Security Breach ?
- From: Chris Strzelczyk <cstrzelczyk nobletechnology net>
- To: fedora-list redhat com
- Subject: Security Breach ?
- Date: Wed, 2 Mar 2005 16:53:13 -0500
Hello,
Upon checking my MRTG stats on a webserver I am running I found my traffic to be up considerably and the server to be a bit slow. After taking a look at my active connections to processes with netstat -nap I found these to be scary:
tcp 0 0 204.11.33.35:110 198.88.119.254:23781 TIME_WAIT -
tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
tcp 0 0 204.11.33.35:110 198.88.119.254:23776 TIME_WAIT -
tcp 0 0 204.11.33.35:110 198.88.119.254:23791 TIME_WAIT -
tcp 0 0 204.11.33.35:110 198.88.119.254:23775 TIME_WAIT -
tcp 0 0 204.11.33.35:110 198.88.119.254:23790 TIME_WAIT -
tcp 0 0 204.11.33.35:110 198.88.119.254:23774 TIME_WAIT -
tcp 0 0 204.11.33.35:37350 195.197.175.21:6667 ESTABLISHED 16324/-bash
tcp 0 0 204.11.33.35:37325 194.134.7.195:6667 ESTABLISHED 16026/-bash
tcp 0 0 204.11.33.35:110 198.88.119.254:23785 TIME_WAIT -
These established connections show -bash as the process running the port. I have firewalled these IPs off at my firewall, however, I can't find the root cause of this. I have run chkrootkit and found nothing. However, this is very scary.
Could anyone provide me some clues on how to proceed at this point with my investigation?
-cs
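
A triage sketch for the netstat output in the message above, added here as an example and not part of the original post: it parses `netstat -nap` rows and flags ESTABLISHED connections whose owning process carries a shell name or whose remote port falls in an IRC range. The function names, the shell-name list and the IRC port set are assumptions of this example.

```python
# Rows copied from the netstat -nap output in the post (wrapped lines rejoined).
SAMPLE = """\
tcp 0 0 204.11.33.35:110 198.88.119.254:23781 TIME_WAIT -
tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
tcp 0 0 204.11.33.35:37350 195.197.175.21:6667 ESTABLISHED 16324/-bash
tcp 0 0 204.11.33.35:37325 194.134.7.195:6667 ESTABLISHED 16026/-bash
tcp 0 0 204.11.33.35:110 198.88.119.254:23785 TIME_WAIT -
"""

# Assumption: names of processes that normally never own a TCP socket.
SHELL_NAMES = {"bash", "sh", "dash", "ksh", "zsh", "csh", "tcsh"}
# Assumption: remote ports treated as IRC (6667 is the one seen in the post).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

def parse(text):
    """Yield one dict per TCP row of `netstat -nap` output; skip headers."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue
        rhost, _, rport = f[4].rpartition(":")
        pid, _, name = f[6].partition("/")  # column is "-" when the owner is unknown
        yield {"rhost": rhost, "rport": int(rport) if rport.isdigit() else None,
               "state": f[5], "pid": int(pid) if pid.isdigit() else None, "name": name}

def suspicious(text):
    """Return sorted (pid, name, remote, reasons) for ESTABLISHED rows needing review."""
    hits = []
    for r in parse(text):
        if r["state"] != "ESTABLISHED" or r["pid"] is None:
            continue
        reasons = []
        if r["name"].lstrip("-") in SHELL_NAMES:
            reasons.append("shell-named process owns a socket")
        if r["rport"] in IRC_PORTS:
            reasons.append("remote port in IRC range")
        if reasons:
            hits.append((r["pid"], r["name"], f'{r["rhost"]}:{r["rport"]}', reasons))
    return sorted(hits)

if __name__ == "__main__":
    for pid, name, remote, reasons in suspicious(SAMPLE):
        # /proc/<pid>/exe shows the real binary behind the displayed name.
        print(f"{pid} {name} -> {remote}: {'; '.join(reasons)} (check /proc/{pid}/exe)")
```

netstat takes the program name from the process's own command line, which the process can set, so the `-bash` label should be checked against `/proc/<pid>/exe` for each flagged PID.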