[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: hack?



On Fri, 9 May 1997, Ira Abramov wrote:

> 
> 
   Hi,


> just played around with netstat -e -a, saw this weird connection:
> 
> root       
> tcp        0      0 bit.scso.com:21385      becker1.u.washingto:irc ESTABLISHED
                                              ^^^^^^^^^^^^^^^^^^^^^^^

this is weird. If you were using Irc, you wouldn't be connected to server:irc
but most probably to server:port_higher_than_1024 (usually 6665/6/7/7000
etc).

irc             194/tcp                         # Internet Relay Chat
irc             194/udp

This is the Irc port specified in the RFC, meant for server to server
connections, assuming that connect() is done as root. Since no Irc network
I know of uses suid irc daemons, this would be weird. What exact time was
this ?? I can ask the washington.edu irc-admin to have a look at the users
log (EFnet ircd's have that feature), and tell you who connected from your
machine at that time.(The admin there is a friend of mine).

--Ariel

 > 
> 
> I'm not using irc, and I'm the only one on my server...
> I forgot how to find out which process is the one that opened the
> connection... anyone?
> 
>    -------------------------------------------------------------
>    Ira Abramov          <ira@scso.com>        Scalable Solutions
>    POBox 3600, Jerusalem 91035, Israel       Tel (972)2-642-6822
>    http://www.scso.com/~ira   Check out: http://www.linux.org.il
> 

   +---------------------------------------------------------+
   | Ariel Biener                                            |
   | e-mail: ariel@post.tau.ac.il        Work ph: 03-6406086 |
   +---------------------------------------------------------+


Follow-Ups: References: