LinuxQuestions.org > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I hope this is not a false alarm.
My machine is running Ubuntu 12.04 LTS.
It is set up as a LAMP server.
I've just run a netstat -a command for the first time.
What alarmed me were lines like those below:
Code:
tcp 0 0 www.testlimo.com:45259 91.190.218.57:12350 ESTABLISHED
tcp 0 0 www.testlimo.com:45961 157.56.52.23:40025 ESTABLISHED
Now testlimo.com is a local domain only; it is defined in /etc/hosts.
The machine is not set up as a DNS server.
This machine is behind a NAT router (E3000).
I was forwarding ports 80 and 443 (SSL) only.
I disabled forwarding today.
So why do I see those IP addresses for Singapore, Ireland, Oklahoma and Montreal????
From a local site that is supposed to be dead.
I ran tiger - no major failures, just 20-30 bad checksums, most for phpunit.
I went onto a system that is not a DNS server. In fact, it generally doesn't provide any services to the outside world. It's a private system on a private LAN. It's behind a NAT router. The machine is given a locally known IP (in principle a "non-routed" IP address) from a local DHCP server. I queried an outside DNS server, to try to make sure there is no domain in the world named "fake_domain.com". I then edited the /etc/hosts file on the private machine, so that the local IP address assigned to the machine was associated with the non-existent domain name "fake_domain.com". After that change to the /etc/hosts file, these are some of the lines from the output of the "netstat -a" command, run on that machine:
I don't know about the IP addresses which you haven't shown us, but at a quick look, it seems as if the IPs you did show us are involved with things such as Skype and Microsoft.
Why do you mention that the machine is not a DNS server? Why exactly does that concern you?
What do you mean by the phrase "a local site that is supposed to be dead"?
Do you allow outgoing connections at all? Or any connections? Is Skype in use?
netstat -a isn't a very good way to determine the domain on the left-hand side (i.e., the local interface). The system's preference for name lookups is usually from files first (look in your nsswitch.conf), in which case it will report whatever comes from /etc/hosts first (since it performs something similar to a gethostaddr() call), without ever querying the actual DNS name.
Thanks, rigor and orgcandman. That is the case - testlimo.com is first in /etc/hosts.
Fooooooo.
I mentioned that the machine was not a DNS server, and there is no DNS server in my home yet, to show that there cannot be any access to testlimo from the outside.
And since I was not working on testlimo, it should not access any outside sites.
So when I saw a Singapore IP address, I started sweating. :-)
Code:
tcp 0 1 www.testlimo.com:57317 111.221.74.25:40011 SYN_SENT
I did not see any reason to trust MS hosting in Singapore.
Still not sure why it went there. Some kind of ADV?
I'll close this as solved in a couple of days if there is no further input.
The netstat command shows you the active and reset network connections. Your two examples:
Code:
tcp 0 0 www.testlimo.com:45259 91.190.218.57:12350 ESTABLISHED
tcp 0 0 www.testlimo.com:45961 157.56.52.23:40025 ESTABLISHED
show that there are two active TCP connections from what is probably your machine, as resolved by the hosts file, to these other machines. What is puzzling about the connections are the destination port numbers. They look like they would be for a VoIP or game server connection.
You can use the netstat -pane command to get additional information regarding what process is making these connections.
At least all destination ports are http and shttp.
Any ideas why so many user-defined ports from browsers?
For each new connection, your system will grab a high numbered port at random. From your list, some examples are 38056, 43544, and 59458. This is normal behavior. Notice at the end of the line it says, ESTABLISHED or CLOSE_WAIT. This is the "state" of the connection. A TCP connection is much like a telephone call where a connection is made, used, and then taken down. Here is a link to a .pdf with a good explanation of the states. Each browser session will likely establish a lot of connections because of the main content, plus each ad, analytic, and other active link in the page. You can see that the destination ports are all 80 or 443 indicating browser traffic destinations and these are also associated with browser application connections. One of the tricks of forensic analysis, and reasons why it is best to not reboot or disturb a suspect machine is you can also look at the process tree to correlate the PIDs to see both the location path of the file using the connection as well as the parent processes.
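To make the advice in the replies above concrete (read the numeric addresses rather than the /etc/hosts name, count connection states, and use the PID/Program name column from netstat -pane to find the owner of any connection whose remote port is not 80 or 443), here is a small parser as an added example. It is not code from the thread; the netstat sample, hosts, PIDs and program names in it are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -pane` output (addresses shown numerically,
# so /etc/hosts does not rewrite the Local Address column). Hosts, PIDs and
# program names are made up for illustration; they are not from the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User  Inode  PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0     11111  1200/apache2
tcp        0      0 192.168.1.10:45259      203.0.113.7:12350       ESTABLISHED 1000  22222  2345/voip_client
tcp        0      0 192.168.1.10:38056      198.51.100.20:443       ESTABLISHED 1000  22223  2400/firefox
tcp        1      0 192.168.1.10:43544      198.51.100.21:443       CLOSE_WAIT  1000  22224  2400/firefox
tcp        0      1 192.168.1.10:57317      203.0.113.9:40011       SYN_SENT    1000  22225  2345/voip_client
"""

# One TCP line of `netstat -pane`: proto, queues, local/foreign addr:port,
# state, user, inode and the PID/program column (PID may be "-" when unknown).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<user>\d+)\s+(?P<inode>\d+)\s+"
    r"(?P<pid>\d+|-)(?:/(?P<prog>\S+))?"
)

# Remote ports that ordinary outbound browser traffic is expected to hit.
EXPECTED_REMOTE_PORTS = {80, 443}


def parse_netstat(text):
    """Return one dict per TCP socket line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("recvq", "sendq"):
                row[key] = int(row[key])
            for key in ("lport", "rport"):
                row[key] = None if row[key] == "*" else int(row[key])
            rows.append(row)
    return rows


def state_counts(rows):
    """Histogram of TCP states, e.g. to spot a pile of CLOSE_WAIT or LAST_ACK."""
    return Counter(r["state"] for r in rows)


def unexpected_remote(rows):
    """Non-listening sockets whose remote port is not a web port, with the owning program."""
    return [(r["raddr"], r["rport"], r["state"], r["prog"]) for r in rows
            if r["state"] != "LISTEN" and r["rport"] not in EXPECTED_REMOTE_PORTS]
```

Run it against real output by piping `netstat -pane` (as root, so the PID column is filled for every socket) into `parse_netstat`; anything `unexpected_remote` returns is the connection to check against its program path and parent process.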
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 1 0 fake_domain.com:60549 static.5.49.63.17:https CLOSE_WAIT
tcp 1 0 fake_domain.com:43914 static.132.61.63.:https CLOSE_WAIT
Sorry for stealing this thread, but I have a question for rigor. Maybe you know where these addresses (static.5.49.63.17:https and static.132.61.63.:https) are pointing to? How have you got them?
I just had a strange "event". I was working with Google Translate and listening to YouTube in the background. When suddenly the sound stopped. Ok, stream stuck. Tried to rewind. Nothing. Waiting for site. Tried opening other pages. Waiting.... Ok. That's an FF issue. Killed FF. And decided to run "netstat". Got tens of these addresses in LAST_ACK state. WTF? Started to wonder what that could be. Googled and found this page. Any ideas?
I too get the "static..." addresses when I use Google Translate.
If whatever Linux you use allows these options ( or their equivalents ) on the netstat command:
Code:
netstat -A inet -veepaT
you can get a fairly full/verbose/detailed output from netstat, that doesn't truncate information.
In my case these addresses seem to lead to a hosting company in Germany.