
suspicious ip connection

Discussion in 'General Discussion' started by Zion Ahead, Sep 29, 2007.

  1. Zion Ahead

    Zion Ahead Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Code:
    root@server [/tmp]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
         46 24.184.145.112
         16 71.100.54.87
         10 72.222.188.191
          8 12.178.61.25
          7 
          4 76.73.165.170
          4 216.67.24.190
          4 216.239.50.136
          3 65.54.188.147
          3 128.120.161.209
          2 76.183.60.83
          2 72.160.255.180
          2 69.77.205.218
          2 66.153.232.40
          2 65.214.39.180
          2 60.53.3.60
          2 148.168.40.4
          1 servers)
          1 Address


    What are these "servers)" and "Address" lines? And the blank one with 7 connections?


    root@server [/tmp]# uname -a
    Linux server.host.com 2.6.9-55.0.2.ELsmp #1 SMP Tue Jun 26 14:30:58 EDT 2007 i686 i686 i386 GNU/Linux
     
  2. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    If you do that command without the awk, cut and sort you see this at the top of the listing:

    Code:
    # netstat -ntu
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State
    tcp        0      0 192,168.1.1:80           192.168.1.2:4997           ESTABLISHED
    
     
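The two stray entries in the first post are the two header lines of `netstat -ntu` ("Active Internet connections (w/o servers)" and the column header), which the one-liner feeds through `awk '{print $5}'` like any other row. The following shell script is an added example, not code from either poster: it rebuilds the same per-remote-host count while skipping those headers, and it strips only the trailing `:port` instead of cutting at the first colon, so a foreign address written in IPv6 notation (for instance `::ffff:203.0.113.9:6000`) is not reduced to an empty string. That is one plausible way to end up with a blank host line in the original output; the thread itself does not say what caused it, so treat that as an assumption. The sample `netstat` output embedded below is constructed for the example and uses documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread): count connections per remote host
# from `netstat -ntu` output, skipping the two header lines that the original
# one-liner reported as "servers)" and "Address", and keeping IPv6-style
# foreign addresses intact instead of letting `cut -d: -f1` blank them.

# Constructed sample of `netstat -ntu` output (not real data; documentation
# address ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 192.0.2.10:80               198.51.100.7:4997           ESTABLISHED
tcp        0      0 192.0.2.10:80               198.51.100.7:4998           ESTABLISHED
tcp        0      0 192.0.2.10:22               203.0.113.9:51022           ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:443       ::ffff:198.51.100.7:6000    ESTABLISHED
udp        0      0 192.0.2.10:53               203.0.113.9:33000           ESTABLISHED'

# count_remote_hosts: read `netstat -ntu` output on stdin and print
# "count host" lines, busiest first. The host is the foreign address with
# only its last ":port" removed, so IPv6 and IPv4-mapped addresses survive.
count_remote_hosts() {
    awk '
        NR <= 2 { next }              # skip the "Active Internet..." and column-header lines
        $5 == "" { next }             # ignore malformed rows with no foreign address
        {
            host = $5
            sub(/:[^:]*$/, "", host)  # strip the trailing ":port" only
            sub(/^::ffff:/, "", host) # unwrap IPv4-mapped IPv6 addresses
            if (host == "") host = "(unknown)"
            n[host]++
        }
        END { for (h in n) printf "%d %s\n", n[h], h }
    ' | sort -rn
}

# top_remote_host: the single remote host with the most connections.
top_remote_host() {
    count_remote_hosts | head -n 1 | awk '{print $2}'
}

# Usage: against live data run `netstat -ntu | count_remote_hosts`; against
# the constructed sample the first line printed is "3 198.51.100.7".
printf '%s\n' "$SAMPLE_NETSTAT" | count_remote_hosts
```

On a live server replace the `printf` with `netstat -ntu | count_remote_hosts` (or `ss -ntu` on systems where `netstat` is gone; `ss` prints a different header and column layout, so the `NR <= 2` and `$5` assumptions would need adjusting).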
  3. Zion Ahead

    Zion Ahead Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    There is a vbulletin forum I manage where somehow, someone hacked into (a hole maybe) one forum category specifically and posted two threads, each post said "hacked by eagle".

    I'm trying to figure out where they came in from. There are a lot of modules installed; to say the least, they all have good ratings, indicating good quality and, at least to a certain degree, good coding. Of course, nothing is perfect.

    I did upgrade the kernel after I noticed this. Now I have this:

    2.6.9-55.0.9.ELsmp #1 SMP Thu Sep 27 18:27:41 EDT 2007 i686 i686 i386 GNU/Linux

    Centos 4.5

    One thing is, how can you trace such a thing, the two posts made in the forum specifically? They were made under the administrator's name too, which has a very complex 24-character password as well (same for MySQL and the server root password).
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    vBulletin keeps mod logs, which might be worth reviewing; the domlogs for the account and the Apache logs might show something as well.

    What modules are installed on the forums? mod rpg, vbgsitemap possibly? Is the forum up to date with the latest vb code? Are these modules up to date?

    Kernel upgrade is a good idea but wouldn't be of any consequence here I don't think.

    Check the time of the posts then dig the logs for things going on at that time.

    Meantime, before you bother looking for anything else, I'd suggest you disable any modules on that forum and remove them until you are sure they're safe. There's a good chance this is how they got in. IMHO of course.
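Infopro's advice above is to take the timestamps of the two rogue posts and read the logs for that window. The shell script below is an added example, not code from the thread or from vBulletin: it filters Apache combined-format access-log lines to a time window and then lists which client IPs issued POST requests to vBulletin's thread-creation script (`newthread.php`) in that window, which is the request a forged post would have arrived on. All log lines, addresses and timestamps are constructed for the example; the window arguments use Apache's own `dd/Mon/yyyy:HH:MM:SS` timestamp format.

```shell
#!/bin/sh
# Added example (not from the thread): pull the Apache access-log entries
# that fall inside a time window around a suspicious forum post, then
# summarise which clients POSTed to the thread-creation script in that
# window. Assumes the Apache "combined" log format; every line below is
# constructed sample data, not a real log.

SAMPLE_ACCESS_LOG='203.0.113.9 - - [28/Sep/2007:21:14:02 -0400] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Sep/2007:21:15:40 -0400] "POST /forum/newthread.php?do=postthread&f=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Sep/2007:21:16:05 -0400] "POST /forum/newthread.php?do=postthread&f=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Sep/2007:22:30:11 -0400] "GET /forum/showthread.php?t=100 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"'

# log_entries_between START END: print the log lines whose timestamp lies
# between START and END (inclusive). Both bounds are given in Apache's
# "dd/Mon/yyyy:HH:MM:SS" form; timestamps are turned into a sortable
# "yyyymmddHHMMSS" key so the comparison works across days and months.
log_entries_between() {
    awk -v start="$1" -v end="$2" '
        function key(ts,    p, m) {
            split(ts, p, "[/:]")                     # dd Mon yyyy HH MM SS
            m = index("JanFebMarAprMayJunJulAugSepOctNovDec", p[2])
            return sprintf("%s%02d%s%s%s%s", p[3], (m + 2) / 3, p[1], p[4], p[5], p[6])
        }
        BEGIN { s = key(start); e = key(end) }
        {
            ts = $4
            sub(/^\[/, "", ts)                       # drop the leading "["
            k = key(ts)
            if (k >= s && k <= e) print
        }
    '
}

# posting_clients START END: "count ip" for every client that POSTed to
# newthread.php inside the window, busiest first. Field 6 is the quoted
# method ("POST) and field 7 the request path in the combined format.
posting_clients() {
    log_entries_between "$1" "$2" | awk '
        $6 == "\"POST" && $7 ~ /newthread\.php/ { n[$1]++ }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Usage against the constructed sample; on a cPanel box the input would be
# the account's domlog, e.g. cat /usr/local/apache/domlogs/<domain> (path
# assumed, adjust for your server). Prints "2 198.51.100.7".
printf '%s\n' "$SAMPLE_ACCESS_LOG" | posting_clients "28/Sep/2007:21:00:00" "28/Sep/2007:21:30:00"
```

Once the posting client is known, the same window can be widened and the IP fed back through `log_entries_between` and a plain `grep` for that address to see every request it made around the time of the posts, which is where evidence of how the admin session was obtained (a module script being hit, for example) would show up.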
     