Kjel Oslund, Posted January 23, 2005

Once or twice I've noticed some odd net traffic patterns, and when running netstat I've seen a set of http connects to ns2.moondrake.net. I've no idea what program is responsible for this (netstat -p shows nothing). Any ideas?
Guest anon, Posted January 23, 2005

A quick check on that name server tells me its IP belongs to MandrakeSoft.
devries, Posted January 23, 2005

Just clicking on it would have brought you to mandrakesoft.com :D. Perhaps it's the automatic update service? Look in the list of running processes/programs (ps -aux) and see if you notice something.
Kjel Oslund (Author), Posted January 23, 2005

I did do a whois (bw-whois), but it didn't show any detailed info. I've since checked with the registrar's site www.gandi.net and saw the registration to Mandrakesoft Inc. It looks legit. I also did a google search for moondrake.net and it leads to a www.moonrake.net. However, the certificate for that server is bad and firefox rejects it. I scanned ps but didn't see anything unusual -- perhaps I missed it. I've looked at the crontab scripts but there is nothing there that would appear to be doing a net lookup. It could be the automated update service, which I haven't subscribed to (it's just as easy to use urpmi). I'll disable it and see what happens. BTW, I did a chkrootkit too, just to be safe. I've never installed any unsigned rpms on my system, but I've often thought that a contrib rpm would be a good place for someone to attempt to install a rootkit. It would be interesting to know what steps Mandrake takes to ensure that contrib rpms are safe, signed or otherwise.
Michel, Posted February 22, 2005

You can run the command "netstat -lp" as root or another user. It will show you all services that are listening, the name of the program that is listening and its id, I believe, ... For outgoing connections, you can use "netstat -p". Hope this helps, Michel
Kjel Oslund (Author), Posted February 22, 2005

I finally tracked down the source of the mysterious moondrake connections using a combination of netstat and ethereal. It turns out that the connections were coming from mandrake's net_applet. Whenever I thought I saw a suspicious pattern of activity on my modem, I'd pop up the net_applet for a quick look. Then I'd run netstat to see things in more detail. That's when I'd see up to 12 http connections to ns2.moondrake.net with no associated process. Like this:

[root@cougar kjel]# netstat -p -A inet
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.100:33614     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33615     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33612     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33613     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33610     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33611     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33608     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33609     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33606     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33607     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33616     ns2.moondrake.net:http  TIME_WAIT   -

After much digging around I finally found a section of perl code called by the net_applet that opens a connection to the http server on ns2.moondrake.net as a network heartbeat test to determine if you're connected to the net. It looks like the server can't keep up with the traffic and the connections pile up.
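The pile-up above is easy to miss because TIME_WAIT sockets have already been closed by their owner, so netstat -p prints "-" in the PID column. The following is an added example (not code from the thread) that parses a constructed netstat -p -A inet listing, modelled on the one in the post, and flags foreign hosts with several sockets that no process can be tied to, which is the cue to reach for a packet capture or a process list instead of netstat alone:

```python
import re
from collections import Counter

# Constructed sample in the layout of "netstat -p -A inet"; the moondrake
# rows mirror the post, the other two rows are made up for contrast.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.100:33614     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33615     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33612     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:45120     mirror.example.org:http ESTABLISHED 2231/urpmi
tcp        0      0 192.168.1.100:22        192.168.1.7:51002       ESTABLISHED 1187/sshd
"""

# proto, recv-q, send-q, local, foreign, state, pid/program.
# udp rows carry no State column, so they do not match and are skipped here.
LINE_RE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_netstat(text):
    """Return a list of (proto, local, foreign, state, pid_prog) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def host_of(addr):
    """Strip the port/service suffix from 'host:port'."""
    return addr.rsplit(":", 1)[0]


def peer_summary(rows):
    """Count sockets per (foreign host, state), ignoring the ephemeral port."""
    counts = Counter()
    for _proto, _local, foreign, state, _pid in rows:
        counts[(host_of(foreign), state)] += 1
    return counts


def orphan_peers(rows, threshold=3):
    """Foreign hosts with at least `threshold` sockets whose PID column is '-'.
    These are typically TIME_WAIT leftovers: the program that opened them has
    already closed them, so the owner has to be found another way."""
    counts = Counter()
    for _proto, _local, foreign, _state, pid in rows:
        if pid == "-":
            counts[host_of(foreign)] += 1
    return {host: n for host, n in counts.items() if n >= threshold}
```

Running it over the real listing in the post gives eleven orphan sockets to ns2.moondrake.net and none anywhere else, which narrows the search to a short-lived client that connects repeatedly, exactly what the net_applet heartbeat turned out to be.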
devries, Posted February 23, 2005

LOL :D
mattie, Posted April 5, 2005

rofl idd! :) Thanks for saving me a lot of time ;) Another reason for me to prefer knemo over the net-applet! :D
Guest helpdeskdan, Posted June 10, 2005 (edited)

To disable it you have to close all the windows, including the useful network monitor. (Which I was using to track it! "Dang, why won't it quit!") Use Ethereal to see if it stopped. Thanks to those who have posted this!

Edited June 10, 2005 by helpdeskdan