Re: possibly hacked

On Thu, 16 Nov 2006 10:26:20 -0600, olga wrote:

> Hi,
> 
>  I wrote about kernel errors which somebody pointed out was because the
> server was running out of memory.
> 
> Now I found the following which makes me think that that server may have
> been compromised.
> 
> Here's what I get when I issued: netstat -nap
> 
> tcp    0      0 131.x.x.x:38423       72.x.x.x:80      ESTABLISHED 5226/ps x
> tcp    0      0 131.x.x.x:38420       72.x.x.x:80      ESTABLISHED 5365/ps x
> 
> About a hundred instances of that program 'ps x' running.
> 

It's strange that your ps is talking over the network with a web server.
That ain't no ordinary ps. And their web server (on port 80) ain't no
ordinary web server. So yeah, it's possible that "you've been had" as they
say. It may be that they are scanning other networks for vulnerabilities,
trying to break in, and they replaced the clean netstat with something that
simply reports what you posted. It did happen to me once. 

If you want to know what your ps and the remote machine are talking about,
you can run wireshark (formerly known as ethereal) and look at the packets. 
Of course, you should do so on a machine known not to be compromised. On
the machine you suspect has been hacked, you cannot trust any program. 

And often if you do a portscan on the suspected attacker (e.g. with nmap,
or xnmap), or even if you simply open the web page at that address, you
may find out what's going on. 

If you can, unplug the network wire (though if they know what they are
doing, your hard drive might be wiped when their scripts detect that
the network is down. It's your call.). Run rpm -V from a rescue CD (not the
rpm in /usr/bin) on procps, net-tools, and the other essential system
utilities (including rpm itself). Then you'll know for sure.
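An added example, not part of the original thread, of what the last step looks like in practice and how to read what it prints. It assumes (hypothetically) that the suspect disk is mounted read-only at /mnt/sysimage from the rescue CD and that the rescue CD's own rpm is run against it with --root. The sample rpm -V output below is constructed for the demo, not captured from olga's box; the triage function and its name are mine.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output produced from a rescue CD.
# Assumed (hypothetical) invocation against the mounted suspect root:
#   rpm -V --root /mnt/sysimage procps net-tools rpm coreutils | triage_verify_output
#
# rpm -V prints one line per file that fails a check, e.g. "S.5....T.  c /etc/foo":
#   S size   M mode   5 MD5/digest   D device   L symlink   U user   G group   T mtime
#   ('.' in a position means that check passed; "missing" replaces the flags
#   entirely if the file is gone). An optional second column is the file
#   attribute: c = config file, d = documentation, and so on.

# Print "TAMPERED <file> (<reason>)" for every non-config file that is missing
# or whose size or digest changed. A replaced /bin/ps or /bin/netstat shows up
# here; a locally edited config file (attribute c) or an mtime-only change does not.
triage_verify_output() {
  while read -r flags rest; do
    [ -z "$flags" ] && continue
    attr=
    file=$rest
    # "c /etc/foo" -> attr=c, file=/etc/foo ; "/bin/ps" -> attr empty, file=/bin/ps
    case "$rest" in
      [a-z]" "*) attr=${rest%% *}; file=${rest#* } ;;
    esac
    [ "$attr" = "c" ] && continue     # edited config files are expected on any box
    case "$flags" in
      missing) printf 'TAMPERED %s (missing)\n' "$file" ;;
      *5*|S*)  printf 'TAMPERED %s (%s)\n' "$file" "$flags" ;;
    esac
  done
}

# Constructed sample (made-up data): ps and netstat replaced, sysctl.conf edited
# by the admin, top merely touched, and the rpm binary itself deleted.
SAMPLE_VERIFY_OUTPUT='S.5....T.    /bin/ps
S.5....T.    /bin/netstat
S.5....T.  c /etc/sysctl.conf
.......T.    /usr/bin/top
missing      /usr/bin/rpm'

# Run the triage over the sample; returns the three TAMPERED lines.
triage_sample() {
  printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | triage_verify_output
}

triage_sample
```

Two caveats when you do this for real: rpm -V compares files against the RPM database on the suspect disk, so if the attacker also edited /var/lib/rpm the check can lie. For the handful of packages that matter (procps, net-tools, rpm, coreutils), download pristine packages for your exact Fedora release from a mirror and verify against the package files instead with rpm -Vp --root /mnt/sysimage <pkg>.rpm. And an mtime-only change (just T set) is usually harmless, which is why the function above ignores it; a 5 or S on a binary in /bin or /sbin is not.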

