[Scottish] netstat not reporting connection.

donothing successfully donothingsuccessfully at googlemail.com
Fri Jul 20 17:32:23 BST 2007


Hi Guys

Thanks for your speedy & kind responses.
There's nothing like a bit of paranoia to get you
R-ingTFMs.

I'm getting the strong impression it's something to do with
firefox.

On 20/07/07, Carl Ekman <carl at gosig.nu> wrote:
Carl> do you see any significant traffic /back/ from your machine?

No, as far as I can tell most/all of the traffic consists of
a variety of 172.21.*.* addresses sending me RST packets.
This seems to occur every minute or so:
"""
harry> sudo tcpdump net  172.21.0.0 mask 255.255.0.0
16:36:24.791036 IP 172.21.17.10.11019 > 192.168.0.149.48179: R
2859590495:2859590495(0) win 0
16:36:40.950498 IP 172.21.15.33.11019 > 192.168.0.149.48180: R
2865318960:2865318960(0) win 0
16:37:40.952359 IP 172.21.17.10.11019 > 192.168.0.149.48181: R
2942749099:2942749099(0) win 0
[...]
"""

This appears only to occur when firefox (including safemode)
is running, not when eg only opera is running.

What concerns me about this is that if they're coming from
outside, as I assume they must be, how are they getting
through my router?
I think it's in response to something that firefox is doing.

Carl> Not sure, but for instance - if someone kept sending broken FIN packages to
Carl> you it's probably perfectly in order that it doesn't show with lsof or
Carl> netstat.

Okay, so would I be right in thinking that lsof and netstat
are basically front ends to /proc/net/tcp?
Something like broken FINs (or RSTs?)  wouldn't be handled by user-space
processes so wouldn't appear in proc?

Carl> By the way, if you are going to run a rootkit detector, it is a better idea to
Carl> boot from another disk - perhaps you can find a rootkit detector CD or
Carl> similar - and then mount your normal partitions and scan them. This is
Carl> because a clever rootkit could modify the syscalls so that when you are
Carl> reading the exchanged binaries it in fact returns the default ones and so on.

I was beginning to suspect as much, I'll try digging out my
Knoppix disc.

Carl> By the way - a question back - does this mail show up on the SLUG-list?
Carl> Earlier posts I've made have never shown up, and I am not sure if that is
Carl> because mailman is "smart" and doesn't send my own emails back to me, or if
Carl> it is because it for some reason doesn't work.

Darren> You probably find that the network infrastructure between your router
Darren> and the Internet is on a privately addressed network.

Yup, ntl's a 10.*.*.*

Darren> Have you tried a traceroute to any sites or any resources outside of
Darren> your network to see what paths it takes?

Carl> I'd check for that first, and traceroute to 172.21.14.12

My outputs are below.

So I think firefox is somehow provoking something on NTL's
WAN into sending me RST packets.

Thanks for all your help, and setting my mind at rest!

I'll investigate further and update.
(I'm away for a bit so it might be a few weeks.)

Thanks again!
H.

traceroutes:

harry9~>sudo traceroute 66.102.9.104
traceroute to 66.102.9.104 (66.102.9.104), 30 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.419 ms  0.338 ms  0.307 ms
 2  10.232.92.1 (10.232.92.1)  7.571 ms  11.218 ms *
 3  renf-t2cam1-a-v135.inet.ntl.com (80.4.65.217)  6.604 ms  15.130 ms  6.069 ms
 4  renf-t2core-a-ge-wan62.inet.ntl.com (195.182.176.165)  6.421 ms  7.342 ms *
 5  ren-bb-a-so-230-0.inet.ntl.com (213.105.174.201)  6.487 ms  9.258 ms  7.957 ms
 6  lee-bb-b-so-010-0.inet.ntl.com (62.253.185.162)  13.003 ms  15.484 ms *
 7  nth-bb-a-so-600-0.inet.ntl.com (213.105.175.133)  19.692 ms  17.051 ms  16.378 ms
 8  nth-bb-b-so-200-0.inet.ntl.com (213.105.172.194)  17.356 ms  16.085 ms  15.478 ms
 9  * tele-ic-1-as0-0.inet.ntl.com (62.253.184.2)  18.526 ms  17.155 ms
10  212.250.14.66 (212.250.14.66)  18.694 ms  19.205 ms  18.348 ms
11  72.14.238.255 (72.14.238.255)  17.948 ms 72.14.238.244 (72.14.238.244)  17.979 ms  18.515 ms
12  * 66.249.95.107 (66.249.95.107)  28.854 ms 209.85.250.216 (209.85.250.216)  31.598 ms
13  64.233.174.113 (64.233.174.113)  29.520 ms  29.076 ms 72.14.232.233 (72.14.232.233)  40.600 ms
14  64.233.174.187 (64.233.174.187)  30.920 ms  31.397 ms  29.489 ms
15  64.233.174.14 (64.233.174.14)  31.610 ms  40.724 ms  36.414 ms
16  lm-in-f104.google.com (66.102.9.104)  31.665 ms *  31.641 ms

harry9~>sudo traceroute 172.21.7.10
traceroute to 172.21.7.10 (172.21.7.10), 30 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  14.137 ms  0.343 ms  0.902 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
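The question in the thread about whether lsof and netstat are just front ends to /proc/net/tcp, and why the RSTs in the tcpdump capture never show up there, can be checked directly. The script below is an added example and not part of the original post or of any of the tools mentioned: it decodes a constructed /proc/net/tcp table exactly the way netstat does (hex fields, IPv4 addresses in host byte order, assumed little-endian here), parses the RST lines from the capture quoted above, and reports for each RST whether any local socket existed for the port it hit. The socket table rows and the fourth tcpdump line are constructed; the 172.21.x.x hosts, the port 11019 and the 4817x local ports reuse the values from the capture. An RST aimed at a port with no socket, or at a SYN_SENT socket the kernel has already torn down on receipt of the RST, is handled entirely inside the kernel, so there is never anything for /proc/net/tcp (and hence netstat or lsof) to list.

```python
"""Correlate tcpdump RST lines against a /proc/net/tcp socket table.

netstat and lsof read the kernel's socket table (/proc/net/tcp on Linux).
A TCP segment the kernel answers or drops without a matching socket never
appears there. This script decodes the table the way netstat does and
checks each captured RST against it.
"""
import re
import socket
import struct

# State codes used in the 'st' column of /proc/net/tcp (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not taken from the poster's machine),
# assuming a little-endian host: 9500A8C0 == 192.168.0.149,
# 0A1115AC == 172.21.17.10, 68096642 == 66.102.9.104; ports are hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8823 1 f0000000 300 0 0 2 -1
   1: 9500A8C0:BC36 0A1115AC:2B0B 01 00000000:00000000 00:00000000 00000000  1000        0 19981 1 f0000001 20 4 1 2 -1
   2: 9500A8C0:BC3A 68096642:0050 06 00000000:00000000 03:000010F5 00000000     0        0 0 2 f0000002
"""

# The first three lines are the poster's capture (wrapped lines rejoined);
# the fourth is constructed so that one RST hits an existing socket.
SAMPLE_TCPDUMP = """\
16:36:24.791036 IP 172.21.17.10.11019 > 192.168.0.149.48179: R 2859590495:2859590495(0) win 0
16:36:40.950498 IP 172.21.15.33.11019 > 192.168.0.149.48180: R 2865318960:2865318960(0) win 0
16:37:40.952359 IP 172.21.17.10.11019 > 192.168.0.149.48181: R 2942749099:2942749099(0) win 0
16:38:02.000000 IP 172.21.17.10.11019 > 192.168.0.149.48182: R 2950000000:2950000000(0) win 0
"""


def _decode_addr(hexaddr):
    """'9500A8C0:BC33' -> ('192.168.0.149', 48179); IPv4 is stored in host order."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row, with the fields netstat would display."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        sockets.append({
            "local": _decode_addr(fields[1]),
            "remote": _decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
        })
    return sockets


# Matches tcpdump's default IPv4 text output for a segment with only the R flag.
RST_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): R "
)


def parse_tcpdump_rst(text):
    """Pick out RST segments from tcpdump output; other lines are ignored."""
    rsts = []
    for line in text.splitlines():
        m = RST_RE.match(line)
        if m:
            rsts.append({"ts": m["ts"],
                         "src": (m["src"], int(m["sport"])),
                         "dst": (m["dst"], int(m["dport"]))})
    return rsts


def classify_rsts(rsts, sockets):
    """For each RST, report the state of the local socket it hit, or NO_SOCKET.

    NO_SOCKET means the kernel handled the segment without any socket being
    involved (or after the socket was already gone), which is exactly the
    case that netstat and lsof cannot show.
    """
    by_local = {s["local"]: s for s in sockets}
    verdicts = []
    for r in rsts:
        sock = by_local.get(r["dst"])
        verdicts.append((r["ts"], r["dst"][1],
                         "NO_SOCKET" if sock is None else sock["state"]))
    return verdicts


def count_orphan_rsts(rsts, sockets):
    """Number of RSTs that matched no socket at all."""
    return sum(1 for _, _, v in classify_rsts(rsts, sockets) if v == "NO_SOCKET")


if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for ts, port, verdict in classify_rsts(parse_tcpdump_rst(SAMPLE_TCPDUMP), socks):
        print(f"{ts} RST -> local port {port}: {verdict}")
```

On a real host the same check works by reading /proc/net/tcp at the moment tcpdump reports an RST; the three captured RSTs come back as NO_SOCKET, which is consistent with the thread's conclusion that the kernel is simply discarding replies to connections that no longer exist rather than anything hiding from netstat.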


