
Re: finding a process that binds a specific port



If you think you have been hacked, you can use ps, lsof and other commands from another server that has not been hacked, for example scp goodserver:/bin/ps /tmp/ps and use /tmp/ps. This isn't secure, because maybe the attacker installed a rootkit.


2014/1/22 Matias Mucciolo <mmucciolo@suteba.org.ar>

Can you paste a ps auxf output?
Maybe someone will see some strange process.

--

Matias

On Wednesday, January 22, 2014 10:57:14 AM Nico Angenon wrote:
> Hello,
>
> I’ve put a firewall rule on this before the box, so there is no connection left on this port... but there was a lot of traffic on this port before the rule...
>
> Nico
>
> From: Lesley Binks
> Sent: Wednesday, January 22, 2014 2:46 PM
> To: Nico Angenon
> Cc: debian-security@lists.debian.org
> Subject: Re: finding a process that binds a specific port
>
> Sorry for top posting. I'm on my phone.
>
> You can always check for data on the interface using tcpdump.
> Worth using it to verify what's happening.
>
> Lesley
>
> On 22 Jan 2014 13:33, "Nico Angenon" <nico@creaweb.fr> wrote:
>
>   no output....
>
>   Thanks for all...
>
>   Nico
>
>   -----Original Message----- From: johan A. van Zanten
>   Sent: Wednesday, January 22, 2014 1:56 PM
>   To: nico@creaweb.fr
>   Cc: debian-security@lists.debian.org
>   Subject: Re: finding a process that binds a specific port
>
>
>   "Nico Angenon" <nico@creaweb.fr> wrote:
>
>     Nope... never used this service...
>     Still looking for an explanation, trying chkrootkit and rkhunter right
>     now....
>
>
>   Try fuser:
>
>   fuser -n udp 10001
>
>   -johan
>
>
>   --
>   To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>   with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>   Archive: http://lists.debian.org/20140122.125650.367853660900983582.johan@brandwatch.com
>


--
this is my life and I live it as long as God wills
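
The `fuser -n udp 10001` lookup suggested in the thread can be cross-checked by reading `/proc` directly, without the `ps`, `lsof` or `fuser` binaries of the suspect host. This is an added example, not part of any message in the thread; the function names and the optional alternate proc root argument are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example: map a UDP port to its socket inode(s) and owning PID(s)
# straight from /proc. Run as root, otherwise other users' fd directories
# are unreadable. A kernel-level rootkit can still falsify /proc.

# udp_sockets FILE PORT: print "inode uid" for sockets bound to PORT.
# FILE is /proc/net/udp or /proc/net/udp6; the port is hex after the last ':'.
udp_sockets() {
    hex=$(printf '%04X' "$2")
    awk -v want="$hex" 'NR > 1 {
        n = split($2, a, ":")
        if (toupper(a[n]) == want) print $10, $8
    }' "$1"
}

# pids_for_inode INODE [PROCROOT]: print PIDs with socket:[INODE] open.
pids_for_inode() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$root"/}
        echo "${pid%%/*}"
    done | sort -un
}

# report PORT [PROCROOT]: one line per bound socket. pids=NONE means no
# process visible in PROCROOT holds it: a kernel-owned socket, a process in
# another PID namespace, or a process hidden from /proc.
report() {
    root=${2:-/proc}
    for f in "$root/net/udp" "$root/net/udp6"; do
        [ -r "$f" ] || continue
        udp_sockets "$f" "$1" | while read -r inode uid; do
            pids=$(pids_for_inode "$inode" "$root" | tr '\n' ' ')
            pids=${pids% }
            echo "inode=$inode uid=$uid pids=${pids:-NONE}"
        done
    done
}

# Example: sh thisfile 10001   (10001 is the port discussed in the thread)
if [ $# -gt 0 ]; then report "$@"; fi
```

A line with `pids=NONE` for a port that still shows a bound socket is the case worth following up with `tcpdump`, as suggested earlier in the thread.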