[Scottish] netstat not reporting connection.
donothing successfully
donothingsuccessfully at googlemail.com
Fri Jul 20 01:53:59 BST 2007
Hi
Help! I think I've got a rootkit.
I'm running ubuntu dapper behind a D-link DI-604 broadband
router.
iftop and tcpdump are reporting connections to 172.21.*.* IP addresses,
which Wikipedia and whois tell me are on a private network.
But my LAN's 192.168.*.*.
I can't get netstat or lsof to report anything about them,
eg:
sudo lsof -i -n -r 1|grep 172
sudo netstat -ntuapc|grep 172
don't give anything.
sudo tcpdump -XX -vv -l net 172.21.0.0 mask 255.255.0.0
gives eg:
"""
00:55:21.052339 IP (tos 0x0, ttl 241, id 0, offset 0, flags [DF],
proto: TCP (6), length: 40) 172.21.13.12.11019 > 192.168.0.149.37370:
R, cksum 0x362a (correct), 3372710218:3372710218(0) win 0
0x0000: 0013 20aa 8c7f 000d 88af d7d9 0800 4500 ..............E.
0x0010: 0028 0000 4000 f106 0f71 ac15 0d0c c0a8 .(..@....q......
0x0020: 0095 2b0b 91fa c907 794a 0000 0000 5004 ..+.....yJ....P.
0x0030: 0000 362a 0000 0000 0000 0000 ..6*........
00:55:36.087562 IP (tos 0x0, ttl 241, id 0, offset 0, flags [DF],
proto: TCP (6), length: 40) 172.21.14.12.11019 > 192.168.0.149.37371:
R, cksum 0x7a34 (correct), 3381801908:3381801908(0) win 0
0x0000: 0013 20aa 8c7f 000d 88af d7d9 0800 4500 ..............E.
0x0010: 0028 0000 4000 f106 0e71 ac15 0e0c c0a8 .(..@....q......
0x0020: 0095 2b0b 91fb c992 33b4 0000 0000 5004 ..+.....3.....P.
0x0030: 0000 7a34 0000 0000 0000 0000 ..z4........
"""
I've done some basic things to check for a rootkit:
Downloaded debs to get md5sum and netstat binaries and
checked them against the installed versions.
Downloaded chkrootkit and compiled it.
As far as I can tell it didn't report anything dodgy apart
from some dot files in /usr/lib etc, which seem to be
benign.
I tried looking in /proc/net/{udp,tcp} as discussed here:
http://lists4.opensuse.org/opensuse/1999-06/msg01069.html
If my convoluted hex conversion scripts are to be believed,
there was no mention of any 172* IP addresses there.
If you can't trust /proc what can you trust?
How can I find out what's going on here?
And how can I fix it?!
I would be very grateful for any advice.
cheers
Harry
PS: here's my script in case anyone's interested:
#!/bin/bash
# Decode the hex local_address and rem_address columns of /proc/net/{udp,tcp}
# to dotted-quad:port, followed by the socket inode (column 10).
# The kernel prints the IPv4 address in host byte order, so on x86 the
# four byte pairs come out back to front and are reversed here.
sed '/local_address/d' /proc/net/{udp,tcp} |
while read -r i
do
    # column 2 is the local endpoint, column 3 the remote one
    for col in 2 3
    do
        echo "$i" |
        awk -v c="$col" '{print $c}' |
        sed 's/://;s/\(..\)\(..\)\(..\)\(..\)\(....\)/0x\4 0x\3 0x\2 0x\1 0x\5/' |
        xargs /usr/bin/printf '%d.%d.%d.%d:%d\t'
    done
    echo "$i" |
    awk '{print $10}' |
    sed 's/.*/0x&/g' |
    xargs /usr/bin/printf '%d\n'
done
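Added example (not part of Harry's post): a Python decoder for the same /proc/net/{tcp,udp} table his script walks, run over a constructed sample rather than a live system. It decodes both the local and the remote column, maps the state byte to its name, and filters for sockets whose peer sits inside a given range such as 172.21.0.0/16. The sample rows, uids and inode numbers are constructed; the 192.168.0.149:37370 to 172.21.13.12:11019 pair is built to mirror the tcpdump output above. Like the original script it assumes the table came from a little-endian (x86) host. One thing to keep in mind when comparing the two tools: netstat, lsof and /proc/net/tcp list sockets, while tcpdump sees every frame on the wire, so an inbound RST with win 0 aimed at a port that has no socket behind it never shows up in the socket table even on a clean machine.

```python
import ipaddress
import socket
import struct

# TCP socket states as numbered in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from a real host).
# Row 1 mirrors the 192.168.0.149:37370 <-> 172.21.13.12:11019 pair seen in
# the tcpdump output; uids and inodes are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 9500A8C0:91FA 0C0D15AC:2B0B 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 1 10 -1
   2: 9500A8C0:BF3E 0101A8C0:0050 06 00000000:00000000 03:00000F0A 00000000     0        0 0 3 0000000000000000
"""


def decode_endpoint(hex_endpoint):
    """Turn '9500A8C0:91FA' into ('192.168.0.149', 37370).

    The kernel prints the IPv4 address as a 32-bit integer in host byte
    order, so on a little-endian host the byte pairs read back to front;
    "<I" reverses them.  The port is printed in network order as-is.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp (or udp) into a list of socket dicts."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sl":  # blank line or the header row
            continue
        local_addr, local_port = decode_endpoint(fields[1])
        rem_addr, rem_port = decode_endpoint(fields[2])
        sockets.append({
            "local": (local_addr, local_port),
            "remote": (rem_addr, rem_port),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # 0 for sockets no process owns (e.g. TIME_WAIT)
        })
    return sockets


def sockets_talking_to(sockets, network):
    """Return the sockets whose remote endpoint lies inside the given CIDR."""
    net = ipaddress.ip_network(network)
    return [s for s in sockets if ipaddress.ip_address(s["remote"][0]) in net]


if __name__ == "__main__":
    # On a real host: read /proc/net/tcp (or a file given on the command line)
    # and list every socket whose peer is in the range under suspicion.
    import sys
    source = sys.argv[1] if len(sys.argv) > 1 else "/proc/net/tcp"
    with open(source) as fh:
        table = parse_proc_net_tcp(fh.read())
    for s in sockets_talking_to(table, "172.21.0.0/16"):
        print("%s:%d -> %s:%d %s inode=%d"
              % (s["local"] + s["remote"] + (s["state"], s["inode"])))
```

The inode printed for a hit is the value to chase next: it is the same number that appears as `socket:[inode]` in /proc/<pid>/fd, which is how lsof ties a socket back to a process. Entries with inode 0 (TIME_WAIT and other half-dead sockets) have no owning process, which is one legitimate reason a connection can be visible in /proc/net/tcp yet absent from lsof output.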