From owner-freebsd-questions@FreeBSD.ORG Fri Sep 23 15:21:03 2005
From: "Alex"
Date: Fri, 23 Sep 2005 17:21:04 +0200
Message-ID: <000001c5c052$69d6c020$640010ac@neo>
Subject: tcp connections not showing up anymore on netstat?

Hello list,

I've got a rather strange problem. Yesterday, when I rebooted my box I was still able to ping the box, but no services started (apache, ssh etc), nor did they show up on netstat. So I rebooted it again, now I could connect to the box on port 80 (httpd) and port 22 (ssh) but netstat still won't show tcp. I'm beginning to think I got hacked because NOTHING was changed in the configuration. And if I have, is there anything I can do to see which bins were rootkitted?

Anyways, here is the relevant info, I'd appreciate some help:

-bash-2.05b# dmesg -a
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
    The Regents of the University of California. All rights reserved.
FreeBSD 5.4-STABLE #1: Fri Sep 2 19:31:58 CEST 2005
    root@dracula.darksniper.net:/usr/obj/usr/src/sys/DRACULA
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium II/Pentium II Xeon/Celeron (350.80-MHz 686-class CPU)
  Origin = "GenuineIntel" Id = 0x651 Stepping = 1
  Features=0x183f9ff
real memory = 201261056 (191 MB)
avail memory = 187076608 (178 MB)
pnpbios: Bad PnP BIOS data checksum
ACPI disabled by blacklist. Contact your BIOS vendor.
lo0: flags=8049 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
Firewall rules loaded, starting divert daemons: .
net.inet.ip.fw.enable: 1 -> 1
Starting dhclient.
Starting syslogd.
Sep 23 17:21:27 dracula syslogd: kernel boot file is /boot/kernel/kernel
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/X11R6/lib /usr/local/lib
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout /usr/X11R6/lib/aout /etc /ld.so.conf
Starting usbd.
apm: can't open /dev/apm : No such file or directory
Starting local daemons:
Starting up Apache: httpd started
Starting up idled: ddclient:
Starting up MySQL:
050923 17:21:37 InnoDB: Started; log sequence number 0 122655417
/usr/local/libexec/mysqld: ready for connections.
Version: '4.1.11' socket: '/tmp/mysql.sock' port: 0 Source distribution

-bash-2.05b# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp4       0      0  *.snmp                 *.*
udp4       0      0  *.syslog               *.*
udp4       0      0  *.bootpc               *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
c15e908c stream      0      0 c1790528        0        0        0 /tmp/mysql.sock
c15e91a4 stream      0      0 c15ecb58        0        0        0 /var/run/devd.pipe
c15e9230 dgram       0      0        0 c15e9118        0 c15e9000
c15e9000 dgram       0      0        0 c15e9118        0        0
c15e9118 dgram       0      0 c15ec210        0 c15e9230        0 /var/run/log