From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4C69C1E4.9090309@gmail.com>
Date: Mon, 16 Aug 2010 17:55:32 -0500
From: Dale
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100801 Gentoo/2.0.6 SeaMonkey/2.0.6
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Yahoo and strange traffic.
References: <4C684F59.3040903@gmail.com> <201008152329.44195.alan.mckinnon@gmail.com>
In-Reply-To: <201008152329.44195.alan.mckinnon@gmail.com>

Alan McKinnon wrote:
> On Sunday 15 August 2010 22:55:23 Paul Hartman wrote:
>
>> On Sun, Aug 15, 2010 at 3:34 PM, Dale wrote:
>>
>>> Hi folks,
>>>
>>> I have been noticing the past few weeks that something is communicating with
>>> Yahoo at these addresses:
>>>
>>> cs210p2.msg.sp1.yahoo.com
>>>
>>> rdis.msg.vip.sp1.yahoo.com
>>>
>>> I thought it was Kopete getting some info, profile pics maybe, from the
>>> server. Thing is, it does this for a really long time. It is also
>>> SENDING data as well. I have no idea why it is doing this or what it is
>>> sending. I closed the Kopete app but the data still carries on. This
>>> "transfer" has been going for a while now and the only way I can stop it
>>> is to stop the network, wait a minute or two for it to time out and then
>>> restart the network.
>>>
>>> Anybody have any idea what the heck this is? Is Yahoo up to something?
>>>
>>> Some new security issue that I haven't heard of?
>>>
>> I think it's normal.
>>
>> The first address is one of their pool of messaging servers and the
>> second is a web server, probably like you said for retrieving
>> additional info. The sending of data could be the http request, or
>> updating your status/picture/whatever kopete may be doing. You could
>> try blocking it and see what breaks. :)
>>
> Dale,
>
> It could also be a weather map, or any number of widgets that get data from
> the intartubes.
>
> netstat with -p can help track down the app that has the connection open
>

OK. It finally started doing it again. Here is the short version of netstat -p.
It looks like kopete but what in the heck is it sending and receiving?

root@smoker / # netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43438       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43490       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopeteFc9968.
tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
tcp        0      0 192.168.1.2:43558       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43523       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 localhost:nut           localhost:60971         ESTABLISHED 9640/upsd
tcp        0      0 192.168.1.2:42517       cs215p2.msg.ac4.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43462       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43516       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43479       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43405       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -

One other question, if this is kopete, how does it keep sending/receiving after
I have closed the kopete app? This is weird. Kopete and Yahoo have not done this
before.

Dale

:-)  :-)
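As an added example that is not part of the thread, here is a small script that parses the kind of `netstat -p` listing Dale posted, tallies connections per program, remote host and state, and singles out remote sockets that no longer have an owning PID but are not yet in TIME_WAIT. The sample rows are constructed to mirror the listing above; the function names are my own.

```python
from collections import Counter

# Constructed sample, modelled on the netstat -p listing quoted in the thread
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopeteFc9968.
tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
"""

def parse_netstat(text):
    """Turn the TCP rows of 'netstat -p' output into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue
        proto, recvq, sendq, local, foreign, state = parts[:6]
        owner = " ".join(parts[6:])          # '-' when no process owns the socket
        host, _, port = foreign.rpartition(":")   # rpartition copes with IPv6 colons
        pid, prog = (None, None)
        if owner != "-":
            pid, _, prog = owner.partition("/")
        rows.append({"proto": proto, "recvq": int(recvq), "sendq": int(sendq),
                     "local": local, "host": host, "port": port, "state": state,
                     "pid": pid, "prog": prog})
    return rows

def by_program(rows):
    """Count connections per (program, remote host, state); loopback sockets excluded."""
    return Counter((r["prog"] or "-", r["host"], r["state"])
                   for r in rows if r["host"] != "localhost")

def unowned_active(rows):
    """Remote sockets with no owning PID that are past the quiet TIME_WAIT state.
    After a process exits the kernel still finishes the close handshake and
    drains queued data, so traffic can continue briefly with '-' as the owner."""
    return [r for r in rows
            if r["pid"] is None and r["host"] != "localhost" and r["state"] != "TIME_WAIT"]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print(by_program(rows))
    print(unowned_active(rows))
```

Pipe real output in with `netstat -p | python3 script.py` after swapping `SAMPLE` for `sys.stdin.read()`; the unowned list is where to look when traffic seems to outlive the program that started it.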