Server hacked?
Joris Dobbelsteen
Joris at familiedobbelsteen.nl
Tue Jan 1 22:00:19 UTC 2008
Dear,
I'm having a Linux server running Ubuntu 6.06 LTS (under vmware) and it
seems to have some quite weird behaviour. For some reason (or another)
the box seems to create OUTGOING connections to an IRC server from a
supposed kernel address. Below is a snapshot of the netstat output...
Can anyone provide some detailed information about this?
(i.e. confirm my suspicion it is indeed a trojan or something)
If so, I'm desiring to do some more diagnosis/forensics on the box to
get to know what may have caused this strange behaviour. Can anyone
provide some help on this?
The box has PostFix, PowerDNS, Apache2 and SSH exposed to the Internet.
Unfortunately it's connected to the single LAN segment I have at home.
Fortunately I have a strict firewall that doesn't allow IRC out (I don't
use it, so I do not need to allow it).
Thanks in advance...
- Joris
root at shushan:~# netstat -tnp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.10.xx:52020     216.152.66.54:6667      SYN_SENT    18687/[kjournald]
tcp        0      1 192.168.10.xx:49383     216.152.66.48:6667      SYN_SENT    18599/[kjournald]
tcp        0      1 192.168.10.xx:32936     216.152.66.46:6667      SYN_SENT    11304/[kjournald]
tcp        0      1 192.168.10.xx:56901     216.152.67.49:6667      SYN_SENT    29965/[kjournald]
tcp        0      1 192.168.10.xx:54354     216.152.67.30:6667      SYN_SENT    24235/[kjournald]
tcp        0      1 192.168.10.xx:60278     216.152.66.47:6667      SYN_SENT    15412/[kjournald]
[trusted entries removed]
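The two things that make the snapshot above suspicious are easy to check mechanically: a genuine kernel thread such as kjournald appears in brackets and never owns a user-space socket, so a bracketed name with a PID on a TCP row is a userland process that rewrote its own name; and port 6667 is the standard IRC port. The script below is an added example (not from the original post or from Ubuntu) that parses `netstat -tnp` output, flags rows on those two heuristics, and shows how to read `/proc/<pid>/exe` and `/proc/<pid>/cmdline` on the live host to learn what binary is really behind the name. The IRC port list beyond 6667 and the benign sshd row in the sample are assumptions/constructed for illustration.

```python
"""Flag suspicious rows in `netstat -tnp` output.

Added example, not code from the original mailing-list post. Heuristics:
  * a [bracketed] program name that owns a socket (kernel threads never do)
  * an outbound connection to an IRC port
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 6667 is the port seen in the post; the others are assumed common IRC ports.
IRC_PORTS = {6667, 6668, 6669, 6697}


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: Optional[int]
    program: str

    @property
    def remote_port(self) -> int:
        return int(self.remote.rsplit(":", 1)[1])


def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP rows of `netstat -tnp`; header, prompt and footer lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, remote, state, pidprog = fields
        if pidprog == "-":  # netstat prints '-' when it cannot resolve the socket owner
            pid, program = None, "-"
        else:
            pid_s, program = pidprog.split("/", 1)
            pid = int(pid_s)
        conns.append(Conn(proto, local, remote, state, pid, program))
    return conns


def flag_suspicious(conns: List[Conn]) -> List[Tuple[Conn, List[str]]]:
    """Return (connection, reasons) for every row that trips a heuristic."""
    flagged: List[Tuple[Conn, List[str]]] = []
    for c in conns:
        reasons: List[str] = []
        # Real kernel threads show as [name] and hold no user-space sockets, so a
        # bracketed name with a PID on a socket is a process disguising its argv[0].
        if c.pid is not None and re.fullmatch(r"\[[^\]]+\]", c.program):
            reasons.append("bracketed name owns a socket (real kernel threads never do)")
        if c.remote_port in IRC_PORTS:
            reasons.append(f"remote port {c.remote_port} is an IRC port")
        if reasons:
            flagged.append((c, reasons))
    return flagged


def inspect_pid(pid: int) -> Dict[str, str]:
    """Read what /proc keeps about a live process: the real binary behind the name
    and its command line. Run on the affected host before stopping anything."""
    info: Dict[str, str] = {}
    base = f"/proc/{pid}"
    try:
        # A " (deleted)" suffix here means the binary was removed from disk after start.
        info["exe"] = os.readlink(f"{base}/exe")
    except OSError as e:
        info["exe"] = f"unavailable: {e}"
    try:
        with open(f"{base}/cmdline", "rb") as fh:
            info["cmdline"] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError as e:
        info["cmdline"] = f"unavailable: {e}"
    return info


# Constructed sample: the six rows from the post plus one made-up benign sshd row.
SAMPLE_NETSTAT = """\
root at shushan:~# netstat -tnp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.xx:22        192.168.10.5:51234      ESTABLISHED 1234/sshd
tcp        0      1 192.168.10.xx:52020     216.152.66.54:6667      SYN_SENT    18687/[kjournald]
tcp        0      1 192.168.10.xx:49383     216.152.66.48:6667      SYN_SENT    18599/[kjournald]
tcp        0      1 192.168.10.xx:32936     216.152.66.46:6667      SYN_SENT    11304/[kjournald]
tcp        0      1 192.168.10.xx:56901     216.152.67.49:6667      SYN_SENT    29965/[kjournald]
tcp        0      1 192.168.10.xx:54354     216.152.67.30:6667      SYN_SENT    24235/[kjournald]
tcp        0      1 192.168.10.xx:60278     216.152.66.47:6667      SYN_SENT    15412/[kjournald]
[trusted entries removed]
"""

if __name__ == "__main__":
    for conn, reasons in flag_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{conn.local} -> {conn.remote} {conn.state} pid={conn.pid} {conn.program}")
        for r in reasons:
            print("   -", r)
```

On the box itself, feed it live output (`netstat -tnp | python3 this_script.py` after swapping the sample for `sys.stdin.read()`) and then call `inspect_pid` on each flagged PID; the `exe` link tells you which file on disk to preserve for analysis, and a `(deleted)` suffix or a path under /tmp or /dev/shm is worth noting before the process is stopped.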