Pantek Library

netstat output evidence of a cracker?

From: Adam Hardy <adam.ant(at)cyberspaceroad.com>
Date: Sat Nov 10 2007 - 07:46:05 EST


One routine check that I do on my webserver to check it's OK is netstat, and this time it looks like I was under attack from some muppet out there via what seems to be a brute force attempt to crack my ssh login.

Trying to understand the info, what is the foreign address - is that the attacker's domain name: 59-124-248-196.HI? If so, how come it's this weird format? And what's 59-124-248-19:dircproxy? And how come so many listed connections have no PID? Are they just abandoned login attempts?

I ran nmap from my home PC to see whether there were any unrecognised ports open that might have been opened up if the cracker had got in, and I see a couple of ports that show as filtered:

1720/tcp  filtered H.323/Q.931
6666/tcp  filtered irc-serv
6667/tcp  filtered irc
6668/tcp  filtered irc
6669/tcp  filtered unknown

I can't see anything running on the server now that might be using those ports, but then if it's rootkitted, I wouldn't would I? Is there a website out there that I can use from outside my firewall which I can get a good look at those ports with? Or some other approach?

Thanks for any help.
Adam

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:mysql                 *:*                     LISTEN      313/mysqld          
tcp        0      0 *:ssh                   *:*                     LISTEN      273/sshd            
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57312 SYN_RECV    -                   
tcp        0      0 *:12121                 *:*                     LISTEN      318/perl            
tcp        0      0 *:smtp                  *:*                     LISTEN      264/master          
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56479 TIME_WAIT   -                   
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56719 TIME_WAIT   -                   
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:55740 TIME_WAIT   -                   
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56047 TIME_WAIT   -                   
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57150 TIME_WAIT   -                   
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:55870 TIME_WAIT   -                   
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56621 TIME_WAIT   -                   
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56574 TIME_WAIT   -                   
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56814 TIME_WAIT   -                   
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56302 TIME_WAIT   -                   
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57151 TIME_WAIT   -
tcp        1      1 hardyaa1.miniserver:ssh 59-124-248-196.HI:57247 LAST_ACK    -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:55983 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57308 ESTABLISHED 4746/sshd
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56815 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:55791 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:55944 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-19:dircproxy TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57097 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56905 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56425 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56473 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56633 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56762 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57049 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56715 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56968 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57256 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56388 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57204 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56775 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57206 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56678 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57045 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56277 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56389 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57461 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57013 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56864 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57456 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57312 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56866 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57410 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56530 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57554 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57602 TIME_WAIT   -
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:57601 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57410 TIME_WAIT   -
tcp        0      0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56962 TIME_WAIT   -
tcp        0      0 localhost:mysql         localhost:2930          ESTABLISHED 313/mysqld
tcp        0      0 69.10.152.114:ssh       59-124-248-196.HI:56912 TIME_WAIT   -
tcp        0      0 localhost:8005          *:*                     LISTEN      26898/java
tcp        0      0 *:www                   *:*                     LISTEN      26898/java
tcp        0      0 *:https                 *:*                     LISTEN      26898/java
tcp        1      0 localhost:2931          localhost:mysql         CLOSE_WAIT  26898/java
tcp        0      0 localhost:2930          localhost:mysql         ESTABLISHED 26898/java
tcp        0      0 hardyaa1.miniserv:https bosch.netcraft.com:1778 ESTABLISHED 26898/java
-- 
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Sat Nov 10 07:46:54 2007
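How a defender reads the netstat listing and the nmap result in the post above, as an added example (not code from the original post or from any reply). Background the script relies on: the PID/Program name column shows `-` for sockets that no process owns any more (SYN_RECV, TIME_WAIT and LAST_ACK are kernel-side leftovers of connections that never became, or have already finished being, a session), the `.HI` suffix is a reverse-DNS name cut by net-tools netstat to fit its 23-character column, and `dircproxy` is the /etc/services name substituted for port 57000; `netstat -tnp` (numeric) avoids both substitutions. The script parses that layout, separates per-source leftover ssh sockets (the brute-force signature) from sessions that actually have a logged-in sshd, and lists listeners, flagging any whose owning process netstat could not show. It assumes Linux net-tools `netstat -tp` output; the sample, its hostnames and its RFC 5737 addresses are constructed and are not the hosts from the post.

```python
"""Summarise Linux `netstat -tp` output from a defender's point of view.
Added example; not code from the original post."""
from collections import defaultdict

# Constructed sample in the layout of net-tools `netstat -tp` on Linux:
# reverse-DNS and /etc/services names resolved, "-" in PID/Program name
# where no process owns the socket.  Hosts and addresses are made up
# (RFC 5737 documentation ranges), not the ones from the post.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN      313/mysqld
tcp        0      0 *:ssh                   *:*                     LISTEN      273/sshd
tcp        0      0 *:12121                 *:*                     LISTEN      318/perl
tcp        0      0 *:6667                  *:*                     LISTEN      -
tcp        0      0 www.example.net:ssh     203.0.113.7:57312       SYN_RECV    -
tcp        0      0 198.51.100.5:ssh        203.0.113.7:56479       TIME_WAIT   -
tcp        0      0 www.example.net:ssh     203.0.113.7:55740       TIME_WAIT   -
tcp        1      1 www.example.net:ssh     203.0.113.7:57247       LAST_ACK    -
tcp        0      0 198.51.100.5:ssh        203.0.113.7:57308       ESTABLISHED 4746/sshd
tcp        0      0 www.example.net:ssh     203.0.113.7:dircproxy   TIME_WAIT   -
tcp        0      0 www.example.net:ssh     192.0.2.9:40122         ESTABLISHED 4802/sshd
tcp        0      0 localhost:mysql         localhost:2930          ESTABLISHED 313/mysqld
tcp        0      0 www.example.net:https   192.0.2.44:1778         ESTABLISHED 26898/java
"""


def parse_netstat(text):
    """Turn the TCP rows of netstat output into dicts; header lines are skipped.
    Addresses are split at the last colon so IPv6 literals also parse."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] not in ("tcp", "tcp6"):
            continue
        proto, recvq, sendq, local, foreign, state, owner = parts[:7]
        lhost, lport = local.rsplit(":", 1)
        fhost, fport = foreign.rsplit(":", 1)
        # "-" means netstat found no owning process (socket in TIME_WAIT etc.,
        # or the process belongs to another user and netstat was not run as root).
        pid, prog = owner.split("/", 1) if "/" in owner else (None, "-")
        rows.append({"proto": proto, "recvq": int(recvq), "sendq": int(sendq),
                     "lhost": lhost, "lport": lport, "fhost": fhost, "fport": fport,
                     "state": state, "pid": pid, "prog": prog})
    return rows


def ssh_sources(rows):
    """Per foreign host: sockets on the local ssh port that are live sessions
    (ESTABLISHED) versus leftovers (SYN_RECV, TIME_WAIT, LAST_ACK, ...).
    Many leftovers from one host with few or no live sessions is the
    footprint of a password-guessing run."""
    stats = defaultdict(lambda: {"live": 0, "leftover": 0})
    for r in rows:
        if r["lport"] not in ("ssh", "22") or r["state"] == "LISTEN":
            continue
        kind = "live" if r["state"] == "ESTABLISHED" else "leftover"
        stats[r["fhost"]][kind] += 1
    return dict(stats)


def suspicious_ssh_sources(rows, threshold=5):
    """Foreign hosts with at least `threshold` leftover ssh sockets."""
    return sorted(h for h, s in ssh_sources(rows).items() if s["leftover"] >= threshold)


def live_ssh_sessions(rows):
    """(foreign host, sshd pid) for every established ssh connection; these are
    the ones to cross-check against auth.log and `last`."""
    return [(r["fhost"], r["pid"]) for r in rows
            if r["lport"] in ("ssh", "22") and r["state"] == "ESTABLISHED"]


def listeners(rows):
    """(local port, program) for every listening socket, sorted."""
    return sorted((r["lport"], r["prog"]) for r in rows if r["state"] == "LISTEN")


def unowned_listeners(rows):
    """Listening ports for which netstat showed no owning process."""
    return [port for port, prog in listeners(rows) if prog == "-"]


def report(text, threshold=5):
    rows = parse_netstat(text)
    lines = ["listeners: " + ", ".join(f"{p}/{prog}" for p, prog in listeners(rows))]
    for port in unowned_listeners(rows):
        lines.append(f"listener on {port} has no owning process shown: rerun as root, then compare with lsof -i")
    for host, s in sorted(ssh_sources(rows).items()):
        lines.append(f"ssh from {host}: {s['live']} live, {s['leftover']} leftover")
    for host in suspicious_ssh_sources(rows, threshold):
        lines.append(f"{host}: >= {threshold} leftover ssh sockets, consistent with brute forcing")
    for host, pid in live_ssh_sessions(rows):
        lines.append(f"established ssh session from {host} (sshd pid {pid}): check who logged in")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

The nmap "filtered" result is a separate question from the listener list: filtered means the probe got no answer at all (typically dropped by a firewall on the path or on the host), not that something is listening, so the authoritative check for those ports is the listener list taken on the host itself as root, where an entry with no owning process shown is the thing to chase.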

This archive was generated by hypermail 2.1.8 : Mon Feb 25 2008 - 14:58:49 EST

