  1. #1 somebody (Misc. User of PressF1, joined Dec 2004, 5,198 posts)

    Linux Spyware???

    I've just noticed some interesting connections originating from one of my Debian servers, by running "netstat":

    tcp 0 0 10.0.0.xxx:3168 cargolinerplus.co:37528 TIME_WAIT
    tcp 0 0 10.0.0.xxx:1668 cargolinerplus.co:38400 TIME_WAIT
    tcp 0 0 10.0.0.xxx:1561 cargolinerplus.co:37953 TIME_WAIT
    tcp 0 0 10.0.0.xxx:4527 cargolinerplus.co:54918 TIME_WAIT
    tcp 0 0 10.0.0.xxx:3389 cargolinerplus.co:37665 TIME_WAIT
    tcp 0 0 10.0.0.xxx:4001 cargolinerplus.co:52994 TIME_WAIT
    tcp 0 0 10.0.0.xxx:4055 cargolinerplus.com:ftp TIME_WAIT
    tcp 0 0 10.0.0.xxx:4056 cargolinerplus.com:ftp TIME_WAIT

    This machine runs headless, and is not configured as a proxy or anything like that. I have certainly not done anything myself which has anything to do with this cargolinerplus website.

    This seems quite unusual, as that machine is one I have built recently, and is used on the internal network only. It is of concern as it holds some confidential information which I don't want leaking onto the internet. Does anyone have any thoughts as to what might be causing this, and what I can do about it?
    Any views expressed here are my own and do not necessarily represent the views of my employer or any affiliated 3rd party.

  2. #2 pctek (Senior Member, joined Feb 2005, In the Wild West, 24,212 posts)

    Re: Linux Spyware???

    So what do you have installed that could be accessing the net - like Skype, filesharing sw etc.

  3. #3 somebody (Misc. User of PressF1, joined Dec 2004, 5,198 posts)

    Re: Linux Spyware???

    Quote Originally Posted by pctek:
    So what do you have installed that could be accessing the net - like Skype, filesharing sw etc.
    I've installed a basic LAMPP stack, and various compilation tools (GCC etc) - and that's pretty much it.

    As it's running headless, and without a GUI, I don't have a web browser, skype, torrent, or anything along those lines.

  4. #4 Erayd (Gone, joined Dec 2004, Wellington, NZ, 5,761 posts)

    Re: Linux Spyware???

    What program does netstat say is using those connections? You should be able to tell from that. It's unlikely to be anything malicious unless your server has been cracked - and if that's the case you have far more to worry about than just a few strange connections...

  5. #5 somebody (Misc. User of PressF1, joined Dec 2004, 5,198 posts)

    Re: Linux Spyware???

    Quote Originally Posted by Erayd:
    What program does netstat say is using those connections? You should be able to tell from that. It's unlikely to be anything malicious unless your server has been cracked - and if that's the case you have far more to worry about than just a few strange connections...
    Looks like it's ncftp.

    tcp 0 81840 [myserver]:2149 cargolinerplus.co:52025 ESTABLISHED 17527/ncftp
    tcp 0 0 [myserver]:rootd cargolinerplus.com:ftp ESTABLISHED 17527/ncftp
    tcp 0 0 [myserver]:1092 cargolinerplus.com:ftp TIME_WAIT -
    tcp 0 0 [myserver]:rootd cargolinerplus.com:ftp ESTABLISHED 17539/ncftp
    tcp 0 0 [myserver]:1091 cargolinerplus.com:ftp TIME_WAIT -
    tcp 0 0 [myserver]:3723 cargolinerplus.co:57580 TIME_WAIT -
    tcp 0 0 [myserver]:4469 cargolinerplus.co:44814 TIME_WAIT -
    tcp 0 0 [myserver]:1992 cargolinerplus.co:35624 TIME_WAIT -
    tcp 0 65912 [myserver]:1896 cargolinerplus.co:49087 ESTABLISHED 17539/ncftp
    tcp 0 0 [myserver]:1027 cargolinerplus.co:44495 TIME_WAIT -
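Erayd's advice in #4 (ask netstat which program owns each socket) and the `-p` style output pasted in #5 can be put together in a small parser; the following is an added example, not code from the thread. It assumes the Linux `netstat -tnp` column layout, and the sample lines, the `[myserver]` address and the allowlist are constructed. Note that TIME_WAIT sockets carry no PID (netstat prints `-`), so they are attributed by finding the program that still holds an ESTABLISHED socket to the same peer.

```python
import re
from collections import Counter

# Constructed sample in the layout of `netstat -tnp` on Linux (not real output).
SAMPLE_NETSTAT = """\
tcp 0 81840 10.0.0.5:2149 cargolinerplus.co:52025 ESTABLISHED 17527/ncftp
tcp 0 0 10.0.0.5:1090 cargolinerplus.com:21 ESTABLISHED 17527/ncftp
tcp 0 0 10.0.0.5:1092 cargolinerplus.com:21 TIME_WAIT -
tcp 0 0 10.0.0.5:1896 cargolinerplus.co:49087 ESTABLISHED 17539/ncftp
tcp 0 0 10.0.0.5:41022 10.0.0.2:22 ESTABLISHED 812/sshd
"""

# proto recv-q send-q local remote state pid/program ("-" when no PID is known)
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+|-)(?:/(?P<prog>\S+))?\s*$"
)


def parse_netstat(text):
    """Return one dict per TCP line: remote host, port, state, pid, program."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines and other layouts are skipped
        host, _, port = m.group("remote").rpartition(":")
        rows.append({"host": host, "port": port, "state": m.group("state"),
                     "pid": None if m.group("pid") == "-" else int(m.group("pid")),
                     "prog": m.group("prog")})
    return rows


def unexpected_peers(rows, allowed_hosts):
    """Count connections to hosts outside the allowlist, keyed by (host, program)."""
    counts = Counter()
    for r in rows:
        if r["host"] not in allowed_hosts:
            counts[(r["host"], r["prog"] or "?")] += 1
    return counts


def attribute_by_peer(rows):
    """Map each peer host to programs seen with an ESTABLISHED socket to it,
    so TIME_WAIT rows (which show no PID) can be attributed by their peer."""
    by_host = {}
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["prog"]:
            by_host.setdefault(r["host"], set()).add(r["prog"])
    return by_host
```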

  6. #6 somebody (Misc. User of PressF1, joined Dec 2004, 5,198 posts)

    Re: Linux Spyware???

    This is very worrying - after doing a reverse IP lookup on 69.64.155.120, it looks like this is definitely something dodgy. Apparently there are over 123000 domains hosted at that IP http://www.domaintools.com/reverse-i...=69.64.155.120, so it could be one of those domain squatting services.

  7. #7 somebody (Misc. User of PressF1, joined Dec 2004, 5,198 posts)

    Re: Linux Spyware???

    Just an update - Erayd kindly offered to take a look at the machine in question for me, and couldn't find any obvious cause of the problem. As a precaution I will be migrating my data off that machine and starting from scratch.