On Thursday 01 January 2004 20:51, Patrick Ahlbrecht wrote:
> I have never seen something like [eth0] anywhere else (btw: what's the actual meaning of square brackets? Daemons show them too, but these are kernel tasks). Looking at /proc/425 doesn't give any clues, except that it has one file descriptor open pointing to /dev/initctl and a PPID of 1.
Not likely a rootkit. You will find that you can stop it with 'rcnetwork stop eth0' and start it again with 'rcnetwork start eth0'. It's the service which handles your network card. Most rootkits will hide themselves by changing the output of the 'ps' command, so you're not likely to find a rootkit that way.
> I also found port 6667 to be open, or better "filtered" (nmap). The firewall (self-made) doesn't touch it, and I can't associate a process with it (it doesn't accept connections either if simply telnetted to).
From where did you check this? If you used an online scanning service, it could be that your ISP is filtering port 6667. It is commonly (ab)used for IRC and therefore a fairly well known vulnerability. Some ISPs don't want their customers to run servers, the only reason why you might need it. As an 'ordinary' user, you wouldn't be harmed by filtering. Check the acceptable use policy of your provider.

Best regards,
Arjen
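The square-bracket question can be checked from /proc in the same way PID 425 was inspected by hand above. This is an added example, not part of the original thread: procps `ps` prints a name in brackets when `/proc/<pid>/cmdline` is empty, and the script sorts such entries by whether an executable stands behind them. The `proc_root` parameter and the kind labels are assumptions of this example.

```python
import os

def read_status(pid_dir):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    with open(os.path.join(pid_dir, "status")) as fh:
        for line in fh:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def classify(pid_dir):
    """Return None if argv is present, else a dict describing the [name] entry."""
    with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
        if fh.read().strip(b"\0"):
            return None  # argv present: ps prints it without brackets
    status = read_status(pid_dir)
    info = {"name": status.get("Name", "?"),
            "ppid": int(status.get("PPid", -1)), "exe": None}
    if status.get("State", "").startswith("Z"):
        info["kind"] = "zombie"  # exited, not yet reaped by its parent
        return info
    try:
        info["exe"] = os.readlink(os.path.join(pid_dir, "exe"))
        info["kind"] = "userspace"  # real binary with empty argv: inspect it
    except FileNotFoundError:
        info["kind"] = "kernel-thread"  # no executable behind the task
    except PermissionError:
        info["kind"] = "unknown"  # another user's process: rerun as root
    return info

def scan(proc_root="/proc"):
    """Map pid -> classification for every bracketed entry under proc_root."""
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            info = classify(os.path.join(proc_root, entry))
        except (FileNotFoundError, ProcessLookupError):
            continue  # process exited while we were reading it
        if info:
            found[int(entry)] = info
    return found

if __name__ == "__main__":
    for pid, info in sorted(scan().items()):
        print(f"{pid:>6} [{info['name']}] ppid={info['ppid']} {info['kind']} exe={info['exe']}")
```

Because it reads the same /proc that `ps` does, this explains bracketed entries but does not reveal anything a kernel-level rootkit hides from /proc itself.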