From: Chris Petrovitch <chris@sackofcheese.com>
To: freebsd-questions@freebsd.org
Date: Fri, 23 Sep 2005 11:58:20 -0500
Subject: Re: tcp connections not showing up anymore on netstat?
Message-ID: <20050923165820.GA665@mail.sackofcheese.com>
In-Reply-To: <000001c5c052$69d6c020$640010ac@neo>

+++ Alex [23/09/05 17:21 +0200]:
> Hello list,
>
> I've got a rather strange problem. Yesterday, when I rebooted my box I
> was still able to ping the box, but no services started (apache, ssh
> etc), nor did they show up on netstat. So I rebooted it again, now I
> could connect to the box on port 80 (httpd) and port 22 (ssh) but
> netstat still won't show tcp.
>
> I'm beginning to think I got hacked because NOTHING was changed in the
> configuration. And if I have, is there any way I can see which bins
> were rootkited?
>
> Anyways, here is the relevant info, I'd appreciate some help:
>
> -bash-2.05b# dmesg -a
> Copyright (c) 1992-2005 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
>         The Regents of the University of California. All rights reserved.
> FreeBSD 5.4-STABLE #1: Fri Sep 2 19:31:58 CEST 2005
>     root@dracula.darksniper.net:/usr/obj/usr/src/sys/DRACULA
> Timecounter "i8254" frequency 1193182 Hz quality 0
> CPU: Pentium II/Pentium II Xeon/Celeron (350.80-MHz 686-class CPU)
>   Origin = "GenuineIntel"  Id = 0x651  Stepping = 1
>   Features=0x183f9ff MOV,PAT,PSE36,MMX,FXSR>
> real memory  = 201261056 (191 MB)
> avail memory = 187076608 (178 MB)
> pnpbios: Bad PnP BIOS data checksum
> ACPI disabled by blacklist. Contact your BIOS vendor.
>
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> Flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> Firewall rules loaded, starting divert daemons:.
> net.inet.ip.fw.enable: 1 -> 1
>
> Starting dhclient.
> Starting syslogd.
> Sep 23 17:21:27 dracula syslogd: kernel boot file is /boot/kernel/kernel
> ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/X11R6/lib /usr/local/lib
> a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout /usr/X11R6/lib/aout /etc/ld.so.conf
> Starting usbd.
> apm: can't open /dev/apm: No such file or directory
> Starting local daemons:
> Starting up Apache: httpd started
> Starting up idled:
> ddclient:
> Starting up MySQL: 050923 17:21:37  InnoDB: Started; log sequence number 0 122655417
> /usr/local/libexec/mysqld: ready for connections.
> Version: '4.1.11'  socket: '/tmp/mysql.sock'  port: 0  Source distribution
>
> -bash-2.05b# netstat -a
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp4       0      0  *.snmp                 *.*
> udp4       0      0  *.syslog               *.*
> udp4       0      0  *.bootpc               *.*
> Active UNIX domain sockets
> Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
> c15e908c stream      0      0 c1790528        0        0        0 /tmp/mysql.sock
> c15e91a4 stream      0      0 c15ecb58        0        0        0 /var/run/devd.pipe
> c15e9230 dgram       0      0        0 c15e9118        0 c15e9000
> c15e9000 dgram       0      0        0 c15e9118        0        0
> c15e9118 dgram       0      0 c15ec210        0 c15e9230        0 /var/run/log

I don't really know what the problem could be, but try using the prog.
lsof. It's in the ports. It lists all the open files on the computer, and
using the command "lsof -i4" you can see any IPv4 files that are open.

hope it helps
chris

-- 
/=================================================\
| Chris Petrovitch                                |
| email:  chris@sackofcheese.com                  |
| jabber: crispy@sackofcheese.com                 |
\=================================================/
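A cross-check of the two socket views Chris suggests, as an added example that is not part of the thread: it lists the TCP ports lsof reports as listening but netstat does not, which is exactly Alex's symptom. The sample outputs, process ids and kernel addresses are constructed, and live use assumes sysutils/lsof from ports is installed.

```shell
#!/bin/sh
# Added example (not from the thread): compare the listening TCP ports
# reported by two independent tools, netstat and lsof. A daemon that answers
# on port 80 but is absent from netstat's socket list shows up here as a
# port "hidden" from netstat. All sample outputs below are constructed.

# Constructed `netstat -an` output from a box in Alex's state: UDP only.
NETSTAT_BAD='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp4       0      0  *.161                  *.*
udp4       0      0  *.514                  *.*'

# Constructed `netstat -an` output from a healthy box that also lists httpd and sshd.
NETSTAT_OK="$NETSTAT_BAD
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN"

# Constructed `lsof -nP -i4 -sTCP:LISTEN` output from the same box.
LSOF_OUT='COMMAND  PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
httpd    512 root    3u  IPv4 0xc15e0000      0t0  TCP *:80 (LISTEN)
sshd     430 root    4u  IPv4 0xc15e1000      0t0  TCP *:22 (LISTEN)'

# Listening TCP ports per netstat -an; FreeBSD prints the local address as addr.port.
netstat_tcp_listen() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "."); print a[n] }' |
        sort -un
}

# Listening TCP ports per lsof -nP -i4 -sTCP:LISTEN; lsof prints addr:port.
lsof_tcp_listen() {
    printf '%s\n' "$1" |
        awk '$NF == "(LISTEN)" { n = split($(NF-1), a, ":"); print a[n] }' |
        sort -un
}

# Print, one per line, the ports lsof sees but netstat does not; empty means the views agree.
hidden_from_netstat() {
    known=" $(netstat_tcp_listen "$1" | tr '\n' ' ')"
    for p in $(lsof_tcp_listen "$2"); do
        case "$known" in
            *" $p "*) ;;                 # netstat also reports this port
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Live use on a FreeBSD host with sysutils/lsof installed:
#   hidden_from_netstat "$(netstat -an)" "$(lsof -nP -i4 -sTCP:LISTEN)"
```

Both tools ultimately ask the same kernel for its socket table, so agreement between them only argues against a replaced netstat binary, not against a modified kernel; comparing the binaries themselves against a known-good copy is the natural next check.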