netstat -tap output:
Code:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:41318 *:* LISTEN 2220/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 2572/mysqld
tcp 0 0 www.xxx.xxx:783 *:* LISTEN 2672/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 2203/portmap
tcp 0 0 *:81 *:* LISTEN 2898/ispconfig_http
tcp 0 0 *:ftp *:* LISTEN 4527/proftpd: (acce
tcp 0 0 static47.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 static49.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 static48.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 www.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 www.xxx.xx:ipp *:* LISTEN 10121/cupsd
tcp 0 0 www.xxx.xx:5335 *:* LISTEN 2412/mDNSResponder
tcp 0 0 *:smtp *:* LISTEN 4706/master
tcp 0 0 www.xxx.xx:rndc *:* LISTEN 26203/named
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
tcp 0 0 *:23314 *:* LISTEN 20893/sshd
tcp 0 0 *:imaps *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3s *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3 *:* LISTEN 2592/dovecot
tcp 0 0 *:imap *:* LISTEN 2592/dovecot
tcp 0 0 *:http *:* LISTEN 13136/httpd
tcp 0 0 localhost:rndc *:* LISTEN 26203/named
tcp 0 0 *:https *:* LISTEN 13136/httpd
tcp 0 888 static48.xxx.xx:23314 static67.xxx.xxx:63425 ESTABLISHED 25776/0
What's this one?
Code:
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
Some other info in the logs that got me worried is that this happens every 30 min (from logcheck):
Code:
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session closed
And lots of these (from logcheck):
Code:
Mar 25 05:57:45 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 209.142.136.142#53
Mar 25 05:57:47 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 207.230.192.252#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'rose.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/AAAA/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sol.put.poznan.pl/A/IN': 150.254.65.7#53
Am I hacked, or what is going on here?
I installed logcheck and chkrootkit, and set them up with cron to run every night.
I also changed the SSH port to a non-standard one.
I haven't installed portsentry yet...
I'm a bit unsure if it's the right thing for me.
With dial-up users and DHCP I can't just put addresses in hosts.deny; wouldn't this cause problems?
Should I install a firewall too, in addition to the one in ISPConfig?
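Triaging a `netstat -tap` listing like the one above is easier when each row is parsed rather than eyeballed. The following script is an added example, not code from the post or the thread: it parses rows in that layout, classifies each LISTEN socket by whether it is bound to all interfaces or to loopback only, and for ESTABLISHED sockets infers direction by checking whether the local port is one the host also listens on. The sample rows are constructed from the post with its anonymised hostnames; the freshclam row comes out as an outbound HTTP connection, which is what the ClamAV signature updater makes.

```python
import re
# Constructed sample in the `netstat -tap` layout of the post (a subset, hostnames anonymised as there).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 2572/mysqld
tcp 0 0 *:23314 *:* LISTEN 20893/sshd
tcp 0 0 localhost:rndc *:* LISTEN 26203/named
tcp 0 0 *:ftp *:* LISTEN 4527/proftpd: (acce
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
tcp 0 888 static48.xxx.xx:23314 static67.xxx.xxx:63425 ESTABLISHED 25776/0
"""
# proto recv-q send-q local remote state pid/program (program may contain spaces, e.g. "proftpd: (acce")
ROW = re.compile(r"^(tcp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S.*)$")
WILDCARD = {"*", "0.0.0.0", "::", ":::"}
LOOPBACK = {"localhost", "127.0.0.1", "::1", "ip6-localhost"}

def parse(text):
    """Return one dict per TCP row; the header and any non-TCP line are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, recvq, sendq, local, remote, state, pidprog = m.groups()
        pid, _, prog = pidprog.partition("/")  # pid is '-' when netstat cannot map the socket to a process
        lhost, _, lport = local.rpartition(":")   # split on the last colon: hostnames have dots,
        rhost, _, rport = remote.rpartition(":")  # IPv6 literals have colons
        rows.append(dict(proto=proto, recvq=int(recvq), sendq=int(sendq), lhost=lhost, lport=lport,
                         rhost=rhost, rport=rport, state=state, pid=pid, prog=prog.strip()))
    return rows

def triage(rows):
    """Map 'local->remote' to a one-line verdict: listen scope, or direction of an established connection."""
    listening = {r["lport"] for r in rows if r["state"] == "LISTEN"}
    verdicts = {}
    for r in rows:
        key = f'{r["lhost"]}:{r["lport"]}->{r["rhost"]}:{r["rport"]}'
        who = f'{r["prog"]} (pid {r["pid"]})'
        if r["state"] == "LISTEN":
            scope = "all interfaces" if r["lhost"] in WILDCARD else "loopback only" if r["lhost"] in LOOPBACK else r["lhost"]
            verdicts[key] = f"listening on {scope}: {who}"
        elif r["state"] == "ESTABLISHED":
            # Local port is one we also LISTEN on -> the peer connected to us; otherwise this host dialled out.
            direction = "inbound" if r["lport"] in listening else "outbound"
            verdicts[key] = f'{direction} connection: {who} <-> {r["rhost"]}:{r["rport"]}'
        else:
            verdicts[key] = f'{r["state"].lower()}: {who}'
    return verdicts
```

Run `triage(parse(SAMPLE))` on the output of your own `netstat -tap` (as root, so the PID/Program column is filled in) and look first at listeners on all interfaces you do not recognise and at outbound connections from processes that have no reason to talk to the network.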