netstat shows 206.14.213.193.stat:www from rbot.


Ant

May 20, 2010, 3:59:56 PM
to rbot
I noticed rbot is using a connection to 206.14.213.193 with stat:www
like this, and it never seems to go away:
tcp 1 0 MyBox:4584 206.14.213.193.stat:www CLOSE_WAIT

$ netstat -p
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 MyBox:1105 [deleted its location]:ircd ESTABLISHED 5659/ruby
tcp 0 0 MyBox:ssh [deleted its location]:43665 ESTABLISHED -
tcp 1 0 MyBox:4584 206.14.213.193.stat:www CLOSE_WAIT 5659/ruby

It seems to happen when I start up rbot based on tshark sniffing like:
# tshark |grep 206.14.213.193
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
24.514898 208.67.222.222 -> 192.168.0.46 DNS Standard query response A 206.14.213.193
24.515001 192.168.0.46 -> 206.14.213.193 TCP ies-lm > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 WS=6
24.645888 206.14.213.193 -> 192.168.0.46 TCP http > ies-lm [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=0
24.645921 192.168.0.46 -> 206.14.213.193 TCP ies-lm > http [ACK] Seq=1 Ack=1 Win=5888 Len=0
24.646308 192.168.0.46 -> 206.14.213.193 HTTP GET /amitext/indexUTF8.jsp HTTP/1.1
24.739081 206.14.213.193 -> 192.168.0.46 TCP http > ies-lm [ACK] Seq=1 Ack=307 Win=6432 Len=0
24.756937 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
24.756957 192.168.0.46 -> 206.14.213.193 TCP ies-lm > http [ACK] Seq=307 Ack=1461 Win=8768 Len=0
24.757168 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
24.757198 192.168.0.46 -> 206.14.213.193 TCP ies-lm > http [ACK] Seq=307 Ack=2921 Win=11712 Len=0
24.849264 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
24.849341 192.168.0.46 -> 206.14.213.193 TCP ies-lm > http [ACK] Seq=307 Ack=4381 Win=14656 Len=0
24.850189 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
24.850260 192.168.0.46 -> 206.14.213.193 TCP ies-lm > http [ACK] Seq=307 Ack=5841 Win=17536 Len=0
24.850576 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
24.850618 192.168.0.46 -> 206.14.213.193 TCP ies-lm > http [ACK] Seq=307 Ack=7301 Win=20480 Len=0
24.851272 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
24.851328 192.168.0.46 -> 206.14.213.193 TCP ies-lm > http [ACK] Seq=307 Ack=8761 Win=23360 Len=0
24.942993 206.14.213.193 -> 192.168.0.46 HTTP HTTP/1.1 200 OK (text/html)
24.943062 192.168.0.46 -> 206.14.213.193 TCP ies-lm > http [ACK] Seq=307 Ack=9049 Win=26304 Len=0

I see ies-lm is connecting to http://206.14.213.193/amitext/indexUTF8.jsp
which is showing http://206.14.213.193/error/images/error_technical.gif
graphic with "The translation of this page cannot be displayed. Please
try again later. <asian characters>" message.

I also noticed different results for each startup like:
2261.662882 208.67.222.222 -> 192.168.0.46 DNS Standard query response A 206.14.213.193
2261.663011 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 WS=6
2261.773652 206.14.213.193 -> 192.168.0.46 TCP http > clvm-cfg [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=0
2261.773707 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=1 Ack=1 Win=5888 Len=0
2261.774219 192.168.0.46 -> 206.14.213.193 HTTP GET /amitext/indexUTF8.jsp HTTP/1.1
2261.909904 206.14.213.193 -> 192.168.0.46 TCP http > clvm-cfg [ACK] Seq=1 Ack=307 Win=6432 Len=0
2261.921882 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
2261.921903 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=307 Ack=1461 Win=8768 Len=0
2261.922110 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
2261.922128 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=307 Ack=2921 Win=11712 Len=0
2262.047047 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
2262.047134 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=307 Ack=4381 Win=14656 Len=0
2262.047270 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
2262.047287 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=307 Ack=5841 Win=17536 Len=0
2262.047715 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
2262.047754 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=307 Ack=7301 Win=20480 Len=0
2262.048408 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
2262.048466 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=307 Ack=8761 Win=23360 Len=0
2262.197622 206.14.213.193 -> 192.168.0.46 HTTP HTTP/1.1 200 OK (text/html)
2262.197700 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=307 Ack=9051 Win=26304 Len=0
2278.365465 206.14.213.193 -> 192.168.0.46 TCP http > clvm-cfg [FIN, ACK] Seq=9051 Ack=307 Win=6432 Len=0
2278.402794 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=307 Ack=9052 Win=26304 Len=0

# tshark |grep 206.14.213.193
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
12.073852 208.67.222.222 -> 192.168.0.46 DNS Standard query response A 206.14.213.193
12.073971 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 WS=6
12.195214 206.14.213.193 -> 192.168.0.46 TCP http > 4908 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=0
12.195242 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0
12.199448 192.168.0.46 -> 206.14.213.193 HTTP GET /amitext/indexUTF8.jsp HTTP/1.1
12.294031 206.14.213.193 -> 192.168.0.46 TCP http > 4908 [ACK] Seq=1 Ack=307 Win=6432 Len=0
12.513059 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
12.513087 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=307 Ack=1461 Win=8768 Len=0
12.513287 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
12.513305 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=307 Ack=2921 Win=11712 Len=0
12.609024 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
12.609122 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=307 Ack=4381 Win=14656 Len=0
12.609450 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
12.609483 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=307 Ack=5841 Win=17536 Len=0
12.611052 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
12.611116 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=307 Ack=7301 Win=20480 Len=0
12.612656 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
12.612710 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=307 Ack=8761 Win=23360 Len=0
12.713711 206.14.213.193 -> 192.168.0.46 HTTP HTTP/1.1 200 OK (text/html)
12.713772 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=307 Ack=9048 Win=26304 Len=0
29.269514 206.14.213.193 -> 192.168.0.46 TCP http > 4908 [FIN, ACK] Seq=9048 Ack=307 Win=6432 Len=0
29.306973 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=307 Ack=9049 Win=26304 Len=0


77.292568 206.14.213.193 -> 192.168.0.46 TCP [TCP ACKed lost segment] http > 4908 [RST, ACK] Seq=849780245 Ack=52306957 Win=0 Len=3
132.986019 192.168.0.46 -> 206.14.213.193 TCP checksum > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 WS=6
133.083871 206.14.213.193 -> 192.168.0.46 TCP http > checksum [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=0
133.083951 192.168.0.46 -> 206.14.213.193 TCP checksum > http [ACK] Seq=1 Ack=1 Win=5888 Len=0
133.084583 192.168.0.46 -> 206.14.213.193 HTTP GET /amitext/indexUTF8.jsp HTTP/1.1
133.184581 206.14.213.193 -> 192.168.0.46 TCP http > checksum [ACK] Seq=1 Ack=323 Win=6432 Len=0
133.312646 206.14.213.193 -> 192.168.0.46 HTTP HTTP/1.1 500 Internal Server Error (text/html)
133.312664 192.168.0.46 -> 206.14.213.193 TCP checksum > http [ACK] Seq=323 Ack=715 Win=7296 Len=0
133.312648 206.14.213.193 -> 192.168.0.46 TCP http > checksum [FIN, ACK] Seq=715 Ack=323 Win=6432 Len=0
133.313980 192.168.0.46 -> 206.14.213.193 TCP checksum > http [FIN, ACK] Seq=323 Ack=716 Win=7296 Len=0
133.470828 206.14.213.193 -> 192.168.0.46 TCP http > checksum [ACK] Seq=716 Ack=324 Win=6432 Len=0
146.033509 192.168.0.46 -> 206.14.213.193 TCP cadsi-lm > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 WS=6
146.127439 206.14.213.193 -> 192.168.0.46 TCP http > cadsi-lm [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=0
146.127519 192.168.0.46 -> 206.14.213.193 TCP cadsi-lm > http [ACK] Seq=1 Ack=1 Win=5888 Len=0
146.128150 192.168.0.46 -> 206.14.213.193 HTTP GET /error/images/error_technical.gif HTTP/1.1
146.242642 206.14.213.193 -> 192.168.0.46 TCP http > cadsi-lm [ACK] Seq=1 Ack=334 Win=6432 Len=0
146.244761 206.14.213.193 -> 192.168.0.46 TCP [TCP segment of a reassembled PDU]
146.244780 192.168.0.46 -> 206.14.213.193 TCP cadsi-lm > http [ACK] Seq=334 Ack=1461 Win=8768 Len=0
146.244789 206.14.213.193 -> 192.168.0.46 HTTP HTTP/1.1 200 OK (GIF89a)
146.244800 192.168.0.46 -> 206.14.213.193 TCP cadsi-lm > http [ACK] Seq=334 Ack=1742 Win=11712 Len=0
146.288692 192.168.0.46 -> 206.14.213.193 TCP cadsi-lm > http [FIN, ACK] Seq=334 Ack=1742 Win=11712 Len=0
146.408189 206.14.213.193 -> 192.168.0.46 TCP http > cadsi-lm [FIN, ACK] Seq=1742 Ack=335 Win=6432 Len=0
146.408276 192.168.0.46 -> 206.14.213.193 TCP cadsi-lm > http [ACK] Seq=335 Ack=1743 Win=11712 Len=0

!version showed: "I'm a v. 0.9.15-git (master branch, revision 43fe51c
[Survive active_support idiocy], 4 files changed) [8 days, 7 hours, 14
minutes and 25 seconds ago] rubybot, (c) Tom Gilbert and the rbot
development team - http://ruby-rbot.org".

What's up with this? Thank you in advance. :)


Ant

May 20, 2010, 4:38:21 PM
to rbot
I found out more. translator.rb's http://nifty.amikai.com/amitext/indexUTF8.jsp
seems to be broken.

Is this server broken? I tried going to that URL directly, but it
didn't seem to work. Rbot's as well:
[01:29pm] <WorkerAnt> !nifty en ja ant
01:29PM <Bender> WorkerAnt: Translation not available

I e-mailed yaoha...@gmail.com about this as well. This needs to be
fixed/removed. :(
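
An added example, not part of the thread and not rbot code: CLOSE_WAIT means the peer has sent its FIN and the local application has not yet closed its own socket, which is what the capture in the first post shows when the server's [FIN, ACK] is answered only with an [ACK]. The Ruby sketch below classifies connections from tshark summary lines to spot that pattern; the sample lines are excerpted from the capture quoted above, and the function and constant names are hypothetical.

```ruby
# Added example, not rbot code. CAPTURE holds lines excerpted from the tshark
# runs quoted in the first post (wrapped lines rejoined); LOCAL is the
# capturing host's address as it appears there.
LOCAL = "192.168.0.46"
CAPTURE = <<~EOS
  2261.663011 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 WS=6
  2278.365465 206.14.213.193 -> 192.168.0.46 TCP http > clvm-cfg [FIN, ACK] Seq=9051 Ack=307 Win=6432 Len=0
  2278.402794 192.168.0.46 -> 206.14.213.193 TCP clvm-cfg > http [ACK] Seq=307 Ack=9052 Win=26304 Len=0
  29.269514 206.14.213.193 -> 192.168.0.46 TCP http > 4908 [FIN, ACK] Seq=9048 Ack=307 Win=6432 Len=0
  29.306973 192.168.0.46 -> 206.14.213.193 TCP 4908 > http [ACK] Seq=307 Ack=9049 Win=26304 Len=0
  77.292568 206.14.213.193 -> 192.168.0.46 TCP [TCP ACKed lost segment] http > 4908 [RST, ACK] Seq=849780245 Ack=52306957 Win=0 Len=3
  133.312648 206.14.213.193 -> 192.168.0.46 TCP http > checksum [FIN, ACK] Seq=715 Ack=323 Win=6432 Len=0
  133.313980 192.168.0.46 -> 206.14.213.193 TCP checksum > http [FIN, ACK] Seq=323 Ack=716 Win=7296 Len=0
  133.470828 206.14.213.193 -> 192.168.0.46 TCP http > checksum [ACK] Seq=716 Ack=324 Win=6432 Len=0
EOS

TCP_LINE = /^\s*[\d.]+ (\S+) -> (\S+) TCP (?:\[[^\]]*\] )?(\S+) > (\S+) \[([A-Z, ]+)\]/

# Returns { "localport -> remote:port" => :open | :close_wait | :closed | :reset }
def connection_states(capture, local)
  seen = Hash.new { |h, k| h[k] = { local_fin: false, peer_fin: false, reset: false } }
  capture.each_line do |line|
    m = TCP_LINE.match(line)
    next unless m                      # DNS, HTTP and reassembly lines carry no flags
    src, dst, sport, dport, flags = m.captures
    outbound = (src == local)
    key = outbound ? "#{sport} -> #{dst}:#{dport}" : "#{dport} -> #{src}:#{sport}"
    flags = flags.split(", ")
    seen[key][:reset] = true if flags.include?("RST")
    seen[key][outbound ? :local_fin : :peer_fin] = true if flags.include?("FIN")
  end
  seen.transform_values do |c|
    if c[:reset] then :reset                          # torn down by an RST
    elsif c[:local_fin] && c[:peer_fin] then :closed  # both sides sent FIN
    elsif c[:peer_fin] then :close_wait               # peer closed, local app has not
    else :open
    end
  end
end

# Connections the peer closed but the local process is still holding open.
def half_closed(capture, local)
  connection_states(capture, local).select { |_, state| state == :close_wait }.keys
end

connection_states(CAPTURE, LOCAL).each { |conn, state| puts "#{conn}: #{state}" }
```

On these lines the clvm-cfg connection is the one left half-closed, matching the CLOSE_WAIT entry netstat attributes to the ruby process.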