[Scottish] netstat not reporting connection.

Paxton, Darren darren.paxton at mercer.com
Fri Jul 20 08:01:41 BST 2007


I could be wrong so anyone feel free to correct me.

You probably find that the network infrastructure between your router
and the Internet is on a privately addressed network. 

e.g. my own system tracing to google is shown below (note hop #2 - which
is on a private address space)

The ISPs wouldn't be able to operate their infrastructure if they tried
to allocate a real IP address to every device so they use private
addressing instead and route internet packets via this private address
to your router which *does* have a real IP address.

Have you tried a traceroute to any sites or any resources outside of
your network to see what paths it takes?

Other than this, the 172 subnets should be unroutable from the internet
so there should be no way for your machine or router to know where to
route the packets to unless the routing table of the next hops knows.

Like I said, I could be wrong, but I don't think you've got much to
worry about.

Darren

1   (192.168.2.1)  1.712 ms  2.129 ms  2.575 ms
2  10.5.0.1 (10.5.0.1)  15.511 ms  15.868 ms  18.678 ms
3  62.30.0.49 (62.30.0.49)  19.253 ms  19.571 ms  19.822 ms
4  pc-62-30-249-13-ha.blueyonder.co.uk (62.30.249.13)  153.768 ms  154.258 ms  154.309 ms
5  bas-har-pos.telewest.net (194.117.136.30)  31.798 ms  33.070 ms  33.271 ms
6  tele1-know-rab.telewest.net (194.117.136.158)  33.659 ms  25.972 ms  26.409 ms
7  194.117.136.174 (194.117.136.174)  26.799 ms  16.165 ms  19.832 ms
8  tele2-gw4.telewest.net (194.117.136.197)  204.081 ms  204.625 ms  204.989 ms
9  194.117.148.251 (194.117.148.251)  28.362 ms  28.801 ms  29.182 ms
10  72.14.238.244 (72.14.238.244)  67.056 ms 72.14.238.255 (72.14.238.255)  32.512 ms  32.989 ms
11  209.85.250.216 (209.85.250.216)  43.326 ms  43.855 ms 66.249.95.107 (66.249.95.107)  32.154 ms
12  72.14.232.241 (72.14.232.241)  31.691 ms 64.233.174.185 (64.233.174.185)  29.905 ms  32.565 ms
13  216.239.49.114 (216.239.49.114)  38.376 ms  37.297 ms 216.239.49.126 (216.239.49.126)  38.345 ms
14  216.239.59.103 (216.239.59.103)  29.571 ms  32.777 ms  32.831 ms


On Fri, 2007-07-20 at 01:53 +0100, donothing successfully wrote: 

	
	Hi
	
	Help! I think I've got a rootkit.
	
	I'm running ubuntu dapper behind a D-link DI-604 broadband
	router.
	
	iftop and tcpdump are reporting connections to 172.21.*.* ip addresses.
	Which wikipedia and whois tell me are on a private network.
	But my LAN's 192.168.*.*
	
	I can't get netstat or lsof to report anything about them,
	eg:
	sudo lsof -i -n -r 1|grep 172
	sudo netstat -ntuapc|grep 172
	don't give anything.
	
	sudo tcpdump -XX  -vv -l net  172.21.0.0 mask 255.255.0.0
	gives eg:
	"""
	00:55:21.052339 IP (tos 0x0, ttl 241, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 172.21.13.12.11019 > 192.168.0.149.37370: R, cksum 0x362a (correct), 3372710218:3372710218(0) win 0
		0x0000:  0013 20aa 8c7f 000d 88af d7d9 0800 4500  ..............E.
		0x0010:  0028 0000 4000 f106 0f71 ac15 0d0c c0a8  .(..@....q......
		0x0020:  0095 2b0b 91fa c907 794a 0000 0000 5004  ..+.....yJ....P.
		0x0030:  0000 362a 0000 0000 0000 0000            ..6*........
	00:55:36.087562 IP (tos 0x0, ttl 241, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 172.21.14.12.11019 > 192.168.0.149.37371: R, cksum 0x7a34 (correct), 3381801908:3381801908(0) win 0
		0x0000:  0013 20aa 8c7f 000d 88af d7d9 0800 4500  ..............E.
		0x0010:  0028 0000 4000 f106 0e71 ac15 0e0c c0a8  .(..@....q......
		0x0020:  0095 2b0b 91fb c992 33b4 0000 0000 5004  ..+.....3.....P.
		0x0030:  0000 7a34 0000 0000 0000 0000            ..z4........
	"""
	
	I've done some basic things to check for a rootkit:
	
	Downloaded debs to get md5sum and netstat binaries and
	checked them against the installed versions.
	
	Downloaded chkrootkit and compiled it.
	As far as I can tell it didn't report anything dodgy apart
	from some dot files in /usr/lib etc, which seem to be
	benign.
	
	I tried looking in /proc/net/{udp,tcp} as discussed here:
	http://lists4.opensuse.org/opensuse/1999-06/msg01069.html
	if my convoluted hex conversion scripts are to be believed
	there was no mention of any 172* ip addresses there.
	If you can't trust /proc what can you trust?
	
	How can I find out what's going on here?
	And how can I fix it?!
	
	I would be very grateful for any advice.
	
	cheers
	Harry
	
	ps
	here's my script in case anyone's interested:
	
	#!/bin/bash
	# Decode /proc/net/{udp,tcp}: addresses are host-order hex (byte-reversed on x86),
	# ports are big-endian hex, and the inode column is already plain decimal.
	hex2ip() {
		echo "$1" |
		sed 's/://;s/\(..\)\(..\)\(..\)\(..\)\(....\)/0x\4 0x\3 0x\2 0x\1 0x\5/' |
		xargs /usr/bin/printf '%d.%d.%d.%d:%d'
	}
	sed '/local_address/d' /proc/net/{udp,tcp} |
	while read -r i
	do
		# fields: 2 = local_address, 3 = rem_address, 10 = inode
		local_ep=$(echo "$i" | awk '{print $2}')
		remote_ep=$(echo "$i" | awk '{print $3}')
		inode=$(echo "$i" | awk '{print $10}')
		printf '%s\t%s\t%s\n' "$(hex2ip "$local_ep")" "$(hex2ip "$remote_ep")" "$inode"
	done
	
	_______________________________________________
	Scottish mailing list
	Scottish at mailman.lug.org.uk
	https://mailman.lug.org.uk/mailman/listinfo/scottish

Darren Paxton, European Midrange Systems Senior Engineer
Centralised Operations | MMC Global Technology Infrastructure (MGTI)
Mercer Human Resource Consulting | Mercury Court, Tithebarn Street,
Liverpool, L2 2QH, Merseyside, UK
+44 (0) 151 242 7216 | Mobile +44 (0) 7789 0 30027 |
darren.paxton at mercer.com
www.mmc.com

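As an added example (not code from either poster), here is a Python version of the decoding Harry's script attempts, covering both the local and remote columns and treating the inode as decimal; the sample lines are constructed in /proc/net/tcp layout, with the second row's peer chosen to match the address in the quoted tcpdump output.

```python
# Added example: decode /proc/net/tcp. The kernel prints IPv4 addresses as
# host-order hex words (byte-reversed on x86), ports as big-endian hex, inode decimal.
import ipaddress

TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
              0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
              0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
              0x0A: "LISTEN", 0x0B: "CLOSING"}

# Constructed sample in /proc/net/tcp layout: an sshd listener plus one
# established session whose peer is the address in the quoted tcpdump output.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8843 1 0000000000000000 100 0 0 10 0
   1: 9500A8C0:91FA 0C0D15AC:2B0B 01 00000000:00000000 00:00000000 00000000  1000        0 20417 1 0000000000000000 20 4 30 10 -1
"""

def decode_endpoint(field):
    """'9500A8C0:91FA' -> ('192.168.0.149', 37370)."""
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])  # undo x86 byte order
    return str(addr), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket line; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "sl":
            continue
        entries.append({
            "local": decode_endpoint(f[1]),
            "remote": decode_endpoint(f[2]),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
            "inode": int(f[9]),  # decimal, not hex
        })
    return entries

def peers_in_network(entries, network):
    """Sockets whose local or remote address falls inside `network`."""
    net = ipaddress.ip_network(network)
    return [e for e in entries
            if ipaddress.ip_address(e["remote"][0]) in net
            or ipaddress.ip_address(e["local"][0]) in net]

if __name__ == "__main__":
    # On a live host: entries = parse_proc_net_tcp(open("/proc/net/tcp").read())
    for e in peers_in_network(parse_proc_net_tcp(SAMPLE), "172.21.0.0/16"):
        print(e["state"], e["local"], "->", e["remote"], "inode", e["inode"])
```

Note that /proc/net/tcp lists sockets, not packets: a RST delivered to a port with no socket behind it, which is what the quoted captures show, is handled in the kernel's packet path and never produces an entry here, so tcpdump seeing it while netstat and /proc show nothing is consistent rather than contradictory.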
