[Scottish] netstat not reporting connection.

Colin McKinnon colin.mckinnon at ntlworld.com
Sat Jul 21 19:39:08 BST 2007


On Friday 20 July 2007 01:53, donothing successfully wrote:
> Help! I think I've got a rootkit.
>
> I'm running ubuntu dapper behind a D-link DI-604 broadband
> router.
>
> iftop and tcpdump are reporting connections to 172.21.*.* ip addresses.
> Which wikipedia and whois tell me are on a private network.
> But my LAN's 192.168.*.*
>
Not very familiar with iftop but don't both these tools report on *packets* 
not connections?


> sudo tcpdump -XX  -vv -l net  172.21.0.0 mask 255.255.0.0
> gives eg:
> """
> 00:55:21.052339 IP (tos 0x0, ttl 241, id 0, offset 0, flags [DF],
> proto: TCP (6), length: 40) 172.21.13.12.11019 > 192.168.0.149.37370:
<snip>
> 00:55:36.087562 IP (tos 0x0, ttl 241, id 0, offset 0, flags [DF],
> proto: TCP (6), length: 40) 172.21.14.12.11019 > 192.168.0.149.37371:
Yup - just packets - and the port numbers are different too - sure your 
router's not just leaking extra echoes of other traffic through? (I've got 
cable using a modem rather than ADSL, but can see other local people's traffic 
on my interface).

It seems improbable that a hacker could compromise your machine and come up 
with a combination of private subnets which would actually allow them to route 
a connection back to another host.

If you're confident that your kernel, lsof and netstat are secure then it's 
looking increasingly unlikely that your machine is involved - how likely is 
it that a hacker would build their own TCP stack?

> I've done some basic things to check for a rootkit:
>
> Downloaded debs to get md5sum and netstat binaries and
> checked them against the installed versions.
>
> Downloaded chkrootkit and compiled it.
> As far as I can tell it didn't report anything dodgy apart
> from some dot files in /usr/lib etc, which seem to be
> benign.
>
Sensible

> I tried looking in /proc/net/{udp,tcp} as discussed here:
> http://lists4.opensuse.org/opensuse/1999-06/msg01069.html
> if my convoluted hex conversion scripts are to be believed
> there was no mention of any 172* ip addresses there.
> If you can't trust /proc what can you trust?
>
This also seems to favour the leaky net theory over the rootkit theory.

If you can't demonstrate to your own satisfaction that these are not coming 
from your machine, try demonstrating they are coming from elsewhere by 
changing the address/subnet you are using between your PC and router.

HTH

C.
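
Added example, not part of the original message: a small decoder for the /proc/net/tcp check discussed above, listing any socket whose local or remote address falls in 172.21.0.0/16. The function names are hypothetical, the sample table is constructed, and it assumes IPv4 on a little-endian (x86) host.

```python
import ipaddress

# Subset of kernel TCP state codes as printed in the "st" column.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (not taken from the poster's machine).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 9500A8C0:91FA 0C0D15AC:2B0B 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1
"""

def decode_endpoint(field, byteorder="little"):
    """Turn 'AAAAAAAA:PPPP' into (IPv4Address, port)."""
    addr_hex, port_hex = field.split(":")
    # The address is a 32-bit word printed in host byte order, so on x86 the
    # octets read backwards; the port is an ordinary hex number.
    raw = int(addr_hex, 16).to_bytes(4, byteorder)
    return ipaddress.IPv4Address(raw), int(port_hex, 16)

def sockets_touching(table_text, cidr):
    """Return sockets whose local or remote address falls inside cidr."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].endswith(":"):
            continue  # header or blank line
        (laddr, lport), (raddr, rport) = decode_endpoint(cols[1]), decode_endpoint(cols[2])
        if laddr in net or raddr in net:
            state = TCP_STATES.get(cols[3], cols[3])
            hits.append((f"{laddr}:{lport}", f"{raddr}:{rport}", state))
    return hits

if __name__ == "__main__":
    import sys
    # With a path argument (e.g. /proc/net/tcp) read the live table, else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for local, remote, state in sockets_touching(text, "172.21.0.0/16"):
        print(local, "->", remote, state)
```

The table is produced by the running kernel, so an empty result only shows that this kernel reports no such socket; comparing against a capture taken on another host or at the router is the independent check.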


