
Thread: Firestarter weirdness.

  1. #1
    Join Date
    Apr 2005
    Beans
    125

    Firestarter weirdness.

    According to Firestarter, I have a mysterious http connection to this IP address:



    It's always up, regardless of whether there's any browser happening. The connection also doesn't show up in lsof or netstat. Could it be a bug in Firestarter?

    It's all a bit creepy, because my ISP has accused me of sending email spam. But I wouldn't be surprised at all if they have made a mistake, especially given that they seem to be a bit vague on the details.

    Nevertheless, I've taken the precaution of opening Firestarter and blocking all SMTP and POP connections. I've also made outgoing connections restrictive by default.

    I also booted up from a live disk, and ran chkrootkit and rkhunter. chkrootkit came back negative. rkhunter gave me a bit of a scare, by warning that all the files in /usr/bin have "been changed". I assume this is a false positive, because rkhunter, freshly installed on a live distro, couldn't possibly know what the files were before. *touch wood*

    ubuntu 9.04
    Last edited by [censored]; March 17th, 2010 at 04:50 AM.

  2. #2
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Firestarter weirdness.

    It looks like that IP is for an ad server. It doesn't seem to respond to vague requests I send it, so I can't say for sure. Did you have a web browser open? If so, what site were you at? I wouldn't be worried about that.

    As for sending spam, were you running an MTA?
    Code:
    sudo netstat -tlnp

  3. #3
    Join Date
    Apr 2005
    Beans
    125

    Re: Firestarter weirdness.

    A Mail Transfer Agent, cdenley? No. Not as far as I know. But I think the inference from the people at my ISP is that it's some clever trojan that installs its own.
    Last edited by [censored]; March 16th, 2010 at 06:18 PM.

  4. #4
    Join Date
    Sep 2009
    Location
    Pennsylvania, USA
    Beans
    523
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Firestarter weirdness.

    Not to be annoying, but you can use Firestarter to block the outbound traffic to that IP address.

    Under policies (or whatever tab that is), you can select "Outbound Network Policy", select the section that lets you specify a website/IP address, add a rule, and block the outbound traffic to that IP. It will prevent your system from connecting to it, 100% of the time.

    Give that a try, and please report back.

  5. #5
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Firestarter weirdness.

    Quote Originally Posted by [censored]:
    A Mail Transfer Agent, cdenley? No. Not as far as I know.
    The command I posted would list anything listening on SMTP. Sometimes it can get installed as a dependency and people don't realize it. Recently, because of a bug, it became a dependency for the Chrome browser.
    Quote Originally Posted by [censored]:
    But I think the inference from the people at my ISP is that it's some clever trojan that installs its own.
    In the Windows world, that is usually the case. I would say most Linux systems that send spam do so because someone didn't know how to configure their MTA, though.

  6. #6
    Join Date
    Jul 2009
    Location
    NC, South Africa
    Beans
    212
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Firestarter weirdness.

    My guess is that it is a routing server used by one of those chat programs you are running. They normally have daemons running from boot to shutdown.

    If you want to make sure, you could block it, and see which application doesn't work anymore. (Rather block the whole range belonging to the same owner, or else it will just select the next available server):
    64.236.0.0/16

    Another thing that looks a bit strange is that secure connection you have with one of the Mozilla Firefox servers. If this was done with Firefox, then "firefox" should have been listed under Program.

  7. #7
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firestarter weirdness.

    64.236.144.228 is allocated to AOL. If one of your chat clients uses AIM, that's probably where that's coming from.

    63.245.209.92 is an IP address that Firefox checks in with to see if there are updates for your add-ons.

  8. #8
    Join Date
    Apr 2005
    Beans
    125

    Re: Firestarter weirdness.

    cdenley, I did the netstat as you suggested. Here is the result; it seems to show a heap of stuff listening...

    Code:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -               
    tcp        0      0 0.0.0.0:35714           0.0.0.0:*               LISTEN      2771/python     
    tcp        0      0 0.0.0.0:44899           0.0.0.0:*               LISTEN      3215/rpc.mountd 
    tcp        0      0 0.0.0.0:9988            0.0.0.0:*               LISTEN      2771/python     
    tcp        0      0 0.0.0.0:13000           0.0.0.0:*               LISTEN      3084/bearerbox  
    tcp        0      0 0.0.0.0:13002           0.0.0.0:*               LISTEN      3084/bearerbox  
    tcp        0      0 0.0.0.0:59051           0.0.0.0:*               LISTEN      2303/rpc.statd  
    tcp        0      0 0.0.0.0:41775           0.0.0.0:*               LISTEN      -               
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2281/portmap    
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3725/cupsd      
    tcp        0      0 127.0.0.1:42007         0.0.0.0:*               LISTEN      3052/hddtemp    
    tcp6       0      0 :::139                  :::*                    LISTEN      3281/smbd       
    tcp6       0      0 ::1:631                 :::*                    LISTEN      3725/cupsd      
    tcp6       0      0 :::445                  :::*                    LISTEN      3281/smbd
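    An added example (not code from anyone in this thread) that reads a `netstat -tlnp` listing like the one above and answers the two questions the thread is circling: which listeners are reachable from the network rather than bound to loopback, and whether anything is listening on SMTP, which is what cdenley's command was meant to check. The sample rows are constructed; the port 25 "master" row is an invented Postfix-style listener included so the SMTP flag fires.

```python
import re

SMTP_PORTS = {25, 465, 587}          # what the netstat check is really looking for
LOOPBACK = {"127.0.0.1", "::1"}      # bound here means unreachable from the network

# Constructed sample in the format printed by `netstat -tlnp`; the port 25 row
# ("master", as Postfix names its listener) is invented to exercise the SMTP flag.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2281/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3725/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4001/master
tcp6       0      0 :::445                  :::*                    LISTEN      3281/smbd
tcp6       0      0 ::1:631                 :::*                    LISTEN      3725/cupsd
"""

LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)")


def parse_listeners(text):
    """Return one dict (addr, port, program) per LISTEN row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, pidprog = m.groups()
        # rpartition keeps IPv6 forms intact: "::1:631" -> ("::1", "631"), ":::445" -> ("::", "445")
        addr, _, port = local.rpartition(":")
        # netstat prints "-" when it cannot see the owning PID (a kernel socket such as
        # NFS on 2049, or netstat run without root), so record the program as unknown.
        program = pidprog.split("/", 1)[1] if "/" in pidprog else None
        rows.append({"addr": addr, "port": int(port), "program": program})
    return rows


def triage(text):
    """Split listeners into: exposed beyond loopback, SMTP, and exposed with hidden PID."""
    rows = parse_listeners(text)
    exposed = [r for r in rows if r["addr"] not in LOOPBACK]
    return {
        "exposed": exposed,
        "smtp": [r for r in rows if r["port"] in SMTP_PORTS],
        "unknown_pid": [r for r in exposed if r["program"] is None],
    }


if __name__ == "__main__":
    for r in triage(SAMPLE)["exposed"]:
        print(f"{r['addr']}:{r['port']:<6} {r['program'] or '(pid hidden)'}")
```

    Feed it the real output with `sudo netstat -tlnp | python3 this_script.py` style plumbing and the "(pid hidden)" rows are the ones worth chasing down first, since netstat run as root should normally name the owner.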

  9. #9
    Join Date
    Apr 2005
    Beans
    125

    Re: Firestarter weirdness.

    Finally, after a day, I managed to get through to the technical services guy at my ISP. The spamming did occur, but they had the wrong account.
    Last edited by [censored]; March 17th, 2010 at 04:53 AM.

  10. #10
    Join Date
    Feb 2010
    Location
    In My Food Forest
    Beans
    9,318

    Re: Firestarter weirdness.

    System> Admin> Network Tools is your friend.
    Last edited by uRock; May 28th, 2010 at 02:56 AM.
    Cheers & Beers, uRock
