Re: hack?
This might be a silly question - but were you using backweb at the time?
And what did /etc/services say about irc in your machine? 6667 or 194? :)
N.
On Sat, 10 May 1997, Viktorie Navratilova wrote:
> On Fri, 9 May 1997, Ariel Biener wrote:
> > On Fri, 9 May 1997, Ira Abramov wrote:
> >
> > > just played around with netstat -e -a, saw this weird connection:
> > >
> > > root
> > > tcp 0 0 bit.scso.com:21385 becker1.u.washingto:irc ESTABLISHED
> > ^^^^^^^^^^^^^^^^^^^^^^^
> >
> > this is weird. If you were using Irc, you wouldn't be connected to server:irc
> > but most probably to server:port_higher_than_1024 (usually 6665/6/7/7000
> > etc).
> >
> > irc 194/tcp # Internet Relay Chat
> > irc 194/udp
>
>
> Well first off, the information Ira provides indicates nothing about
> whether root initiated the connection. If you would look at the format in
> which netstat gives info, the user who initiated the connection is listed
> in the last field of information; if the term window was not long enough,
> the line would wrap and the user ends up listed *below* the connection
> line. Root started the connection listed before this one, not this
> connection itself.
>
> What Ariel says may be accurate by the RFC, but in the /etc/services file
> in RH3.0.3 (which we can assume would stay the same through 4.1), irc is
> associated with port 6667. Someone using IRC under this setup would cause
> a netstat message of the form server:irc, not
> server:port_higher_than_1024, as the RFC might lead you to believe.
>
> A lot of this confusion would be cleared up with a netstat -n.
>
> > What exact time was
> > this ?? I can ask the washington.edu irc-admin to have a look at the users
> > log (EFnet ircd's have that feature), and tell you who connected from your
> > machine at that time. (The admin there is a friend of mine).
>
> If bit.scso.com is running an ident daemon, then looking up the connection
> initiator at washington.edu with the info that provides should be a
> trivial matter.
> As it is, the information provided is rather cryptic and doesn't say much.
>
> > > I'm not using irc, and I'm the only one on my server...
> > > I forgot how to find out which process is the one that opened the
> > > connection... anyone?
>
> There are two ways you can do this: turn on ip auditing in the kernel and
> you can track all of your connections. There is also a utility for linux
> called lsof (list open files) that lists what processes own what
> connections as long as the processes are still running.
>
> Good luck!
>
> -------------
> Say union yes!! "And if I die today I'll be the Happy Phantom;
> ___ \ . ,. And I'll go chasin' the nuns out in the yard
> _.-| | |\__/,| (`\ |And I'll run naked through the streets
> { | | |o o |__ _) ) | without my mask on; And I will never
> "-.|___| _.( T ) ` / | need umbrellas in the rain; I'll wake
> .--'-`-. _((_ `^--' /_< \ | up in strawberry fields every day; And
> _.+|______|__.-||__)`-'(((/ (((/ | the atrocities of school I can forgive;
> "Jesus can't play rugby 'cuz ` the Happy Phantom has no right to bitch;"
> he only has twelve men" `_ _ _ _ _ -- Tori Amos _ _ _ _ _ _ _ _
>
>
--
Nir Soffer AKA ScorpioS, scorpios@cs.huji.ac.il .
USER, n.:
The word computer professionals use when they mean "idiot."
-- Dave Barry, "Claw Your Way to the Top"
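
The port-name ambiguity argued over in this thread, as an added example that is not part of the original messages: netstat prints the label `irc` for whichever port the local /etc/services assigns to that name, so the same label can mean 194 or 6667. Both services files below are constructed samples (the 194 entries as quoted above, the 6667 entry as the reply describes), and `port_for` and `numeric_endpoint` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Sample files are constructed, not taken from a real host.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/services.rfc" <<'EOF'
irc             194/tcp         # Internet Relay Chat
irc             194/udp
EOF

cat > "$tmp/services.local" <<'EOF'
irc             6667/tcp        # Internet Relay Chat
EOF

# port_for NAME PROTO FILE: print the port FILE assigns to NAME/PROTO.
port_for() {
    awk -v n="$1" -v p="$2" '
        { sub(/#.*/, "") }                  # drop trailing comments
        NF < 2 { next }                     # skip blank or malformed lines
        {
            split($2, pp, "/")              # "194/tcp" -> pp[1]=194, pp[2]=tcp
            if (pp[2] != p) next
            hit = ($1 == n)
            for (i = 3; i <= NF; i++) if ($i == n) hit = 1   # alias columns
            if (hit) { print pp[1]; exit }
        }' "$3"
}

# numeric_endpoint HOST:SERVICE PROTO FILE: the HOST:PORT form that
# `netstat -n` shows directly, without consulting the services file.
numeric_endpoint() {
    host=${1%:*}; svc=${1##*:}
    case $svc in
        *[!0-9]*) port=$(port_for "$svc" "$2" "$3") ;;   # symbolic name
        *)        port=$svc ;;                           # already numeric
    esac
    printf '%s:%s\n' "$host" "${port:-?}"
}

# The remote endpoint from the quoted netstat line, read under each file.
for f in "$tmp/services.rfc" "$tmp/services.local"; do
    numeric_endpoint 'becker1.u.washingto:irc' tcp "$f"
done

# On the live host, `netstat -n` removes the ambiguity, and
# `lsof -n -P -i TCP:6667` lists the process that owns a socket on that
# port, as long as the process is still running.
```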