[PLUG] Possible security issue

wes plug at the-wes.com
Sun May 2 03:06:27 UTC 2010


On Sat, May 1, 2010 at 10:54 AM, MJang <mike at mommabears.com> wrote:

> On Sat, 2010-05-01 at 08:49 -0700, MJang wrote:
> > On Sat, 2010-05-01 at 08:30 -0700, MJang wrote:
> > > Folks,
> > >
> > > Been experimenting a bit with nc. As such, I've been seeing how it
> > > connects from system to system. To that end, I started an Apache server
> > > on my laptop (on Hardy Heron). After a bit, I ran the following command
> > > to see if the nc from another system would show up.
> > >
> > > netstat -atun
> > >
> > > Well, it didn't, but I soon got a bunch of entries similar to
> > >
> > > tcp  0  0 10.168.0.111:44535    xxx.yyy.zzz.aaa:80   ESTABLISHED
> > >
> > > Where xxx.yyy.zzz.aaa are public addresses from places like FL and MA.
> > > It's not like I have anything but the standard "It works" page on that
> > > Apache server.
> > >
> > > And I have a pretty standard (though old) firewall on the router, with
> > > port forwarding set up (for the most part) to some non-existent systems
> > > on my local private IP net. My laptop is not one of them.
> > >
> > > So there's a weakness somewhere. I don't have MS running anywhere (at
> > > the moment). Any suggestions on where I should look?
> >
> > Just to follow up, I tried some of the IP addresses from the remote
> > sites in my browser, and most of them go to fake Google home pages. I'm
> > guessing they're looking for other places for their phishes. The fake
> > Googles are pretty slick, even error pages from their IP addresses are
> > carefully done.
> >
> > Thanks,
> > Mike
>
> Um... I think that probably is Google.
>
> ***
>
> Hmmm... learned something new. I went a step further (inspired by your
> lsof idea) and tried the following command to identify the process
>
> netstat -atump
>
> And they all link back to Firefox. So you're correct. Thank you!
>
> But that leaves one remaining question -
>
> Why do these processes appear in the netstat output --only-- when Apache
> is running?
>
> Thanks,
> Mike
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>


I would have to guess that is a coincidence. If you stop apache and browse
to google, the connections should show up in netstat. If they didn't, I
would be _very_ surprised.

-wes
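The check behind Wes's answer can be made mechanical: in the netstat line Mike quoted, the local side is an ephemeral port (44535) and the remote side is port 80, so the laptop is the client, not the Apache server. The script below, an added example that is not part of the thread and not anything its participants wrote, parses `netstat -atun` output, collects the ports that are in LISTEN state, and classifies every ESTABLISHED connection as inbound (remote peer connected to one of our listeners) or outbound (we initiated it). The netstat text and the addresses in it are constructed sample data modelled on the thread, not real output.

```python
"""Classify netstat -atun output into inbound and outbound connections.

Added example; the netstat sample below is constructed and the addresses in it
are documentation ranges, not real peers.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state")

# Constructed sample modelled on the netstat -atun lines in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.168.0.111:44535      203.0.113.10:80         ESTABLISHED
tcp        0      0 10.168.0.111:44536      198.51.100.7:443        ESTABLISHED
tcp        0      0 10.168.0.111:80         192.0.2.55:51234        ESTABLISHED
tcp        0      0 10.168.0.111:22         192.0.2.56:40001        ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def _split_addr(addr):
    """Split 'host:port' at the last colon so IPv6 forms like ':::80' survive."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn netstat -atun output into Conn records, skipping the header lines."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner line, column header, or something we don't model
        proto, local, remote = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""  # udp rows carry no state
        lh, lp = _split_addr(local)
        rh, rp = _split_addr(remote)
        conns.append(Conn(proto, lh, lp, rh, rp, state))
    return conns


def classify(conns):
    """Split ESTABLISHED connections by direction.

    A connection whose local port is one we are listening on was accepted by a
    local server (inbound). Anything else has an ephemeral local port and was
    opened by a local client such as a browser (outbound).
    """
    # tcp and tcp6 share the same port space, so key on the first three letters.
    listening = {(c.proto[:3], c.local_port) for c in conns if c.state == "LISTEN"}
    result = {"inbound": [], "outbound": []}
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        direction = "inbound" if (c.proto[:3], c.local_port) in listening else "outbound"
        result[direction].append(c)
    return result


def report(text):
    """Human-readable summary; returns the lines so callers can inspect them."""
    lines = []
    for direction, conns in classify(parse_netstat(text)).items():
        for c in conns:
            lines.append(f"{direction:8} {c.local_addr}:{c.local_port} -> "
                         f"{c.remote_addr}:{c.remote_port}")
    return lines


if __name__ == "__main__":
    # Real use: feed in `netstat -atun` output captured from the host.
    print("\n".join(report(SAMPLE_NETSTAT)))
```

On the sample, the two port-80 and port-443 entries with high local ports come out as outbound, exactly the shape of the lines Mike saw, while only the rows with local port 80 or 22 are inbound to his listeners. Running `netstat -p` (as in the `-atump` invocation in the thread) attaches the owning PID and program name to each row, which is how Firefox was identified; note that net-tools netstat only shows that column for processes you own unless run as root.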
