netstat
I use netstat to check what's going on with the ports on my hosted
server each night, and I have got this entry (see below, last on the list).
This has occurred 3 days in a row now. This is not a user, and I have
jakarta-tomcat running a java appserver on that HTTPS port. I can't see
any trace of activity relating to this in the java logs.
Could it be malicious? Could it be a connection that has cracked the
port and is using it for root access? I ran chkrootkit but found nothing.
Thanks
Adam
-------- Original Message --------
To: adam
Subject: netstat
Message-Id: <2006
Date: Fri, 17 Feb 2006 05:00:07 +0000 (GMT)
From: root@hardya
Envelope-To: adam
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address          State       PID/Program name
tcp        0      0 *:mysql                  *:*                      LISTEN      296/mysqld
tcp        0      0 *:ssh                    *:*                      LISTEN      252/sshd
tcp        0      0 *:12121                  *:*                      LISTEN      298/perl
tcp        0      0 *:smtp                   *:*                      LISTEN      243/master
tcp        0      0 localhost:8005           *:*                      LISTEN      421/java
tcp        0      0 *:www                    *:*                      LISTEN      421/java
tcp        0      0 *:https                  *:*                      LISTEN      421/java
tcp        1      0 localhost:4989           localhost:mysql          CLOSE_WAIT  421/java
tcp        0      0 hardyaa1.miniserv:https  bosch.netcraft.com:4800  ESTABLISHED 421/java
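
An added example, not part of the original message: a Python sketch for triaging a nightly netstat listing in this layout. It labels each non-listening socket as inbound (its local port is one the host is listening on, so a client connected to that service) or outbound (the local process opened it), and says whether the peer is loopback or remote. The function names and the sample host names are assumptions made for the example.

```python
import re

# Constructed sample (not the poster's data) in the same netstat layout;
# the last two rows are wrapped across two lines, the first two are not.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 296/mysqld
tcp 0 0 *:https *:* LISTEN 421/java
tcp 1 0 localhost:4989 localhost:mysql
CLOSE_WAIT 421/java
tcp 0 0 web1.example:https peer.example.net:4800
ESTABLISHED 421/java
"""

# proto, queues, local host:port, foreign host:port, state, PID/program
ROW = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)\s+([A-Z_0-9]+)\s+(\S+)$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse(text):
    """Yield one dict per TCP socket, rejoining rows wrapped onto two lines."""
    pending = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("tcp"):
            pending = line                 # start of a new row
        elif pending:
            pending += " " + line          # continuation of a wrapped row
        m = ROW.match(pending)
        if m:
            pending = ""
            keys = ("lhost", "lport", "fhost", "fport", "state", "prog")
            yield dict(zip(keys, m.groups()))

def triage(text):
    """Return (direction, scope, program, local port, peer) per connection."""
    rows = list(parse(text))
    # Ports are compared as printed (names or numbers), so both sets of rows
    # must come from the same netstat run.
    listening = {r["lport"] for r in rows if r["state"] == "LISTEN"}
    report = []
    for r in rows:
        if r["state"] == "LISTEN":
            continue
        direction = "inbound" if r["lport"] in listening else "outbound"
        scope = "local" if r["fhost"] in LOOPBACK else "remote"
        report.append((direction, scope, r["prog"], r["lport"], r["fhost"]))
    return report
```

Rows reported as outbound and remote are the ones where a local process initiated contact with another host; inbound rows are clients using a service the host already exposes.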