Mailinglist Archive: opensuse-security (636 mails)

RE: [suse-security] Incident
  • From: "Raffy" <suse@xxxxxxxx>
  • Date: Thu, 8 Feb 2001 10:39:06 +0100
  • Message-id: <000701c091b2$faea5000$a26647d4@xxxxxxxx>
> netstat -apln

I tried, but here I get some things which I don't understand:

tcp 0 0 0.0.0.0:9705 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 my_machine:7373 213.3.142.211:65338 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:2030 0.0.0.0:*

Let me give some more things (/var/log/messages):

Feb 6 15:08:10 linux1 sshd[3355]: log: Connection from 213.3.142.43 port 65462
Feb 6 15:08:10 linux1 sshd[3355]: fatal: Connection closed by remote host.
Feb 6 15:08:13 linux1 sshd[3357]: log: Connection from 213.3.142.43 port 65456
Feb 6 15:08:14 linux1 sshd[3357]: fatal: Connection closed by remote host.
Feb 6 15:08:32 linux1 sshd[3359]: log: Connection from 213.3.142.43 port 65199
Feb 6 15:08:32 linux1 sshd[3359]: fatal: Connection closed by remote host.
Feb 6 15:09:12 linux1 sshd[3360]: log: Connection from 213.3.142.43 port 65441
Feb 6 15:09:13 linux1 sshd[3360]: fatal: Connection closed by remote host.
Feb 6 15:09:37 linux1 sshd[3361]: log: Connection from 213.3.142.43 port 65431
Feb 6 15:09:37 linux1 sshd[3361]: fatal: Connection closed by remote host.
Feb 6 15:09:48 linux1 sshd[3362]: log: Connection from 213.3.142.43 port 65190
Feb 6 15:09:48 linux1 sshd[3362]: fatal: Connection closed by remote host.
Feb 6 15:10:54 linux1 sshd[3363]: log: Connection from 213.3.142.43 port 65433
Feb 6 15:10:54 linux1 sshd[3363]: log: Password authentication for root accepted.
Feb 6 15:10:54 linux1 sshd[3363]: log: ROOT LOGIN as 'root' from bw2-142pub43.bluewin.ch
Feb 6 15:12:06 linux1 sshd[3363]: log: Closing connection to 213.3.142.43
Feb 6 18:21:05 linux1 popper[3484]: connect from 213.3.142.43
Feb 6 15:24:59 linux1 sshd[214]: log: Generating new 768 bit RSA key.
Feb 6 15:24:59 linux1 sshd[214]: log: RSA key generation complete.

This 213.3.142.43 is a bluewin.ch dial-in. The one above which still has a
connection open is one as well (probably the same guy).

Is there a trojan listening in my system? Could I find it somehow? I have
backups of /bin/ps and /bin/ls but they seem to be the same!

Thanks

Raffy
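
An added example, not part of the original message: a Python script that correlates sshd lines like the ones quoted above by child PID, counts aborted connections per source address, and flags sources that also have an accepted root password login. The function names and the threshold of three are assumptions; the sample lines are a subset of the post's log excerpt with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Subset of the /var/log/messages lines quoted in the post, wrapped lines rejoined.
SAMPLE = """\
Feb 6 15:09:12 linux1 sshd[3360]: log: Connection from 213.3.142.43 port 65441
Feb 6 15:09:13 linux1 sshd[3360]: fatal: Connection closed by remote host.
Feb 6 15:09:37 linux1 sshd[3361]: log: Connection from 213.3.142.43 port 65431
Feb 6 15:09:37 linux1 sshd[3361]: fatal: Connection closed by remote host.
Feb 6 15:09:48 linux1 sshd[3362]: log: Connection from 213.3.142.43 port 65190
Feb 6 15:09:48 linux1 sshd[3362]: fatal: Connection closed by remote host.
Feb 6 15:10:54 linux1 sshd[3363]: log: Connection from 213.3.142.43 port 65433
Feb 6 15:10:54 linux1 sshd[3363]: log: Password authentication for root accepted.
Feb 6 18:21:05 linux1 popper[3484]: connect from 213.3.142.43
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sshd\[(\d+)\]:\s+(?:log|fatal):\s+(.*)$")
CONNECT = re.compile(r"Connection from (\S+) port \d+")
ACCEPT = re.compile(r"Password authentication for (\S+) accepted")

def correlate(text):
    """Per source address: aborted connections and accepted password logins."""
    src_of_pid = {}  # sshd child PID -> source address (PIDs can be reused over long spans)
    stats = defaultdict(lambda: {"dropped": 0, "accepted": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd line (e.g. popper)
        when, pid, msg = m.groups()
        c = CONNECT.search(msg)
        if c:
            src_of_pid[pid] = c.group(1)
            stats[c.group(1)]  # create the entry even if nothing else follows
            continue
        src = src_of_pid.get(pid)
        if src is None:
            continue  # no connect line seen for this PID
        if msg.startswith("Connection closed by remote host"):
            stats[src]["dropped"] += 1
        a = ACCEPT.search(msg)
        if a:
            stats[src]["accepted"].append((when, a.group(1)))
    return dict(stats)

def suspicious(stats, min_dropped=3):
    """Sources with >= min_dropped aborted connections and an accepted root password login."""
    return [ip for ip, s in stats.items()
            if s["dropped"] >= min_dropped and any(u == "root" for _, u in s["accepted"])]

if __name__ == "__main__":
    print(suspicious(correlate(SAMPLE)))
```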


