Hello,

Thanks for your reply. I don't think that anybody is using my computer as a gateway. That's very unlikely. I use a ppp connection and so I get a new IP each time, and for someone to use my computer as a gateway each time is unlikely because they would have to find out what my IP is. Besides, I don't think my computer offers enough for anyone to bother. In fact the other IP address was the IP address I had in a previous connection.

I have attached the output of netstat -a to this email. If you look at the first 3 connections the status says CLOSE_WAIT. As you said, I used lsof to trace which program was causing all this and I discovered it to be netscape. However, as one would expect that after closing netscape these packets would stop going through and let diald disconnect, BUT unfortunately this does not happen. The packets keep going through persistently. Now that netscape is closed, lsof or netstat does not show anything anymore and so I can't trace it.

I have tried this many times but failed to trace the source of it. Please suggest how I can stop this.

Vikash.

>> The problem is that these packets keep the link alive even when I am not doing
>> anything. Even Netscape was not running. This happens very and every time it is
>> one or the other website that my machine keeps contacting. Sometimes I can see
>> activity which does not involve my IP address at all and even that keeps the
>> link up.
>
>That indicates that someone is using your machine as a gateway.
>
>Okay, let's look here:
>23:17:04.785743 202.85.95.149.1030 > 202.77.134.132.www: R 1380778020:1380778020(0) win 0
>23:17:27.125584 202.77.134.132.www > 202.85.95.149.1153: F 0:0(0) ack 1 win 32120 (DF)
>
>On your machine, port 1030 and 1153 are connected to www port of remote
>machine.
>
>You should see this exact connection by typing "netstat -a". From my
>machine:
>tcp 0 0 pc36.ucs.co.za:2897 mail.ucs.co.za:imap2 ESTABLISHED
>(an imap connection to my mailserver).
>
>If you get this, get hold of a package lsof, which can match your local
>port (in your case 1030 and 1153) to a process. Sorry, forgot the URL.
>If you don't get this, someone is playing around.
>
>--
>Kind regards,
>Berend
>
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Berend De Schouwer, +27-11-339-6111, UCS

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      0 ip95-95.asiaonline:1157 vip-paix9.flycast.c:www CLOSE_WAIT
tcp        1      0 ip95-95.asiaonline:1156 208.223.204.110:www     CLOSE_WAIT
tcp        1      0 ip95-95.asiaonline:1152 208.223.204.110:www     CLOSE_WAIT
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 toshiba.crown.hk:domain *:*                     LISTEN
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 *:linuxconf             *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:pop-3                 *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
udp        0      0 ip95-95.asiaonli:domain *:*
udp        0      0 diald.system:domain     *:*
udp        0      0 toshiba.cro:netbios-dgm *:*
udp        0      0 toshiba.crow:netbios-ns *:*
udp        0      0 *:netbios-dgm           *:*
udp        0      0 *:netbios-ns            *:*
udp        0      0 *:domain                *:*
udp        0      0 toshiba.crown.hk:domain *:*
udp        0      0 localhost:domain        *:*
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     590    /dev/gpmctl
unix  1      [ ]         STREAM     CONNECTED     1670   @00000086
unix  1      [ ]         STREAM     CONNECTED     1598   @0000007f
unix  1      [ ]         STREAM     CONNECTED     868    @0000005d
unix  1      [ ]         STREAM     CONNECTED     515    @0000002a
unix  1      [ ]         STREAM     CONNECTED     1412   @0000007d
unix  1      [ ]         STREAM     CONNECTED     855    @00000057
unix  0      [ ACC ]     STREAM     LISTENING     853    /tmp//kio_0_570_0.0
unix  0      [ ACC ]     STREAM     LISTENING     781    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     876    @0000005e
unix  1      [ ]         STREAM     CONNECTED     859    @00000058
unix  0      [ ACC ]     STREAM     LISTENING     857    /tmp//kfm_0_570_0.0
unix  1      [ ]         STREAM     CONNECTED     833    @0000004f
unix  1      [ ]         STREAM     CONNECTED     800    @00000047
unix  1      [ ]         STREAM     CONNECTED     915    @00000064
unix  1      [ ]         STREAM     CONNECTED     849    @00000055
unix  0      [ ACC ]     STREAM     LISTENING     649    /tmp/.font-unix/fs-1
unix  1      [ ]         STREAM     CONNECTED     851    @00000056
unix  1      [ ]         STREAM     CONNECTED     569    @00000030
unix  1      [ ]         STREAM     CONNECTED     843    @00000053
unix  1      [ ]         STREAM     CONNECTED     846    @00000054
unix  1      [ ]         STREAM     CONNECTED     783    @00000043
unix  0      [ ACC ]     STREAM     LISTENING     442    /dev/log
unix  1      [ N ]       STREAM     CONNECTED     887    @00000060
unix  1      [ ]         STREAM     CONNECTED     839    @00000051
unix  1      [ ]         STREAM     CONNECTED     756    @00000042
unix  0      [ ACC ]     STREAM     LISTENING     517    /var/run/ndc
unix  1      [ ]         STREAM     CONNECTED     841    @00000052
unix  1      [ ]         STREAM     CONNECTED     735    @00000040
unix  1      [ ]         STREAM     CONNECTED     461    @00000026
unix  1      [ ]         STREAM     CONNECTED     837    @00000050
unix  0      [ ]         STREAM     CONNECTED     141    @00000014
unix  1      [ ]         STREAM     CONNECTED     1676   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1599   /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     1413   /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     916    /dev/log
unix  1      [ ]         STREAM     CONNECTED     888    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     877    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     869    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     860    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     856    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     852    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     850    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     847    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     844    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     842    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     840    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     838    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     834    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     801    /dev/log
unix  1      [ ]         STREAM     CONNECTED     786    /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     757    /dev/log
unix  1      [ ]         STREAM     CONNECTED     736    /dev/log
unix  1      [ ]         STREAM     CONNECTED     570    /dev/log
unix  1      [ ]         STREAM     CONNECTED     516    /dev/log
unix  1      [ ]         STREAM     CONNECTED     462    /dev/log
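
Added example, not part of the original thread or written by either poster: a small Python script that automates the check described in the quoted reply, matching the local port of each tcpdump packet against the tcp rows of `netstat -a`. The sample input is copied from the thread; the function names are hypothetical, and treating 202.85.95.149 as the local address is an assumption that follows the reply's reading of the capture.

```python
import re

# Old-style tcpdump line: "<time> <src>.<port> > <dst>.<port>: <flags> ..."
PKT = re.compile(r"^\S+ (\S+)\.([\w-]+) > (\S+)\.([\w-]+): (\S+)")

# Two packets and four netstat rows copied from the thread above.
TCPDUMP = """\
23:17:04.785743 202.85.95.149.1030 > 202.77.134.132.www: R 1380778020:1380778020(0) win 0
23:17:27.125584 202.77.134.132.www > 202.85.95.149.1153: F 0:0(0) ack 1 win 32120 (DF)
"""
NETSTAT = """\
tcp 1 0 ip95-95.asiaonline:1157 vip-paix9.flycast.c:www CLOSE_WAIT
tcp 1 0 ip95-95.asiaonline:1156 208.223.204.110:www CLOSE_WAIT
tcp 1 0 ip95-95.asiaonline:1152 208.223.204.110:www CLOSE_WAIT
tcp 0 0 *:www *:* LISTEN
"""
LOCAL_IP = "202.85.95.149"  # assumption: local side, per the reply's reading

def parse_tcpdump(text):
    """Return (src, sport, dst, dport, flags) for each packet line."""
    return [m.groups() for m in map(PKT.match, text.splitlines()) if m]

def parse_netstat(text):
    """Return {local_port: (foreign, state)} for the tcp rows of netstat -a."""
    socks = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0] == "tcp":
            socks[f[3].rsplit(":", 1)[1]] = (f[4], f[5])
    return socks

def close_wait_ports(socks):
    """Local ports whose peer has closed but whose owner has not yet."""
    return [p for p, (_, state) in socks.items() if state == "CLOSE_WAIT"]

def unmatched_packets(packets, socks, local_ip):
    """Packets touching local_ip whose local port has no socket in netstat.
    Ports are compared as strings because netstat -a prints service names;
    hosts are not compared because netstat prints names and tcpdump IPs."""
    out = []
    for src, sport, dst, dport, flags in packets:
        port = sport if src == local_ip else dport if dst == local_ip else None
        if port is not None and port not in socks:
            out.append((port, flags))
    return out

if __name__ == "__main__":
    socks = parse_netstat(NETSTAT)
    print("CLOSE_WAIT:", close_wait_ports(socks))
    print("no socket:", unmatched_packets(parse_tcpdump(TCPDUMP), socks, LOCAL_IP))
```

On the data from the thread, ports 1030 and 1153 have no row in the netstat table, so there is no live local socket for lsof to map to a process.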
