Re: Need urgent help regarding security
From: Mark Jayson Alvarez (jay2xra_at_yahoo.com)
Date: 11/17/05
- Previous message: Aman Yus: "Solution for retrieving data from hard disk."
- Maybe in reply to: Mark Jayson Alvarez: "Need urgent help regarding security"
- Next in thread: Mark Jayson Alvarez: "Re: Need urgent help regarding security"
Date: Wed, 16 Nov 2005 21:26:53 -0800 (PST)
To: Marco Wertejuk <wertejuk@mwcis.com>, freebsd-questions@freebsd.org
Marco Wertejuk <wertejuk@mwcis.com> wrote:
> try sockstat | grep 6667 to see which process is
> connecting to irc and try to see what this process
> is doing with lsof, but depending on what backdoor
> or rootkit is used, it's possible to see nothing
> because intelligent rootkits hide themselves
OK, done this... and I found something.
First the output of netstat:
10.10.8.140.2994 195.204.1.132.6667 SYN_SENT
10.10.8.140.2993 195.204.1.132.6667 SYN_SENT
Then sockstat:
root adjkernt 4926 445 tcp4 10.10.8.140:2994 195.204.1.132:6667
So.. is it the adjkernt that has been replaced? What should I do with it?
P.S. I just plugged this server into our private network in order to access it from my workstation.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
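Added example, not part of the original messages: a stricter form of the "sockstat | grep 6667" triage step that matches only the port of the foreign address, so a PID of 6667 or a port such as 16667 is not reported. The function names and the sample lines are constructed for illustration (the first adjkernt line is the one quoted in the message above), and the column layout is assumed to be the FreeBSD sockstat one.

```shell
#!/bin/sh
# Assumed input columns (FreeBSD sockstat):
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# irc_conns [port ...]
# Reads sockstat output on stdin and prints "user command pid foreign"
# once per process/destination pair whose FOREIGN port is in the list
# (default: 6667). Matching is done on the port field only.
irc_conns() {
    if [ $# -eq 0 ]; then set -- 6667; fi
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "USER" { next }              # skip the header line
        NF < 7       { next }              # skip lines without a foreign address
        {
            foreign = $7
            k = split(foreign, parts, ":") # port is the text after the last colon
            if (!(parts[k] in want)) next
            key = $1 " " $2 " " $3 " " foreign
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample input. The httpd and sshd lines are decoys that a
# plain "grep 6667" would also match.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS      FOREIGN ADDRESS
root     adjkernt   4926  445 tcp4   10.10.8.140:2994   195.204.1.132:6667
root     adjkernt   4926  446 tcp4   10.10.8.140:2993   195.204.1.132:6667
www      httpd      6667  3   tcp4   10.10.8.140:80     192.0.2.10:51234
root     sshd       512   4   tcp4   10.10.8.140:22     192.0.2.20:16667
EOF
}

# On a live host: sockstat -4 -c | irc_conns 6667
```

Each reported PID can then be examined with lsof as suggested in the quoted advice; as that advice also notes, a rootkit that hides its sockets will not appear in this output.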