This is a discussion on "SRC=69.28.159." within the Linux Security forums, part of the System Security and Security Related category.
Like, hello,

I have a lot of log entries from the same netblock/domain, and want to know why.

[root@localhost root]# grep -c "SRC=69.28.159." /var/log/messages
58
[root@localhost root]# grep -c "SRC=69.28.159." /var/log/messages.1
206
[root@localhost root]# grep -c "SRC=69.28.159." /var/log/messages.2
94
[root@localhost root]# grep -c "SRC=69.28.159." /var/log/messages.3
31

The "whois" comes back like this:

[root@localhost root]# host 69.28.159.7
7.159.28.69.in-addr.arpa domain name pointer cdn-69-28-159-7.iad.llnw.net.
[root@localhost root]# whois llnw.net
[whois.crsnic.net]

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: LLNW.NET
   Registrar: GO DADDY SOFTWARE, INC.
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: DNS.LAX.LLNS.NET
   Name Server: DNS.SJC.LLNS.NET
   Name Server: DNS.LGA.LLNS.NET
   Name Server: DNS.IAD.LLNS.NET
   Status: REGISTRAR-LOCK
   Updated Date: 22-nov-2004
   Creation Date: 23-jun-2001
   Expiration Date: 23-jun-2007

[...]

Registrant:
   Limelight Networks, LLC.
   8936 N. Central Avenue
   Phoenix, Arizona 85020
   United States

[...]

(me:) What is this? Maybe an ad agency that is connected to a site I use? Else why am I getting this for weeks on end? The firewall is obviously blocking it so I need not worry. Or should I? It seems to happen at the same time in the early morning here. Should I call them? Would they care?

I'm changing computers and os's tomorrow (or next week?), so if this box is killed, it's ok for me. I don't yet have any reason to think it is killed. Just would like to understand wtf is going on here.

Thanks!

Walt
-- 
n e w s b o x /AT/ c u s t o m e r s - o f - a d e l p h i a (dot) o r g
On Fri, 10 Dec 2004 04:51:12 -0500, Newsbox <dontspamme@thanks.invalid> wrote:

>
> (me:) What is this? Maybe an ad agency that is connected to a site I use?
> Else why am I getting this for weeks on end? The firewall is obviously
> blocking it so I need not worry. Or should I? It seems to happen at the
> same time in the early morning here. Should I call them? Would they
> care?
>

Insufficient data. What port are they trying to connect to? Have your email filters been blocking traffic from the same address?

-- 
Programming Department: Mistakes made while you wait.
On Fri, 10 Dec 2004 10:11:11 -0500, Bill Marcum wrote:

> On Fri, 10 Dec 2004 04:51:12 -0500, Newsbox
> <dontspamme@thanks.invalid> wrote:
>>
>> (me:) What is this? Maybe an ad agency that is connected to a site I
>> use?
>> Else why am I getting this for weeks on end? The firewall is
>> obviously
>> blocking it so I need not worry. Or should I? It seems to happen at
>> the same time in the early morning here. Should I call them? Would
>> they care?
>>
> Insufficient data. What port are they trying to connect to? Have your
> email filters been blocking traffic from the same address?

Thanks Bill. Here's what the log entries look like:

Dec 10 00:37:40 localhost kernel: IN=ppp0 OUT= MAC= SRC=69.28.159.7 DST=aaa.bbb.ccc.ddd LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=16002 DF PROTO=TCP SPT=80 DPT=2388 WINDOW=65535 RES=0x00 ACK SYN URGP=0

They vary with DPT, but apparently not much else. But I haven't checked that exhaustively. I would think these might be responses to http "get" requests (maybe from a web page?) that were blocked by the firewall. (I'm using Firestarter to set the scripts, for convenience.) I have one drop rule in that range, but not that exact interface. It is:

[root@localhost root]# iptables --list | grep "69.28.159"
DROP       all  --  cdn-69-28-159-9.iad.llnw.net  anywhere

This is in line with what I had set for that address. This rule is for 69.28.159.9, which had previously at some time been doing some annoying things which I didn't want logged anymore. These most recent firewall hits are from 69.28.159.7, and they are being logged, so that (DROP) rule above is not coming into play here. But possibly whatever rule that originally logged the ...9 traffic is also now logging the ...7 stuff. But I don't understand (a.) what the traffic is about, or (b.) specifically why it is being blocked and logged.

I'm not seeing any e-mail from them (either one). But my outside e-mail addys are already heavily filtered by ISPs, and I wouldn't necessarily see it without manually wading through a ton of junk online.

It's probably nothing. I ignored the ...9 traffic before with no problem and I could just ignore the ...7 traffic now. It's just bugging me because I don't know what it's about.

Thanks again.

Walt
-- 
n e w s b o x /AT/ c u s t o m e r s - o f - a d e l p h i a (dot) o r g
In article <69qdnQLHxNM67CTcRVn-hQ@acadia.net>, Newsbox wrote:

>I have a lot of log entries from the same netblock/domain, and want to
>know why.

A count of hits from the block doesn't provide clues. What ports (source, destination), what addresses? What else is going on on your system(s) at the time? Is there any reason you might be talking to those hosts?

>[root@localhost root]# host 69.28.159.7
>7.159.28.69.in-addr.arpa domain name pointer
>cdn-69-28-159-7.iad.llnw.net.
>
>[root@localhost root]# whois

Why are you running network applications as root?

[compton ~]$ whois -h whois.arin.net 69.28.159.7
[whois.arin.net]

OrgName:    Limelight Networks, LLC
OrgID:      LLNW
Address:    2220 W. 14th Street
City:       Tempe
StateProv:  AZ
PostalCode: 85281
Country:    US

ReferralServer: rwhois://rwhois.llnw.net:4321/

[snip]

OrgAbuseHandle: LNAD-ARIN
OrgAbuseName:   Limelight Networks Abuse Dept
OrgAbusePhone:  +1-602-850-5095
OrgAbuseEmail:  ipadmin@limelightnetworks.com

[snip]
[compton ~]$

An rwhois query seems to indicate that specific address is a corporate address, rather than a customer.

>(me:) What is this? Maybe an ad agency that is connected to a site I use?

Possible - not enough details.

> Else why am I getting this for weeks on end? The firewall is obviously
>blocking it so I need not worry. Or should I? It seems to happen at the
>same time in the early morning here.

Again - not enough details. FWIW, the 'IAD' _suggests_ a Northern Virginia location (IAD is the airport code for Washington Dulles, while LAX is Los Angeles, SJC is San Jose, and LGA is La Guardia in New York). As you are posting from a Stentor address block, the 'cdn' in the hostname you looked up _could_ refer to 'Canadian' but that's pure speculation.

>Should I call them? Would they care?

If this is all you show, no - don't bother wasting their/your time. If you have some details of nefarious deeds (including relatively accurate times, specific ports/addresses, etc), then it might be worth a shot. You might also google for them in the news.admin.net-abuse.* newsgroups.

>I'm changing computers and os's tomorrow (or next week?), so if this box
>is killed, it's ok for me. I don't yet have any reason to think it is
>killed. Just would like to understand wtf is going on here.

Look at the source and destination port numbers. Look at the source addresses. Is there any pattern?

(Note: While I am near Phoenix, I have nothing to do with Limelight. They are in the Phoenix telephone book, but not in the Yellow Pages, and I get no response to http:www.llnw.net which forwards to www.limelightnetworks.com - so you know as much as I do about them.)

Old guy
On Fri, 10 Dec 2004 19:02:03 -0500, Moe Trin wrote:

> In article <69qdnQLHxNM67CTcRVn-hQ@acadia.net>, Newsbox wrote:
>
>>I have a lot of log entries from the same netblock/domain, and want to
>>know why.
>
> A count of hits from the block doesn't provide clues. What ports
> (source, destination), what addresses? What else is going on on your
> system(s) at the time? Is there any reason you might be talking to those
> hosts?
>

Thanks Moe. Looks like they are all coming from port 80 and going to various ports >1024. That's why I thought it might be some web page that I was visiting pulling down ads, or some such. I have blocked some ad sites in my browser (Galeon), but don't believe that would show in my firewall logs. I'll pull down the whole list and do a statistical analysis if necessary. They are all coming from 69.28.159.7. I had blocked and DROPped access from 69.28.159.9 some time ago for the same reasons, and have not missed anything of importance coming back. My IP address here is dynamic and changes several times each day. I posted a sample log line in my answer to Bill earlier. I do not know of any reason I would be talking to those hosts. I'll repeat the sample log line that I posted earlier below:

Dec 10 00:37:40 localhost kernel: IN=ppp0 OUT= MAC= SRC=69.28.159.7 DST=aaa.bbb.ccc.ddd LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=16002 DF PROTO=TCP SPT=80 DPT=2388 WINDOW=65535 RES=0x00 ACK SYN URGP=0

At the daily times this is happening, I have usually finished my e-mail for the day (might recheck for new messages), I check a variety of web pages of interest to me on a regular basis and read (mostly just) this newsgroup on my ISP's news server.

>>[root@localhost root]# host 69.28.159.7
>>7.159.28.69.in-addr.arpa domain name pointer cdn-69-28-159-7.iad.llnw.net.
>>
>>[root@localhost root]# whois
>
> Why are you running network applications as root?
>

Noted. As a serious person responding to a serious point, you are right and I was negligent. Thank you for pointing that out. No application that will run in unprivileged mode should ever be run as superuser. To answer the question, I was running a root x-terminal so that I could examine the firewall logs, owned by root and not accessible by unprivileged users. I made a mistake, and instead of running the whois in an unprivileged terminal, I ran it in the superuser terminal that was open. Mea culpa. Details _DO_ matter, and anyone reading should note Mr. Trin's issue. He is right. Never run as superuser what will run as a regular, unprivileged user.

> [compton ~]$ whois -h whois.arin.net 69.28.159.7
> [whois.arin.net]
>
> OrgName: Limelight Networks, LLC
> OrgID: LLNW
> Address: 2220 W. 14th Street
> City: Tempe
> StateProv: AZ
> PostalCode: 85281
> Country: US
>
> ReferralServer: rwhois://rwhois.llnw.net:4321/
>
> [snip]
>
> OrgAbuseHandle: LNAD-ARIN
> OrgAbuseName: Limelight Networks Abuse Dept
> OrgAbusePhone: +1-602-850-5095
> OrgAbuseEmail: ipadmin@limelightnetworks.com
>
> [snip]
> [compton ~]$
>
> An rwhois query seems to indicate that specific address is a corporate
> address, rather than a customer.
>
>>(me:) What is this? Maybe an ad agency that is connected to a site I
>>use?
>
> Possible - not enough details.
>
>> Else why am I getting this for weeks on end? The firewall is obviously
>>blocking it so I need not worry. Or should I? It seems to happen at
>>the same time in the early morning here.
>
> Again - not enough details. FWIW, the 'IAD' _suggests_ a Northern
> Virginia location (IAD is the airport code for Washington Dulles, while
> LAX is Los Angeles, SJC is San Jose, and LGA is La Guardia in New York).
> As you are posting from a Stentor address block, the 'cdn' in the
> hostname you looked up _could_ refer to 'Canadian' but that's pure
> speculation.
>
>>Should I call them? Would they care?
>
> If this is all you show, no - don't bother wasting their/your time. If
> you have some details of nefarious deeds (including relatively accurate
> times, specific ports/addresses, etc), then it might be worth a shot.
> You might also google for them in the news.admin.net-abuse.* newsgroups.
>

That's pretty much what I thought. There is nothing obviously nefarious of which I am aware. I think the worst it probably is, is banner ads or popup windows, if that. Or maybe less notable even than that. IDK.

I want to set up an iptables rule to log any outgoing requests to that address to give me more details. Not finished yet, but so far I have this:

iptables -I OUTPUT -p tcp --syn -d 69.28.159.0/24 --dport 80 -j LOG --log-prefix " --llnw-- "

I am no iptables wizard -- comments and/or suggestions are definitely welcome !!

>>I'm changing computers and os's tomorrow (or next week?), so if this box
>>is killed, it's ok for me. I don't yet have any reason to think it is
>>killed. Just would like to understand wtf is going on here.
>
> Look at the source and destination port numbers. Look at the source
> addresses. Is there any pattern?
>

I will do the analysis (but not tonight). From my first looks, the source numbers are all port 80 and the destination ports are all normal >1024 ports. Does _NOT_ look like a trojan or worm to me, at all. Very mild by comparison. I will continue to look. Thank you.

> (Note: While I am near Phoenix, I have nothing to do with Limelight.
> They are in the Phoenix telephone book, but not in the Yellow Pages, and
> I get no response to http:www.llnw.net which forwards to
> www.limelightnetworks.com - so you know as much as I do about them.)
>
> Old guy

You are a nice (Old) guy to help me, and I appreciate your help and thank you. I'll post back if I can find anything significant.

Thanks again.

Walt
-- 
n e w s b o x /AT/ c u s t o m e r s - o f - a d e l p h i a (dot) o r g
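Moe's question about port patterns and Walt's planned statistical analysis can be answered directly from the netfilter LOG format shown in the posted line; the following Python script is an added example, not code from the thread, that splits each line into key=value fields plus bare TCP flag tokens and tallies every source by source port, destination ports and handshake role (a SYN/ACK arriving from port 80, as in the posted line, is the server's half of a handshake for a connection this host itself opened). The sample lines are constructed for the example, modelled on the posted one, with 192.0.2.44 (a documentation address) standing in for an unrelated source.

```python
"""Tally netfilter LOG lines by source, source port, destination ports and TCP
handshake role. Added example for this thread, not code posted in it."""
from collections import Counter, defaultdict

# Constructed sample modelled on the line Walt posted. 192.0.2.44 is an invented
# unrelated source for contrast; the last line is syslog noise the parser must skip.
SAMPLE_LOG = """\
Dec 10 00:37:40 localhost kernel: IN=ppp0 OUT= MAC= SRC=69.28.159.7 DST=aaa.bbb.ccc.ddd LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=16002 DF PROTO=TCP SPT=80 DPT=2388 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Dec 10 00:37:43 localhost kernel: IN=ppp0 OUT= MAC= SRC=69.28.159.7 DST=aaa.bbb.ccc.ddd LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=16003 DF PROTO=TCP SPT=80 DPT=2388 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Dec 10 00:41:02 localhost kernel: IN=ppp0 OUT= MAC= SRC=69.28.159.7 DST=aaa.bbb.ccc.ddd LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=17110 DF PROTO=TCP SPT=80 DPT=2401 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Dec 10 00:55:01 localhost kernel: IN=ppp0 OUT= MAC= SRC=69.28.159.7 DST=aaa.bbb.ccc.ddd LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=17111 DF PROTO=TCP SPT=80 DPT=2401 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 10 00:52:17 localhost kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=aaa.bbb.ccc.ddd LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5 DF PROTO=TCP SPT=4521 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 10 00:53:30 localhost kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=aaa.bbb.ccc.ddd LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=6 PROTO=UDP SPT=1026 DPT=137 LEN=40
Dec 10 00:53:31 localhost syslogd 1.4.1: restart.
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_line(line):
    """Return (key=value fields, TCP flag tokens) or None if not a LOG line.
    Bare tokens without '=' (DF, a --log-prefix string) are skipped unless flags."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split("kernel:", 1)[1].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val  # a UDP line's second LEN= overwrites the first; harmless here
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def classify(fields, flags):
    """Handshake role of a TCP packet; non-TCP returns the protocol name."""
    if fields.get("PROTO") != "TCP":
        return fields.get("PROTO", "unknown").lower()
    if flags == {"SYN", "ACK"}:
        return "syn-ack: server reply to a connection this host opened"
    if flags == {"SYN"}:
        return "syn: inbound connection attempt"
    if "RST" in flags:
        return "rst"
    return "other tcp segment"

def summarise(text):
    """Hits per source, per (source, SPT), per (source, role), plus sorted DPTs."""
    by_src, by_src_spt, by_src_role = Counter(), Counter(), Counter()
    dports = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        src = fields["SRC"]
        by_src[src] += 1
        by_src_spt[(src, fields.get("SPT"))] += 1
        by_src_role[(src, classify(fields, flags))] += 1
        if "DPT" in fields:
            dports[src].add(int(fields["DPT"]))
    return {"by_src": by_src, "by_src_spt": by_src_spt, "by_src_role": by_src_role,
            "dports": {src: sorted(p) for src, p in dports.items()}}

def report(text):
    """One block per source address, busiest first: the view Moe asked for."""
    s = summarise(text)
    out = []
    for src, n in s["by_src"].most_common():
        out.append(f"{src}: {n} hits, destination ports {s['dports'].get(src, [])}")
        out += [f"    {k:4d}  {role}" for (o, role), k in sorted(s["by_src_role"].items()) if o == src]
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))  # real use: report(open("/var/log/messages").read())
```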
On Sat, 11 Dec 2004 00:45:58 -0500, Newsbox wrote:

> Details _DO_ matter, and anyone reading should note Mr. Trin's issue. He
> is right. Never run as superuser what will run as a regular,
> unprivileged user.

Sorry to go slightly off topic and also sorry if this seems a stupid and ignorant question but ... why shouldn't you run network apps as root and how could something like whois be exploited?

Thanks,
-- 
Jon
On Sat, 11 Dec 2004 02:08:55 -0500, Jon wrote:

> On Sat, 11 Dec 2004 00:45:58 -0500, Newsbox wrote:
>
>> Details _DO_ matter, and anyone reading should note Mr. Trin's issue.
>> He is right. Never run as superuser what will run as a regular,
>> unprivileged user.
>
> Sorry to go slightly off topic and also sorry if this seems a stupid and
> ignorant question but ... why shouldn't you run network apps as root and
> how could something like whois be exploited?
>
> Thanks,

No problem, Jon, to answer that, and it's a good question that probably many need to know the answer to. Thanks for asking !!

Even when there are no "known vulnerabilities" or "published exploits" -- of which there are very many (that probably most people are not immediately aware), even then, ...

When you run as an unprivileged (normal) user, then any vulnerability or exploit (search zero day exploit) that may be deployed against the application, and which succeeds in running "arbitrary code", only gets to run that arbitrary code in the privileges of the user that was running the application. If the user is not allowed to (does not have ownership of) writing system files, then, in order to compromise the system, the attacker must then deploy a second vulnerability exploit before s/he can escalate the privilege (ownership) to change system files (much, much more difficult).

If you run as root, whoever gets in, gets everything, right off. Very bad strategy if it can be avoided. It can be avoided by running as a normal user.

I don't think whois has a vulnerability. If it doesn't, then there is no problem. But whois will run as a normal user and as such should always _be_ run as a normal user. If in fact there were a vulnerability in whois, for example, or an exploit for the (hypothetical) vulnerability, then whoever did exploit it (the dirty criminal!!) could access the system with the rights of whoever called the process. And a normal user doesn't have system rights, whereas root does.

Mr. Trin was right and I did make a mistake. Do not make this mistake !!

It's late here for me, and my spelling and typing may be less than perfect. But when it comes to security, details _do_ matter.

Don't be sorry for asking. This is a very relevant question. We don't want to all be like those users of that "other" os, now do we !?

Thanks for asking, hope I answered, and best wishes.

Walt

Take care, and best wishes.
-- 
n e w s b o x /AT/ c u s t o m e r s - o f - a d e l p h i a (dot) o r g
On Sat, 11 Dec 2004 03:29:08 -0500, Newsbox wrote:

> On Sat, 11 Dec 2004 02:08:55 -0500, Jon wrote:
>
>> On Sat, 11 Dec 2004 00:45:58 -0500, Newsbox wrote:
>>
>>> Details _DO_ matter, and anyone reading should note Mr. Trin's issue.
>>> He is right. Never run as superuser what will run as a regular,
>>> unprivileged user.
>>
>> Sorry to go slightly off topic and also sorry if this seems a stupid and
>> ignorant question but ... why shouldn't you run network apps as root and
>> how could something like whois be exploited?
>>
>> Thanks,
>
> No problem, Jon, to answer that, and it's a good question that probably many
> need to know the answer to. Thanks for asking !!
>
> Even when there are no "known vulnerabilities" or "published exploits" --
> of which there are very many (that probably most people are not
> immediately aware), even then, ...
>
> When you run as an unprivileged (normal) user, then any vulnerability or
> exploit (search zero day exploit) that may be deployed against the
> application, and which succeeds in running "arbitrary code", only gets to
> run that arbitrary code in the privileges of the user that was running
> the application. If the user is not allowed to (does not have ownership
> of) writing system files, then, in order to compromise the system, the
> attacker must then deploy a second vulnerability exploit before s/he can
> escalate the privilege (ownership) to change system files (much, much
> more difficult).
>
> If you run as root, whoever gets in, gets everything, right off. Very bad
> strategy if it can be avoided. It can be avoided by running as a normal
> user.
>
> I don't think whois has a vulnerability. If it doesn't, then there is no
> problem. But whois will run as a normal user and as such should always
> _be_ run as a normal user. If in fact there were a vulnerability in
> whois, for example, or an exploit for the (hypothetical) vulnerability,
> then whoever did exploit it (the dirty criminal!!) could access the
> system with the rights of whoever called the process. And a normal user
> doesn't have system rights, whereas root does.
>
> Mr. Trin was right and I did make a mistake. Do not make this mistake !!
>
> It's late here for me, and my spelling and typing may be less than
> perfect. But when it comes to security, details _do_ matter.

Thank you for your detailed answer, it makes sense :)
-- 
Jon
In article <44idnco3lL0vFCfcRVn-gg@acadia.net>, Newsbox wrote:

>Looks like they are all coming from port 80 and going to various ports
>>1024. That's why I thought it might be some web page that I was
>visiting pulling down ads, or some such. I have blocked some ad sites in
>my browser (Galeon), but don't believe that would show in my firewall
>logs.

OK, I finally was able to get to their web site this morning.

   Limelight Networks provides a substantial infrastructure cost reduction
   for any organization committed to enhancing their web presence via our
   comprehensive suite of Digital Delivery services.

So it does look like ads or some such.

>I'll pull down the whole list and do a statistical analysis if
>necessary. They are all coming from 69.28.159.7. I had blocked and
>DROPped access from 69.28.159.9 some time ago for the same reasons, and
>have not missed anything of importance coming back.

That being the case - you could block the 69.28.128.0/18 and be done with it. Actually, blocking the /17 gets Peer1 net (69.28.192.0/18) as well. If you do a google search for 'spyware sites' you should pick up on a site run by someone using the handle 'sponge' or 'yosponge' - he has a fairly comprehensive list of sites you may want to block.

These ad sites really do have a reason for existence. The Internet really does cost money to construct, operate, and maintain. There are companies that are willing to pay for this, because they think they can make money by selling other products/services. Just as your subscription price does not pay the costs of a magazine or newspaper (never mind your favorite shows on radio or TV), those publishers sell ads to defray these costs. Don't get me wrong - I'm not advocating that you shouldn't block the ads (I nearly always use lynx or links, and am rarely bothered by them).

>Noted. As a serious person responding to a serious point, you are right
>and I was negligent. Thank you for pointing that out.

It's not my dog, but you know why it's a problem. Your response to 'Jon' is quite reasoned and correct.

>> If this is all you show, no - don't bother wasting their/your time. If
>> you have some details of nefarious deeds (including relatively accurate
>> times, specific ports/addresses, etc), then it might be worth a shot.
>> You might also google for them in the news.admin.net-abuse.* newsgroups.
>
>That's pretty much what I thought. There is nothing obviously nefarious
>of which I am aware. I think the worst it probably is, is banner ads or
>popup windows, if that. Or maybe less notable even than that. IDK.

I think you are correct. As you indicate that not accepting connections from them doesn't hurt you, it's probably best to just block and forget.

>I want to set up an iptables rule to log any outgoing requests to that
>address to give me more details. Not finished yet, but so far I have
>this:
>
>iptables -I OUTPUT -p tcp --syn -d 69.28.159.0/24 --dport 80 -j LOG
>--log-prefix " --llnw-- "

Looks OK to me - as mentioned above, I'd expand it to 69.28.128/18 and probably not bother logging, as the log doesn't show the page request.

>I appreciate your help and thank you.

Happy to be able to help!

Old guy
In article <pan.2004.12.11.07.08.55.418004@ihug.co.nz>, Jon wrote:

>On Sat, 11 Dec 2004 00:45:58 -0500, Newsbox wrote:
>
>> Details _DO_ matter, and anyone reading should note Mr. Trin's issue. He
>> is right. Never run as superuser what will run as a regular,
>> unprivileged user.
>
>Sorry to go slightly off topic and also sorry if this seems a stupid and
>ignorant question but ... why shouldn't you run network apps as root and
>how could something like whois be exploited?

See the reply from 'Newsbox'. I agree, it's not a stupid/ignorant/off topic question. There are two real reasons not to run anything unnecessary as root. The first is that you avoid unknown exploits. Few of the applications that run in Unix (not just Linux) are all that dangerous over the net, but why risk it?

The second reason might seem less obvious, but it's going to get you some day - no matter how careful you are. You _WILL_ make a typo of some kind. And let's take the worst example - the classic 'rm -Rf / tmp/somefile'. See that space between the first slash and 'tmp'. As a user, you will have several seconds of

   rm:/bin/mumble: Permission denied

and so on, while you frantically hit the Ctrl and C keys. As root on the other hand, you will be treated to a blazing display of speed as your computer goes down the tubes. Here are three classic comments (seen on various newsgroups) that explain this.

---------------------
Somehow - even a Sparc Classic box moves extremely fast when it comes to put in practice a big scale f?ckup. [like chmod -R .* as root] (Classic is a 4/15, bottom of the Sun4m line about equal to a 386DX-16.)
---------------------
The speed at which a mistyped command executes is directly proportional to the cube of the amount of damage done.
---------------------
Long story, I was clearing some files that had accumulated in /tmp/

# cd /tmp/
# ls -a
..randomCrap .morestuff ....
# rm -r .*

[... Hmmm, this is taking an awful long time...]

After about 30s I panicked and pressed ^C. Bash didn't come back up. Oops.
---------------------

In repeat - some day, some way, you WILL make a typo. As a user, it might be bad enough, but as root, TRUST ME; "it will be worse". This is why we have backups made on a regular schedule. Just looking in this newsgroup right now, the next thread is "Accidentally deleted /etc/init.d/iptables script"

Any more questions ? ;-)

Old guy