# unwanted traffic

## rootnt

hi all

several days ago I found eth0 is exchanging a lot of traffic with the internet even after closing sessions/programs such as firefox, pidgin

once I saw it in the system monitor applet I ran netstat -t

```
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 192.168.1.2:33175       ey-in-f165.1e100.n:http LAST_ACK
tcp        0      1 192.168.1.2:33176       ey-in-f165.1e100.n:http LAST_ACK
tcp        0      1 192.168.1.2:33182       ey-in-f165.1e100.n:http LAST_ACK
tcp        0      1 192.168.1.2:33181       ey-in-f165.1e100.n:http LAST_ACK
tcp        0      1 192.168.1.2:33180       ey-in-f165.1e100.n:http LAST_ACK
tcp        0      1 192.168.1.2:58599       74.125.232.57:http      LAST_ACK
tcp        0      0 192.168.1.2:41317       ey-in-f100.1e100.n:http ESTABLISHED
tcp        0      0 192.168.1.2:60005       87.106.93.206:http      ESTABLISHED
tcp        0      0 192.168.1.2:58601       74.125.232.57:http      ESTABLISHED
tcp        0      1 192.168.1.2:33170       ey-in-f165.1e100.n:http LAST_ACK
tcp        0      1 192.168.1.2:58596       74.125.232.57:http      LAST_ACK
tcp       74      0 192.168.1.2:60176       218.240.28.131:dict     CLOSE_WAIT
tcp        0      0 192.168.1.2:43642       ey-in-f101.1e100.n:http ESTABLISHED
tcp        0      1 192.168.1.2:33172       ey-in-f165.1e100.n:http LAST_ACK
tcp       74      0 192.168.1.2:60172       218.240.28.131:dict     CLOSE_WAIT
tcp        0      0 192.168.1.2:54885       74.125.232.50:http      ESTABLISHED
tcp        0      0 192.168.1.2:32846       unknown.scnet.net:http  ESTABLISHED
tcp        0      1 192.168.1.2:58595       74.125.232.57:http      LAST_ACK
```

and its whois:

```
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
OriginAS:
NetName: GOOGLE
NetHandle: NET-74-125-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-03-13
Updated: 2007-05-22
Ref: http://whois.arin.net/rest/net/NET-74-125-0-0-1

OrgName: Google Inc.
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2009-08-07
```

OMG it's from google

after that I installed 2 programs to monitor network traffic and hunt the fking session that is doing it

first nethogs; look at its result:

![nethogs screenshot](http://ramtnt.persiangig.com/image/Screensho.png)

unfortunately you can see superuser (root) there but it doesn't show which session/process the request is from

second netactview:

![netactview screenshot](http://ramtnt.persiangig.com/image/Screenshot-Net%20Activity%20Viewer.png)

still nothing and I don't know which process is doing it (don't forget that I took these screenshots while nothing was open and using the internet connection)

what's your idea?

how can i block it?

----------

## msalerno

try netstat -ntp

----------

## rootnt

```
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.1.2:33458       66.102.13.154:80        LAST_ACK    -
tcp        0      1 192.168.1.2:33452       66.102.13.154:80        LAST_ACK    -
tcp        0      0 192.168.1.2:55895       209.160.32.20:80        TIME_WAIT   -
tcp        0      0 192.168.1.2:51485       204.246.169.243:80      TIME_WAIT   -
tcp        0      0 192.168.1.2:47872       66.102.13.100:80        TIME_WAIT   -
tcp        0      0 192.168.1.2:49590       209.160.40.17:80        TIME_WAIT   -
tcp        0      0 192.168.1.2:47877       66.102.13.100:80        TIME_WAIT   -
tcp        0      0 192.168.1.2:36287       63.135.86.11:80         TIME_WAIT   -
tcp        0      1 192.168.1.2:48249       83.222.126.118:80       LAST_ACK    -
tcp        0      1 192.168.1.2:33453       66.102.13.154:80        LAST_ACK    -
tcp        0      0 192.168.1.2:47878       66.102.13.100:80        TIME_WAIT   -
tcp        0      0 192.168.1.2:49099       82.99.218.126:80        TIME_WAIT   -
tcp        0      1 192.168.1.2:53546       88.212.196.104:80       LAST_ACK    -
tcp        0      0 192.168.1.2:49245       174.132.135.186:80      TIME_WAIT   -
```

----------

## msalerno

You are not going to see a pid associated with those ports due to the fact that they are in the process of shutting down. You could use

```
netstat -ntp -c 1 > output
```

and then review the output and match up the ports.
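One way to do the matching msalerno describes, as an added example that is not code from the thread: take repeated netstat -ntp samples, remember which process owned each local address while the PID column was still populated, and resolve later LAST_ACK/TIME_WAIT entries (PID shown as "-") against that record. The collect_samples helper, the embedded sample output, its addresses and its PIDs/program names are constructed for illustration.

```shell
# Added example, not code from the thread. Matches netstat -ntp lines whose PID/Program
# column is "-" (sockets in LAST_ACK/TIME_WAIT no longer belong to a process) against
# earlier samples in which the same local address was still attributed to a process.

# collect_samples N: take N samples of netstat -ntp one second apart. Run as root:
# otherwise netstat only reports PIDs for your own processes and prints "-" for the rest.
collect_samples() {
    i=0
    while [ "$i" -lt "$1" ]; do
        netstat -ntp 2>/dev/null
        sleep 1
        i=$((i + 1))
    done
}

# match_orphans [FILE]: read concatenated samples (default stdin) and print
# "local remote state owner" for every line with no PID, where owner is the last
# process seen holding that local address. Ephemeral ports can be reused, so treat
# a match as a strong hint, not proof, and confirm it against a later sample.
match_orphans() {
    awk '
    $1 ~ /^tcp/ && NF >= 7 {
        laddr = $4; raddr = $5; state = $6; owner = $7
        if (owner != "-") {
            seen[laddr] = owner
        } else if (laddr in seen) {
            printf "%s %s %s %s\n", laddr, raddr, state, seen[laddr]
        } else {
            printf "%s %s %s unknown\n", laddr, raddr, state
        }
    }' "${1:--}"
}

# Constructed sample of two consecutive netstat -ntp runs (remote addresses from
# TEST-NET ranges, PIDs and program names made up) so the matcher runs offline.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.2:41317       203.0.113.10:80         ESTABLISHED 2231/firefox
tcp        0      0 192.168.1.2:60176       198.51.100.7:5222       ESTABLISHED 2980/pidgin
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.1.2:41317       203.0.113.10:80         LAST_ACK    -
tcp       74      0 192.168.1.2:60176       198.51.100.7:5222       CLOSE_WAIT  2980/pidgin
tcp        0      0 192.168.1.2:55895       198.51.100.7:80         TIME_WAIT   -'

# demo: run the matcher over the constructed sample. Real use: collect_samples 60 | match_orphans
demo() {
    printf '%s\n' "$SAMPLE" | match_orphans
}
```

In the sample the LAST_ACK socket on port 41317 is attributed to the process that held it one second earlier, while port 55895 never appeared with a PID and stays unknown, which is the case where a longer sampling window is needed.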

----------

## rootnt

well, recently these shutdowns take too long (30 sec - 1 min after closing all programs) and that much internet usage makes me worried

going to install chkrootkit

anyway thanks ;)

Last edited by rootnt on Mon Apr 04, 2011 2:16 pm; edited 1 time in total

----------

## msalerno

You should still review the output of the netstat command to see what's opening the sockets.

----------

