Re: IP ranges used in North America, Hawaii, and Alaska?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Thu, 26 Jan 2006 13:48:09 -0600
On Wed, 25 Jan 2006, in the Usenet newsgroup comp.os.linux.security, in article
<1138241168.3455.2.camel@xxxxxxxxxxxxxxxxxxxxx>, blueskye wrote:
>When I wrote last asking for advice re: bogus IP logons, I reported that
>the IPs in question had come back as IANA Reserved. Later, they were
>reported to belong to akamai. In another log, they were reported to
>belong to a.r.tv.com.
You're showing IPs in the 84.53.144.x range. 84.0.0.0/8 was assigned to
RIPE (the European Internet Registrar) in November 2003. Any tool you are
using that says that this IP range is reserved is severely out of date.
RIPE allocated 84.53.128.0 - 84.53.191.255 to Akamai Technologies on 5
November 2004. Akamai seems to have divided that range into six
sub-assignments, and 84.53.128.0 - 84.53.147.255, the one you are
concerned with, actually seems to be located near Washington DC in the US.
tv.com is registered to CNET in San Francisco. a.r.tv.com is a hostname
within that domain, but resolves as a CNAME to something at akamai. That
something would depend on where you are in the world, and perhaps the
time of day and traffic loads. At the moment, I see
[compton ~]$ host a.r.tv.com
a.r.tv.com is a nickname for a868.g.akamai.net
a868.g.akamai.net has address 80.67.74.10
a868.g.akamai.net has address 80.67.74.18
[compton ~]$
which seems to be an akamai server farm in San Jose, California.
You might want to do a web search on who 'akamai.net' is, and how they
make their money. Briefly, they are a content provider - used by a large
number of companies to deliver stuff (everything from web pages to
software updates to streaming video) from servers they have scattered
in facilities around the world. Anecdotally, one of their customers was
microsoft - there was much hilarity some time ago when it was discovered
that microsoft was using *nix servers to deliver one of the important
security updates for windoze, and it turned out these were akamai servers.
Before that, there was a big cry raised on some user-level security news
groups because when connecting to an akamai hosted site, there would be
"attacks" to "ICMP Port 8" (a simple ping) from sites scattered all over.
The explanation was akamai trying to map the nearest/fastest server to
an individual client address. Haven't seen much of that lately, presumably
because akamai now has a reasonable map of the Internet and can tell which
server to respond with based on the client IP address.
>I have now switched to Linux completely. The software for my Windows XP
>firewall, ZoneAlarm, has nothing to do with this installation of Linux.
>There is absolutely no reason for those IPs, which they assured me were
>their servers and legitimate IPs, to have anything to do with this Linux
>installation.
Do you have no windoze boxes anywhere that might be using your Linux
box as a router?
>It is now apparent that the e-mail did not come from a legitimate source,
>for, surely, ZoneAlarm would not take over a Linux-based machine that did
>not have their software installed. Surely.
Case not proven either way.
>active connections:
>
>localhost.localdomain port 32769 service=unknown
>localhost.localdomain port 631 lpp
Your redacting prevents any comment. If those are what you see with
netstat, try using 'netstat -tupan' and identify the process involved.
>Unfortunately, I don't know _near_ enough about Linux to track down
>whatever changes were made yesterday or this morning.
man find
find / -mtime -2 -type f -exec ls -l {} \; > /tmp/files.that.changed
but be aware that is going to take some time, and may well turn up a bunch
of meaningless noise.
>I can not trust any whois or DNS name server that I might try to go to
>because at this point, I have no idea where I would be actually going.
tcpdump -n should provide clues.
>I don't even know how to kill/terminate this active connection on port
>32769 with service unknown. How does one do that under Linux?
[compton ~]$ whatis kill fuser lsof netstat
kill (1) - terminate a process
kill (2) - send signal to a process
fuser (1) - identify processes using files or sockets
lsof (8) - list open files
netstat (8) - Display network connections, routing tables,
interface statistics, masquerade connections and netlink messages
[compton ~]$
>Just wanted to report back with the IPs, now that I am sure they are not
>legitimate ZoneAlarm servers as I was told in that e-mail sent to me in
>response to my query at what I thought was the ZoneAlarm website. (It
>may have been but the real response may have been intercepted and
>edited.)
You seem to have a WAY OVER active imagination.
>One might legitimately ask why this is happening to a nobody down in
>Podunk. I can think of four reasons:
"I got my paranoia the old fashioned way: I earned it."
Old guy
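The post points at 'netstat -tupan' to tie the unknown connection on port 32769 to a process, and at kill/fuser/lsof to get rid of it. Below is an added example, not from the original post or its author, that does the identification step over output in the format 'netstat -tupan' produces: it picks the PID/Program name bound to a given local port. The netstat lines embedded in it are constructed for illustration (the PIDs and the program names rpc.statd, cupsd and firefox-bin are made up, as is the 84.53.144.10 peer), so the script runs anywhere without a live netstat.

```shell
# Added example (not from the original post): identify the process bound
# to a local port from 'netstat -tupan'-style output, then kill it by PID.
#
# Constructed sample output in the 'netstat -tupan' layout. PIDs, program
# names and addresses are made up for illustration.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN      3455/rpc.statd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2417/cupsd
tcp        0      0 192.168.1.10:47231      84.53.144.10:80         ESTABLISHED 5120/firefox-bin
udp        0      0 0.0.0.0:32769           0.0.0.0:*                           3455/rpc.statd'

# owner_of_port PORT
# Reads 'netstat -tupan' text on stdin and prints the distinct PID/Program
# values whose Local Address ends in :PORT, one per line. Lines netstat
# shows as "-" (socket owned by another user, run netstat as root) are
# printed as "-" so you notice them.
owner_of_port() {
    awk -v port="$1" '
        NR <= 2 { next }                 # two header lines
        {
            n = split($4, a, ":")        # column 4 is Local Address; port is after the last ":"
            if (a[n] == port) print $NF  # last column is PID/Program name (udp lines have no State)
        }' | sort -u
}

# pid_of_port PORT
# Same as above but only the numeric PID part, ready for kill(1).
pid_of_port() {
    owner_of_port "$1" | cut -d/ -f1 | grep -v '^-$' | sort -u
}

# Stand-alone run over the constructed sample. On a live box replace the
# printf with:  netstat -tupan | owner_of_port 32769
printf '%s\n' "$SAMPLE_NETSTAT" | owner_of_port 32769

# Once you know what it is and have decided it should die:
#   netstat -tupan | pid_of_port 32769 | xargs kill
# or, equivalently, let fuser do both steps:  fuser -k -n tcp 32769
```

If the last column reads "-", netstat could not see the owner because you ran it as an ordinary user; rerun as root (or use 'lsof -i :32769'). Do not kill anything before reading what the program name is: port 631 is the local print spooler, and the 3276x ports are commonly handed out to RPC services, which is why the tool calls them "unknown" rather than "hostile".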