RE: Strange connections


Subject: RE: Strange connections
From: Arthur Corliss (arthur@corlissfamily.org)
Date: Tue Aug 13 2002 - 17:53:06 AKDT


> Hi Arthur,
> I lost some of the info because it was wrapping, but here's another
> look at it.
>
> Is the port for www.evecosoftware.com 1833?
>
> If that is correct, 1833 is
>
> udpradio 1833/tcp udpradio
> udpradio 1833/udp udpradio
> We aren't streaming any kind of audio on this server. Any ideas on
> what's going on?
>
> TCP
> Local Address Remote Address Swind Send-Q Rwind Recv-Q State
> -------------------- -------------------- ----- ------ ----- ------ -------
> apu1.alaskapacific.edu.ssh 10.102.1.21.2513 16551 0 8760 0 CLOSE_WAIT
> apu1.alaskapacific.edu.ssh www.evecosoftware.com.1833 32120 0 10136 0 ESTABLISHED
> apu1.alaskapacific.edu.ssh 202.175.82.64.60379 5840 0 10136 0 ESTABLISHED
> apu1.alaskapacific.edu.ssh 10.102.1.21.4707 17296 31 8760 0 ESTABLISHED
> Active UNIX domain sockets
> Address Type Vnode Conn Local Addr Remote Addr
> f5ec7d28 stream-ord f5fe7f20 00000000 /tmp/mysql.sock
> f5ec7e40 stream-ord f5ebb498 00000000 /usr/local/etc/ndc

Dude, I want to know what's going on with the output you're showing me. The
first e-mail showed normal 'netstat -v' output from Solaris; what you're
showing me above is just 'netstat'.

Once again: if you use the -v argument, each connection is two lines: the
first being one end, the other being the other end *plus* extended connection
info. *One* of those lines will show your host, and the port is appended to
the host name/IP.

Now, if you're going to *not* use -v, then the columns above should be
self-explanatory: www.evecosoftware.com is clearly connecting to *your* ssh
daemon.

Keep in mind, you need to look at both ends of a connection before you can
make an educated guess about what kind of traffic is actually being
transmitted. And in this case, if you can verify that you're running ssh on
port 22, then that should be a lock.

        --Arthur Corliss
          Bolverk's Lair -- http://arthur.corlissfamily.org/
          Digital Mages -- http://www.digitalmages.com/
          "Live Free or Die, the Only Way to Live" -- NH State Motto

This archive was generated by hypermail 2a23 : Tue Aug 13 2002 - 18:38:09 AKDT
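
Added example (not part of the original message or thread): a small Python parser for the plain Solaris 'netstat' rows quoted above. It splits each host.port endpoint on its last dot and compares both ends, which is how the rows show www.evecosoftware.com as a client of the local ssh daemon. The helper names and the "symbolic name or below 1024" heuristic are assumptions made for illustration.

```python
# Added example: classify plain Solaris `netstat` TCP rows by which end owns the service.
# Each endpoint is printed as host.port, so the port is whatever follows the LAST dot.

# Rows from the quoted output above, with the wrapped lines rejoined.
SAMPLE = """\
apu1.alaskapacific.edu.ssh 10.102.1.21.2513 16551 0 8760 0 CLOSE_WAIT
apu1.alaskapacific.edu.ssh www.evecosoftware.com.1833 32120 0 10136 0 ESTABLISHED
apu1.alaskapacific.edu.ssh 202.175.82.64.60379 5840 0 10136 0 ESTABLISHED
apu1.alaskapacific.edu.ssh 10.102.1.21.4707 17296 31 8760 0 ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'host.port' on the last dot; works for hostnames and dotted-quad IPs."""
    host, _, port = endpoint.rpartition(".")
    if not host or not port:
        raise ValueError(f"not a host.port endpoint: {endpoint!r}")
    return host, port

def is_service_port(port):
    """Assumed heuristic: a symbolic name or a number below 1024 marks the server end."""
    return not port.isdigit() or int(port) < 1024

def classify(line):
    """Parse one TCP row and decide who connected to whom by looking at BOTH ends."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 columns, got {len(fields)}: {line!r}")
    lhost, lport = split_endpoint(fields[0])
    rhost, rport = split_endpoint(fields[1])
    local_svc, remote_svc = is_service_port(lport), is_service_port(rport)
    if local_svc and not remote_svc:
        direction = "inbound"      # remote client port -> our daemon
    elif remote_svc and not local_svc:
        direction = "outbound"     # our client port -> remote daemon
    else:
        direction = "ambiguous"    # e.g. both ports resolved to service names
    return {"local_host": lhost, "local_port": lport, "remote_host": rhost,
            "remote_port": rport, "state": fields[6], "direction": direction}

if __name__ == "__main__":
    for row in map(classify, SAMPLE.splitlines()):
        print(f"{row['direction']:9} {row['remote_host']}:{row['remote_port']} "
              f"-> {row['local_host']}:{row['local_port']} ({row['state']})")
```

A high client port that happens to have a name in the services table is reported as "ambiguous" rather than guessed at; confirming which daemon is actually bound to the local port settles it.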