Security Basics mailing list archives
Re: Hacked ???
From: Fernando Amatte <famatte () gmail com>
Date: Tue, 26 Jul 2005 15:45:26 -0300
Hello,

On a Linux box, you can try to use the "lsof" command. Use something like:

    lsof | grep LISTEN

You will see users, PIDs, and other information. With this information, you can try to verify other things (if you don't have a rootkit installed).

Regards,
Fernando

On 7/23/05, asterisk () marnock net <asterisk () marnock net> wrote:
Hi List,

I'm seeing some strange things on my box. Here is a snippet from my squid log. BTW, I don't have an ICQ account.

    1122088113.571 308 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088114.402 140 220.160.34.238 TCP_HIT/200 482 GET http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html
    1122088116.711 310 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088119.769 339 212.227.83.197 TCP_MISS/200 183 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088119.950 367 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088120.466 543 200.50.23.115 TCP_MISS/401 417 GET http://www.bubblebutts.com/members/ - DIRECT/216.15.219.25 text/html
    1122088121.618 404 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088122.814 885 70.118.81.253 TCP_MISS/200 6085 GET http://members.yahoo.com/interests? - DIRECT/66.218.75.151 text/html
    1122088123.961 620 212.227.83.197 TCP_MISS/200 251 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088125.635 356 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088126.101 309 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088126.587 309 212.227.83.197 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088129.107 376 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088129.404 446 85.138.104.205 TCP_MISS/999 4647 GET http://216.109.127.60/config/login? - DIRECT/216.109.127.60 text/html
    1122088130.415 10 220.160.34.238 TCP_MEM_HIT/200 381 GET http://ad.yieldmanager.com/imp? - NONE/- image/gif
    1122088130.882 385 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088132.464 348 212.227.83.197 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088132.587 307 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088135.746 391 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
    1122088135.762 380 72.21.34.42 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -

I've disconnected all machines except my main Linux box, which is used for a number of things (Asterisk telephony system / squid proxy / cvs), etc. I've also noticed port 32768 is open and others are connecting to it from the web, or an app is connecting to them. How can I see which app is connecting to port 32768???

Here's the first line from a netstat -an:

    [root@zeus iptraf]# netstat -an | more
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN

Thanks in advance.
Phil
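One check a defender would run on a log like the one quoted above, as an added example that is not part of this thread: parse Squid's native access.log format and count, per client address, the requests that came from outside the networks the proxy is meant to serve and the CONNECT tunnels each client opened. The sample lines are constructed from the post's snippet plus one made-up local client, and the LOCAL_NETS ranges are placeholder assumptions to be replaced with your own.

```python
import ipaddress
from collections import Counter

# Constructed sample in Squid's native access.log format: lines modelled on
# Phil's post plus one made-up local client (not his real log file).
SAMPLE_LOG = """\
1122088113.571 308 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088114.402 140 220.160.34.238 TCP_HIT/200 482 GET http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html
1122088116.711 310 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088120.466 543 200.50.23.115 TCP_MISS/401 417 GET http://www.bubblebutts.com/members/ - DIRECT/216.15.219.25 text/html
1122088125.635 356 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088130.000 12 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
"""

# Assumption: the networks this proxy is meant to serve (placeholder ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

def parse_line(line):
    """Native format: time elapsed client result/status bytes method URL
    ident hierarchy/peer content-type. Returns None for malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        client = ipaddress.ip_address(f[2])
        result, _, status = f[3].partition("/")
        status = int(status)
    except ValueError:  # log_fqdn on, garbled address, or missing status
        return None
    return {"ts": float(f[0]), "client": client, "result": result,
            "status": status, "method": f[5], "url": f[6]}

def analyse(text):
    """Per client IP: requests from outside LOCAL_NETS, and CONNECT tunnels."""
    foreign, connects = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = str(rec["client"])
        if not any(rec["client"] in net for net in LOCAL_NETS):
            foreign[ip] += 1
        if rec["method"] == "CONNECT":
            connects[ip] += 1
    return foreign, connects

if __name__ == "__main__":
    foreign, connects = analyse(SAMPLE_LOG)
    for ip, n in foreign.most_common():
        print(f"non-local client {ip}: {n} requests, {connects[ip]} CONNECT")
```

Any client that shows up as non-local is traffic the proxy should not have served; pairing that list with Fernando's lsof check tells you both who is using the box and which process is answering them.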