Full Version: Perl talking to strange IPs
The Planet Forums > Security > General Security
cybe
Whilst using netstat to check for strange connections I came across some strange ones that perl does.

I ran netstat -anp and filtered out things I know about (httpd, exim, sshd, etc etc) with grep -v

Started to run into these short bursts:
CODE

tcp 0 0 75.125.44.66:42180 204.0.5.25:80 ESTABLISHED 7513/perl
tcp 0 0 75.125.44.66:41577 204.0.5.10:80 ESTABLISHED -

and wondered what script is doing it...


So far I've seen three IPs.

http://204.0.5.10
http://64.132.34.94
http://204.0.5.25

All serve the same stuff on port 80:

CODE

Invalid URL
The requested URL "/", is invalid.

Reference #9.150500cc.1208645828.0


They are different networks, NTT America, Inc and Time Warner Telecom, Inc.

Strange? I wouldn't wonder if there is a perfectly simple explanation for this, but I've been reading a bit too much about zombie spam networks recently.

Going to try to copy the /proc/[pid] of the process somewhere to get more info
cybe
After a bit of googling I'm starting to get the feeling these might possibly be some kind of "reverse proxies"? squid? akamai?
cybe
QUOTE (cybe @ Apr 20 2008, 03:02 AM)
After a bit of googling I'm starting to get the feeling these might possibly be some kind of "reverse proxies"? squid? akamai?

Edit: ok, it seems to be Akamai...


CODE
cybe@Achromatic ~$ telnet 204.0.5.25 80
Trying 204.0.5.25...
Connected to 204.0.5.25.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 187
Expires: Sun, 20 Apr 2008 00:08:04 GMT
Date: Sun, 20 Apr 2008 00:08:04 GMT
Connection: close

<HTML><HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD><BODY>
<H1>Invalid URL</H1>
The requested URL "/", is invalid.<p>
Reference #9.150500cc.1208650084.0
</BODY></HTML>
Connection closed by foreign host.
cybe@Achromatic ~$

markcausa
I have no idea what it could be, and the forums slow down a little during weekends.

Hopefully someone that knows will stop by soon.


Good luck
James Jhurani
QUOTE (cybe @ Apr 19 2008, 06:18 PM)
Whilst using netstat to check for strange connections I came across some strange ones that perl does.

I ran netstat -anp and filtered out things I know about (httpd, exim, sshd, etc etc) with grep -v

Started to run into these short bursts:
CODE

tcp 0 0 75.125.44.66:42180 204.0.5.25:80 ESTABLISHED 7513/perl
tcp 0 0 75.125.44.66:41577 204.0.5.10:80 ESTABLISHED -

and wondered what script is doing it...
So far I've seen three IPs.

http://204.0.5.10
http://64.132.34.94
http://204.0.5.25

All serve the same stuff on port 80:

CODE

Invalid URL
The requested URL "/", is invalid.

Reference #9.150500cc.1208645828.0


They are different networks, NTT America, Inc and Time Warner Telecom, Inc.

Strange? I wouldn't wonder if there is a perfectly simple explanation for this, but I've been reading a bit too much about zombie spam networks recently.

Going to try to copy the /proc/[pid] of the process somewhere to get more info


Can you post the "ps aux" output for that perl pid? And the "ls -l" of the /proc/<pid goes here>?
cybe
It seemed to have been a SpamCop reporting script that was the culprit. I had set it to run every 3 minutes instead of every 3 hours too, which confused me.

CODE
cybe 21214 0.0 0.2 7476 5472 ? Ss 18:13 0:00 /usr/bin/perl /home/cybe/scripts/report_spam.pl
tcp 0 0 75.125.44.66:60470 64.132.34.94:80 ESTABLISHED 21214/perl


QUOTE (James Jhurani @ Apr 20 2008, 08:21 AM)
Can you post the "ps aux" output for that perl pid? And the "ls -l" of the /proc/<pid goes here>?
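The triage the thread walks through (netstat -anp with known daemons filtered out, then ps/proc lookup of the remaining PID) as an added shell example; it is not code from any poster. The netstat lines are constructed sample data using documentation-range addresses, and the `httpd|exim|sshd` allow list and the `suspicious_connections`/`proc_info` function names are assumptions.

```shell
# Constructed sample in the format of `netstat -anp` output (not a real capture).
SAMPLE_NETSTAT='tcp 0 0 10.0.0.5:443 203.0.113.9:51234 ESTABLISHED 1201/httpd
tcp 0 0 10.0.0.5:42180 198.51.100.25:80 ESTABLISHED 7513/perl
tcp 0 0 10.0.0.5:41577 198.51.100.10:80 ESTABLISHED -
tcp 0 0 10.0.0.5:22 203.0.113.7:50001 ESTABLISHED 900/sshd
tcp 0 0 10.0.0.5:60470 198.51.100.94:80 ESTABLISHED 21214/perl'

# Daemons whose connections are expected on this host (assumed allow list).
KNOWN='httpd|exim|sshd'

# suspicious_connections NETSTAT_TEXT ALLOW_REGEX
# Prints "pid program remote" for each ESTABLISHED line whose owning program is
# not on the allow list. A "-" in the PID/Program column means netstat could
# not see the owner (run as non-root, or the socket is already closing); such
# lines are printed as "? unknown remote" because they cannot be ruled out.
suspicious_connections() {
    printf '%s\n' "$1" | awk -v known="^($2)$" '
        $6 == "ESTABLISHED" {
            if ($7 == "-") { print "?", "unknown", $5; next }
            split($7, pp, "/")          # "7513/perl" -> pp[1]=pid, pp[2]=program
            if (pp[2] !~ known) print pp[1], pp[2], $5
        }'
}

# proc_info PID
# The same facts "ps aux" and "ls -l /proc/<pid>" give, read straight from
# /proc: the binary actually running, its working directory and its full argv.
proc_info() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "pid $pid: no such process (already exited?)"; return 1; }
    printf 'pid %s exe=%s cwd=%s cmdline=' "$pid" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null)" "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null
    echo
}

# Stand-alone run: flag the sample's odd connections, then look up each PID.
# (The sample PIDs will not exist on your machine; proc_info reports that.)
suspicious_connections "$SAMPLE_NETSTAT" "$KNOWN" | while read -r pid prog remote; do
    echo "flagged: $prog (pid $pid) -> $remote"
    [ "$pid" = "?" ] || proc_info "$pid" || :
done
```

On a live host, replace the sample with `netstat -anp` output run as root, since the "-" owner column in the original post is what non-root netstat shows for sockets it cannot attribute.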
James Jhurani
I'm glad we could help get that sorted