| Thread ID: 96809 | 2009-01-24 04:45:00 | Linux Spyware??? | somebody (208) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 741554 | 2009-01-24 04:45:00 | I've just noticed some interesting connections originating from one of my Debian servers, by running "netstat":

tcp        0      0 10.0.0.xxx:3168      cargolinerplus.co:37528   TIME_WAIT
tcp        0      0 10.0.0.xxx:1668      cargolinerplus.co:38400   TIME_WAIT
tcp        0      0 10.0.0.xxx:1561      cargolinerplus.co:37953   TIME_WAIT
tcp        0      0 10.0.0.xxx:4527      cargolinerplus.co:54918   TIME_WAIT
tcp        0      0 10.0.0.xxx:3389      cargolinerplus.co:37665   TIME_WAIT
tcp        0      0 10.0.0.xxx:4001      cargolinerplus.co:52994   TIME_WAIT
tcp        0      0 10.0.0.xxx:4055      cargolinerplus.com:ftp    TIME_WAIT
tcp        0      0 10.0.0.xxx:4056      cargolinerplus.com:ftp    TIME_WAIT

This machine runs headless, and is not configured as a proxy or anything like that. I have certainly not done anything myself which has anything to do with this cargolinerplus website. This seems quite unusual, as that machine is one I have built recently, and is used on the internal network only. It is of concern as it holds some confidential information which I don't want leaking onto the internet. Does anyone have any thoughts as to what might be causing this, and what I can do about it? | somebody (208) |
| 741555 | 2009-01-24 05:35:00 | So what do you have installed that could be accessing the net - like Skype, filesharing sw etc. | pctek (84) | ||
| 741556 | 2009-01-24 06:07:00 | > So what do you have installed that could be accessing the net - like Skype, filesharing sw etc.

I've installed a basic LAMPP stack, and various compilation tools (GCC etc.) - and that's pretty much it. As it's running headless, and without a GUI, I don't have a web browser, Skype, torrent, or anything along those lines. | somebody (208) |
| 741557 | 2009-01-24 08:33:00 | What program does netstat say is using those connections? You should be able to tell from that. It's unlikely to be anything malicious unless your server has been cracked - and if that's the case you have far more to worry about than just a few strange connections... | Erayd (23) |
| 741558 | 2009-01-24 08:43:00 | > What program does netstat say is using those connections? You should be able to tell from that. It's unlikely to be anything malicious unless your server has been cracked - and if that's the case you have far more to worry about than just a few strange connections...

Looks like it's ncftp.

tcp        0  81840 [myserver]:2149      cargolinerplus.co:52025   ESTABLISHED 17527/ncftp
tcp        0      0 [myserver]:proofd    cargolinerplus.com:ftp    ESTABLISHED 17527/ncftp
tcp        0      0 [myserver]:1092      cargolinerplus.com:ftp    TIME_WAIT   -
tcp        0      0 [myserver]:rootd     cargolinerplus.com:ftp    ESTABLISHED 17539/ncftp
tcp        0      0 [myserver]:1091      cargolinerplus.com:ftp    TIME_WAIT   -
tcp        0      0 [myserver]:3723      cargolinerplus.co:57580   TIME_WAIT   -
tcp        0      0 [myserver]:4469      cargolinerplus.co:44814   TIME_WAIT   -
tcp        0      0 [myserver]:1992      cargolinerplus.co:35624   TIME_WAIT   -
tcp        0  65912 [myserver]:1896      cargolinerplus.co:49087   ESTABLISHED 17539/ncftp
tcp        0      0 [myserver]:1027      cargolinerplus.co:44495   TIME_WAIT   - | somebody (208) |
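Once `netstat -tnp` names a PID, the next step a responder takes is to pull the facts about that process from /proc before it exits: the executable path (a "(deleted)" suffix means the binary was removed after launch), working directory, full command line, owning UID and parent process. The script below is an added example, not code from this thread or from ncftp; it parses a constructed sample modelled on the poster's output (assumed numeric addresses, the sample PIDs 17527 and 17539 and the IP 69.64.155.120 from later in the thread) and, with `--live`, runs the same triage against the real `netstat -tnp` on a Linux host with /proc. Reading another user's /proc/PID/exe link requires root.

```shell
#!/bin/sh
# Added example: map netstat -tnp connections to owning processes and
# inspect each one via /proc. Assumes Linux; run as root for full detail.

# Constructed sample, shaped like "netstat -tnp" output from the thread
# (numeric addresses assumed; TIME_WAIT sockets have no owner and show "-").
SAMPLE_NETSTAT='tcp        0  81840 10.0.0.5:2149   69.64.155.120:52025  ESTABLISHED 17527/ncftp
tcp        0      0 10.0.0.5:1093   69.64.155.120:21     ESTABLISHED 17527/ncftp
tcp        0      0 10.0.0.5:1092   69.64.155.120:21     TIME_WAIT   -
tcp        0      0 10.0.0.5:1095   69.64.155.120:21     ESTABLISHED 17539/ncftp
tcp        0  65912 10.0.0.5:1896   69.64.155.120:49087  ESTABLISHED 17539/ncftp'

# Read netstat -tnp lines on stdin; print "PID PROGRAM REMOTE" for every
# socket that netstat could attribute to a process (field 7 is PID/Program).
owned_connections() {
    awk '$7 != "-" && $7 ~ /^[0-9]+\// {
        split($7, pp, "/"); print pp[1], pp[2], $5
    }'
}

# Distinct owning PIDs, numerically sorted, one per line.
distinct_pids() {
    owned_connections | awk '{print $1}' | sort -un
}

# Collect what an incident responder wants to know about one PID.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid: no such process"; return 1; }
    printf 'pid %s\n' "$pid"
    printf '  exe:    %s\n' "$(readlink "/proc/$pid/exe")"      # "(deleted)" = binary removed after start
    printf '  cwd:    %s\n' "$(readlink "/proc/$pid/cwd")"
    printf '  cmd:    %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    printf '  uid:    %s\n' "$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")"
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    printf '  parent: %s (%s)\n' "$ppid" "$(tr '\0' ' ' < "/proc/$ppid/cmdline")"
}

if [ "${1:-}" = "--live" ]; then
    # Real host: every process netstat attributes a TCP socket to.
    netstat -tnp 2>/dev/null | distinct_pids | while read -r pid; do
        inspect_pid "$pid"
    done
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_NETSTAT" | owned_connections
    printf '%s\n' "$SAMPLE_NETSTAT" | distinct_pids
fi
```

On the sample this lists the four owned sockets and the two PIDs 17527 and 17539; on a live box the parent-process and executable-path lines are what distinguish a cron job or a script somebody left behind from a binary dropped by an intruder.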
| 741559 | 2009-01-24 08:47:00 | This is very worrying - after doing a reverse IP lookup on 69.64.155.120, it looks like this is definitely something dodgy. Apparently there are over 123000 domains hosted at that IP (www.domaintools.com), so it could be one of those domain squatting services. | somebody (208) |
| 741560 | 2009-01-24 19:30:00 | Just an update - Erayd kindly offered to take a look at the machine in question for me, and couldn't find any obvious cause of the problem. As a precaution I will be migrating my data off that machine and starting from scratch. | somebody (208) | ||