  1. #1
     Dapper Dan (Trusted Penguin) | Join Date: Oct 2004 | Location: The Sovereign State of South Carolina | Posts: 4,630

    strange root@(ip address) found


    While doing the commands from this post, I found this within the output...
    Code:
     root@72.9.233.132
    A whois returns this...
    Code:
    OrgName:    Global Net Access, LLC 
    OrgID:      GNAL-2
    Address:    1100 White St SW
    City:       Atlanta
    StateProv:  GA
    PostalCode: 30310
    Country:    US
    
    ReferralServer: rwhois://rwhois.gnax.net:4321
    
    NetRange:   72.9.224.0 - 72.9.255.255 
    CIDR:       72.9.224.0/19 
    OriginAS:   AS3595,  AS16626
    NetName:    GNAXNET
    NetHandle:  NET-72-9-224-0-1
    Parent:     NET-72-0-0-0-0
    NetType:    Direct Allocation
    NameServer: DNS1.GNAX.NET
    NameServer: DNS2.GNAX.NET
    NameServer: NS1.GNAX.NET
    NameServer: NS2.GNAX.NET
    Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    Comment:    ********************************************
    Comment:    Reassignment information for this block is
    Comment:    available at rwhois.gnax.net port 4321
    Comment:    ********************************************
    RegDate:    2004-10-11
    Updated:    2007-06-01
    
    RAbuseHandle: ABUSE745-ARIN
    RAbuseName:   GNAX ABUSE 
    RAbusePhone:  +1-404-230-9150
    RAbuseEmail:  abuse@gnax.net 
    
    RNOCHandle: ENGIN7-ARIN
    RNOCName:   GNAX ENGINEERING 
    RNOCPhone:  +1-404-230-9150
    RNOCEmail:  engineering@gnax.net 
    
    RTechHandle: ENGIN7-ARIN
    RTechName:   GNAX ENGINEERING 
    RTechPhone:  +1-404-230-9150
    RTechEmail:  engineering@gnax.net 
    
    OrgAbuseHandle: ABUSE745-ARIN
    OrgAbuseName:   GNAX ABUSE 
    OrgAbusePhone:  +1-404-230-9150
    OrgAbuseEmail:  abuse@gnax.net
    
    OrgNOCHandle: ENGIN7-ARIN
    OrgNOCName:   GNAX ENGINEERING 
    OrgNOCPhone:  +1-404-230-9150
    OrgNOCEmail:  engineering@gnax.net
    
    OrgTechHandle: ENGIN7-ARIN
    OrgTechName:   GNAX ENGINEERING 
    OrgTechPhone:  +1-404-230-9150
    OrgTechEmail:  engineering@gnax.net
    
    # ARIN WHOIS database, last updated 2007-09-11 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    
    
    Found a referral to rwhois.gnax.net:4321.
    
    %rwhois V-1.5:003fff:00 rwhois.gnax.net (by Network Solutions, Inc. V-1.5.7.3)
    network:Class-Name:network
    network:ID:108.72.9.224.0/19
    network:Auth-Area:72.9.224.0/19
    network:Network-Name:RackWan
    network:IP-Network:72.9.233.128/26
    network:Organization;I:RackWan
    network:Tech-Contact;I:soporte@rackwan.com
    network:Admin-Contact;I:sebastian@rackwan.com
    network:Created:20041213
    network:Updated:20060417
    network:Updated-By:engineering@gnax.net
    I ran rkhunter and it didn't return anything out of the ordinary. When I checked my router, all ports are closed and nmap revealed that only port 80 was open.

    I ssh'd root@72.9.233.132 and it asked for a password. I have no idea who this is. Why would this be on my Ubuntu box as a command? Any ideas about this? Any thoughts or help appreciated.
    Last edited by Dapper Dan; 09-12-2007 at 01:33 PM.

  2. #2
     RobinVossen (Linux Engineer) | Join Date: Aug 2007 | Location: The Netherlands | Posts: 1,429
    Check the logs.
    Check SELinux?
    Don't use Ubuntu (my opinion).

  3. #3
     anomie (Linux Guru) | Join Date: Mar 2005 | Location: Texas | Posts: 1,692
    Are you saying the entry
    root@72.9.233.132
    shows up in your user's bash history?

    It's strange because that is not a command. Even so, it is a little ominous. Maybe review the history more carefully to make sure you have the full entry. (Just pipe the whole thing to less and search for that.)

    rkhunter is pretty good because it checks (for supported OSes) md5 sums for a long list of binaries. It also checks for rootkit signatures and some other things like new groups and accounts on the system. When was the last time you ran it before the most recent run? For an extra sanity check you can also run chkrootkit. (I'd also add that it is possible for any binary - including your rootkit checker - to become compromised.)

    Do you have any services that are listening on external, web-facing interfaces? Use netstat -ltun to double-check.

    More possibilities once we know the answer to that question.

  5. #4
     Dapper Dan (Trusted Penguin) | Join Date: Oct 2004 | Location: The Sovereign State of South Carolina | Posts: 4,630
    Hi fellows and thanks for the insight and help. RobinVossen, I checked over the logs and didn't see anything suspicious. anomie, I felt the same way. Why is this listed as a command?? Here is the output of netstat -ltun...

    For Ubuntu...
    Code:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    udp        0      0 0.0.0.0:32768           0.0.0.0:*
    udp        0      0 0.0.0.0:5353            0.0.0.0:*
    ...and the same box under Slackware 12...
    Code:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:52635           0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    udp        0      0 0.0.0.0:512             0.0.0.0:*
    udp        0      0 0.0.0.0:32768           0.0.0.0:*
    udp        0      0 0.0.0.0:37              0.0.0.0:*
    udp        0      0 0.0.0.0:111             0.0.0.0:*
    udp        0      0 0.0.0.0:631             0.0.0.0:*
    udp        0      0 192.168.1.101:123       0.0.0.0:*
    udp        0      0 127.0.0.1:123           0.0.0.0:*
    udp        0      0 0.0.0.0:123             0.0.0.0:*
    udp        0      0 0.0.0.0:766             0.0.0.0:*
    udp6       0      0 fe80::219:d1ff:fe41:123 :::*
    udp6       0      0 ::1:123                 :::*
    udp6       0      0 :::123                  :::*
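    Which of the sockets in those listings a remote host can actually reach is what the follow-up questions turn on. The script below is an added example, not code from the thread: it parses the text format that netstat -ltun prints (the Ubuntu listing from the post is embedded as sample input) and sorts each listener by the scope of its bind address. The same parser handles the Slackware listing, including its IPv6 link-local and ::1 lines. One fact worth knowing when reading the tcp6 :::22 line: on Linux the default net.ipv6.bindv6only=0 makes an IPv6 wildcard listener accept IPv4 connections too, so that line normally means sshd is reachable over both protocols.

```python
"""Sort listening sockets by how far their bind address exposes them.

Added example, not code from the thread. It parses the text that
`netstat -ltun` prints (the Ubuntu listing from the post is embedded
below) and reports which listeners are loopback-only and which a remote
host could reach.
"""
import ipaddress

# The Ubuntu `netstat -ltun` output posted above, verbatim.
UBUNTU_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
"""


def split_local_address(field):
    """Split netstat's 'address:port' column. IPv6 addresses contain
    colons themselves, so only the last colon separates the port."""
    addr, _, port = field.rpartition(":")
    return addr, int(port)


def classify(addr):
    """Describe a bind address:
       loopback       - 127.x / ::1, unreachable from other hosts
       all-interfaces - 0.0.0.0 / ::, reachable on every interface
                        (on Linux, '::' also accepts IPv4 unless
                        net.ipv6.bindv6only=1)
       specific       - bound to one interface's address
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "specific"


def parse_netstat(text):
    """Return (proto, addr, port, scope) for every socket line; the
    two header lines netstat prints are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue
        addr, port = split_local_address(parts[3])
        rows.append((parts[0], addr, port, classify(addr)))
    return rows


def exposed_listeners(text):
    """The sockets a remote host might reach: everything not loopback."""
    return [row for row in parse_netstat(text) if row[3] != "loopback"]


if __name__ == "__main__":
    for proto, addr, port, scope in parse_netstat(UBUNTU_NETSTAT):
        print(f"{proto:5} {addr:>16}:{port:<6} {scope}")
```

    Run against the Ubuntu listing it returns exactly the three sockets singled out in the next reply (tcp6 22, udp 32768, udp 5353); the three tcp listeners on 127.0.0.1 are only reachable from the box itself.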

  6. #5
     anomie (Linux Guru) | Join Date: Mar 2005 | Location: Texas | Posts: 1,692
    Since the command appeared in your Ubuntu installation I'll focus on that. These are the listening sockets to look at for now:
    Code:
    tcp6       0      0 :::22                   :::*                    LISTEN
    udp        0      0 0.0.0.0:32768           0.0.0.0:*
    udp        0      0 0.0.0.0:5353            0.0.0.0:*
    First, I don't have a Linux box in front of me at the moment, so I am not exactly sure how to interpret the first column of the first line. It may mean both ipv4 and ipv6 are enabled for listening tcp port 22, or it may just mean ipv6 is enabled for tcp port 22. (Either way it could be an issue.)

    A couple more questions:
    1. Are you running a firewall?
    2. If so, are connections allowed from the outside world to tcp port 22?
    3. Are any of the following enabled in sshd_config: PasswordAuthentication, ChallengeResponseAuthentication, UsePAM?

    It might be a good idea to check /var/log/secure (at least that's the naming CentOS uses) for ssh connections and connection attempts over the past few weeks. If your system is running logwatch this automatically reports ssh connections to you. (You may need to check root's mail.)

    As for the two udp sockets, some quick notes:

    udp 32768 summarized here. I am not familiar with Filenet TMS. Maybe it is something one of your apps requires.

    udp 5353 summarized here. Sounds like iTunes or similar application using multicast DNS.

  7. #6
     RobinVossen (Linux Engineer) | Join Date: Aug 2007 | Location: The Netherlands | Posts: 1,429
    Well, I think I can't help you now,
    since I can't *touch* the terminal.
    I might be able to look into it, but then you need to trust me by giving me an SSH account :/ (Guess you won't do that, since neither will I.)

    Well, umm, what command did you use to show that "root@72.9.233.132"?
    Since if it was the search function I gave there, you or some program uses that all the time :/
