
Strange process, what to do next

<<

celord

Post Wed Dec 02, 2009 2:41 pm

Strange process, what to do next

Hello guys, I've found that a Fedora Core 5 server, kernel 2.6.15-1.2054_FC5, is doing port scans, and we have received complaints about that. The strange connection that I've found is this one:

Netstat output:

  Code:
tcp        0     65 192.168.200.8:45436         194.109.20.90:6669          ESTABLISHED 1925/bash


Every time that I kill the process, it gets connected again in 30 secs, so I've done this:

IPTABLES ACTION:

2. I've done this on the server as a countermeasure
  Code:
iptables -A OUTPUT -d 194.109.20.0/24 -j DROP


Thanks a lot for your advice
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Dec 02, 2009 4:43 pm

Re: Strange process, what to do next

This port has some associations with known remote control utilities. What does netstat -antp tell you the process using this port is? In short, it looks like your box may have gotten owned. Any chance you can decommission it and reinstall the OS?
~~~~~~~~~~~~~~
Ketchup
<<

3PIL0GU3

Newbie

Posts: 38

Joined: Tue Aug 18, 2009 7:48 am

Post Wed Dec 02, 2009 6:31 pm

Re: Strange process, what to do next

Have you got a hardware-based firewall or an IDS, i.e. Snort, installed?
----------------------------
CEH
<<

celord

Post Thu Dec 03, 2009 8:11 am

Re: Strange process, what to do next

Nope, nothing new installed
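
A triage sketch for the situation in this thread, added as an example and not posted by any participant: it parses `netstat -antp` output and flags established connections that are owned by a shell-named process or that go to a commonly used IRC port, then collects `/proc` facts about a flagged PID before it is killed. The function names, the shell-name list and the port list (6660-6669, 6697) are assumptions; the sample lines are constructed, apart from the one quoted in the first post.

```shell
#!/bin/sh
# Added example. Watch lists below are assumptions, not from the thread.

# Read `netstat -antp` output on stdin; print "PID PROG REMOTE REASONS"
# for each ESTABLISHED TCP connection that matches a watch rule.
flag_conns() {
    awk '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        n = split($5, r, ":"); port = r[n] + 0      # remote port = last ":" field
        split($7, p, "/"); pid = p[1]; prog = p[2]  # "1925/bash" -> pid, name
        why = ""
        # A shell does not normally own a TCP socket.
        if (prog ~ /^(bash|sh|dash|ksh|zsh)$/) why = "shell-owns-socket"
        # Ports commonly used by IRC servers.
        if ((port >= 6660 && port <= 6669) || port == 6697)
            why = (why == "" ? "" : why ",") "irc-port"
        if (why != "") print pid, prog, $5, why
    }'
}

# Record volatile facts about a flagged PID before killing it (run as root).
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid not running" >&2; return 1; }
    echo "exe:     $(readlink "/proc/$pid/exe")"   # real binary; "(deleted)" is a red flag
    echo "cwd:     $(readlink "/proc/$pid/cwd")"   # where it was started from
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "ppid:    $(awk '/^PPid:/ {print $2}' "/proc/$pid/status")"  # what respawns it
}

# Constructed sample; the first line is the one quoted in the first post.
sample_netstat() {
    cat <<'EOF'
tcp        0     65 192.168.200.8:45436         194.109.20.90:6669          ESTABLISHED 1925/bash
tcp        0      0 192.168.200.8:22            192.168.200.50:51022        ESTABLISHED 2210/sshd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1402/sshd
EOF
}

sample_netstat | flag_conns
# On a live host: netstat -antp | flag_conns, then triage_pid <PID> for each hit.
```

Because the process in the thread reconnects about 30 seconds after being killed, the `ppid` line and the `exe` path are the first things to record: they point at what relaunches it and at which file is really running under the name `bash`.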
