Security Breach?

Hello,

Upon checking my MRTG stats on a webserver I am running, I found my traffic to be up considerably and the server
to be a bit slow. After taking a look at my active connections to processes with netstat -nap, I found these to be scary:


tcp 0 0 204.11.33.35:110 198.88.119.254:23781 TIME_WAIT -
tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
tcp 0 0 204.11.33.35:110 198.88.119.254:23776 TIME_WAIT -
tcp 0 0 204.11.33.35:110 198.88.119.254:23791 TIME_WAIT -
tcp 0 0 204.11.33.35:110 198.88.119.254:23775 TIME_WAIT -
tcp 0 0 204.11.33.35:110 198.88.119.254:23790 TIME_WAIT -
tcp 0 0 204.11.33.35:110 198.88.119.254:23774 TIME_WAIT -
tcp 0 0 204.11.33.35:37350 195.197.175.21:6667 ESTABLISHED 16324/-bash
tcp 0 0 204.11.33.35:37325 194.134.7.195:6667 ESTABLISHED 16026/-bash
tcp 0 0 204.11.33.35:110 198.88.119.254:23785 TIME_WAIT -


These established connections show -bash as the process running the port. I have firewalled these IPs
off at my firewall; however, I can't find the root cause of this. I have run chkrootkit and found nothing. However,
this is very scary.


Could anyone provide me some clues on how to proceed at this point with my investigation?

-cs
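
Added example (not part of the original post): a triage helper that parses the netstat -nap lines quoted above, flags established connections owned by a shell-named process or going to an IRC port, and reads /proc/<pid>/exe and /proc/<pid>/cwd for a flagged PID. The shell-name set, the IRC ports other than 6667, and all function names are assumptions made for this example.

```python
import os
import re

# Lines copied from the netstat -nap output quoted in the post.
SAMPLE = """\
tcp 0 0 204.11.33.35:110 198.88.119.254:23781 TIME_WAIT -
tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
tcp 0 0 204.11.33.35:37350 195.197.175.21:6667 ESTABLISHED 16324/-bash
tcp 0 0 204.11.33.35:37325 194.134.7.195:6667 ESTABLISHED 16026/-bash
"""
# Assumptions for this example; the post itself shows only port 6667 and -bash.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:\d+\s+(\S+):(\d+|\*)\s+(\S+)\s+(?:(\d+)/(\S.*?)|-)\s*$")

def parse(text):
    """Turn netstat -nap TCP lines into dicts; unrecognised lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rip, rport, state, pid, prog = m.groups()
            conns.append({"remote": rip, "state": state, "prog": prog or "",
                          "rport": None if rport == "*" else int(rport),
                          "pid": int(pid) if pid else None})
    return conns

def flag(conns):
    """Return (conn, reasons) for established sockets that deserve a closer look."""
    hits = []
    for c in conns:
        checks = {  # a leading "-" in the name marks a login shell
            "shell-named process owns a socket": c["prog"].lstrip("-") in SHELL_NAMES,
            "remote port is a common IRC port": c["rport"] in IRC_PORTS,
        }
        reasons = [why for why, hit in checks.items() if hit]
        if reasons and c["state"] == "ESTABLISHED" and c["pid"] is not None:
            hits.append((c, reasons))
    return hits

def proc_facts(pid):
    """Resolve the binary and working directory behind a PID via Linux /proc."""
    facts = {"exe": None, "cwd": None}
    for name in facts:
        try:
            facts[name] = os.readlink(f"/proc/{pid}/{name}")
        except OSError:  # process gone, not Linux, or insufficient privilege
            pass
    return facts
```

Run as root on the affected host, flag(parse(...)) takes live netstat -nap output and proc_facts(pid) shows what each flagged PID is really executing. An exe path that is not the system shell, or one ending in " (deleted)", means the name shown by netstat does not match the binary behind it.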

