Security Breach?

Chris Strzelczyk cstrzelczyk at nobletechnology.net
Wed Mar 2 22:48:45 UTC 2005


Apache yes but no phpBB.

I am running a combo of nmap / nessus / chkrootkit on this server now.
I guess I wish I would have installed tripwire too, cause now
I am super paranoid.

Thanks for the help.

-cs
On Mar 2, 2005, at 5:41 PM, Alexander Dalloz wrote:

> On Wed, 02.03.2005 at 22:53, Chris Strzelczyk wrote:
>
>> processes with netstat -nap I found these to be scary:
>>
>> tcp        0      0 204.11.33.35:110            198.88.119.254:23781
>>      TIME_WAIT   -
>> tcp        0      0 204.11.33.35:37326          161.53.2.81:6667
>>      ESTABLISHED 16035/-bash
>> tcp        0      0 204.11.33.35:110            198.88.119.254:23776
>>      TIME_WAIT   -
>> tcp        0      0 204.11.33.35:110            198.88.119.254:23791
>>      TIME_WAIT   -
>> tcp        0      0 204.11.33.35:110            198.88.119.254:23775
>>      TIME_WAIT   -
>> tcp        0      0 204.11.33.35:110            198.88.119.254:23790
>>      TIME_WAIT   -
>> tcp        0      0 204.11.33.35:110            198.88.119.254:23774
>>      TIME_WAIT   -
>> tcp        0      0 204.11.33.35:37350          195.197.175.21:6667
>>      ESTABLISHED 16324/-bash
>> tcp        0      0 204.11.33.35:37325          194.134.7.195:6667
>>      ESTABLISHED 16026/-bash
>> tcp        0      0 204.11.33.35:110            198.88.119.254:23785
>>      TIME_WAIT   -
>>
>> These established connections show -bash as the process running the
>> port.  I have firewalled these IPs
>> off at my firewall, however, I can't find the root cause of this.  I
>> have run chkrootkit and found nothing.  However,
>> this is very scary.
>>
>> Could anyone provide me some clues on how to proceed at this point
>> with my investigation?
>>
>> -cs
>
> Port 6667 is the default standard port for an IRC server. By any chance, do
> you run Apache and a phpBB forum?
>
> Alexander
>
>
> -- 
> Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
> legal statement: http://www.uni-x.org/legal.html
> Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.14_FC2smp
> Serendipity 23:40:52 up 9 days, 10:49, load average: 0.91, 0.56, 0.39
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
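The point of Alexander's question is that an ESTABLISHED outbound socket to port 6667 owned by something calling itself "-bash" is the signature of a bot joining an IRC channel, not of an interactive login shell. The script below is an added example for this thread (it is not code from either poster): it parses netstat -nap output of the shape pasted above, including the lines the mail wrapped, and flags ESTABLISHED connections to IRC ports or sockets owned by a process reporting a shell name. The two flagged-shaped rows reuse the thread's own addresses; the sshd row is a constructed benign entry, and the wider IRC port set and the list of shell names are assumptions about typical deployments rather than anything the thread states.

```python
"""Triage netstat -nap output for connections that look like an IRC bot.

Added example for this thread (not code from either poster). It parses
the shape of output pasted above, including lines that were wrapped in
the mail, and flags ESTABLISHED connections to IRC ports or sockets whose
owning process reports a shell name such as "-bash".
"""
import re

# Constructed sample. The first two entries copy the shape of the poster's
# netstat lines (wrapped as they appeared in the mail); the sshd entry is
# an invented benign connection so the filter has something to ignore.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 204.11.33.35:110            198.88.119.254:23781
     TIME_WAIT   -
tcp        0      0 204.11.33.35:37326          161.53.2.81:6667
     ESTABLISHED 16035/-bash
tcp        0      0 204.11.33.35:22             10.0.0.5:51234
     ESTABLISHED 812/sshd
"""

# Ports commonly used by IRC servers; 6667 is the one seen in the thread.
# The wider set is an assumption about typical deployments, not from the thread.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Process names that should not normally own an outbound IRC socket (assumed list).
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh"}

NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"      # udp rows carry no state column
    r"(?P<prog>\S+)$"
)


def unwrap(text):
    """Join continuation lines (leading whitespace) back onto the row they belong to."""
    rows = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and rows:
            rows[-1] = rows[-1].rstrip() + " " + raw.strip()
        else:
            rows.append(raw.rstrip())
    return rows


def split_endpoint(endpoint):
    """'198.88.119.254:23781' -> ('198.88.119.254', 23781); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket row; header lines and unix sockets are skipped."""
    records = []
    for row in unwrap(text):
        m = NETSTAT_RE.match(row)
        if not m:
            continue
        pid, _, name = m["prog"].partition("/")   # "-" when netstat cannot map a PID
        records.append({
            "proto": m["proto"],
            "local": split_endpoint(m["local"]),
            "remote": split_endpoint(m["remote"]),
            "state": m["state"],
            "pid": int(pid) if pid.isdigit() else None,
            "program": name or None,
        })
    return records


def looks_like_shell(name):
    """True for '-bash', 'bash', '/bin/sh' and similar; netstat shows argv[0], which a process chooses."""
    if not name:
        return False
    base = name.lstrip("-").rsplit("/", 1)[-1]
    return base in SHELL_NAMES


def find_suspicious(records):
    """Return (record, reasons) for established sockets that match the IRC-bot pattern."""
    findings = []
    for rec in records:
        reasons = []
        if rec["state"] == "ESTABLISHED" and rec["remote"][1] in IRC_PORTS:
            reasons.append(f"established connection to IRC port {rec['remote'][1]}")
        if rec["state"] == "ESTABLISHED" and looks_like_shell(rec["program"]):
            reasons.append(f"socket owned by a process reporting a shell name ({rec['program']!r})")
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in find_suspicious(parse_netstat(SAMPLE)):
        pid = rec["pid"] if rec["pid"] is not None else "?"
        print(f"pid {pid} ({rec['program']}) -> {rec['remote'][0]}:{rec['remote'][1]}")
        for why in reasons:
            print("   -", why)
        if rec["pid"] is not None:
            # The name netstat prints is only argv[0]; the real binary and
            # working directory are what /proc reports for that PID.
            print(f"   inspect: ls -l /proc/{pid}/exe /proc/{pid}/cwd")
```

Run it against a saved `netstat -nap` dump instead of SAMPLE to apply the same filter to a live host. The reason the "-bash" column is not reassuring is that netstat takes the program name from the process's own argv[0], so an ESTABLISHED row is best followed up through /proc/PID/exe and /proc/PID/cwd while the process is still alive; killing it or rebooting first loses that evidence.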