I'm not certain this is the most appropriate list for this (apache?) but ...
When I execute "netstat -cet" I see a tcp connection between my server and "ag-in-f19.google.com" (and similar) running on very high ports (30000+). The PID changes frequently but when I try to kill it it says there's no such process, even though running netstat again often returns the same PID. Unsurprisingly, ag-in-f19.google.com doesn't show up in a whois search.
Surely someone has compromised my system. How would I set about removing it? I am going to beef up my firewall but I'd like to squash this process right away.
Thanks,
Bruce Hyatt
Suspect Internet Connection
-
- Posts: 26
- Joined: 2008/04/27 14:47:18
- Location: Revere, MA
- AlanBartlett
- Forum Moderator
- Posts: 9327
- Joined: 2007/10/22 11:30:09
- Location: ~/Earth/UK/England/Suffolk
- Contact:
Re: Suspect Internet Connection
I may be wrong but I suspect that process is a [i]Google search bot[/i].
[code]
$ host ag-in-f19.google.com
ag-in-f19.google.com has address 72.14.247.19
$ dig ag-in-f19.google.com
; <<>> DiG 9.3.4-P1 <<>> ag-in-f19.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11671
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;ag-in-f19.google.com. IN A
;; ANSWER SECTION:
ag-in-f19.google.com. 86384 IN A 72.14.247.19
;; AUTHORITY SECTION:
google.com. 74225 IN NS ns3.google.com.
google.com. 74225 IN NS ns4.google.com.
google.com. 74225 IN NS ns1.google.com.
google.com. 74225 IN NS ns2.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 105487 IN A 216.239.32.10
ns2.google.com. 79595 IN A 216.239.34.10
ns3.google.com. 109307 IN A 216.239.36.10
ns4.google.com. 157078 IN A 216.239.38.10
;; Query time: 48 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Dec 17 17:10:57 2008
;; MSG SIZE rcvd: 190
$ cat ~/tmp/nmap.txt
# Nmap 4.11 scan initiated Wed Dec 17 16:34:19 2008 as: nmap -sT -sV -P0 -T2 -oN /home/ajb/tmp/nmap.txt 72.14.247.19
Interesting ports on ag-in-f19.google.com (72.14.247.19):
Not shown: 1676 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Google httpd 1.3 (GFE)
113/tcp closed auth
179/tcp closed bgp
443/tcp open ssl/http Google httpd 1.3 (GFE)
Service Info: OS: Linux
# Nmap run completed at Wed Dec 17 16:59:03 2008 -- 1 IP address (1 host up) scanned in 1484.746 seconds
$
[/code]
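A small triage script, added here as an example and not part of the thread or of anything Alan or Bruce posted. It takes the same facts the replies above gather by hand and puts them in one place: it parses `ss -tnp` output (iproute2's replacement for the `netstat -tp` view; a constructed sample in that format is embedded so it runs offline), reverse-resolves the peer the way the `host` step does, works out which side holds the high port (a local ephemeral port with a peer on 80/443 means a program on this host dialed out), and checks whether the owning PID still exists, since a short-lived client that has already exited is one common reason `kill` reports no such process for a PID netstat showed a moment earlier. The `rdns` and `exe_of` hooks are assumptions of this example so the lookups can be swapped out in a test.

```python
import os
import re
import socket
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

# One line of `ss -tnp` output. Field layout (assumed from iproute2's ss):
#   STATE Recv-Q Send-Q LOCAL:PORT PEER:PORT users:(("cmd",pid=N,fd=M))
# The users:(...) column is only present when ss can see the owning process.
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<paddr>\S+):(?P<pport>\d+)'
    r'(?:\s+users:\(\("(?P<cmd>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\))?'
)

# Constructed sample in `ss -tnp` format: a browser talking to the Google
# front end from the thread, an inbound ssh session, and a connection whose
# owner ss could not show (another user's process, ss not run as root).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      192.168.1.50:38422   72.14.247.19:443   users:(("firefox",pid=2345,fd=57))
ESTAB  0      0      192.168.1.50:22      192.168.1.10:51022 users:(("sshd",pid=812,fd=4))
ESTAB  0      0      192.168.1.50:45100   203.0.113.9:6667
"""


@dataclass
class Conn:
    state: str
    local_port: int
    peer_ip: str
    peer_port: int
    cmd: Optional[str]   # owning command, if ss could see it
    pid: Optional[int]


def parse_ss_line(line: str) -> Optional[Conn]:
    """Parse one `ss -tnp` line; the header and unparseable lines yield None."""
    m = SS_LINE.match(line.strip())
    if not m:
        return None
    pid = int(m["pid"]) if m["pid"] else None
    return Conn(m["state"], int(m["lport"]), m["paddr"], int(m["pport"]), m["cmd"], pid)


def direction(conn: Conn) -> str:
    """Ephemeral local port plus well-known peer port means a client here dialed out."""
    if conn.local_port >= 1024 and conn.peer_port < 1024:
        return "outbound"
    if conn.local_port < 1024:
        return "inbound"
    return "unknown"


def default_rdns(ip: str) -> Optional[str]:
    """Reverse-resolve the peer, as `host <ip>` would; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def default_exe(pid: int) -> Optional[str]:
    """Path of the binary behind a PID via /proc; None once the process has exited."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def triage(conn: Conn,
           rdns: Callable[[str], Optional[str]] = default_rdns,
           exe_of: Callable[[int], Optional[str]] = default_exe) -> dict:
    """Collect the facts worth knowing before killing anything, plus reasons to look closer."""
    facts = {
        "direction": direction(conn),
        "peer_name": rdns(conn.peer_ip),
        "process": conn.cmd,
        "exe": exe_of(conn.pid) if conn.pid is not None else None,
        "attention": [],
    }
    if facts["peer_name"] is None:
        facts["attention"].append("peer has no reverse DNS")
    if conn.cmd is None:
        facts["attention"].append("no owning process shown (rerun ss as root)")
    elif conn.pid is not None and facts["exe"] is None:
        facts["attention"].append("owning pid already exited (short-lived client)")
    return facts


def triage_ss_output(text: str, **kw) -> List[dict]:
    """Triage every connection line in a block of `ss -tnp` output."""
    return [triage(c, **kw) for c in map(parse_ss_line, text.splitlines()) if c]


if __name__ == "__main__":
    try:  # live view when ss is available, otherwise the constructed sample
        text = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    for facts in triage_ss_output(text):
        print(facts)
```

Run it as root to see the owning process for every socket; the `/proc/<pid>/exe` link is what tells you which binary (a browser, a mail notifier, a service) actually holds the connection, which is the question to answer before reaching for `kill`.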
Re: Suspect Internet Connection
[quote]
AlanJBartlett wrote:
I may be wrong but I suspect that process is a [i]Google search bot[/i].
[/quote]
Thanks Alan. I wondered about that. I'm going to see if Google will tell me anything about it.
It seems odd to me, though, that they would have a process constantly running on my computer. I've also had portsentry report port scans from Google.
Bruce Hyatt
Re: Suspect Internet Connection
Turns out it was a Gmail notifier. It ran even after signing out of Gmail and closing the tab. I had to also close all the other tabs, and even then it continued to run for a while. I'm so paranoid, I was sure for a while that my server had been cracked.
Bruce Hyatt
- AlanBartlett
- Forum Moderator
Re: Suspect Internet Connection
[quote]Turns out it was a Gmail notifier.[/quote]
No harm done then, [b]Bruce[/b].
[quote]I'm so paranoid, I was sure for a while that my server had been cracked.[/quote]
You can sleep soundly in your bed tonight. :-)