Pardon me for the late response, but I have been kinda stuck on few things.
OK here we go.
# netstat -tap
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 1 host114.oaz.com:2844 irc2.worldnet.att.:6660 SYN_SENT
155/mech
# ps aux | grep mech
# ps aux | grep 155
#
strings /bin/ps does not anything fishy.
Now what?
Some history:
This box of mine has been under attack, yes attack, from a number of
hackers. I was naive and a novice about Linux thrown in the world with bad
boys of Linux. At one point of time, there were three different hackers in
the system - there were two different rootkits being used, buffer overflows,
security exploits using PERL even!
I have finally been able to recover. I had to re-install about 9 rpms (I
found that ps, pstree, ls, top, vmstat, etc) had been replaced. I now have:
1. shadow passwords
2. all "r" services disabled.
3. logs monitored using logcheck.
4. ACLs to allow access only to me and couple of boxes from my network
5. MD5 signatures of all rpms stored locally.
6. All suid programs disabled.
7. all un-necessary services disabled.
8. I still have apache and tomcat running as root. I cannot re-install them
in future, but I plan to.
9. ipchains installed and configured.
10. Bastille-linux scripts executed to harden the box more.
11. Connections possible only through SSH.
I do NOT, repeat do NOT want to format/rebuild the box - yes, I agree that
the list above is not complete.
So,
1. What else do I need to do protect the box?
2. How can I provide you guys with more information? Yes, in my naivette a
lot of information is already lost - due to hasty actions, etc, but if you
point me in the right direction I can provide whatever info you want.
3. What is the best security checklist used by the Gurus out there?
4. Yes, I accept outright I still have a lot to learn. Are there any online
URLs you can point me to?
Thanks,
Manav.
----- Original Message -----
From: "Travis LaWall" <tlawall@peakpeak.com>
To: <redhat-secure-server@redhat.com>
Sent: Sunday, June 09, 2002 1:05 AM
Subject: Re: port to process
> Manav.
>
> /sbin/fuser -n tcp 1074,irc2.worldnet.att,6660 to find the process id of
> the application.
>
> -travis
>
> Manavendra Gupta wrote:
>
> >Hi,
> >
> >when i do a netstat i see the following line:
> >
> >tcp 0 1 host114.oaz.com:1074 irc2.worldnet.att.:6660
SYN_SENT> >
> >
> >I am sure there are no applications configured to talk to an irc
server.
> >
> >How do i find the offending application?
> >
> >Regards,
> >Manav.
> >
> >
> >
> >
> >_______________________________________________
> >Redhat-secure-server mailing list
> >Redhat-secure-server@redhat.com
> >https://listman.redhat.com/mailman/listinfo/redhat-secure-server
> >
> >.
> >
>
>
>
>
> _______________________________________________
> Redhat-secure-server mailing list
> Redhat-secure-server@redhat.com
> https://listman.redhat.com/mailman/listinfo/redhat-secure-server
>