netstat output evidence of a cracker?

To: List Debian User <debian-user@lists.debian.org>
Subject: netstat output evidence of a cracker?
From: Adam Hardy <adam.ant@cyberspaceroad.com>
Date: Sat, 10 Nov 2007 12:46:05 +0000
Message-id: <[🔎] 4735A80D.3080108@cyberspaceroad.com>

One routine check that I do on my webserver to check it's OK is netstat,and this time it looks like I was under attack from some muppet outthere via what seems to be a brute force attempt to crack my ssh login.

Trying to understand the info, what is the foreign address - is that theattacker's domain name: 59-124-248-196.HI ? If so, how come it's thisweird format? And what's 59-124-248-19:dircproxy? And how come so manylisted connections have no PID? Are they just abandoned login attempts?

I ran nmap from my home pc to see whether there were any unrecognisedports open that might have been opened up if the cracker had got it, andi see a couple of ports that show as filtered:


1720/tcp  filtered H.323/Q.931
6666/tcp  filtered irc-serv
6667/tcp  filtered irc
6668/tcp  filtered irc
6669/tcp  filtered unknown

I can't see anything running on the server now that might be using thoseports, but then if it's rootkitted, I wouldn't would I? Is there awebsite out there that I can use from outside my firewall which I canget a good look at those ports with? Or some other approach?


Thanks for any help.
Adam

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program nametcp 0 0 *:mysql *:* LISTEN 313/mysqldtcp 0 0 *:ssh *:* LISTEN 273/sshdtcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57312 SYN_RECV -tcp 0 0 *:12121 *:* LISTEN 318/perltcp 0 0 *:smtp *:* LISTEN 264/mastertcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56479 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56719 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:55740 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56047 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57150 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:55870 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56621 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56574 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56814 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56302 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57151 TIME_WAIT -tcp 1 1 hardyaa1.miniserver:ssh 59-124-248-196.HI:57247 LAST_ACK -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:55983 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57308 ESTABLISHED 4746/sshdtcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56815 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:55791 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:55944 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-19:dircproxy TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57097 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56905 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56425 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56473 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56633 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56762 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57049 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56715 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56968 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57256 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56388 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57204 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56775 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57206 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56678 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57045 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56277 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56389 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57461 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57013 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56864 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57456 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57312 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56866 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57410 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56530 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57554 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57602 TIME_WAIT -tcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:57601 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:57410 TIME_WAIT -tcp 0 0 hardyaa1.miniserver:ssh 59-124-248-196.HI:56962 TIME_WAIT -tcp 0 0 localhost:mysql localhost:2930 ESTABLISHED 313/mysqldtcp 0 0 69.10.152.114:ssh 59-124-248-196.HI:56912 TIME_WAIT -tcp 0 0 localhost:8005 *:* LISTEN 26898/javatcp 0 0 *:www *:* LISTEN 26898/javatcp 0 0 *:https *:* LISTEN 26898/javatcp 1 0 localhost:2931 localhost:mysql CLOSE_WAIT 26898/javatcp 0 0 localhost:2930 localhost:mysql ESTABLISHED 26898/javatcp 0 0 hardyaa1.miniserv:https bosch.netcraft.com:1778 ESTABLISHED 26898/java

Reply to:

Follow-Ups:
- Re: netstat output evidence of a cracker?
  - From: Mike Bird <mgb-debian@yosemite.net>
- Re: netstat output evidence of a cracker?
  - From: Gabriel Parrondo <g.parrondo@gmail.com>
- Re: netstat output evidence of a cracker?
  - From: Christian Jaeger <christian@jaeger.mine.nu>

Prev by Date: Re: what's your favourite FLOSS?
Next by Date: Re: bittorrent error: connection break down from the corrispondent
Previous by thread: Re: X Hangs a lot on Laptop
Next by thread: Re: netstat output evidence of a cracker?
Index(es):
- Date
- Thread