HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 53 guests and 1 member online
EH-Net News Feeds
Latest Additions
 
Advertisement

You are here: Home arrow Forum arrow Ethical Hacking Discussions and Related Certificationsarrow Incident Responsearrow Extrange process, what to do next
EH-Net
May 25, 2012, 02:54:37 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Advertise on EH-Net!! - Reasonable Rates, Highly Targeted Audience.
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Extrange process, what to do next  (Read 8185 times)
0 Members and 1 Guest are viewing this topic.
celord
Newbie
*
Offline Offline

Posts: 17


View Profile
« on: December 02, 2009, 01:41:31 PM »
Hello guys, I've found that a Fedora Core 5 server Kernel 2.6.15-1.2054_FC5, is doing port scans, and we hace received complains about that, the extrange connection that I've found is this one:

Netstat Oupput:

Code:
tcp        0     65 192.168.200.8:45436         194.109.20.90:6669          ESTABLISHED 1925/bash

Everytime that I kill the procc, it gets connected again in 30 secs, so I've don this:

IPTABLES ACTION:

2. I've done this on the server as a countermeasure
Code:
iptables -A OUTPUT -d 194.109.20.0/24 -j DROP

Thanks a lot for your advices
Logged
Ketchup
Hero Member
*****
Offline Offline

Posts: 1006



View Profile
« Reply #1 on: December 02, 2009, 03:43:12 PM »
This port has some associations with known remote control utilities.   What does netstat -antp tell the process using this port is?   In short, it looks like your box may have gotten owned.   Any chance you can decommission it and reinstall the OS?
Logged
~~~~~~~~~~~~~~
Ketchup
3PIL0GU3
Newbie
*
Offline Offline

Posts: 38


View Profile
« Reply #2 on: December 02, 2009, 05:31:28 PM »
Have you got a hardware based firewall or an IDS ie. Snort installed
Logged
----------------------------
CEH
celord
Newbie
*
Offline Offline

Posts: 17


View Profile
« Reply #3 on: December 03, 2009, 07:11:55 AM »
Nop, nothing new installed
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.61 seconds with 23 queries.
 

gk_static-ad_feb2012.jpg
Global Knowledge: Build Security Skills to Protect & Defend

els_130x200fixed2.gif
eLearnSecurity Student Course Now Live!
5% Off with Code
ELS-EH-5

SANS Deals 4 EH-Netters
$150 OFF Any SANS Course in Any Format!
Coupon Code: EHN_Connect Including SANS Security West 2012 & SANSFIRE 2012
Recent Forum Topics

cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!

Vote For EH-Net

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2012 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.