nethogs opening raw socket and seeing unidentified connection attempts
This bug report was converted into a question: question #94220: nethogs opening raw socket and seeing unidentified connection attempts.
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| nethogs (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: nethogs
I got iptables log entries about access attempts to IPs (port 80) I could not identify as legitimate traffic.
(Unfortunately it seems iptables can filter by, but not log PIDs (or commands) by which local packets where generated, only --log-uid.)
Searching for the origin of the packets I found that the nethogs that was running had a socket open:
# netstat -epan --inet
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN 1003 110063 4901/firefox
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 7810 2387/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 5328 1100/dhclient
udp 0 0 0.0.0.0:5353 0.0.0.0:* 106 5245 1105/avahi-daemon:
udp 0 0 0.0.0.0:47387 0.0.0.0:* 106 5247 1105/avahi-daemon:
raw 0 0 0.0.0.0:1544 0.0.0.0:* 7 0 58580 4751/nethogs
The packets could come from nethogs or from another short running non UID 1003 process (which are allowed).
In any case I found it strange that nethogs has at all a socket on 0.0.0.0:1544 open.
I installed nethogs from the repositories and have not found any mention of this on the net or in the /usr documetation.
| Kees Cook (kees) wrote | #1 |
| security vulnerability: | yes → no |
| visibility: | private → public |
| Changed in nethogs (Ubuntu): | |
| status: | New → Invalid |
| Changed in nethogs (Ubuntu): | |
| status: | Invalid → New |
| status: | New → Invalid |
Thanks for your comments. This does not appear to be a bug report and we are closing it. We appreciate the difficulties you are facing, but it would make more sense to raise your question in the support tracker. Please visit https:/