Hacked ???
asterisk_at_marnock.net
Date: 07/23/05
- Previous message: Fernando Gont: "ICMP attacks against TCP: Conclusions"
- Next in thread: Fernando Amatte: "Re: Hacked ???"
- Reply: Fernando Amatte: "Re: Hacked ???"
- Reply: Jeremy Heslop: "Re: Hacked ???"
To: security-basics@securityfocus.com
Date: Sat, 23 Jul 2005 04:19:45 +0100
Hi List,
I'm seeing some strange things on my box. Here is a snippet from my squid
log (BTW I don't have an ICQ account):
1122088113.571 308 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088114.402 140 220.160.34.238 TCP_HIT/200 482 GET http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html
1122088116.711 310 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.769 339 212.227.83.197 TCP_MISS/200 183 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.950 367 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088120.466 543 200.50.23.115 TCP_MISS/401 417 GET http://www.bubblebutts.com/members/ - DIRECT/216.15.219.25 text/html
1122088121.618 404 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088122.814 885 70.118.81.253 TCP_MISS/200 6085 GET http://members.yahoo.com/interests? - DIRECT/66.218.75.151 text/html
1122088123.961 620 212.227.83.197 TCP_MISS/200 251 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088125.635 356 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.101 309 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.587 309 212.227.83.197 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.107 376 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.404 446 85.138.104.205 TCP_MISS/999 4647 GET http://216.109.127.60/config/login? - DIRECT/216.109.127.60 text/html
1122088130.415 10 220.160.34.238 TCP_MEM_HIT/200 381 GET http://ad.yieldmanager.com/imp? - NONE/- image/gif
1122088130.882 385 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.464 348 212.227.83.197 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.587 307 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.746 391 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.762 380 72.21.34.42 TCP_MISS/200 182 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
I've disconnected all machines except my main linux box which is used for a
number of things ( asterisk telephony system / squid proxy / cvs ) etc.
I've also noticed port 32768 is open and others are connecting to it from
the web or an app is connecting to them. How can I see which app is
connecting to port 32768 ???
Here's the first line from a netstat -an:
[root@zeus iptraf]# netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
Thanks in advance.
Phil
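
Added example, not part of the original post: a triage script for a native-format squid access.log like the one above, listing which clients outside the local network are using the proxy and for what. The LOCAL_NETS ranges and the last sample entry are assumptions made for the example.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Assumption: networks treated as local to the proxy; replace with your own LAN ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First six entries are copied from the log in the post; the last one
# (192.168.1.10) is constructed to show a local client being filtered out.
SAMPLE_LOG = """\
1122088113.571 308 212.227.83.197 TCP_MISS/200 184 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088114.402 140 220.160.34.238 TCP_HIT/200 482 GET http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html
1122088116.711 310 212.227.65.104 TCP_MISS/200 186 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.769 339 212.227.83.197 TCP_MISS/200 183 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.950 367 72.21.34.42 TCP_MISS/200 185 CONNECT login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.404 446 85.138.104.205 TCP_MISS/999 4647 GET http://216.109.127.60/config/login? - DIRECT/216.109.127.60 text/html
1122088140.000 120 192.168.1.10 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Split one native-format squid access.log entry into named fields."""
    f = line.split()
    if len(f) < 10:
        return None  # wrapped or truncated entry
    try:
        return {"time": float(f[0]), "client": ipaddress.ip_address(f[2]),
                "result": f[3], "method": f[5], "url": f[6]}
    except ValueError:
        return None

def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)

def external_clients(log_text):
    """Map each non-local client to a Counter of (method, target) pairs."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or is_local(entry["client"]):
            continue
        # CONNECT logs host:port directly; for other methods keep only the host.
        url = entry["url"]
        target = url if entry["method"] == "CONNECT" else urlsplit(url).netloc
        report.setdefault(str(entry["client"]), Counter())[(entry["method"], target)] += 1
    return report

if __name__ == "__main__":
    for client, hits in sorted(external_clients(SAMPLE_LOG).items()):
        for (method, target), n in hits.most_common():
            print(f"{client:16} {method:8} {target:28} x{n}")
```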