December 10, 2003

Finding Open Ports

So in investigating my problem with mysterious spoofing packets, I learned/relearned some useful commands.

First "netstat -a -W" is good to see all the ports that are open. It also seems to give the same results if you're root and if you're not.

One problem I had with that output was that it doesn't relate the process to the socket. "lsof -i -n" on the other hand does just that. However, the output changes depending on whether or not you're root. The info is much more complete when you're root.
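As an added example (not code from the original post), here is a small Python parser for "lsof -i -n -P" output that does the correlation netstat leaves out: which process owns which socket, and which of those sockets are actually bound for the network. It runs over a constructed sample in the column layout lsof prints (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME); the nmbd entries in that sample are hypothetical stand-ins for the netbios sockets the post found, and the "no PCB" entry is there because such lines have no DEVICE column, so a parser must key on the TCP/UDP token rather than fixed positions. The live_lsof helper runs the real command on the local host and, as the post notes, gives fuller output as root.

```python
"""Correlate sockets with owning processes by parsing `lsof -i -n -P` output.

Added example, not code from the original post. It assumes the column layout
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME and that COMMAND contains
no spaces. Lines such as "no PCB, CANTSENDMORE, CANTRCVMORE" have no DEVICE
column, so the parser finds the TCP/UDP token instead of trusting positions.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in lsof's format, with -n -P so hosts and ports are
# numeric. The nmbd entries are hypothetical stand-ins for the netbios-ns and
# netbios-dgm sockets the post found with netstat.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Safari 1559 rob 28u inet 0x033101dc 0t0 TCP 192.168.1.10:59959->216.239.37.99:80 (ESTABLISHED)
Mail 2672 rob 17u inet 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
Mail 2672 rob 19u inet 0x0331073c 0t0 TCP 192.168.1.10:59835->192.168.1.20:993 (ESTABLISHED)
nmbd 301 root 5u inet 0x03301234 0t0 UDP 172.208.217.243:137
nmbd 301 root 6u inet 0x03301235 0t0 UDP 172.208.217.243:138
sshd 88 root 3u inet 0x03301236 0t0 TCP *:22 (LISTEN)
"""


@dataclass
class Socket:
    command: str
    pid: int
    user: str
    proto: str              # "TCP" or "UDP"
    local: str              # local endpoint as printed, e.g. "*:22"; "" when no PCB
    remote: Optional[str]   # peer endpoint, or None for unconnected sockets
    state: Optional[str]    # "LISTEN", "ESTABLISHED", ..., "no PCB", or None (UDP)


def parse_lsof(text: str) -> List[Socket]:
    sockets: List[Socket] = []
    for line in text.splitlines()[1:]:          # first line is the header
        tokens = line.split()
        node_idx = next((i for i, t in enumerate(tokens) if t in ("TCP", "UDP")), None)
        if node_idx is None or node_idx < 4:
            continue                             # not a socket line we understand
        command, pid, user = tokens[0], int(tokens[1]), tokens[2]
        proto = tokens[node_idx]
        name = " ".join(tokens[node_idx + 1:])
        if name.startswith("no PCB"):
            # Protocol control block already torn down: nothing to correlate.
            sockets.append(Socket(command, pid, user, proto, "", None, "no PCB"))
            continue
        endpoint, _, state = name.partition(" ")
        local, _, remote = endpoint.partition("->")
        sockets.append(Socket(command, pid, user, proto, local,
                              remote or None, state.strip("()") or None))
    return sockets


def local_port(sock: Socket) -> Optional[int]:
    """Numeric local port, or None for wildcard (*) and no-PCB entries."""
    port = sock.local.rsplit(":", 1)[-1] if sock.local else ""
    return int(port) if port.isdigit() else None


def owners_of_port(sockets: List[Socket], port: int,
                   proto: Optional[str] = None) -> List[Tuple[str, int]]:
    """Which (command, pid) pairs hold a socket whose *local* port is `port`."""
    return [(s.command, s.pid) for s in sockets
            if local_port(s) == port and (proto is None or s.proto == proto)]


def exposed_sockets(sockets: List[Socket]) -> List[Tuple[str, int, str, int]]:
    """Sockets reachable from the network: unconnected UDP sockets and TCP listeners."""
    found = []
    for s in sockets:
        port = local_port(s)
        if port is None:
            continue
        if (s.proto == "UDP" and s.remote is None) or s.state == "LISTEN":
            found.append((s.command, s.pid, s.proto, port))
    return sorted(found, key=lambda f: (f[3], f[2], f[0]))


def live_lsof() -> List[Socket]:
    """Run lsof on this host (full detail needs root, as the post notes)."""
    out = subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True,
                         text=True, check=True).stdout
    return parse_lsof(out)


if __name__ == "__main__":
    for command, pid, proto, port in exposed_sockets(parse_lsof(SAMPLE_LSOF)):
        print(f"{proto}/{port:<5} {command} (pid {pid})")
```

On a real host, replace parse_lsof(SAMPLE_LSOF) with live_lsof(); owners_of_port(sockets, 138, "UDP") then answers the question the post asks, which process holds the netbios-dgm socket.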

Posted by rob at 07:01 PM | Comments (1)

Mystery of the Spoofing Packets

So, for a while now I've been getting e-mail like this from my Sonicwall firewall:

From:
Date: Wed Dec 10, 2003 1:50:19 PM America/New_York
To:
Subject: *** Alert from SonicWALL *** [0040100CF2DA]

12/10/2003 13:48:54.672 - IP spoof detected - Source:172.208.217.243, 138, LAN - Destination:172.208.255.255, 138, WAN - MAC address: 00.30.65.A9.15.36 -

I had always assumed that it coincided with times when I ran the AOL client on my G4 Cube.

Today I realized that it was sending messages when I wasn't using the computer.

Puzzled, I ran "netstat -W" and found these:
udp4 0 0 acd0d9f3.ipt.aol.com.netbios-dgm *.*
udp4 0 0 acd0d9f3.ipt.aol.com.netbios-ns *.*

And of course, acd0d9f3.ipt.aol.com is 172.208.217.243 according to nslookup. So, why do I have this connection running from my machine to the universe? What app has that connection?

[paris:~/Desktop/Web Downloads] rob% lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
iCal 430 rob 11u inet 0x03309a4c 0t0 TCP localhost:55578->localhost:ipp (CLOSE_WAIT)
iCal 430 rob 14u inet 0x02c737bc 0t0 TCP localhost:55557->localhost:ipp (CLOSE_WAIT)
Safari 1559 rob 14u inet 0x03321a2c 0t0 TCP localhost:57864->localhost:ipp (CLOSE_WAIT)
Safari 1559 rob 23u inet 0x033094ec 0t0 TCP localhost:57854->localhost:ipp (CLOSE_WAIT)
Safari 1559 rob 28u inet 0x033101dc 0t0 TCP paris.balboa1321.bogus:59959->216.239.37.99:http (ESTABLISHED)
Safari 1559 rob 38u inet 0x02c73a6c 0t0 TCP paris.balboa1321.bogus:59960->nurse.csi.cam.ac.uk:http (CLOSE_WAIT)
Mail 2672 rob 9u inet 0x033084cc 0t0 TCP paris.balboa1321.bogus:59396->montauk.balboa1321.bogus:imaps (ESTABLISHED)
Mail 2672 rob 12u inet 0x032c1a0c 0t0 TCP paris.balboa1321.bogus:58072->montauk.balboa1321.bogus:imaps (ESTABLISHED)
Mail 2672 rob 16u inet 0x033214cc 0t0 TCP paris.balboa1321.bogus:57884->montauk.balboa1321.bogus:imaps (CLOSE_WAIT)
Mail 2672 rob 17u inet 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
Mail 2672 rob 18u inet 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
Mail 2672 rob 19u inet 0x0331073c 0t0 TCP paris.balboa1321.bogus:59835->montauk.balboa1321.bogus:imaps (ESTABLISHED)
ssh 3648 rob 3u inet 0x0330923c 0t0 TCP paris.balboa1321.bogus:59769->montauk.balboa1321.bogus:ssh (ESTABLISHED)

I'm pretty confused at this point. I tried killing processes until I could get the netstat to show that the AOL netbios ports were gone. They seemed to go away when I killed nmbd. I thought that maybe somehow they were being created when I ran AOL client like AOL itself or an AIM client like iChat, but I just tried that and the connections were not recreated.

Mysterious...
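As an added example (not code from the original post), here is a Python parser for SonicWALL alert lines in the format quoted above, with a few checks a defender would run on each one: whether the source address belongs to the subnet of the zone it was seen on, whether the ports are NetBIOS service ports, and whether the destination is the directed-broadcast address of the source's own network. The LAN subnet and the second sample alert are constructed placeholders, not values from the post; the first sample line is the alert quoted above.

```python
"""Parse SonicWALL "IP spoof detected" alerts and test each against the LAN subnet.

Added example, not code from the original post. It assumes the one-line alert
format quoted there. LAN_NET is a constructed placeholder; substitute the
firewall's real LAN network.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List

LAN_NET = ip_network("192.168.1.0/24")   # constructed placeholder

# Well-known NetBIOS-over-TCP/IP service ports.
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) - (?P<event>.+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<szone>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dzone>\w+) - "
    r"MAC address: (?P<mac>[0-9A-Fa-f.:]+) -"
)

# First line is the alert quoted in the post; the second is constructed.
SAMPLE_ALERTS = [
    "12/10/2003 13:48:54.672 - IP spoof detected - Source:172.208.217.243, 138, LAN - "
    "Destination:172.208.255.255, 138, WAN - MAC address: 00.30.65.A9.15.36 -",
    "12/10/2003 14:02:11.005 - IP spoof detected - Source:192.168.1.77, 53, WAN - "
    "Destination:192.168.1.1, 53, LAN - MAC address: 00.11.22.33.44.55 -",
]


@dataclass
class Alert:
    ts: datetime
    event: str
    src: IPv4Address
    sport: int
    szone: str
    dst: IPv4Address
    dport: int
    dzone: str
    mac: str    # normalised to aa:bb:cc:dd:ee:ff


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(
        ts=datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        event=m["event"],
        src=ip_address(m["src"]), sport=int(m["sport"]), szone=m["szone"],
        dst=ip_address(m["dst"]), dport=int(m["dport"]), dzone=m["dzone"],
        mac=m["mac"].replace(".", ":").lower(),
    )


def classify(alert: Alert, lan: IPv4Network = LAN_NET,
             bcast_prefix: int = 16) -> Dict[str, bool]:
    """Boolean findings that explain why the firewall called the packet spoofed.

    bcast_prefix is an assumption: the prefix length used to decide whether the
    destination is the directed-broadcast address of the source's own network.
    """
    src_in_lan = alert.src in lan
    src_net = ip_network(f"{alert.src}/{bcast_prefix}", strict=False)
    return {
        # Seen on LAN with a non-LAN source, or on WAN with a LAN source.
        "source_outside_zone_subnet": src_in_lan != (alert.szone == "LAN"),
        "netbios_port": alert.sport in NETBIOS_PORTS or alert.dport in NETBIOS_PORTS,
        "destination_is_directed_broadcast": alert.dst == src_net.broadcast_address,
    }


def hosts_by_mac(alerts: List[Alert]) -> Dict[str, List[IPv4Address]]:
    """Group source addresses by the MAC that emitted them: a MAC paired with an
    unexpected source address points at one specific machine on the LAN."""
    seen: Dict[str, List[IPv4Address]] = {}
    for a in alerts:
        if a.src not in seen.setdefault(a.mac, []):
            seen[a.mac].append(a.src)
    return seen


if __name__ == "__main__":
    alerts = [parse_alert(l) for l in SAMPLE_ALERTS]
    for a in alerts:
        print(a.ts, a.src, a.szone, classify(a))
    print(hosts_by_mac(alerts))
```

The MAC grouping is the practical part: the firewall names the hardware address, so matching it against the LAN's hosts narrows the search to one machine before any per-host netstat or lsof work.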

Posted by rob at 02:58 PM | Comments (1)

December 08, 2003

LocalFeeds

I came across this article on the O'Reilly Network about LocalFeeds. It looks like a kind of cool idea. You can enter in a location and find blogs that are geographically close to you.

Posted by rob at 04:08 PM | Comments (0)