Security Breach?

Chris Strzelczyk cstrzelczyk at nobletechnology.net
Wed Mar 2 21:53:13 UTC 2005


Hello,

Upon checking my MRTG stats on a webserver I am running I found my 
traffic to be up considerably and the server
to be a bit slow.  After taking a look at my active connections to 
processes with netstat -nap I found these to be scary:

tcp        0      0 204.11.33.35:110            198.88.119.254:23781    TIME_WAIT   -
tcp        0      0 204.11.33.35:37326          161.53.2.81:6667        ESTABLISHED 16035/-bash
tcp        0      0 204.11.33.35:110            198.88.119.254:23776    TIME_WAIT   -
tcp        0      0 204.11.33.35:110            198.88.119.254:23791    TIME_WAIT   -
tcp        0      0 204.11.33.35:110            198.88.119.254:23775    TIME_WAIT   -
tcp        0      0 204.11.33.35:110            198.88.119.254:23790    TIME_WAIT   -
tcp        0      0 204.11.33.35:110            198.88.119.254:23774    TIME_WAIT   -
tcp        0      0 204.11.33.35:37350          195.197.175.21:6667     ESTABLISHED 16324/-bash
tcp        0      0 204.11.33.35:37325          194.134.7.195:6667      ESTABLISHED 16026/-bash
tcp        0      0 204.11.33.35:110            198.88.119.254:23785    TIME_WAIT   -

These established connections show -bash as the process running the 
port.  I have firewalled these IPs
off at my firewall; however, I can't find the root cause of this.  I 
have run chkrootkit and found nothing.  However,
this is very scary.

Could anyone provide me some clues on how to proceed at this point with 
my investigation?

-cs
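As an added example (not part of the original post or of the fedora-list thread), here is a POSIX shell script that does the first two triage steps a responder would take on output like the above: pull out the ESTABLISHED connections to the IRC port range (TCP 6665-6669, of which 6667 is the conventional one) together with the PID netstat reports for each, then look behind each PID in /proc, since the program name netstat prints is only argv[0] and a process can call itself -bash while /proc/PID/exe still points at the real binary (with a "(deleted)" suffix if it has been removed from disk). The sample netstat output is constructed from the lines quoted in the post; the function names and the port range are this example's own choices.

```shell
#!/bin/sh
# Added triage example, not code from the original post. Parses `netstat -nap`
# output, lists ESTABLISHED connections to IRC ports, and inspects the owning
# PIDs through /proc without trusting the program name netstat shows.

# Constructed sample: the netstat -nap lines quoted in the post, one record per line.
SAMPLE_NETSTAT='tcp        0      0 204.11.33.35:110            198.88.119.254:23781    TIME_WAIT   -
tcp        0      0 204.11.33.35:37326          161.53.2.81:6667        ESTABLISHED 16035/-bash
tcp        0      0 204.11.33.35:110            198.88.119.254:23776    TIME_WAIT   -
tcp        0      0 204.11.33.35:37350          195.197.175.21:6667     ESTABLISHED 16324/-bash
tcp        0      0 204.11.33.35:37325          194.134.7.195:6667      ESTABLISHED 16026/-bash
tcp        0      0 204.11.33.35:110            198.88.119.254:23785    TIME_WAIT   -'

# irc_connections: read netstat -nap output on stdin and print "PID PROGRAM REMOTE"
# for every ESTABLISHED TCP connection whose remote port is in the IRC range
# 6665-6669 (an assumed range for this example). TIME_WAIT entries, which carry
# no PID anyway, and other destination ports are ignored.
irc_connections() {
    awk '
        $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
            n = split($5, r, ":"); port = r[n] + 0   # last field after ":" is the port (works for IPv6 too)
            if (port >= 6665 && port <= 6669) {
                split($7, p, "/")                    # "16035/-bash" -> pid, argv[0]
                print p[1], p[2], $5
            }
        }'
}

# inspect_pid PID: show what is really behind a PID. Returns 1 if there is no
# /proc entry, which is itself worth noting (process already gone, respawned
# under a new PID, or hidden by a kernel-level rootkit that chkrootkit missed).
inspect_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "pid $pid: no /proc entry (exited, respawned, or hidden; cross-check with ps and lsof)"
        return 1
    fi
    echo "== pid $pid =="
    # exe is the real binary even if argv[0] was faked; "(deleted)" means it was unlinked.
    # cwd often points at the directory the bot was dropped into (/tmp, /dev/shm, /var/tmp).
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd" 2>/dev/null
    printf 'cmdline: '
    tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null
    echo
    # Name, parent PID and UID: which account it runs as, and what spawned it.
    grep -E '^(Name|PPid|Uid):' "/proc/$pid/status" 2>/dev/null
    # Open descriptors: config files, logs, the script it was started from, extra sockets.
    ls -l "/proc/$pid/fd" 2>/dev/null
}

# Usage on the sample: in a real investigation replace the printf with `netstat -nap`
# (run as root, otherwise the PID column is "-" for other users' processes).
printf '%s\n' "$SAMPLE_NETSTAT" | irc_connections | while read -r pid prog remote; do
    echo "$prog (pid $pid) -> $remote"
    inspect_pid "$pid" || true
done
```

The script deliberately does not kill anything: a bot that is still running is the best evidence available, and killing it before copying /proc/PID/exe, cwd and fd loses that evidence. If /proc/PID/exe or the PID itself is missing while the connection persists in netstat, the user-space check has reached its limit and the box should be examined from a clean system rather than trusted further.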




More information about the fedora-list mailing list