
questionable tcp ports



Hi Folks,


I'm almost sure that my server has been compromised by some heinous
cracker and am taking steps to remedy this. I've grepped tcp from lsof
and came up with this and would like to know if there is something there
that shouldn't be.

dnsserver  478    squid    0u  IPv4        508               TCP localhost.localdomain:1024->localhost.localdomain:listen (ESTABLISHED)
dnsserver  478    squid    1u  IPv4        508               TCP localhost.localdomain:1024->localhost.localdomain:listen (ESTABLISHED)
dnsserver  479    squid    0u  IPv4        511               TCP localhost.localdomain:nterm->localhost.localdomain:1027 (ESTABLISHED)
dnsserver  479    squid    1u  IPv4        511               TCP localhost.localdomain:nterm->localhost.localdomain:1027 (ESTABLISHED)
dnsserver  480    squid    0u  IPv4        514               TCP localhost.localdomain:1028->localhost.localdomain:1029 (ESTABLISHED)
dnsserver  480    squid    1u  IPv4        514               TCP localhost.localdomain:1028->localhost.localdomain:1029 (ESTABLISHED)
dnsserver  481    squid    0u  IPv4        517               TCP localhost.localdomain:1030->localhost.localdomain:1031 (ESTABLISHED)
dnsserver  481    squid    1u  IPv4        517               TCP localhost.localdomain:1030->localhost.localdomain:1031 (ESTABLISHED)
dnsserver  483    squid    0u  IPv4        521               TCP localhost.localdomain:1032->localhost.localdomain:1033 (ESTABLISHED)
dnsserver  483    squid    1u  IPv4        521               TCP localhost.localdomain:1032->localhost.localdomain:1033 (ESTABLISHED)
httpd      420     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      423     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      424     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      425     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      426     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      428     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      429     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      430     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      431     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      435     root   16u  IPv4        457               TCP *:http (LISTEN)
httpd      436     root   16u  IPv4        457               TCP *:http (LISTEN)
inetd      337     root    5u  IPv4        304               TCP *:poppassd (LISTEN)
inetd      337     root    6u  IPv4        305               TCP *:pop-3 (LISTEN)
inetd      337     root    7u  IPv4        306               TCP *:auth (LISTEN)
master     402     root   11u  IPv4        382               TCP *:smtp (LISTEN)
named      353     root   21u  IPv4        323               TCP localhost.localdomain:domain (LISTEN)
named      353     root   23u  IPv4        325               TCP bonifacio.centinet.com:domain (LISTEN)
smtpd     1327     root    4u  IPv4        382               TCP *:smtp (LISTEN)
smtpd     1327     root    7u  IPv4       3260               TCP bonifacio.centinet.com:smtp->203.176.36.70:2144 (ESTABLISHED)
squid      465     root    2u  IPv4        507               TCP localhost.localdomain:listen->localhost.localdomain:1024 (ESTABLISHED)
squid      465     root   33u  IPv4        619               TCP *:8888 (LISTEN)
squid      465     root    3u  IPv4        510               TCP localhost.localdomain:1027->localhost.localdomain:nterm (ESTABLISHED)
squid      465     root    4u  IPv4        513               TCP localhost.localdomain:1029->localhost.localdomain:1028 (ESTABLISHED)
squid      465     root    5u  IPv4        516               TCP localhost.localdomain:1031->localhost.localdomain:1030 (ESTABLISHED)
squid      465     root    6u  IPv4        520               TCP localhost.localdomain:1033->localhost.localdomain:1032 (ESTABLISHED)


Thanks in advance again.



Mabuhay!


Erik
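
One way to condense lsof TCP output like the listing above before reading it (added here, not part of the original post): it folds processes that share a listening socket into one entry, collapses the two ends of each loopback connection, and lists connections with a non-loopback peer. The `triage` and `host` names, the loopback name set and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# One lsof TCP record. \s+ also matches newlines, so records that mail
# wrapping split across two lines still parse; SIZE/OFF is optional.
RECORD = re.compile(
    r"(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\d+\w*\s+IPv[46]\s+\S+\s+"
    r"(?:\S+\s+)?TCP\s+(?P<name>\S+)\s+\((?P<state>[A-Z_0-9]+)\)"
)
# Assumption: names lsof prints for loopback when it resolves addresses.
LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "[::1]"}

# Constructed sample in the layout of the post's output, wrapping included.
SAMPLE = """\
dnsserver  478    squid    0u  IPv4        508               TCP
localhost.localdomain:1024->localhost.localdomain:listen (ESTABLISHED)
squid      465     root    2u  IPv4        507               TCP
localhost.localdomain:listen->localhost.localdomain:1024 (ESTABLISHED)
httpd      420     root   16u  IPv4        457               TCP *:http
(LISTEN)
httpd      423     root   16u  IPv4        457               TCP *:http
(LISTEN)
inetd      337     root    6u  IPv4        305               TCP *:pop-3
(LISTEN)
smtpd     1327     root    7u  IPv4       3260               TCP
mail.example.test:smtp->192.0.2.10:2144 (ESTABLISHED)
"""

def host(endpoint):
    """Strip the trailing :port (numeric or service name) from an endpoint."""
    return endpoint.rsplit(":", 1)[0]

def triage(text):
    """Return (listeners, loopback_pairs, remote_connections)."""
    listeners = defaultdict(set)   # (command, user, socket) -> PIDs sharing it
    loopback_pairs, remote = set(), set()
    for m in RECORD.finditer(text):
        if "->" not in m["name"]:
            if m["state"] == "LISTEN":
                listeners[(m["cmd"], m["user"], m["name"])].add(int(m["pid"]))
            continue
        local, peer = m["name"].split("->", 1)
        if host(local) in LOOPBACK and host(peer) in LOOPBACK:
            # Both ends show up in lsof; a frozenset folds them into one entry.
            loopback_pairs.add(frozenset((local, peer)))
        else:
            remote.add((m["cmd"], m["user"], local, peer, m["state"]))
    return dict(listeners), loopback_pairs, remote
```

Calling `triage()` on the full text of an `lsof` listing returns the three collections; each listener key can then be checked against the services the host is expected to run.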


