- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: Internet Usage
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2003 05:29 AM
08-13-2003 05:29 AM
Internet Usage
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2003 05:33 AM
08-13-2003 05:33 AM
Re: Internet Usage
You could have a cron job that logs the output of `netstat -a | grep 80` to a file somewhere.
This will catch any port 80, or 8080 accesses (outgoing or incoming), but may also catch non-web traffic.
HTH.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2003 05:41 AM
08-13-2003 05:41 AM
Re: Internet Usage
what is pwgr ?
910
6b08da00 dgram 0 0 7a512800 0 0 0 /var/spool/sockets/pwgr/client23987
6acee400 dgram 0 0 70f96800 0 0 0 /var/spool/sockets/pwgr/client16767
7128e800 stream 0 0 80432000 0 0 0 /opt/hpservices/adm/.serverSocket
6ad2e800 dgram 0 0 708fd000 0 0 0 /var/spool/sockets/pwgr/client16779
6bbbea00 dgram 0 0 726c7800 0 0 0 /var/spool/sockets/pwgr/client16751
6295ec00 dgram 0 0 8c287800 0 0 0 /var/spool/sockets/pwgr/client10320
611ff000 dgram 0 0 60777800 0 0 0 /var/spool/pwgr/daemon
6090f000 dgram 0 0 60c97800 0 0 0 /opt/dcelocal/var/rpc/local/00984/reaper
62d0f400 dgram 0 0 86ac7800 0 0 0 /var/spool/sockets/pwgr/client17287
6ad0f600 dgram 0 0 71228000 0 0 0 /var/spool/sockets/pwgr/client16773
6bc9f800 dgram 0 0 71226800 0 0 0 /var/spool/sockets/pwgr/client16745
6ae8f800 dgram 0 0 6a5ac800 0 0 0 /var/spool/sockets/pwgr/client16729
62ecfe00 dgram 0 0 93286800 0 0 0 /var/spool/sockets/pwgr/client11125
62e7fe00 dgram 0 0 62757800 0 0 0 /var/spool/sockets/pwgr/client4987
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2003 05:52 AM
08-13-2003 05:52 AM
Re: Internet Usage
HTH.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2003 06:08 AM
08-13-2003 06:08 AM
Re: Internet Usage
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 ihshp10.49979 ihshp10.registrar TIME_WAIT
tcp 0 0 *.dtspc *.* LISTEN
tcp 0 0 *.4045 *.* LISTEN
tcp 0 0 ihshp10.8052 *.* LISTEN
tcp 0 0 ihshp10.8050 *.* LISTEN
tcp 0 0 ihshp10.8003 *.* LISTEN
tcp 0 0 ihshp10.8002 *.* LISTEN
tcp 0 0 ihshp10.8001 *.* LISTEN
tcp 0 0 ihshp10.8000 *.* LISTEN
tcp 0 0 ihshp10.65340 ihshp10.610 ESTABLISHED
tcp 0 0 ihshp10.57068 ihshp14.1521 ESTABLISHED
tcp 0 0 ihshp10.57065 ihshp14.1521 ESTABLISHED
tcp 0 0 ihshp10.57062 ihshp14.1521 ESTABLISHED
like ihshp10.57602
What is 57602, a port being used?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-13-2003 06:09 AM
08-13-2003 06:09 AM
Re: Internet Usage
Do you have sendmail running on these servers? Do your applications or databases send automated mail outside your network, to a pop mailer outside your network? Check with your applications people to see if you had anyone coming in via telnet or ftp or ssh from outside your network to do work on any of your systems.
Are your running security_patch_check on these systems, or doing any other FTPs to systms outside your network? If this the first time your network group has run this sort of audit, they may actually be seeing a normal month's usage of the network.
mark
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2003 02:35 AM
08-20-2003 02:35 AM
Re: Internet Usage
/opt/hpservices/vendors/HP_Services/vendor.pref
and change the variable "POLL_INTERVAL". By default it is set to 190 seconds. The systems should at least poll a few times per day. After changing the POLL_INTERVAL restart the hpservices by /sbin/init.d/hpservices stop/start
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2003 06:36 PM
08-20-2003 06:36 PM
Re: Internet Usage
tcp 0 0 ihshp10.65340 ihshp10.610 ESTABLISHED
tcp 0 0 ihshp10.57068 ihshp14.1521 ESTABLISHED
The 65340 is the port it (the local machine called ihshp10) used as the source of the connnection. (Port numbers are chosen at random these days. They used to go up one at a time but a spoofer could exploit the predictability so they changed it.) It made a connection to itself on port 610. TCP/IP is often used to communicte between two processes running on the same machine so this is normal. 610 is a registered port and is supposed to be used for: npmp-local whatever that may be.
On the second line it uses port 57068 to connect to ihshp14 on port 1521. 1521 is also a registered port and is supposed to be used for: nCube License Manager
I suspect someone (Peoplesoft or Oracle) is reusing these ports for their own purposes.
You might look at
netstat -s
and see if you have a large number or UDP packets being sent out since it does not appear that you are going out to the internet via tcp at this instant in time. To see these packets would require something like tcpdump, snort or a sniffer. The network guys should have a sniffer so ask them to tell you where this supposed internet traffic is going to.
Ron
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2003 06:59 PM
08-20-2003 06:59 PM
Re: Internet Usage
If you installed Bastille and answered the security_patch_check question y there will be some Internet access, though not a lot. That product could be installed standalone as well.
If you get the website you might get the product.
Also, if you installed IP filter firewall, it can bet set up to provide NAT access to other servers and workstations, which will show up on some analaysis as server access. This should only be an issue if there is a direct connection to the Internet on those servers.
This gives you an idea of how big a fishing expedition you might have been sent on. If they are tracking access they should be able to tell you where it goes.
If its those sites with pictures nice guys don't look at, you've got a security problem.
Alos note, if you have netscape or IE for HP-UX or mozilla installed, any X windows user on your servers can access the net. Wow that fishing exedition just got huge.
Sorry, home from vacation, in kind of a mood. Must have been all that thin air.
SEP
aka
former Sundance Wyoming HP Sysadmin.
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com