[PLUG] Possible security issue

MJang mike at mommabears.com
Sat May 1 17:54:28 UTC 2010


On Sat, 2010-05-01 at 08:49 -0700, MJang wrote:
> On Sat, 2010-05-01 at 08:30 -0700, MJang wrote:
> > Folks, 
> > 
> > Been experimenting a bit with nc. As such, I've been seeing how it
> > connects from system to system. To that end, I started an Apache server
> > on my laptop (on Hardy Heron). After a bit, I ran the following command
> > to see if the nc from another system would show up.
> > 
> > netstat -atun 
> > 
> > Well, it didn't, but I soon got a bunch of entries similar to:
> > 
> > tcp  0  0 10.168.0.111:44535    xxx.yyy.zzz.aaa:80   ESTABLISHED
> > 
> > Where xxx.yyy.zzz.aaa are public addresses from places like FL and MA.
> > It's not like I have anything but the standard "It works" page on that
> > Apache server. 
> > 
> > And I have a pretty standard (though old) firewall on the router, with
> > port forwarding set up (for the most part) to some non-existent systems
> > on my local private IP net. My laptop is not one of them. 
> > 
> > So there's a weakness somewhere. I don't have MS running anywhere (at
> > the moment). Any suggestions on where I should look?
> 
> Just to follow up, I tried some of the IP addresses from the remote
> sites in my browser, and most of them go to fake Google home pages. I'm
> guessing they're looking for other places for their phishes. The fake
> Googles are pretty slick; even error pages from their IP addresses are
> carefully done.
> 
> Thanks,
> Mike

Um... I think that probably is Google.

***

Hmmm... learned something new. I went a step further (inspired by your
lsof idea) and tried the following command to identify the process:

netstat -atump 

And they all link back to Firefox. So you're correct. Thank you!

But that leaves one remaining question - 

Why do these processes appear in the netstat output --only-- when Apache
is running?

Thanks,
Mike
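
The following is an added example, not part of the original message: a small parser for `netstat -atunp` output that labels each ESTABLISHED TCP connection as inbound (its local port has a LISTEN socket, such as Apache on port 80) or outbound (a high local port to a remote service, like the entry quoted in the thread). The sample lines, remote addresses (documentation ranges) and PIDs are constructed for illustration.

```python
# Added example: classify TCP connections in `netstat -atunp` output by direction.
# All sample lines below are constructed; only 10.168.0.111:44535 -> :80 mirrors
# the shape of the entry quoted in the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/apache2
tcp        0      0 10.168.0.111:44535      203.0.113.10:80         ESTABLISHED 2310/firefox
tcp        0      0 10.168.0.111:80         198.51.100.7:51514      ESTABLISHED 1201/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient
"""


def split_addr(addr):
    """Split 'host:port' at the last colon (also works for netstat's ':::80')."""
    host, _, port = addr.rpartition(":")
    return host, port


def classify(netstat_text):
    """Return (direction, local, remote, program) for each ESTABLISHED TCP row."""
    rows = [line.split(None, 6) for line in netstat_text.splitlines()
            if line.startswith("tcp")]
    # Ports this host is serving on. Heuristic: the bind address is ignored.
    listening = {split_addr(r[3])[1] for r in rows
                 if len(r) > 5 and r[5] == "LISTEN"}
    results = []
    for r in rows:
        if len(r) < 6 or r[5] != "ESTABLISHED":
            continue
        local_port = split_addr(r[3])[1]
        # A local port with a listener means a remote client connected to us;
        # otherwise a local program opened the connection from an ephemeral port.
        direction = "inbound" if local_port in listening else "outbound"
        program = r[6].strip() if len(r) > 6 else "-"  # needs -p (and root for other users)
        results.append((direction, r[3], r[4], program))
    return results


if __name__ == "__main__":
    for direction, local, remote, program in classify(SAMPLE):
        print(f"{direction:8} {local:22} -> {remote:22} {program}")
```
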