#13, 26th March 2006, 13:08
Hagforce (Senior Member)

netstat -tap output:
Code:
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:41318                     *:*                         LISTEN      2220/rpc.statd
tcp        0      0 *:mysql                     *:*                         LISTEN      2572/mysqld
tcp        0      0 www.xxx.xxx:783              *:*                         LISTEN      2672/spamd.pid
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2203/portmap
tcp        0      0 *:81                        *:*                         LISTEN      2898/ispconfig_http
tcp        0      0 *:ftp                       *:*                         LISTEN      4527/proftpd: (acce
tcp        0      0 static47.xxx.xx:domain *:*                         LISTEN      26203/named
tcp        0      0 static49.xxx.xx:domain *:*                         LISTEN      26203/named
tcp        0      0 static48.xxx.xx:domain *:*                         LISTEN      26203/named
tcp        0      0 www.xxx.xx:domain           *:*                         LISTEN      26203/named
tcp        0      0 www.xxx.xx:ipp              *:*                         LISTEN      10121/cupsd
tcp        0      0 www.xxx.xx:5335             *:*                         LISTEN      2412/mDNSResponder
tcp        0      0 *:smtp                      *:*                         LISTEN      4706/master
tcp        0      0 www.xxx.xx:rndc             *:*                         LISTEN      26203/named
tcp        0      0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
tcp        0      0 *:23314                     *:*                         LISTEN      20893/sshd
tcp        0      0 *:imaps                     *:*                         LISTEN      2592/dovecot
tcp        0      0 *:pop3s                     *:*                         LISTEN      2592/dovecot
tcp        0      0 *:pop3                      *:*                         LISTEN      2592/dovecot
tcp        0      0 *:imap                      *:*                         LISTEN      2592/dovecot
tcp        0      0 *:http                      *:*                         LISTEN      13136/httpd
tcp        0      0 localhost:rndc              *:*                         LISTEN      26203/named
tcp        0      0 *:https                     *:*                         LISTEN      13136/httpd
tcp        0    888 static48.xxx.xx:23314 static67.xxx.xxx:63425 ESTABLISHED 25776/0
What's this one?:
Code:
tcp        0      0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
Some other info in the logs that got me worried is that this happens every 30 min (from logcheck):
Code:
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened. 
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session closed
And lots of these (from logcheck):
Code:
Mar 25 05:57:45 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 209.142.136.142#53
Mar 25 05:57:47 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 207.230.192.252#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'rose.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/AAAA/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sol.put.poznan.pl/A/IN': 150.254.65.7#53

Am I hacked, or what is going on here?

I installed logcheck and chkrootkit, and set them up with cron to run every night.

I also changed the SSH port to a non-standard one.

I haven't installed portsentry yet...
I'm a bit unsure if it's the right thing for me.
With dial-up users and DHCP I can't just put addresses in hosts.deny; wouldn't this cause problems?

Should I install a firewall too, in addition to the one in ISPConfig?

Last edited by Hagforce; 26th March 2006 at 13:15.
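As an added example (not part of the post above), here is a small triage script that parses the `netstat -tap` format quoted in the post and sorts sockets into the buckets a defender checks first: listeners bound to all interfaces, listeners bound to one address, loopback-only listeners, and established connections with the owning process. The sample listing is a constructed, abbreviated copy of the post's anonymised output.

```python
import re

# Constructed sample, abbreviated from the post's own anonymised listing.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:mysql                     *:*                         LISTEN      2572/mysqld
tcp        0      0 www.xxx.xxx:783             *:*                         LISTEN      2672/spamd.pid
tcp        0      0 *:23314                     *:*                         LISTEN      20893/sshd
tcp        0      0 localhost:rndc              *:*                         LISTEN      26203/named
tcp        0      0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
tcp        0    888 static48.xxx.xx:23314 static67.xxx.xxx:63425 ESTABLISHED 25776/0
"""

# One socket line: proto, queues, local, foreign, state, then "PID/program" (may contain spaces).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s+(?P<pid>\S.*)$"
)

def parse_netstat(text):
    """Return one dict per socket line; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        # Split "host:port" on the last colon so IPv6 wildcards like ":::80" still work.
        row["local_host"], row["local_port"] = row["local"].rsplit(":", 1)
        row["foreign_host"], row["foreign_port"] = row["foreign"].rsplit(":", 1)
        pid, _, prog = row["pid"].partition("/")
        row["pid"], row["program"] = pid, prog.strip()
        rows.append(row)
    return rows

def triage(rows):
    """Bucket sockets by exposure; established entries keep the peer and owning program."""
    out = {"exposed": [], "bound": [], "local_only": [], "established": []}
    for r in rows:
        if r["state"] == "ESTABLISHED":
            out["established"].append((r["local_port"], r["foreign"], r["program"]))
        elif r["state"] == "LISTEN":
            if r["local_host"] in ("*", "0.0.0.0", "::"):
                out["exposed"].append((r["local_port"], r["program"]))
            elif r["local_host"] in ("localhost", "127.0.0.1", "::1"):
                out["local_only"].append((r["local_port"], r["program"]))
            else:
                out["bound"].append((r["local_port"], r["program"]))
    return out
```

Any established entry whose program column does not name a known daemon (the post's `25776/0` on the SSH port is one) is the one to look up next with `ps -p <pid>` before drawing conclusions.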