I have a Red Hat machine on my network that I use as a game server and as an ftp server. I recently tried to access the ftp server from inside my network and found that I can connect, but all commands time out with a message (425 Can't create data socket (192.168.1.200,20): Address already in use.). I also notice on my network hub that traffic is moving between the server and the firewall even when none of the servers are active. I tried tcpdump and found this message:

17:18:48.197561 carnage.21907 > Amsterdam2.NL.EU.undernet.org.ircd: P 54:70(16) ack 160 win 10810 <nop,nop,timestamp 663918 106846226> (DF)
17:18:48.337561 Amsterdam2.NL.EU.undernet.org.ircd > carnage.21907: P 160:241(81) ack 70 win 8688 <nop,nop,timestamp 106846539 663918> (DF) [tos 0x8]
17:18:48.337561 carnage.21907 > Amsterdam2.NL.EU.undernet.org.ircd: . ack 241 win 10810 <nop,nop,timestamp 663932 106846539> (DF)

This concerns me since undernet.org is a large IRC chat host and I wonder if this is evidence of someone having compromised my server for use by an IRC bot of some kind. Can anyone decipher the log entry and tell me what my next step should be to find and stop the package that is using my ftp port?

Thank you,
Kory Krofft

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
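
A reading of the capture quoted above, as an added example that is not part of the original post: it parses the old-style tcpdump TCP lines and groups the packets that touch an IRC service port by direction. The set of ports treated as IRC, and the helper names `parse_line` and `irc_flows`, are assumptions made for this example.

```python
import re

# The three tcpdump lines from the post, with the extraction line-wrap damage repaired.
SAMPLE = """\
17:18:48.197561 carnage.21907 > Amsterdam2.NL.EU.undernet.org.ircd: P 54:70(16) ack 160 win 10810 <nop,nop,timestamp 663918 106846226> (DF)
17:18:48.337561 Amsterdam2.NL.EU.undernet.org.ircd > carnage.21907: P 160:241(81) ack 70 win 8688 <nop,nop,timestamp 106846539 663918> (DF) [tos 0x8]
17:18:48.337561 carnage.21907 > Amsterdam2.NL.EU.undernet.org.ircd: . ack 241 win 10810 <nop,nop,timestamp 663932 106846539> (DF)
"""

# Assumption: tcpdump prints 6667/tcp as "ircd" (from /etc/services); ports 6660-6669
# are treated as IRC here by convention, not because the post says so.
IRC_SERVICES = {"ircd"} | {str(p) for p in range(6660, 6670)}

# Layout: time  src.port > dst.port: flags [first:last(payload_len)] ...
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<flags>\S+)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?"
)

def parse_line(line):
    """Return the fields of one old-style tcpdump TCP line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["len"] = int(pkt["len"] or 0)   # a pure ACK (flags ".") has no sequence range
    return pkt

def irc_flows(text):
    """Group packets by (client, client_port, server, service) for flows touching an IRC port."""
    flows = {}
    for pkt in filter(None, map(parse_line, text.splitlines())):
        if pkt["dport"] in IRC_SERVICES:      # client -> IRC server
            key, direction = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]), "to_server"
        elif pkt["sport"] in IRC_SERVICES:    # IRC server -> client
            key, direction = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]), "to_client"
        else:
            continue
        flow = flows.setdefault(key, {"packets": 0, "to_server": 0, "to_client": 0})
        flow["packets"] += 1
        flow[direction] += pkt["len"]
    return flows

if __name__ == "__main__":
    for (client, cport, server, svc), f in irc_flows(SAMPLE).items():
        print(f"{client}:{cport} is an IRC client of {server} ({svc}): {f}")
```

On the quoted lines this yields one flow in which `carnage` holds the high-numbered port and the undernet.org host holds the `ircd` service port, so `carnage` is the client end of an established IRC session: it pushed 16 bytes, received 81 bytes, and acknowledged them.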