* strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 11:25 UTC (permalink / raw)
To: netfilter
Hello!
Just wrote a little iptables-script not allowing connections
to port 80.
Now in the log I see this:
Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
It seems that with every request to a website there is also a request to
IP 209.225.0.6 which leads to exodus.net.
I am completely worried about this. Who can tell me what is going on?
Regards
--
Andreas Meyer
* Re: strange connections to exodus.net
From: Ted Kaczmarek @ 2004-02-21 15:25 UTC (permalink / raw)
To: Andreas Meyer; +Cc: netfilter
Look at the source of the web site you are visiting.
Ted
On Sat, 2004-02-21 at 12:25 +0100, Andreas Meyer wrote:
> Hello!
>
> Just wrote a little iptables-script not allowing connections
> to port 80.
> Now in the log I see this:
>
> Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
> SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> It seems that with every request to a website there is also a request to
> IP 209.225.0.6 which leads to exodus.net.
>
> I am completely worried about this. Who can tell me what is going on?
>
>
> Regards
> --
> Andreas Meyer
* Re: strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 16:09 UTC (permalink / raw)
To: netfilter
Ted Kaczmarek <tedkaz@optonline.net> wrote:
> Look at the source of the web site you are visiting.
>
> Ted
> > Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> > DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
> > SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > It seems that with every request to a website there is also a request to
> > IP 209.225.0.6 which leads to exodus.net.
> >
> > I am completely worried about this. Who can tell me what is going on?
Ted:
Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP \
SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Good point but this is my own site at 82.139.196.116 and I am sure
there is nothing pointing to exodus.net. Is this a DNS thing?
Regards
--
Andreas Meyer
* Re: strange connections to exodus.net
From: Alexis @ 2004-02-21 16:47 UTC (permalink / raw)
To: Andreas Meyer; +Cc: netfilter
That 192.168.20.60 is trying to connect to 209.225.0.6 is obvious; by
the length and the SYN it looks like a GET.
Have you checked if that box (168.20.60) has any virus or anything
like this??
Hello Andreas,
Saturday, February 21, 2004, 8:25:47 AM, you wrote:
AM> Hello!
AM> Just wrote a little iptables-script not allowing connections
AM> to port 80.
AM> Now in the log I see this:
AM> Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
AM> DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
AM> SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
AM> It seems that with every request to a website there is also a request to
AM> IP 209.225.0.6 which leads to exodus.net.
AM> I am completely worried about this. Who can tell me what is going on?
AM> Regards
--
Best regards,
Alexis mailto:alexis@attla.net.ar
* Re: strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 17:19 UTC (permalink / raw)
To: netfilter
Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
> > Ted:
> >
> > Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> > DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP \
> > SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> > Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> > DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
> > SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > Good point but this is my own site at 82.139.196.116 and I am sure
> > there is nothing pointing to exodus.net. Is this a DNS thing?
>
> I don't see any IPs in your postings that point to exodus.net so I don't know
> where you're seeing that. The IP in your first posting is most likely adware
> running on the client 192.168.20.60 and the IP in your 2nd posting doesn't
> resolve. You need to check the processes running on 192.168.20.60 to see
> which one is calling these sites.
# dig -x 209.225.0.6
; <<>> DiG 9.2.2 <<>> -x 209.225.0.6
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65525
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;6.0.225.209.in-addr.arpa. IN PTR
;; ANSWER SECTION:
6.0.225.209.in-addr.arpa. 3600 IN PTR servedby.advertising.com.
;; AUTHORITY SECTION:
0.225.209.in-addr.arpa. 3600 IN NS dns03.exodus.net.
0.225.209.in-addr.arpa. 3600 IN NS dns04.exodus.net.
0.225.209.in-addr.arpa. 3600 IN NS dns01.exodus.net.
0.225.209.in-addr.arpa. 3600 IN NS dns02.exodus.net.
;; Query time: 290 msec
;; SERVER: 192.168.1.75#53(192.168.1.75)
;; WHEN: Sat Feb 21 18:01:40 2004
;; MSG SIZE rcvd: 170
# dig -x 209.225.11.237
; <<>> DiG 9.2.2 <<>> -x 209.225.11.237
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64855
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;237.11.225.209.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
11.225.209.in-addr.arpa. 3600 IN SOA dns01.exodus.net. hostmaster.exodus.net.11.225.209.in-addr.arpa. 2002091300 10800 3600 604800 86400
My LAN looks like this:
WKS 192.168.1.3 connects via web browser to Squid at 192.168.1.75,
and the request from Squid is routed to the gateway 192.168.20.210,
and as soon as I start a request, a tail -f /var/log/firewall on the
Squid machine shows the request to the above IPs. I don't know why.
--
Andreas Meyer | http://www.anup.de
| http://homeservice.anup.de/andreas
* Re: strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 17:25 UTC (permalink / raw)
To: netfilter
Alexis <alexis@attla.net.ar> wrote:
> That 192.168.20.60 is trying to connect to 209.225.0.6 is obvious; by
> the length and the SYN it looks like a GET.
>
> Have you checked if that box (168.20.60) has any virus or anything
> like this??
>
The box is running Postfix and Apache. All incoming mail is scanned
by Antivir. Several other checks are running.
I found nothing strange till now.
--
Andreas Meyer | http://www.anup.de
| http://homeservice.anup.de/andreas
* Re: strange connections to exodus.net
From: Jeffrey Laramie @ 2004-02-21 17:34 UTC (permalink / raw)
To: netfilter
On Saturday 21 February 2004 12:19, Andreas Meyer wrote:
> Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
> > > Ted:
> > >
> > > Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60
> > > \ DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP \
> > > SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> > > Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60
> > > \ DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160
> > > PROTO=TCP \ SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> > >
> > > Good point but this is my own site at 82.139.196.116 and I am sure
> > > there is nothing pointing to exodus.net. Is this a DNS thing?
> >
> > I don't see any IPs in your postings that point to exodus.net so I don't
> > know where you're seeing that. The IP in your first posting is most
> > likely adware running on the client 192.168.20.60 and the IP in your 2nd
> > posting doesn't resolve. You need to check the processes running on
> > 192.168.20.60 to see which one is calling these sites.
>
> # dig -x 209.225.0.6
>
> ; <<>> DiG 9.2.2 <<>> -x 209.225.0.6
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65525
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;6.0.225.209.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 6.0.225.209.in-addr.arpa. 3600 IN PTR servedby.advertising.com.
>
> ;; AUTHORITY SECTION:
> 0.225.209.in-addr.arpa. 3600 IN NS dns03.exodus.net.
> 0.225.209.in-addr.arpa. 3600 IN NS dns04.exodus.net.
> 0.225.209.in-addr.arpa. 3600 IN NS dns01.exodus.net.
> 0.225.209.in-addr.arpa. 3600 IN NS dns02.exodus.net.
>
> ;; Query time: 290 msec
> ;; SERVER: 192.168.1.75#53(192.168.1.75)
> ;; WHEN: Sat Feb 21 18:01:40 2004
> ;; MSG SIZE rcvd: 170
>
> # dig -x 209.225.11.237
>
> ; <<>> DiG 9.2.2 <<>> -x 209.225.11.237
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64855
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;237.11.225.209.in-addr.arpa. IN PTR
>
> ;; AUTHORITY SECTION:
> 11.225.209.in-addr.arpa. 3600 IN SOA dns01.exodus.net.
> hostmaster.exodus.net.11.225.209.in-addr.arpa. 2002091300 10800 3600 604800
> 86400
>
exodus.net is simply providing DNS for the servedby.advertising.com site.
That's probably not relevant to your concerns.
>
> My LAN looks like this:
>
> WKS 192.168.1.3 connection per webbrowser to Squid at 192.168.1.75
> and the request from Squid is routed to the gateway 192.168.20.210
>
> and as soon I start a request a tail -f /var/log/firewall on the
> Squid-machine shows the request the above IPs. I don't known why.
As I said earlier, the request to these sites is coming from 192.168.20.60.
You need to look at the processes running on that box to see what is calling
that website. It's probably adware but there's no way to know for sure from
an iptables log entry.
Jeff
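As an added example (not code from the thread), here is a small Python parser for netfilter LOG lines of the kind posted above: it groups locally generated SYNs (empty IN=) per source host and destination, flags destinations outside an allow-list, and builds the in-addr.arpa name that `dig -x` queries. The allow-list holding the poster's own server and the joined-up sample log lines are constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# KEY=VALUE pairs written by the iptables LOG target; an empty IN= marks a locally generated packet.
_KV = re.compile(r"(\w+)=(\S*)")
_TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

# Sample input: the three DROP-TCP entries posted in the thread, with the
# "\" line continuations joined back into one line each (constructed here).
SAMPLE_LOG = "\n".join([
    "Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 "
    "DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP "
    "SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 "
    "DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP "
    "SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 "
    "DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP "
    "SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
])

# Assumption for the demo: the poster's own web server is the only
# destination this host is expected to talk to on port 80.
ASSUMED_ALLOWED = frozenset({"82.139.196.116"})

def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one LOG entry plus its TCP flag words."""
    if "kernel:" not in line:
        return None
    body = line.partition("kernel:")[2]
    fields = dict(_KV.findall(body))
    # Flag words (SYN, ACK, ...) carry no "=" and appear as bare tokens.
    fields["FLAGS"] = sorted(t for t in body.split() if t in _TCP_FLAGS)
    return fields

def outbound_syn_summary(log_text):
    """Count locally originated TCP SYNs (IN= empty) per (SRC, DST, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if f and f.get("PROTO") == "TCP" and "SYN" in f["FLAGS"] and f.get("IN") == "":
            counts[(f["SRC"], f["DST"], f["DPT"])] += 1
    return counts

def unexpected_destinations(log_text, allowed=ASSUMED_ALLOWED):
    """Per source host, the dropped SYN destinations that are not allow-listed."""
    out = {}
    for (src, dst, dpt), n in outbound_syn_summary(log_text).items():
        if dst not in allowed:
            out.setdefault(src, []).append((dst, dpt, n))
    return out

def reverse_name(ipv4):
    """The in-addr.arpa name that `dig -x` queries, e.g. 6.0.225.209.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."
```

The SRC field identifies the internal host to inspect; the log alone cannot say which process on it opened the connection, which is the point made in the reply above.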
* Re[2]: strange connections to exodus.net
From: Alexis @ 2004-02-21 18:06 UTC (permalink / raw)
To: Andreas Meyer; +Cc: netfilter
Now we see.
Like you said, if this is your webserver, some site inside your
webserver is using ads at this destination.
exodus is only the DNS for these addresses, but you are connecting to servedby.advertising.com.
And, in your schema, where is 192.168.20.60?
Hello Andreas,
Saturday, February 21, 2004, 2:19:40 PM, you wrote:
AM> Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
>> > Ted:
>> >
>> > Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
>> > DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP \
>> > SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>> > Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
>> > DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
>> > SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>> >
>> > Good point but this is my own site at 82.139.196.116 and I am sure
>> > there is nothing pointing to exodus.net. Is this a DNS thing?
>>
>> I don't see any IPs in your postings that point to exodus.net so I don't know
>> where you're seeing that. The IP in your first posting is most likely adware
>> running on the client 192.168.20.60 and the IP in your 2nd posting doesn't
>> resolve. You need to check the processes running on 192.168.20.60 to see
>> which one is calling these sites.
AM> # dig -x 209.225.0.6
AM> ; <<>> DiG 9.2.2 <<>> -x 209.225.0.6
AM> ;; global options: printcmd
AM> ;; Got answer:
AM> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65525
AM> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
AM> ;; QUESTION SECTION:
AM> ;6.0.225.209.in-addr.arpa. IN PTR
AM> ;; ANSWER SECTION:
AM> 6.0.225.209.in-addr.arpa. 3600 IN PTR servedby.advertising.com.
AM> ;; AUTHORITY SECTION:
AM> 0.225.209.in-addr.arpa. 3600 IN NS dns03.exodus.net.
AM> 0.225.209.in-addr.arpa. 3600 IN NS dns04.exodus.net.
AM> 0.225.209.in-addr.arpa. 3600 IN NS dns01.exodus.net.
AM> 0.225.209.in-addr.arpa. 3600 IN NS dns02.exodus.net.
AM> ;; Query time: 290 msec
AM> ;; SERVER: 192.168.1.75#53(192.168.1.75)
AM> ;; WHEN: Sat Feb 21 18:01:40 2004
AM> ;; MSG SIZE rcvd: 170
AM> # dig -x 209.225.11.237
AM> ; <<>> DiG 9.2.2 <<>> -x 209.225.11.237
AM> ;; global options: printcmd
AM> ;; Got answer:
AM> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64855
AM> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
AM> ;; QUESTION SECTION:
AM> ;237.11.225.209.in-addr.arpa. IN PTR
AM> ;; AUTHORITY SECTION:
AM> 11.225.209.in-addr.arpa. 3600 IN SOA
AM> dns01.exodus.net. hostmaster.exodus.net.11.225.209.in-addr.arpa.
AM> 2002091300 10800 3600 604800 86400
AM> My LAN looks like this:
AM> WKS 192.168.1.3 connection per webbrowser to Squid at 192.168.1.75
AM> and the request from Squid is routed to the gateway 192.168.20.210
AM> and as soon I start a request a tail -f /var/log/firewall on the
AM> Squid-machine shows the request the above IPs. I don't known why.
--
Best regards,
Alexis mailto:alexis@attla.net.ar
* Re: Re[2]: strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 18:26 UTC (permalink / raw)
To: netfilter
Alexis <alexis@attla.net.ar> wrote:
> Now we see.
>
> Like you said, if this is your webserver, some site inside your
> webserver are using ads in this destination
>
> exodus are only the dns for this addresses, but you are connecting to servedby.advertising.com
>
> and, in your schema, where is 192.168.20.60?
+------------+   +-----------------+   +----------------------+
|WKS         |   |DMZ 192.168.1.75 |   |Gateway 192.168.20.210|
|192.168.1.3 |-->|    192.168.20.60|-->|                      |
|with Opera  |   |with Squid etc.  |   +----------------------+
+------------+   +-----------------+
But! I think I found the answer to my problem. I think
Opera is the one who is causing this request. As soon
as I use for example Firebird there are no such requests.
Ooooh, I have to watch this further.
Thank you all for your patience!
--
Andreas Meyer | http://www.anup.de
| http://homeservice.anup.de/andreas
* Re[4]: strange connections to exodus.net
From: Alexis @ 2004-02-21 22:40 UTC (permalink / raw)
To: Andreas Meyer; +Cc: netfilter
Right, Opera has in its unregistered version an awful banner at the
top.
You have 3 choices
1- buy it
2- not to use it
3- crack it
:)
Hello Andreas,
Saturday, February 21, 2004, 3:26:07 PM, you wrote:
AM> Alexis <alexis@attla.net.ar> wrote:
>> Now we see.
>>
>> Like you said, if this is your webserver, some site inside your
>> webserver are using ads in this destination
>>
>> exodus are only the dns for this addresses, but you are
>> connecting to servedby.advertising.com
>>
>> and, in your schema, where is 192.168.20.60?
AM> +------------+   +-----------------+   +----------------------+
AM> |WKS         |   |DMZ 192.168.1.75 |   |Gateway 192.168.20.210|
AM> |192.168.1.3 |-->|    192.168.20.60|-->|                      |
AM> |with Opera  |   |with Squid etc.  |   +----------------------+
AM> +------------+   +-----------------+
AM> But! I think I found the answer to my problem. I think
AM> Opera is the one who is causing this request. As soon
AM> as I use for example Firebird there are no such requestes.
AM> Ooooh, I have to watch this furthermore.
AM> Thank you all for your patience!
--
Best regards,
Alexis mailto:alexis@attla.net.ar