Would you be running OpenSSL or secure Apache on this machine by any chance? Does netstat -pant | grep 443 give anything? Also, netstat -pant | grep 6667 will tell you what process is connecting and the name of the running process; then do a find for that name, you might find it in /tmp or /var/www somewhere.
On Fri, 29 Nov 2002, Minh Van Le wrote:

> I've noticed the following ircd connections in tcpdump, and wondered why my
> box was communicating to an IRC server (and vice versa). When I use an IRC
> client to connect to 64.35.57.81:6667, I log on to a jade.va.us.dal.net
> server. So I check for the existence of jade.va.us.dal.net at
> http://www.irchelp.org/irchelp/networks/servers/dalnet.html and it's there.
>
> -----
> 14:59:57.971119 64.35.57.81.ircd > 202.7.95.227.2916: P 841:867(26) ack 701 win 7060 <nop,nop,timestamp 3640386803 26431156> (DF)
> 14:59:57.971119 202.7.95.227.2916 > 64.35.57.81.ircd: P 701:726(25) ack 867 win 10300 <nop,nop,timestamp 26441096 3640386803> (DF)
> 14:59:58.281119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 726 win 7060 <nop,nop,timestamp 3640386834 26441096> (DF)
> 15:00:27.421119 202.7.95.227.64623 > 205.188.9.159.11952: P 3870:3876(6) ack 6100 win 9089 (DF)
> 15:00:27.901119 205.188.9.159.11952 > 192.168.0.8.4955: . ack 3877 win 16384 (DF)
> 15:01:38.181119 64.35.57.81.ircd > 202.7.95.227.2916: P 867:893(26) ack 726 win 7060 <nop,nop,timestamp 3640396825 26441096> (DF)
> 15:01:38.181119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451117 3640396825> (DF)
> 15:01:38.721119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451171 3640396825> (DF)
> 15:01:39.001119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 751 win 7060 <nop,nop,timestamp 3640396907 26451171> (DF)
> -----
>
> This seems to be a newly formed IRC server, with a missing MOTD, 4 channels,
> with weird looking users like "infCATBON" "infWHGIMQ" "infUILYIP" and
> "LMLMLMLM" in the 3 available channels (using /list), with user uptimes of
> 173hrs 10mins 38secs, a compile date of Thu Nov 21 2002 at 04:24:17 EST
> using Unreal3.2-Selene[beta12] which is described to be a derivative of a
> former IRCd used by DALnet from http://www.unrealircd.com/about.html.
>
> One of the users had a logon date of Fri Nov 22 12:11:40.
>
> I log on to another listed DALnet IRC server - dingo.vic.au.dal.net:6667.
> This looks like a real and/or active DALnet server:
>
> There are 1290 users and 79286 invisible on 22 servers
> 68 IRC Operators online
> 33188 channels formed
> I have 2208 clients and 1 servers
> -
> Current local users: 2208 Max: 3504
> Current global users: 80576 Max: 96604
>
> Question
> --------
> Why would my box try to talk to this server?
>
> The server compile (21 Nov) and user logon (22 Nov) times seem to nearly
> coincide with a recent DoS attack against my machine on the 23 Nov and 25
> Nov.
>
> I've been monitoring my ppp0 traffic very closely lately and haven't noticed
> any auto-startup initiated DoS, i.e. my machine seems quiet and humble as
> normal when the ADSL is online when I use the net. If my box is compromised,
> then the DoS attacks could be command triggered. Could I be talking to the
> bots on this "new" DALnet server?
>
> Also DALnet is predominantly US-based. And I have reserved suspicions that
> the attackers are in the US.
>
> What do people think?

-- 
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"Flatter government, not fatter government." - me
Get rid of the Australian states.
------------------------------------------
If electricity comes from electrons, does morality come from morons?

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
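The check Howard describes (find the process behind a socket on port 443 or 6667, then see where its binary lives), written up as an added example that is not part of the original thread. SAMPLE_NETSTAT is a constructed stand-in for `netstat -pant` output; its PIDs and program names are placeholders, and the /proc lookup assumes a Linux host.

```shell
#!/bin/sh
# Added example, not code from the thread: apply "netstat -pant | grep 6667"
# style checks to netstat output and map each hit back to a PID and the
# binary it was started from. SAMPLE_NETSTAT is constructed test data.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address          Foreign Address        State       PID/Program name
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN      412/sshd
tcp        0      0 0.0.0.0:443            0.0.0.0:*              LISTEN      615/httpd
tcp        0      0 202.7.95.227:2916      64.35.57.81:6667       ESTABLISHED 1337/unknownproc
tcp        0      0 202.7.95.227:64623     205.188.9.159:11952    ESTABLISHED 871/aim'

# Print the unique "PID/program" for every socket in the netstat text $1
# whose local or foreign port equals $2. Without root, netstat prints "-"
# in place of the PID, so run the live check as root.
procs_on_port() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NR > 1 {
            nl = split($4, l, ":"); nf = split($5, f, ":")
            if (l[nl] == p || f[nf] == p) print $7
        }' | sort -u
}

# Resolve a PID to the executable it was started from via /proc/PID/exe.
# Linux keeps this link valid even if the file was deleted after launch
# (it shows " (deleted)"), which is itself a useful sign on a suspect box.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "(no /proc entry for pid $1)"
}

# For each port Howard names, list the owning processes and the path each
# was started from, so a binary living in /tmp or /var/www stands out.
audit_ports() {
    for port in 443 6667; do
        procs_on_port "$1" "$port" | while IFS= read -r entry; do
            pid=${entry%%/*}
            echo "port $port -> $entry -> $(exe_of_pid "$pid")"
        done
    done
}

# Live use on a real host: audit_ports "$(netstat -pant)"
audit_ports "$SAMPLE_NETSTAT"
```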
