3

Today I went to the library. I was looking at my netstat -an output and I saw this.

tcp        0      0 127.0.0.1:6379          127.0.0.1:46376         ESTABLISHED
tcp        0      0 127.0.0.1:46376         127.0.0.1:6379          ESTABLISHED
tcp        1      0 172.16.10.99:41582      123.123.123.123:80      CLOSE_WAIT 
tcp        0      0 172.16.10.99:34960      172.217.2.238:443       TIME_WAIT  
tcp        0      0 127.0.0.1:6379          127.0.0.1:43480         ESTABLISHED
tcp        0      0 127.0.0.1:43526         127.0.0.1:6379          ESTABLISHED

I noticed the 123.123.123.123 address, which connected to me on port 41582. When I geolocated the IP, the website said it belonged to a place in Beijing, China. Then I remembered that I hadn't accepted the terms of use for the library internet connection I was using.

So this made me feel more odd about it. I am curious to know whether this connection was being made from the internal library network or being proxied through the library, which would mean that a device in the library was being used as a proxy.

Because 172.16.10.99 was my internal IP when I was at the library. The public IP of the library was something different.

I run Ubuntu Linux, and when this occurred I was not browsing any websites in China or accessing anything on the Asian continent.

So this all seems a bit odd.

Just trying to make sense of this event.

Could anyone provide some insight?

My concern is that I have something on my box which is listening on these ports and is being accessed when there is an active internet connection.

Here is what Shodan mentions regarding this IP: https://www.shodan.io/host/123.123.123.123

Thanks.

Dan
    That line represents a request FROM your machine TO that address, not the other way around. If you see it again, you can use lsof to determine what process has that connection open. – Jonah Benton Mar 23 '18 at 16:57
  • Oh ok, so just trying to understand. So you are saying some piece of code is running on my machine which requested that IP address? The other question I have is: how are you able to infer that a request was made by my machine and not the other way around? I understand port 80 is usually meant for a web server. – Dan Mar 23 '18 at 17:04
  • I'd guess that's your browser viewing the TOS splash screen of the public wifi you're in. If you're still in that network, you might try to open up `123.123.123.123:80` and see what it says. – Arminius Mar 23 '18 at 17:06
  • Now I am even more confused. I am in the US. The splash screen for the public wifi had not been shown at this point. When I did visit the splash screen, the address corresponded to the gateway address of the network, which is not 123.123.123.123. – Dan Mar 23 '18 at 17:09
  • It says nothing. The browser says the site can't be reached; the connection was reset. – Dan Mar 23 '18 at 17:11
  • How can one infer the direction of the connection, aside from the local and remote ports? High ports are standard for clients, and port 80 is the standard HTTP server port. In order for a connection to be inbound, there usually has to be a socket in LISTEN state using that port. No mention of LISTEN in the question. You can do netstat -an | grep LISTEN to see what ports are in that state. Also, the IP address of your machine is not "public", which means that it can't be connected to unless there is something explicitly set up on the edge of the network to forward inbound requests. That's extremely unlikely. – Jonah Benton Mar 23 '18 at 18:42

2 Answers

1

It's your laptop that was connecting (or trying to connect) to that IP, not the other way around. I tried connecting to that IP, and basically it won't connect.

Your netstat didn't really show an established connection either, since it's in CLOSE_WAIT. Googling that IP didn't bring up anything about possible related threats, but I found at least one discussion where that mysterious IP was explained as "likely misconfigured default setting". If you think about it, it is a very peculiar IP, 123.123.123.123, which might well be a string used as an example IP address, just like "abc123" for a password, or contact@domain.com for an email address. So there's nothing there; it might just be a random default setting that makes no sense.

I have no idea where that misconfigured default IP could be set though: applications on your laptop, scripts or any assets in web pages, etc. If you run netstat with the -e and -p options you might be able to understand a bit more.

ThoriumBR
reed
  • Interesting deduction. I grepped /etc and was not able to find anything; maybe I will dig some more to look for that string in my files. – Dan Apr 26 '18 at 01:21
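The direction heuristic from the comments (a row is inbound only when its local port is one the host is LISTENing on; an ephemeral local port talking to a well-known remote port is an outbound client connection) can be applied mechanically to netstat -an output. The script below is an added example, not code from the question or either answer. It parses the rows quoted in the question plus two constructed rows (a LISTEN socket for 6379 and for 22, and an inbound SSH session from a made-up peer 10.0.0.5) so that both directions and the loopback case are shown; the ephemeral-port boundary of 32768 is an assumption matching the stock Linux ip_local_port_range.

```python
"""Classify netstat -an rows by likely connection direction (added example)."""
from dataclasses import dataclass
from typing import List, Optional

EPHEMERAL_START = 32768  # assumption: stock Linux net.ipv4.ip_local_port_range lower bound
WELL_KNOWN_MAX = 1023    # ports 0-1023 are almost always server-side

# Rows from the question, plus three constructed rows (LISTEN sockets and an inbound SSH
# session from a made-up peer) so that every classification branch is exercised.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          127.0.0.1:46376         ESTABLISHED
tcp        0      0 127.0.0.1:46376         127.0.0.1:6379          ESTABLISHED
tcp        1      0 172.16.10.99:41582      123.123.123.123:80      CLOSE_WAIT
tcp        0      0 172.16.10.99:34960      172.217.2.238:443       TIME_WAIT
tcp        0      0 172.16.10.99:22         10.0.0.5:51234          ESTABLISHED
"""


@dataclass
class Conn:
    proto: str
    recv_q: int
    send_q: int
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]
    state: str
    direction: str = "unknown"
    note: str = ""


def _split_addr(addr: str):
    # rpartition keeps IPv6 forms such as ':::22' intact; '*' means "any port"
    ip, _, port = addr.rpartition(":")
    return ip, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue  # header, blank line, or unix-domain socket row
        state = parts[5] if len(parts) > 5 else ""  # UDP rows carry no state column
        lip, lport = _split_addr(parts[3])
        rip, rport = _split_addr(parts[4])
        conns.append(Conn(parts[0], int(parts[1]), int(parts[2]), lip, lport, rip, rport, state))
    return conns


def classify(conns: List[Conn]) -> List[Conn]:
    # A port counts as "ours" only if some socket of the same protocol is LISTENing on it
    # ('tcp6' and 'tcp' are folded together, since a v6 listener accepts v4 clients too).
    listening = {(c.proto.rstrip("6"), c.local_port) for c in conns if c.state == "LISTEN"}
    for c in conns:
        if c.state == "LISTEN":
            c.direction = "listener"
            continue
        if c.local_ip.startswith("127.") and c.remote_ip.startswith("127."):
            c.note = "loopback only; not reachable from the network"
        if (c.proto.rstrip("6"), c.local_port) in listening:
            c.direction = "inbound"      # a remote client connected to a local service
        elif c.local_port >= EPHEMERAL_START or (
            c.remote_port is not None and c.remote_port <= WELL_KNOWN_MAX
        ):
            c.direction = "outbound"     # this host acted as the client
        if c.state == "CLOSE_WAIT":
            # Peer sent FIN; the local process has not yet close()d its socket.
            # A non-zero Recv-Q means data arrived that the process never read.
            extra = f", {c.recv_q} unread byte(s)" if c.recv_q else ""
            c.note = (c.note + "; " if c.note else "") + "remote side already closed" + extra
    return conns


def analyze(text: str) -> List[Conn]:
    return classify(parse_netstat(text))


if __name__ == "__main__":
    for c in analyze(SAMPLE_NETSTAT):
        print(f"{c.direction:9} {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} "
              f"[{c.state}] {c.note}")
```

Run against the question's rows, the 123.123.123.123:80 line comes out as outbound (ephemeral local port, well-known remote port, no local listener on 41582) and is annotated as a half-closed socket with one unread byte, which matches the answer's observation that it was never really an active session. The two Redis rows show how the same loopback connection appears twice, once as the client side and once as the server side.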
0

It is hard to say, but those addresses look like your box is talking to resources on the network. Normal ports being 80 and 443 for HTTP and HTTPS, in that order. 6379 being used for keys could be to authenticate to the network.

Jonah Benton's mention of the output of that command is valid, as Linux will spit out the connections left to right: (your box) >> (resource on the network).

In regards to the 123.123.123.123 IP, it might be a resource at the library connecting out to a Chinese server.

Heigou
  • Thanks for your response. When you say "resource connecting out to a Chinese server": I ran the netstat -an on my box; doesn't that mean that my box was connected directly to that Chinese IP address? I will reconnect from scratch and see if that IP address shows up again as part of the negotiation process with the router. – Dan Mar 23 '18 at 18:02
  • You could kill the connection altogether to feel more at ease using sudo tcpkill -i wlan0 host 123.123.123.123 for standard Linux or sudo dsniff -i wlan0 host 123.123.123.123 for Ubuntu. – Heigou Mar 23 '18 at 18:15
  • The connection is no longer there; I am simply trying to figure out how it got there and if it will be happening again. – Dan Mar 23 '18 at 18:17