
Re: strange outbound connection



On Tue, Jan 17, 2006 at 03:28:55PM -0700, Justin Guerin wrote:
> Date: Tue, 17 Jan 2006 15:28:55 -0700
> From: Justin Guerin <jguerin@cso.atmel.com>
> To: debian-user@lists.debian.org
> Subject: Re: strange outbound connection
> 
> > > What about `lsof -i`?
> >
> > nothing:
> > llserv:~# lsof -i @217.91.13.234
> > llserv:~# lsof -i @213.20.165.177
> >
> > (I now have two of them, according to firestarter listening on different
> > ports: 1054 and 33414)
> >
> 
> If you're worried that you've got a service running that you don't want, 
> try, as root, 'lsof | grep LISTEN'.  This will show you all programs that 
> are actively listening for connections, even if they're bound to the local 
> host.
> 
> If that doesn't solve the mystery, how about the output of, as root, 'lsof | 
> egrep "TCP|UDP"'?  That will show you some established network connections 
> (mounts are missing for me), and the program responsible.  I don't know if 
> anything will show up here that doesn't show up in 'netstat --ip', though.

  Well, if Johannes really has a rootkit installed, it may be hiding
from netstat, ps, etc. So I'd suggest that he boot from a livecd and run
chkrootkit.

-- 
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
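
The cross-check discussed in this thread (a connection is visible, but `lsof -i` names no process for it) can be done directly against the kernel's socket table. The following is an added example, not part of the original message: it decodes `/proc/net/tcp` and lists sockets whose inode no process holds open. The sample table is constructed, the function names are hypothetical, and the address decoding assumes a little-endian host such as x86.

```python
import glob, os, re, socket, struct

# Constructed sample in /proc/net/tcp format (not output from the original thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5120 1 c0000000 300 0 0 2 -1
   1: 0A00000A:041E EA0D5BD9:0050 01 00000000:00000000 00:00000000 00000000     0        0 7341 1 c0000000 300 0 0 2 -1
   2: 0A00000A:8286 B1A514D5:0050 06 00000000:00000000 00:00000000 00000000     0        0 0 1 c0000000 300 0 0 2 -1
"""
STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

def decode(field):
    """'EA0D5BD9:0050' -> ('217.91.13.234', 80); the address is a host-order u32 in hex."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    socks = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        socks.append({"local": decode(f[1]), "remote": decode(f[2]),
                      "state": STATES.get(f[3], f[3]), "inode": int(f[9])})
    return socks

def socket_owners(proc="/proc"):
    """Map socket inode -> set of PIDs by reading /proc/<pid>/fd (needs root to see all)."""
    owners = {}
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
        except OSError:                          # process exited or permission denied
            continue
        if m:
            owners.setdefault(int(m.group(1)), set()).add(int(fd.split(os.sep)[-3]))
    return owners

def unowned(socks, owners):
    """Sockets the kernel lists but no process holds; inode 0 (e.g. TIME_WAIT) is skipped."""
    return [s for s in socks if s["inode"] and s["inode"] not in owners]

if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for s in unowned(parse_proc_net_tcp(text), socket_owners()):
        print("no owning process:", s)
```

A hit is a lead, not proof: kernel-owned sockets such as NFS client connections also have no owning process. A kernel-level rootkit can filter `/proc` as well, which is why the offline check from a live CD remains the stronger test.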


