0

On Debian, Linux, I am using netstat to monitor connections. After waking my system from sleep, I noticed a change in one of the connections, using port 6667 for irssi (identified by PID).

I like to suspend my computer and wake from sleep, with my irssi open in a terminal emulator.

After performing /reconnect on irssi, everything returned to the oftc.net domain.

Below is the output of netstat at the point of performing /reconnect

[image: terminal output at the point of reconnecting]

Why did the connection change from oftc.net to getic.rdsnet.ro? Is my system security compromised? What can I do to check?

p0licat
  • 3
  • 2

1 Answer

1

Don't be afraid, this is simply one of the several servers that host the OFTC service.

Here is an explanation:

~$ dig +short irc.oftc.net
91.217.189.50
109.74.200.93
130.239.18.116
81.18.73.124
~$ for ip in $(dig +short irc.oftc.net|grep -E '^[0-9]') ; do dig +short -x ${ip} ; done
farad.oftc.net.
solenoid.acc.umu.se.
getic.rdsnet.ro.
plasma.oftc.net.

When querying DNS for the IP of irc.oftc.net, DNS returns 4 records: this is round-robin DNS, a kind of "poor people load balancing" ;-)

The server you reconnected to is legitimate as you can see...

EDIT: If you're unfamiliar with Linux and the dig command, then:

  • dig is used to query a DNS server.
  • dig +short only outputs useful information (pretty cool for scripting).
  • dig -x will do a reverse DNS request (getting the name from the IP).
binarym
  • 744
  • 4
  • 8
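
The check the answer does by hand, as an added example that is not part of the original answer: it compares the remote address of each established connection on port 6667 with the A records for irc.oftc.net, using the forward records because a PTR name is set by whoever controls the IP block. The function names, the `RESOLVED_IPS` offline override and the netstat lines are assumptions constructed for the demo; the four addresses are the ones shown in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer). Handles IPv4 `netstat -tn` lines only.

# resolve_a HOST: print the A records for HOST, one per line.
# RESOLVED_IPS is a hypothetical override so the demo runs without network access.
resolve_a() {
    if [ -n "${RESOLVED_IPS:-}" ]; then
        printf '%s\n' $RESOLVED_IPS
    else
        dig +short "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
    fi
}

# check_peers HOST PORT: read `netstat -tn` output on stdin and print
# "OK <ip>" when an ESTABLISHED peer on PORT is in HOST's A records,
# "UNKNOWN <ip>" otherwise.
check_peers() {
    host=$1
    port=$2
    known=$(resolve_a "$host")
    awk -v port="$port" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            split($5, peer, ":")          # peer[1] = address, peer[2] = port
            if (peer[2] == port) print peer[1]
        }' |
    while read -r ip; do
        if printf '%s\n' "$known" | grep -qxF "$ip"; then
            echo "OK $ip"
        else
            echo "UNKNOWN $ip"
        fi
    done
}

# Constructed sample: the four A records shown in the answer, plus made-up
# netstat lines (203.0.113.7 is a documentation address, not an OFTC server).
demo() {
    RESOLVED_IPS="91.217.189.50 109.74.200.93 130.239.18.116 81.18.73.124"
    check_peers irc.oftc.net 6667 <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:51234      81.18.73.124:6667       ESTABLISHED
tcp        0      0 192.168.1.10:51240      203.0.113.7:6667        ESTABLISHED
tcp        0      0 192.168.1.10:40022      198.51.100.9:443        ESTABLISHED
EOF
}

demo
```

On a live system, leave `RESOLVED_IPS` unset and pipe `netstat -tn` into `check_peers irc.oftc.net 6667`; an UNKNOWN result is a prompt to look closer, since the record set can change between the connection and the lookup.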