[opensuse] what is this traffic on my eth0?
Hello,

All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open... I logged out and in again, had less, but still have traffic (see below). I see google, blogger, linkedin, my own website, many more etc. How come?

Is this something I should worry about?

I don't have any idea about network etc., but maybe the listing below says something to somebody who has?

Thanks for hints!
Daniel
tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:29:17.892834 IP 192.168.1.36.54051 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 55122+ A? img1.blogblog.com. (35)
12:29:17.893468 IP 192.168.1.36.57780 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 24803+ PTR? 36.1.168.192.in-addr.arpa. (43)
12:29:17.929639 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.54051: 55122 2/0/0 CNAME blogger.l.google.com., A 173.194.66.191 (82)
12:29:17.929756 IP 192.168.1.36.46637 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 7321+ A? img2.blogblog.com. (35)
12:29:17.931315 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.57780: 24803 NXDomain* 0/1/0 (102)
12:29:17.966284 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.46637: 7321 2/0/0 CNAME blogger.l.google.com., A 74.125.206.191 (82)
12:29:17.966471 IP 192.168.1.36.38370 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 22323+ A? www.blogger.com. (33)
12:29:18.000919 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.38370: 22323 2/0/0 CNAME blogger.l.google.com., A 173.194.66.191 (80)
12:29:21.261728 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:29:21.262031 IP 192.168.1.36.43978 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 34441+ PTR? 1.1.168.192.in-addr.arpa. (42)
12:29:21.298464 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43978: 34441 NXDomain 0/1/0 (119)
12:29:21.950746 IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48
12:29:21.951081 IP 192.168.1.36.58377 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 14687+ PTR? 33.202.117.163.in-addr.arpa. (45)
12:29:21.987356 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.58377: 14687 1/0/0 PTR guti.uc3m.es. (71)
12:29:21.995901 IP guti.uc3m.es.ntp > 192.168.1.36.ntp: NTPv4, Server, length 48
12:29:22.904589 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:29:22.904976 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:29:32.264629 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:29:32.264943 IP 192.168.1.36.47458 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 58833+ PTR? 255.1.168.192.in-addr.arpa. (44)
12:29:32.301324 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.47458: 58833 NXDomain* 0/1/0 (103)
12:29:33.001399 IP 192.168.1.36.43151 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 16752+ A? labs.domaintools.com. (38)
12:29:33.071888 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43151: 16752 1/0/0 A 199.30.228.83 (54)
12:29:33.072075 IP 192.168.1.36.51057 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 2316+ A? www.inteligentcomp.com. (40)
12:29:33.176330 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.51057: 2316 3/0/0 CNAME ghs.google.com., CNAME ghs.l.google.com., A 173.194.66.121 (101)
12:29:33.176486 IP 192.168.1.36.58612 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 37971+ PTR? 199.49.26.217.in-addr.arpa. (44)
12:29:33.211630 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.58612: 37971 1/0/0 PTR imap.mail.hostpoint.ch. (80)
12:29:36.263301 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:29:36.984661 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:36.984956 IP 192.168.1.36.56713 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 48073+ PTR? 250.255.255.239.in-addr.arpa. (46)
12:29:37.020628 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.56713: 48073 NXDomain 0/1/0 (103)
12:29:37.084505 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 299
12:29:37.184685 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 371
12:29:37.284520 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.384695 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 347
12:29:37.484501 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.584672 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 367
12:29:37.684497 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.784658 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 347
12:29:37.984639 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 363
12:29:38.084811 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 379
12:29:38.184649 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 363
12:29:38.284809 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 361
12:29:38.384633 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 377
12:29:48.212084 IP 192.168.1.36.42014 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 35763+ A? whois.domaintools.com. (39)
12:29:48.285337 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.42014: 35763 2/0/0 CNAME whois.domaintools.com.c.footprint.net., A 8.247.6.160 (106)
12:29:48.285534 IP 192.168.1.36.45337 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 59863+ A? ettercap.sf.net. (33)
12:29:48.363848 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.45337: 59863 1/0/0 A 216.34.181.96 (49)
12:29:48.364026 IP 192.168.1.36.49004 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 59233+ A? www.daniel-bauer.com. (38)
12:29:48.519073 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.49004: 59233 1/0/0 A 217.26.50.29 (54)
12:29:51.262713 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:02.264601 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:30:03.519587 IP 192.168.1.36.57927 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 45024+ A? linkedin.com. (30)
12:30:03.554148 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.57927: 45024 1/0/0 A 216.52.242.86 (46)
12:30:06.263232 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:08.536678 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:30:08.537079 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:30:21.263706 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:32.266592 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:30:33.554870 IP 192.168.1.36.33980 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 20740+ PTR? 84.67.194.173.in-addr.arpa. (44)
12:30:33.589164 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.33980: 20740 1/0/0 PTR wi-in-f84.1e100.net. (77)
12:30:33.589355 IP 192.168.1.36.57673 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 46372+ A? www.inteligentcomp.com. (40)
12:30:33.625683 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.57673: 46372 3/0/0 CNAME ghs.google.com., CNAME ghs.l.google.com., A 173.194.66.121 (101)
12:30:33.625856 IP 192.168.1.36.43331 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 56039+ PTR? 208.217.245.63.in-addr.arpa. (45)
12:30:33.696940 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43331: 56039 1/0/0 PTR sync02.phx.services.mozilla.com. (90)
12:30:33.697112 IP 192.168.1.36.39176 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 38932+ PTR? 23.41.194.173.in-addr.arpa. (44)
12:30:33.733580 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.39176: 38932 1/0/0 PTR mad01s14-in-f23.1e100.net. (83)
12:30:33.733747 IP 192.168.1.36.41130 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 42042+ PTR? 228.41.194.173.in-addr.arpa. (45)
12:30:33.769881 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.41130: 42042 1/0/0 PTR mad01s15-in-f4.1e100.net. (83)
12:30:33.770048 IP 192.168.1.36.50991 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 2430+ PTR? 139.253.215.67.in-addr.arpa. (45)
12:30:33.805512 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.50991: 2430 1/0/0 PTR 1.counter.a.statcounter.com. (86)
12:30:33.805680 IP 192.168.1.36.48923 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 38159+ PTR? 29.50.26.217.in-addr.arpa. (43)
12:30:33.909179 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.48923: 38159 1/0/0 PTR www.daniel-bauer.com. (77)
12:30:33.909316 IP 192.168.1.36.42281 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 33172+ PTR? 3.41.194.173.in-addr.arpa. (43)
12:30:33.944897 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.42281: 33172 1/0/0 PTR mad01s14-in-f3.1e100.net. (81)
12:30:33.945026 IP 192.168.1.36.43238 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 62285+ PTR? 41.34.194.173.in-addr.arpa. (44)
12:30:33.980957 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43238: 62285 1/0/0 PTR par03s03-in-f9.1e100.net. (82)
12:30:33.981085 IP 192.168.1.36.47322 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 57773+ PTR? 248.34.194.173.in-addr.arpa. (45)
12:30:34.017930 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.47322: 57773 1/0/0 PTR mad01s09-in-f24.1e100.net. (84)
12:30:34.018062 IP 192.168.1.36.47332 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 49187+ PTR? 234.34.194.173.in-addr.arpa. (45)
12:30:34.054564 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.47332: 49187 1/0/0 PTR mad01s09-in-f10.1e100.net. (84)
12:30:36.265199 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:49.055056 IP 192.168.1.36.39989 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 15001+ A? 1.gravatar.com. (32)
12:30:49.091464 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.39989: 15001 2/0/0 CNAME cs91.wac.edgecastcdn.net., A 68.232.35.121 (86)
12:30:51.264657 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:54.072671 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:30:54.073052 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:31:02.266585 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:31:06.265150 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:31:21.265653 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:31:32.268546 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:31:34.092677 IP 192.168.1.36.51976 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 4676+ A? www.inteligentcomp.com. (40)
12:31:34.128480 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.51976: 4676 3/0/0 CNAME ghs.google.com., CNAME ghs.l.google.com., A 173.194.66.121 (101)
12:31:36.267176 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
^C
93 packets captured
93 packets received by filter
0 packets dropped by kernel
--
Daniel Bauer photographer Basel Barcelona
professional photography: http://www.daniel-bauer.com
google+: https://plus.google.com/109534388657020287386
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
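An added example, not part of the thread: a small Python summariser for a text capture like the one above. It separates what the host itself asked DNS for (A queries) from the PTR queries for in-addr.arpa names, which tcpdump generates on its own when run without -n (it resolves every address it prints, which is why a reverse lookup follows almost every new address here), and counts the router's IGMP/RIP/SSDP chatter. The sample lines are copied from the capture above; the regular expressions match tcpdump's default DNS decode format.

```python
"""Summarise a text tcpdump capture: what the host asked DNS for, which DNS
packets were only tcpdump's own reverse lookups, and what is LAN chatter."""
import re
from collections import Counter

# Constructed sample: ten lines copied from the capture in the post above,
# one packet per line, as `tcpdump -i eth0` prints them when run without -n.
SAMPLE = """\
12:29:17.892834 IP 192.168.1.36.54051 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 55122+ A? img1.blogblog.com. (35)
12:29:17.893468 IP 192.168.1.36.57780 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 24803+ PTR? 36.1.168.192.in-addr.arpa. (43)
12:29:17.929639 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.54051: 55122 2/0/0 CNAME blogger.l.google.com., A 173.194.66.191 (82)
12:29:21.261728 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:29:21.950746 IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48
12:29:21.951081 IP 192.168.1.36.58377 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 14687+ PTR? 33.202.117.163.in-addr.arpa. (45)
12:29:22.904589 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:29:32.264629 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:29:36.984661 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:48.285534 IP 192.168.1.36.45337 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 59863+ A? ettercap.sf.net. (33)
"""

TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
# Query: "...: 55122+ A? img1.blogblog.com. (35)"   ('+' = recursion desired)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)\+? "
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \((?P<len>\d+)\)$")
# Response: "...: 55122 2/0/0 CNAME x., A 1.2.3.4 (82)" or "...: 24803 NXDomain* 0/1/0 (102)";
# a/b/c are the answer/authority/additional record counts.
RESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)"
    r"(?: (?P<rcode>[A-Za-z]+)\*?)? (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
    r"(?P<rrs>.*)\((?P<len>\d+)\)$")
# Everything else in this capture is recognisable from a token in tcpdump's decode.
KEYWORDS = [("igmp", "igmp"), ("ntp", "NTPv4"), ("arp", "ARP,"),
            ("rip", "RIPv2"), ("ssdp", ".ssdp >")]


def reverse_name_to_ip(qname):
    """'36.1.168.192.in-addr.arpa' -> '192.168.1.36'; None if not a reverse name."""
    labels = qname.split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def parse_line(line):
    """Classify one tcpdump line into a dict with at least a 'kind' key."""
    m = QUERY_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "dns_query"
        rec["ip"] = reverse_name_to_ip(rec["qname"]) if rec["qtype"] == "PTR" else None
        return rec
    m = RESP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "dns_response"
        # "CNAME a., A 1.2.3.4" -> [("CNAME", "a."), ("A", "1.2.3.4")]
        rec["answers"] = [tuple(rr.strip().split(" ", 1))
                          for rr in rec["rrs"].split(",") if rr.strip()]
        return rec
    for kind, token in KEYWORDS:
        if token in line:
            return {"kind": kind, "raw": line}
    return {"kind": "other", "raw": line}


def summarize(capture):
    """Aggregate a capture: per-kind counts, forward names asked for, answers,
    and the reverse lookups tcpdump itself issues when not started with -n."""
    report = {"packets": 0, "by_kind": Counter(), "query_types": Counter(),
              "forward_queries": Counter(), "reverse_lookups": [], "answers": []}
    for line in capture.splitlines():
        line = line.strip()
        if not TS_RE.match(line):
            continue  # banner, "^C" and the packet-count footer
        rec = parse_line(line)
        report["packets"] += 1
        report["by_kind"][rec["kind"]] += 1
        if rec["kind"] == "dns_query":
            report["query_types"][rec["qtype"]] += 1
            if rec["ip"]:
                report["reverse_lookups"].append(rec["ip"])
            else:
                report["forward_queries"][rec["qname"]] += 1
        elif rec["kind"] == "dns_response":
            report["answers"].extend(rec["answers"])
    return report


def report_text(capture):
    r = summarize(capture)
    out = ["%d packets: %s" % (r["packets"], ", ".join(
        "%s=%d" % kv for kv in r["by_kind"].most_common()))]
    out.append("forward queries (what the host asked for): %s"
               % ", ".join(sorted(r["forward_queries"])))
    out.append("reverse lookups (tcpdump's own unless run with -n): %s"
               % ", ".join(r["reverse_lookups"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report_text(SAMPLE))
```

Feed it a real capture with `python3 summarise.py < capture.txt` after swapping SAMPLE for `sys.stdin.read()`; re-running tcpdump with -n makes the reverse lookups disappear from the wire altogether.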
On 07/05/2014 06:37 AM, Daniel Bauer wrote:
I don't have any idea about network etc., but maybe the listing below says something to somebody who has?
There's a lot of stuff there, but one thing stands out. The SSDP stuff is for multimedia multicasts. https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
On 05/07/14 06:37, Daniel Bauer wrote:
Hello,
All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open...
I logged out and in again, had less, but still have traffic (see below). I see google, blogger, linkedin, my own website, many more etc. How come?
Is this something I should worry about?
I don't have any idea about network etc., but maybe the listing below says something to somebody who has?
Thanks for hints!
Well, there are many applications that do http requests in the background. It may be your browser; for example, chrome/chromium will keep working in the background if you do not tell it to stop. Also, desktop applets might perform network activity.
(argh, sorry for pm...)

On 05.07.2014 16:42, Cristian Rodríguez wrote:
On 05/07/14 06:37, Daniel Bauer wrote:
Hello,
All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open...
I logged out and in again, had less, but still have traffic (see below). I see google, blogger, linkedin, my own website, many more etc. How come?
Is this something I should worry about?
I don't have any idea about network etc., but maybe the listing below says something to somebody who has?
Thanks for hints!
Well, there are many applications that do http requests in the background. It may be your browser; for example, chrome/chromium will keep working in the background if you do not tell it to stop.
I don't use chrome because it's connected to google, the most un-trustworthy organisation imaginable; "don't do nothing that's not evil"
Also, desktop applets might perform network activity.
But which one? I have not installed anything....
Daniel Bauer wrote:
(argh, sorry for pm...)
On 05.07.2014 16:42, Cristian Rodríguez wrote:
On 05/07/14 06:37, Daniel Bauer wrote:
Hello,
All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open...
I logged out and in again, had less, but still have traffic (see below). I see google, blogger, linkedin, my own website, many more etc. How come?
Is this something I should worry about?
I don't have any idea about network etc., but maybe the listing below says something to somebody who has?
Thanks for hints!
Well, there are many applications that do http requests in the background. It may be your browser; for example, chrome/chromium will keep working in the background if you do not tell it to stop.
I don't use chrome because it's connected to google, the most un-trustworthy organisation imaginable; "don't do nothing that's not evil"
Also, desktop applets might perform network activity.
But which one? I have not installed anything....
Try this. lsof will show both open files and network connections.

lsof -iTCP

This will show ONLY your network connections.
Hi Daniel,

(forgive the top-posting, I think it appropriate here)

I hate to even think it, but your computer "might" have been compromised. I had experience with this last month when I had an openSuSE 12.1 server rooted from China via Korea. I don't know what they were doing, but it had the net effect of launching a DOS against Google over port 53 (domain).

Take a look around at running processes using "top" and look for anything unusual, especially process names beginning with a ".". Also look in /etc/init.d for new/unusual entries. You might also find binaries in /boot that are used to restart the malware after booting. You might also see an edit of root's "history". I saw references to IptabLes and IptabLex. There's lots on Google about this, but no clear indication of the vulnerability. Here's one link:

http://lowendtalk.com/discussion/28795/vps-got-hacked-with-iptables-iptablex

Feel free to post a top printout, we might be able to notice something. In my case, the malware was rather crude, which made it easy to detect. That may not always be the case. If compromised, you'll need to slick and reinstall your box, since it can never be fully trusted again.

For the record, my compromised box had only anonymous ftp (vsftp) and ssh listening publicly. I used sshguard to block ssh password guesses, but it looks like they got in by supplying the root password correctly. The dedicated host provider had just moved the box to a new data center and had reset the root password, possibly an easy one to guess? If that's not what happened, ssh or vsftp may have a zero-day remote root vulnerability in the wild? I decommissioned the server since I really don't need it at this time.

Regards,
Lew

On 07/05/2014 03:37 AM, Daniel Bauer wrote:
Hello,
All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open...
I logged out and in again, had less, but still have traffic (see below). I see google, blogger, linkedin, my own website, many more etc. How come?
Is this something I should worry about?
I don't have any idea about network etc., but maybe the listing below says something to somebody who has?
Thanks for hints!
Daniel
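Two of the suggestions above, `lsof -iTCP` to see which process owns each connection and looking for process names that begin with a ".", can be done straight from /proc, which is where lsof gets the data. As an added example that is not from the thread, this Python script decodes /proc/net/tcp, maps each socket inode to the owning PID and command name, and flags dot-prefixed names; the /proc/net/tcp lines and the owner table are constructed samples (the established session reuses addresses from the capture above).

```python
"""Attribute TCP sockets to processes straight from /proc: the data that
`lsof -iTCP` reads, plus a check for dot-prefixed command names."""
import os
import struct

# Constructed sample of /proc/net/tcp as a little-endian (x86) kernel prints
# it: a listener on *:22 and a session 192.168.1.36:54051 -> 173.194.66.191:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18213 1 0000000000000000 100 0 0 10 0
   1: 2401A8C0:D323 BF42C2AD:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 30412 1 0000000000000000 20 4 30 10 -1
"""
# Constructed inode -> (pid, comm) table standing in for a live socket_owners() scan.
SAMPLE_OWNERS = {18213: (812, "sshd"), 30412: (4417, ".x-sync")}

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}


def decode_endpoint(hex_endpoint):
    """'2401A8C0:D323' -> '192.168.1.36:54051'.
    The kernel prints the IPv4 address as one 32-bit word in host byte order,
    so '<I' is right on little-endian hosts; use '>I' on big-endian ones."""
    addr_hex, port_hex = hex_endpoint.split(":")
    octets = struct.pack("<I", int(addr_hex, 16))
    return "%s:%d" % (".".join(str(b) for b in octets), int(port_hex, 16))


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp into dicts with readable endpoints, state, uid, inode."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns


def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, comm) by following every /proc/<pid>/fd/* link.
    Other users' processes are only visible when run as root."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open("%s/%s/comm" % (proc, pid)) as fh:
                comm = fh.read().strip()
            for fd in os.listdir("%s/%s/fd" % (proc, pid)):
                target = os.readlink("%s/%s/fd/%s" % (proc, pid, fd))
                if target.startswith("socket:["):
                    owners[int(target[8:-1])] = (int(pid), comm)
        except OSError:
            continue  # process exited meanwhile, or not ours to inspect
    return owners


def attribute(conns, owners):
    """Attach pid/comm to each connection and flag names beginning with '.'."""
    for c in conns:
        pid, comm = owners.get(c["inode"], (None, "?"))
        c["pid"], c["comm"] = pid, comm
        c["suspicious"] = comm.startswith(".")
    return conns


def report(conns):
    """One line per socket, most useful columns first."""
    return "\n".join(
        "%-11s %-22s %-22s uid=%-5d pid=%-6s %s%s" % (
            c["state"], c["local"], c["remote"], c["uid"], c["pid"], c["comm"],
            "   <-- dot-prefixed name, look closer" if c["suspicious"] else "")
        for c in conns)


if __name__ == "__main__":
    import sys
    if sys.argv[1:] == ["--live"]:           # real system: Linux, ideally as root
        with open("/proc/net/tcp") as fh:
            live = parse_proc_net_tcp(fh.read())
        print(report(attribute(live, socket_owners())))
    else:
        print(report(attribute(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_OWNERS)))
```

IPv6 sockets live in /proc/net/tcp6 with 128-bit addresses and are not decoded here; a socket whose inode has no owner in any /proc/<pid>/fd usually means the scan was not run as root.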
* Lew Wolfgang
Hi Daniel,
(forgive the top-posting, I think it appropriate here)
Instead, why not *just* post your reply and delete the repeated/full-quote which is available to anyone who wishes to see it w/o you posting it again.

Remember we still have members using metered/slow internet service, Carlos for one.

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
On 2014-07-05 18:53, Patrick Shanahan wrote:
* Lew Wolfgang
[07-05-14 12:47]: Hi Daniel,
(forgive the top-posting, I think it appropriate here)
Instead, why not *just* post your reply and delete the repeated/full-quote which is available to anyone who wishes to see it w/o you posting it again.
True. The only excuse is when using a mobile app which makes it very difficult to control the post.
Remember we still have members using metered/slow internet service, Carlos for one.
Yes, but not always, fortunately :-) Nowadays, only when not at home and using tethering to my mobile phone. Probably on vacation days ;-) However, I'm not the only one on slow/limited Internet.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 07/05/2014 10:28 AM, Carlos E. R. wrote:
On 2014-07-05 18:53, Patrick Shanahan wrote:
* Lew Wolfgang
[07-05-14 12:47]: Hi Daniel,
(forgive the top-posting, I think it appropriate here)
Instead, why not *just* post your reply and delete the repeated/full-quote which is available to anyone who wishes to see it w/o you posting it again.
True. The only excuse is when using a mobile app which makes it very difficult to control the post.
Hi Carlos,

As long as we're discussing it, I generally agree with editing replies. But my experience with using email lists for coordinating operational teams, network security for one, is to top post, leaving the content below for reference as operationally needed. If you bottom-post and don't edit, the "meat" of the message can be difficult to find, but if you do edit, you can carve needed references, possibly then requiring searching through previous messages that might not even be available at that time.

I considered that this message, as it relates to security, was important enough to top post. After all, it's not every day that we get what could be a remote-root ssh zero-day.

Regards,
Lew
Lew Wolfgang wrote:
On 07/05/2014 10:28 AM, Carlos E. R. wrote:
On 2014-07-05 18:53, Patrick Shanahan wrote:
* Lew Wolfgang
[07-05-14 12:47]: Hi Daniel,
(forgive the top-posting, I think it appropriate here)
Instead, why not *just* post your reply and delete the repeated/full-quote which is available to anyone who wishes to see it w/o you posting it again.
True. The only excuse is when using a mobile app which makes it very difficult to control the post.
Hi Carlos,
As long as we're discussing it, I generally agree with editing replies. But my experience with using email lists for coordinating operational teams,
I never saw people top-post routinely before the widespread use of MS Outhouse. Personally, I think top-posting impedes clear communication, because it completely discourages in-line comments among the lazy, who generally don't put much effort into communicating clearly to begin with.
network security for one, is to top post, leaving the content below for reference as operationally needed. If you bottom-post and don't edit,
That, I think is a special case. In general, I've yet to see anything outside of e-mail hold a convention of keeping records in reverse-chronological order, or that people are expected to review records in reverse chronological order.
the "meat" of the message can be difficult to find, but if you do edit, you can carve needed references, possibly then requiring searching through previous messages that might not even be available at that time.
I considered that this message, as it relates to security, was important enough to top post. After all, it's not every day that we get what could be a remote-root ssh zero-day.
Regards, Lew
Dirk Gently wrote:
I never saw people top-post routinely before the widespread use of MS Outhouse.
Coincidence w/GUI's for reading email. I'd still be using it if it reliably supported IMAP, but it didn't (broke the protocol, leaving IMAP server in deadlock on a per-connection basis). That killed off Outhouse from Office97 -- up to 2002 when they went to multiple connections/IMAP server -- which mostly hid the problem (wasn't certain it was fixed, but was already using other readers then). Thing is, when you display a message, a GUI displays the 1st page (30-40 lines), but line-oriented readers will leave the last 25 lines of the message on the screen. For short messages, on line-oriented readers, it was more common to display the whole message than to type in the necessary filter option to display the message a page-at-a-time. Thus if you put new content at the end, and it was <~25 lines, the person saw the new content and could reply to it w/o redisplaying the message through a "pager". Most people today display email on a GUI and TTY's are only emulated for console-related work. I don't know of ANY email reader that displays the last page of an email, by default, when you display it. This means that if the new content isn't on the first page, people have to move off of the message selection interface over to the reading interface to adjust it.
Personally, I think top-posting impedes clear communication, because it completely discourages in-line comments among the lazy, who generally don't put much effort into communicating clearly to begin with.
---- Au contraire! I favor top posting for short replies, but do inline comments as needed.
network security for one, is to top post, leaving the content below for reference as operationally needed. If you bottom-post and don't edit,
That, I think, is a special case.
---- no more so than any professional field (doctors and lawyers, for example, have always had top-posted charting). The earth is arranged with the most recent stuff at the top, archeologically speaking, and people's piles are organized the same way. Reading things from the last page first is consistent with the anachronistic TTY interface.
In general, I've yet to see anything outside of e-mail hold a convention of keeping records in reverse-chronological order, or that people are expected to review records in reverse chronological order.
---- See doctors, lawyers -- professional fields where time is money... Also it's a natural order. The thing is, the mail being responded to is a *courtesy*, to allow those tuning in to go back if they want. The alternative to not posting inline, and not top-posting, is to not give any context. Some people illogically think that email is a book organized for their benefit. If you have read all the stuff before, you don't want to read it again. If you are new to the conversation, you shouldn't expect that the entire conversation will be included, or require that people waste their time skimming through old content looking for the start of new.
the "meat" of the message can be difficult to find, but if you do edit, you can carve needed references, possibly then requiring searching through previous messages that might not even be available at that time.
---- The meat isn't hard to find if it is the first thing they see (i.e. on top).
On 2014-07-08 00:35, Linda Walsh wrote:
Most people today display email on a GUI and TTY's are only emulated for console-related work. I don't know of ANY email reader that displays the last page of an email, by default, when you display it. This means that if the new content isn't on the first page, people have to move off of the message selection interface over to the reading interface to adjust it.
Did you have to page down to see this reply? I guess not. >:-) -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 07/07/2014 03:53 PM, Carlos E. R. wrote:
On 2014-07-08 00:35, Linda Walsh wrote:
Most people today display email on a GUI and TTY's are only emulated for console-related work. I don't know of ANY email reader that displays the last page of an email, by default, when you display it. This means that if the new content isn't on the first page, people have to move off of the message selection interface over to the reading interface to adjust it. Did you have to page down to see this reply? I guess not. >:-)
Nope, but then if I forgot what this was all about, I'd have to fish through eleventy-hundred previous emails, some of which might be deleted by now. As Linda says, editing/bottom-posting is fine for casual conversations, but when you need to preserve context and references as concisely and reliably as possible, you top-post. What does a bottom posted thread look like when you have to print it out for archival purposes, after all? But be honest, how many times have you had to page down many times in order to see a one-lined bone-headed response in a bottom-posted missive? How many times have you started to page down and said to yourself, "Screw it, I've got better things to do!". I've done this many times myself... Please note that it is what it is, and if the custom here is to bottom post I'm personally fine with that. I still think my one exception was reasonable in that particular case. This top/bottom post religious war has been going on forever, let's let it die or bring it to offtopic? It might distract us from the incessant wars about same-sex marriage! Regards, Lew
On 07/07/2014 04:19 PM, Lew Wolfgang wrote:
What does a bottom posted thread look like when you have to print it out for archival purposes, after all?
Har! I just realized that I stepped on my own crank on that one! I concede that bottom-posting is better when hard-copy printouts are required. Regards, Lew
On 2014-07-08 01:19, Lew Wolfgang wrote:
On 07/07/2014 03:53 PM, Carlos E. R. wrote:
but when you need to preserve context and references as concisely and reliably as possible, you top-post.
But as it is a mail list, everything you send is resent possibly to thousands of people, so bytes count. And then, being a mail list, there is an archive, where we can all retrieve any post we wish, or read online, complete, any time.
Please note that it is what it is, and if the custom here is to bottom post I'm personally fine with that.
That's the whole point :-) Each mail list has its customs and rules (we have a link to them). When I post on any list, I try to adhere to the conventions there, no matter what I may think about them, or how different they are from what I'm used to or prefer. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Hey, On 08.07.2014 01:19, Lew Wolfgang wrote:
But when you need to preserve context and references as concisely and reliably as possible, you top-post.
Not on this list, you don't. As stated in the openSUSE Mailing List Etiquette[1]: Use bottom-posting or interleaved style to answer. End of discussion. Henne [1] http://en.opensuse.org/openSUSE:Mailing_list_netiquette#Use_bottom-posting_o... -- Henne Vogelsang, Mailinglist Admin http://www.opensuse.org
On 07/07/2014 07:19 PM, Lew Wolfgang pecked at the keyboard and wrote:
On 07/07/2014 03:53 PM, Carlos E. R. wrote:
On 2014-07-08 00:35, Linda Walsh wrote:
Most people today display email on a GUI and TTY's are only emulated for console-related work. I don't know of ANY email reader that displays the last page of an email, by default, when you display it. This means that if the new content isn't on the first page, people have to move off of the message selection interface over to the reading interface to adjust it. Did you have to page down to see this reply? I guess not. >:-)
Nope, but then if I forgot what this was all about, I'd have to fish through eleventy-hundred previous emails, some of which might be deleted by now. As Linda says, editing/bottom-posting is fine for casual conversations,
No, it is needed for technical discussions to keep everything in perspective.
but when you need to preserve context and references as concisely and reliably as possible, you top-post. What does a bottom posted thread look like when you have to print it out for archival purposes, after all?
But be honest, how many times have you had to page down many times in order to see a one-lined bone-headed response in a bottom-posted missive? How many times have you started to page down and said to yourself, "Screw it, I've got better things to do!". I've done this many times myself...
Ah yes, hitting the PgDn key is so hard to do. This discussion has taken place many times on this list and I would venture a guess that it will come up many more times. But, the default for this list is interleaved or bottom posting and has been this way since I joined the list in 1998. Perhaps you can start your own list with the etiquette the way you want it. -- Ken Schneider SuSe since Version 5.2, June 1998
Ken Schneider - openSUSE wrote:
Ah yes, hitting the PgDn key is so hard to do.
If it comes down to having to hit a pagedn, I often skip the message unless it is a thread I'm following. If the 1st page doesn't catch my interest, not worth reading. I look at mail headers 1st, then look at the first page to see what they said. Usually people who have only quotes on the 1st page aren't worth reading.
This discussion has taken place many times on this list and I would venture a guess that it will come up many more times. But, the default for this list is interleaved or bottom posting and has been this way since I joined the list in 1998. Perhaps you can start your own list with the etiquette the way you want it.
--- And it was my grandpappy's default before that, and goes back to my first ancestors coming out of Africa... yup... Arguing historical precedent, in a community based on cutting edge software tech seems more than a bit ironic. No problem changing the way your system works to the point of it not working, but dealing with top posting?... frothing at the mouth... geez. Truly, that puzzles me.
Hey, On 09.07.2014 03:07, Linda Walsh wrote:
More top-post rant
What about "End of discussion" didn't you guys understand? Do I really need to block each and every thread? Henne -- Henne Vogelsang, Mailinglist Admin http://www.opensuse.org
Henne Vogelsang wrote:
Hey,
On 09.07.2014 03:07, Linda Walsh wrote:
More top-post rant
What about "End of discussion" didn't you guys understand? Do I really need to block each and every thread?
Maybe they didn't read your post? -- Per Jessen, Zürich (13.4°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 07/08/2014 09:07 PM, Linda Walsh wrote:
Ken Schneider - openSUSE wrote:
Ah yes, hitting the PgDn key is so hard to do.
If it comes down to having to hit a pagedn, I often skip the message unless it is a thread I'm following.
If the 1st page doesn't catch my interest, not worth reading. I look at mail headers 1st, then look at the first page to see what they said.
Yes, I can understand that, but it's not an issue of 'top posting' so much as an issue of people not trimming back the post they are replying to and only commenting on the relevant parts. We really, really don't need the full history of the thread. And kudos to you for being a good practitioner in this respect. -- /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \
On 07/07/2014 06:53 PM, Carlos E. R. wrote:
Did you have to page down to see this reply?
I had to roll back a lot of paper. ;-)
Am 05.07.2014 18:46, schrieb Lew Wolfgang:
Hi Daniel, ...
I hate to even think it, but your computer "might" have been compromised. I had experience with this last month when I had an openSuSE 12.1 server rooted from China via Korea. I don't know what they were doing, but it had the net effect of launching a DoS against Google over port 53 (domain).
Take a look around at running processes using "top" and look for anything unusual, especially process names beginning with a ".". Also look in /etc/init.d for new/unusual entries. You might also find binaries in /boot that are used to restart the malware after booting. You might also see an edit of root's "history". I saw references to IptabLes and IptabLex. There's lots on Google about this, but no clear indication of the vulnerability. Here's one link:
http://lowendtalk.com/discussion/28795/vps-got-hacked-with-iptables-iptablex
... I'll have a look at the details tomorrow and, quite sure, come up with more questions... Daniel -- Daniel Bauer photographer Basel Barcelona professional photography: http://www.daniel-bauer.com google+: https://plus.google.com/109534388657020287386
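The host checks Lew lists above (process names beginning with ".", new entries in /etc/init.d, binaries dropped into /boot, an edited root history), written up as a script. This is an added example for the record, not code from the thread or from any openSUSE tool. It reads /proc/<pid>/comm, which is the kernel's own name for a task and so survives a process rewriting its argv; lists /etc/init.d entries modified after a reference time you supply; finds files under /boot that start with the ELF magic; and reports the state of root's shell history. The fixture built by build_demo_tree() is constructed for the example, and the names .IptabLes and .IptabLex in it are placeholders taken from the names Lew mentions, nothing more.

```python
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


def hidden_process_names(proc_root="/proc"):
    """[(pid, comm)] for running processes whose kernel task name starts with '.'."""
    found = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():            # skip /proc/self, /proc/sys, ...
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:                          # process exited while we looked
            continue
        if comm.startswith("."):
            found.append((int(entry.name), comm))
    return sorted(found)


def elf_files(directory="/boot"):
    """Relative paths of regular files under directory that begin with the ELF magic.

    A kernel image (vmlinuz) is not ELF, but GRUB modules under /boot/grub are, so
    compare every hit against what the package manager owns (rpm -qf <file>)."""
    base = Path(directory)
    hits = []
    for path in base.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                if fh.read(4) == ELF_MAGIC:
                    hits.append(str(path.relative_to(base)))
        except OSError:
            continue
    return sorted(hits)


def newer_than(directory, since_epoch):
    """Names of entries in directory modified after since_epoch, e.g. /etc/init.d
    entries newer than the last update you ran."""
    d = Path(directory)
    if not d.is_dir():
        return []
    return sorted(p.name for p in d.iterdir() if p.stat().st_mtime > since_epoch)


def history_status(path="/root/.bash_history"):
    """Describe root's shell history; a missing, emptied or /dev/null-linked history
    on a box that is administered interactively deserves a second look."""
    p = Path(path)
    try:
        if p.is_symlink():
            return f"symlink -> {os.readlink(p)}"
        if not p.exists():
            return "missing"
        size = p.stat().st_size
        return "empty" if size == 0 else f"{size} bytes"
    except OSError as e:
        return f"unreadable ({e.strerror})"


def run_checks(root=Path("/"), initd_since=0):
    """Run all four checks below a filesystem root (the live host by default)."""
    return {
        "hidden_processes": hidden_process_names(root / "proc"),
        "elf_in_boot": elf_files(root / "boot"),
        "new_initd": newer_than(root / "etc" / "init.d", initd_since),
        "root_history": history_status(root / "root" / ".bash_history"),
    }


def build_demo_tree():
    """Constructed fixture (not a real compromised host): fake /proc, /etc/init.d,
    /boot and root home showing what each check is meant to surface."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    proc = root / "proc"
    for pid, comm in ((1, "systemd"), (4242, ".IptabLes"), (4243, "sshd")):
        (proc / str(pid)).mkdir(parents=True)
        (proc / str(pid) / "comm").write_text(comm + "\n")
    (proc / "self").mkdir()                               # non-numeric entry, skipped
    initd = root / "etc" / "init.d"
    initd.mkdir(parents=True)
    (initd / "sshd").write_text("#!/bin/sh\n")
    os.utime(initd / "sshd", (1_000_000, 1_000_000))      # old, before the reference time
    (initd / "IptabLes").write_text("#!/bin/sh\n")        # fresh entry, mtime is now
    boot = root / "boot"
    boot.mkdir()
    (boot / "vmlinuz").write_bytes(b"MZ" + b"\0" * 14)     # kernel image, not ELF
    (boot / ".IptabLex").write_bytes(ELF_MAGIC + b"\0" * 12)  # dropped ELF binary
    (root / "root").mkdir()
    (root / "root" / ".bash_history").write_bytes(b"")    # history wiped
    return root


def demo():
    """Checks against the constructed tree, reference time 2_000_000 (still 1970)."""
    return run_checks(build_demo_tree(), initd_since=2_000_000)


if __name__ == "__main__":
    for name, value in run_checks().items():              # the live host
        print(f"{name}: {value}")
```

Run it as root so the whole of /proc is visible, and treat each hit as something to explain rather than a verdict: a GRUB module is ELF by design and a freshly packaged init script is new by design, so the question for each entry is whether the package manager knows about it.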
Daniel Bauer wrote:
Hello,
All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open...
Filter your dump of known traffic...then get rid of variable info. This is your dump w/o the DNS and duplicates filtered:
ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length
IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48
IP guti.uc3m.es.ntp > 192.168.1.36.ntp: NTPv4, Server, length 48
----------
Nothing looks like a hack in this... I see NTP (time), kernel does ARP, routing, service discovery protocol. Nothing indicates a hack, IMO... The DNS lookups could be from tcpdump resolving names it sees or a webpage loading...did you have a browser active? That's all normal traffic, IMO...
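The filtering Linda describes (drop the traffic you can already explain, strip the per-packet fields, then deduplicate) as a small script. This is an added example, not code from the thread. It reads tcpdump's default text output, removes timestamps, ephemeral ports, DNS transaction ids and lengths so that repeated packets collapse into one "shape", classifies each line, and counts what survives a chosen drop set. The sample lines are constructed after the capture posted in this thread plus two made-up TCP SYNs to 173.194.66.191 that stand in for the kind of line that should remain and get explained; the category names and the DNS and LAN_NOISE drop sets are my own. PTR lookups are tracked as their own category because tcpdump run without -n issues them itself for every address it prints, which is the effect Linda mentions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the tcpdump lines posted in this thread, plus two
# made-up TCP SYNs: the kind of line that should survive filtering and be explained.
SAMPLE = """\
12:29:17.892834 IP 192.168.1.36.54051 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 55122+ A? img1.blogblog.com. (35)
12:29:17.893468 IP 192.168.1.36.57780 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 24803+ PTR? 36.1.168.192.in-addr.arpa. (43)
12:29:17.929639 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.54051: 55122 2/0/0 CNAME blogger.l.google.com., A 173.194.66.191 (82)
12:29:21.261728 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:29:21.950746 IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48
12:29:21.995901 IP guti.uc3m.es.ntp > 192.168.1.36.ntp: NTPv4, Server, length 48
12:29:22.904589 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:29:22.904976 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:29:32.264629 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:29:36.984661 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.084505 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 299
12:29:40.000000 IP 192.168.1.36.51234 > 173.194.66.191.https: Flags [S], seq 1234567, win 29200, length 0
12:29:41.000000 IP 192.168.1.36.51235 > 173.194.66.191.https: Flags [S], seq 7654321, win 29200, length 0
12:29:51.262713 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
"""

LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ (?P<proto>IP6?|ARP),? (?P<rest>.*)$")
FLOW = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$")
DNS_ID = re.compile(r"^(\d+)(\+?)\s")          # "55122+" query, "55122" response

DNS = {"dns", "dns-ptr"}                                   # what Linda dropped
LAN_NOISE = {"arp", "igmp", "rip", "ssdp", "ntp", "dns-ptr"}  # explained by the LAN/tcpdump itself


def normalize(payload):
    """Strip the fields that differ from packet to packet so duplicates collapse."""
    payload = DNS_ID.sub("ID ", payload)
    payload = re.sub(r" \(\d+\)$", "", payload)             # trailing DNS message length
    payload = re.sub(r"seq \d+", "seq N", payload)
    payload = re.sub(r"length:? \d+", "length N", payload)
    return payload


def endpoint(ep):
    """'host.port' -> (host, port); numeric (ephemeral) ports become '*'."""
    host, _, port = ep.rpartition(".")
    return host, ("*" if port.isdigit() else port)


def triage(text, drop=frozenset()):
    """Counter of normalized packet shapes, excluding the categories in drop."""
    shapes = Counter()
    txn = {}                                   # DNS transaction id -> "dns" | "dns-ptr"
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:                              # tcpdump banner / packet-count lines
            continue
        proto, rest = m.group("proto"), m.group("rest")
        if proto == "ARP":
            cat, key = "arp", "arp " + normalize(rest)
        else:
            f = FLOW.match(rest)
            if not f:
                continue
            src, dst, payload = f.group("src", "dst", "payload")
            if payload.startswith("igmp"):     # IGMP lines carry bare hosts, no ports
                cat, key = "igmp", f"igmp {src} > {dst} {normalize(payload)}"
            else:
                sh, sp = endpoint(src)
                dh, dp = endpoint(dst)
                ports = {sp, dp}
                d = DNS_ID.match(payload)
                if "domain" in ports and d:
                    tid, is_query = d.group(1), d.group(2) == "+"
                    if is_query:               # responses inherit the query's category
                        txn[tid] = "dns-ptr" if " PTR? " in payload else "dns"
                    cat = txn.get(tid, "dns")
                elif "ntp" in ports:
                    cat = "ntp"
                elif "router" in ports or payload.startswith("RIPv2"):
                    cat = "rip"
                elif "ssdp" in ports:
                    cat = "ssdp"
                else:
                    cat = "other"              # unexplained: match against a process
                key = f"{cat} {sh}.{sp} > {dh}.{dp} {normalize(payload)}"
        if cat not in drop:
            shapes[key] += 1
    return shapes


if __name__ == "__main__":
    for shape, n in triage(SAMPLE, drop=LAN_NOISE).most_common():
        print(f"{n:3d}  {shape}")
```

Capture with tcpdump -n when doing this, so tcpdump's own reverse lookups never enter the picture. Whatever survives the LAN_NOISE filter (in the sample, the DNS A queries and the two SYNs) is the short list to match against running processes with netstat -p or lsof -i, as suggested elsewhere in this thread.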
Am 07.07.2014 04:02, schrieb Linda Walsh:
Daniel Bauer wrote:
Hello,
All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open...
Filter your dump of known traffic...then get rid of variable info.
This is your dump w/o the DNS and duplicates filtered:
ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length
IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48
IP guti.uc3m.es.ntp > 192.168.1.36.ntp: NTPv4, Server, length 48
----------
Nothing looks like a hack in this...
I see NTP (time), kernel does ARP, routing, service discovery protocol.
Nothing indicates a hack, IMO...
The DNS lookups could be from tcpdump resolving names it sees or a webpage loading...did you have a browser active? That's all normal traffic, IMO...
Hi Linda and everybody :-) I searched my system, read the mentioned blogs, installed and ran rkhunter, and as much as I can see: nothing not normal... I was wondering because at the moment I took the tcpdump list, there was - except ntp - nothing open that should connect to internet (and I checked in the process-list (ctrl-esc) that no browser, email, radio, skype or torrent program was running. Still I saw gkrellm showing eth0 traffic and the mentioned list resulted from tcpdump... So after reading the answers here I am not very worried anymore, but I'll keep an eye on it and use lsof -iTCP etc. to see what happens. In case I detect something that makes me feel insecure I'll post to a new thread... Thanks everybody for having a look at my problem :-) Daniel -- Daniel Bauer photographer Basel Barcelona professional photography: http://www.daniel-bauer.com google+: https://plus.google.com/109534388657020287386
Hi, try watching netstat -putec as root. If you are lucky you can catch it. On 07/05/2014 12:37 PM, Daniel Bauer wrote:
Hello,
All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open...
I logged out and in again, had less, but still have traffic (see below). I see google, blogger, LinkedIn, my own website, many more etc. How come?
Is this something I should worry?
I don't have any idea about network etc., but maybe the listing below says something to somebody who has?
Thanks for hints!
Daniel
tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:29:17.892834 IP 192.168.1.36.54051 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 55122+ A? img1.blogblog.com. (35)
12:29:17.893468 IP 192.168.1.36.57780 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 24803+ PTR? 36.1.168.192.in-addr.arpa. (43)
12:29:17.929639 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.54051: 55122 2/0/0 CNAME blogger.l.google.com., A 173.194.66.191 (82)
12:29:17.929756 IP 192.168.1.36.46637 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 7321+ A? img2.blogblog.com. (35)
12:29:17.931315 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.57780: 24803 NXDomain* 0/1/0 (102)
12:29:17.966284 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.46637: 7321 2/0/0 CNAME blogger.l.google.com., A 74.125.206.191 (82)
12:29:17.966471 IP 192.168.1.36.38370 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 22323+ A? www.blogger.com. (33)
12:29:18.000919 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.38370: 22323 2/0/0 CNAME blogger.l.google.com., A 173.194.66.191 (80)
12:29:21.261728 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:29:21.262031 IP 192.168.1.36.43978 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 34441+ PTR? 1.1.168.192.in-addr.arpa. (42)
12:29:21.298464 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43978: 34441 NXDomain 0/1/0 (119)
12:29:21.950746 IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48
12:29:21.951081 IP 192.168.1.36.58377 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 14687+ PTR? 33.202.117.163.in-addr.arpa. (45)
12:29:21.987356 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.58377: 14687 1/0/0 PTR guti.uc3m.es. (71)
12:29:21.995901 IP guti.uc3m.es.ntp > 192.168.1.36.ntp: NTPv4, Server, length 48
12:29:22.904589 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:29:22.904976 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:29:32.264629 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:29:32.264943 IP 192.168.1.36.47458 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 58833+ PTR? 255.1.168.192.in-addr.arpa. (44)
12:29:32.301324 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.47458: 58833 NXDomain* 0/1/0 (103)
12:29:33.001399 IP 192.168.1.36.43151 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 16752+ A? labs.domaintools.com. (38)
12:29:33.071888 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43151: 16752 1/0/0 A 199.30.228.83 (54)
12:29:33.072075 IP 192.168.1.36.51057 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 2316+ A? www.inteligentcomp.com. (40)
12:29:33.176330 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.51057: 2316 3/0/0 CNAME ghs.google.com., CNAME ghs.l.google.com., A 173.194.66.121 (101)
12:29:33.176486 IP 192.168.1.36.58612 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 37971+ PTR? 199.49.26.217.in-addr.arpa. (44)
12:29:33.211630 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.58612: 37971 1/0/0 PTR imap.mail.hostpoint.ch. (80)
12:29:36.263301 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:29:36.984661 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:36.984956 IP 192.168.1.36.56713 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 48073+ PTR? 250.255.255.239.in-addr.arpa. (46)
12:29:37.020628 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.56713: 48073 NXDomain 0/1/0 (103)
12:29:37.084505 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 299
12:29:37.184685 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 371
12:29:37.284520 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.384695 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 347
12:29:37.484501 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.584672 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 367
12:29:37.684497 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.784658 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 347
12:29:37.984639 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 363
12:29:38.084811 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 379
12:29:38.184649 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 363
12:29:38.284809 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 361
12:29:38.384633 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 377
12:29:48.212084 IP 192.168.1.36.42014 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 35763+ A? whois.domaintools.com. (39)
12:29:48.285337 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.42014: 35763 2/0/0 CNAME whois.domaintools.com.c.footprint.net., A 8.247.6.160 (106)
12:29:48.285534 IP 192.168.1.36.45337 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 59863+ A? ettercap.sf.net. (33)
12:29:48.363848 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.45337: 59863 1/0/0 A 216.34.181.96 (49)
12:29:48.364026 IP 192.168.1.36.49004 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 59233+ A? www.daniel-bauer.com. (38)
12:29:48.519073 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.49004: 59233 1/0/0 A 217.26.50.29 (54)
12:29:51.262713 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:02.264601 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:30:03.519587 IP 192.168.1.36.57927 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 45024+ A? linkedin.com. (30)
12:30:03.554148 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.57927: 45024 1/0/0 A 216.52.242.86 (46)
12:30:06.263232 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:08.536678 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:30:08.537079 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:30:21.263706 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:32.266592 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:30:33.554870 IP 192.168.1.36.33980 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 20740+ PTR? 84.67.194.173.in-addr.arpa. (44)
12:30:33.589164 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.33980: 20740 1/0/0 PTR wi-in-f84.1e100.net. (77)
12:30:33.589355 IP 192.168.1.36.57673 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 46372+ A? www.inteligentcomp.com. (40)
12:30:33.625683 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.57673: 46372 3/0/0 CNAME ghs.google.com., CNAME ghs.l.google.com., A 173.194.66.121 (101)
12:30:33.625856 IP 192.168.1.36.43331 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 56039+ PTR? 208.217.245.63.in-addr.arpa. (45)
12:30:33.696940 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43331: 56039 1/0/0 PTR sync02.phx.services.mozilla.com. (90)
12:30:33.697112 IP 192.168.1.36.39176 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 38932+ PTR? 23.41.194.173.in-addr.arpa. (44)
12:30:33.733580 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.39176: 38932 1/0/0 PTR mad01s14-in-f23.1e100.net. (83)
12:30:33.733747 IP 192.168.1.36.41130 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 42042+ PTR? 228.41.194.173.in-addr.arpa. (45)
12:30:33.769881 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.41130: 42042 1/0/0 PTR mad01s15-in-f4.1e100.net. (83)
12:30:33.770048 IP 192.168.1.36.50991 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 2430+ PTR? 139.253.215.67.in-addr.arpa. (45)
12:30:33.805512 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.50991: 2430 1/0/0 PTR 1.counter.a.statcounter.com. (86)
12:30:33.805680 IP 192.168.1.36.48923 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 38159+ PTR? 29.50.26.217.in-addr.arpa. (43)
12:30:33.909179 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.48923: 38159 1/0/0 PTR www.daniel-bauer.com. (77)
12:30:33.909316 IP 192.168.1.36.42281 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 33172+ PTR? 3.41.194.173.in-addr.arpa. (43)
12:30:33.944897 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.42281: 33172 1/0/0 PTR mad01s14-in-f3.1e100.net. (81)
12:30:33.945026 IP 192.168.1.36.43238 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 62285+ PTR? 41.34.194.173.in-addr.arpa. (44)
12:30:33.980957 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43238: 62285 1/0/0 PTR par03s03-in-f9.1e100.net. (82)
12:30:33.981085 IP 192.168.1.36.47322 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 57773+ PTR? 248.34.194.173.in-addr.arpa. (45)
12:30:34.017930 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.47322: 57773 1/0/0 PTR mad01s09-in-f24.1e100.net. (84)
12:30:34.018062 IP 192.168.1.36.47332 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 49187+ PTR? 234.34.194.173.in-addr.arpa. (45)
12:30:34.054564 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.47332: 49187 1/0/0 PTR mad01s09-in-f10.1e100.net. (84)
12:30:36.265199 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:49.055056 IP 192.168.1.36.39989 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 15001+ A? 1.gravatar.com. (32)
12:30:49.091464 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.39989: 15001 2/0/0 CNAME cs91.wac.edgecastcdn.net., A 68.232.35.121 (86)
12:30:51.264657 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:54.072671 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:30:54.073052 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:31:02.266585 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:31:06.265150 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:31:21.265653 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:31:32.268546 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:31:34.092677 IP 192.168.1.36.51976 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 4676+ A? www.inteligentcomp.com. (40)
12:31:34.128480 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.51976: 4676 3/0/0 CNAME ghs.google.com., CNAME ghs.l.google.com., A 173.194.66.121 (101)
12:31:36.267176 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
^C
93 packets captured
93 packets received by filter
0 packets dropped by kernel
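What Florian's netstat -putec and Daniel's lsof -iTCP do underneath, as an added example that is not part of the thread: the kernel lists TCP sockets in /proc/net/tcp with hex-encoded addresses and a socket inode number, and the /proc/<pid>/fd symlinks reveal which process holds that inode. IPv4 addresses are stored little-endian, which is why 192.168.1.36 shows up as 2401A8C0. The /proc/net/tcp text and the fake /proc tree built by build_demo_proc() are constructed for the example (the established connection to 173.194.66.191:443 and the process named .IptabLes are made up, the latter a placeholder after a name used earlier in the thread); the real /proc layout and state codes are the kernel's.

```python
import os
import socket
import struct
import tempfile
from pathlib import Path

# Linux TCP state codes as they appear in /proc/net/tcp (include/net/tcp_states.h).
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

# Constructed /proc/net/tcp contents: one sshd listener and one outbound HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 2401A8C0:C83E BF42C2AD:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
"""


def hex_to_endpoint(field):
    """'2401A8C0:C83E' -> '192.168.1.36:51262' (address is little-endian hex)."""
    host_hex, port_hex = field.split(":")
    host = socket.inet_ntoa(struct.pack("<L", int(host_hex, 16)))
    return f"{host}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp as dicts: local, remote, state, uid, inode."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].endswith(":"):        # header line
            continue
        rows.append({"local": hex_to_endpoint(f[1]),
                     "remote": hex_to_endpoint(f[2]),
                     "state": TCP_STATES.get(int(f[3], 16), f[3]),
                     "uid": int(f[7]),
                     "inode": int(f[9])})
    return rows


def socket_owners(proc_root="/proc"):
    """socket inode -> (pid, comm). Reading another user's fd table needs root,
    which is why netstat -p and lsof are run as root to see everything."""
    owners = {}
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            comm = (pid_dir / "comm").read_text().strip()
            fds = list((pid_dir / "fd").iterdir())
        except OSError:                              # gone, or not ours to read
            continue
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = (int(pid_dir.name), comm)
    return owners


def connections(proc_root="/proc"):
    """Every TCP socket joined to the process that owns it (pid None if unreadable)."""
    text = (Path(proc_root) / "net" / "tcp").read_text()
    owners = socket_owners(proc_root)
    out = []
    for row in parse_proc_net_tcp(text):
        pid, comm = owners.get(row["inode"], (None, "?"))
        out.append({**row, "pid": pid, "comm": comm})
    return out


def build_demo_proc():
    """Constructed fake /proc: the sample table plus two processes holding its sockets."""
    root = Path(tempfile.mkdtemp(prefix="proc-demo-"))
    (root / "net").mkdir()
    (root / "net" / "tcp").write_text(SAMPLE_PROC_NET_TCP)
    for pid, comm, inode in ((911, "sshd", 10001), (4242, ".IptabLes", 12345)):
        (root / str(pid) / "fd").mkdir(parents=True)
        (root / str(pid) / "comm").write_text(comm + "\n")
        os.symlink(f"socket:[{inode}]", root / str(pid) / "fd" / "3")
    return root


def demo():
    return connections(build_demo_proc())


if __name__ == "__main__":
    for c in connections():                           # the live host
        print(f"{c['state']:12} {c['local']:22} {c['remote']:22} {c['pid']} {c['comm']}")
```

/proc/net/tcp6 has the same column layout with 32-hex-digit addresses and is not handled here; UDP sockets live in /proc/net/udp with the same format, which is what the -u in netstat -putec adds.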
participants (13)
- Anton Aylward
- Carlos E. R.
- Cristian Rodríguez
- Daniel Bauer
- Dirk Gently
- Florian Gleixner
- Henne Vogelsang
- James Knott
- Ken Schneider - openSUSE
- Lew Wolfgang
- Linda Walsh
- Patrick Shanahan
- Per Jessen