Hi Guys,

Thanks for your speedy & kind responses. There's nothing like a bit of paranoia to get you R-ingTFMs.

I'm getting the strong impression it's something to do with Firefox.

On 20/07/07, Carl Ekman <[EMAIL PROTECTED]> wrote:

Carl> do you see any significant traffic /back/ from your machine?

No, as far as I can tell most/all of the traffic consists of a variety of 172.21.*.* addresses sending me RST packets. This seems to occur every minute or so:

"""
harry> sudo tcpdump net 172.21.0.0 mask 255.255.0.0
16:36:24.791036 IP 172.21.17.10.11019 > 192.168.0.149.48179: R 2859590495:2859590495(0) win 0
16:36:40.950498 IP 172.21.15.33.11019 > 192.168.0.149.48180: R 2865318960:2865318960(0) win 0
16:37:40.952359 IP 172.21.17.10.11019 > 192.168.0.149.48181: R 2942749099:2942749099(0) win 0
[...]
"""

This appears only to occur when Firefox (including safe mode) is running, not when e.g. only Opera is running. What concerns me about this is that if they're coming from outside, as I assume they must be, how are they getting through my router? I think it's in response to something that Firefox is doing.

Carl> Not sure, but for instance - if someone kept sending broken FIN packages to
Carl> you it's probably perfectly in order that it doesn't show with lsof or
Carl> netstat.

Okay, so would I be right in thinking that lsof and netstat are basically front ends to /proc/net/tcp? Something like broken FINs (or RSTs?) wouldn't be handled by user-space processes, so wouldn't appear in proc?

Carl> By the way, if you are going to run a rootkit detector, it is a better idea to
Carl> boot from another disk - perhaps you can find a rootkit detector CD or
Carl> similar - and then mount your normal partitions and scan them. This is
Carl> because a clever rootkit could modify the syscalls so that when you are
Carl> reading the exchanged binaries it in fact returns the default ones and so on.

I was beginning to suspect as much; I'll try digging out my Knoppix disc.

Carl> By the way - a question back - does this mail show up on the SLUG-list?
Carl> Earlier posts I've made have never shown up, and I am not sure if that is
Carl> because mailman is "smart" and doesn't send my own emails back to me, or if
Carl> it is because it for some reason doesn't work.

Carl> Darren> You probably find that the network infrastructure between
Carl> Darren> your router and the Internet is on a privately addressed network.

Yup, NTL's is a 10.*.*.*.

Darren> Have you tried a traceroute to any sites or any resources outside of
Darren> your network to see what paths it takes?

Carl> I'd check for that first, and traceroute to 172.21.14.12

My outputs are below. So I think Firefox is somehow provoking something on NTL's WAN into sending me RST packets.

Thanks for all your help, and for setting my mind at rest! I'll investigate further and update. (I'm away for a bit so it might be a few weeks.)

Thanks again!
H.

traceroutes:

harry9~>sudo traceroute 66.102.9.104
traceroute to 66.102.9.104 (66.102.9.104), 30 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.419 ms  0.338 ms  0.307 ms
 2  10.232.92.1 (10.232.92.1)  7.571 ms  11.218 ms *
 3  renf-t2cam1-a-v135.inet.ntl.com (80.4.65.217)  6.604 ms  15.130 ms  6.069 ms
 4  renf-t2core-a-ge-wan62.inet.ntl.com (195.182.176.165)  6.421 ms  7.342 ms *
 5  ren-bb-a-so-230-0.inet.ntl.com (213.105.174.201)  6.487 ms  9.258 ms  7.957 ms
 6  lee-bb-b-so-010-0.inet.ntl.com (62.253.185.162)  13.003 ms  15.484 ms *
 7  nth-bb-a-so-600-0.inet.ntl.com (213.105.175.133)  19.692 ms  17.051 ms  16.378 ms
 8  nth-bb-b-so-200-0.inet.ntl.com (213.105.172.194)  17.356 ms  16.085 ms  15.478 ms
 9  * tele-ic-1-as0-0.inet.ntl.com (62.253.184.2)  18.526 ms  17.155 ms
10  212.250.14.66 (212.250.14.66)  18.694 ms  19.205 ms  18.348 ms
11  72.14.238.255 (72.14.238.255)  17.948 ms 72.14.238.244 (72.14.238.244)  17.979 ms  18.515 ms
12  * 66.249.95.107 (66.249.95.107)  28.854 ms 209.85.250.216 (209.85.250.216)  31.598 ms
13  64.233.174.113 (64.233.174.113)  29.520 ms  29.076 ms 72.14.232.233 (72.14.232.233)  40.600 ms
14  64.233.174.187 (64.233.174.187)  30.920 ms  31.397 ms  29.489 ms
15  64.233.174.14 (64.233.174.14)  31.610 ms  40.724 ms  36.414 ms
16  lm-in-f104.google.com (66.102.9.104)  31.665 ms *  31.641 ms

harry9~>sudo traceroute 172.21.7.10
traceroute to 172.21.7.10 (172.21.7.10), 30 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  14.137 ms  0.343 ms  0.902 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

_______________________________________________
Scottish mailing list
[email protected]
https://mailman.lug.org.uk/mailman/listinfo/scottish
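An added example, not part of the post or of any reply in the thread: a Python script that parses tcpdump lines in the format quoted above together with a snapshot of /proc/net/tcp (the table that netstat and lsof ultimately read), and reports which incoming RSTs are addressed to a local port that has no socket behind it. The sample input is constructed: the three RST lines are the ones quoted in the post, while the ACK line and the single /proc/net/tcp entry are made up for contrast. It assumes a little-endian (x86) host, where the kernel writes the hex addresses in /proc/net/tcp in host byte order.

```python
import re
import socket
import struct
from collections import Counter

# Constructed sample input. The three "R" lines are the ones quoted in the post;
# the fourth (a plain ACK from a web server) is made up for contrast.
TCPDUMP_LINES = """\
16:36:24.791036 IP 172.21.17.10.11019 > 192.168.0.149.48179: R 2859590495:2859590495(0) win 0
16:36:40.950498 IP 172.21.15.33.11019 > 192.168.0.149.48180: R 2865318960:2865318960(0) win 0
16:37:40.952359 IP 172.21.17.10.11019 > 192.168.0.149.48181: R 2942749099:2942749099(0) win 0
16:37:41.100000 IP 66.102.9.104.80 > 192.168.0.149.48200: . ack 1 win 5840
"""

# Constructed /proc/net/tcp snapshot with one ESTABLISHED socket
# (192.168.0.149:48200 <-> 66.102.9.104:80). IPs are hex in host byte order,
# ports are hex in network order, which is how the Linux kernel writes them.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 9500A8C0:BC48 68096642:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 0 2 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Old-style tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) ")


def parse_tcpdump(text):
    """Return one dict per parsable TCP line, with ports converted to ints."""
    packets = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"] = int(p["sport"])
            p["dport"] = int(p["dport"])
            packets.append(p)
    return packets


def _hex_addr(field):
    """Decode 'AABBCCDD:PPPP' from /proc/net/tcp into (dotted_ip, port).
    Assumes a little-endian host (x86): the kernel's host-order hex is
    unpacked with '<I' to recover the network-order address bytes."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return a list of (local_ip, local_port, remote_ip, remote_port, state)."""
    sockets = []
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = _hex_addr(fields[1])
        rip, rport = _hex_addr(fields[2])
        sockets.append((lip, lport, rip, rport, TCP_STATES.get(fields[3], fields[3])))
    return sockets


def unsolicited_rsts(packets, sockets):
    """Incoming RSTs whose destination (ip, port) is not a local socket endpoint.
    The kernel drops such segments without involving any process, so tools
    that read /proc/net/tcp (netstat, lsof) have nothing to show for them."""
    local_endpoints = {(s[0], s[1]) for s in sockets}
    return [p for p in packets
            if "R" in p["flags"] and (p["dst"], p["dport"]) not in local_endpoints]


def rst_summary(rsts):
    """Count RST sources and check whether the local ports hit form a
    consecutive run, the pattern a client leaves while walking its ephemeral
    port range to open one connection after another."""
    ports = sorted(p["dport"] for p in rsts)
    consecutive = len(ports) > 1 and ports == list(range(ports[0], ports[0] + len(ports)))
    return {"sources": Counter(p["src"] for p in rsts),
            "local_ports": ports,
            "consecutive_local_ports": consecutive}


if __name__ == "__main__":
    pkts = parse_tcpdump(TCPDUMP_LINES)
    socks = parse_proc_net_tcp(PROC_NET_TCP)
    rsts = unsolicited_rsts(pkts, socks)
    for p in rsts:
        print(f"{p['ts']} RST {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} (no local socket)")
    print(rst_summary(rsts))
```

On a live box the two constants would be replaced by `tcpdump -n` output and the contents of /proc/net/tcp captured at the same moment; the useful signal from the quoted sample is that all three RSTs land on consecutive local ports (48179, 48180, 48181), which is what a locally initiated connection attempt per minute would produce, and that a RST to a port with no socket is consumed by the kernel, which is why netstat and lsof stay silent about it.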
