From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Hacked by association?
Date: Thu, 20 Sep 2007 10:24:16 +0100
Message-ID: <200709201024.19444.michaelkintzios@gmail.com>
In-Reply-To: <49bf44f10709191616u4939b86dla32ef38067ea7702@mail.gmail.com>
On Thursday 20 September 2007, Grant wrote:
> > > I recognize everything in 'ps -ef' I think, but I've never really used
> > > netstat before. Under "Active Internet connections" I don't
> > > recognize:
> > >
> > > tcp localhost:10030
> > > tcp *:snpp
> >
> > Also, snpp is for pagers:
> > http://en.wikipedia.org/wiki/Simple_Network_Paging_Protocol
>
> With netstat -lp it looks like *:snpp is associated with apache2 and
> is using the same pid as *:http and *:https. I've never set up
> anything having to do with a pager. I've never had a pager. What can
> I do to investigate that further?

I assume then that this is spawned by apache, but don't know why apache would
spawn something like this. What happens if you shut apache down? Is it
still there? You could post in apache M/Ls in case they know or have seen
this before.

> > Then run lsof (check man lsof) to see if there is anything suspicious
> > there, like another user logged in either as root or with a different
> > name.
>
> Any handy lsof commands?

I am not good with regex so I would just run it plain and work tediously my
way down the list, or start from the known suspects: check the port that
snpp is using as well as 10030, e.g.

# lsof -i @your_host_name.com:10030 (you can use the IP address here too)
# lsof -i @your_host_name.com:snpp

etc.

HTH.
--
Regards,
Mick
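
Added example, not part of Mick's message or of the thread: a name such as *:snpp in netstat's Local Address column is only the /etc/services label for a port number (snpp is registered as 444/tcp). The sketch below runs over constructed services and `netstat -tlnp` samples (the PIDs and the program name `exampled` are made up) to resolve the name to a port, show which process owns it, and list what else that process listens on.

```shell
#!/bin/sh
# Constructed sample in /etc/services format (snpp is registered as 444/tcp).
SERVICES_SAMPLE='http     80/tcp
https    443/tcp
snpp     444/tcp    # Simple Network Paging Protocol'

# Constructed sample shaped like `netstat -tlnp` output; PIDs and the
# program name "exampled" are made up for illustration.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0 0 0.0.0.0:80      0.0.0.0:* LISTEN 4321/apache2
tcp   0 0 0.0.0.0:443     0.0.0.0:* LISTEN 4321/apache2
tcp   0 0 0.0.0.0:444     0.0.0.0:* LISTEN 4321/apache2
tcp   0 0 127.0.0.1:10030 0.0.0.0:* LISTEN 5120/exampled'

# service_to_port NAME: TCP port number that the services listing gives NAME.
service_to_port() {
    printf '%s\n' "$SERVICES_SAMPLE" | awk -v name="$1" '
        $1 == name && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }'
}

# listeners_for PORT: "bind-address pid program" for each listener on PORT.
listeners_for() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")          # port is the last ":" field
            if (a[n] != port) next
            split($7, p, "/")              # "PID/Program name"
            print $4, p[1], p[2]
        }'
}

# ports_for_pid PID: every port that one process is listening on.
ports_for_pid() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v pid="$1" '
        $6 == "LISTEN" {
            split($7, p, "/")
            if (p[1] != pid) next
            n = split($4, a, ":")
            out = out (out == "" ? "" : " ") a[n]
        }
        END { print out }'
}

port=$(service_to_port snpp)
listeners_for "$port"       # who owns the port behind the name
ports_for_pid 4321          # what else that process listens on
```

On a live host, replace the two samples with /etc/services and the output of `netstat -tlnp` run as root, since netstat only shows PIDs for other users' sockets to root.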