  1. #1
    Member
    Join Date
    Jan 2004
    Posts
    84

    How to identify the service in one port?

    Hello,

    My server crashed many times in the last days. I found one script (.bs.pl) in /tmp (but my /tmp is noexec). After this, always, even after reboot, I see this using netstat -an:

    udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED

    How do I identify the service (or script) running on this port? The script always changes the port (after reboot).

    I ran ps -aux but did not see anything different.

    Thanks,
    Minotauro.

  2. #2
    Member casey
    Join Date
    Jan 2003
    Location
    If there is trouble, it will find me
    Posts
    2,336

    Your box has been cracked:

    http://www.webhostingtalk.com/archiv.../229864-1.html

    Good luck.

  3. #3
    Member
    Join Date
    Jun 2002
    Posts
    116

    Its connection is from localhost to localhost on the same port.

    Doesn't look like an exploited machine to me?

    .bs.pl is user nobody?

    If so, then it's been uploaded by an insecure script, but you say /tmp is noexec?

    Is there no .bash_history in /tmp or any other files that should not be there?

  4. #4
    Super Moderator chirpy
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    To find the PID of the process that has a port open, you can do the following:

    fuser 32769/udp

    To tie it into a process,

    ps axf | grep -v grep | grep PID

    Where PID is the result from the fuser.

    Alternatively, issue the following:

    netstat -autpn

    If it keeps restarting after a reboot, check the following for changes:

    /etc/rc.d/rc.local
    /etc/inetd.conf
    /etc/xinetd.d/

    Also, if you could display the code of .bp.pl here, it would help. Having noexec on /tmp doesn't help, as all you need to do is:

    perl /tmp/.bp.pl

    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
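
How `fuser` and `netstat -p` arrive at a PID, as an added example that is not part of the original posts: the kernel's socket table gives the inode for a port, and the process whose `/proc/<pid>/fd` links point at that inode owns the socket. The sample table, uid and inode values are constructed, and the function names are illustrative; a little-endian Linux host is assumed.

```python
import glob
import os
import socket
import struct
import sys

# Constructed sample in /proc/net/udp layout (little-endian host), not real output:
# 127.0.0.1:32769 connected to itself, owned by uid 26, socket inode 5120.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 0100007F:8001 0100007F:8001 01 00000000:00000000 00:00000000 00000000    26        0 5120 2 0000000000000000 0
  13: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4711 2 0000000000000000 0
"""

def decode_addr(hex_addr):
    """'0100007F:8001' -> ('127.0.0.1', 32769); address word is little-endian here."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def sockets_on_port(table_text, port):
    """Return (local, remote, uid, inode) for each socket bound to the local port."""
    hits = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 10 and decode_addr(f[1])[1] == port:
            hits.append((decode_addr(f[1]), decode_addr(f[2]), int(f[7]), int(f[9])))
    return hits

def pids_holding(inode, fd_links=None):
    """PIDs with an fd pointing at socket:[inode]. fd_links ({path: link target})
    allows offline use; by default the live /proc is walked (run as root)."""
    if fd_links is None:
        fd_links = {}
        for path in glob.glob("/proc/[0-9]*/fd/*"):
            try:
                fd_links[path] = os.readlink(path)
            except OSError:
                pass  # process exited, or not ours and we are not root
    want = "socket:[%d]" % inode
    return sorted({int(p.split("/")[2]) for p, t in fd_links.items() if t == want})

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 32769
    with open("/proc/net/udp") as fh:
        for local, remote, uid, inode in sockets_on_port(fh.read(), port):
            for pid in pids_holding(inode) or ["(no visible owner)"]:
                print(local, remote, "uid=%d" % uid, "inode=%d" % inode, "pid=%s" % pid)
```

The uid column identifies the owning account even when the script is not run as root and the PID lookup comes back empty.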

  5. #5
    Member
    Join Date
    Jun 2002
    Posts
    116

    A little research points to /usr/bin/postmaster as being the user.

    Take it you have PostgreSQL installed.

    If that is the user, your box has not been cracked, as someone without any details would say.

    Also, it's not why your machine is crashing.

    What are the contents of .bs.pl?

  6. #6
    Member
    Join Date
    Jan 2004
    Posts
    84

    Originally posted by casey
    Your box has been cracked:

    http://www.webhostingtalk.com/archiv.../229864-1.html

    Good luck.

    Hello casey and Steve-PWH,

    My /tmp is noexec and nosuid. The user only sent the script to my server, but didn't execute it (it wasn't sent as nobody because I run suexec and phpsuexec).

    The port is because of PG SQL (thanks Steve-PHW); I confirmed it after running netstat -anp:

    udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED 4189/postmaster


    chirpy, thanks for the reply, but the port is PG SQL.

    Thanks all for the replies!

    Regards,
    Minotauro.
