IWETHEY v. 0.3.0 | TODO

How do I track down what was using my connection?
I noticed my network usage was suddenly high and sustained, and I wasn't doing anything. Syslog shows:
Jul  1 22:27:03 drookenstein tcpspy[1096]: connect: user root, local 67.39.201.108:33051, remote 66.35.250.210:www
Jul  1 22:27:06 drookenstein tcpspy[1096]: disconnect: user root, local 67.39.201.108:33051, remote 66.35.250.210:www

Over and over and over again. Try that IP in a browser and you get sourceforge. Whois shows:
drook@drookenstein:~$ whois 66.35.250.210

OrgName:    Cable & Wireless
OrgID:      EXCW
Address:    3300 Regency Pkwy
City:       Cary
StateProv:  NC
PostalCode: 27511
Country:    US

ReferralServer: rwhois://rwhois.exodus.net:4321/

NetRange:   66.35.192.0 - 66.35.255.255
CIDR:       66.35.192.0/18
NetName:    SC8-2
NetHandle:  NET-66-35-192-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS01.SAVVIS.NET
NameServer: DNS02.SAVVIS.NET
NameServer: DNS03.SAVVIS.NET
NameServer: DNS04.SAVVIS.NET
Comment:    * Rwhois reassignment information for this block is available at:
Comment:    * rwhois.exodus.net 4321
Comment:    * For abuse please contact abuse@exodus.net
RegDate:
Updated:    2004-05-05

TechHandle: ZC221-ARIN
TechName:   Cable & Wireless
TechPhone:  +1-919-465-4023
TechEmail:  ip@gnoc.cw.net

OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-877-393-7878
OrgAbuseEmail:  abuse@savvis.net

OrgNOCHandle: NOC99-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-800-977-4662
OrgNOCEmail:  trouble@cw.net

OrgTechHandle: EIAA-ARIN
OrgTechName:   Exodus IP Address Administration
OrgTechPhone:  +1-888-239-6387
OrgTechEmail:  ipaddressadmin@exodus.net

OrgTechHandle: GIAA-ARIN
OrgTechName:   Global IP Address Administration
OrgTechPhone:  +1-919-465-4096
OrgTechEmail:  ip@gnoc.cw.net

# ARIN WHOIS database, last updated 2004-06-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Found a referral to rwhois.exodus.net:4321.

%rwhois V-1.5:001ab7:00 rwhois.exodus.net (Exodus Communications)
network:Class-Name:network
network:Auth-Area:0.0.0.0/0
network:Network-Name:66.35.250.0
network:IP-Network:66.35.250.0/24
network:Organization;I:VA Software
network:Street;I:1382 Bordeaux
network:City;I:Sunnyvale
network:State;I:CA
network:Postal-Code;I:94089
network:Country-Code;I:USA

network:Class-Name:network
network:Auth-Area:0.0.0.0/0
network:Network-Name:66.35.192.0
network:IP-Network:66.35.192.0/18
network:Organization;I:Exodus IDC - SV/SC8
network:Name;I:IP Address Administrator
network:Email;I:ipaddressadmin@exodus.net
network:Street;I:2831 Mission College Blvd.
network:City;I:Santa Clara, CA 95054

So what the hell was burning up my connection for five minutes or so?
===

Implicitly condoning stupidity since 2001.
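The first step in answering the question above is to turn the stream of tcpspy lines into something countable: how many times, for which user, to which remote endpoint, and for how long. The script below is an added example and is not code from the thread or from tcpspy itself. It parses the exact line format quoted in the post, pairs each connect with the disconnect of the same local socket, and totals connections and connected seconds per (user, remote). The year is an assumption (syslog lines carry none; 2004 matches the whois timestamp in the post), and the sample log is constructed: its first two lines are the pair quoted above, the rest are made up to show the repeat pattern next to an unrelated connection.

```python
"""Summarise tcpspy connect/disconnect records from syslog.

Added example, not code from the thread. Pairs connect/disconnect on the
same local socket and aggregates per (user, remote endpoint) so that a
burst of repeated short connections to one host stands out.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches e.g.
#   Jul  1 22:27:03 host tcpspy[1096]: connect: user root, local A:P, remote B:Q
TCPSPY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ tcpspy\[\d+\]: "
    r"(?P<event>connect|disconnect): user (?P<user>\S+), "
    r"local (?P<local>\S+), remote (?P<remote>\S+)$"
)


def parse_line(line, year=2004):
    """Return a dict for a tcpspy line, or None for any other syslog line."""
    m = TCPSPY_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # Collapse the double space syslog uses for single-digit days ("Jul  1").
    stamp = " ".join(m["ts"].split())
    return {
        "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "event": m["event"],
        "user": m["user"],
        "local": m["local"],
        "remote": m["remote"],
    }


def summarize(lines, year=2004):
    """Aggregate connects and connected seconds per (user, remote)."""
    open_conns = {}  # local socket -> time it connected
    stats = defaultdict(lambda: {"connects": 0, "seconds": 0.0})
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        key = (rec["user"], rec["remote"])
        if rec["event"] == "connect":
            stats[key]["connects"] += 1
            open_conns[rec["local"]] = rec["ts"]
        else:
            started = open_conns.pop(rec["local"], None)
            if started is not None:  # ignore a disconnect we never saw open
                stats[key]["seconds"] += (rec["ts"] - started).total_seconds()
    return dict(stats)


def flag_repeats(stats, min_connects=3):
    """Keys that reconnected at least min_connects times, busiest first."""
    hits = [k for k, v in stats.items() if v["connects"] >= min_connects]
    return sorted(hits, key=lambda k: stats[k]["connects"], reverse=True)


# Constructed sample: the first two lines are the pair quoted in the post,
# the rest are made up (192.0.2.10 is documentation address space).
SAMPLE_LOG = """\
Jul  1 22:27:03 drookenstein tcpspy[1096]: connect: user root, local 67.39.201.108:33051, remote 66.35.250.210:www
Jul  1 22:27:06 drookenstein tcpspy[1096]: disconnect: user root, local 67.39.201.108:33051, remote 66.35.250.210:www
Jul  1 22:27:07 drookenstein tcpspy[1096]: connect: user root, local 67.39.201.108:33052, remote 66.35.250.210:www
Jul  1 22:27:09 drookenstein tcpspy[1096]: disconnect: user root, local 67.39.201.108:33052, remote 66.35.250.210:www
Jul  1 22:27:10 drookenstein tcpspy[1096]: connect: user root, local 67.39.201.108:33053, remote 66.35.250.210:www
Jul  1 22:27:15 drookenstein tcpspy[1096]: disconnect: user root, local 67.39.201.108:33053, remote 66.35.250.210:www
Jul  1 22:28:00 drookenstein tcpspy[1096]: connect: user drook, local 67.39.201.108:40001, remote 192.0.2.10:ssh
Jul  1 22:28:00 drookenstein sshd[2001]: Accepted publickey for drook from 192.0.2.10 port 51022 ssh2
""".splitlines()


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for (user, remote), v in sorted(stats.items()):
        print(f"{user:8} {remote:24} connects={v['connects']:3} "
              f"seconds={v['seconds']:6.1f}")
    for key in flag_repeats(stats):
        print("repeat connector:", key)
```

Two things the output makes explicit that the raw lines do not: in each record the local side is the ephemeral port and the remote side is port www, so these are outbound client connections from drookenstein to the sourceforge host, not inbound probes; and tcpspy records the UID that owned the socket, not the process. To get from "root" to a program name, catch the connection while it is open with `ss -tnp` (or `netstat -tnp` / `lsof -i -n -P`) as root, or line the timestamps up against cron and any package-update jobs that run as root.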
Think about it.
What process runs as root, is a listening process, and runs things based on that info?

inetd or xinetd. It may listen, but won't respond.

Oh, someone or something was looking for the "t0rn rootkit", which happens to listen on 33051 if available or 2222 if not.

Also:
host -t ptr 66.35.250.210
210.250.35.66.in-addr.arpa is an alias for 210.0/24.250.35.66.in-addr.arpa.
210.0/24.250.35.66.in-addr.arpa domain name pointer vhost.sourceforge.net.


Kinda explains it; might be a service that is checking for the rootkits.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

Heard near the SCOG employee entry/exit way:

  Security: We got another Mass Exodus Doorway Jam.
I suspected it's something looking/trying a rootkit
But the addy returns as sourceforge. I hope there's nothing in their range trying to root people.

Time to start learning about security and install a firewall.
===

Implicitly condoning stupidity since 2001.
Time to START? You'll have to change your sig, then. ;)
Looked at my firewall log
In one hour:

SQL Server worm
Bagle/Beagle rootkit
Windows Messenger Spam
Sasser
Backdoor.CrashCool
Netbios attack (don't know which)
SMTP attempts from Korea.

Oh, that hurts.
--

"...was poorly, lugubrious and intoxicated."

-- Patrick O'Brian, "Master and Commander"