  1. #1
    Linux Newbie
    Join Date
    Jul 2004
    Posts
    143

    too many connections


    Hi everybody,

    command : netstat -tapn|grep -i est

    This is giving the following output.

    Active Internet connections (servers and established)
    tcp 0 0 <my_ip>:41975 69.39.226.10:6667 ESTABLISHED 20332/httpd
    tcp 0 0 <my_ip>:52768 38.118.142.100:25 ESTABLISHED 31650/kA3Hmo0s02379
    tcp 0 0 127.0.0.1:25 127.0.0.1:46199 ESTABLISHED 17600/sendmail: kA4
    tcp 0 0 127.0.0.1:25 127.0.0.1:42882 ESTABLISHED 28398/sendmail: ser
    tcp 0 0 <my_ip>:37784 213.42.1.72:25 ESTABLISHED 8835/kA45YRPG010250
    tcp 0 0 ::ffff:<my_ip>:58793 ::ffff:67.154.68.85:25 ESTABLISHED 16372/kA4FF91D01637
    tcp 0 0 ::ffff:<my_ip>:56199 ::ffff:207.44.144.6:25 ESTABLISHED 433/kA4AbXr6012272
    tcp 0 0 ::ffff:<my_ip>:80 ::ffff:213.181.88.76:4293 ESTABLISHED 2245/httpd
    tcp 0 0 ::ffff:<my_ip>:53932 ::ffff:4.79.181.168:25 ESTABLISHED 10882/kA4FCfHb01087
    tcp 0 0 ::ffff:<my_ip>:33595 ::ffff:4.79.181.14:25 ESTABLISHED 16528/kA4FFHYM01652
    tcp 0 0 ::ffff:<my_ip>:80 ::ffff:213.181.88.76:4302 ESTABLISHED 3835/httpd
    tcp 0 0 ::ffff:<my_ip>:60037 ::ffff:136.159.2.1:25 ESTABLISHED 5334/kA342YiT010480
    tcp 0 0 ::ffff:<my_ip>:42753 ::ffff:144.140.80.13:25 ESTABLISHED 16223/kA4AP8dD00547
    tcp 0 0 ::ffff:<my_ip>:57116 ::ffff:4.79.181.168:25 ESTABLISHED 16159/kA4FF3BC01615
    tcp 0 0 ::ffff:<my_ip>:52977 ::ffff:4.79.181.136:25 ESTABLISHED 8153/kA2EFY8J001875
    tcp 0 0 ::ffff:<my_ip>:35413 ::ffff:207.69.189.44:25 ESTABLISHED 17598/kA4FGck001759
    tcp 0 0 ::ffff:<my_ip>:60723 ::ffff:147.226.7.81:25 ESTABLISHED 11841/kA4FD3EM01183
    tcp 0 0 ::ffff:<my_ip>:39409 ::ffff:216.129.105.34:25 ESTABLISHED 15341/kA4FEeGH01533
    tcp 0 0 ::ffff:<my_ip>:39579 ::ffff:149.174.40.55:25 ESTABLISHED 15522/kA4FEjmc01551
    tcp 0 0 ::ffff:<my_ip>:58472 ::ffff:129.215.13.3:25 ESTABLISHED 23621/kA334JFa02390
    tcp 0 0 ::ffff:<my_ip>:47106 ::ffff:206.186.35.25:25 ESTABLISHED 16223/kA4AP8dD00547
    tcp 0 0 ::ffff:<my_ip>:36564 ::ffff:62.37.236.140:25 ESTABLISHED 15297/kA4FEd4W01529
    tcp 0 0 ::ffff:<my_ip>:51848 ::ffff:216.129.105.39:25 ESTABLISHED 12557/kA4FDIq501255
    tcp 0 0 ::ffff:<my_ip>:34350 ::ffff:85.90.160.100:25 ESTABLISHED 29535/kA3IXAIT02959
    tcp 0 0 ::ffff:<my_ip>:33583 ::ffff:136.159.2.4:25 ESTABLISHED 5334/kA342YiT010480
    tcp 0 0 ::ffff:<my_ip>:54849 ::ffff:206.12.82.99:25 ESTABLISHED 28289/kA4B53cF02883
    tcp 0 0 ::ffff:<my_ip>:54850 ::ffff:65.243.234.36:25 ESTABLISHED 433/kA4AbXr6012272
    tcp 0 0 ::ffff:<my_ip>:57367 ::ffff:147.26.8.23:25 ESTABLISHED 17547/kA4FGZPg01754
    tcp 0 0 ::ffff:<my_ip>:56122 ::ffff:207.155.253.162:25 ESTABLISHED 20364/kA33TwIV00278
    tcp 0 0 ::ffff:<my_ip>:54477 ::ffff:67.28.113.71:25 ESTABLISHED 17593/kA4FGbWn01759
    tcp 0 0 ::ffff:<my_ip>:60741 ::ffff:216.157.145.25:25 ESTABLISHED 31650/kA3Hmo0s02379
    tcp 0 0 ::ffff:<my_ip>:37565 ::ffff:216.193.201.145:25 ESTABLISHED 24099/kA3KBU2P02943
    tcp 0 0 ::ffff:<my_ip>:54697 ::ffff:64.18.5.14:25 ESTABLISHED 18695/kA46W75002916
    tcp 0 24 ::ffff:<my_ip>:43387 ::ffff:208.244.164.201:25 ESTABLISHED 17589/kA4FGbVM01758
    tcp 0 0 ::ffff:<my_ip>:52852 ::ffff:152.43.1.210:25 ESTABLISHED 18695/kA46W75002916
    tcp 0 0 ::ffff:<my_ip>:59942 ::ffff:161.85.125.8:25 ESTABLISHED 17494/kA4FGXGp01749
    tcp 0 0 ::ffff:<my_ip>:51535 ::ffff:198.63.16.44:25 ESTABLISHED 25732/kA3GX72k00399
    tcp 0 0 ::ffff:127.0.0.1:46199 ::ffff:127.0.0.1:25 ESTABLISHED 17599/kA4FGcD901759
    tcp 0 0 ::ffff:<my_ip>:52160 ::ffff:207.155.248.116:25 ESTABLISHED 20364/kA33TwIV00278
    tcp 0 0 ::ffff:<my_ip>:57121 ::ffff:66.9.5.10:25 ESTABLISHED 25732/kA3GX72k00399
    tcp 0 0 ::ffff:<my_ip>:52243 ::ffff:65.24.7.10:25 ESTABLISHED 17461/kA4FGWsU01745
    tcp 0 0 ::ffff:127.0.0.1:42882 ::ffff:127.0.0.1:25 ESTABLISHED 28290/kA3JbqGU03103
    tcp 0 96 ::ffff:<my_ip>:22456 ::ffff:202.53.95.130:45823 ESTABLISHED 1413/sshd: myogendr
    tcp 0 0 ::ffff:<my_ip>:37754 ::ffff:64.18.4.14:25 ESTABLISHED 29535/kA3IXAIT02959
    tcp 0 0 ::ffff:<my_ip>:59495 ::ffff:129.215.128.53:25 ESTABLISHED 23621/kA334JFa02390
    tcp 0 0 ::ffff:<my_ip>:48847 ::ffff:66.114.87.26:25 ESTABLISHED 17551/kA4FGZbK01754
    tcp 0 0 ::ffff:<my_ip>:54752 ::ffff:82.148.190.131:25 ESTABLISHED 1267/kA4Exuvr001265

    Why are so many connections established?
    Is my system getting DoS attacks on port 25?
    Please help me.

    Thanks in advance
    Mummaneni.

  2. #2
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    Something's not right there - what are these processes "kA4FF91D01637" etc.?

    Run and post back the contents of
    Code:
    ps aux

  3. #3
    Linux Newbie
    Join Date
    Jul 2004
    Posts
    143
    Hi bigtomrodney,
    Thank you for quick reply.

    Now the active connections are :

    command : netstat -tapn|grep -i est

    Active Internet connections (servers and established)
    tcp 0 0 ::ffff:<my_ip>:54195 ::ffff:217.199.23.68:25 ESTABLISHED 31688/kA49rXg302721
    tcp 0 0 ::ffff:<my_ip>:33356 ::ffff:147.226.7.90:25 ESTABLISHED 30926/kA4FD3EM01183
    tcp 0 0 ::ffff:<my_ip>:40576 ::ffff:216.37.120.28:25 ESTABLISHED 30021/kA4Euhum03136
    tcp 0 0 ::ffff:<my_ip>:45013 ::ffff:205.188.155.89:25 ESTABLISHED 32316/kA46VDiI02825
    tcp 0 48 ::ffff:<my_ip>:22456 ::ffff:202.53.95.130:45823 ESTABLISHED 1413/sshd: myogendr
    tcp 0 0 ::ffff:<my_ip>:59645 ::ffff:216.37.114.7:25 ESTABLISHED 30021/kA4Euhum03136

    command : ps -aux
    root 20687 0.0 0.4 7988 3240 ? Ss 10:06 0:00 sendmail: accepting connections
    root 20688 0.0 0.9 10692 6684 ? S 10:06 0:06 sendmail: ./kA45banD016302 sdf.bellsouth.net.: user open
    smmsp 20695 0.0 0.3 7000 2736 ? Ss 10:06 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
    root 26887 0.0 0.9 10744 6772 ? S 11:06 0:05 sendmail: ./kA45ZV1r011933 panacom.com.: user open
    root 27436 0.0 0.9 10756 6836 ? S 12:06 0:06 sendmail: ./kA4FD9r0012116 mail2.bww.com.: user open
    root 28059 0.0 0.9 10548 6604 ? S 13:06 0:04 sendmail: ./kA45RX9J003550 postmark.net.: user open
    root 29327 0.0 0.9 10352 6404 ? S 14:06 0:02 sendmail: ./kA45aosM014951 lig.bellsouth.net.: user open
    root 30021 0.0 0.9 10328 6408 ? S 15:06 0:03 sendmail: ./kA4Arqgd025809 showme.missouri.edu.: user open
    root 30926 0.0 0.8 10080 5844 ? S 16:06 0:01 sendmail: ./kA4AeZhN017560 galileo.thp.univie.ac.at.: user o
    smmsp 30927 0.0 0.4 7076 3012 ? S 16:06 0:00 sendmail: ./kA2IP1Lt032108 from queue
    root 31688 0.0 0.8 10040 6140 ? S 17:06 0:01 sendmail: ./kA4GExJw020698 webdesignconcepts.com.: user open
    smmsp 31689 0.0 0.4 7016 2960 ? S 17:06 0:00 sendmail: ./kA3304li022275 from queue
    root 32316 0.0 0.8 10076 6136 ? S 18:06 0:01 sendmail: ./kA4GExIo020698 resalehost.networksolutions.com.:
    smmsp 32317 0.0 0.4 7016 2952 ? S 18:06 0:00 sendmail: ./kA49nvVf025761 from queue

    Mummaneni.

  4. #4
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Your box appears to have a number of open connections to port 25 on various remote machines.

    I'll concur with the previous post - something is not right there. Are you being attacked on port 25? No, quite the opposite (maybe).

    For the hell of it you might want to run a rkhunter scan on your box.

  5. #5
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    It looks like you are spamming!

    Also it is root sending them out. Best thing is to take the box off the network - your ISP can ban you for this and you may also end up being fined from elsewhere. You may want to look at startup scripts in root's profile and also check /etc/init.d/ for any odd looking services. As anomie said run a root kit detector also. If you have been rooted I would recommend a backup and reinstall as soon as possible.

  6. #6
    Linux Newbie
    Join Date
    Jul 2004
    Posts
    143
    Hi,
    I ran rkhunter: /usr/local/bin/rkhunter -c

    This is the output. I think nothing is wrong there on my system. Please conclude.
    ---------------------------- Scan results ----------------------------
    MD5
    MD5 compared: 0
    Incorrect MD5 checksums: 0

    File scan
    Scanned files: 342
    Possible infected files: 0

    Application scan
    Vulnerable applications: 1

    Scanning took 131 seconds
    -----------------------------------------------------------------------

    Thanks & Regards,
    Mummaneni.

  7. #7
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Well, first off you will probably want to address the vulnerable app it found. (Usually fixed by an upgrade or config file change.)

    What is this box being used for? Is there some program running that would be connecting to remote port 25 on lots of different machines? Are you the only user? It would help to know more about it.

  8. #8
    Linux Newbie
    Join Date
    Jul 2004
    Posts
    143
    Hi,
    My box is being used as web server.
    As you guys told, I received spam complaint from ISP.
    They placed some hacking tools in the /tmp directory through the apache service, because those files have apache as user and group.

    Please tell me how they are placing files on my web server and how to restrict them from uploading files; most of our projects are based on PHP.

    I am very new to security, please help me.

    Thanks in advance,
    Mummaneni.

  9. #9
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Keep your software up to date (remember that warning from rootkit?) and restrict access to your web service using iptables or tcp_wrappers, if appropriate for your situation.

    I do not have experience hardening apache web services, and a quick google is not going to help me help you. I'd recommend reviewing apache's online documentation and getting a detailed book on the subject.

    You are going to want to take your machine offline, back up important data files (keeping in mind that even they may have been compromised), and rebuild your box from scratch. Do not re-enable the apache service until you have all software up to date.

    Good luck.

  10. #10
    Just Joined!
    Join Date
    Jun 2006
    Location
    (.)
    Posts
    69
    It seems that you need to block unwanted ports and configure your iptables.
