Re: finding a process that bind a spcific port

2014-01-23 Thread Nicolas Rachinsky
* emmanuel segura  [2014-01-22 15:06 +0100]:
> if you think you have been hacked, you can use ps, lsof and other commands
> from another, non-hacked server, for example scp goodserver:/bin/ps /tmp/ps
> and use /tmp/ps; this isn't secure, because maybe the attacker installed
> a rootkit

If you have used the password for goodserver, then the attacker may
now have this as well. Or the passphrase to your key. If you do not
need any of these, the goodserver might not be that good.

Nicolas


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140123081654.ga69...@mid.pc5.i.0x5.de



Re: finding a process that bind a spcific port

2014-01-22 Thread Lesley Binks
I believe it's better for rkhunter to be initialised on a fresh install,
but I think it also checks for the existence of files known to be part of a
rootkit. Admittedly of minor value.

The thing *not* to do with an infected system is initialise the rkhunter db.

Lesley
> Yes, but this is only the case when rkhunter was active before.
> AFAIK rkhunter itself has no signatures; it generates the initial
> checksums on first start.
> 
> Mit freundlichen Grüßen / best regards,
> Kevin Olbrich.
> Web: http://kevin-olbrich.de/
> --
> *This e-mail contains confidential and/or legally protected information.
> If you are not the intended recipient and/or have received this e-mail
> in error, please inform the sender immediately and destroy this mail.
> Unauthorised copying and unauthorised forwarding of this mail is not
> permitted.*
> 
> On 23.01.2014 at 00:22, NOKUBI Takatsugu wrote:
> 
>> At Wed, 22 Jan 2014 19:47:27 +0700,
>> Andika Triwidada wrote:
>>> On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon wrote:
>>>> the same...no output
>>>
>>> could be hidden by rootkit :(
>>
>> I think so too.
>>
>> Could you try to use debsums and rkhunter? It would find cracked
>> commands.


Re: finding a process that bind a spcific port

2014-01-22 Thread Kevin Olbrich
Yes, but this is only the case when rkhunter was active before.
AFAIK rkhunter itself has no signatures; it generates the initial checksums on
first start.

Mit freundlichen Grüßen / best regards,
Kevin Olbrich.
Web: http://kevin-olbrich.de/

On 23.01.2014 at 00:22, NOKUBI Takatsugu wrote:

> At Wed, 22 Jan 2014 19:47:27 +0700,
> Andika Triwidada wrote:
>> 
>> On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon  wrote:
>>> the same...no output
>> 
>> could be hidden by rootkit :(
> 
> I think so too.
> 
> Could you try to use debsums and rkhunter? It would find cracked
> commands.
> 
> 



Re: finding a process that bind a spcific port

2014-01-22 Thread NOKUBI Takatsugu
At Wed, 22 Jan 2014 19:47:27 +0700,
Andika Triwidada wrote:
> 
> On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon  wrote:
> > the same...no output
> 
> could be hidden by rootkit :(

I think so too.

Could you try to use debsums and rkhunter? It would find cracked
commands.


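What debsums checks, worked through as an added example for this thread (it is not debsums' own code nor any participant's). dpkg records an MD5 for every file it installs in /var/lib/dpkg/info/<package>.md5sums, one "<md5 hex>  <path relative to />" line per file, and recomputing those sums flags a replaced binary such as a trojaned /bin/ps, which is what "cracked commands" means above. The package name procps, the file contents and the temporary root that demo() builds are constructed for the example; verify_package("procps") with the default root checks the real installation.

```python
"""Recompute dpkg's recorded MD5 sums for a package's files, the check
debsums performs to flag a replaced binary.

Added example for the thread, not code from debsums or from any of its
participants.
"""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse /var/lib/dpkg/info/<pkg>.md5sums: '<md5 hex>  <path from />'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, relpath = line.partition("  ")
        if not sep or len(digest) != 32:
            raise ValueError("malformed md5sums line: %r" % line)
        entries.append((digest.lower(), relpath))
    return entries


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries, root="/"):
    """relpath -> 'OK' | 'FAILED' (content differs) | 'MISSING'."""
    results = {}
    for digest, relpath in entries:
        path = os.path.join(root, relpath)
        if not os.path.isfile(path):
            results[relpath] = "MISSING"
        elif md5_of_file(path) == digest:
            results[relpath] = "OK"
        else:
            results[relpath] = "FAILED"
    return results


def verify_package(pkg, root="/"):
    """Check every file dpkg recorded for `pkg` under `root`."""
    listing = os.path.join(root, "var", "lib", "dpkg", "info", pkg + ".md5sums")
    with open(listing) as f:
        return verify(parse_md5sums(f.read()), root)


def suspicious(results):
    """Paths that did not verify, sorted for reporting."""
    return sorted(p for p, state in results.items() if state != "OK")


def demo():
    """Constructed fixture (not a real system): a fake root where bin/ps is
    intact, bin/kill was replaced and bin/pgrep was deleted. The package
    name and file contents are made up for the example."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "var", "lib", "dpkg", "info"))
    genuine_ps = b"#!/bin/sh\necho genuine ps\n"
    genuine_kill = b"#!/bin/sh\necho genuine kill\n"
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(genuine_ps)
    with open(os.path.join(root, "bin", "kill"), "wb") as f:
        f.write(b"#!/bin/sh\necho trojaned kill\n")
    # the md5sums list always carries the sums dpkg recorded at install time
    listing = "".join("%s  %s\n" % (hashlib.md5(data).hexdigest(), path)
                      for data, path in ((genuine_ps, "bin/ps"),
                                         (genuine_kill, "bin/kill"),
                                         (b"pgrep", "bin/pgrep")))
    with open(os.path.join(root, "var", "lib", "dpkg", "info",
                           "procps.md5sums"), "w") as f:
        f.write(listing)
    return verify_package("procps", root)


if __name__ == "__main__":
    print(suspicious(demo()))
```

A clean result is evidence only against a careless replacement: an attacker with root can rewrite the md5sums list alongside the binary, and a kernel-level rootkit can misreport file contents, so compare against the sums from a freshly downloaded .deb, or examine the disk from clean media as suggested elsewhere in this thread, before trusting it.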



Re: finding a process that bind a spcific port

2014-01-22 Thread Noah Meyerhans
On Jan 22, 2014 9:11 AM, Nico Angenon  wrote:
>
> Here is the ps aufx result... (a bit long)

(Please excuse any wonky formatting or glaring oversights, I'm on a mobile 
device.)

You appear to be running an nfs server on this host. Try stopping the 
nfs-kernel-server service and see if anything changes.



> root 11015  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
> [rpciod/0] 
> root 11017  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
> [rpciod/1] 
> root 11018  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
> [rpciod/2] 
> root 11019  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
> [rpciod/3]

...

> root 11024  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
> [nfsiod]

...

> root 29114  0.0  0.0  18736   812 ?    Ss   13:16   0:00 
> /sbin/rpcbind -w 


Re: finding a process that bind a spcific port

2014-01-22 Thread Matthew Babcock
Perhaps in your haste, you missed something.

If I run netstat -anpe as a user I get this specific message and the PID
column is populated with only a "-" for all entries, just like you
showed.

I.E.

netstat -anpe |grep udp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
udp0  0 0.0.0.0:631 0.0.0.0:*
0  5285429 -   

see the message? 

However, running "sudo netstat -anpe |grep udp" actually displays the
PID/Binary
udp0  0 0.0.0.0:631 0.0.0.0:*
0  5285429 3334/cupsd  


The Process ID is what you are supposed to use to match a socket to the
binary that opened it.


**Try "sudo netstat -anpeev"


You can also try to find the inode. Though it is a large number and you
may not find it on disk.

**Also, try "find / -inum 5950269 -print"


You might also try starting a packet capture and removing the firewall.
After a bit kill the packet capture and see what Wireshark tells you.

**"sudo tcpdump -i eth0? -nASs0 -c 500 -w `hostname`-`date +%F-%H%M`.pcap port 10001"
This will automatically stop after 500 packets to/from port 10001.




On Wed, 2014-01-22 at 13:20 +0100, Nico Angenon wrote:
> Hello,
>  
> I think I've been hacked on one of my boxes... 
>  
> I'm trying to find which process binds a specific port:
>  
> # netstat -anpe |grep udp
> gives me
> udp0  0 0.0.0.0:10001   0.0.0.0:*
> 0  5950269 -
>  
>  
> but 
> # lsof |grep 10001
> doesn’t show me anything
>  
> I've tried to cat /proc/*/cmdline... no 10001 found
> no 10001 in ‘ps aux’
> no 10001 in ‘rpcinfo –p’
>  
> any idea ?
>  
> Thanks 
> Nico
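The socket-inode matching described above, worked through against /proc in Python. This is an added example for this thread, not code from Matthew or from netstat or lsof; it does by hand the two steps those tools perform: read the inode for the port from /proc/net/udp, then look for the symlink target socket:[inode] in every /proc/<pid>/fd. The sample /proc/net/udp text is constructed for the example (the inode 5950269 is the one from the netstat output quoted in the thread; the PID 4242 and the fake /proc tree that demo() builds are made up), so the block runs without privileges; for the real lookup call who_binds_udp(10001) as root, since other users' /proc/<pid>/fd directories are not readable. An inode that no fd in any process points to is what netstat shows as "-" even when run as root: either the socket belongs to the kernel itself (the NFS and rpc kernel threads in the ps output elsewhere in this thread open their sockets from kernel space, which is the case Noah Meyerhans raises) or the owning process is hidden from /proc.

```python
"""Map a listening UDP port to a socket inode and then to the owning
process by reading /proc, the two steps netstat -p and lsof perform.

Added example for the thread, not code from any of its participants.
"""
import os
import socket
import struct
import tempfile

# Constructed sample of /proc/net/udp in the layout the Linux kernel prints:
# the IPv4 address is a 32-bit hex number in host byte order, the port a
# plain hex number (0x2711 = 10001, 0x0035 = 53), the inode is column 10.
# 5950269 is the inode from the netstat output in the thread.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   7: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12345 2 0000000000000000 0
  42: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5950269 2 0000000000000000 0
"""


def parse_proc_net_udp(text):
    """Return one dict per socket line: local ip/port, uid and inode."""
    sockets = []
    for line in text.splitlines()[1:]:            # line 0 is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # the kernel prints the raw 32-bit address in host byte order,
        # so repack it in native order to recover the dotted quad
        ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
        sockets.append({"ip": ip, "port": int(port_hex, 16),
                        "uid": int(fields[7]), "inode": int(fields[9])})
    return sockets


def socket_inodes_for_port(text, port):
    return [s["inode"] for s in parse_proc_net_udp(text) if s["port"] == port]


def find_socket_owners(inode, proc_root="/proc"):
    """(pid, fd) for every process whose fd table holds socket:[inode]."""
    target = "socket:[%d]" % inode
    owners = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:      # not root / not our process, or it just exited
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append((int(name), int(fd)))
            except OSError:
                continue
    return owners


def who_binds_udp(port, proc_root="/proc"):
    """inode -> [(pid, fd)] for every UDP socket bound to `port`.
    An empty owner list is the "-" netstat prints: no user process holds
    the socket (kernel-owned, e.g. NFS/lockd) or the process is hidden."""
    with open(os.path.join(proc_root, "net", "udp")) as f:
        text = f.read()
    return {inode: find_socket_owners(inode, proc_root)
            for inode in socket_inodes_for_port(text, port)}


def demo():
    """Run the lookup against a constructed fake /proc tree (no root needed)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "udp"), "w") as f:
        f.write(SAMPLE_PROC_NET_UDP)
    fd_dir = os.path.join(root, "4242", "fd")   # made-up pid 4242 owns the DNS socket
    os.makedirs(fd_dir)
    os.symlink("/dev/null", os.path.join(fd_dir, "0"))
    os.symlink("socket:[12345]", os.path.join(fd_dir, "3"))
    # nobody in the fake /proc holds inode 5950269, the thread's situation
    return who_binds_udp(53, root), who_binds_udp(10001, root)


if __name__ == "__main__":
    print(demo())
```

/proc/net/tcp has the same layout, so the parser serves TCP ports unchanged. The caveat from the thread applies here too: the lookup trusts the /proc the kernel presents, so a kernel rootkit that filters /proc hides the owner from this check exactly as it hides it from lsof.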



Re: finding a process that bind a spcific port

2014-01-22 Thread Nico Angenon
pache2 -k start
root 13277  0.0  0.0   3916   572 ?Ss   12:42   0:00 
/usr/sbin/acpid
clamav   14012  0.0  6.1 313124 249112 ?   Ssl  12:42   0:07 
/usr/sbin/clamd
clamav   14346  0.0  0.0  38484  1356 ?Ss   12:43   0:00 
/usr/bin/freshclam -d --quiet
root 14729  0.0  0.0  17072  1068 ?Sudevd --daemon
root 14955  0.0  0.0  17128  1008 ?S<   12:44   0:00  \_ 
udevd --daemon
root 14957  0.0  0.0  17128   936 ?S<   12:44   0:00  \_ 
udevd --daemon
root 15402  0.1  0.0 118024  1708 ?Sl   12:45   0:10 
/usr/sbin/rsyslogd -c5
root 15966  0.1  0.1  67284  7580 ?Sl   12:46   0:13 
/usr/bin/python /usr/bin/fail2ban-server -b -s 
/var/run/fail2ban/fail2ban.sock
root 25592  3.9  0.1  93136  6004 ?Ss   13:06   5:07 
/usr/bin/perl -w /usr/sbin/mailgraph -l 
/var/log/mail.log -d --daemon_rrd=/var/lib/mailgraph
root 29114  0.0  0.0  18736   812 ?Ss   13:16   0:00 
/sbin/rpcbind -w


-Original Message- 
From: Matias Mucciolo

Sent: Wednesday, January 22, 2014 3:00 PM
To: debian-security@lists.debian.org
Cc: Nico Angenon ; lesley.bi...@gmail.com
Subject: Re: finding a process that bind a spcific port


Can you paste a ps auxf output?
Maybe someone will see some strange process.

--

Matias

On Wednesday, January 22, 2014 10:57:14 AM Nico Angenon wrote:

Hello,

I've put a firewall rule on this (before the box), so there is no 
connection left on this port... but there was a lot of traffic on this port 
before the rule...


Nico

From: Lesley Binks
Sent: Wednesday, January 22, 2014 2:46 PM
To: Nico Angenon
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that bind a spcific port

Sorry for top posting. I'm on my phone.

You can always check for data on the interface using tcpdump.
Worth using it to verify what's happening.

Lesley

On 22 Jan 2014 13:33, "Nico Angenon"  wrote:

  no output

  Thanks for all...

  Nico

  -Original Message- From: johan A. van Zanten
  Sent: Wednesday, January 22, 2014 1:56 PM
  To: n...@creaweb.fr
  Cc: debian-security@lists.debian.org
  Subject: Re: finding a process that bind a spcific port


  "Nico Angenon"  wrote:

nope... never used this service...
Still looking for an explanation, trying chkrootkit and rkhunter right
now


  Try fuser:

  fuser -n udp 10001

  -johan















Re: finding a process that bind a spcific port

2014-01-22 Thread emmanuel segura
If you think you have been hacked, you can use ps, lsof and other commands
from another, non-hacked server, for example scp goodserver:/bin/ps /tmp/ps
and use /tmp/ps; this isn't secure, because maybe the attacker installed
a rootkit


2014/1/22 Matias Mucciolo 

>
> Can you paste a ps auxf output?
> Maybe someone will see some strange process.
>
> --
>
> Matias
>
> On Wednesday, January 22, 2014 10:57:14 AM Nico Angenon wrote:
> > Hello,
> >
> > I've put a firewall rule on this (before the box), so there is no
> connection left on this port... but there was a lot of traffic on this port
> before the rule...
> >
> > Nico
> >
> > From: Lesley Binks
> > Sent: Wednesday, January 22, 2014 2:46 PM
> > To: Nico Angenon
> > Cc: debian-security@lists.debian.org
> > Subject: Re: finding a process that bind a spcific port
> >
> > Sorry for top posting. I'm on my phone.
> >
> > You can always check for data on the interface using tcpdump.
> > Worth using it to verify what's happening.
> >
> > Lesley
> >
> > On 22 Jan 2014 13:33, "Nico Angenon"  wrote:
> >
> >   no output
> >
> >   Thanks for all...
> >
> >   Nico
> >
> >   -Original Message- From: johan A. van Zanten
> >   Sent: Wednesday, January 22, 2014 1:56 PM
> >   To: n...@creaweb.fr
> >   Cc: debian-security@lists.debian.org
> >   Subject: Re: finding a process that bind a spcific port
> >
> >
> >   "Nico Angenon"  wrote:
> >
> > nope... never used this service...
> > Still looking for an explanation, trying chkrootkit and rkhunter right
> > now
> >
> >
> >   Try fuser:
> >
> >   fuser -n udp 10001
> >
> >   -johan
> >
> >
> >
> >
> >
>
>
>
>


-- 
this is my life and I live it as long as God wills


Re: finding a process that bind a spcific port

2014-01-22 Thread Matias Mucciolo

Can you paste a ps auxf output?
Maybe someone will see some strange process.

-- 

Matias

On Wednesday, January 22, 2014 10:57:14 AM Nico Angenon wrote:
> Hello,
> 
> I've put a firewall rule on this (before the box), so there is no connection 
> left on this port... but there was a lot of traffic on this port before the 
> rule...
> 
> Nico
> 
> From: Lesley Binks 
> Sent: Wednesday, January 22, 2014 2:46 PM
> To: Nico Angenon 
> Cc: debian-security@lists.debian.org 
> Subject: Re: finding a process that bind a spcific port
> 
> Sorry for top posting. I'm on my phone.
> 
> You can always check for data on the interface using tcpdump.
> Worth using it to verify what's happening.
> 
> Lesley 
> 
> On 22 Jan 2014 13:33, "Nico Angenon"  wrote:
> 
>   no output
> 
>   Thanks for all...
> 
>   Nico
> 
>   -Original Message- From: johan A. van Zanten
>   Sent: Wednesday, January 22, 2014 1:56 PM
>   To: n...@creaweb.fr
>   Cc: debian-security@lists.debian.org
>   Subject: Re: finding a process that bind a spcific port
> 
> 
>   "Nico Angenon"  wrote:
> 
> nope... never used this service...
> Still looking for an explanation, trying chkrootkit and rkhunter right
> now
> 
> 
>   Try fuser:
> 
>   fuser -n udp 10001
> 
>   -johan
> 
> 
>  
> 
> 
> 





Re: finding a process that bind a spcific port

2014-01-22 Thread Nico Angenon
Hello,

I've put a firewall rule on this (before the box), so there is no connection 
left on this port... but there was a lot of traffic on this port before the 
rule...

Nico

From: Lesley Binks 
Sent: Wednesday, January 22, 2014 2:46 PM
To: Nico Angenon 
Cc: debian-security@lists.debian.org 
Subject: Re: finding a process that bind a spcific port

Sorry for top posting. I'm on my phone.

You can always check for data on the interface using tcpdump.
Worth using it to verify what's happening.

Lesley 

On 22 Jan 2014 13:33, "Nico Angenon"  wrote:

  no output

  Thanks for all...

  Nico

  -Original Message- From: johan A. van Zanten
  Sent: Wednesday, January 22, 2014 1:56 PM
  To: n...@creaweb.fr
  Cc: debian-security@lists.debian.org
  Subject: Re: finding a process that bind a spcific port


  "Nico Angenon"  wrote:

nope... never used this service...
Still looking for an explanation, trying chkrootkit and rkhunter right
now


  Try fuser:

  fuser -n udp 10001

  -johan






Re: finding a process that bind a spcific port

2014-01-22 Thread Milan P. Stanic
On Wed, 2014-01-22 at 14:26, Nico Angenon wrote:
> Files /tmp/a and /tmp/b give me the same number list...
> 
> I'll format the box, it'll go faster...

True!

But if there is a vulnerability (security hole) in your system, it's just
a question of time until you'll have this situation again.

> -Original Message- From: Matias Mucciolo
> Sent: Wednesday, January 22, 2014 2:14 PM
> To: debian-security@lists.debian.org
> Cc: Nico Angenon
> Subject: Re: finding a process that bind a spcific port
> 
> 
> You can try something like:
> 
> cd /proc/ && ls -d1 [0-9]* | sort -n  > /tmp/a  && ps ax -o pid |
> grep "[0-9]" | tr -d " " | sort -n > /tmp/b
> 
> and check which PID exists in the /proc dir but not in ps
> example on my box:
> 
> ..
> 4615    4615
> 4624    4624
> 4647    4647
> 4702  | 4704
> 4703  | 4705
>       > 4706
>       > 4707
> 
> in my case I have a difference, but it's because of the grep/etc PIDs
> 
> 
> 
> -- 
> 
> Matias
> 
> 
> On Wednesday, January 22, 2014 10:01:09 AM Nico Angenon wrote:
> >Same : No output...
> >
> >Nico
> >
> >-Original Message- From: johan A. van Zanten
> >Sent: Wednesday, January 22, 2014 1:56 PM
> >To: n...@creaweb.fr
> >Cc: debian-security@lists.debian.org
> >Subject: Re: finding a process that bind a spcific port
> >
> >
> >"Nico Angenon"  wrote:
> >> nope... never used this service...
> >> Still looking for an explanation, trying chkrootkit and rkhunter right
> >> now
> >
> >Try fuser:
> >
> >fuser -n udp 10001
> >
> >-johan
> >
> >
> >
> >
> 
> 
> 
> 
> 

-- 
Kind regards,  Milan
--
Arvanta,http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in
proprietary format (word, excel, pps and so on)





Re: finding a process that bind a spcific port

2014-01-22 Thread Lesley Binks
Sorry for top posting. I'm on my phone.

You can always check for data on the interface using tcpdump.
Worth using it to verify what's happening.

Lesley
On 22 Jan 2014 13:33, "Nico Angenon"  wrote:

> no output
>
> Thanks for all...
>
> Nico
>
> -Original Message- From: johan A. van Zanten
> Sent: Wednesday, January 22, 2014 1:56 PM
> To: n...@creaweb.fr
> Cc: debian-security@lists.debian.org
> Subject: Re: finding a process that bind a spcific port
>
>
> "Nico Angenon"  wrote:
>
>> nope... never used this service...
>> Still looking for an explanation, trying chkrootkit and rkhunter right
>> now
>>
>
> Try fuser:
>
> fuser -n udp 10001
>
> -johan
>
>
>
>
>


Re: finding a process that bind a spcific port

2014-01-22 Thread Erwan David
On Wed, Jan 22, 2014 at 02:33:27PM CET, Nico Angenon  said:
> no output
> 
> Thanks for all...
> 
> Nico

You may also try lsof -i udp:10001

Launch it as root, because a normal user cannot see the descriptors of 
processes owned by others.





Re: finding a process that bind a spcific port

2014-01-22 Thread Nico Angenon

no output

Thanks for all...

Nico

-Original Message- 
From: johan A. van Zanten

Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that bind a spcific port


"Nico Angenon"  wrote:

nope... never used this service...
Still looking for an explanation, trying chkrootkit and rkhunter right
now


Try fuser:

fuser -n udp 10001

-johan








Re: finding a process that bind a spcific port

2014-01-22 Thread johan A . van Zanten

"Nico Angenon"  wrote:
> nope... never used this service...
> Still looking for an explanation, trying chkrootkit and rkhunter right
> now

Try fuser:

fuser -n udp 10001

 -johan





Re: finding a process that bind a spcific port

2014-01-22 Thread Nico Angenon

Files /tmp/a and /tmp/b give me the same number list...

I'll format the box, it'll go faster...

Nico

-Original Message- 
From: Matias Mucciolo

Sent: Wednesday, January 22, 2014 2:14 PM
To: debian-security@lists.debian.org
Cc: Nico Angenon
Subject: Re: finding a process that bind a spcific port


You can try something like:

cd /proc/ && ls -d1 [0-9]* | sort -n  > /tmp/a  && ps ax -o pid | grep 
"[0-9]" | tr -d " " | sort -n > /tmp/b


and check which PID exists in the /proc dir but not in ps
example on my box:

..
4615    4615
4624    4624
4647    4647
4702  | 4704
4703  | 4705
      > 4706
      > 4707

in my case I have a difference, but it's because of the grep/etc PIDs



--

Matias


On Wednesday, January 22, 2014 10:01:09 AM Nico Angenon wrote:

Same : No output...

Nico

-Original Message- 
From: johan A. van Zanten

Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that bind a spcific port


"Nico Angenon"  wrote:
> nope... never used this service...
> Still looking for an explanation, trying chkrootkit and rkhunter right
> now

Try fuser:

fuser -n udp 10001

-johan













Re: finding a process that bind a spcific port

2014-01-22 Thread Matias Mucciolo

You can try something like:

cd /proc/ && ls -d1 [0-9]* | sort -n  > /tmp/a  && ps ax -o pid | grep  "[0-9]" 
| tr -d " " | sort -n > /tmp/b

and check which PID exists in the /proc dir but not in ps
example on my box:

..
4615    4615
4624    4624
4647    4647
4702  | 4704
4703  | 4705
      > 4706
      > 4707

in my case I have a difference, but it's because of the grep/etc PIDs



-- 

Matias  


On Wednesday, January 22, 2014 10:01:09 AM Nico Angenon wrote:
> Same : No output...
> 
> Nico
> 
> -Original Message- 
> From: johan A. van Zanten 
> Sent: Wednesday, January 22, 2014 1:56 PM 
> To: n...@creaweb.fr 
> Cc: debian-security@lists.debian.org 
> Subject: Re: finding a process that bind a spcific port 
> 
> 
> "Nico Angenon"  wrote:
> > nope... never used this service...
> > Still looking for an explanation, trying chkrootkit and rkhunter right
> > now
> 
> Try fuser:
> 
> fuser -n udp 10001
> 
> -johan
> 
> 
> 
> 


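The /proc-versus-ps comparison above, generalised into a script. This is an added example for this thread, not Matias's code or unhide's; it adds a third view, probing /proc/<pid> directly for every PID up to pid_max, because a rootkit that filters readdir() on /proc hides a process from ls and ps alike while the direct path lookup usually still succeeds. The fake /proc tree, the PID numbers and the ps output in demo() are constructed for the example; hunt() runs the real comparison on the live host.

```python
"""Find PIDs that exist but are missing from process listings.

Added example for the thread, generalising the /proc-versus-ps
comparison above; not code from any of its participants.
"""
import os
import subprocess
import tempfile


def listed_pids(proc_root="/proc"):
    """PIDs visible to readdir() on /proc, the view ls and ps use."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}


def probed_pids(proc_root="/proc", max_pid=None):
    """PIDs whose /proc/<pid> directory exists when opened directly.
    A readdir()-filtering rootkit hides entries from listings, but the
    path lookup usually still succeeds (unhide's "proc" technique)."""
    if max_pid is None:
        with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc_root, str(pid)))}


def ps_pids(ps_output):
    """PIDs from `ps ax -o pid=` style output: one number per line."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(listed, probed, ps, own_pids=()):
    """pid -> which views missed it, for every PID that is alive by direct
    probing. own_pids are this comparison's own transient helpers (the
    "grep/etc" difference noted above) and are not reported."""
    suspects = {}
    for pid in sorted(probed - set(own_pids)):
        missed = [view for view, seen in (("readdir", listed), ("ps", ps))
                  if pid not in seen]
        if missed:
            suspects[pid] = missed
    return suspects


def hunt(proc_root="/proc"):
    """Run all three views on the live host."""
    ps = subprocess.run(["ps", "ax", "-o", "pid="], capture_output=True,
                        text=True, check=True)
    return hidden_pids(listed_pids(proc_root), probed_pids(proc_root),
                       ps_pids(ps.stdout), own_pids=(os.getpid(),))


def demo():
    """Constructed scenario (made-up PIDs, fake /proc in a temp dir): both
    listing views omit PID 4647, and ps additionally never saw our own
    helper 4702, which must not be reported."""
    root = tempfile.mkdtemp()
    for pid in (1, 2, 4615, 4624, 4647, 4702):
        os.makedirs(os.path.join(root, str(pid)))
    listed = {1, 2, 4615, 4624, 4702}
    ps_text = "    1\n    2\n 4615\n 4624\n"
    return hidden_pids(listed, probed_pids(root, max_pid=5000),
                       ps_pids(ps_text), own_pids=(4702,))


if __name__ == "__main__":
    print(hunt() or "nothing hidden")
```

hunt() tries every PID up to pid_max (often 4194304 on current kernels), so it takes a few seconds; run it twice and keep only the PIDs flagged both times, since processes that exit between the snapshots show up as false positives just as the grep/etc PIDs did in the output above. As the thread also says, a kernel rootkit that hooks the path lookup as well defeats this check too, which is why pulling the disk and examining it from a clean machine remains the reliable path.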



Re: finding a process that bind a spcific port

2014-01-22 Thread Nico Angenon
If it's installed, I didn't do it...
I've never heard about this... 

Nico

From: Kevin Olbrich 
Sent: Wednesday, January 22, 2014 2:04 PM
To: Nico Angenon 
Cc: debian security 
Subject: Re: finding a process that bind a spcific port

Do you have IntelliJ installed in this box?

http://stackoverflow.com/questions/13345986/intellij-idea-using-10001-port

Mit freundlichen Grüßen / best regards,
Kevin Olbrich.

(mobile, from iPhone) 


On 22.01.2014 at 14:01, "Nico Angenon" wrote:


  Same : No output...

  Nico

  -Original Message- From: johan A. van Zanten
  Sent: Wednesday, January 22, 2014 1:56 PM
  To: n...@creaweb.fr
  Cc: debian-security@lists.debian.org
  Subject: Re: finding a process that bind a spcific port

  "Nico Angenon"  wrote:

nope... never used this service...
Still looking for an explanation, trying chkrootkit and rkhunter right
now


  Try fuser:

  fuser -n udp 10001

  -johan





Re: finding a process that bind a spcific port

2014-01-22 Thread Kevin Olbrich
Do you have IntelliJ installed in this box?

http://stackoverflow.com/questions/13345986/intellij-idea-using-10001-port

Mit freundlichen Grüßen / best regards,
Kevin Olbrich.

(mobile, from iPhone)


> On 22.01.2014 at 14:01, "Nico Angenon" wrote:
> 
> Same : No output...
> 
> Nico
> 
> -Original Message- From: johan A. van Zanten
> Sent: Wednesday, January 22, 2014 1:56 PM
> To: n...@creaweb.fr
> Cc: debian-security@lists.debian.org
> Subject: Re: finding a process that bind a spcific port
> 
> "Nico Angenon"  wrote:
>> nope... never used this service...
>> Still looking for an explanation, trying chkrootkit and rkhunter right
>> now
> 
> Try fuser:
> 
> fuser -n udp 10001
> 
> -johan
> 
> 
> 


Re: finding a process that bind a spcific port

2014-01-22 Thread Nico Angenon

Same : No output...

Nico

-Original Message- 
From: johan A. van Zanten 
Sent: Wednesday, January 22, 2014 1:56 PM 
To: n...@creaweb.fr 
Cc: debian-security@lists.debian.org 
Subject: Re: finding a process that bind a spcific port 



"Nico Angenon"  wrote:

nope... never used this service...
Still looking for an explanation, trying chkrootkit and rkhunter right
now


Try fuser:

fuser -n udp 10001

-johan





Re: finding a process that bind a spcific port

2014-01-22 Thread Nico Angenon
I do try as root...

Nico

From: Frank 
Sent: Wednesday, January 22, 2014 1:45 PM
To: debian-security@lists.debian.org 
Subject: Re: finding a process that bind a spcific port

On 01/22/2014 01:20 PM, Nico Angenon wrote:

  Hello,

  I think I've been hacked on one of my boxes... 

  I'm trying to find which process binds a specific port:

  # netstat -anpe |grep udp
  gives me
  udp0  0 0.0.0.0:10001   0.0.0.0:* 
  0  5950269 -

Try as root.

Best
Frank


Re: finding a process that bind a spcific port

2014-01-22 Thread Milan P. Stanic
On Wed, 2014-01-22 at 13:37, Nico Angenon wrote:
> the same...no output

Maybe you can be lucky with: 
ss -ulp

But if you are really hacked it would be better to shut down the machine,
move the disk to a clean machine and try some forensic tools.

> -Original Message- From: Andika Triwidada
> Sent: Wednesday, January 22, 2014 1:33 PM
> To: Nico Angenon
> Cc: debian security
> Subject: Re: finding a process that bind a spcific port
> On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon  wrote:
> >Hello,
> >
> >I think I've been hacked on one of my boxes...
> >
> >I'm trying to find which process binds a specific port:
> >
> ># netstat -anpe |grep udp
> >gives me
> >udp0  0 0.0.0.0:10001   0.0.0.0:*
> >0  5950269 -
> >
> >
> >but
> ># lsof |grep 10001
> >doesn’t show me anything
> 
> lsof -i -n | grep 10001





Re: finding a process that bind a spcific port

2014-01-22 Thread Frank
On 01/22/2014 01:20 PM, Nico Angenon wrote:
> Hello,
>  
> I think I've been hacked on one of my boxes...
>  
> I'm trying to find which process binds a specific port:
>  
> # netstat -anpe |grep udp
> gives me
> udp0  0 0.0.0.0:10001  
> 0.0.0.0:*   0  5950269 -
>
Try as root.

Best
Frank


Re: finding a process that bind a spcific port

2014-01-22 Thread Nico Angenon
nope... never used this service...
Still looking for an explanation, trying chkrootkit and rkhunter right now

Nico

From: wootanaz 
Sent: Wednesday, January 22, 2014 1:45 PM
To: Nico Angenon 
Cc: debian security 
Subject: Re: finding a process that bind a spcific port

Maybe you are using (or had been) cloud service tonido?

http://www.tonido.com/forum/viewtopic.php?f=55&t=3368&start=10


hth




2014/1/22 Nico Angenon 

  the same...no output

  Nico

  -Original Message- From: Andika Triwidada
  Sent: Wednesday, January 22, 2014 1:33 PM
  To: Nico Angenon
  Cc: debian security
  Subject: Re: finding a process that bind a spcific port 


  On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon  wrote:

Hello,

I think I've been hacked on one of my boxes...

I'm trying to find which process binds a specific port:

# netstat -anpe |grep udp
gives me
udp0  0 0.0.0.0:10001   0.0.0.0:*
0  5950269 -


but
# lsof |grep 10001
doesn’t show me anything


  lsof -i -n | grep 10001 





Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon

The same...

no output
using lsof -i :10001

Nico

-Original Message-
From: Marco De Benedetto

Sent: Wednesday, January 22, 2014 1:35 PM
To: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port

On Wed 22 Jan, Andika Triwidada wrote:

On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon  wrote:
> Hello,
>
> I think I've been hacked on one of my boxes...
>
> I'm trying to find which process binds a specific port:
>
> # netstat -anpe |grep udp
> gives me
> udp        0      0 0.0.0.0:10001   0.0.0.0:*   0   5950269   -
>
>
> but
> # lsof |grep 10001
> doesn't show me anything

lsof -i -n | grep 10001


sudo lsof -i :10001


--
Archive: http://lists.debian.org/20140122123529.ga11...@galliera.it 



--
Archive: http://lists.debian.org/150A2DAFDE394A189BEAA72993B697F4@NicoPC



Re: finding a process that binds a specific port

2014-01-22 Thread Andika Triwidada
On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon  wrote:
> the same...no output

could be hidden by rootkit :(

>
> Nico
>
> -Original Message- From: Andika Triwidada
> Sent: Wednesday, January 22, 2014 1:33 PM
> To: Nico Angenon
> Cc: debian security
> Subject: Re: finding a process that binds a specific port
>
> On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon  wrote:
>>
>> Hello,
>>
>> I think I've been hacked on one of my boxes...
>>
>> I'm trying to find which process binds a specific port:
>>
>> # netstat -anpe |grep udp
>> gives me
>> udp        0      0 0.0.0.0:10001   0.0.0.0:*   0   5950269   -
>>
>>
>> but
>> # lsof |grep 10001
>> doesn't show me anything
>
>
> lsof -i -n | grep 10001


--
Archive: http://lists.debian.org/canhsfsvdo_usjxsit-ihax1f0pv7mz07brgwyyprjgtoajt...@mail.gmail.com



Re: finding a process that binds a specific port

2014-01-22 Thread Andy
netstat -tulpn | grep :10001
grep 10001 /etc/services

or:
fuser 10001/udp
This will output the PID.
Then find the process name associated with that PID:

ls -l /proc/PID/exe

---Permission to forward and reprint is given.---
*Don't confuse my personality with my attitude. My personality is who I am.
My attitude depends on who you are.*


On Wed, Jan 22, 2014 at 12:37 PM, Nico Angenon  wrote:

> the same...no output
>
> Nico
>
> -Original Message- From: Andika Triwidada
> Sent: Wednesday, January 22, 2014 1:33 PM
> To: Nico Angenon
> Cc: debian security
> Subject: Re: finding a process that binds a specific port
>
>
> On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon  wrote:
>
>> Hello,
>>
>> I think I've been hacked on one of my boxes...
>>
>> I'm trying to find which process binds a specific port:
>>
>> # netstat -anpe |grep udp
>> gives me
>> udp        0      0 0.0.0.0:10001   0.0.0.0:*   0   5950269   -
>>
>>
>> but
>> # lsof |grep 10001
>> doesn't show me anything
>>
>
> lsof -i -n | grep 10001
>
> --
> Archive: http://lists.debian.org/B0AA26B538DD4C15884CB658AD15788D@NicoPC
>
>

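One way to carry out the lookup Andy describes without going through ps or lsof at all: read /proc/net/udp (the file netstat -anpe parses) for the socket inode, then walk /proc/<pid>/fd for a socket:[inode] link, which is how netstat fills its PID column. This is an added example, not code from the thread; the PROC variable and the function names are my own, and it needs root to see other users' descriptors.

```shell
#!/bin/bash
# Added example (not from the thread). Maps a UDP port to its socket inode via
# /proc/net/udp, then finds the pid holding that socket by scanning /proc/<pid>/fd.
# Reading /proc directly sidesteps a trojaned ps/lsof binary; a kernel-level
# rootkit that hides the pid from /proc itself can still defeat the scan.
# PROC is overridable so a captured copy of /proc can be examined offline.
PROC="${PROC:-/proc}"

# Decimal port -> 4-digit uppercase hex as used in /proc/net/udp (10001 -> 2711).
port_hex() { printf '%04X' "$1"; }

# Print the inode of every UDP socket whose local_address ends in :PORT.
# In /proc/net/udp field 2 is local_address (hexaddr:hexport), field 10 is the inode.
udp_inodes_for_port() {
    local p; p=":$(port_hex "$1")"
    awk -v p="$p" 'NR > 1 && substr($2, length($2) - length(p) + 1) == p { print $10 }' \
        "$PROC/net/udp"
}

# Print "<pid> <exe>" for each process holding a descriptor to socket:[inode].
owner_of_inode() {
    local inode="$1" fd pid
    for fd in "$PROC"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        pid=${fd#"$PROC"/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(readlink "$PROC/$pid/exe" 2>/dev/null || echo '?')"
    done
}

# Report the owner of a UDP port. Returns 1 when a bound socket has no visible
# owner: the "-" netstat printed in the thread. That means the caller is not
# root, the owner lives in another namespace, or the pid is being hidden.
check_port() {
    local inode owner rc=0
    for inode in $(udp_inodes_for_port "$1"); do
        owner=$(owner_of_inode "$inode")
        if [ -n "$owner" ]; then
            printf 'udp/%s inode %s -> %s\n' "$1" "$inode" "$owner"
        else
            printf 'udp/%s inode %s -> no owner visible in %s\n' "$1" "$inode" "$PROC"
            rc=1
        fi
    done
    return "$rc"
}

if [ -n "${1:-}" ]; then check_port "$1"; fi
```

Run as root with the port as argument (`./find-udp-owner.sh 10001`); an inode that shows up with no owner even as root is the point at which the rootkit checkers the thread recommends become worth running.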

Re: finding a process that binds a specific port

2014-01-22 Thread Marco De Benedetto
On Wed 22 Jan, Andika Triwidada wrote:
> On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon  wrote:
> > Hello,
> >
> > I think I've been hacked on one of my boxes...
> >
> > I'm trying to find which process binds a specific port:
> >
> > # netstat -anpe |grep udp
> > gives me
> > udp        0      0 0.0.0.0:10001   0.0.0.0:*   0   5950269   -
> >
> >
> > but
> > # lsof |grep 10001
> > doesn't show me anything
> 
> lsof -i -n | grep 10001

sudo lsof -i :10001


--
Archive: http://lists.debian.org/20140122123529.ga11...@galliera.it



Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon

the same...no output

Nico

-Original Message-
From: Andika Triwidada

Sent: Wednesday, January 22, 2014 1:33 PM
To: Nico Angenon
Cc: debian security
Subject: Re: finding a process that binds a specific port

On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon  wrote:

Hello,

I think I've been hacked on one of my boxes...

I'm trying to find which process binds a specific port:

# netstat -anpe |grep udp
gives me
udp        0      0 0.0.0.0:10001   0.0.0.0:*   0   5950269   -


but
# lsof |grep 10001
doesn't show me anything


lsof -i -n | grep 10001 



--
Archive: http://lists.debian.org/B0AA26B538DD4C15884CB658AD15788D@NicoPC



Re: finding a process that binds a specific port

2014-01-22 Thread Andika Triwidada
On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon  wrote:
> Hello,
>
> I think I've been hacked on one of my boxes...
>
> I'm trying to find which process binds a specific port:
>
> # netstat -anpe |grep udp
> gives me
> udp        0      0 0.0.0.0:10001   0.0.0.0:*   0   5950269   -
>
>
> but
> # lsof |grep 10001
> doesn't show me anything

lsof -i -n | grep 10001


--
Archive: http://lists.debian.org/CANHSFsuy3A_bMZwquT=nnn07cff9h1xxxvqrn2ibzosar2o...@mail.gmail.com



finding a process that binds a specific port

2014-01-22 Thread Nico Angenon
Hello,

I think I've been hacked on one of my boxes...

I'm trying to find which process binds a specific port:

# netstat -anpe |grep udp
gives me
udp        0      0 0.0.0.0:10001   0.0.0.0:*   0   5950269   -


but
# lsof |grep 10001
doesn't show me anything

I've tried to cat /proc/*/cmdline... no 10001 found
no 10001 in 'ps aux'
no 10001 in 'rpcinfo -p'

any idea ?

Thanks 
Nico