The Community Forums


Strange ....

Discussion in 'General Discussion' started by Ramsy, May 6, 2005.

  1. Ramsy

    Ramsy Guest

    All of a sudden I get these emails from LSM Alert:

    Code:
    This is an automated alert generated from eclipse.crystalcore.nl. This alert is to
    notify the addressed users of new server sockets. New server sockets can
    indicate server-software that has been started on your host, or otherwise
    be an indication to malicious activity. It is advised to review this alert
    and investigate if needed.
    
    Following is a summary of new Internet Server Sockets:
    
    >> tcp        0      0 62.41.26.100:35728          0.0.0.0:*                   LISTEN      -                   
    
    
    Following is a summary of a new Unix Domain Sockets:
    no changes to Unix Domain Sockets
    
    Code:
    This is an automated alert generated from eclipse.crystalcore.nl. This alert is to
    notify the addressed users of new server sockets. New server sockets can
    indicate server-software that has been started on your host, or otherwise
    be an indication to malicious activity. It is advised to review this alert
    and investigate if needed.
    
    Following is a summary of new Internet Server Sockets:
    
    >> tcp        0      0 62.41.26.100:35574          0.0.0.0:*                   LISTEN      -                   
    
    
    Following is a summary of a new Unix Domain Sockets:
    no changes to Unix Domain Sockets
    
    Code:
    This is an automated alert generated from eclipse.crystalcore.nl. This alert is to
    notify the addressed users of new server sockets. New server sockets can
    indicate server-software that has been started on your host, or otherwise
    be an indication to malicious activity. It is advised to review this alert
    and investigate if needed.
    
    Following is a summary of new Internet Server Sockets:
    
    >> tcp        0      0 62.41.26.100:35483          0.0.0.0:*                   LISTEN      -                   
    
    
    Following is a summary of a new Unix Domain Sockets:
    no changes to Unix Domain Sockets
    
    Code:
    This is an automated alert generated from eclipse.crystalcore.nl. This alert is to
    notify the addressed users of new server sockets. New server sockets can
    indicate server-software that has been started on your host, or otherwise
    be an indication to malicious activity. It is advised to review this alert
    and investigate if needed.
    
    Following is a summary of new Internet Server Sockets:
    
    >> tcp        0      0 62.41.26.100:35727          0.0.0.0:*                   LISTEN      -                   
    
    
    Following is a summary of a new Unix Domain Sockets:
    no changes to Unix Domain Sockets
    
    Four mails with suspicious times, first one 0:00, 2nd 0:10, 3rd 2:10 and 4th at 2:20.
    Can't find any running processes for them, ran rkhunter and it didn't find anything, nor did chkrootkit (besides a false error to my knowledge: Checking `bindshell'... INFECTED (PORTS: 114 465)).

    Anybody got an idea on what this could be?
     
  2. webignition

    webignition Well-Known Member

    From SSH try netstat -l

    This will list all ports that are listening and might give you an indication as to what is listening on the relevant ports.
     
  3. DN-Paul

    DN-Paul Well-Known Member

    I bet you get them whenever someone logs into ftp on your server ;) (when someone is using passive ftp mode and your FTPd opens a new port for their passive connection)
     
  4. Ramsy

    Ramsy Guest

    I think so, yeah, because it matches my passive range list :)
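
The check this thread ends on, comparing the alerted ports with the FTP server's passive port range, as an added example that is not part of the original posts. The range 35000-36000, the daemon names and the `triage` helper are assumptions; the sample alert reuses one socket line from the alerts above and adds two constructed ones.

```python
import re

# One socket line as LSM quotes it from netstat: proto, queues, local addr:port,
# foreign addr, optional state, then the owner column ("-" or "PID/name").
SOCKET_LINE = re.compile(
    r"^\s*>>\s*(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:(?P<state>[A-Z_0-9]+)\s+)?(?P<owner>\S.*?)\s*$"
)

# Assumption: process names of the FTP daemons that may run on this host.
FTP_DAEMONS = ("pure-ftpd", "proftpd")

# Constructed sample: first socket line is from the alerts above, the rest invented.
SAMPLE_ALERT = """\
Following is a summary of new Internet Server Sockets:

>> tcp        0      0 62.41.26.100:35728    0.0.0.0:*    LISTEN      -
>> tcp        0      0 62.41.26.100:35601    0.0.0.0:*    LISTEN      2211/pure-ftpd (SERVER)
>> tcp        0      0 0.0.0.0:6667          0.0.0.0:*    LISTEN      4121/perl
"""


def triage(alert_text, passive_range):
    """Classify each new socket in an LSM alert against the passive FTP range."""
    low, high = passive_range
    findings = []
    for line in alert_text.splitlines():
        m = SOCKET_LINE.match(line)
        if m is None:
            continue  # prose lines of the alert carry no socket
        port, owner = int(m["port"]), m["owner"]
        name = owner.split("/", 1)[-1]  # "2211/pure-ftpd (SERVER)" -> "pure-ftpd (SERVER)"
        if not low <= port <= high:
            verdict = "investigate"
        elif name.startswith(FTP_DAEMONS):
            verdict = "passive-ftp"
        else:
            # Owner "-": netstat showed no process. The port fits the range, so
            # confirm against the FTP log for the time of the alert.
            verdict = "in-range-unconfirmed"
        findings.append({"port": port, "owner": owner, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERT, (35000, 36000)):  # assumed passive range
        print(f["port"], f["owner"], f["verdict"])
```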
     