speaking about Linux firewalls
David Demland
demland at cox.net
Thu Sep 22 21:29:44 MST 2005
Craig,
I do not think it is CA software because I have not seen it on my network
and I use CA software. When I do a lookup on the IP 213.254.229.147 I get
the following information:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
This also supports my idea that it is not CA since the IP is in Amsterdam.
When I try to connect a HTTPS connection to the same IP I got a message with
a SSL certificate from a248.e.akamai.net. The look up for akamai.net show:
Akamai Technologies, Inc.
8 Cambridge Center
Cambridge, MA 02142
US
When I connected a to akamai.net I get a coming soon page. So I tried to
connect to akamai.net through a HTTPS connection. This time I get s
certificate from plesk of SWsoft, Inc. in Virginia.
I am not sure what all this means, but it just feels funny to me. Maybe some
else could shed some more light.
David
-----Original Message-----
From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us]On Behalf Of Craig
White
Sent: Thursday, September 22, 2005 8:34 PM
To: plug-discuss at lists.plug.phoenix.az.us
Subject: speaking about Linux firewalls
A network where I have one.
Just set up a new Win2K3 server (don't lecture, I have as much religion
as the next guy). It's been up for 3 weeks or so and before we went
live, it punked out (seems to be a memory problem - ahem - Dell)...
Anyway, I happened to run netstat on the sucker and what do I see but a
connection that makes no sense at all since it is not exposed to the
internet in any fashion.
TCP MY_HOSTNAME:3289 213.254.229.147:http ESTABLISHED
I can ping that ip address and it's really bothering me. I am going to
block it at the firewall but I can't get a handle on it.
fingerprinting...
# nmap -O 213.254.229.147
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-09-22 19:53
MST
Interesting ports on 213.254.229.147:
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
500/tcp open isakmp
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.20 (Itanium)
Uptime 24.386 days (since Mon Aug 29 10:37:26 2005)
Nmap run completed -- 1 IP address (1 host up) scanned in 16.391 seconds
Anybody have any ideas what is going on?
Obviously I put new rules into Linux firewall and rebooted both systems
but blocking that one ip address isn't likely to stop whatever it was
that was connected - it may be something like Computer Associates
BrightStor/ArcServe doing a phone home thing but it really bothered me.
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
More information about the PLUG-discuss
mailing list