Security Breach ?

Alexander Dalloz ad+lists at uni-x.org
Wed Mar 2 22:41:47 UTC 2005


On Wed, 02.03.2005 at 22:53, Chris Strzelczyk wrote:

> processes with netstat -nap I found these to be scary:
> 
> tcp        0      0 204.11.33.35:110            198.88.119.254:23781    TIME_WAIT   -
> tcp        0      0 204.11.33.35:37326          161.53.2.81:6667        ESTABLISHED 16035/-bash
> tcp        0      0 204.11.33.35:110            198.88.119.254:23776    TIME_WAIT   -
> tcp        0      0 204.11.33.35:110            198.88.119.254:23791    TIME_WAIT   -
> tcp        0      0 204.11.33.35:110            198.88.119.254:23775    TIME_WAIT   -
> tcp        0      0 204.11.33.35:110            198.88.119.254:23790    TIME_WAIT   -
> tcp        0      0 204.11.33.35:110            198.88.119.254:23774    TIME_WAIT   -
> tcp        0      0 204.11.33.35:37350          195.197.175.21:6667     ESTABLISHED 16324/-bash
> tcp        0      0 204.11.33.35:37325          194.134.7.195:6667      ESTABLISHED 16026/-bash
> tcp        0      0 204.11.33.35:110            198.88.119.254:23785    TIME_WAIT   -
> 
> These established connections show -bash as the process running the
> port.  I have firewalled these IPs off at my firewall, however, I can't
> find the root cause of this.  I have run chkrootkit and found nothing.
> However, this is very scary.
> 
> Could anyone provide me some clues on how to proceed at this point with
> my investigation?
> 
> -cs

Port 6667 is the default standard port for an IRC server. By any chance, do
you run Apache and a phpBB forum?

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.14_FC2smp 
Serendipity 23:40:52 up 9 days, 10:49, load average: 0.91, 0.56, 0.39 
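
A triage sketch for the listing quoted above, added here as an example and not part of the original thread: it extracts the PIDs that own ESTABLISHED connections to port 6667 from `netstat -nap` output, then reads what the kernel records for each PID under /proc instead of relying on the displayed name. The function names are hypothetical; the sample lines are taken from the quoted listing.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. SAMPLE holds lines from the quoted
# listing, re-joined onto one line each.
SAMPLE='tcp 0 0 204.11.33.35:110 198.88.119.254:23781 TIME_WAIT -
tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
tcp 0 0 204.11.33.35:37350 195.197.175.21:6667 ESTABLISHED 16324/-bash
tcp 0 0 204.11.33.35:37325 194.134.7.195:6667 ESTABLISHED 16026/-bash'

# Read `netstat -nap` text on stdin; print "PID NAME REMOTE" for each
# ESTABLISHED TCP connection to the given remote port (default 6667).
flag_irc_owners() {
    awk -v port="${1:-6667}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, r, ":")          # port is the last ":" field
            if (r[n] != port) next
            slash = index($7, "/")         # column 7 is PID/Program name
            if (slash < 2) next            # "-" means no owning PID was shown
            print substr($7, 1, slash - 1), substr($7, slash + 1), $5
        }' | sort -u
}

# Print the kernel's view of a PID: the binary actually executing, its
# working directory, full command line and real UID.
describe_pid() {
    local pid=$1 d="/proc/$1"
    [ -d "$d" ] || { echo "$pid: no such process"; return 0; }
    echo "$pid exe=$(readlink "$d/exe" 2>/dev/null || echo '?')"
    echo "$pid cwd=$(readlink "$d/cwd" 2>/dev/null || echo '?')"
    echo "$pid cmdline=$(tr '\000' ' ' 2>/dev/null < "$d/cmdline")"
    echo "$pid uid=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null)"
}

# Live use (as root): netstat -nap | triage
triage() {
    flag_irc_owners "$@" | while read -r pid name remote; do
        echo "== PID $pid, shown as '$name', connected to $remote"
        describe_pid "$pid"
    done
}

# Demo on the sample only; prints the three flagged PID/name/remote rows.
printf '%s\n' "$SAMPLE" | flag_irc_owners
```

An `exe` link that points somewhere other than the system shell, or a `uid` belonging to the web server account, narrows down which service started the process.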