[PLUG] Possible security issue
MJang
mike at mommabears.com
Sat May 1 17:54:28 UTC 2010
On Sat, 2010-05-01 at 08:49 -0700, MJang wrote:
> On Sat, 2010-05-01 at 08:30 -0700, MJang wrote:
> > Folks,
> >
> > Been experimenting a bit with nc. As such, I've been seeing how it
> > connects from system to system. To that end, I started an Apache server
> > on my laptop (on Hardy Heron). After a bit, I ran the following command
> > to see if the nc from another system would show up.
> >
> > netstat -atun
> >
> > Well, it didn't, but I soon got a bunch of entries similar to
> >
> > tcp 0 0 10.168.0.111:44535 xxx.yyy.zzz.aaa:80 ESTABLISHED
> >
> > Where xxx.yyy.zzz.aaa are public addresses from places like FL and MA.
> > It's not like I have anything but the standard "It works" page on that
> > Apache server.
> >
> > And I have a pretty standard (though old) firewall on the router, with
> > port forwarding set up (for the most part) to some non-existent systems
> > on my local private IP net. My laptop is not one of them.
> >
> > So there's a weakness somewhere. I don't have MS running anywhere (at
> > the moment). Any suggestions on where I should look?
>
> Just to follow up, I tried some of the IP addresses from the remote
> sites in my browser, and most of them go to fake Google home pages. I'm
> guessing they're looking for other places for their phishes. The fake
> Googles are pretty slick, even error pages from their IP addresses are
> carefully done.
>
> Thanks,
> Mike
Um... I think that probably is Google.
***
Hmmm... learned something new. I went a step further (inspired by your
lsof idea) and tried the following command to identify the process

netstat -atump

And they all link back to Firefox. So you're correct. Thank you!

But that leaves one remaining question -

Why do these processes appear in the netstat output --only-- when Apache
is running?

Thanks,
Mike
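
Added example, not part of the original message: a Python script that reads `netstat -atunp`-style output and labels each established TCP connection as inbound or outbound by checking whether its local port has a LISTEN socket. That is the distinction between rows like `10.168.0.111:44535 ... :80` above and connections actually accepted by Apache. The sample rows, addresses and PIDs are constructed, and the port-matching rule is a heuristic.

```python
# Constructed sample in the shape of Linux `netstat -atunp` output.
# Remote addresses are documentation ranges; PIDs are made up.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2345/apache2
tcp        0      0 10.168.0.111:44535      192.0.2.10:80           ESTABLISHED 3120/firefox
tcp        0      0 10.168.0.111:44536      198.51.100.7:80         ESTABLISHED 3120/firefox
tcp        0      0 10.168.0.111:80         203.0.113.9:51514       ESTABLISHED 2345/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1501/dhclient
"""


def parse_tcp(text):
    """Yield (local_port, remote, state, owner) for each TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # header, UDP (no State column) or blank line
        owner = " ".join(f[6:]) or "-"  # "-" when netstat lacks privileges
        yield int(f[3].rsplit(":", 1)[1]), f[4], f[5], owner


def classify(text):
    """Label established TCP connections as inbound or outbound.

    Heuristic: a connection whose local port has a LISTEN socket was
    accepted by a local server; any other was opened by a local client.
    """
    rows = list(parse_tcp(text))
    listening = {port for port, _, state, _ in rows if state == "LISTEN"}
    result = []
    for port, remote, state, owner in rows:
        if state != "ESTABLISHED":
            continue
        direction = "inbound" if port in listening else "outbound"
        result.append((direction, port, remote, owner))
    return result


if __name__ == "__main__":
    for direction, port, remote, owner in classify(SAMPLE):
        print(f"{direction:8} local:{port:<5} <-> {remote:21} {owner}")
```

To use it on a live system, pass the text captured from `netstat -atunp` (run as root so the PID/Program column is filled in) to `classify()` instead of `SAMPLE`.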