Re: hack?
On Fri, 9 May 1997, Ariel Biener wrote:
> On Fri, 9 May 1997, Ira Abramov wrote:
>
> > just played around with netstat -e -a, saw this weird connection:
> >
> > root
> > tcp 0 0 bit.scso.com:21385 becker1.u.washingto:irc ESTABLISHED
> ^^^^^^^^^^^^^^^^^^^^^^^
>
> this is weird. If you were using IRC, you wouldn't be connected to
> server:irc but most probably to server:port_higher_than_1024 (usually
> 6665/6/7/7000 etc).
>
> irc 194/tcp # Internet Relay Chat
> irc 194/udp
Well, first off, the information Ira provides indicates nothing about
whether root initiated the connection. If you look at the format in which
netstat gives its info, the user who initiated the connection is listed
in the last field; if the terminal window was not wide enough, the line
would wrap and the user ends up listed *below* the connection line. Root
started the connection listed before this one, not this connection
itself.
What Ariel says may be accurate by the RFC, but in the /etc/services file
in RH3.0.3 (which we can assume would stay the same through 4.1), irc is
associated with port 6667. Someone using IRC under this setup would cause
a netstat line of the form server:irc, not server:port_higher_than_1024,
as the RFC might lead you to believe.
A lot of this confusion would be cleared up with a netstat -n.
> What exact time was
> this ?? I can ask the washington.edu irc-admin to have a look at the users
> log (EFnet ircd's have that feature), and tell you who connected from your
> machine at that time.(The admin there is a friend of mine).
If bit.scso.com is running an ident daemon, then looking up the connection
initiator at washington.edu with the info that provides should be a
trivial matter.
As it is, the information provided is rather cryptic and doesn't say much.
> > I'm not using irc, and I'm the only one on my server...
> > I forgot how to find out which process is the one that opened the
> > connection... anyone?
There are two ways you can do this: turn on IP auditing in the kernel, and
you can track all of your connections; or use the Linux utility called
lsof (list open files), which lists which processes own which
connections, as long as the processes are still running.
Good luck!
-------------
Say union yes!! "And if I die today I'll be the Happy Phantom;
___ \ . ,. And I'll go chasin' the nuns out in the yard
_.-| | |\__/,| (`\ |And I'll run naked through the streets
{ | | |o o |__ _) ) | without my mask on; And I will never
"-.|___| _.( T ) ` / | need umbrellas in the rain; I'll wake
.--'-`-. _((_ `^--' /_< \ | up in strawberry fields every day; And
_.+|______|__.-||__)`-'(((/ (((/ | the atrocities of school I can forgive;
"Jesus can't play rugby 'cuz ` the Happy Phantom has no right to bitch;"
he only has twelve men" `_ _ _ _ _ -- Tori Amos _ _ _ _ _ _ _ _
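As an added example (not code from the original mail or from anyone in the thread): the /etc/services lookup behind the "server:irc" disagreement, and the lsof/ss invocations that answer "which process opened this". The /etc/services fragment, the addresses and the netstat line are constructed for the example; the real file on a given box may map irc differently, which is exactly the point the mail makes.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Resolves a port to a name the way netstat does when run without -n
# (first matching line of /etc/services wins) and shows why "irc" is
# ambiguous: the RFC/IANA entry says 194, a 1997 Red Hat file said 6667.

# Constructed /etc/services fragment; the real file on a given box may differ.
SERVICES_SAMPLE='# name     port/proto    # comment
ftp        21/tcp
ident      113/tcp       # auth; what the washington.edu side could query
irc        194/tcp       # Internet Relay Chat (RFC/IANA assignment)
irc        6667/tcp      # Red Hat 3.0.3-era entry: IRC servers really listen here
ircd       6667/tcp      # name used on some other systems
'

# write_sample_services: write the fragment to a temp file and print its path.
write_sample_services() {
    f=$(mktemp) || return 1
    printf '%s' "$SERVICES_SAMPLE" > "$f"
    printf '%s\n' "$f"
}

# svc_name PORT PROTO [FILE]: the name netstat would print for PORT/PROTO,
# taking the first matching line of FILE (default /etc/services). Prints the
# bare number when nothing matches, which is what "netstat -n" always prints.
svc_name() {
    port=$1 proto=$2 file=${3:-/etc/services}
    name=$(awk -v want="$port/$proto" '
        /^[ \t]*#/ || NF < 2 { next }   # skip comments and blank lines
        $2 == want { print $1; exit }   # first hit wins, like getservbyport()
    ' "$file")
    printf '%s\n' "${name:-$port}"
}

# ports_of NAME PROTO [FILE]: every port NAME is mapped to, one per line.
# On the sample, "irc tcp" yields both 194 and 6667: the root of the
# disagreement in the thread.
ports_of() {
    name=$1 proto=$2 file=${3:-/etc/services}
    awk -v n="$name" -v p="$proto" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == n { split($2, a, "/"); if (a[2] == p) print a[1] }
    ' "$file"
}

# who_has_it RADDR RPORT: the commands to run on the local box to find the
# process behind an established connection to RADDR:RPORT. Printed rather
# than executed, because lsof and ss are not installed everywhere.
who_has_it() {
    printf 'lsof -nP -i tcp@%s:%s\n' "$1" "$2"   # -n/-P: no DNS or service names
    printf 'ss -tnp dst %s:%s\n' "$1" "$2"        # iproute2 alternative to lsof
}

f=$(write_sample_services)
# A constructed "netstat -n" style line for the connection under discussion;
# the addresses are RFC 5737 documentation ranges, not the real hosts.
printf 'tcp 0 0 192.0.2.10:21385 203.0.113.5:6667 ESTABLISHED\n'
printf 'remote port 6667 prints as: %s\n' "$(svc_name 6667 tcp "$f")"
printf 'remote port 194  prints as: %s\n' "$(svc_name 194 tcp "$f")"
printf 'ports named irc here: %s\n' "$(ports_of irc tcp "$f" | tr '\n' ' ')"
who_has_it 203.0.113.5 6667
rm -f "$f"
```

Run with `sh` on any box; point `svc_name` at the real `/etc/services` (omit the third argument) to see what your own netstat would print for 6667. The lsof/ss commands only help while the process is still alive, as the mail says; for a connection that has already closed you are back to kernel auditing or the remote side's ident/ircd logs.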