- 11-04-2006 #1 Linux Newbie (Join Date: Jul 2004, Posts: 143)
too many connections
Hi everybody,
command : netstat -tapn|grep -i est
This is giving the following output.
Active Internet connections (servers and established)
tcp 0 0 <my_ip>:41975 69.39.226.10:6667 ESTABLISHED 20332/httpd
tcp 0 0 <my_ip>:52768 38.118.142.100:25 ESTABLISHED 31650/kA3Hmo0s02379
tcp 0 0 127.0.0.1:25 127.0.0.1:46199 ESTABLISHED 17600/sendmail: kA4
tcp 0 0 127.0.0.1:25 127.0.0.1:42882 ESTABLISHED 28398/sendmail: ser
tcp 0 0 <my_ip>:37784 213.42.1.72:25 ESTABLISHED 8835/kA45YRPG010250
tcp 0 0 ::ffff:<my_ip>:58793 ::ffff:67.154.68.85:25 ESTABLISHED 16372/kA4FF91D01637
tcp 0 0 ::ffff:<my_ip>:56199 ::ffff:207.44.144.6:25 ESTABLISHED 433/kA4AbXr6012272
tcp 0 0 ::ffff:<my_ip>:80 ::ffff:213.181.88.76:4293 ESTABLISHED 2245/httpd
tcp 0 0 ::ffff:<my_ip>:53932 ::ffff:4.79.181.168:25 ESTABLISHED 10882/kA4FCfHb01087
tcp 0 0 ::ffff:<my_ip>:33595 ::ffff:4.79.181.14:25 ESTABLISHED 16528/kA4FFHYM01652
tcp 0 0 ::ffff:<my_ip>:80 ::ffff:213.181.88.76:4302 ESTABLISHED 3835/httpd
tcp 0 0 ::ffff:<my_ip>:60037 ::ffff:136.159.2.1:25 ESTABLISHED 5334/kA342YiT010480
tcp 0 0 ::ffff:<my_ip>:42753 ::ffff:144.140.80.13:25 ESTABLISHED 16223/kA4AP8dD00547
tcp 0 0 ::ffff:<my_ip>:57116 ::ffff:4.79.181.168:25 ESTABLISHED 16159/kA4FF3BC01615
tcp 0 0 ::ffff:<my_ip>:52977 ::ffff:4.79.181.136:25 ESTABLISHED 8153/kA2EFY8J001875
tcp 0 0 ::ffff:<my_ip>:35413 ::ffff:207.69.189.44:25 ESTABLISHED 17598/kA4FGck001759
tcp 0 0 ::ffff:<my_ip>:60723 ::ffff:147.226.7.81:25 ESTABLISHED 11841/kA4FD3EM01183
tcp 0 0 ::ffff:<my_ip>:39409 ::ffff:216.129.105.34:25 ESTABLISHED 15341/kA4FEeGH01533
tcp 0 0 ::ffff:<my_ip>:39579 ::ffff:149.174.40.55:25 ESTABLISHED 15522/kA4FEjmc01551
tcp 0 0 ::ffff:<my_ip>:58472 ::ffff:129.215.13.3:25 ESTABLISHED 23621/kA334JFa02390
tcp 0 0 ::ffff:<my_ip>:47106 ::ffff:206.186.35.25:25 ESTABLISHED 16223/kA4AP8dD00547
tcp 0 0 ::ffff:<my_ip>:36564 ::ffff:62.37.236.140:25 ESTABLISHED 15297/kA4FEd4W01529
tcp 0 0 ::ffff:<my_ip>:51848 ::ffff:216.129.105.39:25 ESTABLISHED 12557/kA4FDIq501255
tcp 0 0 ::ffff:<my_ip>:34350 ::ffff:85.90.160.100:25 ESTABLISHED 29535/kA3IXAIT02959
tcp 0 0 ::ffff:<my_ip>:33583 ::ffff:136.159.2.4:25 ESTABLISHED 5334/kA342YiT010480
tcp 0 0 ::ffff:<my_ip>:54849 ::ffff:206.12.82.99:25 ESTABLISHED 28289/kA4B53cF02883
tcp 0 0 ::ffff:<my_ip>:54850 ::ffff:65.243.234.36:25 ESTABLISHED 433/kA4AbXr6012272
tcp 0 0 ::ffff:<my_ip>:57367 ::ffff:147.26.8.23:25 ESTABLISHED 17547/kA4FGZPg01754
tcp 0 0 ::ffff:<my_ip>:56122 ::ffff:207.155.253.162:25 ESTABLISHED 20364/kA33TwIV00278
tcp 0 0 ::ffff:<my_ip>:54477 ::ffff:67.28.113.71:25 ESTABLISHED 17593/kA4FGbWn01759
tcp 0 0 ::ffff:<my_ip>:60741 ::ffff:216.157.145.25:25 ESTABLISHED 31650/kA3Hmo0s02379
tcp 0 0 ::ffff:<my_ip>:37565 ::ffff:216.193.201.145:25 ESTABLISHED 24099/kA3KBU2P02943
tcp 0 0 ::ffff:<my_ip>:54697 ::ffff:64.18.5.14:25 ESTABLISHED 18695/kA46W75002916
tcp 0 24 ::ffff:<my_ip>:43387 ::ffff:208.244.164.201:25 ESTABLISHED 17589/kA4FGbVM01758
tcp 0 0 ::ffff:<my_ip>:52852 ::ffff:152.43.1.210:25 ESTABLISHED 18695/kA46W75002916
tcp 0 0 ::ffff:<my_ip>:59942 ::ffff:161.85.125.8:25 ESTABLISHED 17494/kA4FGXGp01749
tcp 0 0 ::ffff:<my_ip>:51535 ::ffff:198.63.16.44:25 ESTABLISHED 25732/kA3GX72k00399
tcp 0 0 ::ffff:127.0.0.1:46199 ::ffff:127.0.0.1:25 ESTABLISHED 17599/kA4FGcD901759
tcp 0 0 ::ffff:<my_ip>:52160 ::ffff:207.155.248.116:25 ESTABLISHED 20364/kA33TwIV00278
tcp 0 0 ::ffff:<my_ip>:57121 ::ffff:66.9.5.10:25 ESTABLISHED 25732/kA3GX72k00399
tcp 0 0 ::ffff:<my_ip>:52243 ::ffff:65.24.7.10:25 ESTABLISHED 17461/kA4FGWsU01745
tcp 0 0 ::ffff:127.0.0.1:42882 ::ffff:127.0.0.1:25 ESTABLISHED 28290/kA3JbqGU03103
tcp 0 96 ::ffff:<my_ip>:22456 ::ffff:202.53.95.130:45823 ESTABLISHED 1413/sshd: myogendr
tcp 0 0 ::ffff:<my_ip>:37754 ::ffff:64.18.4.14:25 ESTABLISHED 29535/kA3IXAIT02959
tcp 0 0 ::ffff:<my_ip>:59495 ::ffff:129.215.128.53:25 ESTABLISHED 23621/kA334JFa02390
tcp 0 0 ::ffff:<my_ip>:48847 ::ffff:66.114.87.26:25 ESTABLISHED 17551/kA4FGZbK01754
tcp 0 0 ::ffff:<my_ip>:54752 ::ffff:82.148.190.131:25 ESTABLISHED 1267/kA4Exuvr001265
Why are so many connections established?
Is my system getting any DoS attacks on port 25?
Please help me.
Thanks in advance,
Mummaneni.
- 11-04-2006 #2 Linux Guru (Join Date: Nov 2004, Posts: 6,110)
Something's not right there - what are these processes "kA4FF91D01637" etc. ?
Run and post back the contents of:
ps aux
- 11-05-2006 #3 Linux Newbie (Join Date: Jul 2004, Posts: 143)
Hi bigtomrodney,
Thank you for quick reply.
Now the active connections are :
command : netstat -tapn|grep -i est
Active Internet connections (servers and established)
tcp 0 0 ::ffff:<my_ip>:54195 ::ffff:217.199.23.68:25 ESTABLISHED 31688/kA49rXg302721
tcp 0 0 ::ffff:<my_ip>:33356 ::ffff:147.226.7.90:25 ESTABLISHED 30926/kA4FD3EM01183
tcp 0 0 ::ffff:<my_ip>:40576 ::ffff:216.37.120.28:25 ESTABLISHED 30021/kA4Euhum03136
tcp 0 0 ::ffff:<my_ip>:45013 ::ffff:205.188.155.89:25 ESTABLISHED 32316/kA46VDiI02825
tcp 0 48 ::ffff:<my_ip>:22456 ::ffff:202.53.95.130:45823 ESTABLISHED 1413/sshd: myogendr
tcp 0 0 ::ffff:<my_ip>:59645 ::ffff:216.37.114.7:25 ESTABLISHED 30021/kA4Euhum03136
command : ps -aux
root 20687 0.0 0.4 7988 3240 ? Ss 10:06 0:00 sendmail: accepting connections
root 20688 0.0 0.9 10692 6684 ? S 10:06 0:06 sendmail: ./kA45banD016302 sdf.bellsouth.net.: user open
smmsp 20695 0.0 0.3 7000 2736 ? Ss 10:06 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 26887 0.0 0.9 10744 6772 ? S 11:06 0:05 sendmail: ./kA45ZV1r011933 panacom.com.: user open
root 27436 0.0 0.9 10756 6836 ? S 12:06 0:06 sendmail: ./kA4FD9r0012116 mail2.bww.com.: user open
root 28059 0.0 0.9 10548 6604 ? S 13:06 0:04 sendmail: ./kA45RX9J003550 postmark.net.: user open
root 29327 0.0 0.9 10352 6404 ? S 14:06 0:02 sendmail: ./kA45aosM014951 lig.bellsouth.net.: user open
root 30021 0.0 0.9 10328 6408 ? S 15:06 0:03 sendmail: ./kA4Arqgd025809 showme.missouri.edu.: user open
root 30926 0.0 0.8 10080 5844 ? S 16:06 0:01 sendmail: ./kA4AeZhN017560 galileo.thp.univie.ac.at.: user o
smmsp 30927 0.0 0.4 7076 3012 ? S 16:06 0:00 sendmail: ./kA2IP1Lt032108 from queue
root 31688 0.0 0.8 10040 6140 ? S 17:06 0:01 sendmail: ./kA4GExJw020698 webdesignconcepts.com.: user open
smmsp 31689 0.0 0.4 7016 2960 ? S 17:06 0:00 sendmail: ./kA3304li022275 from queue
root 32316 0.0 0.8 10076 6136 ? S 18:06 0:01 sendmail: ./kA4GExIo020698 resalehost.networksolutions.com.:
smmsp 32317 0.0 0.4 7016 2952 ? S 18:06 0:00 sendmail: ./kA49nvVf025761 from queue
Mummaneni.
- 11-05-2006 #4
Your box appears to have a number of open connections to port 25 on various remote machines.
I'll concur with the previous post - something is not right there. Are you being attacked on port 25? No, quite the opposite (maybe).
For the hell of it you might want to run a rkhunter scan on your box.
- 11-05-2006 #5 Linux Guru (Join Date: Nov 2004, Posts: 6,110)
It looks like you are spamming!
Also it is root sending them out. Best thing is to take the box off the network - your ISP can ban you for this and you may also end up being fined from elsewhere. You may want to look at startup scripts in root's profile and also check /etc/init.d/ for any odd looking services. As anomie said run a root kit detector also. If you have been rooted I would recommend a backup and reinstall as soon as possible.
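The replies above do this triage by eye: scan the netstat output, notice that almost every ESTABLISHED connection goes to a remote port 25, and ask what the oddly named processes are. The script below is an added example (not code from the thread or from any of its posters) that does the same grouping mechanically. It reads `netstat -tapn` output on standard input, counts connections to remote port 25 per program name, and prints the ones that are not on an allow list of expected senders. The embedded SAMPLE is constructed to mirror the thread's format; 192.0.2.10 and the 198.51.100.x / 203.0.113.x remotes are documentation addresses, and the function names and the default allow list of `sendmail` are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: group outbound SMTP (remote port 25)
# connections in `netstat -tapn` output per process so that anything other than
# the expected MTA stands out for a human to examine.
# SAMPLE is constructed to mirror the thread's format; the addresses are
# documentation ranges, not real hosts.

SAMPLE='Active Internet connections (servers and established)
tcp 0 0 192.0.2.10:41975 198.51.100.7:6667 ESTABLISHED 20332/httpd
tcp 0 0 192.0.2.10:52768 203.0.113.21:25 ESTABLISHED 31650/kA3Hmo0s02379
tcp 0 0 127.0.0.1:25 127.0.0.1:46199 ESTABLISHED 17600/sendmail: kA4
tcp 0 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.9:4293 ESTABLISHED 2245/httpd
tcp 0 0 ::ffff:192.0.2.10:53932 ::ffff:203.0.113.40:25 ESTABLISHED 10882/kA4FCfHb01087
tcp 0 0 ::ffff:192.0.2.10:57116 ::ffff:203.0.113.41:25 ESTABLISHED 10882/kA4FCfHb01087
tcp 0 0 ::ffff:192.0.2.10:33595 ::ffff:203.0.113.14:25 ESTABLISHED 16528/kA4FFHYM01652
tcp 0 0 ::ffff:192.0.2.10:40000 ::ffff:203.0.113.5:25 ESTABLISHED 31000/sendmail: MTA:
tcp 0 96 ::ffff:192.0.2.10:22456 ::ffff:198.51.100.130:45823 ESTABLISHED 1413/sshd: admin
tcp 0 0 ::ffff:127.0.0.1:46199 ::ffff:127.0.0.1:25 ESTABLISHED 17599/kA4FGcD901759'

# Print "count program" for ESTABLISHED TCP connections whose remote port is 25,
# most connections first. Reads netstat -tapn output on stdin. The port is
# whatever follows the last colon, so plain and ::ffff:-mapped addresses both
# work. Loopback remotes are skipped: local submission to the MTA is normal.
outbound_smtp_by_process() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, r, ":")
            if (r[n] != 25 || r[n-1] == "127.0.0.1") next
            prog = $7; sub(/^[0-9]+\//, "", prog)   # drop the "pid/" prefix
            count[prog]++
         }
         END { for (p in count) print count[p], p }' | sort -rn
}

# Print the rows from outbound_smtp_by_process whose program is not in the
# comma-separated allow list (default: sendmail). Every other name connecting
# out to port 25 deserves a look in ps and in /proc/<pid>/exe.
unexpected_smtp_senders() {
    outbound_smtp_by_process | awk -v allowed="${1:-sendmail}" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { name = $2; sub(/:$/, "", name); if (!(name in ok)) print }'
}

# Stand-alone run over the constructed sample. On a live box:
#   netstat -tapn | unexpected_smtp_senders sendmail,postfix
printf '%s\n' "$SAMPLE" | unexpected_smtp_senders
```

Run on the thread's own output, this would list every `kA4...` name with its connection count and leave `sendmail:` out, which is the same conclusion the replies reached by reading the dump.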
- 11-07-2006 #6 Linux Newbie (Join Date: Jul 2004, Posts: 143)
Hi,
I ran rkhunter: /usr/local/bin/rkhunter -c
This is the output. I think nothing is wrong there on my system. Please conclude.
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 0
Incorrect MD5 checksums: 0
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 1
Scanning took 131 seconds
-----------------------------------------------------------------------
Thanks & Regards,
Mummaneni.
- 11-07-2006 #7
Well, first off you will probably want to address the vulnerable app it found. (Usually fixed by an upgrade or config file change.)
What is this box being used for? Is there some program running that would be connecting to remote port 25 on lots of different machines? Are you the only user? It would help to know more about it.
- 11-08-2006 #8 Linux Newbie (Join Date: Jul 2004, Posts: 143)
Hi,
My box is being used as a web server.
As you guys told me, I received a spam complaint from the ISP.
They placed some hacking tools in the /tmp directory through the apache service, because those files have user and group apache.
Please tell me how they are placing files on my web server and how to restrict them from uploading files; most of our projects are based on PHP.
I am very new to security, please help me.
Thanks in advance,
Mummaneni.
- 11-08-2006 #9
Keep your software up to date (remember that warning from rootkit?) and restrict access to your web service using iptables or tcp_wrappers, if appropriate for your situation.
I do not have experience hardening apache web services, and a quick google is not going to help me help you. I'd recommend reviewing apache's online documentation and getting a detailed book on the subject.
You are going to want to take your machine offline, back up important data files (keeping in mind that even they may have been compromised), and rebuild your box from scratch. Do not re-enable the apache service until you have all software up to date.
Good luck.
- 11-14-2006 #10 Just Joined! (Join Date: Jun 2006, Location: (.), Posts: 69)
It seems that you need to block unwanted ports and configure your iptables.
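Posts #8, #9 and #10 leave two practical steps unstated: how to find what the web-server user has written outside its document root, and what an iptables rule for this situation actually looks like. The script below is an added example (not code from the thread or its posters) covering both. It lists files under a directory owned by the web-server user, and it generates egress rules so that only the MTA user may open connections to remote port 25; local submission to the MTA over loopback, which the thread's own netstat output shows, is left alone. `WEB_USER=apache` and `MTA_USER=root` are assumptions taken from the thread's ps and file-ownership observations; the function names are my own, and the rules are printed rather than applied unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side steps for a web
# server whose apache user has been made to write files into /tmp and to open
# connections to remote port 25.
# WEB_USER and MTA_USER are assumptions: the thread's ps output shows sendmail
# running as root and the dropped files owned by apache. Adjust for your system.

WEB_USER="${WEB_USER:-apache}"
MTA_USER="${MTA_USER:-root}"

# 1. Review: list regular files under DIR owned by USER, one path per line,
#    sorted. Anything the web-server process wrote outside its document root
#    is worth examining before the box is rebuilt. -xdev keeps find on one
#    filesystem so a /tmp check does not wander into other mounts.
#    Usage: web_user_files /tmp [user]
web_user_files() {
    find "$1" -xdev -type f -user "${2:-$WEB_USER}" -print 2>/dev/null | sort
}

# 2. Contain: egress rules so that only the MTA user may open connections to
#    remote port 25 on non-loopback interfaces. Submission to the MTA on
#    127.0.0.1:25 (present in the thread's netstat output) still works, and the
#    MTA then relays as its own user. Every other attempt is logged and reset.
smtp_egress_rules() {
    mta="${1:-$MTA_USER}"
    cat <<EOF
iptables -A OUTPUT ! -o lo -p tcp --dport 25 -m owner --uid-owner $mta -j ACCEPT
iptables -A OUTPUT ! -o lo -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "SMTP-EGRESS-BLOCK: "
iptables -A OUTPUT ! -o lo -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Print the rules unless APPLY=1 is set, in which case they are executed
# (requires root). Appending to OUTPUT means earlier ACCEPT rules still win,
# so inspect the chain with "iptables -L OUTPUT -n -v" afterwards.
apply_smtp_egress_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        smtp_egress_rules "$@" | sh
    else
        echo "# dry run: set APPLY=1 and run as root to install these rules"
        smtp_egress_rules "$@"
    fi
}

# Stand-alone run: review /tmp, then show the rules without applying them.
web_user_files /tmp
apply_smtp_egress_rules
```

The owner match keys on the UID of the process opening the socket, which is why it separates the MTA from a PHP script running under apache even though both end up talking to port 25. The LOG rule is there so that a blocked attempt after the rebuild shows up in the kernel log rather than failing silently; it is the signal that the web application is still being abused and that the rule, not the incident, is what stopped the mail.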