[PLUG] Mysterious connections

Alan alan at clueserver.org
Wed Mar 23 23:40:53 UTC 2005


On Wed, 2005-03-23 at 06:57 -0800, Michael Montagne wrote:
> I was doing a netstat -n on my server at work this morning and noticed
> these two connections.  Seem awfully odd to me.  Should I be worried?
> How can I investigate further?
> 
> tcp        0      0 10.10.10.100:55519      66.197.0.145:6667 ESTABLISHED
> tcp        0      0 10.10.10.100:36921      193.110.95.1:6667 ESTABLISHED 

Be afraid. Be very afraid.

If you or one of your users are using IRC, you may have been hacked.

The last few hacked systems I have seen had IRC reflectors installed on
them.

chkrootkit and other rootkit detectors are your friend.  Using netcat to
observe the traffic is also helpful.

Here is what the addresses translate to:

[alan at dagon ~]$ host 193.110.95.1
1.95.110.193.in-addr.arpa domain name pointer carouge.ch.eu.undernet.org.
[alan at dagon ~]$ host 66.197.0.145
145.0.197.66.in-addr.arpa domain name pointer rhodium.4ph.com.

Looks like a reflector to me.

-- 
"If any sign of pleasure is exhibited,
 report to me and it will be prohibited.
 So shall it be! This is the Land of the Free!"
                  - George W. Firefly
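The check the thread does by hand (spot the port-6667 connections in `netstat -n`, then reverse-resolve the far end) can be scripted. The following is an added example, not part of the original post or the PLUG list: it reads netstat-style output, prints every ESTABLISHED TCP connection whose remote port is in the common IRC range, and offers a separate helper that runs `host` on each result. The port list and the sample netstat output are assumptions constructed for the example; the two suspect lines mirror the ones quoted above, the others are benign filler.

```shell
#!/bin/sh
# Added example (not from the original post): flag established TCP
# connections whose remote port is a common IRC port, as the poster did
# by eye with "netstat -n", then reverse-resolve the remote addresses
# the way the reply does with "host".

# Assumed port list: the classic 6660-6669 range plus 6697 (IRC over TLS).
IRC_PORTS='6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 6697'

# irc_peers: read "netstat -n" output on stdin and print "remote_ip port"
# for every ESTABLISHED TCP connection whose remote port is an IRC port.
irc_peers() {
    awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) irc[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            # $5 is the foreign address, e.g. 66.197.0.145:6667; split on
            # the last colon so an IPv6 address with embedded colons works too
            k = length($5); while (k > 0 && substr($5, k, 1) != ":") k--
            host = substr($5, 1, k - 1); port = substr($5, k + 1)
            if (port in irc) print host, port
        }'
}

# reverse_lookup: PTR lookup for each "ip port" line on stdin. Needs the
# network and the "host" tool, so it is not exercised offline.
reverse_lookup() {
    while read -r ip port; do
        printf '%s:%s -> ' "$ip" "$port"
        host "$ip" 2>/dev/null | awk '
            /domain name pointer/ { print $NF; found = 1 }
            END { if (!found) print "(no PTR record)" }'
    done
}

# Constructed sample netstat output: two lines echo the ones in the
# thread, the others are ordinary SSH and HTTP traffic.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.100:22         10.10.10.7:51200        ESTABLISHED
tcp        0      0 10.10.10.100:55519      66.197.0.145:6667       ESTABLISHED
tcp        0      0 10.10.10.100:36921      193.110.95.1:6667       ESTABLISHED
tcp        0      0 10.10.10.100:43210      10.10.10.50:80          TIME_WAIT'

# Offline demonstration on the sample; on a live box the pipeline is:
#   netstat -tn | irc_peers | reverse_lookup
printf '%s\n' "$SAMPLE" | irc_peers
```

A hit from `irc_peers` is a lead, not a verdict: a legitimate IRC client produces the same line. The useful follow-ups are the ones the reply names, namely finding which local process owns the socket and running a rootkit checker, since a planted IRC bot commonly hides the process that holds the connection.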