
How to use /usr/sbin/iptstate command


colin...@gmail.com

Oct 1, 2012, 3:35:11 PM
I have been trying to understand some port issues.

First:
I like the command /usr/sbin/iptstate,
but I only want to look at one address, e.g. 10.1.0.52.
I can't seem to see how to filter on just this address so that I only see it.

Second, I have run this command and found tons of the following...
10.1.0.52,139 5.190.107.130,2504 tcp ESTABLISHED 71:57:27
10.1.0.52,139 5.190.107.130,4608 tcp ESTABLISHED 88:08:17
10.1.0.52,139 5.190.107.130,4160 tcp ESTABLISHED 108:34:24
10.1.0.52,139 5.190.107.130,3125 tcp ESTABLISHED 118:15:26
10.1.0.52,139 5.190.107.130,1175 tcp ESTABLISHED 112:22:23
10.1.0.52,139 5.190.107.130,1748 tcp ESTABLISHED 80:02:52
10.1.0.52,139 5.190.107.130,1516 tcp ESTABLISHED 112:34:50
10.1.0.52,139 5.190.107.130,2015 tcp ESTABLISHED 85:27:28
10.1.0.52,139 5.190.107.130,2273 tcp ESTABLISHED 63:14:47
10.1.0.52,139 5.190.107.130,3237 tcp ESTABLISHED 101:14:18
10.1.0.52,139 5.190.107.130,2411 tcp ESTABLISHED 114:38:56
10.1.0.52,139 5.190.107.130,1058 tcp ESTABLISHED 59:13:26
10.1.0.52,139 5.190.107.130,3676 tcp ESTABLISHED 91:09:53
10.1.0.52,139 5.190.107.130,3925 tcp ESTABLISHED 108:25:34


One note I saw said that if you see a lot of these you might have a worm. The .52 is a Windows XP computer using the Linux computer as a gateway (the one I ran the iptables command on). I have tried to track the IP 5.190.107.130 but it doesn't seem bad, e.g. no one has reported it. But it also seems to be somewhere in the Middle East (a questionable place).
Regards

Jorgen Grahn

Oct 1, 2012, 5:08:59 PM
On Mon, 2012-10-01, colin...@gmail.com wrote:
> I have been trying to understand some port issues.
>
> First:
> I like the command /usr/sbin/iptstate,
> but I only want to look at one address, e.g. 10.1.0.52.
> I can't seem to see how to filter on just this address so that I only see it.

man grep

If you maintain a Linux machine, you really need to learn basic
Unix/Linux usage. Highly recommended!

> Second, I have run this command and found tons of the following...
> 10.1.0.52,139 5.190.107.130,2504 tcp ESTABLISHED 71:57:27
> 10.1.0.52,139 5.190.107.130,4608 tcp ESTABLISHED 88:08:17
> 10.1.0.52,139 5.190.107.130,4160 tcp ESTABLISHED 108:34:24
> 10.1.0.52,139 5.190.107.130,3125 tcp ESTABLISHED 118:15:26
...

> One note I saw said that if you see a lot of these you might have a
> worm. The .52 is a Windows XP computer using the Linux computer as a
> gateway (the one I ran the iptables command on). I have tried to
> track the IP 5.190.107.130 but it doesn't seem bad, e.g. no one has
> reported it.

% grep 139 /etc/services
netbios-ssn 139/tcp

That's SMB and other Windows services -- things you're supposed to use
on a LAN. I assume (I don't know Windows) they are not encrypted,
either. Having successful connections from foreign networks is
probably a very Bad Thing.

Tell someone in your organization who's responsible for security
and knows his/her job. This is important.

> But it also seems to be somewhere in the Middle East (a
> questionable place).

It's in Iran. Lots of decent people live there.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
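Both questions in the thread, filtering iptstate output down to one host and deciding whether those port 139 sessions deserve attention, as an added shell example; this is not code from any of the posters. The sample lines are constructed to look like iptstate output, the 203.0.113.8 peer is a documentation address, and the check assumes the LAN uses RFC 1918 space.

```shell
#!/bin/sh
# Constructed sample of iptstate-style output (not captured from the poster's gateway):
# source, destination, protocol, state, TTL. 203.0.113.8 (documentation range)
# stands in for a second "outside" host.
SAMPLE='10.1.0.52,139 5.190.107.130,2504 tcp ESTABLISHED 71:57:27
10.1.0.52,139 5.190.107.130,4608 tcp ESTABLISHED 88:08:17
10.1.0.52,445 10.1.0.7,50123 tcp ESTABLISHED 00:10:02
10.1.0.52,3389 10.1.0.9,51010 tcp ESTABLISHED 01:02:03
10.1.0.9,53 8.8.8.8,53 udp 00:00:29
203.0.113.8,1111 10.1.0.52,139 tcp ESTABLISHED 02:00:00'

# Question 1: keep only entries where one endpoint is exactly the given address.
# A plain "grep 10.1.0.5" would also match 10.1.0.52 (and "." matches any character);
# comparing the parsed address avoids that.
filter_host() {
    awk -v h="$1" '{ split($1, a, ","); split($2, b, ",")
                     if (a[1] == h || b[1] == h) print }'
}

# Question 2: flag established TCP sessions on the Windows sharing ports
# (139 netbios-ssn, 445 microsoft-ds) whose other end is not an RFC 1918 address.
# Either column may be the service side, so both orderings are checked.
# Output: service_endpoint peer_endpoint ttl
flag_external_smb() {
    awk '
    function is_private(ip,  o) {
        split(ip, o, ".")
        return (o[1] == 10) || (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
               (o[1] == 192 && o[2] == 168)
    }
    $3 == "tcp" && $4 == "ESTABLISHED" {
        split($1, a, ","); split($2, b, ",")
        if (a[2] == 139 || a[2] == 445)      { svc = $1; peer = b[1]; pe = $2 }
        else if (b[2] == 139 || b[2] == 445) { svc = $2; peer = a[1]; pe = $1 }
        else next
        if (!is_private(peer)) print svc, pe, $5
    }'
}

# Summarise hits per external peer: many long-lived sessions from one
# outside address is exactly the pattern the thread is worried about.
count_by_peer() {
    awk '{ split($2, p, ","); c[p[1]]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

printf '%s\n' "$SAMPLE" | filter_host 10.1.0.52
printf '%s\n' "$SAMPLE" | flag_external_smb | count_by_peer
```

On a live gateway, replace the `printf` with `iptstate -1` (single-run mode) piped into the same functions; the LAN-only 445 session in the sample is deliberately not flagged.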

Tauno Voipio

Oct 2, 2012, 1:29:14 AM
You should close the Microsoft sharing ports (including TCP and UDP 139)
to the outside world. If this is a Windows computer, the details do
not belong in a Linux networking group.

--

Tauno Voipio
