
Thread: Firestarter IP detections?

  1. #1
    Join Date
    Sep 2007
    Beans
    215

    Firestarter IP detections?

    Something new for a change. Today my computer screen blipped and went black for only a second, then it became sluggish. I felt a bit paranoid as I was in the middle of an online transaction, so I rebooted, then started firestarter. I seldom use it coz I always forget to turn it on, wish the damned thing was automatic starting.

    Moving on, I'm getting detections every 20 or so seconds, from dozens of different IP addresses and ports; this has me somewhat worried/concerned.

    How safe is Linux against hacking, really?

  2. #2
    Join Date
    Jan 2007
    Location
    London, UK
    Beans
    3,525
    Distro
    Ubuntu Development Release

    Re: Firestarter IP detections?

    Can you post the output of this command:

    Code:
    netstat -nat
    This will show all established foreign connections on specific ports or sockets.

    BTW, this is an excellent guide to iptables to block ports that are not needed. Firestarter always gave me problems though.
    http://ubuntuforums.org/showthread.php?t=159661
    You came empty handed, that is how you shall leave. Whatever you claim as yours today, belonged to someone else yesterday, will be someone else's tomorrow.

  3. #3
    Join Date
    Aug 2007
    Location
    Chicago, IL, USA
    Beans
    1,429
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firestarter IP detections?

    Firestarter is just a front end for iptables. iptables is always running even when Firestarter is not.

    By the way, Firestarter is quite old and no longer maintained. I recommend GUFW instead.

  4. #4
    Join Date
    Sep 2007
    Beans
    215

    Re: Firestarter IP detections?

    This is what I got.

    Code:
    ~$ netstat -nat
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 0.0.0.0:51413           0.0.0.0:*               LISTEN     
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:57827           0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN     
    tcp        0      0 192.168.11.2:34600      219.112.73.136:32998    ESTABLISHED
    tcp        0   1024 192.168.11.2:52803      78.94.162.254:9390      ESTABLISHED
    tcp        0      0 192.168.11.2:60689      74.125.153.100:80       ESTABLISHED
    tcp        0      0 192.168.11.2:42404      189.79.106.144:51413    ESTABLISHED
    tcp        0      0 192.168.11.2:55018      86.149.232.1:50559      ESTABLISHED
    tcp        0  11852 192.168.11.2:50014      124.168.0.124:20322     ESTABLISHED
    tcp        0  12336 192.168.11.2:58809      99.226.98.126:33112     ESTABLISHED
    tcp        0      0 192.168.11.2:59883      60.254.149.16:80        ESTABLISHED
    tcp        0    257 192.168.11.2:50768      99.226.98.126:33112     FIN_WAIT1  
    tcp        0      0 192.168.11.2:37381      67.84.29.81:21694       ESTABLISHED
    tcp        0      0 192.168.11.2:54949      99.140.242.42:17766     ESTABLISHED
    tcp        0      0 192.168.11.2:56486      173.171.21.33:10656     ESTABLISHED
    tcp        0      0 192.168.11.2:36422      208.88.18.5:443         ESTABLISHED
    tcp        0      0 192.168.11.2:43515      219.90.163.252:47132    ESTABLISHED
    tcp        0      0 192.168.11.2:59884      60.254.149.16:80        ESTABLISHED
    tcp6       0      0 :::51413                :::*                    LISTEN     
    tcp6       0      0 ::1:631                 :::*                    LISTEN     
    tcp6       0      0 :::6000                 :::*                    LISTEN
    What is GUFW?

  5. #5
    Join Date
    Jan 2007
    Location
    London, UK
    Beans
    3,525
    Distro
    Ubuntu Development Release

    Re: Firestarter IP detections?

    Can you close Firefox or any other web browser, then run the same command and post the output here?

  6. #6
    Join Date
    Aug 2007
    Location
    Chicago, IL, USA
    Beans
    1,429
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firestarter IP detections?

    Quote Originally Posted by T4K3Z0U View Post
    What is GUFW?
    It's like firestarter, but better maintained.

  7. #7
    Join Date
    Sep 2007
    Beans
    215

    Re: Firestarter IP detections?

    Quote Originally Posted by ukripper View Post
    Can you close Firefox or any other web browser, then run the same command and post the output here?
    This is what I got after closing firefox, TB, and transmission.

    Code:
    ~$ netstat -nat
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:57827           0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN     
    tcp        0      0 192.168.11.2:46678      188.126.64.3:80         TIME_WAIT  
    tcp        0      0 192.168.11.2:57030      72.14.203.113:80        TIME_WAIT  
    tcp        0      0 192.168.11.2:34347      83.86.232.54:43183      TIME_WAIT  
    tcp        0      0 192.168.11.2:34600      219.112.73.136:32998    ESTABLISHED
    tcp        0      0 192.168.11.2:52803      78.94.162.254:9390      TIME_WAIT  
    tcp        0      0 192.168.11.2:53335      86.149.232.1:50559      TIME_WAIT  
    tcp        0      0 192.168.11.2:55575      69.16.253.67:80         TIME_WAIT  
    tcp        0      0 192.168.11.2:60127      93.97.65.147:25743      FIN_WAIT2  
    tcp        0      0 192.168.11.2:44369      99.140.242.42:17766     TIME_WAIT  
    tcp        0      0 192.168.11.2:53775      99.226.98.126:33112     TIME_WAIT  
    tcp        0    148 192.168.11.2:51963      189.79.106.144:51413    FIN_WAIT1  
    tcp        0      0 192.168.11.2:50014      124.168.0.124:20322     TIME_WAIT  
    tcp        0      0 192.168.11.2:44503      38.102.35.243:80        FIN_WAIT2  
    tcp        0      0 192.168.11.2:55628      72.167.82.11:995        TIME_WAIT  
    tcp        0      0 192.168.11.2:37381      67.84.29.81:21694       TIME_WAIT  
    tcp        0      0 192.168.11.2:38869      203.97.33.210:110       TIME_WAIT  
    tcp        0      0 192.168.11.2:36422      208.88.18.5:443         TIME_WAIT  
    tcp        0      0 192.168.11.2:55584      69.16.253.67:80         TIME_WAIT  
    tcp6       0      0 ::1:631                 :::*                    LISTEN     
    tcp6       0      0 :::6000                 :::*                    LISTEN
    I presume the one that was still established was Skype.

  8. #8
    Join Date
    Sep 2007
    Beans
    215

    Re: Firestarter IP detections?

    Quote Originally Posted by Thelasko View Post
    It's like firestarter, but better maintained.
    I've installed GUFW but don't know how to activate it. It doesn't show up under the internet column, via applications.

  9. #9
    Join Date
    Jul 2009
    Location
    Port 8118->9050
    Beans
    Hidden!
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firestarter IP detections?

    Quote Originally Posted by T4K3Z0U View Post
    I've installed GUFW but don't know how to activate it. It doesn't show up under the internet column, via applications.
    If I were you I would stick to Firestarter for now if you're comfortable with it. Ninety-nine percent of your netstat scan connections with TIME_WAIT are basically probably leftover dead connections left hanging when you closed your browser or dropped your IRC client, etc.
    tcp 0 0 192.168.11.2:34600 219.112.73.136:32998 ESTABLISHED
    ^^This would be the only suspect connection I can see, but it could be explained by a torrent client, FTP data, or any other connection you may have to a server. I would manually close the port connection, then re-netstat and see if you're still holding a high-port connection to another IP before you get too worried. It could be explained by many things.

    Edit: running rkhunter could also help with checking if you have a back door installed. If you don't have it you can install it with apt-get. It will alert you to modified files and permissions and actual rk's.
    Last edited by BigB'sLinux; December 12th, 2009 at 08:08 AM.

  10. #10
    Join Date
    Dec 2005
    Location
    Western Australia
    Beans
    11,480
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firestarter IP detections?

    If Firestarter is set to block all incoming connections, then you have nothing to worry about. Firestarter has blocked them.

    Incidentally, this is one reason why I tell people not to use Firestarter - it scares people when they see the log of blocked connections and they think the Russian Mafia is hacking them. Gufw can be found under 'System - Administration - Firewall Configuration' and the underlying firewall is always running.

    Not that you need a firewall if nothing is listening to incoming connections.
    I try to treat the cause, not the symptom. I avoid the terminal in instructions, unless it's easier or necessary. My instructions will work within the Ubuntu system, instead of breaking or subverting it. Those are the three guarantees to the helpee.
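
An added example, not part of any post in the thread: shell functions that triage `netstat -nat` output like the listings above, separating listeners bound to all interfaces (the only ones an inbound connection can reach) from loopback-only ones and listing the connections that are still open. The function names are hypothetical, and the sample input is a subset of the output posted in #7.

```shell
#!/bin/sh
# Added example (not from the thread): triage `netstat -nat` output.
# SAMPLE is a subset of the lines posted in #7; function names are hypothetical.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:57827           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.11.2:46678      188.126.64.3:80         TIME_WAIT
tcp        0      0 192.168.11.2:34600      219.112.73.136:32998    ESTABLISHED
tcp        0    148 192.168.11.2:51963      189.79.106.144:51413    FIN_WAIT1
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::6000                 :::*                    LISTEN'

# LISTEN sockets bound to a wildcard address (0.0.0.0 or ::) accept
# connections on every interface; 127.0.0.1 and ::1 are local-only.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)      # text after the last colon
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::") print $1, port
    }' | LC_ALL=C sort -u
}

# Connections still open; TIME_WAIT and FIN_WAIT* entries are already closing.
established_peers() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" { print $4, "->", $5 }'
}

# Count of non-listening sockets per TCP state.
state_summary() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" { n[$6]++ }
         END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# Run against the embedded sample; live `netstat -nat` output pipes in the same way.
echo "Listeners reachable from the network:"
printf '%s\n' "$SAMPLE" | exposed_listeners
echo "Established connections:"
printf '%s\n' "$SAMPLE" | established_peers
echo "Connections by state:"
printf '%s\n' "$SAMPLE" | state_summary
```

On the sample, only ports 57827 and 6000 are bound to all interfaces, which is the set a firewall's inbound rules actually protect.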
