[lug] phantom irc traffic

Hugh Brown hugh at math.byu.edu
Fri Nov 21 07:25:54 MST 2008 

netstat -vatp|grep irc.rcn.com

the -p option tells you which process has the connection open.

lsof -i at irc.rcn.com

will also give you similar information

Hugh

Gordon Golding wrote:
>  
> 
> 
> Somebody noticed a very regular pattern of IRC traffic from our webserver.
> 
> 
> 
> Every 3 minutes a handshake.
> 
> 
> 
>  
> 
> 
> 
> What could cause this? 
> We got kooties?
> 
> 
> 
>  
> 
> 
> 
> Can’t seem to figure out what process is doing this.
> 
> 
> 
>  
> 
> 
> 
> Also, we see a ESTABLISHED connection to irc.rcn.com
> 
> 
> 
> Can’t figure out what process is holding that connection.
> 
> 
> 
>  
> 
> 
> 
> How can I figure out what process is holding that irc.rcn.com
> that I see in netstat?
> 
> 
> 
>  
> 
> 
> 
> Any thoughts?
> 
> 
> 
>  
> 
> 
> 
> IP 195.197.175.21 is irc2.saunalahti.fi
> 
> 
> 
> We have grad students and researchers from all over the
> world, so I’m not immediately panicked at the foreign address.
> 
> 
> 
>  
> 
> 
> 
> Here are some flowscan logs for the IRC traffic. 
> 
> 
> 
>  
> 
> 
> 
> 11/20 00:05:05 
> 195.197.175.21  128.138.225.63   6 
> 0  6667 49439     2    
> 139
> 
> 
> 
> 11/20 00:05:05 
> 128.138.225.63 
> 195.197.175.21   6  0 49439 
> 6667     2     138
> 
> 
> 
> 11/20 00:08:05 
> 195.197.175.21 
> 128.138.225.63   6  0  6667
> 49439     2     139
> 
> 
> 
> 11/20 00:08:05 
> 128.138.225.63 
> 195.197.175.21   6  0 49439 
> 6667     2     138
> 
> 
> 
>  11/20 00:11:05  195.197.175.21  128.138.225.63   6  0  6667 49439    
> 2     139
> 
> 
> 
> 11/20 00:11:05 
> 128.138.225.
> 63 
> 195.197.175.21   6  0 49439 
> 6667     2     138
> 
> 
> 
> 11/20 00:14:05 
> 128.138.225.63 
> 195.197.175.21   6  0 49439 
> 6667     2     138
> 
> 
> 
> 11/20 00:14:05 
> 195.197.175.21 
> 128.138.225.63   6  0  6667
> 49439     2     139
> 
> 
> 
> 11/20 00:15:28 
> 128.138.225.63 
> 195.197.175.21   6  0 49439 
> 6667     2     104
> 
> 
> 
> 11/20 00:15:28 
> 195.197.175.21 
> 128.138.225.63   6  0  6667
> 49439     2     379
> 
> 
> 
> 11/20 00:17:05 
> 195.197.175.21 
> 128.138.225.63   6  0  6667
> 49439     2     139
> 
> 
> 
> 11/20 00:17:05 
> 128.138.225.63 
> 195.197.175.21   6  0 49439 
> 6667     2     138
> 
> 
> 
> 11/20 00:20:05 
> 128.138.225.63 
> 195.197.175.21   6  0 49439 
> 6667     2     138
> 
> 
> 
> 11/20 00:20:05 
> 195.197.175.21 
> 128.138.225.63   6  0  6667
> 49439     2     139
> 
> 
> 
> 11/20 00:23:10 
> 128.138.225.63 
> 195.197.175.21   6  0 49439 
> 6667     3     190
> 
> 
> 
> 11/20 00:23:10 
> 195.197.175.21 
> 128.138.225.63   6  0  6667
> 49439     3     328
> 
> 
> 
> 
>  
> 
> 
> Gordon 
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug

More information about the LUG mailing list