
Re: hack?

This might be a silly question - but were you using BackWeb at the time?
And what did /etc/services say about irc on your machine? 6667 or 194? :)

N.


On Sat, 10 May 1997, Viktorie Navratilova wrote:

> On Fri, 9 May 1997, Ariel Biener wrote:
> > On Fri, 9 May 1997, Ira Abramov wrote:
> >
> > > just played around with netstat -e -a, saw this weird connection:
> > >
> > > root
> > > tcp        0      0 bit.scso.com:21385      becker1.u.washingto:irc ESTABLISHED
> >                                               ^^^^^^^^^^^^^^^^^^^^^^^
> >
> > this is weird. If you were using Irc, you wouldn't be connected to
> > server:irc but most probably to server:port_higher_than_1024 (usually
> > 6665/6/7/7000 etc).
> >
> > irc             194/tcp                         # Internet Relay Chat
> > irc             194/udp
> 
> 
> Well first off, the information Ira provides indicates nothing about
> whether root initiated the connection.  If you would look at the format in
> which netstat gives info, the user who initiated the connection is listed
> in the last field of information;  if the term window was not long enough,
> the line would wrap and the user ends up listed *below* the connection
> line. Root started the connection listed before this one, not this
> connection itself.
> 
> What Ariel says may be accurate by the RFC, but in the /etc/services file
> in RH3.0.3 (which we can assume would stay the same through 4.1), irc is
> associated with port 6667.  Someone using IRC under this setup would cause
> a netstat message of the form server:irc, not
> server:port_higher_than_1024, as the RFC might lead you to believe.
> 
> A lot of this confusion would be cleared up with a netstat -n.
> 
> > What exact time was
> > this ?? I can ask the washington.edu irc-admin to have a look at the users
> > log (EFnet ircd's have that feature), and tell you who connected from your
> > machine at that time.(The admin there is a friend of mine).
> 
> If bit.scso.com is running an ident daemon, then looking up the connection
> initiator at washington.edu with the info that provides should be a
> trivial matter.
> As it is, the information provided is rather cryptic and doesn't say much.
> 
> > > I'm not using irc, and I'm the only one on my server...
> > > I forgot how to find out which process is the one that opened the
> > > connection... anyone?
> 
> There are two ways you can do this: turn on ip auditing in the kernel and
> you can track all of your connections.  There is also a utility for linux
> called lsof (list open files) that lists what processes own what
> connections as long as the processes are still running.
> 
> Good luck!
> 
> -------------
>       Say union yes!!	   "And if I die today I'll be the Happy Phantom;
>     ___        \  .    ,.	And I'll go chasin' the nuns out in the yard
> _.-|   |          |\__/,|   (`\  |And I'll run naked through the streets
> {   |   |          |o o  |__ _) ) | without my mask on; And I will never
> "-.|___|        _.( T   )  `  /  | need umbrellas in the rain; I'll wake
>  .--'-`-.     _((_ `^--' /_<  \  | up in strawberry fields every day; And
> _.+|______|__.-||__)`-'(((/  (((/  | the atrocities of school I can forgive;
> "Jesus can't play rugby 'cuz     ` the Happy Phantom has no right to bitch;"
>       he only has twelve men"    `_ _ _ _ _ -- Tori Amos _ _ _ _ _ _ _ _
> 
> 

--
Nir Soffer AKA ScorpioS, scorpios@cs.huji.ac.il .
USER, n.:
        The word computer professionals use when they mean "idiot."
                -- Dave Barry, "Claw Your Way to the Top"


