On Thu, Jun 26, 2008 at 8:33 PM, Chris Downie <[EMAIL PROTECTED]> wrote:
> <[EMAIL PROTECTED]> was rumoured to say:
>>>
>>> On Thu, Jun 26, 2008 at 4:21 PM, Chris Downie <[EMAIL PROTECTED]> wrote:
>>> Presumably I now need to run netstat again when it's downloading to what
>>> extra is happening.
>
>> yes, and/or some of the other solutions posted.
>> The doomsayers may be right, but there may also be a simpler and more
>> benign answer :-)
>
> netstat run whilst downloading:
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
> tcp        0      0 0.0.0.0:515        0.0.0.0:*           LISTEN      3748/inetd
> tcp        0      0 127.0.0.1:5318     0.0.0.0:*           LISTEN      3670/python
> tcp        0      0 127.0.0.1:4774     0.0.0.0:*           LISTEN      3663/hpiod
> tcp        0      0 0.0.0.0:20012      0.0.0.0:*           LISTEN      3748/inetd
> tcp        0      0 127.0.0.1:783      0.0.0.0:*           LISTEN      3695/spamd.pid
> tcp        0      0 0.0.0.0:631        0.0.0.0:*           LISTEN      4598/cupsd
> tcp        0      0 0.0.0.0:7741       0.0.0.0:*           LISTEN      3752/lisa
> tcp        0      0 127.0.0.1:4774     127.0.0.1:3357      ESTABLISHED 3663/hpiod
> tcp        1      0 127.0.0.1:3874     127.0.0.1:631       CLOSE_WAIT  3670/python
> tcp        1      0 127.0.0.1:3875     127.0.0.1:631       CLOSE_WAIT  3670/python
> tcp        0      0 127.0.0.1:3357     127.0.0.1:4774      ESTABLISHED 3670/python
> tcp        0      0 192.168.0.2:4554   117.104.160.194:80  ESTABLISHED 11097/freshclam
> tcp        0      0 192.168.0.2:3969   203.57.145.2:80     ESTABLISHED 9075/opera
Of the ESTABLISHED connections, opera is connecting to trademe (along with
half the rest of the country).
freshclam is connecting to some web hosting site, which could be updating
something? Is the md5sum of freshclam correct? (Most packaging systems have
a way of verifying installed files by md5sum, or some other digest system.)
The other connections are to localhost.

Of course your traffic could be UDP, I suppose.

Sure it's not another computer? Do you have a wireless network someone else
is accessing?

>
> So possibly a script giving clamav free rein?
>
> I ran chkrootkit with nothing untoward found.
>
> Cheers,
> Chris
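
The triage done by eye in the reply above can be scripted. This is an added example, not part of the original thread: it parses `netstat -np`-style rows and keeps only the connections whose peer is another machine, grouped by owning program. The sample rows are copied from the output quoted in the thread, the function names are hypothetical, and it assumes netstat was run with `-p` so the last column is PID/Program.

```python
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid program")

# Sample input: rows taken from the netstat output quoted in the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:631        0.0.0.0:*           LISTEN      4598/cupsd
tcp        0      0 127.0.0.1:4774     127.0.0.1:3357      ESTABLISHED 3663/hpiod
tcp        1      0 127.0.0.1:3874     127.0.0.1:631       CLOSE_WAIT  3670/python
tcp        0      0 192.168.0.2:4554   117.104.160.194:80  ESTABLISHED 11097/freshclam
tcp        0      0 192.168.0.2:3969   203.57.145.2:80     ESTABLISHED 9075/opera
"""

def parse(text):
    """Parse netstat rows; header and malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue
        # UDP rows usually have an empty State column, leaving six fields.
        state = f[5] if len(f) >= 7 else ""
        pid, _, program = f[-1].partition("/")
        conns.append(Conn(f[0], f[3], f[4], state, pid, program))
    return conns

def off_host(conns):
    """Keep connections whose peer is neither loopback nor a listener wildcard."""
    kept = []
    for c in conns:
        host = c.remote.rsplit(":", 1)[0]
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:          # e.g. "*" as the peer of a UDP socket
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            kept.append(c)
    return kept

def by_program(conns):
    """Map program name -> list of (remote endpoint, state) for off-host peers."""
    summary = {}
    for c in off_host(conns):
        summary.setdefault(c.program, []).append((c.remote, c.state))
    return summary

if __name__ == "__main__":
    for program, peers in by_program(parse(SAMPLE)).items():
        print(program, peers)
```

Running `netstat -tunp` rather than `-tnp` includes UDP sockets, which is the case the reply raises; the parser accepts those rows as well.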
