From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Hacked by association?
Date: Thu, 20 Sep 2007 10:24:16 +0100
Message-Id: <200709201024.19444.michaelkintzios@gmail.com>
In-Reply-To: <49bf44f10709191616u4939b86dla32ef38067ea7702@mail.gmail.com>

On Thursday 20 September 2007, Grant wrote:
> > > I recognize everything in 'ps -ef' I think, but I've never really used
> > > netstat before. Under "Active Internet connections" I don't
> > > recognize:
> > >
> > > tcp localhost:10030
> > > tcp *:snpp
> >
> > Also, snpp is for pagers:
> > http://en.wikipedia.org/wiki/Simple_Network_Paging_Protocol
>
> With netstat -lp it looks like *:snpp is associated with apache2 and
> is using the same pid as *:http and *:https. I've never set up
> anything having to do with a pager. I've never had a pager. What can
> I do to investigate that further?

I assume then that this is spawned by apache, but don't know why apache would spawn something like this. What happens if you shut apache down? Is it still there? You could post in apache M/Ls in case they know or have seen this before.

> > Then run lsof (check man lsof) to see if there is anything suspicious
> > there, like another user logged in either as root or with a different
> > name.
>
> Any handy lsof commands?

I am not good with regex so I would just run it plain and work tediously my way down the list, or start from the known suspects: check the port that snpp is using as well as 10030, e.g.

# lsof -i @your_host_name.com:10030 (you can use the IP address here too)
# lsof -i @your_host_name.com:snpp

etc.

HTH.
-- 
Regards,
Mick

-- 
gentoo-user@gentoo.org mailing list
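One way to script the triage Mick describes (list what is listening, compare it against the ports you expect, then chase the remainder with lsof), as an added example that is not part of the thread. It assumes the column layout of `lsof -i -P -n -sTCP:LISTEN` and feeds the function a constructed sample in place of a live machine.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets whose port is not on an allowlist.
# Input is assumed to be lsof output (COMMAND PID USER FD TYPE DEVICE SIZE/OFF
# NODE NAME); with -P ports print numerically, so netstat's "*:snpp" shows as
# "*:444" (snpp is 444/tcp in /etc/services).

# Constructed sample standing in for `lsof -i -P -n -sTCP:LISTEN` on the
# box from the thread: apache2 owning :80, :443 and the unexplained :444,
# plus something on localhost:10030.
SAMPLE_LSOF='COMMAND  PID USER   FD TYPE DEVICE SIZE/OFF NODE NAME
sshd     512 root    3u IPv4   9001      0t0  TCP *:22 (LISTEN)
apache2 1234 root    4u IPv4   9002      0t0  TCP *:80 (LISTEN)
apache2 1234 root    5u IPv4   9003      0t0  TCP *:443 (LISTEN)
apache2 1234 root    6u IPv4   9004      0t0  TCP *:444 (LISTEN)
perl    4321 apache  3u IPv4   9005      0t0  TCP 127.0.0.1:10030 (LISTEN)'

# unexpected_listeners "PORT PORT ..." < lsof-output
# Prints "PID COMMAND USER PORT" for every LISTEN socket whose port is not
# in the space-separated allowlist. Each printed PID is then a candidate for
# `lsof -p PID` and `ls -l /proc/PID/exe` (a deleted or odd binary path is a
# classic sign of an injected process).
unexpected_listeners() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        $NF != "(LISTEN)" { next }          # header and non-listening rows
        {
            port = $(NF - 1)                # e.g. "*:444", "127.0.0.1:10030"
            sub(/.*:/, "", port)            # keep only the port number
            if (index(allowed, " " port " ") == 0)
                print $2, $1, $3, port
        }'
}

# Stand-alone run on the constructed sample; for a live host replace the
# printf with: lsof -i -P -n -sTCP:LISTEN | unexpected_listeners "22 80 443"
printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners "22 80 443"
```

The two lines reported (1234 apache2 on 444 and 4321 perl on 10030) are exactly the sockets Grant could not account for; stopping apache and re-running the check answers Mick's "is it still there?" question directly.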