Bizarre connections from and to a FC7 unattended

Thomas TS ttsoares at cristhom.com.br
Mon Jul 23 17:53:35 UTC 2007


This is a fully updated FC7.
The system is running with no user logged in.
Just some default daemons and services:

# netstat -apn | grep LIST | grep tcp

tcp        0      0 127.0.0.1:8000          0.0.0.0:*       LISTEN      2580/nasd
tcp        0      0 192.168.122.1:53        0.0.0.0:*       LISTEN      2834/dnsmasq
tcp        0      0 0.0.0.0:821             0.0.0.0:*       LISTEN      2335/rpc.statd
tcp        0      0 127.0.0.1:631           0.0.0.0:*       LISTEN      2525/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*       LISTEN      2559/sendmail: acce
tcp        0      0 :::111                  :::*            LISTEN      2301/rpcbind
tcp        0      0 :::22                   :::*            LISTEN      2539/sshd


This box is behind a NAT, and from the gateway one can look at the
connections to/from the FC7 system.

After some time monitoring with iptraf, several - for me - strange
connections appear...

TCP Connections (Source Host:Port)     Packets     Bytes    Flags    Iface
┌192.168.1.254:42977        =     695     45740    --A-     eth2
└192.168.1.129:22           =     575     96948    -PA-     eth2
┌193.28.235.40:80           =       0         0    ----     eth2
└192.168.1.129:45869        =       4       240    S---     eth2
┌192.168.1.129:44799        =       8       565    --A-     eth2
└131.252.208.96:80          =       7      2730    CLOSED   eth2
┌193.140.100.100:21         =       0         0    ----     eth2
└192.168.1.129:55991        =       1        46    RESET    eth2
┌192.168.1.129:56462        =       0         0    ----     eth2
└64.90.181.77:55979         >       1        52    --A-     eth2
┌192.168.1.129:22           =      49      6668    CLOSED   eth2
└192.168.1.254:36544        =      64      7008    CLOSED   eth2
┌192.168.1.129:44507        =       9       641    --A-     eth2
└209.132.176.120:80         =       9      4689    CLOSED   eth2

Some are obviously acceptable, such as 209.132.176.120
(admin.fedora.redhat.com), but a lot of them are to very strange places!!!

I am already blocking all to/from

198.82.161.0/24
193.28.235.0/24
147.102.222.0/24
131.252.208.0/24

because I could not figure out why, and which program, was doing a lot of
uploads from my system to hosts at IPs in those class B and C nets...

Am I too paranoid?
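An added example, not from the original post or the Fedora list: a small Python script that parses iptraf connection pairs in the layout shown above (each row's counters are the packets and bytes that endpoint sent), drops LAN peers, and ranks the remaining remote hosts by bytes uploaded from the FC7 box. The sample rows are copied from the post; 192.168.1.129 is assumed to be the FC7 host.

```python
import re
from ipaddress import ip_address

# Constructed sample: connection pairs copied from the iptraf screen in the
# post. iptraf shows a connection as a ┌/└ pair of endpoint rows; the
# counters on a row are what that endpoint sent.
IPTRAF_SAMPLE = """\
┌192.168.1.254:42977  =  695   45740  --A-    eth2
└192.168.1.129:22     =  575   96948  -PA-    eth2
┌193.28.235.40:80     =    0       0  ----    eth2
└192.168.1.129:45869  =    4     240  S---    eth2
┌192.168.1.129:44799  =    8     565  --A-    eth2
└131.252.208.96:80    =    7    2730  CLOSED  eth2
┌193.140.100.100:21   =    0       0  ----    eth2
└192.168.1.129:55991  =    1      46  RESET   eth2
┌192.168.1.129:56462  =    0       0  ----    eth2
└64.90.181.77:55979   >    1      52  --A-    eth2
┌192.168.1.129:44507  =    9     641  --A-    eth2
└209.132.176.120:80   =    9    4689  CLOSED  eth2
"""

# host:port, "=" or ">" marker, packets, bytes, flags/state, interface
ROW = re.compile(r"^[┌└]?\s*([\d.]+):(\d+)\s+[=>]\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")

def parse_rows(text):
    """Yield (host, port, packets, bytes, flags) for every endpoint row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            host, port, pkts, nbytes, flags, _iface = m.groups()
            yield host, int(port), int(pkts), int(nbytes), flags

def external_traffic(text, local_host):
    """Pair consecutive rows; report bytes exchanged with non-private peers,
    sorted by bytes uploaded from local_host (highest first)."""
    rows = list(parse_rows(text))
    report = []
    for a, b in zip(rows[0::2], rows[1::2]):
        local, remote = (a, b) if a[0] == local_host else (b, a)
        if local[0] != local_host or ip_address(remote[0]).is_private:
            continue  # skip LAN peers such as the NAT gateway itself
        report.append({"remote": f"{remote[0]}:{remote[1]}",
                       "local_port": local[1], "up_bytes": local[3],
                       "down_bytes": remote[3], "state": local[4]})
    return sorted(report, key=lambda r: r["up_bytes"], reverse=True)

if __name__ == "__main__":
    for entry in external_traffic(IPTRAF_SAMPLE, "192.168.1.129"):
        print(entry)
```

This only shows which remote host received the bytes; tying a flow to a process still needs `netstat -tnp` (or `ss -tnp`) run on the FC7 box while the connection is open.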
