Mailing List Archive


Re: [tlug] Have I been hacked?



Knowing the port of the connection, you can use /proc/net/tcp to get the
inode, then use the inode in /proc/<pid>/fd/n->socket:[<inode>] to get the
pid, and /proc/<pid>/cmdline to find out which process is using the
connection.

But you probably already tried that one.

-mario

----- Original Message -----
From: "Jim Breen" <jwb@example.com>
To: <tlug@example.com>
Sent: Saturday, March 02, 2002 06:04
Subject: [tlug] Have I been hacked?


> G'day,
>
> I've been a bit worried about my RH6.2 system, which has been behaving
> oddly lately. On occasions it gets sluggish, as though something is using
> the network connection. People may recall that something zapped my "top"
> some weeks ago and it no longer works.
>
> Poking around, I notice the following when running tcpdump:
>
> 15:55:51.083588 eth0 > 0:0:0:0:0:0 0:10:a4:11:30:2a 66: CPE-144-132-16-104.vic.bigpond.net.au.1333 > proximity.globalgold.co.uk.www: tcp 0 (DF)
>
> Now I am "CPE-144-132-16-104.vic.bigpond.net.au".  At the time of running
> tcpdump I had no telnet/ssh/whatever connections up, and no browser
> running.
>
> It also seems to be pounding away at my ISP's DNS server.
>
> Any suggestions what I should look for, if there are any nasty surprises
> installed?
>
> Jim
>
> --
> Jim Breen  [j.breen@example.com  http://www.csse.monash.edu.au/~jwb/]
> Computer Science & Software Engineering,                Tel: +61 3 9905 3298
> P.O. Box 26, Monash University,                         Fax: +61 3 9905 5146
> Clayton VIC 3800, Australia      ジム・ブリーン@モナシュ大学
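The /proc walk Mario describes (local port -> /proc/net/tcp inode -> /proc/<pid>/fd link -> pid -> /proc/<pid>/cmdline), as an added example that is not code from the list post. It assumes a Linux /proc layout and Python 3. The /proc/net/tcp lines, the remote address 203.0.113.5 standing in for the web server in the tcpdump line, and the throwaway process tree used to exercise the walk are all constructed for this example, not captured from Jim's machine. Reading /proc directly sidesteps a replaced netstat or ps binary (Jim's "top" was zapped), but not a kernel-level rootkit that filters /proc itself, and the fd scan needs root to see other users' processes.

```python
import os
import socket
import struct
import tempfile

# Constructed sample of /proc/net/tcp (not captured from the poster's box).
# Addresses are host-order IPv4 printed as hex, so on a little-endian machine
# 144.132.16.104 appears as 68108490 and 0535 is port 1333. The remote
# 203.0.113.5:80 is a documentation address standing in for the web server.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 68108490:0535 057100CB:0050 01 00000000:00000000 00:00000000 00000000     0        0 48213 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}  # subset


def decode_addr(hex_addr):
    """'68108490:0535' -> ('144.132.16.104', 1333)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))  # little-endian host order
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into connection dicts (header line skipped)."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return conns


def inodes_for_local_port(text, port):
    """Socket inodes whose local port matches the one seen in tcpdump."""
    return [c["inode"] for c in parse_proc_net_tcp(text) if c["local"][1] == port]


def find_socket_owner(inode, proc_root="/proc"):
    """Walk <proc_root>/<pid>/fd/* for a link to socket:[inode].
    Returns [(pid, argv), ...]. Unreadable or vanished processes are
    skipped, so an empty result is not proof that nothing owns the socket."""
    target = "socket:[%d]" % inode
    owners = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # EACCES without root, or the process already exited
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) != target:
                    continue
            except OSError:
                continue
            try:
                with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                    argv = [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]
            except OSError:
                argv = []
            owners.append((int(entry), argv))
            break
    return owners


def build_fake_proc(pid, inode, argv):
    """Create a throwaway /proc look-alike (one pid, one socket fd) so the
    walk can be run offline; returns its root. Scaffolding, not a real /proc."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    fd_dir = os.path.join(root, str(pid), "fd")
    os.makedirs(fd_dir)
    os.symlink("socket:[%d]" % inode, os.path.join(fd_dir, "3"))
    with open(os.path.join(root, str(pid), "cmdline"), "wb") as fh:
        fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
    return root


if __name__ == "__main__":
    for inode in inodes_for_local_port(SAMPLE_PROC_NET_TCP, 1333):
        root = build_fake_proc(4242, inode, ["/usr/bin/suspect", "-d"])
        print("inode", inode, "->", find_socket_owner(inode, root))
    # On a live box, as root:
    #   inodes = inodes_for_local_port(open("/proc/net/tcp").read(), 1333)
    #   for i in inodes: print(find_socket_owner(i))
```

On a real system the same walk should be repeated for /proc/net/udp if the DNS traffic Jim mentions is of interest, and a local port that appears in /proc/net/tcp with no readable owner is itself worth noting when the scan was run as root.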
