Shawn, I am using RH 7.2. I found the problem. I have in fact been hacked. I found a process "muhh" running from the /var/run directory. I will have to reformat and rebuild the game server. I would love to find out what the hacker was using my machine for. Any suggestions on how to find out? There were several subdirectories and many files. I have looked at the logs it used but it doesn't make any sense to me.
Thanks for the answer,
Kory

Shawn wrote:
> what version of RH? compromised, that might be possible. run 'netstat -an'
> and look for any suspicious ports. www.portsdb.org has a good listing of
> ports by protocol. also check the running processes for anything strange,
> 'ps -auxwww or -aef'. if in fact it is compromised, the best thing to do is
> format and start over again. you might also think about testing the
> integrity of your system when you do get it cleaned. www.grc.com is a good
> place to start. good luck!
>
> greyhat
> www.intrusiondefense.com
>
> ----- Original Message -----
> From: "Kory Krofft" <[EMAIL PROTECTED]>
> Newsgroups: comp.os.linux.redhat
> Sent: Monday, March 25, 2002 6:06 PM
> Subject: need help with tcpdump
>
> > I have a Redhat machine on my network that I use as a game server and
> > as an ftp server. I recently tried to access the ftp server from inside
> > my network and find that I can connect but all commands time out with a
> > message (425 Can't create data socket (192.168.1.200,20): Address
> > already in use.). I also notice on my network hub that traffic is moving
> > between the server and the firewall even when none of the servers are
> > active. I tried tcpdump and found this message:
> >
> > 17:18:48.197561 carnage.21907 > Amsterdam2.NL.EU.undernet.org.ircd: P 54:70(16) ack 160 win 10810 <nop,nop,timestamp 663918 106846226> (DF)
> > 17:18:48.337561 Amsterdam2.NL.EU.undernet.org.ircd > carnage.21907: P 160:241(81) ack 70 win 8688 <nop,nop,timestamp 106846539 663918> (DF) [tos 0x8]
> > 17:18:48.337561 carnage.21907 > Amsterdam2.NL.EU.undernet.org.ircd: . ack 241 win 10810 <nop,nop,timestamp 663932 106846539> (DF)
> >
> > This concerns me since undernet.org is a large IRC chat host and I
> > wonder if this is evidence of someone having compromised my server for
> > use by an IRC bot of some kind.
> >
> > Can anyone decipher the log entry and tell me what my next step should
> > be to find and stop the package that is using my ftp port?
> >
> > Thank you,
> >
> > Kory Krofft

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
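The tcpdump lines quoted in the thread show the pattern Kory is asking about: an ephemeral local port (carnage.21907) exchanging PUSH/ACK segments with a remote host whose port tcpdump resolves to the ircd service. The following is an added example, not code from the thread or from the LEAF project, that parses tcpdump output in that old "src.port > dst.port: flags" format and reports which remote IRC endpoints the local host talked to, so the same check can be run over a longer capture instead of reading it by eye. The sample input reuses the three lines from the thread (rejoined where the mailer wrapped them) plus one constructed FTP line; the local hostname "carnage" and the IRC port list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the three tcpdump lines quoted in the thread, rejoined
# where the mailer wrapped them, plus one constructed FTP control-connection line
# so the filter has benign traffic to ignore.
SAMPLE_TCPDUMP = """\
17:18:48.197561 carnage.21907 > Amsterdam2.NL.EU.undernet.org.ircd: P 54:70(16) ack 160 win 10810 <nop,nop,timestamp 663918 106846226> (DF)
17:18:48.337561 Amsterdam2.NL.EU.undernet.org.ircd > carnage.21907: P 160:241(81) ack 70 win 8688 <nop,nop,timestamp 106846539 663918> (DF) [tos 0x8]
17:18:48.337561 carnage.21907 > Amsterdam2.NL.EU.undernet.org.ircd: . ack 241 win 10810 <nop,nop,timestamp 663932 106846539> (DF)
17:19:02.001000 192.168.1.5.1034 > carnage.ftp: S 1:1(0) win 5840 <mss 1460> (DF)
"""

# Assumed list of service names / port numbers tcpdump may print for IRC. The
# name depends on the local /etc/services; numeric ports appear with tcpdump -n.
IRC_SERVICES: Set[str] = {"ircd", "irc", "6667", "6668", "6669", "7000"}

# Old-style tcpdump TCP line: "<time> <src.port> > <dst.port>: <flags> ...".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")


@dataclass(frozen=True)
class Packet:
    ts: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    flags: str  # first token after the colon: P, S, ., F, R ...


def split_endpoint(endpoint: str):
    """'carnage.21907' -> ('carnage', '21907'). Works for FQDNs and dotted IPs
    because tcpdump always places the port or service name after the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; returns None for lines that are not TCP records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    flags = m.group("rest").split(" ", 1)[0]
    return Packet(m.group("ts"), src_host, src_port, dst_host, dst_port, flags)


def parse_dump(text: str) -> List[Packet]:
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def irc_peers(packets, local_host: str) -> Dict[str, Set[str]]:
    """Map each remote IRC endpoint ("host:service") to the set of local ports
    that exchanged packets with it. Only sessions with local_host on one side
    count, so traffic merely passing the capture point is ignored."""
    found: Dict[str, Set[str]] = {}
    for p in packets:
        if p.src_host == local_host and p.dst_port in IRC_SERVICES:
            remote, local_port = f"{p.dst_host}:{p.dst_port}", p.src_port
        elif p.dst_host == local_host and p.src_port in IRC_SERVICES:
            remote, local_port = f"{p.src_host}:{p.src_port}", p.dst_port
        else:
            continue
        found.setdefault(remote, set()).add(local_port)
    return found


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE_TCPDUMP)
    for remote, ports in irc_peers(pkts, "carnage").items():
        print(f"{remote} <- local ports {sorted(ports)}")
```

Run against the sample it reports Amsterdam2.NL.EU.undernet.org:ircd reached from local port 21907 and ignores the FTP line. Two caveats: if the capture was taken with `tcpdump -n`, hosts and ports are numeric, so pass the server's IP as local_host and rely on the numeric entries in IRC_SERVICES; and newer tcpdump versions print an "IP" prefix and "Flags [P.]" instead of the bare flag letter, so LINE_RE would need adjusting for modern captures. The port list is only a heuristic; a netstat -an listing of established connections from the host, as greyhat suggests, is the complementary check.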
