- 09-12-2007 #1
strange root@(ip address) found
While doing the commands from this post, I found this within the output...
Code:
root@72.9.233.132
A whois returns this...
Code:
OrgName:    Global Net Access, LLC
OrgID:      GNAL-2
Address:    1100 White St SW
City:       Atlanta
StateProv:  GA
PostalCode: 30310
Country:    US
ReferralServer: rwhois://rwhois.gnax.net:4321

NetRange:   72.9.224.0 - 72.9.255.255
CIDR:       72.9.224.0/19
OriginAS:   AS3595, AS16626
NetName:    GNAXNET
NetHandle:  NET-72-9-224-0-1
Parent:     NET-72-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
NameServer: NS1.GNAX.NET
NameServer: NS2.GNAX.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:    ********************************************
Comment:    Reassignment information for this block is
Comment:    available at rwhois.gnax.net port 4321
Comment:    ********************************************
RegDate:    2004-10-11
Updated:    2007-06-01

RAbuseHandle: ABUSE745-ARIN
RAbuseName:   GNAX ABUSE
RAbusePhone:  +1-404-230-9150
RAbuseEmail:  abuse@gnax.net

RNOCHandle: ENGIN7-ARIN
RNOCName:   GNAX ENGINEERING
RNOCPhone:  +1-404-230-9150
RNOCEmail:  engineering@gnax.net

RTechHandle: ENGIN7-ARIN
RTechName:   GNAX ENGINEERING
RTechPhone:  +1-404-230-9150
RTechEmail:  engineering@gnax.net

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName:   GNAX ABUSE
OrgAbusePhone:  +1-404-230-9150
OrgAbuseEmail:  abuse@gnax.net

OrgNOCHandle: ENGIN7-ARIN
OrgNOCName:   GNAX ENGINEERING
OrgNOCPhone:  +1-404-230-9150
OrgNOCEmail:  engineering@gnax.net

OrgTechHandle: ENGIN7-ARIN
OrgTechName:   GNAX ENGINEERING
OrgTechPhone:  +1-404-230-9150
OrgTechEmail:  engineering@gnax.net

# ARIN WHOIS database, last updated 2007-09-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Found a referral to rwhois.gnax.net:4321.

%rwhois V-1.5:003fff:00 rwhois.gnax.net (by Network Solutions, Inc. V-1.5.7.3)
network:Class-Name:network
network:ID:108.72.9.224.0/19
network:Auth-Area:72.9.224.0/19
network:Network-Name:RackWan
network:IP-Network:72.9.233.128/26
network:Organization;I:RackWan
network:Tech-Contact;I:soporte@rackwan.com
network:Admin-Contact;I:sebastian@rackwan.com
network:Created:20041213
network:Updated:20060417
network:Updated-By:engineering@gnax.net
I ran rkhunter and it didn't return anything out of the ordinary. When I checked my router, all ports are closed and nmap revealed that only port 80 was open.
I ssh'd root@72.9.233.132 and it asked for a password. I have no idea who this is. Why would this be on my Ubuntu box as a command? Any ideas about this? Any thoughts or help appreciated.
Last edited by Dapper Dan; 09-12-2007 at 01:33 PM.
- 09-12-2007 #2
- 09-12-2007 #3
Are you saying the entry
root@72.9.233.132
shows up in your user's bash history?
It's strange because that is not a command. Even so, it is a little ominous. Maybe review the history more carefully to make sure you have the full entry. (Just pipe the whole thing to less and search for that.)
rkhunter is pretty good because it checks (for supported OSes) md5 sums for a long list of binaries. It also checks for rootkit signatures and some other things like new groups and accounts on the system. When was the last time you ran it before the most recent run? For an extra sanity check you can also run chkrootkit. (I'd also add that it is possible for any binary - including your rootkit checker - to become compromised.)
Do you have any services that are listening on external, web-facing interfaces? Use netstat -ltun to double-check.
More possibilities once we know the answer to that question.
- 09-12-2007 #4
Hi fellows and thanks for the insight and help. RobinVossen, I checked over the logs and didn't see anything suspicious. anomie, I felt the same way. Why is this listed as a command?? Here is the output of netstat -ltun...
For Ubuntu...
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
...and the same box under Slackware 12...
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:52635           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:512             0.0.0.0:*
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:37              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
udp        0      0 192.168.1.101:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:766             0.0.0.0:*
udp6       0      0 fe80::219:d1ff:fe41:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
- 09-12-2007 #5
Since the command appeared in your Ubuntu installation I'll focus on that. These are the listening sockets to look at for now:
Code:
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
First, I don't have a Linux box in front of me at the moment, so I am not exactly sure how to interpret the first column of the first line. It may mean both ipv4 and ipv6 are enabled for listening tcp port 22, or it may just mean ipv6 is enabled for tcp port 22. (Either way it could be an issue.)
A couple more questions:
1. Are you running a firewall?
2. If so, are connections allowed from the outside world to tcp port 22?
3. Are any of the following enabled in sshd_config: PasswordAuthentication, ChallengeResponseAuthentication, UsePAM?
It might be a good idea to check /var/log/secure (at least that's the naming CentOS uses) for ssh connections and connection attempts over the past few weeks. If your system is running logwatch this automatically reports ssh connections to you. (You may need to check root's mail.)
As for the two udp sockets, some quick notes:
udp 32768 summarized here. I am not familiar with Filenet TMS. Maybe it is something one of your apps requires.
udp 5353 summarized here. Sounds like iTunes or similar application using multicast DNS.
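As an added example that is not part of the thread, the checks anomie asks for in posts #3 and #5 in a POSIX shell script: it classifies each listener in the Ubuntu netstat -ltun output posted above as loopback-only or reachable from other hosts, and reads the effective value of the sshd_config options named in question 3, honouring sshd's first-match rule. The netstat listing is the one from post #4; the sshd_config excerpt is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sort `netstat -ltun` listeners into
# loopback-only vs. reachable from other hosts, and read sshd_config options.

# Constructed: the Ubuntu `netstat -ltun` listing posted in the thread.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*'

# Constructed sshd_config excerpt; the commented-out line must be ignored.
SSHD_SAMPLE='Port 22
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes'

# Read netstat output on stdin; print "proto port LOCAL|EXPOSED" per socket.
# 0.0.0.0, :: and any non-loopback address accept traffic from other hosts
# (unless a firewall blocks it); 127.0.0.0/8 and ::1 do not.
classify_sockets() {
    awk 'NR > 2 && NF >= 4 {
        n = split($4, p, ":")
        port = p[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        scope = (host ~ /^127\./ || host == "::1") ? "LOCAL" : "EXPOSED"
        print $1, port, scope
    }'
}

# Number of listeners reachable from other hosts in the listing on stdin.
count_exposed() {
    classify_sockets | awk '$3 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Effective value of an sshd_config option read from stdin. sshd uses the
# first uncommented occurrence, so later duplicates are ignored.
# $1 = option name (case-insensitive), $2 = default when the option is unset.
sshd_option() {
    awk -v opt="$1" -v def="$2" '
        tolower($1) == tolower(opt) && !seen { val = $2; seen = 1 }
        END { print (seen ? val : def) }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$NETSTAT_SAMPLE" | classify_sockets
printf '%s\n' "$SSHD_SAMPLE" | sshd_option PasswordAuthentication yes
```

Run against a live box with `netstat -ltun | classify_sockets` and `sshd_option PasswordAuthentication yes < /etc/ssh/sshd_config`; anything marked EXPOSED is what the firewall question in post #5 is really about.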
- 09-12-2007 #6
Well, I think I can't help you now..
Since I can't *touch* the terminal.
I might be able to look into it, but then you would need to trust me by giving me an SSH account :/ (Guess you won't do that, since neither would I.)
Well, umm, what command did you use to show that "root@72.9.233.132"?
Since if it was the search function I gave there, you or some program use that all the time :/