Re: strange connections to exodus.net

Jeffrey Laramie <JALaramie@xxxxxxxxxxxxxxxxxxx> wrote:

> > Ted:
> >
> > Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> >  DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP \
> >  SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> > Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> >  DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
> >  SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > Good point but this is my own site at 82.139.196.116 and I am sure
> > there is nothing pointing to exodus.net. Is this a DNS thing?
> 
> I don't see any IPs in your postings that point to exodus.net so I don't know 
> where you're seeing that. The IP in your first posting is most likely adware 
> running on the client 192.168.20.60 and the IP in your 2nd posting doesn't 
> resolve. You need to check the processes running on 192.168.20.60 to see 
> which one is calling these sites.

# dig -x 209.225.0.6

; <<>> DiG 9.2.2 <<>> -x 209.225.0.6
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65525
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;6.0.225.209.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
6.0.225.209.in-addr.arpa. 3600  IN      PTR     servedby.advertising.com.

;; AUTHORITY SECTION:
0.225.209.in-addr.arpa. 3600    IN      NS      dns03.exodus.net.
0.225.209.in-addr.arpa. 3600    IN      NS      dns04.exodus.net.
0.225.209.in-addr.arpa. 3600    IN      NS      dns01.exodus.net.
0.225.209.in-addr.arpa. 3600    IN      NS      dns02.exodus.net.

;; Query time: 290 msec
;; SERVER: 192.168.1.75#53(192.168.1.75)
;; WHEN: Sat Feb 21 18:01:40 2004
;; MSG SIZE  rcvd: 170

# dig -x 209.225.11.237

; <<>> DiG 9.2.2 <<>> -x 209.225.11.237
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64855
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;237.11.225.209.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
11.225.209.in-addr.arpa. 3600   IN      SOA     dns01.exodus.net. hostmaster.exodus.net.11.225.209.in-addr.arpa. 2002091300 10800 3600 604800 86400


My LAN looks like this:

WKS 192.168.1.3 connects via web browser to Squid at 192.168.1.75,
and the request from Squid is routed to the gateway 192.168.20.210.

As soon as I start a request, a tail -f /var/log/firewall on the
Squid machine shows the request to the above IPs. I don't know why.


-- 
   Andreas Meyer   | http://www.anup.de
                   | http://homeservice.anup.de/andreas
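As an added example (not part of the thread), a small parser for the netfilter LOG format quoted above that counts dropped outbound SYNs per LAN source, destination and port and then lists which LAN hosts are behind each external destination; this is the grouping you would do before checking processes on the client the reply points at. The sample lines are constructed from the two quoted in the post plus two more in the same format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the netfilter LOG format quoted in the thread
# (--log-prefix DROP-TCP, OUT=eth1, a LAN SRC and an external DST on port 80).
SAMPLE_LOG = """\
Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 16:59:40 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=41507 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 17:00:01 delta kernel: ACCEPT-TCP :IN=eth0 OUT=eth1 SRC=192.168.1.3 DST=192.168.1.75 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=33000 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=VALUE fields (IN= may be empty)
PREFIX = re.compile(r"kernel: (\S+)")     # the --log-prefix, e.g. DROP-TCP

def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, plus 'prefix'
    and 'syn' (TCP flag words appear bare, not as KEY=VALUE); None if not a LOG line."""
    m = PREFIX.search(line)
    if not m or "PROTO=" not in line:
        return None
    fields = dict(KV.findall(line))
    fields["prefix"] = m.group(1)
    fields["syn"] = " SYN " in line
    return fields

def dropped_syns(log_text, prefix="DROP-TCP"):
    """Count dropped outbound SYNs per (SRC, DST, DPT): the connection attempts
    that scroll by in 'tail -f' on the firewall log, aggregated."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["prefix"] == prefix and f.get("OUT") and f["syn"]:
            counts[(f["SRC"], f["DST"], f["DPT"])] += 1
    return counts

def clients_by_destination(counts):
    """Invert the counts: for each external DST, the LAN hosts that tried to reach it.
    One LAN host repeatedly hitting an unknown DST is the pattern to follow up
    on that client (which process opens the socket), as the reply suggests."""
    by_dst = defaultdict(set)
    for (src, dst, _dpt) in counts:
        by_dst[dst].add(src)
    return dict(by_dst)

if __name__ == "__main__":
    c = dropped_syns(SAMPLE_LOG)
    for (src, dst, dpt), n in c.most_common():
        print(f"{src} -> {dst}:{dpt}  {n} dropped SYN(s)")
    print(clients_by_destination(c))
```

Feed it the real /var/log/firewall instead of SAMPLE_LOG and adjust `prefix` to whatever --log-prefix the DROP rule uses.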
