Re: mysterious/suspicious internet activity.

(I sent this to the list three times in the past two days; it apparently never arrived, and it did not bounce.)

I rebooted, and did a few netstats and an iftop while the workstation was "quiet".  I pasted output from 2 netstat runs into a text file.

I paused the iftop display many times to grab line pairs of interest, and pasted those into the text file that has the netstat runs.

The text file is attached.

Most of the entries in the iftop display involve Comcast, my internet service provider.  Quite a few unexpected addresses also show up in iftop.  A few questions come to mind...

A few years ago, I saw in the system journal numerous log-in attempts by outsiders from all over the world, and opened a thread about that.  Now such attempts are blocked by the firewall.  If an outsider tries to communicate with my workstation, and the firewall blocks the attempt, will the attempt show up in the network activity panel of ksysguard? Will that attempt show up in the iftop display?

Bill.

bash.4[~]: netstat -atuevp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 coyote:domain           0.0.0.0:*               LISTEN      root       31188      1084/dnsmasq
tcp        0      0 0.0.0.0:ipp             0.0.0.0:*               LISTEN      root       22447      947/cupsd
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      root       39031      1680/sendmail: acce
tcp6       0      0 [::]:ipp                [::]:*                  LISTEN      root       22448      947/cupsd
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           avahi      22058      748/avahi-daemon: r
udp        0      0 coyote:domain           0.0.0.0:*                           root       31187      1084/dnsmasq
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           root       31184      1084/dnsmasq
udp        0      0 c-98-245-12-4.hs:bootpc denv01dhcp-ho-02:bootps ESTABLISHED root       29795      862/NetworkManager
udp        0      0 localhost:323           0.0.0.0:*                           root       25199      763/chronyd
udp        0      0 0.0.0.0:58501           0.0.0.0:*                           avahi      22060      748/avahi-daemon: r
udp6       0      0 [::]:mdns               [::]:*                              avahi      22059      748/avahi-daemon: r
udp6       0      0 localhost:323           [::]:*                              root       25200      763/chronyd
udp6       0      0 coyote:dhcpv6-client    [::]:*                              root       30632      862/NetworkManager
udp6       0      0 [::]:33746              [::]:*                              avahi      22061      748/avahi-daemon: r
bash.5[~]: netstat -atuevp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 coyote:domain           0.0.0.0:*               LISTEN      root       31188      1084/dnsmasq
tcp        0      0 0.0.0.0:ipp             0.0.0.0:*               LISTEN      root       22447      947/cupsd
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      root       39031      1680/sendmail: acce
tcp6       0      0 [::]:ipp                [::]:*                  LISTEN      root       22448      947/cupsd
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           avahi      22058      748/avahi-daemon: r
udp        0      0 coyote:domain           0.0.0.0:*                           root       31187      1084/dnsmasq
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           root       31184      1084/dnsmasq
udp        0      0 c-98-245-12-4.hs:bootpc denv01dhcp-ho-02:bootps ESTABLISHED root       29795      862/NetworkManager
udp        0      0 localhost:323           0.0.0.0:*                           root       25199      763/chronyd
udp        0      0 0.0.0.0:58501           0.0.0.0:*                           avahi      22060      748/avahi-daemon: r
udp6       0      0 [::]:mdns               [::]:*                              avahi      22059      748/avahi-daemon: r
udp6       0      0 localhost:323           [::]:*                              root       25200      763/chronyd
udp6       0      0 coyote:dhcpv6-client    [::]:*                              root       30632      862/NetworkManager
udp6       0      0 [::]:33746              [::]:*                              avahi      22061      748/avahi-daemon: r
bash.6[~]:

-----
some captured iftop lines
-----

c-98-245-12-4.hsd1.co.comcast.net    => 172.86.179.85                                                    0b	  0b     15b
                                     <=                                                                  0b	  0b     15b

c-98-245-12-4.hsd1.co.comcast.net    => aksdefk.cn                                                       0b	  0b     15b
                                     <=                                                                  0b	  0b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => ns570281.ip-51-161-12.net                                        0b	  0b     14b
                                     <=                                                                  0b	  0b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => 167.71.161.95                                                    0b	  0b     14b
                                     <=                                                                  0b	  0b      9b

c-98-245-12-4.hsd1.co.comcast.net    => HOST.DNANUTRITIONCENTER.ORG                                      0b      0b     14b
                                     <=                                                                  0b      0b      9b

c-98-245-12-4.hsd1.co.comcast.net    => 45.129.33.180                                                    0b	  0b     14b
                                     <=                                                                  0b	  0b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => 78.171.35.99.dynamic.ttnet.com.tr                                0b	  0b     14b
                                     <=                                                                  0b	  0b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => 99-104-170-138.lightspeed.lsvlky.sbcglobal.net                   0b	  0b     15b
                                     <=                                                                  0b	  0b     15b

c-98-245-12-4.hsd1.co.comcast.net    => sarasvati.sattvik.com                                            0b	  0b     15b
                                     <=                                                                  0b	  0b     15b

c-98-245-12-4.hsd1.co.comcast.net    => 80.82.68.29                                                      0b	  0b     14b
                                     <=                                                                  0b	  0b      9b

c-98-245-12-4.hsd1.co.comcast.net    => 31.20.97.83.ro.ovo.sc                                            0b	 54b	 14b
                                     <=                                                                  0b     37b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => 121.23.133.254                                                 272b     54b     14b
                                     <=                                                                184b     37b	  9b

coyote                               => proxy09.fedoraproject.org                                        0b    426b    107b
                                     <=                                                                  0b    625b    156b

c-98-245-12-4.hsd1.co.comcast.net    => proxy13-rdu02.fedoraproject.org                                  0b	  0b	 83b
                                     <=                                                                  0b      0b    136b

c-98-245-12-4.hsd1.co.comcast.net    => scanner-01.ch1.censys-scanner.com                                0b	  0b	 14b
                                     <=                                                                  0b	  0b      9b

c-98-245-12-4.hsd1.co.comcast.net    => zg-0915b-89.stretchoid.com                                       0b	  0b     14b
                                     <=                                                                  0b	  0b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => 138.99.216.104                                                   0b	  0b     14b
                                     <=                                                                  0b	  0b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => 31.184.215.57                                                    0b	  0b     14b
                                     <=                                                                  0b	  0b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => scanner.openportstats.com                                        0b	  0b	 14b
                                     <=                                                                  0b	  0b      9b

c-98-245-12-4.hsd1.co.comcast.net    => ec2-13-229-78-217.ap-southeast-1.compute.amazonaws.com           0b	 32b	  8b
                                     <=                                                                  0b     37b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => 96.120.119.53                                                    0b	  0b	  0b
                                     <=                                                                  0b	  0b    150b

c-98-245-12-4.hsd1.co.comcast.net    => www.arbor-observatory.com                                        0b	  0b      0b
                                     <=                                                                  0b	 37b      9b

c-98-245-12-4.hsd1.co.comcast.net    => zg-0915a-345.stretchoid.com                                      0b	 54b	 14b
                                     <=                                                                  0b     37b      9b

c-98-245-12-4.hsd1.co.comcast.net    => 203.166.213.199                                                  0b	 54b	 14b
                                     <=                                                                  0b     37b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => scan-02a.shadowserver.org                                        0b     54b     14b
                                     <=                                                                  0b     37b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => worker-01.sfj.censys-scanner.com                                 0b	  0b	 14b
                                     <=                                                                  0b      0b      9b

c-98-245-12-4.hsd1.co.comcast.net    => ip-113-42.4vendeta.com                                           0b	 54b	 14b
                                     <=                                                                  0b     37b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => no-mans-land.m247.com                                            0b	 54b	 14b
                                     <=                                                                  0b     37b	  9b

c-98-245-12-4.hsd1.co.comcast.net    => 109x194x3x165.static-customer.bryansk.ertelecom.ru               0b     54b     14b
                                     <=                                                                  0b     37b	  9b


-----
some ip address first fields
-----

31
45
78
80
96
99
121
138
152
167
172
197
203
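
An added example, not part of the original post or its attachment: a small parser for iftop `=>`/`<=` line pairs and netstat rows in the layout shown above, listing the iftop peers that have no socket row in the netstat capture. The host names, addresses and rates in the sample are constructed, and the 1024-based unit scaling is an assumption.

```python
import re
# Constructed sample captures (documentation addresses, made-up rates).
IFTOP_SAMPLE = """\
myhost.example.net   => 198.51.100.7           0b     0b    14b
                     <=                        0b     0b     9b
myhost.example.net   => mirror.example.org     0b   426b   107b
                     <=                        0b   625b   156b
myhost.example.net   => 203.0.113.20           0b    54b    14b
                     <=                        0b    37b     9b
"""
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address  Foreign Address  State  User  Inode  PID/Program name
tcp   0 0 0.0.0.0:ipp               0.0.0.0:*                LISTEN      root 22447 947/cupsd
tcp   0 0 myhost.example.net:41234  mirror.example.org:https ESTABLISHED bill 40001 2001/dnf
"""

RATE = re.compile(r"^([\d.]+)([KMG]?)[bB]$")
MULT = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}  # assumption: 1024-based units
PROTOS = ("tcp", "tcp6", "udp", "udp6")

def rate(token):
    m = RATE.match(token)
    if m is None:
        raise ValueError(f"not an iftop rate: {token!r}")
    return float(m.group(1)) * MULT[m.group(2)]

def parse_iftop(text):
    """Map each remote peer to (sent, received) from the last of the three rate columns."""
    flows, peer, sent = {}, None, 0.0
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[1] == "=>":            # local => peer r1 r2 r3
            peer, sent = f[2], rate(f[-1])
        elif len(f) == 4 and f[0] == "<=" and peer is not None:
            flows[peer] = (sent, rate(f[-1]))       # second line of the pair
            peer = None
    return flows

def netstat_peers(text):
    """Hosts in the Foreign Address column, skipping wildcard (listening) rows."""
    rows = (ln.split() for ln in text.splitlines())
    pairs = (f[4].rpartition(":") for f in rows if len(f) >= 5 and f[0] in PROTOS)
    return {host for host, _, port in pairs if port != "*"}

def peers_without_socket(iftop_text, netstat_text):
    """iftop peers absent from netstat; both captures must name hosts the same way."""
    known = netstat_peers(netstat_text)
    return sorted(p for p in parse_iftop(iftop_text) if p not in known)
```

A peer returned by `peers_without_socket` had packets counted on the interface but no socket row in that netstat capture.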