Hi, when i do a netstat i see the following line: tcp 0 1 host114.oaz.com:1074 irc2.worldnet.att.:6660 SYN_SENT I am sure there are no applications configured to talk to an irc server. How do i find the offending application? Regards, Manav.
Manav. /sbin/fuser -n tcp 1074,irc2.worldnet.att,6660 to find the process id of the application. -travis Manavendra Gupta wrote:>Hi, > >when i do a netstat i see the following line: > >tcp 0 1 host114.oaz.com:1074 irc2.worldnet.att.:6660 SYN_SENT > > >I am sure there are no applications configured to talk to an irc server. > >How do i find the offending application? > >Regards, >Manav. > > > > >_______________________________________________ >Redhat-secure-server mailing list >Redhat-secure-server@redhat.com >https://listman.redhat.com/mailman/listinfo/redhat-secure-server > >. >
I''m not sure if I understand your problem right but # netstat -tap should help. The parameter p gives you the process''s PID and the program name that started the process. Vlad -----Original Message----- From: redhat-secure-server-admin@redhat.com [mailto:redhat-secure-server-admin@redhat.com]On Behalf Of Manavendra Gupta Sent: Saturday, June 08, 2002 9:26 PM To: redhat-secure-server@redhat.com Subject: Re: port to process Hi, when i do a netstat i see the following line: tcp 0 1 host114.oaz.com:1074 irc2.worldnet.att.:6660 SYN_SENT I am sure there are no applications configured to talk to an irc server. How do i find the offending application? Regards, Manav. _______________________________________________ Redhat-secure-server mailing list Redhat-secure-server@redhat.com https://listman.redhat.com/mailman/listinfo/redhat-secure-server
Pardon me for the late response, but I have been kinda stuck on few things. OK here we go. # netstat -tap (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 1 host114.oaz.com:2844 irc2.worldnet.att.:6660 SYN_SENT 155/mech # ps aux | grep mech # ps aux | grep 155 # strings /bin/ps does not anything fishy. Now what? Some history: This box of mine has been under attack, yes attack, from a number of hackers. I was naive and a novice about Linux thrown in the world with bad boys of Linux. At one point of time, there were three different hackers in the system - there were two different rootkits being used, buffer overflows, security exploits using PERL even! I have finally been able to recover. I had to re-install about 9 rpms (I found that ps, pstree, ls, top, vmstat, etc) had been replaced. I now have: 1. shadow passwords 2. all "r" services disabled. 3. logs monitored using logcheck. 4. ACLs to allow access only to me and couple of boxes from my network 5. MD5 signatures of all rpms stored locally. 6. All suid programs disabled. 7. all un-necessary services disabled. 8. I still have apache and tomcat running as root. I cannot re-install them in future, but I plan to. 9. ipchains installed and configured. 10. Bastille-linux scripts executed to harden the box more. 11. Connections possible only through SSH. I do NOT, repeat do NOT want to format/rebuild the box - yes, I agree that the list above is not complete. So, 1. What else do I need to do protect the box? 2. How can I provide you guys with more information? Yes, in my naivette a lot of information is already lost - due to hasty actions, etc, but if you point me in the right direction I can provide whatever info you want. 3. What is the best security checklist used by the Gurus out there? 4. Yes, I accept outright I still have a lot to learn. Are there any online URLs you can point me to? Thanks, Manav. ----- Original Message ----- From: "Travis LaWall" <tlawall@peakpeak.com> To: <redhat-secure-server@redhat.com> Sent: Sunday, June 09, 2002 1:05 AM Subject: Re: port to process> Manav. > > /sbin/fuser -n tcp 1074,irc2.worldnet.att,6660 to find the process id of > the application. > > -travis > > Manavendra Gupta wrote: > > >Hi, > > > >when i do a netstat i see the following line: > > > >tcp 0 1 host114.oaz.com:1074 irc2.worldnet.att.:6660SYN_SENT> > > > > >I am sure there are no applications configured to talk to an irc server. > > > >How do i find the offending application? > > > >Regards, > >Manav. > > > > > > > > > >_______________________________________________ > >Redhat-secure-server mailing list > >Redhat-secure-server@redhat.com > >https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > >. > > > > > > > _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server >
I am not sure whether this post is reaching the list (I get an error message everytime I send this)..so this is the last attempt. ============================Pardon me for the late response, but I have been kinda stuck on few things. OK here we go. # netstat -tap (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 1 host114.oaz.com:2844 irc2.worldnet.att.:6660 SYN_SENT 155/mech # ps aux | grep mech # ps aux | grep 155 # strings /bin/ps does not anything fishy. Now what? Some history: This box of mine has been under attack, yes attack, from a number of hackers. I was naive and a novice about Linux thrown in the world with bad boys of Linux. At one point of time, there were three different hackers in the system - there were two different rootkits being used, buffer overflows, security exploits using PERL even! I have finally been able to recover. I had to re-install about 9 rpms (I found that ps, pstree, ls, top, vmstat, etc) had been replaced. I now have: 1. shadow passwords 2. all "r" services disabled. 3. logs monitored using logcheck. 4. ACLs to allow access only to me and couple of boxes from my network 5. MD5 signatures of all rpms stored locally. 6. All suid programs disabled. 7. all un-necessary services disabled. 8. I still have apache and tomcat running as root. I cannot re-install them in future, but I plan to. 9. ipchains installed and configured. 10. Bastille-linux scripts executed to harden the box more. 11. Connections possible only through SSH. I do NOT, repeat do NOT want to format/rebuild the box - yes, I agree that the list above is not complete. So, 1. What else do I need to do protect the box? 2. How can I provide you guys with more information? Yes, in my naivette a lot of information is already lost - due to hasty actions, etc, but if you point me in the right direction I can provide whatever info you want. 3. What is the best security checklist used by the Gurus out there? 4. Yes, I accept outright I still have a lot to learn. Are there any online URLs you can point me to? Thanks, Manav. ----- Original Message ----- From: "Travis LaWall" <tlawall@peakpeak.com> To: <redhat-secure-server@redhat.com> Sent: Sunday, June 09, 2002 1:05 AM Subject: Re: port to process> Manav. > > /sbin/fuser -n tcp 1074,irc2.worldnet.att,6660 to find the process id of > the application. > > -travis > > Manavendra Gupta wrote: > > >Hi, > > > >when i do a netstat i see the following line: > > > >tcp 0 1 host114.oaz.com:1074 irc2.worldnet.att.:6660SYN_SENT> > > > > >I am sure there are no applications configured to talk to an irc server. > > > >How do i find the offending application? > > > >Regards, > >Manav. > > > > > > > > > >_______________________________________________ > >Redhat-secure-server mailing list > >Redhat-secure-server@redhat.com > >https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > >. > > > > > > > _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server >_______________________________________________ Redhat-secure-server mailing list Redhat-secure-server@redhat.com https://listman.redhat.com/mailman/listinfo/redhat-secure-server
may be you can follow, Securing & optimising red hat linux available on linuxdocs.org I am not sure if its updated but for red Hat 6.2, it was probably the best guide. Also, instead of ipchains, possibly you might consider using iptables. -Akshay PS: I am not GURU but just a small time linux admin. On Mon, 2002-06-10 at 15:44, Manavendra Gupta wrote:> Pardon me for the late response, but I have been kinda stuck on few things. > > OK here we go. > # netstat -tap > (Not all processes could be identified, non-owned process info > will not be shown, you would have to be root to see it all.) > Active Internet connections (servers and established) > Proto Recv-Q Send-Q Local Address Foreign Address State > PID/Program name > tcp 0 1 host114.oaz.com:2844 irc2.worldnet.att.:6660 SYN_SENT > 155/mech > # ps aux | grep mech > # ps aux | grep 155 > # > > strings /bin/ps does not anything fishy. > > Now what? > > Some history: > > This box of mine has been under attack, yes attack, from a number of > hackers. I was naive and a novice about Linux thrown in the world with bad > boys of Linux. At one point of time, there were three different hackers in > the system - there were two different rootkits being used, buffer overflows, > security exploits using PERL even! > > I have finally been able to recover. I had to re-install about 9 rpms (I > found that ps, pstree, ls, top, vmstat, etc) had been replaced. I now have: > 1. shadow passwords > 2. all "r" services disabled. > 3. logs monitored using logcheck. > 4. ACLs to allow access only to me and couple of boxes from my network > 5. MD5 signatures of all rpms stored locally. > 6. All suid programs disabled. > 7. all un-necessary services disabled. > 8. I still have apache and tomcat running as root. I cannot re-install them > in future, but I plan to. > 9. ipchains installed and configured. > 10. Bastille-linux scripts executed to harden the box more. > 11. Connections possible only through SSH. > > I do NOT, repeat do NOT want to format/rebuild the box - yes, I agree that > the list above is not complete. > > So, > 1. What else do I need to do protect the box? > 2. How can I provide you guys with more information? Yes, in my naivette a > lot of information is already lost - due to hasty actions, etc, but if you > point me in the right direction I can provide whatever info you want. > 3. What is the best security checklist used by the Gurus out there? > 4. Yes, I accept outright I still have a lot to learn. Are there any online > URLs you can point me to? > > Thanks, > Manav. > ----- Original Message ----- > From: "Travis LaWall" <tlawall@peakpeak.com> > To: <redhat-secure-server@redhat.com> > Sent: Sunday, June 09, 2002 1:05 AM > Subject: Re: port to process > > > > Manav. > > > > /sbin/fuser -n tcp 1074,irc2.worldnet.att,6660 to find the process id of > > the application. > > > > -travis > > > > Manavendra Gupta wrote: > > > > >Hi, > > > > > >when i do a netstat i see the following line: > > > > > >tcp 0 1 host114.oaz.com:1074 irc2.worldnet.att.:6660 > SYN_SENT > > > > > > > > >I am sure there are no applications configured to talk to an irc server. > > > > > >How do i find the offending application? > > > > > >Regards, > > >Manav. > > > > > > > > > > > > > > >_______________________________________________ > > >Redhat-secure-server mailing list > > >Redhat-secure-server@redhat.com > > >https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > > >. > > > > > > > > > > > > > _______________________________________________ > > Redhat-secure-server mailing list > > Redhat-secure-server@redhat.com > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > > > _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server >
Yes, I have been using the "Securiting and Optimizing Linux" Guide to harden the OS, but unfortunately, it provides you mechanism to make the box secure and not the ways to detect any break-ins. Thanks for the info on iptables. I did hear passing mention about them (hey, i never said I am a full-time linux admin) - I will explore them, figure out how beneficial is it over ipchains :-) Thanks, Manav. ----- Original Message ----- From: "Akshay Guleria" <akshay@himline.com> To: <redhat-secure-server@redhat.com> Sent: Wednesday, June 12, 2002 10:19 AM Subject: Re: port to process> may be you can follow, > Securing & optimising red hat linux > available on linuxdocs.org > > I am not sure if its updated but for red Hat 6.2, it was probably the > best guide. > > Also, instead of ipchains, possibly you might consider using iptables. > > -Akshay > PS: I am not GURU but just a small time linux admin. > > On Mon, 2002-06-10 at 15:44, Manavendra Gupta wrote: > > Pardon me for the late response, but I have been kinda stuck on fewthings.> > > > OK here we go. > > # netstat -tap > > (Not all processes could be identified, non-owned process info > > will not be shown, you would have to be root to see it all.) > > Active Internet connections (servers and established) > > Proto Recv-Q Send-Q Local Address Foreign AddressState> > PID/Program name > > tcp 0 1 host114.oaz.com:2844 irc2.worldnet.att.:6660SYN_SENT> > 155/mech > > # ps aux | grep mech > > # ps aux | grep 155 > > # > > > > strings /bin/ps does not anything fishy. > > > > Now what? > > > > Some history: > > > > This box of mine has been under attack, yes attack, from a number of > > hackers. I was naive and a novice about Linux thrown in the world withbad> > boys of Linux. At one point of time, there were three different hackersin> > the system - there were two different rootkits being used, bufferoverflows,> > security exploits using PERL even! > > > > I have finally been able to recover. I had to re-install about 9 rpms (I > > found that ps, pstree, ls, top, vmstat, etc) had been replaced. I nowhave:> > 1. shadow passwords > > 2. all "r" services disabled. > > 3. logs monitored using logcheck. > > 4. ACLs to allow access only to me and couple of boxes from my network > > 5. MD5 signatures of all rpms stored locally. > > 6. All suid programs disabled. > > 7. all un-necessary services disabled. > > 8. I still have apache and tomcat running as root. I cannot re-installthem> > in future, but I plan to. > > 9. ipchains installed and configured. > > 10. Bastille-linux scripts executed to harden the box more. > > 11. Connections possible only through SSH. > > > > I do NOT, repeat do NOT want to format/rebuild the box - yes, I agreethat> > the list above is not complete. > > > > So, > > 1. What else do I need to do protect the box? > > 2. How can I provide you guys with more information? Yes, in my naivettea> > lot of information is already lost - due to hasty actions, etc, but ifyou> > point me in the right direction I can provide whatever info you want. > > 3. What is the best security checklist used by the Gurus out there? > > 4. Yes, I accept outright I still have a lot to learn. Are there anyonline> > URLs you can point me to? > > > > Thanks, > > Manav. > > ----- Original Message ----- > > From: "Travis LaWall" <tlawall@peakpeak.com> > > To: <redhat-secure-server@redhat.com> > > Sent: Sunday, June 09, 2002 1:05 AM > > Subject: Re: port to process > > > > > > > Manav. > > > > > > /sbin/fuser -n tcp 1074,irc2.worldnet.att,6660 to find the process idof> > > the application. > > > > > > -travis > > > > > > Manavendra Gupta wrote: > > > > > > >Hi, > > > > > > > >when i do a netstat i see the following line: > > > > > > > >tcp 0 1 host114.oaz.com:1074 irc2.worldnet.att.:6660 > > SYN_SENT > > > > > > > > > > > >I am sure there are no applications configured to talk to an ircserver.> > > > > > > >How do i find the offending application? > > > > > > > >Regards, > > > >Manav. > > > > > > > > > > > > > > > > > > > >_______________________________________________ > > > >Redhat-secure-server mailing list > > > >Redhat-secure-server@redhat.com > > > >https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > > > > >. > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > Redhat-secure-server mailing list > > > Redhat-secure-server@redhat.com > > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > > > > > > > > _______________________________________________ > > Redhat-secure-server mailing list > > Redhat-secure-server@redhat.com > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > > > _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server >
-----Mensaje original----- De: redhat-secure-server-admin@redhat.com [mailto:redhat-secure-server-admin@redhat.com] En nombre de Manavendra Gupta Enviado el: Miércoles, 12 de Junio de 2002 05:00 a.m. Para: redhat-secure-server@redhat.com Asunto: Re: port to process Yes, I have been using the "Securiting and Optimizing Linux" Guide to harden the OS, but unfortunately, it provides you mechanism to make the box secure and not the ways to detect any break-ins. Thanks for the info on iptables. I did hear passing mention about them (hey, i never said I am a full-time linux admin) - I will explore them, figure out how beneficial is it over ipchains :-) Thanks, Manav. ----- Original Message ----- From: "Akshay Guleria" <akshay@himline.com> To: <redhat-secure-server@redhat.com> Sent: Wednesday, June 12, 2002 10:19 AM Subject: Re: port to process> may be you can follow, > Securing & optimising red hat linux > available on linuxdocs.org > > I am not sure if its updated but for red Hat 6.2, it was probably the > best guide. > > Also, instead of ipchains, possibly you might consider using iptables. > > -Akshay > PS: I am not GURU but just a small time linux admin. > > On Mon, 2002-06-10 at 15:44, Manavendra Gupta wrote: > > Pardon me for the late response, but I have been kinda stuck on fewthings.> > > > OK here we go. > > # netstat -tap > > (Not all processes could be identified, non-owned process info will> > not be shown, you would have to be root to see it all.) Active > > Internet connections (servers and established) > > Proto Recv-Q Send-Q Local Address Foreign AddressState> > PID/Program name > > tcp 0 1 host114.oaz.com:2844 irc2.worldnet.att.:6660SYN_SENT> > 155/mech > > # ps aux | grep mech > > # ps aux | grep 155 > > # > > > > strings /bin/ps does not anything fishy. > > > > Now what? > > > > Some history: > > > > This box of mine has been under attack, yes attack, from a number of> > hackers. I was naive and a novice about Linux thrown in the world > > withbad> > boys of Linux. At one point of time, there were three different > > hackersin> > the system - there were two different rootkits being used, bufferoverflows,> > security exploits using PERL even! > > > > I have finally been able to recover. I had to re-install about 9 > > rpms (I found that ps, pstree, ls, top, vmstat, etc) had been > > replaced. I nowhave:> > 1. shadow passwords > > 2. all "r" services disabled. > > 3. logs monitored using logcheck. > > 4. ACLs to allow access only to me and couple of boxes from my > > network 5. MD5 signatures of all rpms stored locally. 6. All suid > > programs disabled. 7. all un-necessary services disabled. > > 8. I still have apache and tomcat running as root. I cannotre-install them> > in future, but I plan to. > > 9. ipchains installed and configured. > > 10. Bastille-linux scripts executed to harden the box more. 11. > > Connections possible only through SSH. > > > > I do NOT, repeat do NOT want to format/rebuild the box - yes, I > > agreethat> > the list above is not complete. > > > > So, > > 1. What else do I need to do protect the box? > > 2. How can I provide you guys with more information? Yes, in my > > naivettea> > lot of information is already lost - due to hasty actions, etc, but > > ifyou> > point me in the right direction I can provide whatever info you > > want. 3. What is the best security checklist used by the Gurus out > > there? 4. Yes, I accept outright I still have a lot to learn. Are > > there anyonline> > URLs you can point me to? > > > > Thanks, > > Manav. > > ----- Original Message ----- > > From: "Travis LaWall" <tlawall@peakpeak.com> > > To: <redhat-secure-server@redhat.com> > > Sent: Sunday, June 09, 2002 1:05 AM > > Subject: Re: port to process > > > > > > > Manav. > > > > > > /sbin/fuser -n tcp 1074,irc2.worldnet.att,6660 to find the process> > > idof> > > the application. > > > > > > -travis > > > > > > Manavendra Gupta wrote: > > > > > > >Hi, > > > > > > > >when i do a netstat i see the following line: > > > > > > > >tcp 0 1 host114.oaz.com:1074irc2.worldnet.att.:6660> > SYN_SENT > > > > > > > > > > > >I am sure there are no applications configured to talk to an ircserver.> > > > > > > >How do i find the offending application? > > > > > > > >Regards, > > > >Manav. > > > > > > > > > > > > > > > > > > > >_______________________________________________ > > > >Redhat-secure-server mailing list Redhat-secure-server@redhat.com > > > >https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > > > > >. > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > Redhat-secure-server mailing list Redhat-secure-server@redhat.com > > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > > > > > > > > _______________________________________________ > > Redhat-secure-server mailing list Redhat-secure-server@redhat.com > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > > > _______________________________________________ > Redhat-secure-server mailing list Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server >_______________________________________________ Redhat-secure-server mailing list Redhat-secure-server@redhat.com https://listman.redhat.com/mailman/listinfo/redhat-secure-server