Re: Server hacked?
Joris,

There seems to be some kind of rootkit running on your server. It
concerns SYN_SENT, towards numbering devices, which inclines scans for
open dcc-servers, to send packets to. What I would advise you is to
install a package that searches for installed rootkits and scan your system
with e.g. chkrootkit or rkhunter.
To answer your question: yes, in my humble opinion it concerns
some kind of rootkit or trojan (rather rootkit than trojan).
greetz,
Johan

Joris Dobbelsteen wrote:
Dear,

I'm having a Linux server running Ubuntu 6.06 LTS (under vmware) and it
seems to have some quite weird behaviour. For some reason (or another)
the box seems to create OUTGOING connections to an IRC server from a
supposed kernel address. Below is a snapshot of the netstat output...

Can anyone provide some detailed information about this?
(i.e. confirm my suspicion it is indeed a trojan or something)

If so, I'm desiring to do some more diagnosis/forensics on the box to
get to know what may have caused this strange behaviour. Can anyone provide
some help on this?

The box has PostFix, PowerDNS, Apache2 and SSH exposed to the Internet.
Unfortunately it's connected to the single LAN segment I have at home.
Fortunately I have a strict firewall that doesn't allow IRC out (I don't
use it, so I do not need to allow it).

Thanks in advance...

- Joris


root@shushan:~# netstat -tnp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.10.xx:52020     216.152.66.54:6667      SYN_SENT    18687/[kjournald]
tcp        0      1 192.168.10.xx:49383     216.152.66.48:6667      SYN_SENT    18599/[kjournald]
tcp        0      1 192.168.10.xx:32936     216.152.66.46:6667      SYN_SENT    11304/[kjournald]
tcp        0      1 192.168.10.xx:56901     216.152.67.49:6667      SYN_SENT    29965/[kjournald]
tcp        0      1 192.168.10.xx:54354     216.152.67.30:6667      SYN_SENT    24235/[kjournald]
tcp        0      1 192.168.10.xx:60278     216.152.66.47:6667      SYN_SENT    15412/[kjournald]
[trusted entries removed]
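The tell-tale detail in the netstat output above is the program name: a genuine kernel thread such as kjournald never owns a userland TCP socket, so netstat cannot attribute a connection to one. A PID that shows up as [kjournald] with an outbound connection is a user-space process that rewrote its argv[0] to look like a kernel thread, which is the classic disguise of an IRC bot. The following is an added triage script, not code from either poster; it parses netstat -tnp text, flags entries whose program name is bracketed like a kernel thread or whose destination is an IRC port, and resolves what a PID really executes via /proc/<pid>/exe. The port list, the 192.168.10.5 host address, and the sshd and Postfix lines in the sample are constructed for the example; the 216.152.x.x:6667 destinations and [kjournald] names mirror the quoted output.

```python
"""Triage netstat -tnp output for processes masquerading as kernel threads."""
import os
import re
from typing import Callable, Dict, List, Optional

# Assumption: ports commonly used by IRC servers (6660-6669 plain text, 6697 TLS).
IRC_PORTS = set(range(6660, 6670)) | {6697}

# Constructed sample modelled on the thread's netstat output. The host address,
# the sshd session and the SMTP line are made up; the rest mirrors the post.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.10.5:52020      216.152.66.54:6667      SYN_SENT    18687/[kjournald]
tcp        0      1 192.168.10.5:49383      216.152.66.48:6667      SYN_SENT    18599/[kjournald]
tcp        0      0 192.168.10.5:22         192.168.10.20:51234     ESTABLISHED 4123/sshd: joris
tcp        0      0 192.168.10.5:25         10.0.0.9:40011          ESTABLISHED -
"""

# One TCP row: proto, queues, local, remote, state, then "PID/name" or "-".
# The program name may contain spaces (e.g. "sshd: joris"), hence ".*" at the end.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<pid>\d+|-)(?:/(?P<prog>.*))?$"
)


def parse_netstat(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per connection row; header and banner lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def remote_port(addr: str) -> int:
    """Extract the port from 'host:port'; rsplit keeps IPv6 literals intact."""
    return int(addr.rsplit(":", 1)[1])


def triage(conns: List[Dict[str, Optional[str]]]) -> List[Dict[str, object]]:
    """Flag connections that a bot disguised as a kernel thread would produce."""
    findings = []
    for c in conns:
        prog = c["prog"] or ""
        reasons = []
        # Kernel threads have no file descriptors, so netstat can never map a
        # socket to one. A bracketed name on a socket means a user process set
        # its argv[0] to imitate a kernel thread.
        if prog.startswith("[") and prog.endswith("]"):
            reasons.append("kernel-thread name on a userland socket")
        if remote_port(c["remote"]) in IRC_PORTS:
            reasons.append("remote port is an IRC port")
        if reasons:
            findings.append({"pid": c["pid"], "prog": prog,
                             "remote": c["remote"], "reasons": reasons})
    return findings


def inspect_pid(pid: str,
                readlink: Callable[[str], str] = os.readlink) -> Dict[str, object]:
    """Resolve what a PID really executes (run as root on the live box).

    /proc/<pid>/exe cannot be read for a genuine kernel thread (ENOENT); for a
    disguised user process it points at the real binary, suffixed ' (deleted)'
    if the dropper removed it from disk. readlink is injectable so the logic
    can be exercised without a live /proc.
    """
    try:
        exe: Optional[str] = readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = None
    return {"pid": pid, "exe": exe,
            "deleted": bool(exe and exe.endswith(" (deleted)")),
            "looks_like_kernel_thread": exe is None}


if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {f['pid']} ({f['prog']}) -> {f['remote']}: {', '.join(f['reasons'])}")
        print("   ", inspect_pid(f["pid"]))
```

On the live machine, feed the real output in with `parse_netstat(subprocess.run(["netstat", "-tnp"], capture_output=True, text=True).stdout)` and copy `/proc/<pid>/exe` of each hit off the box for analysis. Bear in mind that a kernel-level rootkit can hide PIDs and sockets from /proc altogether, so a clean result from this script is not proof of a clean system; the chkrootkit or rkhunter scan Johan suggests, ideally from a trusted boot medium, is the stronger check.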
--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users