Suspect Internet Connection

Support for security such as Firewalls and securing linux
marathonman
Posts: 26
Joined: 2008/04/27 14:47:18
Location: Revere, MA

Postby marathonman » 2008/12/17 01:20:22

I'm not certain this is the most appropriate list for this (apache?) but ...
When I execute "netstat -cet" I see a tcp connection between my server and "ag-in-f19.google.com" (and similar) running on very high ports (30000+). The PID changes frequently but when I try to kill it it says there's no such process, even though running netstat again often returns the same PID. Unsurprisingly, ag-in-f19.google.com doesn't show up in a whois search.

Surely someone has compromised my system. How would I set about removing it? I am going to beef up my firewall but I'd like to squash this process right away.

Thanks,
Bruce Hyatt

AlanBartlett
Forum Moderator
Posts: 9311
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Suspect Internet Connection

Postby AlanBartlett » 2008/12/17 17:14:07

I may be wrong but I suspect that process is a Google search bot.

$ host ag-in-f19.google.com
ag-in-f19.google.com has address 72.14.247.19
$ dig ag-in-f19.google.com

; <<>> DiG 9.3.4-P1 <<>> ag-in-f19.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11671
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;ag-in-f19.google.com.          IN      A

;; ANSWER SECTION:
ag-in-f19.google.com.   86384   IN      A       72.14.247.19

;; AUTHORITY SECTION:
google.com.             74225   IN      NS      ns3.google.com.
google.com.             74225   IN      NS      ns4.google.com.
google.com.             74225   IN      NS      ns1.google.com.
google.com.             74225   IN      NS      ns2.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         105487  IN      A       216.239.32.10
ns2.google.com.         79595   IN      A       216.239.34.10
ns3.google.com.         109307  IN      A       216.239.36.10
ns4.google.com.         157078  IN      A       216.239.38.10

;; Query time: 48 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Dec 17 17:10:57 2008
;; MSG SIZE  rcvd: 190

$ cat ~/tmp/nmap.txt
# Nmap 4.11 scan initiated Wed Dec 17 16:34:19 2008 as: nmap -sT -sV -P0 -T2 -oN /home/ajb/tmp/nmap.txt 72.14.247.19
Interesting ports on ag-in-f19.google.com (72.14.247.19):
Not shown: 1676 filtered ports
PORT    STATE  SERVICE  VERSION
80/tcp  open   http     Google httpd 1.3 (GFE)
113/tcp closed auth
179/tcp closed bgp
443/tcp open   ssl/http Google httpd 1.3 (GFE)
Service Info: OS: Linux

# Nmap run completed at Wed Dec 17 16:59:03 2008 -- 1 IP address (1 host up) scanned in 1484.746 seconds
$

Re: Suspect Internet Connection

Postby marathonman » 2008/12/17 21:02:55

AlanJBartlett wrote:
I may be wrong but I suspect that process is a Google search bot.


Thanks Alan. I wondered about that. I'm going to see if Google will tell
me anything about it.

It seems odd to me, though, that they would have a process constantly
running on my computer. I've also had portsentry report port scans
from Google.

Bruce Hyatt

Re: Suspect Internet Connection

Postby marathonman » 2008/12/18 02:10:15

Turns out it was a Gmail notifier. It ran even after signing out of Gmail and closing the tab. I also had to close all the other tabs and even then it continued to run for a while. I'm so paranoid, I was sure for a while that my server had been cracked.

Bruce Hyatt

Re: Suspect Internet Connection

Postby AlanBartlett » 2008/12/18 14:23:08

marathonman wrote:
Turns out it was a Gmail notifier.

No harm done then, Bruce.

marathonman wrote:
I'm so paranoid, I was sure for a while that my server had been cracked.

You can sleep soundly in your bed tonight. :-)
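
Added example (not part of the original thread): one way to find which local process owns a connection like the one to 72.14.247.19 is to join the socket inodes listed in /proc/net/tcp with the file descriptors under /proc/<pid>/fd. The sample table is constructed, the function names are illustrative, and the code assumes Linux on a little-endian host and IPv4 only; run it as root to see other users' processes.

```python
import glob
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not taken from the poster's server).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 11111 1
   1: 6401A8C0:8CA0 13F70E48:0050 01 00000000:00000000 00:00000000 00000000   500        0 22222 1
"""

def decode_addr(hexaddr):
    """'13F70E48:0050' -> ('72.14.247.19', 80); the IPv4 word is printed in host byte order."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def established(table_text):
    """Return ESTABLISHED (state 01) rows as dicts; LISTEN and other states are skipped."""
    rows = []
    for line in table_text.splitlines()[1:]:      # first line is the column header
        f = line.split()
        if len(f) >= 10 and f[3] == "01":
            rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                         "uid": int(f[7]), "inode": f[9]})
    return rows

def socket_owners(proc="/proc"):
    """Map socket inode -> set of PIDs holding it, read from the /proc/<pid>/fd symlinks."""
    owners = {}
    for path in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            target = os.readlink(path)
        except OSError:                           # process exited while we were looking
            continue
        if target.startswith("socket:["):
            owners.setdefault(target[8:-1], set()).add(int(path.split(os.sep)[-3]))
    return owners

def attribute(table_text, owners):
    """Pair every established connection with the PIDs that own its socket."""
    return [(r["remote"], r["uid"], sorted(owners.get(r["inode"], [])))
            for r in established(table_text)]

if __name__ == "__main__":
    live = "/proc/net/tcp"
    text = open(live).read() if os.path.exists(live) else SAMPLE
    for (ip, port), uid, pids in attribute(text, socket_owners()):
        print(f"{ip}:{port} uid={uid} pids={pids or 'unknown (try as root)'}")
```

An empty PID list for a connection means the owning process belongs to another user or has already exited; the uid column still shows which account opened the socket.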