Server hacked?

Joris Dobbelsteen Joris at familiedobbelsteen.nl
Tue Jan 1 22:00:19 UTC 2008


Dear,

I have a Linux server running Ubuntu 6.06 LTS (under vmware) and it
seems to have some quite weird behaviour. For some reason (or another)
the box seems to create OUTGOING connections to an IRC server from a
supposed kernel address. Below is a snapshot of the netstat output...

Can anyone provide some detailed information about this?
(i.e. confirm my suspicion it is indeed a trojan or something)

If so, I would like to do some more diagnosis/forensics on the box to
find out what may have caused this strange behaviour. Can anyone provide
some help on this?

The box has Postfix, PowerDNS, Apache2 and SSH exposed to the Internet.
Unfortunately it's connected to the single LAN segment I have at home.
Fortunately I have a strict firewall that doesn't allow IRC out (I don't
use it, so I do not need to allow it).

Thanks in advance...

- Joris


root at shushan:~# netstat -tnp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.10.xx:52020     216.152.66.54:6667      SYN_SENT    18687/[kjournald]
tcp        0      1 192.168.10.xx:49383     216.152.66.48:6667      SYN_SENT    18599/[kjournald]
tcp        0      1 192.168.10.xx:32936     216.152.66.46:6667      SYN_SENT    11304/[kjournald]
tcp        0      1 192.168.10.xx:56901     216.152.67.49:6667      SYN_SENT    29965/[kjournald]
tcp        0      1 192.168.10.xx:54354     216.152.67.30:6667      SYN_SENT    24235/[kjournald]
tcp        0      1 192.168.10.xx:60278     216.152.66.47:6667      SYN_SENT    15412/[kjournald]
[trusted entries removed]
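The netstat lines above carry the two tell-tale signs a responder would look for, and the following script (an added triage example, not something posted by the author or shipped with Ubuntu) checks for both. netstat prints a name in square brackets when a process has no cmdline, which is normal for kernel threads such as kjournald, but a real kernel thread has no file descriptors, so netstat -p can never attribute a socket to one; a userland process that blanks its argv, or uses the literal string "[kjournald]" as argv[0], is displayed the same way. The script parses netstat -tnp output, flags sockets owned by a bracket-named process and sockets bound for common IRC ports, and then looks up what /proc says about each flagged PID (exe and cwd links, cmdline, open fd count), which a genuine kernel thread would not have. The sample output is constructed from the post's own lines with the wrapped columns rejoined, the local host left as 192.168.10.xx, and one benign sshd entry added for contrast; the IRC port list is an assumption and not an authoritative set.

```python
"""Triage helper: flag netstat -tnp rows a kernel thread could not legitimately own,
then look at /proc for the PIDs in question.  Added example, not from the original post."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the netstat -tnp output quoted in the post (columns
# joined back onto one line, local host kept as 192.168.10.xx, plus one benign sshd
# entry added for contrast).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.10.xx:52020     216.152.66.54:6667      SYN_SENT    18687/[kjournald]
tcp        0      1 192.168.10.xx:49383     216.152.66.48:6667      SYN_SENT    18599/[kjournald]
tcp        0      0 192.168.10.xx:22        192.168.10.xx:50112     ESTABLISHED 2201/sshd: joris
"""

# netstat shows a name in square brackets when the process has no cmdline, which is normal
# for kernel threads (kjournald, kswapd0, ...).  Kernel threads have no file descriptors,
# so netstat -p cannot attribute a socket to a real one: a bracketed owner is a user process.
BRACKETED_NAME = re.compile(r"^\[[^\]]+\]$")
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}   # assumed list of common IRC ports; extend to taste

@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: Optional[int]
    program: str

    @property
    def foreign_port(self) -> Optional[int]:
        port = self.foreign.rsplit(":", 1)[-1]
        return int(port) if port.isdigit() else None

def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP rows of `netstat -tnp` output; header and non-tcp rows are skipped."""
    conns = []
    for line in text.splitlines():
        if not line.startswith("tcp"):
            continue
        parts = line.split(None, 6)          # the program name may itself contain spaces
        if len(parts) != 7:
            continue
        proto, _recvq, _sendq, local, foreign, state, owner = parts
        pid: Optional[int] = None
        program = owner
        if "/" in owner:                     # owner is "-" when netstat cannot see the PID
            pid_s, program = owner.split("/", 1)
            pid = int(pid_s) if pid_s.isdigit() else None
        conns.append(Conn(proto, local, foreign, state, pid, program.strip()))
    return conns

def suspicious_reasons(conn: Conn) -> List[str]:
    """Why a connection deserves a second look; empty list means nothing stood out."""
    reasons = []
    if BRACKETED_NAME.match(conn.program):
        reasons.append("socket owned by a process that presents itself as a kernel thread")
    if conn.foreign_port in IRC_PORTS:
        reasons.append(f"outbound to port {conn.foreign_port}, a common IRC port")
    return reasons

def find_suspicious(conns: List[Conn]) -> List[Tuple[Conn, List[str]]]:
    return [(c, r) for c in conns if (r := suspicious_reasons(c))]

def inspect_pid(pid: int, proc: str = "/proc") -> Optional[dict]:
    """What /proc says about a PID, for comparison with what netstat printed.
    A genuine kernel thread has an empty cmdline, no usable exe link and no fds; a
    renamed user process has a real exe (possibly marked '(deleted)'), a cwd and open
    fds.  Returns None if the PID is gone.  Run as root on the suspect box."""
    base = os.path.join(proc, str(pid))
    if not os.path.isdir(base):
        return None
    def link(name: str) -> Optional[str]:
        try:
            return os.readlink(os.path.join(base, name))
        except OSError:
            return None
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
    except OSError:
        cmdline = None
    try:
        fds = len(os.listdir(os.path.join(base, "fd")))
    except OSError:
        fds = None
    return {"pid": pid, "exe": link("exe"), "cwd": link("cwd"),
            "cmdline": cmdline, "open_fds": fds}

if __name__ == "__main__":
    for conn, reasons in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{conn.pid} {conn.program} -> {conn.foreign}: " + "; ".join(reasons))
        if os.path.isdir("/proc"):           # only meaningful on the affected host itself
            print("   ", inspect_pid(conn.pid))
```

Two caveats for using this on the real box. First, once root has been lost, netstat, ps and even /proc can be filtered by an LKM or LD_PRELOAD rootkit, so the view from the host should be compared with a view from outside it: the firewall's drop log for port 6667 and a capture on the LAN segment both come from the other side of the machine. Second, reading /proc/PID/exe and cwd is harmless, but anything that writes (killing the process, rebooting, running package updates) destroys evidence; taking a copy of the disk image and a dump of /proc/PID/maps and /proc/PID/fd for the flagged PIDs first costs little and preserves the option of a proper forensic look later.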

More information about the ubuntu-users mailing list