[PLUG] tcpdump data interpretation

Stafford A. Rau srau at rauhaus.org
Mon Mar 10 15:56:02 UTC 2003


* mikeraz at patch.com <mikeraz at patch.com> [030310 12:45]:
>
> Some process on your machine is talking to the irc daemon at 213.92.8.4 aka calvino.freenode.net.  So, yes, you are right about that.  The irc server is on the other machine and whether you know it or not, you had an active irc client going when you did the tcpdump.
> 
> netstat should show the connection.  Did you `netstat -nt` ?

Lots of rootkits & other bits of nasty software will open (without your
knowledge) a connection to an IRC server in order to receive their
instructions, such as which victim to start DoSing, where to email your
credit card/social security/bank account numbers, and so on.

So unless you knowingly had an IRC client running, assume that your
machine has been compromised.

--Stafford
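A quick way to do the `netstat -nt` check suggested above, as an added example that is not part of the original thread: the script below reads `netstat -nt` style output and flags any TCP connection whose foreign port is one of the ports IRC servers conventionally listen on (6660-6669, 6697 for TLS, 7000). The helper names (`flag_irc_connections`, `count_irc_connections`) and the sample netstat output are constructed for this example; 213.92.8.4:6667 is the calvino.freenode.net connection from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): scan `netstat -nt` output for
# connections to the ports IRC servers conventionally use.

# Hypothetical helper: read netstat -nt output on stdin, print the foreign
# address and connection state of every TCP connection to an IRC port.
# The foreign address is column 5 as host:port; splitting on ":" and taking
# the last piece gives the port for both IPv4 and IPv6 entries.
flag_irc_connections() {
    awk '
        $1 == "tcp" || $1 == "tcp6" {
            n = split($5, parts, ":")
            port = parts[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 6697 || port == 7000)
                print $5, $6
        }'
}

# Constructed sample of `netstat -nt` output (not a real capture). Only the
# first and third data lines should be flagged; ssh and https are not IRC.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:34567      213.92.8.4:6667         ESTABLISHED
tcp        0      0 192.168.1.10:45678      192.168.1.1:22          ESTABLISHED
tcp        0      0 192.168.1.10:51234      198.51.100.7:7000       SYN_SENT
tcp        0      0 192.168.1.10:40001      203.0.113.9:443         ESTABLISHED'

# Hypothetical helper: number of flagged connections in the sample.
count_irc_connections() {
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_connections | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a live box run
#   netstat -nt | flag_irc_connections
# (or `netstat -ntp` as root to also get the PID and program name).
printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_connections
```

Note that a connection showing up in a tcpdump taken on the wire but not in `netstat` on the host is itself a strong indicator: rootkits commonly replace `netstat` (and `ps`) with versions that hide their own processes and sockets, so the comparison between what the network sees and what the host reports is worth more than either view alone.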
