Identifying and Stopping Unwanted Net Traffic

Krautkramer, John John.Krautkramer at micrel.com
Wed Jun 24 22:40:35 UTC 2009


Hi,

Yes you are correct in that I am running a web server. I just caught the
machine acting up again and this is what "netstat -tpn" gives me:

newdelli 69: netstat -tpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 192.168.1.41:46541          85.17.35.51:80              ESTABLISHED 3075/firefox-bin
tcp        0 129720 192.168.1.41:8080           65.218.208.2:54343          ESTABLISHED -
tcp        0  37856 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49754  ESTABLISHED -
tcp        0  25688 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49752  ESTABLISHED -
tcp        0  31096 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49758  ESTABLISHED -
tcp        0  14872 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49756  ESTABLISHED -
tcp        0  27040 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49746  ESTABLISHED -
tcp        0  35152 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49744  ESTABLISHED -
tcp        0  20280 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49750  ESTABLISHED -
tcp        0    784 ::ffff:192.168.1.41:22      ::ffff:65.218.208.2:21290   ESTABLISHED -
tcp        0  17576 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49768  ESTABLISHED -
tcp        0  24336 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49762  ESTABLISHED -
tcp        0  18928 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49760  ESTABLISHED -
tcp        0  27040 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49766  ESTABLISHED -
tcp        0  22984 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49764  ESTABLISHED -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3112  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3107  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3097  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3102  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3088  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3093  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3082  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3073  TIME_WAIT   -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3078  TIME_WAIT   -

The only program listed is firefox which I know is running on the
machine at the moment. The rest doesn't show any program. Does this mean
those connections were initiated from outside of the box? If that's the
case, then I need to find what these outside machines are getting to and
block it some how.

As pointed out above, the port through which the connections are made is
80. I don't know what I would do to eliminate this since I need port 80
for my web server to function.

The IP addresses causing the problem have again changed.

Any more ideas?

Thanks!

John

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Miner, Jonathan W
(US SSA)
Sent: Wednesday, June 24, 2009 12:35 PM
To: General Red Hat Linux discussion list
Subject: RE: Identifying and Stopping Unwanted Net Traffic

Add the -p option to netstat, and you'll see the program name.

Since your source port is "80", it sounds like you're running a
webserver.  If you're not running a webserver... then something else is
on that port!


-----Original Message-----
From:	redhat-list-bounces at redhat.com on behalf of Krautkramer, John
Sent:	Wed 6/24/2009 1:38 PM
To:	redhat-list at redhat.com
Cc:	
Subject:	Identifying and Stopping Unwanted Net Traffic

Hi,

I have a machine running RHEL5.0 that is clogging up my network
connection sporadically. Below is the output of "netstat -tn" while the
machine is acting up.

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      1 192.168.1.41:55200          66.102.7.100:80             FIN_WAIT1
tcp        0      1 192.168.1.41:35291          66.102.7.101:80             FIN_WAIT1
tcp        0      0 192.168.1.41:46541          85.17.35.51:80              ESTABLISHED
tcp        0      1 192.168.1.41:42623          66.102.7.100:80             FIN_WAIT1
tcp        0      0 192.168.1.41:55673          66.102.7.97:443             ESTABLISHED
tcp        0  96876 ::ffff:192.168.1.41:80      ::ffff:211.125.38.105:55594 ESTABLISHED
tcp        0 116532 ::ffff:192.168.1.41:80      ::ffff:211.125.38.105:55628 ESTABLISHED

I believe it's the last 2 entries that are the problem. How do I
determine what these are and what on the system is generating the
traffic? I've also observed the Foreign Address is not always the same.
Today the problem addresses are different.

I know the solution is to find what is causing the traffic if I can, but
in the meantime, is there a way to block the traffic? I tried blocking
it at the DNS server with OpenDNS but they don't accept the IPv6
addresses.

Any ideas would be greatly appreciated!

John

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=subscribe
https://www.redhat.com/mailman/listinfo/redhat-list