Someone turned my desktop into a server

    #61
    Originally posted by millusions View Post
    I'm the kindest person you'll ever meet,
    but this is just retarded.
    Are you always so self-contradictory?



    Originally posted by Feathers McGraw View Post
    For example, these lines:

    Code:
    tcp        0      0 localhost:smtp          *:*                     LISTEN     
    tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN
    ...mean that something is listening for connections on port 25, but only from your computer (localhost).
    Right. To explain how we know this, compare the following two lines:
    Code:
    root@t520:~# netstat -ltup
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 *:1234                  *:*                     LISTEN      49325/foo
    tcp        0      0 localhost:5678          *:*                     LISTEN      49798/bar
    The first process, foo, is listening for incoming connections on port 1234/tcp on any interface on the machine. That's what the * in the "Local Address" column means. The second process, bar, is listening for incoming connections on port 5678/tcp on only the localhost interface. localhost is a virtual network interface that can communicate only with itself; it won't accept connections from anywhere outside the machine.



    Originally posted by johndoe View Post
    While I do that, look at what I found... From here http://www.securityfocus.com/bid/38578/exploit
    That's a four-year-old vulnerability; found in March 2010 and fixed in about a month and a half. As others here have suggested, please do more research before leaping to conclusions.



    Originally posted by johndoe View Post
    I ran netstat -a a few days back as I was looking at ways to see who is connecting to my computer. I saw the output, and used network tools to see where the IPs originated that were connected. A lot were from Middle East. I just don't know what to do :/ I don't mean to offend anyone, just stating what I saw.
    Code:
    netstat -a
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 rafal-desktop:domain    *:*                     LISTEN
    tcp        0      0 localhost:ipp           *:*                     LISTEN
    tcp        0      0 192.168.0.35:49379      li240-5.members.li:http ESTABLISHED
    tcp        0      0 192.168.0.35:33340      74.125.71.95:https      ESTABLISHED
    tcp        0      0 192.168.0.35:44059      fra07s30-in-f22.1:https ESTABLISHED
    tcp        0      0 192.168.0.35:37490      46.28.247.103:https     ESTABLISHED
    tcp        0      0 192.168.0.35:40808      46.28.247.88:https      TIME_WAIT
    tcp        0      0 192.168.0.35:49376      li240-5.members.li:http ESTABLISHED
    tcp        0      0 192.168.0.35:49825      46.28.247.109:https     ESTABLISHED
    tcp        0      0 192.168.0.35:50524      46.28.247.98:https      TIME_WAIT  
    tcp        0      0 192.168.0.35:40810      46.28.247.88:https      TIME_WAIT  
    tcp        0      0 192.168.0.35:49380      li240-5.members.li:http TIME_WAIT  
    tcp        0      0 192.168.0.35:49378      li240-5.members.li:http ESTABLISHED
    tcp        0      0 192.168.0.35:49377      li240-5.members.li:http ESTABLISHED
    tcp        0      0 192.168.0.35:44458      li203-141.members:https ESTABLISHED
    tcp        0      0 192.168.0.35:52105      192.0.80.241:https      ESTABLISHED
    tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN     
    tcp6       1      0 ip6-localhost:36936     ip6-localhost:ipp       CLOSE_WAIT 
    udp        0      0 *:mdns                  *:*                                
    udp        0      0 *:40210                 *:*                                
    udp        0      0 rafal-desktop:domain    *:*                                
    udp        0      0 *:ipp                   *:*                                
    udp6       0      0 [::]:45283              [::]:*                             
    udp6       0      0 [::]:mdns               [::]:*
    This was VERY long, computers and servers. So I started going through the IPs to see where they were coming from.
    Nope, you have no connections coming into your computer from Middle Eastern IP address blocks. You have a handful of connections from your computer to what looks like three different computers running HTTPS. li240-5.members.li is part of the actual DNS name for www.kubuntuforums.net. The IP addresses beginning with 46.28.247 are Google. 192.0.80.241 is Gravatar, a comment plugin system commonly used on many web sites.
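
The reading rule used in this post (check the "Local Address" column of a listener for a wildcard versus localhost, and check which side of a connection holds the service port) can be applied mechanically. The following is an added example, not part of the original thread: the sample rows are copied from the listings quoted above, and the function names and the port-matching heuristic for direction are assumptions of this example.

```python
import ipaddress

# Constructed sample: rows copied from the netstat listings quoted in the post.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:1234                  *:*                     LISTEN
tcp        0      0 localhost:5678          *:*                     LISTEN
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
tcp        0      0 192.168.0.35:49379      li240-5.members.li:http ESTABLISHED
udp        0      0 *:mdns                  *:*
"""

WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}          # "any interface"
LOOPBACK_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}

def split_endpoint(endpoint):
    """Split on the last colon so '[::]:*' and ':::22' parse correctly."""
    return endpoint.rpartition(":")[::2]

def is_loopback(host):
    try:
        return host in LOOPBACK_NAMES or ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # some other hostname; not resolved here

def classify(netstat_text):
    """Return a list of (local, foreign, verdict) for every tcp/udp row."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0].startswith(("tcp", "udp")):
            rows.append((f[0], f[3], f[4], f[5] if len(f) > 5 else ""))
    # Ports this machine is serving; used to guess connection direction.
    listening = {split_endpoint(loc)[1] for _, loc, _, st in rows if st == "LISTEN"}
    results = []
    for proto, local, foreign, state in rows:
        host, port = split_endpoint(local)
        if state == "LISTEN" or (proto.startswith("udp") and not state):
            if host in WILDCARDS:
                verdict = "listening on all interfaces"
            elif is_loopback(host):
                verdict = "listening on loopback only"
            else:
                verdict = "listening on one address: " + host
        elif port in listening:
            # Heuristic: our end of the connection is a port we serve.
            verdict = "connection to a local service (inbound)"
        else:
            verdict = "connection opened by this machine (outbound)"
        results.append((local, foreign, verdict))
    return results
```

Calling `classify()` on the text of `netstat -a` or `netstat -ltun` gives one verdict per socket; the inbound/outbound split is a heuristic based on matching local ports against listeners in the same output.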
