Networking Forums


Skype Spyware

 
 
Detlef Jockheck

 
      05-24-2007, 06:27 PM
Hi!

I just recognized that there is a lot of network-traffic when using skype. I
tried to find the reason and found the following:
mypc:~ # netstat | grep "^tcp"
tcp 0 0 localhost:25872 mtp.tvk.RWTH-Aach:18660 TIME_WAIT
tcp 0 0 localhost:25814 mtp.tvk.RWTH-Aach:18660 TIME_WAIT
tcp 0 0 localhost:15762 c196174.adsl.hanse:9809 TIME_WAIT
tcp 0 0 localhost:24403 c-12eee355.016-22:15542 TIME_WAIT
tcp 0 0 localhost:19649 240.140-136-racle-em2 TIME_WAIT
tcp 0 0 localhost:18923 c196174.adsl.hanse:9809 TIME_WAIT
tcp 0 0 localhost:24895 e179012223.adsl.a:https TIME_WAIT
tcp 0 0 localhost:23321 pc_71_245.smrw.lo:18093 TIME_WAIT
tcp 0 0 localhost:20589 458pc.wohnheimg.u:64219 TIME_WAIT

What does this mean? Why do I have connections to PCs (like
458pc.wohnheimg.u) I never heard about. Is this a security problem inside
Skype?

How can I find out the complete name of the destination? In netstat it seems
to be shortened.

ciao
Detlef
--
Detlef Jockheck

 
 
 
 
 
Allen Kistler

 
      05-25-2007, 07:16 PM
Detlef Jockheck wrote:
> Hi!
>
> I just recognized that there is a lot of network-traffic when using skype. I
> tried to find the reason and found the following:
> mypc:~ # netstat | grep "^tcp"
> tcp 0 0 localhost:25872 mtp.tvk.RWTH-Aach:18660 TIME_WAIT
> tcp 0 0 localhost:25814 mtp.tvk.RWTH-Aach:18660 TIME_WAIT
> tcp 0 0 localhost:15762 c196174.adsl.hanse:9809 TIME_WAIT
> tcp 0 0 localhost:24403 c-12eee355.016-22:15542 TIME_WAIT
> tcp 0 0 localhost:19649 240.140-136-racle-em2 TIME_WAIT
> tcp 0 0 localhost:18923 c196174.adsl.hanse:9809 TIME_WAIT
> tcp 0 0 localhost:24895 e179012223.adsl.a:https TIME_WAIT
> tcp 0 0 localhost:23321 pc_71_245.smrw.lo:18093 TIME_WAIT
> tcp 0 0 localhost:20589 458pc.wohnheimg.u:64219 TIME_WAIT
>
> What does this mean? Why do I have connections to PCs (like
> 458pc.wohnheimg.u) I never heard about. Is this a security problem inside
> Skype?


Skype works by connecting to a lot of computers (other people running
Skype) at once in order to assure connectivity and to find anyone you're
trying to call. Conversely, a lot of computers are connecting to you
for the same reason. Skype is based on Kazaa.

> How can I find out the complete name of the destination? In netstat it seems
> to be shortened.


man host
 
 
Ben Carr

 
      05-25-2007, 07:26 PM
> How can I find out the complete name of the destination? In netstat it seems
> to be shortened.


netstat -n will give you the numeric IPs of machines you are connected
to. You can then use resolveip to get the names if you need them.
-B
 
 
Moe Trin

 
      05-27-2007, 02:00 AM
On Fri, 25 May 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <f37d9b$jui$(E-Mail Removed)>, Ben Carr wrote:

>> How can I find out the complete name of the destination? In netstat
>> it seems to be shortened.

>
>netstat -n will give you the numeric IPs of machines you are connected
>to. You can then use resolveip to get the names if you need them.


"resolveip" is another whizzy tool to perform DNS lookups. This one
at least uses normal resolver calls, and will therefore consult the
host services listed in /etc/nsswitch.conf (meaning that for most, it
will look at the contents of /etc/hosts in addition to a normal DNS
lookup). Most people don't have this tool (part of MySQL) installed,
but can use one of the bind utilities:

[compton ~]$ whatis dig dnsquery host nslookup
dig (1) - send domain name query packets to name servers
dnsquery (1) - query domain name servers using resolver
host (1) - look up host names using domain server
nslookup (8) - query Internet name servers interactively
[compton ~]$

Where these tools fail is that there are a significant number of
network administrators who don't feel the need to follow the RFCs
which _require_ DNS PTR records (RFCs 1034, 2050, 2131 among others)
or are too incompetent and don't know how to configure their name server
zone files. Likewise, many residential providers (cable, DSL, dialin)
use meaningless generic hostnames - usually incorporating the IP address
as a part of the name - such as c-67-164-209-122.hsd1.ca.comcast.net
which is 67.164.209.122 (some 0wn3d windoze box in the Sacramento,
California area), or ool-44c0dcc7.dyn.optonline.net (the 44c0dcc7 is
hexadecimal for 68.192.220.199 - being used by a spammer in Northeast
New Jersey). Often, you will find that a tool that queries the RIR
whois databases is more useful.

Old guy
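
Added example, not part of the original thread: a Python sketch of the workflow the replies describe, which counts remote peers from `netstat -tn` output, does the reverse lookup through the system resolver, and recovers the IP address that a generic provider hostname encodes (dashed decimal or eight hex digits, the two forms quoted in the post above). The netstat sample is constructed with documentation-range addresses, and the function names are assumptions made for this example.

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample of `netstat -tn` output (documentation-range addresses).
SAMPLE = """\
tcp        0      0 192.0.2.10:25872    198.51.100.7:18660   TIME_WAIT
tcp        0      0 192.0.2.10:25814    198.51.100.7:18660   TIME_WAIT
tcp        0      0 192.0.2.10:24895    203.0.113.45:443     TIME_WAIT
"""

DEC = re.compile(r"(?<!\d)(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?!\d)")
HEX = re.compile(r"(?<![0-9a-f])[0-9a-f]{8}(?![0-9a-f])", re.I)

def remote_peers(netstat_text):
    """Count TCP connections per remote IP from `netstat -tn` lines."""
    peers = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp"):
            peers[fields[4].rsplit(":", 1)[0]] += 1
    return peers

def embedded_ipv4(hostname):
    """Return the IPv4 address encoded in a generic PTR name's first label, or None."""
    label = hostname.split(".")[0]
    m = DEC.search(label)
    if m and all(int(o) <= 255 for o in m.groups()):
        return ".".join(str(int(o)) for o in m.groups())
    m = HEX.search(label)
    if m:
        return str(ipaddress.IPv4Address(int(m.group(0), 16)))
    return None

def ptr_name(ip):
    """Reverse lookup through the system resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

if __name__ == "__main__":
    for ip, n in remote_peers(SAMPLE).most_common():
        name = ptr_name(ip)
        # A name that merely encodes its own IP says nothing about who runs the host.
        print(ip, n, name or "no PTR record", embedded_ipv4(name or ""))
```

When the PTR name is missing or only restates the address, the RIR whois record for the IP is the next place to look, as the post says.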
 