how do i verify, which programs are establishing unwanted connections ?


additional infos:
installed ufw (firewall)
nethogs (always shows a unkown program from root) (is that ok, or normal ?)

ip's like Akamai Technology (Akamai B.V) in England,
or 78.140.187.143

thank you.

by the way i am using Ubuntu 10.04 (Codename Lucid-Lynx)

Hi

Try this command:

lsof -i

It lists all open connections with command name.

Also: port-numbers greater than 1024 can be opened by any program, without requiring special privileges. Many programs do establish outbound connections using randomly-chosen port numbers. Also, many services "rendezvous" using a known (privileged) port-number, but only use this connection to establish the particulars for a subsequent conversation which takes place through a non-privileged, randomly chosen port. The connection remains until the parties are finished talking, then it is torn-down. There can be a lot more of this activity than you might think, and a lot more "churn" than you might expect.

Basically, you should find that all of the connections which you see are "plausible." It should make sense to you that the program in question exists, and that it would be talking to that particular party, and that it should be transferring such amount of traffic. In the case of low port-numbers, less than 1024, you should be able to account for each and every one, and you should not have any of these ports open "gratuitously."

If you need to have persistent connections to another computer, then I happen to be a big fan of VPN. Set up certificates (not PSKs = passwords!) on both ends so that each system can uniquely recognize the other(s), and shovel your traffic through that tunnel. Most routers have a hardware implementation of it. To authorized users, VPN is invisible. To everyone else, it's a steel door tightly shut. With a hardware implementation there is no delay in speed.

thank you very much, for your guidance, and the supplied information...