Posts: 28

Rep: Reputation: 19
Quote:
Originally Posted by n00b1shzyx View Post
Like this one:
Code:
sudo netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       ESTABLISHED 8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       ESTABLISHED 8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       ESTABLISHED 8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       TIME_WAIT   -               
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        1      0 1.2.3.4:0   209.85.143.127:80       CLOSE_WAIT  8114/firefox    
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      1 1.2.3.4:0   5.6.7.8:80         SYN_SENT    8114/firefox    
tcp        0      0 1.2.3.4:0   203.190.126.132:80      ESTABLISHED 8114/firefox    
tcp        0      0 1.2.3.4:0   75.126.162.205:80       ESTABLISHED 8114/firefox
As you can see here, the freakin 5.6.7.8 ip has taken over my browser. If these are outbound connections coming from my system then maybe it has already installed itself without my f****n knowledge. I am a sitting duck and I don't know what to do about it until it times out.
Again, you are most likely not being hacked... This is normal browser activity. The browser has been told (either by a website, or by some extension/plugin that you have installed) to connect to this address, and the address is not responding in a timely manner. This causes your system to leave the ports in a "waiting for a reply" state until they time out. This doesn't mean it's something that shouldn't be fixed though. If you have a firefox extension/addon installed that is failing to connect to a site, and is causing your system to slow down as a result, you should uninstall it.

If you are sincerely concerned that this is an intrusion incident on your system, stop obfuscating the destination IP addresses of the suspicious traffic. This way, we can at least see where the connection attempts are going. If it's something you aren't telling your browser to go to, then the first thing to investigate is to look at where it's trying to go.

It's perfectly sensible to obfuscate your source IP if it is a public, routable IP address. However, if your IP is a 10.x.x.x, a 192.168.x.x, or a 172.16.x.x through a 172.32.x.x address, you don't have to go through the trouble of obfuscating anything, because that information is useless to anyone outside your network.
 
Old 03-22-2009, 01:49 AM   #7
n00b1shzyx
LQ Newbie
 
Registered: Feb 2009
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Linuxchuck View Post
... The browser has been told (either by a website, or by some extension/plugin that you have installed) to connect to this address, and the address is not responding in a timely manner. This causes your system to leave the ports in a "waiting for a reply" state until they time out. This doesn't mean it's something that shouldn't be fixed though.

... If it's something you aren't telling your browser to go to, then the first thing to investigate is to look at where it's trying to go.
I think I have found which application (mailserver) on my box the second ip range use its access coz it was actually listening for incoming connections. But I couldn't figure out the first one though. I have initially closed the application cupsd for my printer and yet still it appears on netstat. I have tiger and chkrootkit installed but I still have to read for the right combination of commands to make the mark. Still researching.

Is there any application you could suggest that would close an IP address connected to you, like what the command
Code:
kill <application>
would do but only its TCP connections?

Last edited by n00b1shzyx; 03-22-2009 at 01:51 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Visitor messages? Quakeboy02 LQ Suggestions & Feedback 9 11-19-2008 05:58 PM
First time visitor...where are the FAQs mikifinaz LinuxQuestions.org Member Intro 2 05-25-2007 05:30 AM
Visitor reference on my server linuxhippy Linux - Server 2 05-24-2007 11:38 PM
timezone and visitor address rblampain Linux - General 3 01-09-2006 07:01 AM
Visitor Based Networks Mux General 0 12-04-2002 08:10 AM


All times are GMT -5. The time now is 05:17 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration