I didn't think of RedHat as a virus
Kevin O'Gorman
kevin
Mon May 17 11:37:06 PDT 2004
I'm monitoring some of my local network traffic for another reason,
and the first thing I saw surprised me. It appears to be a very
quick HTTPS conversation between one of my machines and the host
xmlrpc.rhn.redhat.com. (216.148.218.160)
My machine at this moment had NO browsers open, only xterms and
a Java application for which I have the source code. I was not
conscious of any daemons that need to contact RedHat. Anybody
know what this might be?
Partial trace is attached. It was cut-and-paste from the xterm
where I ran the program, so I can't get any more information than
this, but presumably this will happen again.
++ kevin
--
Kevin O'Gorman, PhD (805) 650-6274 mailto:kevin at kosmanor.com
Permanent e-mail forwarder: mailto:Kevin.O'Gorman.64 at Alum.Dartmouth.org
Permanent e-mail forwarder mailto:kogorman at umail.ucsb.edu
Web: http://kosmanor.com/~kevin/index.html
-------------- next part --------------
[root at glynnis root]# tcpdump -N -i eth0
tcpdump: listening on eth0
13:48:48.713923 treat.631 > 63.194.39.151.631: udp 90 (DF)
13:49:04.975736 glynnis.32769 > trixie.domain: 3769+ A? www.rhns.redhat.com. (37) (DF)
13:49:04.977267 trixie.3307 > psisf.domain: 27037+ A? www.rhns.redhat.com. (37)
13:49:05.014376 psisf.domain > trixie.3307: 27037 7/3/3 CNAME[|domain] (DF)
13:49:05.017605 trixie.domain > glynnis.32769: 3769 7/3/3 CNAME[|domain]
13:49:05.018730 glynnis.32895 > 216.148.218.160.https: S 3469308837:3469308837(0) win 5840 <mss 1460,sackOK,timestamp 7932000 0,nop,wscale 0> (DF)
13:49:05.044153 216.148.218.160.https > glynnis.32895: S 3459776326:3459776326(0) ack 3469308838 win 32120 <mss 1460,nop,wscale 0> (DF)
13:49:05.044279 glynnis.32895 > 216.148.218.160.https: . ack 1 win 5840 (DF)
13:49:05.047616 glynnis.32895 > 216.148.218.160.https: P 1:125(124) ack 1 win 5840 (DF)
13:49:05.083815 216.148.218.160.https > glynnis.32895: . ack 125 win 32120 (DF)
13:49:05.132318 216.148.218.160.https > glynnis.32895: P 1:1461(1460) ack 125 win 32120 (DF)
13:49:05.132413 216.148.218.160.https > glynnis.32895: P 1461:1616(155) ack 125 win 32120 (DF)
13:49:05.134220 glynnis.32895 > 216.148.218.160.https: . ack 1461 win 8760 (DF)
13:49:05.134282 glynnis.32895 > 216.148.218.160.https: . ack 1616 win 11680 (DF)
13:49:05.233558 glynnis.32895 > 216.148.218.160.https: P 125:315(190) ack 1616 win 11680 (DF)
13:49:05.281903 216.148.218.160.https > glynnis.32895: . ack 315 win 31930 (DF)
13:49:05.300673 216.148.218.160.https > glynnis.32895: P 1616:1667(51) ack 315 win 32120 (DF)
13:49:05.306009 glynnis.32895 > 216.148.218.160.https: . ack 1667 win 11680 (DF)
13:49:05.307460 glynnis.32895 > 216.148.218.160.https: P 315:392(77) ack 1667 win 11680 (DF)
13:49:05.309939 glynnis.32895 > 216.148.218.160.https: . 392:1852(1460) ack 1667 win 11680 (DF)
13:49:05.361727 216.148.218.160.https > glynnis.32895: . ack 392 win 32120 (DF)
13:49:05.362885 glynnis.32895 > 216.148.218.160.https: P 1852:2936(1084) ack 1667 win 11680 (DF)
13:49:05.552177 216.148.218.160.https > glynnis.32895: . ack 2936 win 32120 (DF)
13:49:05.735941 216.148.218.160.https > glynnis.32895: P 1667:3127(1460) ack 2936 win 32120 (DF)
13:49:05.735983 216.148.218.160.https > glynnis.32895: P 3127:3128(1) ack 2936 win 32120 (DF)
13:49:05.736032 216.148.218.160.https > glynnis.32895: P 3128:3157(29) ack 2936 win 32120 (DF)
13:49:05.736218 216.148.218.160.https > glynnis.32895: F 3157:3157(0) ack 2936 win 32120 (DF)
13:49:05.736507 glynnis.32895 > 216.148.218.160.https: . ack 3128 win 14600 (DF)
13:49:05.752797 glynnis.32895 > 216.148.218.160.https: R 2936:2936(0) ack 3158 win 14600 (DF)
13:49:09.970824 arp who-has trixie tell glynnis
13:49:09.971157 arp reply trixie is-at 0:50:ba:8d:cc:3a
13:49:09.975675 arp who-has IPGateway tell trixie
13:49:09.997793 arp reply IPGateway is-at 0:10:67:0:b5:66
13:49:19.710752 treat.631 > 63.194.39.151.631: udp 90 (DF)
13:49:24.394469 trixie.ntp > lovenun.ntp: v4 client strat 2 poll 10 prec -18
13:49:24.396333 glynnis.32769 > trixie.domain: 15237+ PTR? 3.96.192.63.in-addr.arpa. (42) (DF)
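As an added example (not from the post, and not Red Hat's own tooling), a small parser for the old-style tcpdump lines above that groups TCP packets into flows and reports who opened the connection, the payload bytes in each direction, and how the flow was torn down; the sample input is a constructed subset of the trace.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tcpdump lines from the trace above.
SAMPLE_TRACE = """\
13:49:05.018730 glynnis.32895 > 216.148.218.160.https: S 3469308837:3469308837(0) win 5840 <mss 1460,sackOK,timestamp 7932000 0,nop,wscale 0> (DF)
13:49:05.044153 216.148.218.160.https > glynnis.32895: S 3459776326:3459776326(0) ack 3469308838 win 32120 <mss 1460,nop,wscale 0> (DF)
13:49:05.044279 glynnis.32895 > 216.148.218.160.https: . ack 1 win 5840 (DF)
13:49:05.047616 glynnis.32895 > 216.148.218.160.https: P 1:125(124) ack 1 win 5840 (DF)
13:49:05.132318 216.148.218.160.https > glynnis.32895: P 1:1461(1460) ack 125 win 32120 (DF)
13:49:05.736218 216.148.218.160.https > glynnis.32895: F 3157:3157(0) ack 2936 win 32120 (DF)
13:49:05.752797 glynnis.32895 > 216.148.218.160.https: R 2936:2936(0) ack 3158 win 14600 (DF)
"""

# Old-style tcpdump TCP line: "<time> <src.port> > <dst.port>: <flags> [seq:seq(len)] [ack N] ..."
TCP_LINE = re.compile(r"^(\S+) (\S+) > (\S+): ([SFRP.]+)(?: \d+:\d+\((\d+)\))?(?: ack (\d+))?")

def summarize_flows(trace):
    """Group TCP packets into flows; record initiator, bytes per direction, flags seen."""
    flows = {}
    for line in trace.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # UDP, DNS and ARP lines carry no TCP flags and are skipped
        ts, src, dst, flags, length, ack = m.groups()
        key = tuple(sorted((src, dst)))  # same key regardless of direction
        f = flows.setdefault(key, {"client": None, "server": None, "first": ts, "last": ts,
                                   "bytes": defaultdict(int), "flags": defaultdict(str)})
        if "S" in flags and ack is None and f["client"] is None:
            f["client"], f["server"] = src, dst  # a bare SYN marks who opened the connection
        f["last"] = ts
        f["bytes"][src] += int(length or 0)  # payload bytes, from the (len) field
        f["flags"][src] += flags
    return flows

def describe(flow):
    """One triage line: who initiated, volume each way, and how the flow ended."""
    c, s = flow["client"], flow["server"]
    if c is None:
        return "no SYN seen; connection predates the capture"
    end = "server FIN" if "F" in flow["flags"][s] else "no FIN seen"
    if "R" in flow["flags"][c]:
        end += ", client RST"
    return (f"{c} -> {s}: {flow['bytes'][c]} B sent, {flow['bytes'][s]} B received, "
            f"{flow['first']}..{flow['last']}, teardown: {end}")

if __name__ == "__main__":
    for flow in summarize_flows(SAMPLE_TRACE).values():
        print(describe(flow))
```

The trace alone only shows that the connection was opened from the local side; which local process owned port 32895 is answered on the host itself with lsof -i or netstat -p while the connection is up.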