Re: finding a process that binds a specific port

pache2 -k start
root 13277 0.0 0.0 3916 572 ? Ss 12:42 0:00 /usr/sbin/acpid
clamav 14012 0.0 6.1 313124 249112 ? Ssl 12:42 0:07 /usr/sbin/clamd
clamav 14346 0.0 0.0 38484 1356 ? Ss 12:43 0:00 /usr/bin/freshclam -d --quiet
root 14729 0.0 0.0 17072 1068 ?Sudevd --daemon
root 14955 0.0 0.0 17128 1008 ? S< 12:44 0:00 \_ udevd --daemon
root 14957 0.0 0.0 17128 936 ? S< 12:44 0:00 \_ udevd --daemon
root 15402 0.1 0.0 118024 1708 ? Sl 12:45 0:10 /usr/sbin/rsyslogd -c5
root 15966 0.1 0.1 67284 7580 ? Sl 12:46 0:13 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
root 25592 3.9 0.1 93136 6004 ? Ss 13:06 5:07 /usr/bin/perl -w /usr/sbin/mailgraph -l /var/log/mail.log -d --daemon_rrd=/var/lib/mailgraph
root 29114 0.0 0.0 18736 812 ? Ss 13:16 0:00 /sbin/rpcbind -w

-----Original Message-----
From: Matias Mucciolo
Sent: Wednesday, January 22, 2014 3:00 PM
To: debian-security@lists.debian.org
Cc: Nico Angenon; lesley.bi...@gmail.com
Subject: Re: finding a process that binds a specific port

can you paste a ps auxf output ?
maybe someone sees some strange process

--
Matias

On Wednesday, January 22, 2014 10:57:14 AM Nico Angenon wrote:

Hello,

i’ve put a firewall rule on this before the box, so, there is no connection left on this port...
but there was a lot of traffic on this port before the rule...

Nico

From: Lesley Binks
Sent: Wednesday, January 22, 2014 2:46 PM
To: Nico Angenon
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

Sorry for top posting. I'm on my phone.
You can always check for data on the interface using tcpdump. Worth using it to verify what's happening.

Lesley

On 22 Jan 2014 13:33, "Nico Angenon" wrote:

no output

Thanks for all...

Nico

-----Original Message-----
From: johan A. van Zanten
Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

"Nico Angenon" wrote:

nope... never used this service...
Still looking for an explanation, try chkrootkit and rkhunter right now

Try fuser:

fuser -n udp 10001

-johan

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140122.125650.367853660900983582.jo...@brandwatch.com
Re: finding a process that binds a specific port

Hello,

i’ve put a firewall rule on this before the box, so, there is no connection left on this port...
but there was a lot of traffic on this port before the rule...

Nico

From: Lesley Binks
Sent: Wednesday, January 22, 2014 2:46 PM
To: Nico Angenon
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

Sorry for top posting. I'm on my phone.
You can always check for data on the interface using tcpdump. Worth using it to verify what's happening.

Lesley

On 22 Jan 2014 13:33, "Nico Angenon" wrote:

no output

Thanks for all...

Nico

-----Original Message-----
From: johan A. van Zanten
Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

"Nico Angenon" wrote:

nope... never used this service...
Still looking for an explanation, try chkrootkit and rkhunter right now

Try fuser:

fuser -n udp 10001

-johan
Re: finding a process that binds a specific port

no output

Thanks for all...

Nico

-----Original Message-----
From: johan A. van Zanten
Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

"Nico Angenon" wrote:

nope... never used this service...
Still looking for an explanation, try chkrootkit and rkhunter right now

Try fuser:

fuser -n udp 10001

-johan
Re: finding a process that binds a specific port

Files /tmp/a and /tmp/b give me the same number list...

I'll format the box, it'll go faster...

Nico

-----Original Message-----
From: Matias Mucciolo
Sent: Wednesday, January 22, 2014 2:14 PM
To: debian-security@lists.debian.org
Cc: Nico Angenon
Subject: Re: finding a process that binds a specific port

You can try something like:

cd /proc/ && ls -d1 [0-9]* | sort -n > /tmp/a && ps ax -o pid | grep "[0-9]" | tr -d " " | sort -n > /tmp/b

and check which pid exists in /proc dir but not in ps

example in my box:

..
4615    4615
4624    4624
4647    4647
4702  | 4704
4703  | 4705
      > 4706
      > 4707

in my case i have a difference but it is because of the grep/etc pid

--
Matias

On Wednesday, January 22, 2014 10:01:09 AM Nico Angenon wrote:

Same : No output...

Nico

-----Original Message-----
From: johan A. van Zanten
Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

"Nico Angenon" wrote:
> nope... never used this service...
> Still looking for an explanation, try chkrootkit and rkhunter right
> now

Try fuser:

fuser -n udp 10001

-johan
Re: finding a process that binds a specific port

if it is installed, i didn’t do it... i’ve never heard about this...

Nico

From: Kevin Olbrich
Sent: Wednesday, January 22, 2014 2:04 PM
To: Nico Angenon
Cc: debian security
Subject: Re: finding a process that binds a specific port

Do you have IntelliJ installed in this box?
http://stackoverflow.com/questions/13345986/intellij-idea-using-10001-port

Best regards,
Kevin Olbrich.
(mobile, from iPhone)

--
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient and/or have received this e-mail in error, please inform the sender immediately and destroy this mail. Unauthorized copying and unauthorized forwarding of this mail is not permitted.

On 22.01.2014 at 14:01, "Nico Angenon" wrote:

Same : No output...

Nico

-----Original Message-----
From: johan A. van Zanten
Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

"Nico Angenon" wrote:

nope... never used this service...
Still looking for an explanation, try chkrootkit and rkhunter right now

Try fuser:

fuser -n udp 10001

-johan
Re: finding a process that binds a specific port

Same : No output...

Nico

-----Original Message-----
From: johan A. van Zanten
Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

"Nico Angenon" wrote:

nope... never used this service...
Still looking for an explanation, try chkrootkit and rkhunter right now

Try fuser:

fuser -n udp 10001

-johan
Re: finding a process that binds a specific port

i do try as root...

Nico

From: Frank
Sent: Wednesday, January 22, 2014 1:45 PM
To: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

On 01/22/2014 01:20 PM, Nico Angenon wrote:

Hello,

i think i’ve been hacked on one of my boxes...

I try to find which process binds a specific port :

# netstat -anpe |grep udp
gives me
udp 0 0 0.0.0.0:10001 0.0.0.0:* 0 5950269 -

Try as root.

Best
Frank
Re: finding a process that binds a specific port

nope... never used this service...
Still looking for an explanation, try chkrootkit and rkhunter right now

Nico

From: wootanaz
Sent: Wednesday, January 22, 2014 1:45 PM
To: Nico Angenon
Cc: debian security
Subject: Re: finding a process that binds a specific port

Maybe you are using (or had been) cloud service tonido?
http://www.tonido.com/forum/viewtopic.php?f=55&t=3368&start=10

hth

2014/1/22 Nico Angenon

the same...no output

Nico

-----Original Message-----
From: Andika Triwidada
Sent: Wednesday, January 22, 2014 1:33 PM
To: Nico Angenon
Cc: debian security
Subject: Re: finding a process that binds a specific port

On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon wrote:

Hello,

i think i’ve been hacked on one of my boxes...

I try to find which process binds a specific port :

# netstat -anpe |grep udp
gives me
udp 0 0 0.0.0.0:10001 0.0.0.0:* 0 5950269 -

but
# lsof |grep 10001
doesn’t show me anything

lsof -i -n | grep 10001
Re: finding a process that binds a specific port

The same... no output using lsof -i :10001

Nico

-----Original Message-----
From: Marco De Benedetto
Sent: Wednesday, January 22, 2014 1:35 PM
To: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

On Wed 22 Jan, Andika Triwidada wrote:

On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon wrote:
> Hello,
>
> i think i’ve been hacked on one of my boxes...
>
> I try to find which process binds a specific port :
>
> # netstat -anpe |grep udp
> gives me
> udp 0 0 0.0.0.0:10001 0.0.0.0:*
> 0 5950269 -
>
>
> but
> # lsof |grep 10001
> doesn’t show me anything

lsof -i -n | grep 10001

sudo lsof -i :10001
Re: finding a process that binds a specific port

the same...no output

Nico

-----Original Message-----
From: Andika Triwidada
Sent: Wednesday, January 22, 2014 1:33 PM
To: Nico Angenon
Cc: debian security
Subject: Re: finding a process that binds a specific port

On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon wrote:

Hello,

i think i’ve been hacked on one of my boxes...

I try to find which process binds a specific port :

# netstat -anpe |grep udp
gives me
udp 0 0 0.0.0.0:10001 0.0.0.0:* 0 5950269 -

but
# lsof |grep 10001
doesn’t show me anything

lsof -i -n | grep 10001
finding a process that binds a specific port

Hello,

i think i’ve been hacked on one of my boxes...

I try to find which process binds a specific port :

# netstat -anpe |grep udp
gives me
udp 0 0 0.0.0.0:10001 0.0.0.0:* 0 5950269 -

but
# lsof |grep 10001
doesn’t show me anything

i’ve tried to cat /proc/*/cmdline... no 10001 found
no 10001 in ‘ps aux’
no 10001 in ‘rpcinfo -p’

any idea ?

Thanks
Nico
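
Added example, not part of the original thread: when netstat prints "-" for the PID but still shows an inode (5950269 above), the lookup can be done by hand by finding the port's socket inode in /proc/net/udp and then searching every /proc/PID/fd for a link to that inode. The function names, the optional file and proc-root arguments, and the constructed demo data (table row, PID 4242) are assumptions of this example.

```shell
#!/bin/sh
# Added example: follow a UDP port to its socket inode, then to owning PIDs.

# Print the inode of every UDP socket bound to local port $1.
# $2...: tables in /proc/net/udp format (default: the live IPv4/IPv6 tables).
udp_inodes_for_port() {
    port=$1; shift
    [ "$#" -gt 0 ] || set -- /proc/net/udp /proc/net/udp6
    hex=$(printf '%04X' "$port")   # the kernel prints ports as 4 hex digits
    # Field 2 is the local "ADDR:PORT" in hex, field 10 the socket inode.
    awk -v hex="$hex" 'FNR > 1 { n = split($2, a, ":"); if (a[n] == hex) print $10 }' \
        "$@" 2>/dev/null | sort -un
}

# Print every PID under proc root $2 (default /proc) holding socket inode $1.
pids_for_inode() {
    inode=$1; root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        pid=${fd#"$root"/}
        echo "${pid%%/*}"
    done | sort -un
}

# Report the owner of UDP port $1; $2 = table file, $3 = proc root (optional).
who_owns_udp_port() {
    for ino in $(udp_inodes_for_port "$1" ${2:+"$2"}); do
        pids=$(pids_for_inode "$ino" "${3:-/proc}" | tr '\n' ' ')
        if [ -n "$pids" ]; then
            echo "inode $ino: pid(s) ${pids% }"
        else
            echo "inode $ino: no owning pid visible in /proc"
        fi
    done
}

# Constructed sample data (fake table row and fake PID 4242), not real output.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'sl local_address rem_address st tx_queue:rx_queue tr:when retrnsmt uid timeout inode' \
        '12: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 5950269 2' > "$d/udp"
    mkdir -p "$d/proc/4242/fd"
    ln -s 'socket:[5950269]' "$d/proc/4242/fd/3"
    who_owns_udp_port 10001 "$d/udp" "$d/proc"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then who_owns_udp_port "$1"; else demo; fi
```

Run it as root with the port number as the only argument to query the live system. When no PID holds the inode, the socket belongs either to the kernel itself (for example NFS lockd) or to a process that is not visible in /proc.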