netstat -apln
I tried, but here I get some things which I don't understand:

tcp   0   0   0.0.0.0:9705      0.0.0.0:*             LISTEN
tcp   0   0   0.0.0.0:25        0.0.0.0:*             LISTEN
tcp   0   0   0.0.0.0:587       0.0.0.0:*             LISTEN
tcp   0   0   0.0.0.0:110       0.0.0.0:*             LISTEN
tcp   0   0   0.0.0.0:21        0.0.0.0:*             LISTEN
tcp   0   0   my_machine:7373   213.3.142.211:65338   ESTABLISHED
tcp   0   0   0.0.0.0:80        0.0.0.0:*             LISTEN
tcp   0   0   0.0.0.0:22        0.0.0.0:*             LISTEN
udp   0   0   0.0.0.0:2030      0.0.0.0:*

Let me give some more things: (/var/log/messages)

Feb 6 15:08:10 linux1 sshd[3355]: log: Connection from 213.3.142.43 port 65462
Feb 6 15:08:10 linux1 sshd[3355]: fatal: Connection closed by remote host.
Feb 6 15:08:13 linux1 sshd[3357]: log: Connection from 213.3.142.43 port 65456
Feb 6 15:08:14 linux1 sshd[3357]: fatal: Connection closed by remote host.
Feb 6 15:08:32 linux1 sshd[3359]: log: Connection from 213.3.142.43 port 65199
Feb 6 15:08:32 linux1 sshd[3359]: fatal: Connection closed by remote host.
Feb 6 15:09:12 linux1 sshd[3360]: log: Connection from 213.3.142.43 port 65441
Feb 6 15:09:13 linux1 sshd[3360]: fatal: Connection closed by remote host.
Feb 6 15:09:37 linux1 sshd[3361]: log: Connection from 213.3.142.43 port 65431
Feb 6 15:09:37 linux1 sshd[3361]: fatal: Connection closed by remote host.
Feb 6 15:09:48 linux1 sshd[3362]: log: Connection from 213.3.142.43 port 65190
Feb 6 15:09:48 linux1 sshd[3362]: fatal: Connection closed by remote host.
Feb 6 15:10:54 linux1 sshd[3363]: log: Connection from 213.3.142.43 port 65433
Feb 6 15:10:54 linux1 sshd[3363]: log: Password authentication for root accepted.
Feb 6 15:10:54 linux1 sshd[3363]: log: ROOT LOGIN as 'root' from bw2-142pub43.bluewin.ch
Feb 6 15:12:06 linux1 sshd[3363]: log: Closing connection to 213.3.142.43
Feb 6 18:21:05 linux1 popper[3484]: connect from 213.3.142.43
Feb 6 15:24:59 linux1 sshd[214]: log: Generating new 768 bit RSA key.
Feb 6 15:24:59 linux1 sshd[214]: log: RSA key generation complete.

This 213.3.142.43 is a bluewin.ch dialin. The one above which still has a connection open is one as well (probably the same guy).

Is there a trojan listening in my system? Could I find it somehow? I have backups of /bin/ps and /bin/ls but they seem to be the same!

Thanks
Raffy
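The sshd lines quoted in the post can be correlated by PID to show, per source address, how many connections were dropped before authentication and which password logins were accepted. This is an added example, not part of the original post; the function and variable names are hypothetical, and the patterns assume the log format shown above.

```python
import re
from collections import defaultdict
# sshd lines copied from the /var/log/messages excerpt in the post above
SAMPLE = """\
Feb 6 15:08:10 linux1 sshd[3355]: log: Connection from 213.3.142.43 port 65462
Feb 6 15:08:10 linux1 sshd[3355]: fatal: Connection closed by remote host.
Feb 6 15:08:13 linux1 sshd[3357]: log: Connection from 213.3.142.43 port 65456
Feb 6 15:08:14 linux1 sshd[3357]: fatal: Connection closed by remote host.
Feb 6 15:08:32 linux1 sshd[3359]: log: Connection from 213.3.142.43 port 65199
Feb 6 15:08:32 linux1 sshd[3359]: fatal: Connection closed by remote host.
Feb 6 15:09:12 linux1 sshd[3360]: log: Connection from 213.3.142.43 port 65441
Feb 6 15:09:13 linux1 sshd[3360]: fatal: Connection closed by remote host.
Feb 6 15:09:37 linux1 sshd[3361]: log: Connection from 213.3.142.43 port 65431
Feb 6 15:09:37 linux1 sshd[3361]: fatal: Connection closed by remote host.
Feb 6 15:09:48 linux1 sshd[3362]: log: Connection from 213.3.142.43 port 65190
Feb 6 15:09:48 linux1 sshd[3362]: fatal: Connection closed by remote host.
Feb 6 15:10:54 linux1 sshd[3363]: log: Connection from 213.3.142.43 port 65433
Feb 6 15:10:54 linux1 sshd[3363]: log: Password authentication for root accepted.
Feb 6 15:10:54 linux1 sshd[3363]: log: ROOT LOGIN as 'root' from bw2-142pub43.bluewin.ch
Feb 6 15:12:06 linux1 sshd[3363]: log: Closing connection to 213.3.142.43
Feb 6 15:24:59 linux1 sshd[214]: log: Generating new 768 bit RSA key.
Feb 6 15:24:59 linux1 sshd[214]: log: RSA key generation complete.
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (?:log|fatal): (.*)$")
CONNECT = re.compile(r"Connection from (\S+) port \d+")
ACCEPT = re.compile(r"Password authentication for (\S+) accepted")

def summarize(text):
    """Per source IP: connections dropped before auth, accepted password logins."""
    pid_ip = {}  # sshd child PID -> source IP of the connection it serves
    report = defaultdict(lambda: {"dropped": 0, "accepted": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, pid, msg = m.groups()
        if (c := CONNECT.match(msg)):
            pid_ip[pid] = c.group(1)
        elif pid not in pid_ip:
            continue  # no connection seen for this PID (e.g. key regeneration)
        elif msg.startswith("Connection closed by remote host"):
            report[pid_ip[pid]]["dropped"] += 1
        elif (a := ACCEPT.match(msg)):
            report[pid_ip[pid]]["accepted"].append((when, a.group(1)))
    return dict(report)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
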