ls -l -a /proc/sys/net/ipv4/

Are you running a firewall or masquerade?

Also, you might want to run nmap -sS 127.0.0.1 to gain a little more info.
nmapfe is on 7.1.

Civileme



On Tue, 18 Jul 2000, you wrote:
> I noticed that if I telnet to port 65535 on my machine, I almost get a
> telnet prompt.  Here is what I get:
> 
> > telnet ad1440.net 65535
> Trying 209.95.121.219...
> Connected to ad1440.net.
> Escape character is '^]'.
> 
> Then it sits there forever.   However, as far as I knew, I had nothing
> supposed to be listening on port 65535.  So I decided to check out what
> was listening on that port with
> 
> # fuser -n tcp local_port 65535
> local_port/tcp: invalid specificiation
> 65535/tcp:           12463
> 
> # ps -alxww | grep 12268 | grep -v grep
>   F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
> 040     0 12463     1   0   0   852   24 wait_f S    ?          0:00 (kflushd)
> 
> So, it appears that kflushd is listening on port 65535 and returning an
> almost-telnet prompt when connected to.  This does not seem normal to me.
> Am I running a compromised kflushd?  Or do the parentheses around the
> process name mean something?   I notice that I'm running 2 kflushd
> processes, and that's possibly quite significant, but I'm not sure what
> the brackets/parens around the process name mean.  Both have a parent
> process of 1 (init)
> 
> # ps -alxww | grep kflushd | grep -v grep
>   F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
> 040     0     2     1   0   0     0    0 bdflus SW   ?         13:52 [kflushd]
> 040     0 12463     1   0   0   852   24 wait_f S    ?          0:00 (kflushd)
> 
> Does anyone have any clues what is going on?
> 
> ==============================================================================
> [EMAIL PROTECTED]          S/W Developer       http://www.ad1440.net/~devnull 
> ==============================================================================
>         Linux Viruscan:  Windows 95/98/NT Found Remove it ? (Y/y) 
> ==============================================================================
> GCS/IT@ d? s+:++>: a30 C++++$ ULS++++$ P++ L++>+++ E W+++ N+ o? K- w O- M- V--
> PS+ PE Y+ PGP+ t+@ 5++ X+ R++ tv--@ b+++ DI++ D G e++ h----@(++) r+++() y++++*
>                   (http://www.ebb.org/ungeek to decode)
> ==============================================================================
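
An added example, not part of the original thread: a real kernel thread has no user address space, so ps reports VSZ and RSS of 0 for it, and this sketch parses `ps -alxww` output and flags any process that carries a kernel thread's name while showing a non-zero VSZ. The sample input is the two rows quoted in the message above; the function names are hypothetical.

```python
import os
import re

# Constructed sample: the two `ps -alxww` rows quoted in the message above.
SAMPLE_PS = """\
  F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
040     0     2     1   0   0     0    0 bdflus SW   ?         13:52 [kflushd]
040     0 12463     1   0   0   852   24 wait_f S    ?          0:00 (kflushd)
"""

def parse_ps(text):
    """Parse `ps -alx`-style output into dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        # COMMAND is the last column and may contain spaces.
        fields = ln.split(None, len(header) - 1)
        if len(fields) == len(header):  # rows with blank columns are skipped
            rows.append(dict(zip(header, fields)))
    return rows

def proc_name(command):
    """Name without the [..]/(..) decoration ps adds, or basename of argv[0]."""
    m = re.fullmatch(r"[\[(](.+)[\])]", command.strip())
    return m.group(1) if m else os.path.basename(command.split()[0])

def is_kernel_thread(row):
    """No user address space (VSZ and RSS both 0) and not a zombie."""
    return (int(row["VSZ"]) == 0 and int(row["RSS"]) == 0
            and not row["STAT"].startswith("Z"))

def find_impostors(rows):
    """Rows that reuse a kernel thread's name but map user memory."""
    kernel_names = {proc_name(r["COMMAND"]) for r in rows if is_kernel_thread(r)}
    return [r for r in rows
            if int(r["VSZ"]) > 0 and proc_name(r["COMMAND"]) in kernel_names]

if __name__ == "__main__":
    for r in find_impostors(parse_ps(SAMPLE_PS)):
        print(f"PID {r['PID']}: {r['COMMAND']} has VSZ={r['VSZ']} KB, "
              "so it is not a kernel thread")
```

A hit from this check is a lead for further inspection of that PID (its open sockets, executable and parent), not proof on its own.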
