[Scottish] netstat not reporting connection.
Paxton, Darren
darren.paxton at mercer.com
Fri Jul 20 08:01:41 BST 2007
I could be wrong so anyone feel free to correct me.
You probably find that the network infrastructure between your router
and the Internet is on a privately addressed network.
e.g. my own system tracing to google is shown below (note hop #2 - which
is on a private address space)
The ISPs wouldn't be able to operate their infrastructure if they tried
to allocate a real IP address to every device so they use private
addressing instead and route internet packets via this private address
to your router which *does* have a real IP address.
Have you tried a traceroute to any sites or any resources outside of
your network to see what paths it takes?
Other than this, the 172 subnets should be unroutable from the internet
so there should be no way for your machine or router to know where to
route the packets to unless the routing table of the next hops knows.
Like I said, I could be wrong, but I don't think you've got much to
worry about.
Darren
 1  (192.168.2.1)  1.712 ms  2.129 ms  2.575 ms
 2  10.5.0.1 (10.5.0.1)  15.511 ms  15.868 ms  18.678 ms
 3  62.30.0.49 (62.30.0.49)  19.253 ms  19.571 ms  19.822 ms
 4  pc-62-30-249-13-ha.blueyonder.co.uk (62.30.249.13)  153.768 ms  154.258 ms  154.309 ms
 5  bas-har-pos.telewest.net (194.117.136.30)  31.798 ms  33.070 ms  33.271 ms
 6  tele1-know-rab.telewest.net (194.117.136.158)  33.659 ms  25.972 ms  26.409 ms
 7  194.117.136.174 (194.117.136.174)  26.799 ms  16.165 ms  19.832 ms
 8  tele2-gw4.telewest.net (194.117.136.197)  204.081 ms  204.625 ms  204.989 ms
 9  194.117.148.251 (194.117.148.251)  28.362 ms  28.801 ms  29.182 ms
10  72.14.238.244 (72.14.238.244)  67.056 ms  72.14.238.255 (72.14.238.255)  32.512 ms  32.989 ms
11  209.85.250.216 (209.85.250.216)  43.326 ms  43.855 ms  66.249.95.107 (66.249.95.107)  32.154 ms
12  72.14.232.241 (72.14.232.241)  31.691 ms  64.233.174.185 (64.233.174.185)  29.905 ms  32.565 ms
13  216.239.49.114 (216.239.49.114)  38.376 ms  37.297 ms  216.239.49.126 (216.239.49.126)  38.345 ms
14  216.239.59.103 (216.239.59.103)  29.571 ms  32.777 ms  32.831 ms
On Fri, 2007-07-20 at 01:53 +0100, donothing successfully wrote:
Hi
Help! I think I've got a rootkit.
I'm running ubuntu dapper behind a D-link DI-604 broadband
router.
iftop and tcpdump are reporting connections to 172.21.*.* ip
addresses.
Which wikipedia and whois tell me are on a private network.
But my LAN's 192.168.*.*
I can't get netstat or lsof to report anything about them,
eg:
sudo lsof -i -n -r 1|grep 172
sudo netstat -ntuapc|grep 172
don't give anything.
sudo tcpdump -XX -vv -l net 172.21.0.0 mask 255.255.0.0
gives eg:
"""
00:55:21.052339 IP (tos 0x0, ttl 241, id 0, offset 0, flags
[DF],
proto: TCP (6), length: 40) 172.21.13.12.11019 >
192.168.0.149.37370:
R, cksum 0x362a (correct), 3372710218:3372710218(0) win 0
0x0000: 0013 20aa 8c7f 000d 88af d7d9 0800 4500
..............E.
0x0010: 0028 0000 4000 f106 0f71 ac15 0d0c c0a8
.(.. at ....q......
0x0020: 0095 2b0b 91fa c907 794a 0000 0000 5004
..+.....yJ....P.
0x0030: 0000 362a 0000 0000 0000 0000
..6*........
00:55:36.087562 IP (tos 0x0, ttl 241, id 0, offset 0, flags
[DF],
proto: TCP (6), length: 40) 172.21.14.12.11019 >
192.168.0.149.37371:
R, cksum 0x7a34 (correct), 3381801908:3381801908(0) win 0
0x0000: 0013 20aa 8c7f 000d 88af d7d9 0800 4500
..............E.
0x0010: 0028 0000 4000 f106 0e71 ac15 0e0c c0a8
.(.. at ....q......
0x0020: 0095 2b0b 91fb c992 33b4 0000 0000 5004
..+.....3.....P.
0x0030: 0000 7a34 0000 0000 0000 0000
..z4........
"""
I've done some basic things to check for a rootkit:
Downloaded debs to get md5sum and netstat binaries and
checked them against the installed versions.
Downloaded chkrootkit and compiled it.
As far as I can tell it didn't report anything dodgy apart
from some dot files in /usr/lib etc, which seem to be
benign.
I tried looking in /proc/net/{udp,tcp} as discussed here:
http://lists4.opensuse.org/opensuse/1999-06/msg01069.html
If my convoluted hex conversion scripts are to be believed,
there was no mention of any 172* ip addresses there.
If you can't trust /proc what can you trust?
How can I find out what's going on here?
And how can I fix it?!
I would be very grateful for any advice.
cheers
Harry
ps
here's my script in case anyone's interested:
#!/bin/bash
# Decode /proc/net/{udp,tcp}: the address columns are little-endian hex
# "ip:port" words; the inode column (field 10) is already decimal, so it
# must not be prefixed with 0x before printing.
hex2ip() {
    # "0100007F:0035" -> "127.0.0.1:53"
    echo "$1" |
    sed 's/://;s/\(..\)\(..\)\(..\)\(..\)\(....\)/0x\4 0x\3 0x\2 0x\1 0x\5/' |
    xargs /usr/bin/printf '%d.%d.%d.%d:%d'
}
sed '/local_address/d' /proc/net/{udp,tcp} |
while read -r line
do
    set -- $line   # $2 = local_address, $3 = rem_address, ${10} = inode
    # print local AND remote ends; a 172.* peer would show up on the remote side
    printf '%s\t%s\t%s\n' "$(hex2ip "$2")" "$(hex2ip "$3")" "${10}"
done
_______________________________________________
Scottish mailing list
Scottish at mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/scottish
Darren Paxton, European Midrange Systems Senior Engineer
Centralised Operations | MMC Global Technology Infrastructure (MGTI)
Mercer Human Resource Consulting | Mercury Court, Tithebarn Street,
Liverpool, L2 2QH, Merseyside, UK
+44 (0) 151 242 7216 | Mobile +44 (0) 7789 0 30027 |
darren.paxton at mercer.com | www.mmc.com
This e-mail and any attachments may be confidential or legally
privileged. If you received this message in error or are not the intended
recipient, you should destroy the email message and any attachments or
copies, and you are prohibited from retaining, distributing, disclosing
or using any information contained herein. Please inform us of the
erroneous delivery by return e-mail. Thank you for your co-operation.
Mercer Human Resource Consulting Limited is authorised and regulated by
the Financial Services Authority. Registered in England No. 984275.
Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU.
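For anyone following the thread who wants to check Harry's two artefacts without a "convoluted hex conversion script": below is a small Python decoder I wrote for this reply (it is not code from Harry, Darren, or any tool mentioned above). It does two things. First, it decodes a /proc/net/tcp address column, which the kernel prints as a little-endian hex word, into dotted ip:port. Second, it parses the first raw frame from Harry's tcpdump -XX output (the hex bytes are copied from the dump above), pulls out the IP and TCP headers, recomputes both checksums the same way tcpdump does, and reports the TCP flags and whether the source address is in private space. Function and constant names are my own.

```python
import struct
import ipaddress

# Hex columns of the first frame in Harry's tcpdump -XX output (ASCII gutter
# dropped). 60 bytes: 14 Ethernet + 40 IP/TCP + 6 bytes of Ethernet padding.
PACKET_HEX = """
0013 20aa 8c7f 000d 88af d7d9 0800 4500
0028 0000 4000 f106 0f71 ac15 0d0c c0a8
0095 2b0b 91fa c907 794a 0000 0000 5004
0000 362a 0000 0000 0000 0000
"""

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def decode_proc_addr(field):
    """Decode a /proc/net/tcp address column ("0C0D15AC:2B0B") to "ip:port".
    The address is a host-order (little-endian on x86) 32-bit hex word."""
    ip_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(ip_hex, 16)))
    return "%s:%d" % (ip, int(port_hex, 16))


def hexdump_to_bytes(dump):
    """Turn the hex columns of a tcpdump -XX dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def ones_complement_sum(data):
    """RFC 1071 Internet checksum over 16-bit words (odd trailing byte padded).
    Summing a region that already contains its checksum yields 0 if intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(raw):
    """Decode Ethernet II + IPv4 + TCP headers and verify both checksums."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]    # excludes Ethernet padding
    ttl, proto, _ip_cksum = struct.unpack("!BBH", ip[8:12])
    src, dst = ip[12:16], ip[16:20]
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp = ip[ihl:total_len]
    (sport, dport, _seq, _ack, offset_flags,
     window, _tcp_cksum) = struct.unpack("!HHIIHHH", tcp[:18])
    data_offset = (offset_flags >> 12) * 4
    flags = offset_flags & 0x3F
    # IP checksum covers only the IP header; TCP checksum covers a pseudo
    # header (addresses, zero, protocol, TCP length) plus the whole segment.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        "flags": [n for bit, n in sorted(TCP_FLAG_NAMES.items()) if flags & bit],
        "window": window,
        "payload_len": len(tcp) - data_offset,
        "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0,
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0,
        "src_is_private": ipaddress.IPv4Address(src).is_private,
    }


if __name__ == "__main__":
    print(decode_proc_addr("0C0D15AC:2B0B"))
    for key, value in parse_frame(hexdump_to_bytes(PACKET_HEX)).items():
        print("%-16s %s" % (key, value))
```

Run as-is it prints the decoded header fields for that frame: a bare reset (flags RST, window 0, no payload) from 172.21.13.12 to 192.168.0.149:37370, with both checksums intact. That is worth knowing when comparing against netstat or lsof: those tools list sockets, and a reset arriving for a port with no socket behind it never creates one, so it shows up in tcpdump but nowhere in the socket tables. The decode_proc_addr helper gives the same answer as the shell script in Harry's post, minus the printf gymnastics.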