Netstat reveals suspicious activity
I was just "goofing around" with Netstat the other day and noticed something very odd, and very disturbing.
--------------------------------------------------------------------------------
tcp 0 253 www.carhopper.net
tcp 0 0 www.carhopper.net
udp 0 0 www.carhopper.ne:domain *:*
--------------------------------------------------------------------------------
$ netstat -r
www.carhopper.n * 255.255.255.255 UH 0 0 0 eth0
--------------------------------------------------------------------------------
$ netstat -a
tcp 0 0 www.carhopper.net
tcp 0 0 www.carhopper.net:http crawl-66-249-71-5:43374 TIME_WAIT
tcp 0 0 www.carhopper.net
tcp 0 59 www.carhopper.net
tcp 0 0 www.carhopper.net:http ip68-14-52-214.no.:1989 ESTABLISHED
tcp 0 0 www.carhopper.net:http ip68-14-52-214.no.:1988 ESTABLISHED
--------------------------------------------------------------------------------
carhopper.net is a domain I owned a few years ago, and had hosted on a server which was hacked. The domain expired quite a while ago. When I tried two days ago to research any traces of the domain, I found nothing. It's listed in the whois as "available". The IPs I've found at different times associated with the Netstat readout I've traced to Korea and China, among other countries.
I'm concerned about a backdoor trojan - the type that "cloaks" itself successfully from detection by RKhunter, Chkrootkit, LogWatch, etc. When I see my former domain appear in the results of a Netstat call, then can't find any trace of who, if anyone, might be using that domain, I get very nervous.
I checked /var/named and grepped /var/log for clues. Nothing with carhopper.net.
Any thoughts about this mystery? carhopper.net appears faithfully whenever I run Netstat. It never "goes away". I asked the tech at the NOC if there may be some offbeat chance that carhopper.net was somehow still in some file on his network, but haven't had a response from him.
best wishes ...
the-muse
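In the posted `netstat -a` lines the name sits in the Local Address column (the column before the foreign peer and the state), which is the column netstat fills by reverse-resolving this server's own socket address, not a peer's. The following is an added example, written by the editor and not part of the original post: it parses netstat output of the same shape, reports which column a given name occupies, and checks the name against an /etc/hosts file and the numeric (`netstat -n`) listing to show one place such a name can come from without leaving any trace in DNS or the logs. The server address 192.0.2.10, the peer IPs, and the hosts file contents are constructed assumptions chosen to mirror the posted lines.

```python
"""Added example (editor's code, not from the post): where does a hostname
shown by netstat come from?  All sample data below is constructed; the
server address 192.0.2.10, the peer IPs and the hosts file are assumptions."""
from collections import Counter

# Constructed `netstat -a` sample (names resolved), mirroring the post.
NETSTAT_RESOLVED = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 www.carhopper.net:http  crawl-66-249-71-5:43374 TIME_WAIT
tcp        0      0 www.carhopper.net:http  ip68-14-52-214.no.:1989 ESTABLISHED
tcp        0      0 www.carhopper.net:http  ip68-14-52-214.no.:1988 ESTABLISHED
udp        0      0 www.carhopper.ne:domain *:*
"""

# Constructed `netstat -an` sample for the same sockets (assumed addresses).
NETSTAT_NUMERIC = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           66.249.71.5:43374       TIME_WAIT
tcp        0      0 192.0.2.10:80           68.14.52.214:1989       ESTABLISHED
tcp        0      0 192.0.2.10:80           68.14.52.214:1988       ESTABLISHED
udp        0      0 192.0.2.10:53           0.0.0.0:*
"""

# Constructed /etc/hosts; the second line is an assumed stale entry, one way
# a name reaches netstat without any DNS query or log line being produced.
HOSTS_FILE = """\
127.0.0.1    localhost
192.0.2.10   www.carhopper.net www   # assumed stale entry
"""

PROTOS = {"tcp", "tcp6", "udp", "udp6"}


def split_endpoint(endpoint):
    """'host:port' -> (host, port); host may be '*' or a truncated name."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """One dict per socket line; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in PROTOS:
            continue
        conns.append({
            "proto": parts[0],
            "local": split_endpoint(parts[3]),
            "remote": split_endpoint(parts[4]),
            "state": parts[5] if len(parts) > 5 else "",  # UDP has no state
        })
    return conns


def host_matches(shown, name):
    """netstat cuts long names to its column width ('www.carhopper.ne'),
    so a sufficiently long prefix of the full name counts as a match."""
    return shown == name or (len(shown) >= 8 and name.startswith(shown))


def name_positions(conns, name):
    """Count the column the name appears in: 'local' means it is what this
    host's own address resolved to; 'remote' means it is a real peer."""
    pos = Counter({"local": 0, "remote": 0})
    for c in conns:
        if host_matches(c["local"][0], name):
            pos["local"] += 1
        if host_matches(c["remote"][0], name):
            pos["remote"] += 1
    return pos


def parse_hosts(text):
    """Map every name in an /etc/hosts file to its address."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            table[n.lower()] = ip
    return table


def explain_name(name, hosts_table, numeric_conns):
    """Report where the displayed name can come from and whether it is local."""
    ip = hosts_table.get(name.lower())
    if ip is None:
        return {"source": "resolver/PTR", "ip": None, "is_local": None}
    local_ips = {c["local"][0] for c in numeric_conns}
    return {"source": "/etc/hosts", "ip": ip, "is_local": ip in local_ips}


def foreign_addresses(numeric_conns):
    """Peer IPs worth feeding to whois; wildcard listeners are excluded."""
    return sorted({c["remote"][0] for c in numeric_conns
                   if c["remote"][0] not in ("*", "0.0.0.0", "::")})


if __name__ == "__main__":
    resolved = parse_netstat(NETSTAT_RESOLVED)
    numeric = parse_netstat(NETSTAT_NUMERIC)
    print(name_positions(resolved, "www.carhopper.net"))
    print(explain_name("www.carhopper.net", parse_hosts(HOSTS_FILE), numeric))
    print(foreign_addresses(numeric))
```

On the real box the equivalent checks are `netstat -an` (numeric, so the name is out of the picture), `grep -i carhopper /etc/hosts`, `getent hosts <server IP>` (what the local resolver returns for the server's own address), `hostname -f`, and `dig -x <server IP>` for the PTR record the NOC publishes. If the name only appears in the Local Address column and maps to the server's own IP, it is the server's own address being labelled, and the foreign addresses are the ones to run through whois.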