Security Basics mailing list archives

Re: Hacked ???


From: Fernando Amatte <famatte () gmail com>
Date: Tue, 26 Jul 2005 15:45:26 -0300

Hello

On a Linux box, you can try to use the "lsof" command.
Use something like: lsof | grep LISTEN

You will see, users, pids, and other information.
With this information, you can try to verify other things (if you
don't have a rootkit installed).

Regards

Fernando


On 7/23/05, asterisk () marnock net <asterisk () marnock net> wrote:

Hi List,

I'm seeing some strange things on my box.  Here is a snippet from my squid
log.  BTW I don't have an icq account.


1122088113.571    308 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088114.402    140 220.160.34.238 TCP_HIT/200 482 GET http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html
1122088116.711    310 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.769    339 212.227.83.197 TCP_MISS/200 183 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.950    367 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088120.466    543 200.50.23.115 TCP_MISS/401 417 GET http://www.bubblebutts.com/members/ - DIRECT/216.15.219.25 text/html
1122088121.618    404 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088122.814    885 70.118.81.253 TCP_MISS/200 6085 GET http://members.yahoo.com/interests? - DIRECT/66.218.75.151 text/html
1122088123.961    620 212.227.83.197 TCP_MISS/200 251 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088125.635    356 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.101    309 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.587    309 212.227.83.197 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.107    376 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.404    446 85.138.104.205 TCP_MISS/999 4647 GET http://216.109.127.60/config/login? - DIRECT/216.109.127.60 text/html
1122088130.415     10 220.160.34.238 TCP_MEM_HIT/200 381 GET http://ad.yieldmanager.com/imp? - NONE/- image/gif
1122088130.882    385 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.464    348 212.227.83.197 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.587    307 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.746    391 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.762    380 72.21.34.42 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -


I've disconnected all machines except my main linux box, which is used for a
number of things (asterisk telephony system / squid proxy / cvs) etc.
I've also noticed port 32768 is open and others are connecting to it from
the web, or an app is connecting to them.  How can I see which app is
connecting to port 32768???

Here's the first line from a netstat -an:

[root@zeus iptraf]# netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:32768               0.0.0.0:*                   LISTEN


Thanks in advance.



Phil
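
Phil's question (which program owns the LISTEN socket on tcp/32768) and Fernando's answer (lsof | grep LISTEN) both come down to mapping a port to a process. The script below is an added example, not from either poster: it does that mapping by reading /proc directly, so the result can be compared against what lsof and netstat report if those binaries are suspected of being replaced. The /proc/net/tcp table embedded in it is constructed sample data, not Phil's system.

```shell
#!/bin/sh
# Added example, not from the thread: map a LISTEN tcp port to the process
# that owns it by reading /proc directly. A cross-check for lsof/netstat when
# the userland tools may have been replaced (a kernel-level rootkit can still
# lie to /proc, so disagreement between tools is a strong signal, agreement
# only a weak one).

# Constructed /proc/net/tcp sample: a LISTEN socket on 32768 (hex 8000, st 0A),
# an established connection on the same port (st 01), and a listener on 3306.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:8000 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A000005:8000 C0A80001:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 23456 1 0000000000000000 100 0 0 10 0'

# listen_inodes PORT: read a /proc/net/tcp or tcp6 table on stdin and print
# the socket inode (field 10) of every LISTEN (st 0A) socket bound to PORT.
listen_inodes() {
    hexport=$(printf '%04X' "$1")
    awk -v p=":$hexport" '$4 == "0A" && $2 ~ (p "$") { print $10 }'
}

# pids_for_inode INODE: scan every process's fd table for socket:[INODE].
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        echo "$fd" | cut -d/ -f3
    done | sort -u
}

# who_listens PORT: run the two steps on the live system and show the owning
# executable and command line (compare with: lsof -nP -iTCP:PORT -sTCP:LISTEN).
who_listens() {
    cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | listen_inodes "$1" |
    while read -r ino; do
        for pid in $(pids_for_inode "$ino"); do
            printf 'port %s inode %s pid %s exe %s cmd: %s\n' "$1" "$ino" "$pid" \
                "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
                "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        done
    done
}

# With a port argument the script queries the live /proc (./who_listens.sh 32768);
# without one it demonstrates the parsing step on the constructed table.
if [ $# -ge 1 ]; then
    who_listens "$1"
else
    printf '%s\n' "$SAMPLE_TCP" | listen_inodes 32768   # prints 12345
fi
```

If the inode found in /proc/net/tcp matches no fd in any /proc/PID/fd, the socket belongs to a process that /proc is hiding or one you lack permission to inspect; run as root before drawing conclusions.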




