Strange ....

[Ramsy]

All of a sudden i get these email from LSM Alert:

Code:

This is an automated alert generated from eclipse.crystalcore.nl. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:

>> tcp        0      0 62.41.26.100:35728          0.0.0.0:*                   LISTEN      -                   


Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets

Code:

This is an automated alert generated from eclipse.crystalcore.nl. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:

>> tcp        0      0 62.41.26.100:35574          0.0.0.0:*                   LISTEN      -                   


Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets

Code:

This is an automated alert generated from eclipse.crystalcore.nl. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:

>> tcp        0      0 62.41.26.100:35483          0.0.0.0:*                   LISTEN      -                   


Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets

Code:

This is an automated alert generated from eclipse.crystalcore.nl. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:

>> tcp        0      0 62.41.26.100:35727          0.0.0.0:*                   LISTEN      -                   


Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets

Four mails with suspicious times, first one 0:00, 2nd 0:10, 3rd 2:10 and 4d at 2:20.
Can't find any running processes for them, run rkhunter and it didnt find anything, nor did chkrootkit (besides a false error to my knowledge: Checking `bindshell'... INFECTED (PORTS: 114 465)).

Anybody got an idea an what this could be ?

[webignition]

From SSH try netstat -l

This will list all ports that are listening and might give you an indication as to what is listening on the relevant ports.

[DN-Paul]

I bet you get them whenever someone logs into ftp on your server (when someone is using passive ftp mode and your FTPd opens a new port for their passive connection)

[Ramsy]

i think so yeah, because it matches my passive range list