[PLUG] Possible security issue

Tim tim-pdxlug at sentinelchicken.org
Sat May 1 16:23:05 UTC 2010


> > Been experimenting a bit with nc. As such, I've been seeing how it
> > connects from system to system. To that end, I started an Apache server
> > on my laptop (on Hardy Heron). After a bit, I ran the following command
> > to see if the nc from another system would show up.
> > 
> > netstat -atun 
> > 
> > Well, it didn't, but I soon got a bunch of entries similar to 
> > 
> > tcp  0  0 10.168.0.111:44535    xxx.yyy.zzz.aaa:80   ESTABLISHED
> > 
> > Where xxx.yyy.zzz.aaa are public addresses from places like FL and MA.
> > It's not like I have anything but the standard "It works" page on that
> > Apache server. 
> > 
> > And I have a pretty standard (though old) firewall on the router, with
> > port forwarding set up (for the most part) to some non-existent systems
> > on my local private IP net. My laptop is not one of them. 
> > 
> > So there's a weakness somewhere. I don't have MS running anywhere (at
> > the moment). Any suggestions on where I should look?
> 
> Just to follow-up, I tried some of the IP addresses from the remote
> sites in my browser, and most of them go to fake Google home pages. I'm
> guessing they're looking for other places for their phishes. The fake
> Googles are pretty slick, even error pages from their IP addresses are
> carefully done.


Um... I think that probably is Google.

Your netstat output is showing that a remote system is talking to you
from port 80 to one of your high numbered ports.  This almost
certainly means a client on your machine connected to port 80 on the
remote machine and used an automatically selected local port number.
It's probably just your web browser talking to Google.  To find out
what process is talking to those hosts for sure, try:

# lsof -i -n

HTH,
tim
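A small checker that applies the rule in Tim's reply (local high port talking to a remote service port means a local client opened the connection), added here as an illustration rather than code from the thread. It assumes the Linux default ephemeral range starting at 32768 and uses constructed `netstat -atun` lines.

```python
"""Classify ESTABLISHED entries from `netstat -atun` by likely direction.

Heuristic: if the remote side is on a service port (e.g. 80) and the local
side is on an automatically chosen high port, a local client initiated it.
Sample lines below are constructed for this example.
"""
import re

# Assumed Linux default: automatically selected local ports start here.
EPHEMERAL_START = 32768

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s*(?P<state>\S+)?$"
)

def classify(line, listening_ports=()):
    """Return 'outbound', 'inbound' or 'unknown' for an ESTABLISHED line.

    listening_ports: ports this host actually serves (e.g. 80 for Apache),
    so a peer connected to one of them is recognised as inbound.
    Non-ESTABLISHED lines (LISTEN, UDP) return None.
    """
    m = LINE_RE.match(line.strip())
    if not m or m.group("state") != "ESTABLISHED":
        return None
    lport, rport = m.group("lport"), m.group("rport")
    if lport == "*" or rport == "*":
        return None
    lport, rport = int(lport), int(rport)
    if lport in listening_ports:
        return "inbound"        # peer connected to a service we run
    if lport >= EPHEMERAL_START and rport < EPHEMERAL_START:
        return "outbound"       # our client picked its port; peer is a service
    if rport >= EPHEMERAL_START and lport < EPHEMERAL_START:
        return "inbound"        # peer's client picked its port; we are the service
    return "unknown"            # both high or both low: needs lsof to resolve

def summarize(lines, listening_ports=()):
    """Count established connections per direction."""
    counts = {}
    for line in lines:
        d = classify(line, listening_ports)
        if d:
            counts[d] = counts.get(d, 0) + 1
    return counts

SAMPLE = """\
tcp  0  0 10.168.0.111:44535    203.0.113.10:80    ESTABLISHED
tcp  0  0 10.168.0.111:80       198.51.100.7:51234 ESTABLISHED
tcp  0  0 0.0.0.0:80            0.0.0.0:*          LISTEN
"""
```

The first sample line mirrors the entry in the original post and is classified as outbound; `lsof -i -n`, as Tim suggests, then names the process behind it.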