Gentoo Forums - Networking & Security
netstat output
trikmik (n00b; Joined: 06 Nov 2017; Posts: 62)
Posted: Fri Dec 08, 2017 8:33 pm    Post subject: netstat output

I noticed this output in netstat but I cannot understand it. Is something wrong?
Code:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         

Code:
# netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      4634/systemd-resolv
tcp6       0      0 :::5355                 :::*                    LISTEN      4634/systemd-resolv
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           4634/systemd-resolv
udp        0      0 127.0.0.53:53           0.0.0.0:*                           4634/systemd-resolv
udp        0      0 192.168.42.26:68        0.0.0.0:*                           4619/systemd-networ
udp6       0      0 :::5355                 :::*                                4634/systemd-resolv
udp6       0      0 fe80::c8e9:5dff:feb:546 :::*                                4619/systemd-networ
udp6       0      0 fe80::2e4d:54ff:fee:546 :::*                                4619/systemd-networ
Ant P. (Watchman; Joined: 18 Apr 2009; Posts: 5074)
Posted: Sat Dec 09, 2017 12:57 am

You chose systemd - it comes with manpages for all those programs, why not read them?

Side note: your system is going to be very, very broken if you blindly block network traffic over localhost like that.
Maitreya (Guru; Joined: 11 Jan 2006; Posts: 319)
Posted: Sat Dec 09, 2017 8:59 am

Netstat just shows what is listening.
The iptables rules will decide what goes through.
So this all looks ok??
bunder (Bodhisattva; Joined: 10 Apr 2004; Posts: 5620)
Posted: Sat Dec 09, 2017 9:07 am

With no rules and policy DROP, nothing will be able to do anything in either direction.
trikmik (n00b; Joined: 06 Nov 2017; Posts: 62)
Posted: Sat Dec 09, 2017 11:58 am

I noticed this IP, 52.213.89.190, doing a TLS encrypted handshake in Wireshark.
I did a whois, and it is not normal that my Android phone, connected over USB on a 3G network, is connected to my Gentoo box and then gives away a TLS handshake to an IP in 52-213 Wrocław, Poland? What do I do now?

I turn on the computer, then it gives away IP to 52.213.89.190 without starting Firefox or emerge or anything.

I need to take this box offline and investigate.

Bye
trikmik (n00b; Joined: 06 Nov 2017; Posts: 62)
Posted: Sat Dec 09, 2017 7:41 pm

My Android phone is tethering to my Gentoo desktop, and as soon as I turn on the computer I get:

Capture from Wireshark when turning on the Gentoo machine: my IP address is NOT 52.213.89.190, however as soon as I turn on the machine it starts sending to that IP address.

Code:
1   0.000000000   192.168.42.129   192.168.42.119   DNS   191   Standard query response 0x0c0d A location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net A 52.213.89.190 A 34.249.232.228 A 52.31.122.196
2   0.042792965   192.168.42.129   192.168.42.119   DNS   225   Standard query response 0xce2b AAAA location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net SOA ns-1260.awsdns-29.org
3   0.043319222   192.168.42.119   52.213.89.190   TCP   76   51448 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3592023883 TSecr=0 WS=128
4   0.152622488   52.213.89.190           192.168.42.119   TCP   76   443 → 51448 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1409 SACK_PERM=1 TSval=2143902162 TSecr=3592023883 WS=256
5   0.152674683   192.168.42.119   52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=3592023993 TSecr=2143902162
6   0.153382233   192.168.42.119   52.213.89.190   TLSv1.2   589   Client Hello
7   0.312685022   52.213.89.190           192.168.42.119   TCP   68   443 → 51448 [ACK] Seq=1 Ack=522 Win=28160 Len=0 TSval=2143902201 TSecr=3592023993
8   0.382628457   52.213.89.190           192.168.42.119   TLSv1.2   1465   Server Hello
9   0.382663138   192.168.42.119    52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=522 Ack=1398 Win=32128 Len=0 TSval=3592024223 TSecr=2143902202
10   0.382705451   52.213.89.190           192.168.42.119   TCP   1465   443 → 51448 [ACK] Seq=1398 Ack=522 Win=28160 Len=1397 TSval=2143902202 TSecr=3592023993 [TCP segment of a reassembled PDU]
11   0.382723493   192.168.42.119     52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=522 Ack=2795 Win=35072 Len=0 TSval=3592024223 TSecr=2143902202
12   0.384705842   52.213.89.190             192.168.42.119   TLSv1.2   1203   Certificate, Server Key Exchange, Server Hello Done
13   0.384740954   192.168.42.119     52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=522 Ack=3930 Win=37888 Len=0 TSval=3592024225 TSecr=2143902202
14   0.388051376   192.168.42.119     52.213.89.190   TLSv1.2   143   Client Key Exchange
15   0.388082536   192.168.42.119     52.213.89.190   TLSv1.2   74   Change Cipher Spec
16   0.388093388   192.168.42.119     52.213.89.190   TLSv1.2   113   Encrypted Handshake Message
17   0.460496525   52.213.89.190   192.168.42.119   TCP   68   443 → 51448 [ACK] Seq=3930 Ack=648 Win=28160 Len=0 TSval=2143902239 TSecr=3592024228
18   0.462667003   52.213.89.190   192.168.42.119   TLSv1.2   119   Change Cipher Spec, Encrypted Handshake Message
19   0.465289925   192.168.42.119   52.213.89.190   TLSv1.2   284   Application Data
20   0.465395634   192.168.42.119   52.213.89.190   TLSv1.2   99   Application Data
21   0.542538035   52.213.89.190           192.168.42.119   TCP   68   443 → 51448 [ACK] Seq=3981 Ack=895 Win=29184 Len=0 TSval=2143902259 TSecr=3592024305
22   0.549758692   52.213.89.190           192.168.42.119   TLSv1.2   391   Application Data
23   0.590403428   192.168.42.119   52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=895 Ack=4304 Win=40704 Len=0 TSval=3592024390 TSecr=2143902261
24   1.574562810   fe80::8821:c2ff:fe4e:7857   ff02::2   ICMPv6   72   Router Solicitation from 8a:21:c2:4e:78:57
25   5.004541847   8a:21:c2:4e:78:57      ARP   44   Who has 192.168.42.119? Tell 192.168.42.129
26   5.004562532   26:17:9e:ae:a0:d7      ARP   44   192.168.42.119 is at 26:17:9e:ae:a0:d7
27   5.584734786   fe80::8821:c2ff:fe4e:7857   ff02::2   ICMPv6   72   Router Solicitation from 8a:21:c2:4e:78:57

Who is that? Why is my Gentoo machine sending TCP TLS2 over port 443 to that IP address that I do not recognize?
Can someone please help? I am desperate. Am I hacked? Do I need to reinstall Gentoo? How can I provide more evidence?

[Moderator edit: added [code] tags to preserve output layout. -Hu]
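Packet 1 of this capture already answers the "who is that" question: a DNS response maps location.services.mozilla.com to 52.213.89.190, and packet 3 opens the TLS connection to exactly that address. The Python below is an added example (not code from the thread or from any project named in it) that automates this correlation over rows of a Wireshark text export: it builds a passive-DNS map from the DNS responses and labels every off-LAN address with the name the host itself resolved, flagging any flow that no DNS answer explains; the 203.0.113.7 row is constructed to exercise that case.

```python
# Passive-DNS correlation over a Wireshark text export (added example, not code from the thread).
import ipaddress
from collections import defaultdict

# Sample input: rows copied from the post's capture plus one constructed flow (packet 30, TEST-NET address, no DNS answer).
CAPTURE = """\
1   0.000000000   192.168.42.129   192.168.42.119   DNS   191   Standard query response 0x0c0d A location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net A 52.213.89.190 A 34.249.232.228 A 52.31.122.196
3   0.043319222   192.168.42.119   52.213.89.190   TCP   76   51448 → 443 [SYN] Seq=0 Win=29200 Len=0
4   0.152622488   52.213.89.190   192.168.42.119   TCP   76   443 → 51448 [SYN, ACK] Seq=0 Ack=1
6   0.153382233   192.168.42.119   52.213.89.190   TLSv1.2   589   Client Hello
25   5.004541847   8a:21:c2:4e:78:57      ARP   44   Who has 192.168.42.119? Tell 192.168.42.129
30   6.000000000   192.168.42.119   203.0.113.7   TCP   76   51450 → 443 [SYN] Seq=0 Win=29200 Len=0
"""
LOCAL_NET = ipaddress.ip_network("192.168.42.0/24")  # the tethered LAN in the post

def as_ip(token):  # None for MAC addresses (ARP rows) or non-address columns
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def is_remote(addr):  # off the LAN and not link-local/multicast (ICMPv6 router solicitations)
    return addr not in LOCAL_NET and not (addr.is_link_local or addr.is_multicast)

def passive_dns(lines):
    """Map every address in a DNS answer to the queried name (the question is the first pair)."""
    names = {}
    for f in (line.split() for line in lines):
        if len(f) < 7 or f[4] != "DNS" or "response" not in f:
            continue
        start = f.index("response") + 2  # skip "response" and the transaction id
        pairs = list(zip(f[start::2], f[start + 1::2]))  # (type, value) pairs of the info column
        names.update({v: pairs[0][1] for t, v in pairs[1:] if t in ("A", "AAAA") and as_ip(v) is not None})
    return names

def remote_flows(lines):
    """Per remote address: resolved name (or a flag that none was seen), packets, remote ports."""
    names = passive_dns(lines)
    out = defaultdict(lambda: {"name": None, "packets": 0, "remote_ports": set()})
    for f in (line.split() for line in lines):
        src, dst = (as_ip(f[2]), as_ip(f[3])) if len(f) >= 7 else (None, None)
        remote = next((a for a in (dst, src) if a is not None and is_remote(a)), None)
        if remote is None:  # ARP rows (MAC addresses) or LAN-internal traffic such as the DNS reply
            continue
        rec = out[str(remote)]
        rec["name"] = names.get(str(remote), "unresolved in capture")
        rec["packets"] += 1
        if f[4] == "TCP" and len(f) >= 9 and f[7] == "→":  # "51448 → 443": keep the remote side
            rec["remote_ports"].add(int(f[8] if dst == remote else f[6]))
    return dict(out)
```

A remote address that shows up as "unresolved in capture" is the one worth chasing down with `ss -tnp` or process accounting; one that resolves to a name the installed software is known to use, as here, is an inventory question rather than an intrusion.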
trikmik (n00b; Joined: 06 Nov 2017; Posts: 62)
Posted: Sat Dec 09, 2017 8:23 pm

Where does the IP address noted in the above post come from?

I am not sure if I need to reinstall Gentoo, please help.

*Edit*
When connecting to another network my computer still sends out packets to
52.31.122.196
52.213.89.190

I unmerged and depcleaned Firefox, and my system is pretty much default GNOME Gentoo.

Why does the machine send packets to those IPs?
Wireshark shows those lines in a bright red colour; what does that mean?

How can I know where those IPs are coming from?

Please help

*Edit2*
After closing Port 443 I do not send any more TCP to the IP noted above.

The question remains: why do I send out over network Port 443 when not doing anything network related?

I checked; it is not my router DNS.
Ant P. (Watchman; Joined: 18 Apr 2009; Posts: 5074)
Posted: Sat Dec 09, 2017 10:25 pm

trikmik wrote:
Who is that? Why is my Gentoo machine sending TCP TLS2 over port 443 to that IP address that I do not recognize?

Because you've installed crapware, be it GNOME, systemd or something else, that asks that remote server to geolocate you based on your public IP. There's probably a setting to disable it, which you have obviously failed to even look for before flying off the handle. Be glad it's only mozilla's service and not google.
Quote:
Can someone please help? I am desperate. Am I hacked? Do I need to reinstall Gentoo? How can I provide more evidence?

Nobody can help you if you won't learn how to help yourself. Your system's already on the way to destruction since you've screwed up the firewall, installed a mountain of things you clearly lack the capacity or patience to understand, and are too busy yelling paranoid schizophrenic rants over the top of every other voice here to RTFM.

We've suffered paranoid help vampires here in the past. They refused to listen and wasted everyone's time, and eventually got the boot. Don't start being another one, our patience is not infinite.
Hu (Moderator; Joined: 06 Mar 2007; Posts: 12490)
Posted: Sun Dec 10, 2017 1:32 am

If you need help, post specific problems. When you change system state, describe that change in a way that we could make the same change. Don't expect us to guess how to make a similar change. For example, you wrote "After closing Port 443 ...". What does that mean? What commands did you use? I can think of three very different commands that might be described that way, and their impacts vary widely.

Use complete sentences and good English grammar. Perfect grammar/spelling is not required, but the more we need to interpret around imperfections, the greater the chance we will either make a mistake (leading to misunderstanding and bad advice) or lose patience (leading to a lack of response).