# netstat output

## trikmik

I noticed this output in netstat but I cannot understand it. Is something wrong?

```
# iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
```

```
# netstat -tupln

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      4634/systemd-resolv 
tcp6       0      0 :::5355                 :::*                    LISTEN      4634/systemd-resolv 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           4634/systemd-resolv 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           4634/systemd-resolv 
udp        0      0 192.168.42.26:68        0.0.0.0:*                           4619/systemd-networ 
udp6       0      0 :::5355                 :::*                                4634/systemd-resolv 
udp6       0      0 fe80::c8e9:5dff:feb:546 :::*                                4619/systemd-networ 
udp6       0      0 fe80::2e4d:54ff:fee:546 :::*                                4619/systemd-networ 
```

----------

## Ant P.

You chose systemd - it comes with manpages for all those programs, why not read them?

Side note: your system is going to be very, very broken if you blindly block network traffic over localhost like that.

----------

## Maitreya

Netstat just shows what is listening.

The iptables rules will decide what goes through.

So this all looks OK??

----------

## bunder

With no rules and policy DROP, nothing will be able to do anything in either direction.

----------

## trikmik

I noticed this IP: 52.213.89.190 giving a TLS encrypted handshake in Wireshark.

I did a whois and it is not normal that my USB-connected Android phone on a 3G network is connected to my Gentoo box and then gives away a TLS handshake to an IP in 52-213 Wrocław, Poland? What do I do now?

I turn on the computer, then it gives away the IP to 52.213.89.190 without starting Firefox or emerge or anything.

I need to take this box offline and investigate.

Bye

----------

## trikmik

My Android phone is tethering to my Gentoo desktop and as soon as I turn on the computer I get:

Capture from Wireshark when turning on the Gentoo machine: my IP address is NOT 52.213.89.190; however, as soon as I turn on the machine it starts sending to that IP address.

```
1   0.000000000   192.168.42.129   192.168.42.119   DNS   191   Standard query response 0x0c0d A location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net A 52.213.89.190 A 34.249.232.228 A 52.31.122.196
2   0.042792965   192.168.42.129   192.168.42.119   DNS   225   Standard query response 0xce2b AAAA location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net SOA ns-1260.awsdns-29.org
3   0.043319222   192.168.42.119   52.213.89.190   TCP   76   51448 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3592023883 TSecr=0 WS=128
4   0.152622488   52.213.89.190   192.168.42.119   TCP   76   443 → 51448 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1409 SACK_PERM=1 TSval=2143902162 TSecr=3592023883 WS=256
5   0.152674683   192.168.42.119   52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=3592023993 TSecr=2143902162
6   0.153382233   192.168.42.119   52.213.89.190   TLSv1.2   589   Client Hello
7   0.312685022   52.213.89.190   192.168.42.119   TCP   68   443 → 51448 [ACK] Seq=1 Ack=522 Win=28160 Len=0 TSval=2143902201 TSecr=3592023993
8   0.382628457   52.213.89.190   192.168.42.119   TLSv1.2   1465   Server Hello
9   0.382663138   192.168.42.119   52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=522 Ack=1398 Win=32128 Len=0 TSval=3592024223 TSecr=2143902202
10   0.382705451   52.213.89.190   192.168.42.119   TCP   1465   443 → 51448 [ACK] Seq=1398 Ack=522 Win=28160 Len=1397 TSval=2143902202 TSecr=3592023993 [TCP segment of a reassembled PDU]
11   0.382723493   192.168.42.119   52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=522 Ack=2795 Win=35072 Len=0 TSval=3592024223 TSecr=2143902202
12   0.384705842   52.213.89.190   192.168.42.119   TLSv1.2   1203   Certificate, Server Key Exchange, Server Hello Done
13   0.384740954   192.168.42.119   52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=522 Ack=3930 Win=37888 Len=0 TSval=3592024225 TSecr=2143902202
14   0.388051376   192.168.42.119   52.213.89.190   TLSv1.2   143   Client Key Exchange
15   0.388082536   192.168.42.119   52.213.89.190   TLSv1.2   74   Change Cipher Spec
16   0.388093388   192.168.42.119   52.213.89.190   TLSv1.2   113   Encrypted Handshake Message
17   0.460496525   52.213.89.190   192.168.42.119   TCP   68   443 → 51448 [ACK] Seq=3930 Ack=648 Win=28160 Len=0 TSval=2143902239 TSecr=3592024228
18   0.462667003   52.213.89.190   192.168.42.119   TLSv1.2   119   Change Cipher Spec, Encrypted Handshake Message
19   0.465289925   192.168.42.119   52.213.89.190   TLSv1.2   284   Application Data
20   0.465395634   192.168.42.119   52.213.89.190   TLSv1.2   99   Application Data
21   0.542538035   52.213.89.190   192.168.42.119   TCP   68   443 → 51448 [ACK] Seq=3981 Ack=895 Win=29184 Len=0 TSval=2143902259 TSecr=3592024305
22   0.549758692   52.213.89.190   192.168.42.119   TLSv1.2   391   Application Data
23   0.590403428   192.168.42.119   52.213.89.190   TCP   68   51448 → 443 [ACK] Seq=895 Ack=4304 Win=40704 Len=0 TSval=3592024390 TSecr=2143902261
24   1.574562810   fe80::8821:c2ff:fe4e:7857   ff02::2   ICMPv6   72   Router Solicitation from 8a:21:c2:4e:78:57
25   5.004541847   8a:21:c2:4e:78:57      ARP   44   Who has 192.168.42.119? Tell 192.168.42.129
26   5.004562532   26:17:9e:ae:a0:d7      ARP   44   192.168.42.119 is at 26:17:9e:ae:a0:d7
27   5.584734786   fe80::8821:c2ff:fe4e:7857   ff02::2   ICMPv6   72   Router Solicitation from 8a:21:c2:4e:78:57
```

Who is that? Why is my Gentoo machine sending TCP TLSv1.2 over port 443 to that IP address that I do not recognize?

Can someone please help? I am desperate. Am I hacked? Do I need to reinstall Gentoo? How can I provide more evidence?

[Moderator edit: added [code] tags to preserve output layout. -Hu]

----------
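The capture above already contains the answer to "where does that IP come from?": frames 1 and 2 are DNS responses that resolve location.services.mozilla.com (via a CNAME) to 52.213.89.190, 34.249.232.228 and 52.31.122.196, and the SYN in frame 3 goes to the first of those addresses. The script below is an added example, not code from this thread or from any of the posters: it replays that correlation over Wireshark summary lines, learning A/AAAA answers as they appear and then labelling every outbound SYN with the name whose answer contained its destination. The sample input copies frames 1 to 4 from the capture above and adds one constructed frame (number 99, to the RFC 5737 documentation address 198.51.100.7) for which no DNS answer exists, to show what an unexplained destination looks like. It assumes only the column layout shown above (No., Time, Source, Destination, Protocol, Length, Info) and the Info text Wireshark prints for DNS responses.

```python
"""Attribute an unrecognised destination IP in a packet capture to the DNS
name that resolved to it, by replaying DNS answers seen earlier in the same
capture.  Added example; not code from the original thread.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: frames 1-4 are copied from the capture posted in
# the thread; frame 99 is invented (RFC 5737 documentation address) so that
# the "no DNS answer explains this destination" path is exercised too.
SAMPLE_CAPTURE = """\
1   0.000000000   192.168.42.129   192.168.42.119   DNS   191   Standard query response 0x0c0d A location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net A 52.213.89.190 A 34.249.232.228 A 52.31.122.196
2   0.042792965   192.168.42.129   192.168.42.119   DNS   225   Standard query response 0xce2b AAAA location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net SOA ns-1260.awsdns-29.org
3   0.043319222   192.168.42.119   52.213.89.190   TCP   76   51448 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3592023883 TSecr=0 WS=128
4   0.152622488   52.213.89.190   192.168.42.119   TCP   76   443 → 51448 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1409 SACK_PERM=1 TSval=2143902162 TSecr=3592023883 WS=256
99  2.000000000   192.168.42.119   198.51.100.7   TCP   76   51450 → 443 [SYN] Seq=0 Win=29200 Len=0
"""

# Record types Wireshark prints as "TYPE rdata" pairs in a response summary.
ANSWER_TYPES = {"A", "AAAA", "CNAME", "SOA", "PTR", "MX", "NS", "TXT"}
# "51448 → 443" in the Info column; tshark prints an ASCII arrow instead.
PORTS_RE = re.compile(r"(\d+)\s*(?:→|->)\s*(\d+)")
RESPONSE_RE = re.compile(r"Standard query response 0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s*(.*)")


@dataclass
class DnsRecord:
    frame: int
    time: float
    qname: str   # the name the client actually asked for
    rtype: str
    rdata: str


@dataclass
class Connection:
    frame: int
    time: float
    src: str
    dst: str
    dport: int
    name: Optional[str] = None            # DNS name that resolved to dst
    resolved_in_frame: Optional[int] = None
    cnames: list = field(default_factory=list)


def parse_frame(line):
    """Split a summary line into its seven columns; Info keeps its spaces."""
    parts = line.split(None, 6)
    if len(parts) < 7:
        return None
    no, t, src, dst, proto, length, info = parts
    return int(no), float(t), src, dst, proto, int(length), info


def parse_dns_response(frame, t, info):
    """Turn 'Standard query response 0x.. A name CNAME x A 1.2.3.4' into records."""
    m = RESPONSE_RE.match(info)
    if not m:
        return []
    _qtype, qname, rest = m.groups()
    tokens, records, i = rest.split(), [], 0
    while i + 1 < len(tokens):
        if tokens[i] in ANSWER_TYPES:
            records.append(DnsRecord(frame, t, qname, tokens[i], tokens[i + 1]))
            i += 2
        else:
            i += 1
    return records


def attribute_connections(capture_text):
    """Walk the capture in order: learn A/AAAA answers, then label each
    outbound TCP SYN with the name whose answer contained its destination."""
    addr_to_name = {}   # ip -> (qname, frame of the answer)
    cnames_for = {}     # qname -> CNAME targets seen for it
    connections = []
    for line in capture_text.splitlines():
        parsed = parse_frame(line)
        if parsed is None:
            continue
        no, t, src, dst, proto, _length, info = parsed
        if proto == "DNS":
            for rec in parse_dns_response(no, t, info):
                if rec.rtype in ("A", "AAAA"):
                    addr_to_name.setdefault(rec.rdata, (rec.qname, rec.frame))
                elif rec.rtype == "CNAME":
                    targets = cnames_for.setdefault(rec.qname, [])
                    if rec.rdata not in targets:
                        targets.append(rec.rdata)
            continue
        # Only the initial SYN; "[SYN, ACK]" does not contain "[SYN]".
        if proto != "TCP" or "[SYN]" not in info:
            continue
        pm = PORTS_RE.search(info)
        if not pm:
            continue
        conn = Connection(no, t, src, dst, int(pm.group(2)))
        if dst in addr_to_name:
            conn.name, conn.resolved_in_frame = addr_to_name[dst]
            conn.cnames = cnames_for.get(conn.name, [])
        connections.append(conn)
    return connections


if __name__ == "__main__":
    for c in attribute_connections(SAMPLE_CAPTURE):
        label = (f"{c.name} (answer in frame {c.resolved_in_frame})" if c.name
                 else "no DNS answer seen for this address: investigate")
        print(f"frame {c.frame}: {c.src} -> {c.dst}:{c.dport}  {label}")
```

To use it on a real capture, export the summary lines from Wireshark (or `tshark -r file.pcap`) and pass the text to `attribute_connections`. A destination that comes back without a name is the one worth chasing with `ss -tnp` or `lsof -i` while the connection is open; a destination that was handed out by a DNS answer a few milliseconds earlier, as here, is the process resolving that name, which is what the next reply in the thread points at.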

## trikmik

Where does the IP address noted in the above post come from?

I am not sure if I need to reinstall Gentoo. Please help.

*Edit*

When connecting to another network my computer still sends out packets to

52.31.122.196

52.213.89.190

I unmerged and depcleaned Firefox, and my system is pretty much a default GNOME Gentoo.

Why does the machine send packets to those IPs?

Wireshark shows those lines in bright red. What does that mean?

How can I know where those IPs are coming from?

Please help.

*Edit2*

After closing port 443 I no longer send any TCP to the IPs noted above.

The question remains: why do I send out over network port 443 when not doing anything network related?

I checked; it is not my router's DNS.

----------

## Ant P.

*trikmik wrote:*

> Who is that? Why is my Gentoo machine sending TCP TLSv1.2 over port 443 to that IP address that I do not recognize?


Because you've installed crapware, be it GNOME, systemd or something else, that asks that remote server to geolocate you based on your public IP. There's probably a setting to disable it, which you have obviously failed to even look for before flying off the handle. Be glad it's only mozilla's service and not google.

*Quote:*

> Can someone please help? I am desperate. Am I hacked? Do I need to reinstall Gentoo? How can I provide more evidence?


Nobody can help you if you won't learn how to help yourself. Your system's already on the way to destruction since you've screwed up the firewall, installed a mountain of things you clearly lack the capacity or patience to understand, and are too busy yelling paranoid schizophrenic rants over the top of every other voice here to RTFM.

We've suffered paranoid help vampires here in the past. They refused to listen and wasted everyone's time, and eventually got the boot. Don't start being another one, our patience is not infinite.

----------

## Hu

If you need help, post specific problems.  When you change system state, describe that change in a way that we could make the same change.  Don't expect us to guess how to make a similar change.  For example, you wrote "After closing Port 443 ...".  What does that mean?  What commands did you use?  I can think of three very different commands that might be described that way, and their impacts vary widely.

Use complete sentences and good English grammar.  Perfect grammar/spelling is not required, but the more we need to interpret around imperfections, the greater the chance we will either make a mistake (leading to misunderstanding and bad advice) or lose patience (leading to a lack of response).

----------

