I totally forgot about netstat! I do believe I've been owned...
[root@f1 04:06:53 ppp]# netstat -pant |grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1591/httpd
[root@f1 04:06:59 ppp]# netstat -pant |grep 6667
tcp        0      0 202.7.95.227:1057       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:1087       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:1076       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:1034       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:1054       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:1046       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:4471       64.35.57.81:6667        ESTABLISHED -
tcp        0      0 202.7.95.227:4496       64.35.57.81:6667        ESTABLISHED -
tcp        0      0 202.7.95.227:4757       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:4909       64.35.57.81:6667        ESTABLISHED -
tcp        0      0 202.7.95.227:4893       64.35.57.81:6667        ESTABLISHED -
tcp        0      0 202.7.95.227:4878       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:4864       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:3289       64.35.57.81:6667        ESTABLISHED -
tcp        0      0 202.7.95.227:2660       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:2629       64.35.57.81:6667        ESTABLISHED -
tcp        0      0 202.7.95.227:2636       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:2654       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:2914       64.35.57.81:6667        ESTABLISHED -
tcp        0      0 202.7.95.227:2916       64.35.57.81:6667        ESTABLISHED -

Does the above look like the IRC server is connected to my syslogd?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard Lowndes
Sent: Friday, 29 November 2002 17:35
To: Minh Van Le
Cc: [EMAIL PROTECTED]
Subject: Re: [SLUG] Suspicious IRCd connections

Would you be running openSSL or secure apache on this machine by any chance?
Does netstat -pant |grep 443 give anything? Also, netstat -pant |grep 6667 will tell you what process is connecting and the name of the running process; then do a find for that name, you might find it in /tmp or /var/www somewhere.

On Fri, 29 Nov 2002, Minh Van Le wrote:

> I've noticed the following ircd connections in tcpdump, and wondered why my
> box was communicating to an IRC server (and vice versa). When I use an IRC
> client to connect to 64.35.57.81:6667, I log on to a jade.va.us.dal.net
> server. So I check for the existence of jade.va.us.dal.net at
> http://www.irchelp.org/irchelp/networks/servers/dalnet.html and it's there.
>
> -----
> 14:59:57.971119 64.35.57.81.ircd > 202.7.95.227.2916: P 841:867(26) ack 701 win 7060 <nop,nop,timestamp 3640386803 26431156> (DF)
> 14:59:57.971119 202.7.95.227.2916 > 64.35.57.81.ircd: P 701:726(25) ack 867 win 10300 <nop,nop,timestamp 26441096 3640386803> (DF)
> 14:59:58.281119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 726 win 7060 <nop,nop,timestamp 3640386834 26441096> (DF)
> 15:00:27.421119 202.7.95.227.64623 > 205.188.9.159.11952: P 3870:3876(6) ack 6100 win 9089 (DF)
> 15:00:27.901119 205.188.9.159.11952 > 192.168.0.8.4955: . ack 3877 win 16384 (DF)
> 15:01:38.181119 64.35.57.81.ircd > 202.7.95.227.2916: P 867:893(26) ack 726 win 7060 <nop,nop,timestamp 3640396825 26441096> (DF)
> 15:01:38.181119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451117 3640396825> (DF)
> 15:01:38.721119 202.7.95.227.2916 > 64.35.57.81.ircd: P 726:751(25) ack 893 win 10300 <nop,nop,timestamp 26451171 3640396825> (DF)
> 15:01:39.001119 64.35.57.81.ircd > 202.7.95.227.2916: . ack 751 win 7060 <nop,nop,timestamp 3640396907 26451171> (DF)
> -----

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
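The triage Howard describes (find the PID behind the port-6667 sockets, then check what that process really is and where its binary lives), as an added example that is not part of the thread and not anyone's posted code. The netstat lines embedded below are constructed to mirror the shape of the thread's output; the list of daemons that should never hold an outbound TCP connection (syslogd, klogd) is an assumption for illustration, the /proc checks assume Linux, and the rpm -V line in the comments assumes an RPM-based distribution. Note that a process can set its own argv[0], so the "syslogd" name netstat prints is not evidence of anything; /proc/PID/exe is what to trust.

```shell
#!/bin/sh
# Added example: triage an unexpected outbound connection seen in `netstat -pant`.
# Not code from the SLUG thread; the sample below is constructed.

# Constructed sample of `netstat -pant` output (values mirror the thread's shape;
# the sshd line is invented to show a legitimate connection being ignored).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1591/httpd
tcp        0      0 202.7.95.227:22         203.0.113.5:51234       ESTABLISHED 1620/sshd
tcp        0      0 202.7.95.227:1057       64.35.57.81:6667        ESTABLISHED 1617/syslogd
tcp        0      0 202.7.95.227:4471       64.35.57.81:6667        ESTABLISHED -
tcp        0      0 202.7.95.227:2660       64.35.57.81:6667        ESTABLISHED 1617/syslogd'

# owners_for_port PORT: read netstat -pant text on stdin and print the distinct
# "PID/name" owners of ESTABLISHED connections whose *remote* port is PORT.
# netstat prints "-" when it cannot map a socket to a PID (owner exited, or
# the socket inode was not found under any /proc/*/fd); keep those, they count.
owners_for_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $5 ~ (":" port "$") { print $7 }
    ' | sort -u
}

# suspicious_owners PORT: from the owners above, flag anything that should not be
# talking outbound at all. The daemon list is an assumption for this example:
# the system logger only ever listens (UDP 514 at most), it never dials out.
suspicious_owners() {
    owners_for_port "$1" | awk -F/ '
        $0 == "-"                        { print "UNKNOWN-OWNER"; next }
        $2 == "syslogd" || $2 == "klogd" { print $1 "/" $2 }
    '
}

# inspect_pid PID: live-host checks (Linux /proc assumed; not run by the test).
# The exe link shows the real binary even if the process renamed itself or the
# file was deleted after exec ("(deleted)" in the ls output is itself a tell).
inspect_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid"; return 1; }
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd"
    printf 'cmdline: '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    # Howard's suggestion: look for a binary of that name in web/temp dirs.
    name=$(basename "$(tr '\0' '\n' < "/proc/$pid/cmdline" | head -n 1)")
    find /tmp /var/tmp /var/www -type f -name "$name" 2>/dev/null
    # On an RPM-based system, also verify the real logger package is untouched:
    #   rpm -V sysklogd
}

# Demo on the constructed sample (safe to run anywhere). On the live box use:
#   netstat -pant | suspicious_owners 6667
#   inspect_pid 1617
printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_owners 6667
```

Run against the constructed sample this prints `1617/syslogd` and `UNKNOWN-OWNER`; the sshd and httpd lines are ignored because their remote port is not 6667. The "-" owners deserve as much attention as the named one: a rootkit that hides processes from netstat and ps produces exactly that shape.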
