Without consent...

Yesterday, as I was carrying out my mundane tasks with my wa3002g4 (the regular disconnection issue still persisting), with no program accessing the network, the WLAN indicator was blinking as if the link were being accessed, and from the firewire it was evident that the network was being used without my consent. Now I was very eager to find out which program was accessing the network. With a little searching, the usual suggestions (netstat/tcpdump/wireshark) came up, and with tcpdump I found that
ec2-184-73-194-227.compute-1.amazonaws.com.www
was accessing my box without permission. But even before I could check which process was doing it, it stopped. Later on I found that it was the Amazon site doing its job, but how could they do that without consent?

The output of tcpdump:

ranjit@dell-laptop:~$ sudo tcpdump -i ath0
[sudo] password for ranjit:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
21:53:31.197831 IP 192.168.1.2.50074 > resolver2.opendns.com.domain: 38512+ TXT? current.cvd.clamav.net. (40)
21:53:31.214828 IP 192.168.1.2.38499 > resolver2.opendns.com.domain: 29628+ PTR? 220.220.67.208.in-addr.arpa. (45)
21:53:31.786371 IP resolver2.opendns.com.domain > 192.168.1.2.50074: 38512 1/0/0 TXT[|domain]
21:53:31.828202 IP resolver2.opendns.com.domain > 192.168.1.2.38499: 29628 1/0/0 (80)
21:53:31.828568 IP 192.168.1.2.56419 > resolver2.opendns.com.domain: 382+ PTR? 2.1.168.192.in-addr.arpa. (42)
21:53:32.400625 IP resolver2.opendns.com.domain > 192.168.1.2.56419: 382 NXDomain 0/0/0 (42)
21:53:32.962176 IP 192.168.1.2.36395 > resolver2.opendns.com.domain: 49785+ A? database.clamav.net. (37)
21:53:33.217134 IP 192.168.1.2.46661 > ec2-184-73-194-227.compute-1.amazonaws.com.www: S 1825043612:1825043612(0) win 5840
21:53:33.531595 IP resolver2.opendns.com.domain > 192.168.1.2.36395: 49785 7/0/0 CNAME[|domain]
21:53:33.532318 IP 192.168.1.2.42104 > resolver2.opendns.com.domain: 17149+ A? database.clamav.net. (37)
21:53:33.725063 IP ec2-184-73-194-227.compute-1.amazonaws.com.www > 192.168.1.2.46661: S 225898766:225898766(0) ack 1825043613 win 5840
21:53:33.725154 IP 192.168.1.2.46661 > ec2-184-73-194-227.compute-1.amazonaws.com.www: . ack 1 win 5840
21:53:33.725360 IP 192.168.1.2.46661 > ec2-184-73-194-227.compute-1.amazonaws.com.www: P 1:580(579) ack 1 win 5840
21:53:34.115542 IP resolver2.opendns.com.domain > 192.168.1.2.42104: 17149 7/0/0 CNAME[|domain]
21:53:34.116268 IP 192.168.1.2.52688 > resolver2.opendns.com.domain: 22086+ A? database.clamav.net. (37)
21:53:34.249847 IP ec2-184-73-194-227.compute-1.amazonaws.com.www > 192.168.1.2.46661: . ack 580 win 5211
21:53:34.707608 IP ec2-184-73-194-227.compute-1.amazonaws.com.www > 192.168.1.2.46661: F 232:232(0) ack 580 win 5211
21:53:34.707686 IP 192.168.1.2.46661 > ec2-184-73-194-227.compute-1.amazonaws.com.www: . ack 1 win 5840
21:53:34.709628 IP ec2-184-73-194-227.compute-1.amazonaws.com.www > 192.168.1.2.46661: P 1:232(231) ack 580 win 5211
21:53:34.709677 IP 192.168.1.2.46661 > ec2-184-73-194-227.compute-1.amazonaws.com.www: . ack 233 win 6432
21:53:34.710019 IP 192.168.1.2.46661 > ec2-184-73-194-227.compute-1.amazonaws.com.www: F 580:580(0) ack 233 win 6432
21:53:34.712310 IP resolver2.opendns.com.domain > 192.168.1.2.52688: 22086 7/0/0 CNAME[|domain]
21:53:34.713132 IP 192.168.1.2.41256 > resolver2.opendns.com.domain: 6712+ A? database.clamav.net. (37)
21:53:35.209814 IP ec2-184-73-194-227.compute-1.amazonaws.com.www > 192.168.1.2.46661: . ack 581 win 5211
21:53:35.293719 IP resolver2.opendns.com.domain > 192.168.1.2.41256: 6712 7/0/0 CNAME[|domain]
21:53:35.295279 IP 192.168.1.2.37929 > resolver2.opendns.com.domain: 37947+ A? database.clamav.net. (37)
21:53:35.876052 IP resolver2.opendns.com.domain > 192.168.1.2.37929: 37947 7/0/0 CNAME[|domain]
21:53:35.882849 IP server-216-137-63-13.lhr3.cloudfront.net.www > 192.168.1.2.43040: F 2145307016:2145307016(0) ack 305058198 win 6880
21:53:35.884099 IP server-216-137-63-13.lhr3.cloudfront.net.www > 192.168.1.2.43039: F 2144127637:2144127637(0) ack 299530464 win 6650
21:53:35.921135 IP 192.168.1.2.43040 > server-216-137-63-13.lhr3.cloudfront.net.www: . ack 1 win 11360
21:53:35.921386 IP 192.168.1.2.43039 > server-216-137-63-13.lhr3.cloudfront.net.www: . ack 1 win 53960
21:53:35.936700 IP 192.168.1.2.38807 > resolver2.opendns.com.domain: 65025+ A? database.clamav.net. (37)
21:53:36.506826 IP resolver2.opendns.com.domain > 192.168.1.2.38807: 65025 7/0/0 CNAME[|domain]
21:53:37.402571 IP 192.168.1.2.58837 > resolver2.opendns.com.domain: 18747+ PTR? 227.194.73.184.in-addr.arpa. (45)
21:53:37.992783 IP resolver2.opendns.com.domain > 192.168.1.2.58837: 18747 1/0/0 (101)
21:53:37.993610 IP 192.168.1.2.45190 > resolver2.opendns.com.domain: 41743+ PTR? 13.63.137.216.in-addr.arpa. (44)
21:53:38.720639 IP resolver2.opendns.com.domain > 192.168.1.2.45190: 41743 1/0/0 (98)
21:53:39.731410 IP 192.168.1.2.43040 > server-216-137-63-13.lhr3.cloudfront.net.www: F 1:1(0) ack 1 win 11360
21:53:39.731514 IP 192.168.1.2.43039 > server-216-137-63-13.lhr3.cloudfront.net.www: F 1:1(0) ack 1 win 53960
21:53:39.896928 IP server-216-137-63-13.lhr3.cloudfront.net.www > 192.168.1.2.43034: F 2136823304:2136823304(0) ack 273815452 win 8944
21:53:39.933138 IP 192.168.1.2.43034 > server-216-137-63-13.lhr3.cloudfront.net.www: . ack 1 win 28400

41 packets captured
41 packets received by filter
0 packets dropped by kernel
ranjit@dell-laptop:~$

or use tcpdump -ni ath0
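Reading a capture like the one above by hand means matching each outbound connection against the DNS lookup that preceded it. The script below is an added example (not part of the original post) that does that correlation for tcpdump's default text output: it pulls the A/AAAA queries and the client SYNs out of the lines, attributes each SYN to the most recent forward lookup within a few seconds, and separately lists the PTR (reverse) lookups, which tcpdump itself generates when run without -n. The sample input is a constructed subset of the lines shown in the post; the "most recent lookup within a window" attribution is a heuristic, not a guarantee.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample input: a subset of the tcpdump lines shown in the post
# (default output format, names resolved because -n was not given).
SAMPLE = """\
21:53:31.197831 IP 192.168.1.2.50074 > resolver2.opendns.com.domain: 38512+ TXT? current.cvd.clamav.net. (40)
21:53:31.214828 IP 192.168.1.2.38499 > resolver2.opendns.com.domain: 29628+ PTR? 220.220.67.208.in-addr.arpa. (45)
21:53:32.962176 IP 192.168.1.2.36395 > resolver2.opendns.com.domain: 49785+ A? database.clamav.net. (37)
21:53:33.217134 IP 192.168.1.2.46661 > ec2-184-73-194-227.compute-1.amazonaws.com.www: S 1825043612:1825043612(0) win 5840
21:53:33.725063 IP ec2-184-73-194-227.compute-1.amazonaws.com.www > 192.168.1.2.46661: S 225898766:225898766(0) ack 1825043613 win 5840
21:53:33.725360 IP 192.168.1.2.46661 > ec2-184-73-194-227.compute-1.amazonaws.com.www: P 1:580(579) ack 1 win 5840
21:53:37.402571 IP 192.168.1.2.58837 > resolver2.opendns.com.domain: 18747+ PTR? 227.194.73.184.in-addr.arpa. (45)
"""

# "HH:MM:SS.usec IP src.port > dst.port: payload"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) IP (\S+) > (\S+): (.*)$")
# DNS query summary, e.g. "49785+ A? database.clamav.net. (37)"
QUERY_RE = re.compile(r"^\d+\+ ([A-Z]+)\? (\S+) ")


@dataclass
class Event:
    ts: datetime
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    payload: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one tcpdump text line; return None for summary/noise lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, payload = m.groups()
    src_host, src_port = src.rsplit(".", 1)  # port (or service name) is the last label
    dst_host, dst_port = dst.rsplit(".", 1)
    return Event(datetime.strptime(ts, "%H:%M:%S.%f"),
                 src_host, src_port, dst_host, dst_port, payload)


def parse_capture(text: str) -> List[Event]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def dns_queries(events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """(timestamp, qtype, name) for every query sent to a resolver."""
    out = []
    for e in events:
        if e.dst_port != "domain":
            continue
        m = QUERY_RE.match(e.payload)
        if m:
            out.append((e.ts, m.group(1), m.group(2).rstrip(".")))
    return out


def reverse_lookups(text: str) -> List[str]:
    """IPs that were reverse-resolved (PTR); with default tcpdump these are
    usually tcpdump's own name resolution, which -n suppresses."""
    ips = []
    for _ts, qtype, name in dns_queries(parse_capture(text)):
        if qtype == "PTR" and name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            ips.append(".".join(reversed(octets)))  # in-addr.arpa stores octets reversed
    return ips


def attribute_connections(text: str, window_s: float = 5.0) -> List[dict]:
    """For each client SYN, name the most recent A/AAAA lookup within window_s.
    Heuristic: a lookup shortly before a connection is the likely reason for it."""
    events = parse_capture(text)
    forward = [(ts, name) for ts, qt, name in dns_queries(events) if qt in ("A", "AAAA")]
    results = []
    for e in events:
        # A client SYN carries the S flag but no ack; the server's SYN-ACK has " ack ".
        if not (e.payload.startswith("S ") and " ack " not in e.payload):
            continue
        recent = [(ts, n) for ts, n in forward
                  if 0 <= (e.ts - ts).total_seconds() <= window_s]
        ts, name = max(recent) if recent else (None, None)
        results.append({
            "time": e.ts.strftime("%H:%M:%S.%f"),
            "dst": e.dst_host,
            "port": e.dst_port,
            "likely_name": name,
            "lookup_age_s": (e.ts - ts).total_seconds() if ts else None,
        })
    return results


if __name__ == "__main__":
    for r in attribute_connections(SAMPLE):
        print(f"{r['time']} -> {r['dst']}:{r['port']}  likely {r['likely_name']} "
              f"(looked up {r['lookup_age_s']:.3f}s earlier)")
    print("reverse lookups (tcpdump noise without -n):", reverse_lookups(SAMPLE))
```

On the sample, the SYN to the EC2 host is attributed to the A lookup of database.clamav.net issued a quarter of a second earlier, which is the ClamAV database check the post later identifies; the PTR list shows the raw address 184.73.194.227 behind the resolved name. To get from the destination to the owning process, pair the capture with a socket-to-process listing taken while the connection is open (netstat -tnp or ss -tnp as root), since the capture alone never names the process.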

The links below are the outcome of the Amazon-related search:

http://aws.amazon.com/ec2/
http://www.malwareurl.com/listing.php?as=AS14618
