[Techtalk] Port question

James Sutherland james at deadnode.org
Wed Oct 29 07:59:55 UTC 2014


On Wed, Oct 29, 2014, at 04:51 AM, mgmonza at sdf.lonestar.org wrote:
> Hi, all,
> 
> I'm afraid this is a pretty basic question, but here goes:
> 
> I may have picked up some kind of intruder, or even intruders, who has 
> taken over a lot of the higher numbered ports on my Ubuntu box.
> 
> A representative set of lines from iftop look like this:
> (none of these ip addresses is mine)
> 
> none.local:35930                => iad23s07-in-f1.1e100.net:www        0b 
> none.local:43850                => yk-in-f101.1e100.net:www            0b 
> none.local:33935                => 67.220.127.199:https                0b

Those are all *outgoing* connections: you connected to ports 80 ("www")
and 443 ("https") of those machines. (Well, technically it would be
possible for those web servers to have connected to you, but that would
be very unusual in many ways.)

1e100 is a very large number known as a Googol, and 1e100.net is the
domain Google uses for all their back-end systems. So, those first two
entries are connections from your machine to Google's web servers:
nothing suspicious about that.

The third entry, 67.220.127.199, is the North Carolina State Library.

(snip)
> Updated to add: just did a search on "close ports in Linux" and was about 
> to open one of the links returned, when that whole set in Icecat shut 
> down.  Now I'm really depressed - looks like it may be worse than I 
> thought.

Don't be depressed: all these entries indicate is that you use a Google
web service and were doing something on the NC State Library system!


James.
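
Added example, not part of the original message: a small shell/awk filter that applies the reasoning in the reply above to iftop-style lines, labelling a connection "outgoing" when the local port is ephemeral and the remote port is a named or low-numbered service, and "incoming" in the reverse case. The function names, the default ephemeral range 32768-60999 (the Linux default; check `sysctl net.ipv4.ip_local_port_range`) and the fourth sample line are assumptions made for the example.

```shell
#!/bin/sh
# Classify iftop-style "local:port => remote:port" lines by likely direction.
# Assumption: ephemeral range 32768-60999 unless overridden by $1 and $2.

classify_iftop() {
    # stdin: iftop lines; stdout: "<direction> <local endpoint> <remote endpoint>"
    awk -v lo="${1:-32768}" -v hi="${2:-60999}" '
    # kind(): "eph" = port in the ephemeral range, "svc" = named service
    # (www, https, ...) or port below 1024, "other" = anything else.
    function kind(p) {
        if (p !~ /^[0-9]+$/) return "svc"
        if (p + 0 >= lo + 0 && p + 0 <= hi + 0) return "eph"
        if (p + 0 < 1024) return "svc"
        return "other"
    }
    # port(): text after the last colon, so IPv6 endpoints also work.
    function port(ep,   n, parts) {
        n = split(ep, parts, ":")
        return parts[n]
    }
    $2 == "=>" {
        l = kind(port($1)); r = kind(port($3))
        if (l == "eph" && r == "svc")      d = "outgoing"
        else if (l == "svc" && r == "eph") d = "incoming"
        else                               d = "unclear"
        print d, $1, $3
    }'
}

sample_lines() {
    # First three lines are the ones quoted in the message; the fourth is
    # constructed (documentation address) to show the incoming case.
    cat <<'EOF'
none.local:35930                => iad23s07-in-f1.1e100.net:www        0b
none.local:43850                => yk-in-f101.1e100.net:www            0b
none.local:33935                => 67.220.127.199:https                0b
none.local:ssh                  => 203.0.113.5:51514                   0b
EOF
}

sample_lines | classify_iftop
```

Lines labelled "incoming" or "unclear" are the ones worth a closer look, for instance by checking which local process owns the listening port.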

