Date:      Wed, 16 Nov 2005 21:26:53 -0800 (PST)
From:      Mark Jayson Alvarez <jay2xra@yahoo.com>
To:        Marco Wertejuk <wertejuk@mwcis.com>, freebsd-questions@freebsd.org
Subject:   Re: Need urgent help regarding security
Message-ID:  <20051117052653.32551.qmail@web51606.mail.yahoo.com>
In-Reply-To: <20051117020308.GA18424@maeko.hayai.de>



Marco Wertejuk <wertejuk@mwcis.com> wrote:
> try sockstat | grep 6667 to see which process is
> connecting to irc and try to see what this process
> is doing with lsof, but depending on what backdoor
> or rootkit is used, it's possible to see nothing
> because intelligent rootkits hide themselves
OK, done this... and I found something.
 First the output of netstat:
 
 10.10.8.140.2994       195.204.1.132.6667     SYN_SENT
 10.10.8.140.2993       195.204.1.132.6667     SYN_SENT
 
 Then sockstat:
 root     adjkernt  4926  445 tcp4   10.10.8.140:2994      195.204.1.132:6667
 
 
 
 So... is it the adjkernt that has been replaced? What should I do with it?
 
 P.S. I just plugged this server into our private network in order to access it from my workstation.


		
---------------------------------
 Yahoo! FareChase - Search multiple travel sites in one click.  



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051117052653.32551.qmail>
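The check Marco suggests above (sockstat piped through grep for port 6667) is easy to turn into a small triage script that reports user, process and PID for every socket whose foreign end is an IRC port, with an allow-list so a known IRC client is not flagged. The script below is an added example written for this thread, not code from either poster; the sockstat sample is constructed (the adjkernt line mirrors the one reported above), the extra port 6697 and the client name `irssi` are assumptions, and the column layout follows FreeBSD's `sockstat -4 -c` output.

```shell
#!/bin/sh
# Added example (not from the thread): flag sockets whose foreign endpoint
# is an IRC port, then drop processes on an allow-list of expected clients.

# Constructed sockstat -4 -c output. The adjkernt line mirrors the one
# reported in the thread; the other lines are made up for the example.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   3  tcp4   *:22                  *:*
root     adjkernt   4926  445 tcp4  10.10.8.140:2994      195.204.1.132:6667
www      httpd      801   4  tcp4   10.10.8.140:80        10.10.8.12:51234
jay      irssi      2210  7  tcp4   10.10.8.140:3001      192.0.2.7:6667'

# Foreign-side ports treated as IRC: 6667 from the thread, 6697 (IRC over TLS) is an assumption.
IRC_PORTS='6667 6697'

# Read sockstat output on stdin and print "user command pid foreign" for
# every socket whose foreign address ends in one of IRC_PORTS.
flag_irc_conns() {
    awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR == 1 { next }                        # skip the header line
        {
            foreign = $NF                        # last column is FOREIGN ADDRESS
            port = foreign; sub(/.*:/, "", port) # keep the text after the last colon
            if (port in want) print $1, $2, $3, foreign
        }'
}

# Same report, minus any process whose name is in the space-separated
# allow-list given as $1 (expected IRC clients on this host).
flag_unexpected_irc_conns() {
    allow="$1"
    flag_irc_conns | awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok)'
}

# Stand-alone run over the constructed sample; on a live box replace the
# printf with: sockstat -4 -c | flag_unexpected_irc_conns "irssi"
printf '%s\n' "$SAMPLE_SOCKSTAT" | flag_unexpected_irc_conns "irssi"
```

Each line the script prints names a PID worth inspecting next with `lsof -p PID` or `procstat -f PID`, as the thread suggests; as Marco also notes, a kernel-level rootkit can hide a socket from these tools entirely, so an empty report from the host itself is weaker evidence than the same check made from a network tap or firewall log.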