security problem

James McDonald james at jamesmcdonald.id.au
Mon Jun 30 01:31:14 PDT 2008


Gilles Germon wrote:
> See the remarks section here :
> http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=194.68.45.50&do_search=Search
>
> Gilles
>   
So what you are saying is someone is sending controlling commands from 
an irc server on the http://www.dal.net irc farm.

I suppose you could use tcpdump and try and see what it's actually 
saying over the wire... unless the -DSSL is being used.

> -----Original Message-----
> From: linux-users-bounces at linux-sxs.org
> [mailto:linux-users-bounces at linux-sxs.org] On behalf of David A. Bandel
> Sent: Monday, June 30, 2008 00:48
> To: Linux tips and tricks
> Subject: security problem
>
> Folks (Matt maybe?),
>
> Hoping someone can help me out here.  I found this running on a client's
> server:
> 25454 ?        Z      0:00 [perl] <defunct>
> 25455 ?        S    7481:51 /hsphere/shared/apache/bin/httpd -DSSL
>
> I included 25454 because apparently, perl spawned the activity (which
> was in turn spawned by the web server).  Running as user www-data (web
> server).
>
> Apparently been running since about 24 Jun.  Netstat -pan has this to say:
> tcp        0      1 192.168.8.2:55323       194.68.45.50:6667       SYN_SENT    25455/httpd -DSSL
>
> I've blocked port 6667 outgoing.  It keeps trying various IPs.  Not
> sure what it is, but doubt it's benign.  Searches on port 6667 turn up
> some things, but nothing substantial (i.e., lots of Windoze bots, but
> nothing I can identify as Linux).
>
> Any ideas?
>
> TIA,
>
> David A. Bandel
>   
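The indicator David posted (a web-server process with an outbound connection attempt to port 6667) is easy to check for mechanically. The following Python script is an added example written for this archive page; it is not code from anyone in the thread. It parses `netstat -pan` style TCP rows and flags any non-listening socket owned by a web-server program whose remote port is a common IRC port. The IRC port list and the set of web-server program names are assumptions, and the sample netstat output is constructed for the example (the `194.68.45.50:6667` row is the one from the original mail).

```python
import re
from dataclasses import dataclass
from typing import List

# Ports commonly used by IRC servers (assumed list for this example). A web
# server serving HTTP has no legitimate reason to open client sockets to them.
IRC_PORTS = {6666, 6667, 6668, 6669, 6697, 7000}

# Program names in netstat's PID/Program column that we treat as the web
# server (assumed list).
WEB_SERVER_PROGRAMS = {"httpd", "apache", "apache2", "nginx"}


@dataclass(frozen=True)
class Finding:
    pid: int
    program: str
    local: str
    raddr: str
    rport: int
    state: str


# One TCP row of `netstat -pan`: proto, Recv-Q, Send-Q, local, remote, state,
# PID/Program. Only the leading token of the program name is captured, so a
# row ending in "25455/httpd -DSSL" yields program "httpd".
NETSTAT_ROW = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<pid>\d+)/(?P<program>\S+)"
)


def find_irc_from_web_server(netstat_output: str) -> List[Finding]:
    """Return every non-listening web-server socket whose peer port is an IRC port."""
    findings = []
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        # Skip headers, UDP rows, listeners and rows without a remote port.
        if not m or m["state"] == "LISTEN" or m["rport"] == "*":
            continue
        rport = int(m["rport"])
        if rport in IRC_PORTS and m["program"] in WEB_SERVER_PROGRAMS:
            findings.append(Finding(
                pid=int(m["pid"]),
                program=m["program"],
                local=f'{m["laddr"]}:{m["lport"]}',
                raddr=m["raddr"],
                rport=rport,
                state=m["state"],
            ))
    return findings


# Constructed sample output; only the 6667 row comes from the original mail.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      25455/httpd -DSSL
tcp        0      1 192.168.8.2:55323       194.68.45.50:6667       SYN_SENT    25455/httpd -DSSL
tcp        0      0 192.168.8.2:443         203.0.113.7:49152       ESTABLISHED 25455/httpd -DSSL
tcp        0      0 192.168.8.2:22          192.168.8.10:51234      ESTABLISHED 1311/sshd
"""

if __name__ == "__main__":
    for f in find_irc_from_web_server(SAMPLE_NETSTAT):
        print(f"pid {f.pid} ({f.program}) {f.local} -> {f.raddr}:{f.rport} [{f.state}]")
```

A `SYN_SENT` hit like the one above, repeated against changing remote addresses after the egress block, is the signature the thread describes; the next step on the host is the one James suggests (capture the traffic with tcpdump if it is not encrypted) together with inspecting what the web server's child process actually executed.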