* strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 11:25 UTC
To: netfilter

Hello!

Just wrote a little iptables-script not allowing connections
to port 80.
Now in the log I see this:

Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

It seems that with every request to a website there is also a request to
IP 209.225.0.6 which leads to exodus.net.

I am completely worried about this. Who can tell me what is going on?


Regards
--
Andreas Meyer
* Re: strange connections to exodus.net
From: Ted Kaczmarek @ 2004-02-21 15:25 UTC
To: Andreas Meyer; +Cc: netfilter

Look at the source of the web site you are visiting.

Ted

On Sat, 2004-02-21 at 12:25 +0100, Andreas Meyer wrote:
> Hello!
>
> Just wrote a little iptables-script not allowing connections
> to port 80.
> Now in the log I see this:
>
> Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
> SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> It seems that with every request to a website there is also a request to
> IP 209.225.0.6 which leads to exodus.net.
>
> I am completely worried about this. Who can tell me what is going on?
>
>
> Regards
> --
> Andreas Meyer
* Re: strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 16:09 UTC
To: netfilter

Ted Kaczmarek <tedkaz@optonline.net> wrote:

> Look at the source of the web site you are visiting.
>
> Ted
>
> > Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> > DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
> > SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > It seems that with every request to a website there is also a request to
> > IP 209.225.0.6 which leads to exodus.net.
> >
> > I am completely worried about this. Who can tell me what is going on?

Ted:

Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP \
SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Good point but this is my own site at 82.139.196.116 and I am sure
there is nothing pointing to exodus.net. Is this a DNS thing?

Regards
--
Andreas Meyer
[parent not found: <200402211136.22220.JALaramie@Loudoun-Fairfax.com>]
* Re: strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 17:19 UTC
To: netfilter

Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:

> > Ted:
> >
> > Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> > DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP \
> > SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> > Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
> > DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
> > SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > Good point but this is my own site at 82.139.196.116 and I am sure
> > there is nothing pointing to exodus.net. Is this a DNS thing?
>
> I don't see any IPs in your postings that point to exodus.net so I don't know
> where you're seeing that. The IP in your first posting is most likely adware
> running on the client 192.168.20.60 and the IP in your 2nd posting doesn't
> resolve. You need to check the processes running on 192.168.20.60 to see
> which one is calling these sites.

# dig -x 209.225.0.6

; <<>> DiG 9.2.2 <<>> -x 209.225.0.6
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65525
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;6.0.225.209.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
6.0.225.209.in-addr.arpa. 3600  IN      PTR     servedby.advertising.com.

;; AUTHORITY SECTION:
0.225.209.in-addr.arpa. 3600    IN      NS      dns03.exodus.net.
0.225.209.in-addr.arpa. 3600    IN      NS      dns04.exodus.net.
0.225.209.in-addr.arpa. 3600    IN      NS      dns01.exodus.net.
0.225.209.in-addr.arpa. 3600    IN      NS      dns02.exodus.net.

;; Query time: 290 msec
;; SERVER: 192.168.1.75#53(192.168.1.75)
;; WHEN: Sat Feb 21 18:01:40 2004
;; MSG SIZE  rcvd: 170

# dig -x 209.225.11.237

; <<>> DiG 9.2.2 <<>> -x 209.225.11.237
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64855
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;237.11.225.209.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
11.225.209.in-addr.arpa. 3600   IN      SOA     dns01.exodus.net. hostmaster.exodus.net.11.225.209.in-addr.arpa. 2002091300 10800 3600 604800 86400

My LAN looks like this:

WKS 192.168.1.3 connection per webbrowser to Squid at 192.168.1.75
and the request from Squid is routed to the gateway 192.168.20.210

and as soon as I start a request a tail -f /var/log/firewall on the
Squid-machine shows the request to the above IPs. I don't know why.

--
Andreas Meyer | http://www.anup.de | http://homeservice.anup.de/andreas
* Re: strange connections to exodus.net
From: Jeffrey Laramie @ 2004-02-21 17:34 UTC
To: netfilter

On Saturday 21 February 2004 12:19, Andreas Meyer wrote:
> Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:
> > > Ted:
> > >
> > > Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60
> > > \ DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP \
> > > SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> > > Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60
> > > \ DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160
> > > PROTO=TCP \ SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> > >
> > > Good point but this is my own site at 82.139.196.116 and I am sure
> > > there is nothing pointing to exodus.net. Is this a DNS thing?
> >
> > I don't see any IPs in your postings that point to exodus.net so I don't
> > know where you're seeing that. The IP in your first posting is most
> > likely adware running on the client 192.168.20.60 and the IP in your 2nd
> > posting doesn't resolve. You need to check the processes running on
> > 192.168.20.60 to see which one is calling these sites.
>
> # dig -x 209.225.0.6
>
> ; <<>> DiG 9.2.2 <<>> -x 209.225.0.6
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65525
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;6.0.225.209.in-addr.arpa.      IN      PTR
>
> ;; ANSWER SECTION:
> 6.0.225.209.in-addr.arpa. 3600  IN      PTR     servedby.advertising.com.
>
> ;; AUTHORITY SECTION:
> 0.225.209.in-addr.arpa. 3600    IN      NS      dns03.exodus.net.
> 0.225.209.in-addr.arpa. 3600    IN      NS      dns04.exodus.net.
> 0.225.209.in-addr.arpa. 3600    IN      NS      dns01.exodus.net.
> 0.225.209.in-addr.arpa. 3600    IN      NS      dns02.exodus.net.
>
> ;; Query time: 290 msec
> ;; SERVER: 192.168.1.75#53(192.168.1.75)
> ;; WHEN: Sat Feb 21 18:01:40 2004
> ;; MSG SIZE  rcvd: 170
>
> # dig -x 209.225.11.237
>
> ; <<>> DiG 9.2.2 <<>> -x 209.225.11.237
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64855
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;237.11.225.209.in-addr.arpa.   IN      PTR
>
> ;; AUTHORITY SECTION:
> 11.225.209.in-addr.arpa. 3600   IN      SOA     dns01.exodus.net.
> hostmaster.exodus.net.11.225.209.in-addr.arpa. 2002091300 10800 3600 604800
> 86400
>

exodus.net is simply providing DNS for the servedby.advertising.com site. That's
probably not relevant to your concerns.

>
> My LAN looks like this:
>
> WKS 192.168.1.3 connection per webbrowser to Squid at 192.168.1.75
> and the request from Squid is routed to the gateway 192.168.20.210
>
> and as soon as I start a request a tail -f /var/log/firewall on the
> Squid-machine shows the request to the above IPs. I don't know why.

As I said earlier, the request to these sites is coming from 192.168.20.60. You
need to look at the processes running on that box to see what is calling that
website. It's probably adware but there's no way to know for sure from an
iptables log entry.

Jeff
* Re[2]: strange connections to exodus.net
From: Alexis @ 2004-02-21 18:06 UTC
To: Andreas Meyer; +Cc: netfilter

Now we see.

Like you said, if this is your webserver, some site inside your
webserver is using ads in this destination

exodus is only the dns for these addresses, but you are connecting to servedby.advertising.com

and, in your schema, where is 192.168.20.60?

Hello Andreas,

Saturday, February 21, 2004, 2:19:40 PM, you wrote:

AM> Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote:

>> > Ted:
>> >
>> > Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
>> > DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP \
>> > SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>> > Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
>> > DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
>> > SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>> >
>> > Good point but this is my own site at 82.139.196.116 and I am sure
>> > there is nothing pointing to exodus.net. Is this a DNS thing?
>>
>> I don't see any IPs in your postings that point to exodus.net so I don't know
>> where you're seeing that. The IP in your first posting is most likely adware
>> running on the client 192.168.20.60 and the IP in your 2nd posting doesn't
>> resolve. You need to check the processes running on 192.168.20.60 to see
>> which one is calling these sites.

AM> # dig -x 209.225.0.6

AM> ; <<>> DiG 9.2.2 <<>> -x 209.225.0.6
AM> ;; global options:  printcmd
AM> ;; Got answer:
AM> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65525
AM> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

AM> ;; QUESTION SECTION:
AM> ;6.0.225.209.in-addr.arpa.      IN      PTR

AM> ;; ANSWER SECTION:
AM> 6.0.225.209.in-addr.arpa. 3600  IN      PTR     servedby.advertising.com.

AM> ;; AUTHORITY SECTION:
AM> 0.225.209.in-addr.arpa. 3600    IN      NS      dns03.exodus.net.
AM> 0.225.209.in-addr.arpa. 3600    IN      NS      dns04.exodus.net.
AM> 0.225.209.in-addr.arpa. 3600    IN      NS      dns01.exodus.net.
AM> 0.225.209.in-addr.arpa. 3600    IN      NS      dns02.exodus.net.

AM> ;; Query time: 290 msec
AM> ;; SERVER: 192.168.1.75#53(192.168.1.75)
AM> ;; WHEN: Sat Feb 21 18:01:40 2004
AM> ;; MSG SIZE  rcvd: 170

AM> # dig -x 209.225.11.237

AM> ; <<>> DiG 9.2.2 <<>> -x 209.225.11.237
AM> ;; global options:  printcmd
AM> ;; Got answer:
AM> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64855
AM> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

AM> ;; QUESTION SECTION:
AM> ;237.11.225.209.in-addr.arpa.   IN      PTR

AM> ;; AUTHORITY SECTION:
AM> 11.225.209.in-addr.arpa. 3600   IN      SOA
AM> dns01.exodus.net. hostmaster.exodus.net.11.225.209.in-addr.arpa.
AM> 2002091300 10800 3600 604800 86400

AM> My LAN looks like this:

AM> WKS 192.168.1.3 connection per webbrowser to Squid at 192.168.1.75
AM> and the request from Squid is routed to the gateway 192.168.20.210

AM> and as soon as I start a request a tail -f /var/log/firewall on the
AM> Squid-machine shows the request to the above IPs. I don't know why.

--
Best regards,
 Alexis                            mailto:alexis@attla.net.ar
* Re: Re[2]: strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 18:26 UTC
To: netfilter

Alexis <alexis@attla.net.ar> wrote:

> Now we see.
>
> Like you said, if this is your webserver, some site inside your
> webserver is using ads in this destination
>
> exodus is only the dns for these addresses, but you are connecting to servedby.advertising.com
>
> and, in your schema, where is 192.168.20.60?

+------------+   +-----------------+   +----------------------+
|WKS         |   |DMZ 192.168.1.75 |   |Gateway 192.168.20.210|
|192.168.1.3 |-->|    192.168.20.60|-->|                      |
|with Opera  |   |with Squid etc.  |   +----------------------+
+------------+   +-----------------+

But! I think I found the answer to my problem. I think
Opera is the one who is causing this request. As soon
as I use for example Firebird there are no such requests.

Ooooh, I have to watch this furthermore.

Thank you all for your patience!

--
Andreas Meyer | http://www.anup.de | http://homeservice.anup.de/andreas
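As an added example (not code from the thread), the following parser reads the netfilter LOG records quoted above and groups SYN-only (new connection) attempts by source. It shows in code the point Jeff makes, that SRC in the DROP-TCP lines is the host that opened the connection (192.168.20.60), and why, with Squid on that host as in the diagram, the firewall log alone cannot name the workstation whose browser triggered the request.

```python
import re
from collections import Counter

# Constructed sample: the three DROP-TCP records quoted in the thread, joined onto one line each.
SAMPLE_LOG = """\
Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 16:59:22 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 DST=209.225.11.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=41504 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 16:59:23 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 DST=82.139.196.116 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP SPT=41501 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$")

def parse_log_line(line):
    """Parse one netfilter LOG record into a dict; None for anything else.
    Fields are key=value tokens after the --log-prefix text; TCP flags
    (SYN, ACK, ...) and DF are bare tokens and are kept in rec["flags"]."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    start = body.find("IN=")
    if start < 0:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": body[:start], "flags": set()}
    for tok in body[start:].split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val          # e.g. SRC=192.168.20.60, IN= (empty)
        else:
            rec["flags"].add(tok)   # e.g. SYN, ACK, DF
    return rec

def new_connection_attempts(text):
    """Dropped TCP connection attempts per (SRC, DST, DPT). SYN without ACK
    is the first packet of a connection, so SRC is the host that opened it:
    in this thread the Squid box, not the workstation behind it."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            counts[(rec["SRC"], rec["DST"], rec["DPT"])] += 1
    return counts

def initiating_hosts(text):
    """Attempts per originating host, i.e. the box whose processes (or, for
    a proxy, whose access.log) must be checked next, as Jeff advised."""
    hosts = Counter()
    for (src, _dst, _dpt), n in new_connection_attempts(text).items():
        hosts[src] += n
    return hosts
```

Run over the sample, every attempt is attributed to 192.168.20.60; the browser that actually asked for the page is only visible in Squid's own access log on that host.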
* Re[4]: strange connections to exodus.net
From: Alexis @ 2004-02-21 22:40 UTC
To: Andreas Meyer; +Cc: netfilter

right, opera has in its unregistered version an awful banner at the top.

You have 3 choices

1- buy it
2- not to use it
3- crack it :)

Hello Andreas,

Saturday, February 21, 2004, 3:26:07 PM, you wrote:

AM> Alexis <alexis@attla.net.ar> wrote:

>> Now we see.
>>
>> Like you said, if this is your webserver, some site inside your
>> webserver is using ads in this destination
>>
>> exodus is only the dns for these addresses, but you are
>> connecting to servedby.advertising.com
>>
>> and, in your schema, where is 192.168.20.60?

AM> +------------+   +-----------------+   +----------------------+
AM> |WKS         |   |DMZ 192.168.1.75 |   |Gateway 192.168.20.210|
AM> |192.168.1.3 |-->|    192.168.20.60|-->|                      |
AM> |with Opera  |   |with Squid etc.  |   +----------------------+
AM> +------------+   +-----------------+

AM> But! I think I found the answer to my problem. I think
AM> Opera is the one who is causing this request. As soon
AM> as I use for example Firebird there are no such requests.

AM> Ooooh, I have to watch this furthermore.

AM> Thank you all for your patience!

--
Best regards,
 Alexis                            mailto:alexis@attla.net.ar
* Re: strange connections to exodus.net
From: Alexis @ 2004-02-21 16:47 UTC
To: Andreas Meyer; +Cc: netfilter

That 192.168.20.60 is trying to connect to 209.225.0.6 is obvious, by
the length and the syn looks like a get.

Have you checked if that box (168.20.60) has any virus or anything
like this??

Hello Andreas,

Saturday, February 21, 2004, 8:25:47 AM, you wrote:

AM> Hello!

AM> Just wrote a little iptables-script not allowing connections
AM> to port 80.
AM> Now in the log I see this:

AM> Feb 21 11:53:41 delta kernel: DROP-TCP :IN= OUT=eth1 SRC=192.168.20.60 \
AM> DST=209.225.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22160 PROTO=TCP \
AM> SPT=41197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

AM> It seems that with every request to a website there is also a request to
AM> IP 209.225.0.6 which leads to exodus.net.

AM> I am completely worried about this. Who can tell me what is going on?


AM> Regards

--
Best regards,
 Alexis                            mailto:alexis@attla.net.ar
* Re: strange connections to exodus.net
From: Andreas Meyer @ 2004-02-21 17:25 UTC
To: netfilter

Alexis <alexis@attla.net.ar> wrote:

> That 192.168.20.60 is trying to connect to 209.225.0.6 is obvious, by
> the length and the syn looks like a get.
>
> Have you checked if that box (168.20.60) has any virus or anything
> like this??
>

The box is running Postfix and Apache. All incoming mail is scanned
by Antivir. Several other checks are running. I found nothing
strange till now.

--
Andreas Meyer | http://www.anup.de | http://homeservice.anup.de/andreas