[PLUG] Mysterious connections
Alan
alan at clueserver.org
Wed Mar 23 23:40:53 UTC 2005
On Wed, 2005-03-23 at 06:57 -0800, Michael Montagne wrote:
> I was doing a netstat -n on my server at work this morning and noticed
> these two connections. Seem awfully odd to me. Should I be worried?
> How can I investigate further?
>
> tcp 0 0 10.10.10.100:55519 66.197.0.145:6667 ESTABLISHED
> tcp 0 0 10.10.10.100:36921 193.110.95.1:6667 ESTABLISHED
Be afraid. Be very afraid.
If you or one of your users is using IRC, you may have been hacked.
The last few hacked systems I have seen had IRC reflectors installed on
them.
chkrootkit and other rootkit detectors are your friend. Using netcat to
observe the traffic is also helpful.
Here is what the addresses translate to:
[alan at dagon ~]$ host 193.110.95.1
1.95.110.193.in-addr.arpa domain name pointer
carouge.ch.eu.undernet.org.
[alan at dagon ~]$ host 66.197.0.145
145.0.197.66.in-addr.arpa domain name pointer rhodium.4ph.com.
Looks like a reflector to me.
--
"If any sign of pleasure is exhibited,
report to me and it will be prohibited.
So shall it be! This is the Land of the Free!"
- George W. Firefly
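A small check in the spirit of this thread, added here as an example and not part of the original post: it parses `netstat -n` output (the two quoted lines, rebuilt as a constructed sample alongside two benign sessions) and flags established TCP sessions to IRC ports on public addresses, the pattern Alan treats as a reflector. Ports beyond 6667 in the IRC list are an assumption.

```python
import ipaddress
import re

# 6667 is the port seen in the thread; the rest of the 6660-6669 range and
# 6697 (IRC over TLS) are assumed common IRC ports.
IRC_PORTS = set(range(6660, 6670)) | {6697}

# One socket line of `netstat -n`: proto, recv-q, send-q, local, foreign, state.
SOCKET_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)$"
)

def parse_netstat(text):
    """Return one dict per socket line; header lines are skipped."""
    conns = []
    for raw in text.splitlines():
        m = SOCKET_RE.match(raw.strip())
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append({
            "proto": proto,
            "laddr": laddr, "lport": None if lport == "*" else int(lport),
            "raddr": raddr, "rport": None if rport == "*" else int(rport),
            "state": state,
        })
    return conns

def is_irc_reflector_candidate(conn):
    """Established TCP session from this host to an IRC port on a public IP."""
    if conn["proto"] not in ("tcp", "tcp6"):
        return False
    if conn["state"] != "ESTABLISHED" or conn["rport"] not in IRC_PORTS:
        return False
    remote = ipaddress.ip_address(conn["raddr"])
    return remote.is_global  # ignore LAN/private peers

def flag_irc_connections(text):
    """List the (remote address, port) pairs worth a reverse lookup with `host`."""
    return [(c["raddr"], c["rport"]) for c in parse_netstat(text)
            if is_irc_reflector_candidate(c)]

# Constructed sample: the two lines from the thread plus two benign sessions.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.100:55519      66.197.0.145:6667       ESTABLISHED
tcp        0      0 10.10.10.100:36921      193.110.95.1:6667       ESTABLISHED
tcp        0      0 10.10.10.100:22         192.168.1.5:51022       ESTABLISHED
tcp        0      0 10.10.10.100:41110      198.51.100.7:443        ESTABLISHED
"""

if __name__ == "__main__":
    for addr, port in flag_irc_connections(SAMPLE):
        print(f"suspicious: {addr}:{port}  (check with: host {addr})")
```

Feed it real `netstat -n` output on stdin or from a file and follow up each hit with `host` and a rootkit scan as Alan suggests.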