Go Back   Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Netstat reveals suspicious activity
Netstat reveals suspicious activity

#1  08-04-2005, 11:27 PM
the-muse (WHT Addict, Join Date: Jul 2002, Location: ... in my mind ..., Posts: 147)

I was just "goofing around" with Netstat the other day and noticed something very odd, and very disturbing.
--------------------------------------------------------------------------------
tcp 0 253 www.carhopper.netmtp 222.108.6.220:gdp-port ESTABLISHED

tcp 0 0 www.carhopper.netmtp 59.34.169.56:2240 TIME_WAIT

udp 0 0 www.carhopper.ne:domain *:*
--------------------------------------------------------------------------------
$ netstat -r
www.carhopper.n * 255.255.255.255 UH 0 0 0 eth0
--------------------------------------------------------------------------------
$ netstat -a
tcp 0 0 www.carhopper.netmtp dsl-201-129-15-24:60807 TIME_WAIT

tcp 0 0 www.carhopper.net:http crawl-66-249-71-5:43374 TIME_WAIT

tcp 0 0 www.carhopper.netmtp 22067.rjo.virtua.c:4463 ESTABLISHED

tcp 0 59 www.carhopper.netmtp 60.0.150.44:2745 ESTABLISHED

tcp 0 0 www.carhopper.net:http ip68-14-52-214.no.:1989 ESTABLISHED

tcp 0 0 www.carhopper.net:http ip68-14-52-214.no.:1988 ESTABLISHED

--------------------------------------------------------------------------------

carhopper.net is a domain I owned a few years ago, and had hosted on a server which was hacked. The domain expired quite a while ago. When I tried two days ago to research for any traces of the domain, I found nothing. It's listed in the whois as "available". The IPs I've found at different times, associated with the Netstat readout, I've traced to Korea and China, among other countries.

I'm concerned about a backdoor trojan - the type that "cloaks" itself successfully from detection by RKhunter, Chkrootkit, LogWatch, etc. When I see my former domain appear in the results of a Netstat call, then can't find any trace of who, if anyone, might be using that domain, I get very nervous.

I checked /var/named and grepped /var/log for clues. Nothing with carhopper.net.

Any thoughts about this mystery? carhopper.net appears faithfully whenever I run Netstat. It never "goes away". I asked the tech at the NOC if there may be some offbeat chance that carhopper.net was somehow still in some file on his network, but haven't had a response from him.

best wishes ...
the-muse

__________________
Mothers of the world unite! Spank your sons and make them quit fighting...


#2  08-05-2005, 02:19 AM
Matt -Seeksadmin (Aspiring Evangelist, Join Date: Apr 2004, Location: Australia, Posts: 419)
Hi,
As far as apache is concerned, you still have carhopper.net on your system. Go into your httpd.conf and go ctrl+w and type in carhopper.net. See if it comes up with anything. How they found that site if the domain is broken is beyond me, but hey, anything is possible.

The only possible concerning thing is:
tcp 0 253 www.carhopper.netmtp 222.108.6.220:gdp-port ESTABLISHED

Otherwise it's just apache and mail requests, which is fine if it's still in your configurations.


#3  08-05-2005, 03:51 AM
grubber (Newbie, Join Date: Jul 2005, Posts: 10)
Hi the-muse!

Check your /etc/hosts file; maybe it contains the record

xxx.xxx.xxx.xxx www.carhopper.net

delete it!


#4  08-05-2005, 11:13 AM
the-muse (WHT Addict, Join Date: Jul 2002, Location: ... in my mind ..., Posts: 147)

Quote (Matt -Seeksadmin): Go into your httpd.conf and go ctrl+w and type in carhopper.net
...thank you for the response... no sign of carhopper.net in httpd.conf...

Quote (grubber): Check your /etc/hosts file; maybe it contains the record
...thank you for the suggestion... not there.

I've grepped entire directories as well with no results... something is out of whack somewhere... it may not be a security risk, but I sure don't like it...

best wishes...
the-muse



#5  08-05-2005, 10:17 PM
sailorFred (Web Hosting Master, Join Date: Apr 2004, Location: San Jose, Posts: 902)
Use netstat -an

Just kidding.

Try nslookup xxx.xxx.xxx.xxx (your IP address).

If the name isn't coming from your hosts file, it must be the reverse DNS lookup.

Have you had your ISP set up a reverse DNS record for your IP? If not, it's probably the old one from before.
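As an added example (not code from anyone in this thread): a small Python script that parses netstat lines like the ones pasted in post #1, lists the established sessions that still have bytes queued to send, and reports whether a local hostname comes from /etc/hosts or from the PTR record, which is the check sailorFred describes. The netstat and /etc/hosts contents are constructed samples; `ptr_lookup` is a parameter so the check runs offline, with `system_ptr` (a plain `socket.gethostbyaddr` call) as the real resolver.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample modelled on the lines quoted in post #1 (not the real output).
SAMPLE_NETSTAT = """\
tcp 0 253 www.carhopper.net:smtp 222.108.6.220:gdp-port ESTABLISHED
tcp 0 0 www.carhopper.net:smtp 59.34.169.56:2240 TIME_WAIT
tcp 0 0 www.carhopper.net:http crawl-66-249-71-5:43374 TIME_WAIT
tcp 0 59 www.carhopper.net:smtp 60.0.150.44:2745 ESTABLISHED
udp 0 0 www.carhopper.ne:domain *:*
"""
# Constructed /etc/hosts body; the commented-out entry must be ignored.
SAMPLE_HOSTS = "127.0.0.1 localhost\n# 203.0.113.10 www.carhopper.net\n"

LINE_RE = re.compile(r"^(?P<proto>tcp6?|udp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
                     r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?$")

def parse_netstat(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse `netstat -a` style lines; non-matching lines (headers) are skipped."""
    matches = [LINE_RE.match(line.strip()) for line in text.splitlines()]
    return [m.groupdict() for m in matches if m]

def active_peers(rows: List[Dict[str, Optional[str]]]) -> List[str]:
    """Remote ends of ESTABLISHED sessions with bytes still queued to send:
    the server is actively talking to these, so they deserve a closer look."""
    return [r["remote"] for r in rows
            if r["state"] == "ESTABLISHED" and int(r["sendq"]) > 0]

def hosts_file_names(hosts_text: str) -> Dict[str, str]:
    """Map every alias in an /etc/hosts body to its IP, ignoring comments."""
    names: Dict[str, str] = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for alias in fields[1:]:
            names[alias] = fields[0]
    return names

def system_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def name_source(name: str, local_ip: str, hosts_text: str,
                ptr_lookup: Callable[[str], Optional[str]] = system_ptr) -> str:
    """Where did netstat get `name` for `local_ip`? Mirrors the usual nsswitch
    order 'files dns': /etc/hosts first, then the PTR record; 'unknown' otherwise."""
    if hosts_file_names(hosts_text).get(name) == local_ip:
        return "hosts"
    if ptr_lookup(local_ip) == name:
        return "ptr"
    return "unknown"
```

On a real box, take the numeric local address from `netstat -an` and call `name_source("www.carhopper.net", that_ip, open("/etc/hosts").read())`; a result of "ptr" means the name lives at the ISP's reverse zone, not on the server.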


#6  08-06-2005, 03:52 AM
jamesyeeoc (Junior Guru, Join Date: Dec 2003, Location: Sunny So. Calif., Posts: 204)
Check all your zone files and named.conf, including your in-addr.arpa files for carhopper.net


#7  08-06-2005, 05:09 AM
Matt -Seeksadmin (Aspiring Evangelist, Join Date: Apr 2004, Location: Australia, Posts: 419)
I know this is going to be a stupid suggestion but may as well check it. You haven't set your servername as carhopper.net have you?
