From: Magnus Rixtorp (marixRSN.BTH.SE)
Date: Fri Apr 13 2001 - 10:59:55 CDT

    Hello,

    I have a box on our student network that we suspect of being hacked.
    Does anyone recall seeing this?
    The box is still online and not reinstalled, because we want to find what and
    how :)

    Suspicious ports open are
    3868/tcp open unknown
    2587/tcp open unknown

    The ports are open, but don't give any output.

    netstat outputs the following:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags Type State I-Node Path

    BUT, if I rename /bin/netstat to /bin/netstat2 I get

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    <snipped a lot of known ports>
    tcp 0 0 *:3868 *:* LISTEN
    tcp 0 0 host.net:2587 *:* LISTEN
    raw 0 0 *:icmp *:* 7
    raw 0 0 *:tcp *:* 7

    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags Type State I-Node Path
    unix 1 [ ] STREAM CONNECTED 660 0000002b
    unix 1 [ ] STREAM CONNECTED 520 0000001a
    unix 1 [ ] STREAM CONNECTED 664500 00004e78
    unix 0 [ ] STREAM CONNECTED 112 00000010
    unix 0 [ ACC ] STREAM LISTENING 376457 /dev/log
    unix 1 [ ] STREAM CONNECTED 664501 /dev/log
    unix 1 [ ] STREAM CONNECTED 661 /dev/log
    unix 1 [ ] STREAM CONNECTED 521 /dev/log

    Regards,

    Magnus 'Marix' Rixtorp - Hustomte Hus8 / C-Drift Rby / DNS crew

    Student at Department of Telecommunications and Signal Processing
    Blekinge Institute of Technology, Sweden
    "Carpe diem quam minimum credula postero"
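
An added example, not part of the original post: one way to cross-check the kind of discrepancy described above is to list TCP LISTEN sockets directly from Linux's /proc/net/tcp and diff them against what the netstat binary prints. The sample inputs are constructed (ports 3868 and 2587 come from the post; port 22 and all function names are assumptions). A kernel-level rootkit can falsify /proc as well, so an empty result does not prove the host is clean.

```python
import re

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample: /proc/net/tcp as the kernel would report it.
# 0x0F1C = 3868 and 0x0A1B = 2587 (ports from the post); 0x0016 = 22 is assumed.
SAMPLE_PROC = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 501
   1: 00000000:0F1C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 502
   2: 0100007F:0A1B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 503
   3: 0100007F:0016 0100007F:8001 01 00000000:00000000 00:00000000 00000000     0        0 504
"""

# Constructed sample: output of a tampered netstat that omits two listeners.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:22 *:* LISTEN
"""

def proc_listen_ports(proc_text):
    """Return the set of TCP ports in LISTEN state from /proc/net/tcp text."""
    ports = set()
    for line in proc_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:   # fields[3] is the state
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # hex port after ':'
    return ports

def netstat_listen_ports(netstat_text):
    """Return the set of TCP ports that netstat output reports as LISTEN."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            m = re.search(r":(\d+)$", fields[3])     # numeric ports only (netstat -n)
            if m:
                ports.add(int(m.group(1)))
    return ports

def hidden_ports(proc_text, netstat_text):
    """Ports the kernel lists as listening that netstat did not show."""
    return sorted(proc_listen_ports(proc_text) - netstat_listen_ports(netstat_text))

if __name__ == "__main__":
    print("listeners missing from netstat:", hidden_ports(SAMPLE_PROC, SAMPLE_NETSTAT))
```

On a live host, feed it the contents of /proc/net/tcp and the output of `netstat -an`, ideally read with statically linked tools from trusted media.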