From owner-freebsd-questions@FreeBSD.ORG Thu Nov 17 05:26:55 2005
Date: Wed, 16 Nov 2005 21:26:53 -0800 (PST)
From: Mark Jayson Alvarez <jay2xra@yahoo.com>
To: Marco Wertejuk, freebsd-questions@freebsd.org
Subject: Re: Need urgent help regarding security
In-Reply-To: <20051117020308.GA18424@maeko.hayai.de>
Message-ID: <20051117052653.32551.qmail@web51606.mail.yahoo.com>

Marco Wertejuk wrote:
> try sockstat | grep 6667 to see which process is connecting to irc and
> try to see what this process is doing with lsof, but depending on what
> backdoor or rootkit is used, it's possible to see nothing because
> intelligent rootkits hide themselves

Ok done this... and I found something.

First the output of netstat:

10.10.8.140.2994 195.204.1.132.6667 SYN_SENT
10.10.8.140.2993 195.204.1.132.6667 SYN_SENT

Then sockstat:

root adjkernt 4926 445 tcp4 10.10.8.140:2994 195.204.1.132:6667

So.. is it the adjkernt that has been replaced? What should I do with it?

P.S. I just plugged this server into our private network in order to access it from my workstation.
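A small triage check for the situation in this thread, added here as an example and not taken from the mail or from FreeBSD itself: it parses `netstat -n` and `sockstat -4c` output (sample rows constructed from the lines quoted above), reports every connection to an IRC port together with the owning process, and flags sockets that netstat shows but sockstat cannot attribute to any process, which is what a self-hiding rootkit looks like from userland. The column layouts assumed are the standard FreeBSD ones; the IRC port set and the sample data are assumptions made for the example.

```python
from collections import namedtuple

# Ports commonly used by IRC-based command and control; 6667 is the one in the thread.
IRC_PORTS = {*range(6660, 6670), 6697}
Conn = namedtuple("Conn", "local lport remote rport")

# Constructed sample output modelled on the netstat/sockstat lines quoted above:
# netstat shows two SYN_SENT connections to 195.204.1.132:6667, sockstat only one.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.10.8.140.2994       195.204.1.132.6667     SYN_SENT
tcp4       0      0  10.10.8.140.2993       195.204.1.132.6667     SYN_SENT
tcp4       0      0  10.10.8.140.22         10.10.8.7.51022        ESTABLISHED
"""
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     adjkernt   4926  445 tcp4  10.10.8.140:2994      195.204.1.132:6667
root     sshd       812   4   tcp4  10.10.8.140:22        10.10.8.7:51022
root     sshd       812   3   tcp4  *:22                  *:*
"""

def _endpoint(addr, sep):
    # Split "host<sep>port"; None for wildcard endpoints such as "*:*".
    host, _, port = addr.rpartition(sep)
    return (host, int(port)) if port.isdigit() else None

def _rows(text, proto_col, addr_col, sep):
    # Yield (Conn, fields) for every TCP row whose endpoints carry numeric ports.
    for f in (line.split() for line in text.splitlines()):
        if len(f) > addr_col + 1 and f[proto_col].startswith("tcp"):
            l, r = _endpoint(f[addr_col], sep), _endpoint(f[addr_col + 1], sep)
            if l and r:
                yield Conn(*l, *r), f

def parse_netstat(text):
    # netstat -n rows: "tcp4 0 0 10.10.8.140.2994 195.204.1.132.6667 SYN_SENT"
    return {c for c, _ in _rows(text, 0, 3, ".")}

def parse_sockstat(text):
    # sockstat -4c rows: "root adjkernt 4926 445 tcp4 10.10.8.140:2994 195.204.1.132:6667"
    return {c: (f[0], f[1], int(f[2])) for c, f in _rows(text, 4, 5, ":")}

def find_irc_connections(netstat_text, sockstat_text):
    # Report every connection to an IRC port with its owning process; an owner
    # of None means netstat sees the socket but no process claims it, which is
    # the "rootkit hides itself" case from the thread and deserves a closer look.
    owners = parse_sockstat(sockstat_text)
    return [(c, owners.get(c))
            for c in sorted(parse_netstat(netstat_text), key=lambda c: c.lport)
            if c.rport in IRC_PORTS]
```

Run on the constructed sample it attributes the port-2994 connection to adjkernt (pid 4926) and reports the port-2993 connection with no owner; on a live box, a kernel-resident rootkit can hide from both tools, so the netstat view itself is best confirmed from a second host or a span port.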