Results 1 to 6 of 6
Thread: strange root@(ip address) found
Enjoy an ad free experience by logging in. Not a member yet? Register.
strange root@(ip address) found
OrgName: Global Net Access, LLC OrgID: GNAL-2 Address: 1100 White St SW City: Atlanta StateProv: GA PostalCode: 30310 Country: US ReferralServer: rwhois://rwhois.gnax.net:4321 NetRange: 220.127.116.11 - 18.104.22.168 CIDR: 22.214.171.124/19 OriginAS: AS3595, AS16626 NetName: GNAXNET NetHandle: NET-72-9-224-0-1 Parent: NET-72-0-0-0-0 NetType: Direct Allocation NameServer: DNS1.GNAX.NET NameServer: DNS2.GNAX.NET NameServer: NS1.GNAX.NET NameServer: NS2.GNAX.NET Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE Comment: ******************************************** Comment: Reassignment information for this block is Comment: available at rwhois.gnax.net port 4321 Comment: ******************************************** RegDate: 2004-10-11 Updated: 2007-06-01 RAbuseHandle: ABUSE745-ARIN RAbuseName: GNAX ABUSE RAbusePhone: +1-404-230-9150 RAbuseEmail: firstname.lastname@example.org RNOCHandle: ENGIN7-ARIN RNOCName: GNAX ENGINEERING RNOCPhone: +1-404-230-9150 RNOCEmail: email@example.com RTechHandle: ENGIN7-ARIN RTechName: GNAX ENGINEERING RTechPhone: +1-404-230-9150 RTechEmail: firstname.lastname@example.org OrgAbuseHandle: ABUSE745-ARIN OrgAbuseName: GNAX ABUSE OrgAbusePhone: +1-404-230-9150 OrgAbuseEmail: email@example.com OrgNOCHandle: ENGIN7-ARIN OrgNOCName: GNAX ENGINEERING OrgNOCPhone: +1-404-230-9150 OrgNOCEmail: firstname.lastname@example.org OrgTechHandle: ENGIN7-ARIN OrgTechName: GNAX ENGINEERING OrgTechPhone: +1-404-230-9150 OrgTechEmail: email@example.com # ARIN WHOIS database, last updated 2007-09-11 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. Found a referral to rwhois.gnax.net:4321. %rwhois V-1.5:003fff:00 rwhois.gnax.net (by Network Solutions, Inc. V-126.96.36.199) network:Class-Name:network network:ID:188.8.131.52.0/19 network:Auth-Area:184.108.40.206/19 network:Network-Name:RackWan network:IP-Network:220.127.116.11/26 network:Organization;I:RackWan network:Tech-Contact;I:firstname.lastname@example.org network:Admin-Contact;I:email@example.com network:Created:20041213 network:Updated:20060417 network:Updated-By:firstname.lastname@example.org
I ssh'd email@example.com and it asked for a password. I have no idea who this is. Why would this be on my Ubuntu box as a command? Any ideas about this? Any thoughts or help appreciated.
Are you saying the entry
shows up in your user's bash history?
It's strange because that is not a command. Even so, it is a little ominous. Maybe review the history more carefully to make sure you have the full entry. (Just pipe the whole thing to less and search for that.)
rkhunter is pretty good because it checks (for supported OSes) md5 sums for a long list of binaries. It also checks for rootkit signatures and some other things like new groups and accounts on the system. When was the last time you ran it before the most recent run? For an extra sanity check you can also run chkrootkit. (I'd also add that it is possible for any binary - including your rootkit checker - to become compromised.)
Do you have any services that are listening on external, web-facing interfaces? Use netstat -ltun to double-check.
More possibilities once we know the answer to that question.
Hi fellows and thanks for the insight and help. RobinVossen, I checked over the logs and didn't see anything suspicious. anomie, I felt the same way. Why is this listed as a command?? Here is the output of netstat -ltun...
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN tcp6 0 0 :::22 :::* LISTEN udp 0 0 0.0.0.0:32768 0.0.0.0:* udp 0 0 0.0.0.0:5353 0.0.0.0:*
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:52635 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN tcp6 0 0 :::22 :::* LISTEN udp 0 0 0.0.0.0:512 0.0.0.0:* udp 0 0 0.0.0.0:32768 0.0.0.0:* udp 0 0 0.0.0.0:37 0.0.0.0:* udp 0 0 0.0.0.0:111 0.0.0.0:* udp 0 0 0.0.0.0:631 0.0.0.0:* udp 0 0 192.168.1.101:123 0.0.0.0:* udp 0 0 127.0.0.1:123 0.0.0.0:* udp 0 0 0.0.0.0:123 0.0.0.0:* udp 0 0 0.0.0.0:766 0.0.0.0:* udp6 0 0 fe80::219:d1ff:fe41:123 :::* udp6 0 0 ::1:123 :::* udp6 0 0 :::123 :::*
Since the command appeared in your Ubuntu installation I'll focus on that. These are the listening sockets to look at for now:
tcp6 0 0 :::22 :::* LISTEN udp 0 0 0.0.0.0:32768 0.0.0.0:* udp 0 0 0.0.0.0:5353 0.0.0.0:*
A couple more questions:
1. Are you running a firewall?
2. If so, are connections allowed from the outside world to tcp port 22?
3. Are any of the following enabled in sshd_config: PasswordAuthentication, Challenge-Response Authentication, UsePAM ?
It might be a good idea to check /var/log/secure (at least that's the naming CentOS uses) for ssh connections and connection attempts over the past few weeks. If your system is running logwatch this automatically reports ssh connections to you. (You may need to check root's mail.)
As for the two udp sockets, some quick notes:
udp 32768 summarized here. I am not familiar with Filenet TMS. Maybe it is something one of your apps requires.
udp 5353 summarized here. Sounds like iTunes or similar application using multicast DNS.
Well, I think I cant help you now..
Since I cant *touch* the Terminal.
I might be able to look into it but then you need to trust me by giving me a SSH account :/ (Guess you wont do that, since neither will I )
Well, umm What command did you use to show that "firstname.lastname@example.org"
Since if it was the Search Function I give there you or some program uses that all the time :/