[root@f1 16:35:16 init.d]# ps auxw | grep syslog
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START    TIME COMMAND
root       948  0.0  0.2 1476  324 ?     S    Nov26    0:14 syslogd -m 0
root      1617 22.0  0.3 3072  468 ?     S    Nov26 1311:00 syslogd
root     31337  0.0  0.4 1732  600 pts/1 S    16:35    0:00 grep -i syslog
Doesn't look too good. Two syslogd processes running since the last reboot. I'm taking the box down.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Fox
Sent: Saturday, 30 November 2002 8:11
To: Minh Van Le
Cc: Howard Lowndes; [EMAIL PROTECTED]
Subject: RE: [SLUG] Suspicious IRCd connections

Quoting Minh Van Le <[EMAIL PROTECTED]>:

> I totally forgot about netstat!
>
> I do believe I've been owned ...
>
> [root@f1 04:06:53 ppp]# netstat -pant |grep 443
> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1591/httpd
>
> [root@f1 04:06:59 ppp]# netstat -pant |grep 6667
> tcp 0 0 202.7.95.227:1057 64.35.57.81:6667 ESTABLISHED 1617/syslogd
> tcp 0 0 202.7.95.227:1087 64.35.57.81:6667 ESTABLISHED 1617/syslogd
[snip]
> tcp 0 0 202.7.95.227:2914 64.35.57.81:6667 ESTABLISHED -
> tcp 0 0 202.7.95.227:2916 64.35.57.81:6667 ESTABLISHED -
>
> Does the above look like the IRC server is connected to my syslogd?

No, you're connecting to someone else's IRC server, as you already found out from your first email. As I said, you have been owned. Disconnect the machine ASAP, and rebuild.

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
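Added example, not from the thread or its participants: a small Python check that automates the correlation done by hand above (more than one "syslogd", a system daemon holding an ESTABLISHED connection to an IRC port, and established sockets with no visible owning process). The ps and netstat rows are a constructed sample built from the lines quoted above; SINGLETON_DAEMONS and IRC_PORTS are assumed lists a defender would tune for their own hosts.

```python
from collections import Counter

# Constructed sample rows, copied from the thread above (header row included for ps).
PS_OUTPUT = """\
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START    TIME COMMAND
root       948  0.0  0.2 1476  324 ?     S    Nov26    0:14 syslogd -m 0
root      1617 22.0  0.3 3072  468 ?     S    Nov26 1311:00 syslogd
"""
NETSTAT_OUTPUT = """\
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1591/httpd
tcp 0 0 202.7.95.227:1057 64.35.57.81:6667 ESTABLISHED 1617/syslogd
tcp 0 0 202.7.95.227:1087 64.35.57.81:6667 ESTABLISHED 1617/syslogd
tcp 0 0 202.7.95.227:2914 64.35.57.81:6667 ESTABLISHED -
"""

IRC_PORTS = {6667}                                   # assumed watch-list
SINGLETON_DAEMONS = {"syslogd", "klogd", "crond"}    # assumed: should run once

def parse_ps(text):
    """Map pid -> command name from `ps auxw` output (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 10)        # COMMAND may contain spaces
        if len(fields) == 11:
            procs[int(fields[1])] = fields[10].split()[0]
    return procs

def parse_netstat(text):
    """Yield (remote_port, state, pid_or_None, name) per `netstat -pant` row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] != "tcp":
            continue
        rport = None if f[4].endswith("*") else int(f[4].rsplit(":", 1)[1])
        pid, _, name = f[6].partition("/")   # "-" means no owning process seen
        yield rport, f[5], (int(pid) if pid.isdigit() else None), name

def find_anomalies(ps_text, netstat_text):
    """Return sorted, de-duplicated (kind, detail) findings."""
    procs = parse_ps(ps_text)
    findings, counts = set(), Counter(procs.values())
    for name in SINGLETON_DAEMONS:
        if counts[name] > 1:
            findings.add(("duplicate-daemon", f"{name} x{counts[name]}"))
    for rport, state, pid, name in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue
        if pid is None:
            findings.add(("unowned-socket", f"remote port {rport}"))
        elif rport in IRC_PORTS and procs.get(pid, name) in SINGLETON_DAEMONS:
            findings.add(("daemon-on-irc", f"pid {pid} ({name}) -> {rport}"))
    return sorted(findings)
```

On a live host feed it the real `ps auxw` and `netstat -pant` output; any finding is a reason to pull the box off the network and image it before rebuilding, as the thread advises.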
