Looks like there is a bot/bnc connected to the Undernet IRC network through your box.

*** Resolved 205.252.46.98 to babble-on.systems.cais.net
and 
*** Resolved McLean.VA.us.undernet.org to 205.252.46.98

I suggest you unplug your server from the network immediately, then replace the server 
with another server if it's an important operational server. Remember to patch the 
replacement server with all the patches available from the RedHat errata website for your 
distribution and the services that you run. By the way, the default ftp in RH7.2 is indeed a 
vulnerable version and its update is available on the RedHat 7.2 errata website. If you 
back up anything from the compromised server, then remember not to back up system files 
because they are most probably trojaned.

After you're done with your backup server, consider doing a forensic analysis on your 
hacked system, or get help from a security expert, in order to find out what rootkits 
are installed, what the patterns were, and how you most probably got hacked. 
If it was running a bot/psyBNC from your server, then you can find out his/her 
bot's nick or his/her own nick and ident; it will help you a lot in finding out who 
probably hacked you. None of this is necessary; if you don't want to, you can just format 
and re-install it as well. But if you're curious, then take that step.

Regards, 
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk


--- "Huter.Liu" <[EMAIL PROTECTED]> wrote:
>Hi, everyone!
>       I'm using RH7.2, but my machine was hacked recently. I have only the wu-ftpd and www 
>servers open. I really don't know how the hacker got in; I guess maybe it was through 
>wu-ftpd, the ftp server. Now I found there is a TCP link:
>Proto Recv-Q Send-Q Local Address           Foreign Address         State
>tcp        0      0 My IP:41430   205.252.46.98:6667      ESTABLISHED
>What does this mean?
>    The ps and netstat commands are unusable. I downloaded the psproc and net-tools rpms 
>and upgraded the two packages, so I found the strange 41430 port, but when I use ps 
>aux|less the running processes look quite fine. What should I do as the next step?
>        [EMAIL PROTECTED]
>          2002-06-02
>
>
>
>
>_______________________________________________
>Redhat-list mailing list
>[EMAIL PROTECTED]
>https://listman.redhat.com/mailman/listinfo/redhat-list
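
The netstat entry in the quoted message can be cross-checked without the installed netstat binary by reading the kernel's /proc/net/tcp table directly. The following is an added example, not part of either poster's message; the sample table is constructed (192.0.2.x are documentation addresses), the IRC port list is an assumption, and the address decoding assumes a little-endian (x86) host.

```python
import os
import socket
import struct

# Assumption: common IRC ports; 6667 is the one seen in the quoted netstat line.
IRC_PORTS = set(range(6660, 6670)) | {7000}
TCP_ESTABLISHED = "01"  # state code the kernel uses for ESTABLISHED

# Constructed sample in /proc/net/tcp layout (192.0.2.x are documentation addresses).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1305
   2: 0A0200C0:A1D6 622EFCCD:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 4711
   3: 0A0200C0:0050 0B0200C0:C350 01 00000000:00000000 00:00000000 00000000    48        0 4802
"""


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port). Assumes a little-endian host."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def find_irc_connections(table_text):
    """Return established connections whose remote port is an IRC port."""
    hits = []
    for line in table_text.splitlines()[1:]:      # skip the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_ESTABLISHED:
            continue
        local, remote = decode_endpoint(fields[1]), decode_endpoint(fields[2])
        if remote[1] in IRC_PORTS:
            # The inode matches a 'socket:[inode]' link under /proc/<pid>/fd,
            # which identifies the owning process without relying on ps.
            hits.append({"local": local, "remote": remote, "inode": int(fields[9])})
    return hits


if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for hit in find_irc_connections(text):
        print("%s:%d -> %s:%d inode=%d" % (hit["local"] + hit["remote"] + (hit["inode"],)))
```

On a compromised host, run this with an interpreter from trusted media; a kernel-level rootkit can hide entries from /proc as well.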
