On Wed, 02.03.2005 at 22:53, Chris Strzelczyk wrote:

> processes with netstat -nap I found these to be scary:
>
> tcp 0 0 204.11.33.35:110 198.88.119.254:23781 TIME_WAIT -
> tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
> tcp 0 0 204.11.33.35:110 198.88.119.254:23776 TIME_WAIT -
> tcp 0 0 204.11.33.35:110 198.88.119.254:23791 TIME_WAIT -
> tcp 0 0 204.11.33.35:110 198.88.119.254:23775 TIME_WAIT -
> tcp 0 0 204.11.33.35:110 198.88.119.254:23790 TIME_WAIT -
> tcp 0 0 204.11.33.35:110 198.88.119.254:23774 TIME_WAIT -
> tcp 0 0 204.11.33.35:37350 195.197.175.21:6667 ESTABLISHED 16324/-bash
> tcp 0 0 204.11.33.35:37325 194.134.7.195:6667 ESTABLISHED 16026/-bash
> tcp 0 0 204.11.33.35:110 198.88.119.254:23785 TIME_WAIT -
>
> These established connections show -bash as the process running the
> port. I have firewalled these IPs
> off at my firewall, however, I can't find the root cause of this. I
> have run chkrootkit and found nothing. However,
> this is very scary.
>
> Could anyone provide me some clues on how to proceed at this point with
> my investigation.
>
> -cs

Port 6667 is the default standard port for an IRC server. By any chance, do you run Apache and a phpBB forum?

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.14_FC2smp
Serendipity 23:40:52 up 9 days, 10:49, load average: 0.91, 0.56, 0.39
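A triage sketch for the pattern discussed in this thread, added here as an example and not written by either poster: it filters `netstat -nap` rows for ESTABLISHED connections to port 6667 whose owning process carries a shell name, then resolves `/proc/<pid>/exe` to see which binary is really running. The function names, the `SHELL_NAMES` list and the `/proc` check are assumptions of this example; the sample rows are copied from the quoted output.

```python
import os
import re

IRC_PORTS = {6667}  # the port named in the thread
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh", "csh", "tcsh"}  # assumed list

# Constructed sample: rows taken from the netstat -nap output quoted above.
SAMPLE = """\
tcp 0 0 204.11.33.35:110 198.88.119.254:23781 TIME_WAIT -
tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
tcp 0 0 204.11.33.35:37350 195.197.175.21:6667 ESTABLISHED 16324/-bash
tcp 0 0 204.11.33.35:37325 194.134.7.195:6667 ESTABLISHED 16026/-bash
"""

# Proto Recv-Q Send-Q Local Foreign State PID/Program (or "-" when unknown)
ROW = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\d+)/(.+?)|-)\s*$"
)

def suspicious_rows(netstat_text):
    """Return (pid, program, remote_ip, remote_port) for shell-named IRC clients."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, UDP, UNIX socket or malformed row
        _, _, rip, rport, state, pid, prog = m.groups()
        if state != "ESTABLISHED" or pid is None or int(rport) not in IRC_PORTS:
            continue
        words = prog.lstrip("-").split()  # a leading "-" marks a login shell
        if words and words[0] in SHELL_NAMES:
            hits.append((int(pid), prog, rip, int(rport)))
    return hits

def real_executable(pid, readlink=os.readlink):
    """Resolve /proc/<pid>/exe. The name netstat prints can be set by the
    process itself; the exe link points at the binary actually mapped."""
    try:
        return readlink(f"/proc/{pid}/exe")
    except OSError:
        return None  # process already gone, or insufficient privileges

if __name__ == "__main__":
    for pid, prog, rip, rport in suspicious_rows(SAMPLE):
        print(pid, prog, f"{rip}:{rport}", "exe ->", real_executable(pid))
```

On a live host, feed it the real `netstat -nap` output as root; an exe target outside the system shell paths, or one marked `(deleted)`, is the file to preserve before killing the process.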