
Re: strange outbound connection




johannes wrote:
> Tim Hardy wrote:
> 
>> johannes wrote:
>>
>>> Magnus Pedersen wrote:
>>>
>>>> johannes wrote:
>>>>
>>>>> The gui of my firewall reports a strange outbound connection on
>>>>> port 1054 to a strange IP.
>>>>>
>>>>> How could I determine which process matches this connection?
>>>>> How could I determine if this is something worrying?
>>>>>
>>>> netstat -plant | grep 1054
>>>>
>>> ...shows nothing.
>>>
>>> I guess it's a problem of firestarter (firewall gui)???
>>>
>>
>> What exactly is the firewall saying? What IP is the connection being
>> made to? I don't know firestarter so I can't really comment on that.
>>
>> Are you running netstat while the firewall is registering activity or
>> afterwards? Or is the firewall blocking this connection? netstat will
>> only show currently active connections afaik
> 
> 
> The firewall is on and displaying this funny open connection, while it
> is not shown in netstat.
> 
>> Try running ethereal too to see if you can capture any packets sent on
>> this connection - it might give you a better clue
> 
> 
> I just ran ethereal for about an hour with no trace on that particular
> host.
> 
> The firewall (firestarter gui to be precise), just shows a line in
> active connections (ie. NOT in blocked connections) with an 'unknown
> service' on port 1056 to that external host. I'm just wondering how
> firestarter knows about this connection.
> 
> I don't know how to proceed. Maybe it's just a bug in firestarter to be
> ignored?
> 
> Johannes
What about `lsof -i`?

Sarunas Burdulis
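
Added example, not part of the original thread: a sketch of the port-to-process lookup the thread is attempting, done directly against the /proc/net/tcp socket table that netstat reads. It also shows why a socket can be listed with no process at all: in TIME_WAIT the inode is 0. The function names and the sample table are constructed for illustration; a Linux, little-endian host is assumed.

```python
import os
import socket

# A few TCP state codes as they appear in the "st" column of /proc/net/tcp.
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (documentation addresses, not from the thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:041E 0A7100CB:0050 06 00000000:00000000 03:00000A5C 00000000     0        0 0 3 0000000000000000
   2: 0A00000A:8F2C 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 48211 1 0000000000000000 20 4 30 10 -1
"""

def decode(endpoint):
    """'0A7100CB:0050' -> ('203.0.113.10', 80); assumes a little-endian host."""
    addr, port = endpoint.split(":")
    return socket.inet_ntoa(bytes.fromhex(addr)[::-1]), int(port, 16)

def find_port(table, port):
    """Sockets whose local OR remote port matches, like grepping netstat output."""
    hits = []
    for line in table.splitlines()[1:]:  # skip the header row
        f = line.split()
        local, remote = decode(f[1]), decode(f[2])
        if port in (local[1], remote[1]):
            hits.append({"local": local, "remote": remote,
                         "state": STATES.get(f[3], f[3]), "inode": int(f[9])})
    return hits

def owner_pids(inode):
    """PIDs holding socket:[inode]; inode 0 (e.g. TIME_WAIT) has no owning process."""
    if inode == 0 or not os.path.isdir("/proc"):
        return []
    target = "socket:[%d]" % inode
    pids = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    pids.append(int(pid))
                    break
        except OSError:
            continue  # process exited, or its fd table is unreadable without root
    return pids

if __name__ == "__main__":
    for s in find_port(SAMPLE, 1054):
        print(s, owner_pids(s["inode"]))
```

On a live system, pass the contents of /proc/net/tcp instead of SAMPLE and run as root so that other users' /proc/<pid>/fd directories are readable.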


