what is ns2.moondrake.net?


Kjel Oslund

I did do a whois (bw-whois), but it didn't show any detailed info. I've since checked with the registrar's site www.gandi.net and saw the registration to Mandrakesoft Inc. It looks legit. I also did a google search for moondrake.net and it leads to a www.moonrake.net. However, the certificate for that server is bad and firefox rejects it.

 

I scanned ps but didn't see anything unusual -- perhaps I missed it. I've looked at the crontab scripts but there is nothing there that would appear to be doing a net lookup. It could be the automated update service which I haven't subscribed to (it's just as easy to use urpmi). I'll disable it and see what happens.

 

BTW, I did a chkrootkit too, just to be safe. I've never installed any unsigned rpms on my system, but I've often thought that a contrib rpm would be a good place for someone to attempt to install a rootkit. It would be interesting to know what step Mandrake takes to ensure that contrib rpms are safe, signed or otherwise.


  • 5 weeks later...

You can run the command "netstat -lp" as root or another user.

 

It will show you all services that are listening, the name of the program that is listening and its id I believe, ...

 

For outgoing connections, you can use "netstat -p".

 

hope this helps,

 

Michel


I finally tracked down the source of the mysterious moondrake connections using a combination of netstat and ethereal. It turns out that the connections were coming from Mandrake's net_applet.

 

Whenever I thought I saw a suspicious pattern of activity on my modem, I'd pop up the net_applet for a quick look. Then I'd run netstat to see things in more detail. That's when I'd see up to 12 http connections to ns2.moondrake.com with no associated process. Like this:

[root@cougar kjel]# netstat -p -A inet
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.100:33614     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33615     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33612     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33613     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33610     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33611     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33608     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33609     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33606     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33607     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33616     ns2.moondrake.net:http  TIME_WAIT   -

After much digging around I finally found a section of perl code called by the net_applet that opens a connection to the http server on ns2.moondrake.net as a network heartbeat test to determine if you're connected to the net. It looks like the server can't keep up with the traffic and the connections pile up.

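As an added illustration of the netstat triage described in the post above (example code, not from the thread): a small Python parser for "netstat -p -A inet" output that counts, per remote host, the connections that show "-" in the PID/Program name column, i.e. sockets with no owning process. The sample output is constructed from the lines quoted above plus two made-up rows (an ESTABLISHED tcp connection and a udp socket, which has no State column).

```python
import re
from collections import Counter

# Constructed sample: three rows taken from the netstat output quoted in the
# post, plus two made-up rows to exercise the parser's edge cases.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.100:33614     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33615     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:33612     ns2.moondrake.net:http  TIME_WAIT   -
tcp        0      0 192.168.1.100:45000     mirror.example.org:http ESTABLISHED 4242/urpmi
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1234/dhclient
"""

STATE_RE = re.compile(r"[A-Z][A-Z_0-9]*")  # e.g. TIME_WAIT, ESTABLISHED


def parse_netstat(text):
    """Return (proto, local, foreign, state, program) tuples, one per row.

    netstat -p prints '-' in the PID/Program name column when no process owns
    the socket; a TIME_WAIT socket looks like that once its process has closed
    it, which is exactly what the post's output shows.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # skip the two header lines
        proto, local, foreign = fields[0], fields[3], fields[4]
        rest = fields[5:]
        # udp rows have no State column, so the next field may be the program.
        state = rest[0] if rest and STATE_RE.fullmatch(rest[0]) else ""
        program = rest[-1] if rest and rest[-1] != state else "-"
        rows.append((proto, local, foreign, state, program))
    return rows


def summarize_orphans(rows):
    """Count, per remote host, the connections with no owning process."""
    counts = Counter()
    for _proto, _local, foreign, _state, program in rows:
        if program == "-":
            counts[foreign.rsplit(":", 1)[0]] += 1  # strip the port/service
    return counts


if __name__ == "__main__":
    for host, n in summarize_orphans(parse_netstat(SAMPLE)).most_common():
        print(f"{n:4d} orphaned connection(s) to {host}")
```

A remote host that piles up orphaned connections like this is the first thing to correlate with a packet capture, as the poster did with ethereal.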

  • 1 month later...
  • 2 months later...
Guest helpdeskdan

To disable it you have to close all the windows, including the useful network monitor. (Which I was using to track it! "Dang, why won't it quit!") Use Ethereal to see if it stopped.

 

Thanks to those who have posted this!
