Security Breach ?
Chris Strzelczyk
cstrzelczyk at nobletechnology.net
Wed Mar 2 22:48:45 UTC 2005
Apache yes but no phpBB.
I an running a combo or nmap / nessus / chkrootkit on this server now.
I guess I wish I would have installed tripwire to, cause now
I am super paranoid.
Thanks for the help.
-cs
On Mar 2, 2005, at 5:41 PM, Alexander Dalloz wrote:
> Am Mi, den 02.03.2005 schrieb Chris Strzelczyk um 22:53:
>
>> processes with netstat -nap I found these to be scary:
>>
>> tcp 0 0 204.11.33.35:110 198.88.119.254:23781
>> TIME_WAIT -
>> tcp 0 0 204.11.33.35:37326 161.53.2.81:6667
>> ESTABLISHED 16035/-bash
>> tcp 0 0 204.11.33.35:110 198.88.119.254:23776
>> TIME_WAIT -
>> tcp 0 0 204.11.33.35:110 198.88.119.254:23791
>> TIME_WAIT -
>> tcp 0 0 204.11.33.35:110 198.88.119.254:23775
>> TIME_WAIT -
>> tcp 0 0 204.11.33.35:110 198.88.119.254:23790
>> TIME_WAIT -
>> tcp 0 0 204.11.33.35:110 198.88.119.254:23774
>> TIME_WAIT -
>> tcp 0 0 204.11.33.35:37350 195.197.175.21:6667
>> ESTABLISHED 16324/-bash
>> tcp 0 0 204.11.33.35:37325 194.134.7.195:6667
>> ESTABLISHED 16026/-bash
>> tcp 0 0 204.11.33.35:110 198.88.119.254:23785
>> TIME_WAIT -
>>
>> These established connections show -bash as the process running the
>> port. I have firewalled these IP's
>> off at my firewall, however, I can't find the root cause of this. I
>> have ran chkrootkit and found nothing. However,
>> this is very scary.
>>
>> Could anyone provide me some clues on how to proceed at this point
>> with
>> my investigation.
>>
>> -cs
>
> Port 6667 is default standard port for an irc server. By any chance, do
> you run Apache and a phpBB forum?
>
> Alexander
>
>
> --
> Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
> legal statement: http://www.uni-x.org/legal.html
> Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.14_FC2smp
> Serendipity 23:40:52 up 9 days, 10:49, load average: 0.91, 0.56, 0.39
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
More information about the fedora-list
mailing list