  1. #1

    iftop - weirdness

    I'm looking at iftop and I'm seeing this...

    my.host.name:34797 => x.x-x-x.reverse.theplanet.com:domain

    Can anyone tell me why that's in there? There's a bunch of entries on different ports.

    my.host.name:34817 => x.x-x-x.reverse.theplanet.com:domain 0b 58b 15b
    <= 0b 58b 15b
    my.host.name:34816 => x.x-x-x.reverse.theplanet.com:domain 0b 402b 187b
    <= 0b 1.01Kb 493b
    my.host.name:34815 => x.x-x-x.reverse.theplanet.com:domain 0b 0b 115b
    <= 0b 0b 345b
    my.host.name:34810 => x.x-x-x.reverse.theplanet.com:domain 0b 0b 57b
    <= 0b 0b 164b
    my.host.name:34812 => x.x-x-x.reverse.theplanet.com:domain 0b 0b 43b
    <= 0b 0b 127b
    my.host.name:34814 => x.x-x-x.reverse.theplanet.com:domain 0b 0b 43b
    <= 0b 0b 114b
    my.host.name:34819 => x.x-x-x.reverse.theplanet.com:domain 296b 173b 43b
    <= 544b 429b 107b
    my.host.name:34811 => x.x-x-x.reverse.theplanet.com:domain 0b 0b 29b
    <= 0b 0b 89b
    my.host.name:34817 => x.x-x-x.reverse.theplanet.com:domain 0b 58b 15b
    <= 0b 323b 81b
    my.host.name:34818 => x.x-x-x.reverse.theplanet.com:domain 0b 58b 14b
    <= 0b 171b 43b

  2. #2
    Looking at it some more, it seems all the traffic is going to port 53.

    Port 53 is used by 2 trojans that I know of, so time to do a security sweep lol.

  3. #3
    Join Date
    Mar 2005
    Location
    Cardiff, Wales, UK
    Posts
    45
    Port 53 (on both TCP and UDP) is a DNS server. They're all small requests, so it looks like they're just connections to one of the DNS servers for the-planet.com.
    Jonathan Wright (Technical Director, JAB Web Solutions Limited).

    UK Hosting and Reseller Hosting from JAB Web Solutions

  4. #4
    Yeah, clam, chkrootkit and rkhunter showed nothing out of the ordinary, so that must be it.

  5. #5
    How can I tell if there are unnecessary connections and transfers going on anyways?

  6. #6
    Use something like tcpdump or ethereal to listen to the traffic going to/from that port and see what's being 'talked' about.
    Jonathan Wright (Technical Director, JAB Web Solutions Limited).

  7. #7
    Here's something funny - I must have DNS using a server at theplanet lol. iftop - if I turn off DNS resolution, all the entries for the theplanet :53 listings go away lol.

  8. #8
    Stands to reason then that if you've got people or connections coming in from the-planet.com, then using DNS resolution would force reverse lookups via their servers.

    Problem solved!
    Jonathan Wright (Technical Director, JAB Web Solutions Limited).
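    An added example, not posted by anyone in the thread: it parses text in the iftop listing format quoted in #1 and answers the question in #5 by totalling traffic per remote port and flagging ports the host is not expected to talk to. The sample lines are constructed, and the 1024-based scale for iftop's Kb/Mb/Gb prefixes is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the iftop listing quoted in the thread: the three
# columns are the 2s / 10s / 40s average rates, and each "=>" (sent) line is
# followed by the "<=" (received) line of the same flow.
SAMPLE = """\
my.host.name:34817 => x.x-x-x.reverse.theplanet.com:domain 0b 58b 15b
<= 0b 58b 15b
my.host.name:34816 => x.x-x-x.reverse.theplanet.com:domain 0b 402b 187b
<= 0b 1.01Kb 493b
my.host.name:34819 => x.x-x-x.reverse.theplanet.com:domain 296b 173b 43b
<= 544b 429b 107b
my.host.name:45210 => mirror.example.net:http 0b 2.40Mb 1.20Mb
<= 0b 12.5Kb 6.10Kb
"""

KILO = 1024  # assumed scale of iftop's Kb/Mb/Gb prefixes; change if your build differs
PREFIX = {"b": 0, "Kb": 1, "Mb": 2, "Gb": 3}
SENT = re.compile(r"^(\S+):(\S+)\s+=>\s+(\S+):(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
RECV = re.compile(r"^<=\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_rate(text: str) -> float:
    """Convert an iftop rate such as '1.01Kb' into bits per second."""
    m = re.fullmatch(r"([0-9.]+)([KMG]?b)", text)
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    return float(m.group(1)) * KILO ** PREFIX[m.group(2)]

def summarise_by_remote_port(listing: str) -> dict:
    """Pair each => line with its <= line; total flows and 40s bit/s per remote port."""
    stats = defaultdict(lambda: {"flows": 0, "bps_40s": 0.0})
    lines = [l.strip() for l in listing.splitlines() if l.strip()]
    for sent_line, recv_line in zip(lines[0::2], lines[1::2]):
        s, r = SENT.match(sent_line), RECV.match(recv_line)
        if not (s and r):
            raise ValueError(f"unpaired lines: {sent_line!r} / {recv_line!r}")
        port = s.group(4)  # remote service name or number, e.g. 'domain'
        stats[port]["flows"] += 1
        stats[port]["bps_40s"] += parse_rate(s.group(7)) + parse_rate(r.group(3))
    return dict(stats)

def unexpected_ports(stats: dict, expected: set) -> set:
    """Remote ports seen in the listing that the host is not expected to talk to."""
    return {port for port in stats if port not in expected}

if __name__ == "__main__":
    summary = summarise_by_remote_port(SAMPLE)
    for port, st in sorted(summary.items()):
        print(f"{port:>8}: {st['flows']} flows, {st['bps_40s']:,.0f} bit/s (40s avg)")
    # Many short ':domain' flows from ephemeral ports may be iftop's own reverse lookups; re-run `iftop -n` first.
    print("unexpected:", unexpected_ports(summary, {"domain", "http"}))
```

    Run it against a listing saved from iftop's text output; anything reported as unexpected is what to capture next with tcpdump, as #6 suggests.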
