Unusual netstat logs

[cooky560 Veteran]

Basically as the title, even if I have no software connecting to the internet, I see these entries in netstat:

tcp4 0 0 1.0.0.5.53974 www-11-02-ash2.f.http ESTABLISHED

tcp4 0 0 1.0.0.5.53972 www-11-02-ash2.f.http ESTABLISHED

tcp4 0 0 1.0.0.5.53970 www-11-02-ash2.f.http ESTABLISHED

tcp4 0 0 1.0.0.5.53967 wy-in-f100.1e100.https ESTABLISHED

tcp4 0 0 1.0.0.5.53966 wy-in-f95.1e100..http ESTABLISHED

tcp4 0 0 1.0.0.5.53965 wy-in-f95.1e100..http ESTABLISHED

tcp4 0 0 1.0.0.5.53964 wy-in-f95.1e100..http ESTABLISHED

tcp4 0 0 1.0.0.5.53941 wy-in-f113.1e100.http ESTABLISHED

tcp4 0 0 1.0.0.5.53939 wy-in-f113.1e100.http ESTABLISHED

tcp4 0 0 1.0.0.5.53909 wy-in-f99.1e100..https ESTABLISHED

tcp4 0 0 1.0.0.5.53902 wy-in-f102.1e100.http ESTABLISHED

tcp4 0 37 1.0.0.5.54077 l1.login.vip.ukl.https CLOSING

tcp4 0 37 1.0.0.5.54076 l1.login.vip.ukl.https CLOSING

I'm really worried, what are they?

[+BudMan MVC]

Ummm your on an IP address of 1.0.0.5 on your box?

inetnum: 1.0.0.0 - 1.0.0.255

netname: Debogon-prefix

descr: APNIC Debogon Project

role: APNIC RESEARCH

1.0.0.0 is a not some address you should be using, you can not just pull IPs out of your ass! Well you can but it can cause you problems. Why would your box be using a 1.0.0.5 address?

as to where you connections are going, seems missing part of the fqdn there? http and https are ports 80 and 443, the numbers next to your 1.0.0.5 are the source ports..

Can you post the netstat -an output so we can see what the actual IPs are vs ptr, etc. which looks to be cut off and not showing the FQDN.

example : wy-in-f99.1e100..https

that .. seems to me to be showing that output was shortened and not showing the full thing.

but 1e100 is owned by google

[cooky560 Veteran]

My box has always had a wan of series 80.x.x.x and a LAN of 1.0.0.x

The read out is

Active Internet connections (including servers)

Proto Recv-Q Send-Q Local Address Foreign Address (state)

tcp4 0 0 1.0.0.5.54514 209.85.227.102.443 ESTABLISHED

tcp4 0 0 1.0.0.5.54485 2.18.191.139.80 ESTABLISHED

tcp4 0 0 1.0.0.5.54468 209.85.227.138.80 ESTABLISHED

tcp4 0 0 1.0.0.5.54467 209.85.227.95.80 ESTABLISHED

tcp4 0 0 1.0.0.5.54466 209.85.227.95.80 ESTABLISHED

tcp4 0 0 1.0.0.5.54425 69.63.190.22.80 ESTABLISHED

tcp4 0 0 1.0.0.5.54423 69.63.190.22.80 ESTABLISHED

tcp4 0 0 1.0.0.5.54422 69.63.190.22.80 ESTABLISHED

tcp4 0 0 1.0.0.5.54075 98.136.48.100.5050 ESTABLISHED

tcp4 0 0 1.0.0.5.54074 69.171.241.10.5222 ESTABLISHED

[+BudMan MVC]

And who set it to use 1.x.x.x ?? I can not believe any router would ship that as default, so someone must of changed it. And I can tell you this, whoever it was has not a clue to anything to do with ip's, there are private ranges that are valid for you to use 10.x.x.x, 192.168.x.x and 172.16-31.x.x -- 1.0.0.x as I showed you is a reserved block of address that is not meant for private use.

Not saying it won't work, but its against common practice and there is NO point to doing it. The private blocks were set assigned for a specific reason, just grabbing a netblock out of your ass is BAD PRACTICE!!

As to those ip ranges.. like I thought

Google Inc. GOOGLE (NET-209-85-128-0-1) 209.85.128.0 - 209.85.255.255

inetnum: 2.18.176.0 - 2.18.191.255

netname: AKAMAI-PA

descr: Akamai Technologies

This is a HUGE distribution network, used by ALL THE MAJOR PLAYERS for lots and lots of reason, they host huge cloud services.

Facebook, Inc. TFBNET2 (NET-69-63-176-0-1) 69.63.176.0 - 69.63.191.255

Yahoo! Inc. A-YAHOO-US9 (NET-98-136-0-0-1) 98.136.0.0 - 98.139.255.255

And then again another facebook range

Facebook, Inc. TFBNET3 (NET-69-171-224-0-1) 69.171.224.0 - 69.171.255.255

With yahoo, I would assume you have messenger or their update software running?

Without seeing your tasklist of what processes can't know what is making the connections. you could through the -b option on your netstat and will show you the process that is making the connection or could use say tcpview from ms to see what is making the connections http://technet.microsoft.com/en-us/sysinternals/bb897437

Or if your on w7 say you could just look at the networking tab under resource monitor to see what is making the connections.

But just because you close your browser, does not mean your machine is not going to be making connections to the internet. Even with every program closed their background processes that many companies install that would be checking for updates in the background, etc. etc. Not a facebook user, but prob your IM client if open that ties in with facebook maybe.

take a look at netstat -anb and you can see what processes are making the connections, or use one of the other methods I listed. But all looks legit to me, other than that nonsense non private IP range your using on your network ;)

[cooky560 Veteran]

Budman, the ONLY tasks I had running when I executed that command were Finder and Terminal

[+BudMan MVC]

And what part did you not understand about background processes? From the finder comment I take it your on a mac? Off the top I do not know the OS X command for showing processes that have the connections open.. Would have to look it up, but in linux in general with netstat command its

So for example on my ubuntu box I see this

root@ubuntu:/home/budman# netstat -anp

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1428/perl

tcp 0 0 0.0.0.0:4949 0.0.0.0:* LISTEN 591/munin-node

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 887/sshd

tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 786/ntop

tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1083/master

tcp 0 44 192.168.1.7:22 10.0.200.6:1252 ESTABLISHED 21252/sshd: budman

See the PID of the process and then the process name, which would be correct since I have ssh connection to my box at home. I would try that on your OS X box, if that is what your running use the -p on linux/unix which is pretty much the guts of OS X anyway and it should show you what has the connections open.

But again connections to those networks would seem legit to me. If you want to shut them down then you need to figure out what process is making them, its clear something is making them ;)

If you really worried fire up a sniffer and take a look what is being sent between your box and those IPs, I do believe that wireshark will run on OS X -- yup see downloads for 10.5 and 10.6 there http://www.wireshark.org/download.html

But I believe netstat -anp would give you want you want to know, ie the process creating the connections - if not p on os x, then just look to what flag it is for your version of netstat.. Most likely have to run that command as root, or sudo up to root to run it to show you that info -- or you will normally not see the pid/program info

[cooky560 Veteran]

Well, thanks for your help :)

[+BudMan MVC]

And did you figure out what it was?

[cooky560 Veteran]

No, but I'm not fussed if its a legitimate connection. i tried using that -anp trigger but it doesn't work on a mac, and the man page didn't tell me if there was such a trigger

NETSTAT(1) BSD General Commands Manual NETSTAT(1)

NAME

netstat -- show network status

SYNOPSIS

netstat [-AaLlnW] [-f address_family | -p protocol]

netstat [-gilns] [-f address_family]

netstat -i | -I interface [-w wait] [-abdgt]

netstat -s [-s] [-f address_family | -p protocol] [-w wait]

netstat -i | -I interface -s [-f address_family | -p protocol]

netstat -m [-m]

netstat -r [-Aaln] [-f address_family]

netstat -rs [-s]

DESCRIPTION

The netstat command symbolically displays the contents of various net-

work-related data structures. There are a number of output formats,

depending on the options for the information presented. The first form

of the command displays a list of active sockets for each protocol. The

second form presents the contents of one of the other network data struc-

tures according to the option selected. Using the third form, with a wait

interval specified, netstat will continuously display the information

[+BudMan MVC]

you could try lsof -i tcp its should show you the pid as well.

[cooky560 Veteran]

Richard-Cooks-iMac:~ Cooky$ lsof -i tcp

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

Adium 126 Cooky 12u IPv4 0x076a2748 0t0 TCP 1.0.0.5:49157->cs220p2.msg.sp1.yahoo.com:mmcc (ESTABLISHED)

Adium 126 Cooky 13u IPv4 0x076a2b58 0t0 TCP 1.0.0.5:49156->jabber-03-01-snc6.tfbnw.net:jabber-client (ESTABLISHED)

Google 147 Cooky 27u IPv4 0x0769fea8 0t0 TCP 1.0.0.5:49212->wy-in-f105.1e100.net:https (ESTABLISHED)

Google 147 Cooky 72u IPv4 0x0936dad8 0t0 TCP 1.0.0.5:49258->74.125.230.135:http (ESTABLISHED)

Google 147 Cooky 73u IPv4 0x09702708 0t0 TCP 1.0.0.5:49287->www-15-02-ash3.facebook.com:http (ESTABLISHED)

Google 147 Cooky 78u IPv4 0x076a2f68 0t0 TCP 1.0.0.5:49187->a88-221-88-24.deploy.akamaitechnologies.com:http (ESTABLISHED)

Google 147 Cooky 80u IPv4 0x09a086c8 0t0 TCP 1.0.0.5:49259->www-11-01-ash4.facebook.com:http (ESTABLISHED)

Google 147 Cooky 83u IPv4 0x0936f338 0t0 TCP 1.0.0.5:49252->wy-in-f95.1e100.net:http (ESTABLISHED)

Google 147 Cooky 84u IPv4 0x0936e2f8 0t0 TCP 1.0.0.5:49220->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 87u IPv4 0x0769fa98 0t0 TCP 1.0.0.5:49221->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 88u IPv4 0x09370788 0t0 TCP 1.0.0.5:49222->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 89u IPv4 0x0936ff68 0t0 TCP 1.0.0.5:49223->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 90u IPv4 0x09702b18 0t0 TCP 1.0.0.5:49203->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 92u IPv4 0x076a2338 0t0 TCP 1.0.0.5:49224->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 93u IPv4 0x076a1f28 0t0 TCP 1.0.0.5:49225->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 94u IPv4 0x076a1b18 0t0 TCP 1.0.0.5:49226->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 95u IPv4 0x076a1708 0t0 TCP 1.0.0.5:49227->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 96u IPv4 0x076a12f8 0t0 TCP 1.0.0.5:49228->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 97u IPv4 0x076a0ee8 0t0 TCP 1.0.0.5:49229->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 98u IPv4 0x076a0ad8 0t0 TCP 1.0.0.5:49230->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 99u IPv4 0x076a06c8 0t0 TCP 1.0.0.5:49231->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 102u IPv4 0x097022f8 0t0 TCP 1.0.0.5:49205->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 103u IPv4 0x09703748 0t0 TCP 1.0.0.5:49266->74.125.230.142:https (ESTABLISHED)

Google 147 Cooky 110u IPv4 0x09a0b788 0t0 TCP 1.0.0.5:49238->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 111u IPv4 0x09a09708 0t0 TCP 1.0.0.5:49246->74.125.230.128:http (ESTABLISHED)

Google 147 Cooky 113u IPv4 0x09a0af68 0t0 TCP 1.0.0.5:49240->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 114u IPv4 0x09a0b378 0t0 TCP 1.0.0.5:49239->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 115u IPv4 0x09a0ab58 0t0 TCP 1.0.0.5:49241->84.53.178.9:http (ESTABLISHED)

Google 147 Cooky 119u IPv4 0x097012b8 0t0 TCP 1.0.0.5:49288->www-15-02-ash3.facebook.com:http (ESTABLISHED)

Google 147 Cooky 125u IPv4 0x076a3378 0t0 TCP 1.0.0.5:49253->wy-in-f95.1e100.net:http (ESTABLISHED)

Google 147 Cooky 126u IPv4 0x076a3788 0t0 TCP 1.0.0.5:49254->wy-in-f95.1e100.net:http (ESTABLISHED)

Google 147 Cooky 127u IPv4 0x09a07ea8 0t0 TCP 1.0.0.5:49255->wy-in-f95.1e100.net:http (ESTABLISHED)

Google 147 Cooky 135u IPv4 0x09700ea8 0t0 TCP 1.0.0.5:49285->74.125.230.128:http (ESTABLISHED)

Google 147 Cooky 136u IPv4 0x0936eb18 0t0 TCP 1.0.0.5:49282->wy-in-f102.1e100.net:http (ESTABLISHED)

Google 147 Cooky 137u IPv4 0x0769f688 0t0 TCP 1.0.0.5:49286->wy-in-f100.1e100.net:http (ESTABLISHED)

[+BudMan MVC]

there you go 2 processes running, google pid 147 and adium 126 making all the connections.

I know for sure that adium is a crossplatform IM client, thought you said you weren't running any applications ;)

As to process google?? I would figure out the path. From pid number you should be able to look in proc/pid which should be sym link from exe to where its running from..

So for example

root@ubuntu:~# lsof -i tcp

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

munin-nod 591 root 5u IPv4 7433 0t0 TCP *:munin (LISTEN)

ntop 786 ntop 1u IPv4 8098 0t0 TCP *:3000 (LISTEN)

that munin-nod pid 591, where is that running from -- well if I look in /proc/591 at the exe link

root@ubuntu:/proc/591# ls -la exe

lrwxrwxrwx 1 root root 0 2011-09-25 08:22 exe -> /usr/bin/perl

So perl is running something - now that might be a bad example to use, have to do a few more steps to track down exactly what perl did ;) So lets look at different example. Lets look at ntop

root@ubuntu:/# cd /proc/786

root@ubuntu:/proc/786# ls -la exe

lrwxrwxrwx 1 root root 0 2011-09-25 08:28 exe -> /usr/sbin/ntop

So now you can figure if you where google is running from, and should it be?? Prob some stupid updater??

[cooky560 Veteran]

Adium was running when I ran the check, it wasn't running when I created this topic.

As for pid 147, cd /proc/147 doesn't work :(

[+BudMan MVC]

Freaking mac, does non standard **** - let me fire up my os x VM and take a look at how to do it on mac.

[+BudMan MVC]

Not a fan of the new look! But anyway, use the activity monitor and it will show you the details of your processes, you can see pid numbers and it will show you where on the file system the thing is running from, etc. I had a screen shot, but its on myhome box and with the slowness of the site I don't want to bother, you should be able to find it - its called activity monitor.

[cooky560 Veteran]

I know where activity monitor is, the process belongs to google chrome and is contained inside chrome's .app package, however I find it odd it still has connections when it's not running

[+BudMan MVC]

Im not ;) And something is still running or it would be impossible for it to have connections ;) Just because your not running an actual browser window does not mean part of the installed application is not still working, ie checking for updates, tracking you, etc. etc.