LinuxQuestions.org

Source: Linux - Security forum, https://www.linuxquestions.org/questions/linux-security-4/netstat-shows-syn_sent-with-wrong-multiple-pid-4175508410/

texupport 06-18-2014 02:27 PM

netstat shows SYN_SENT with wrong / multiple PID
 
Hello, trying to track down what this is, a compromise or what. This is a partial list from netstat -pane; I altered our IP address, but the target IP is something we do not use or send to, the PID is repeated, and when I show the ps aux entry (also edited to not show too much info), it is running what would be a valid script.

Any help would be greatly appreciated.


tcp 0 1 ::ffff:111.222.33.44:44888 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539434 28495/java
tcp 0 1 ::ffff:111.222.33.44:44881 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539413 28495/java
tcp 0 1 ::ffff:111.222.33.44:44880 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539410 28495/java
tcp 0 1 ::ffff:111.222.33.44:44883 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539419 28495/java
tcp 0 1 ::ffff:111.222.33.44:44882 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539416 28495/java
tcp 0 1 ::ffff:111.222.33.44:44885 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539425 28495/java


root 28495 102 0.6 4563628 104612 ? Sl Jun16 3770:13 /usr/local/jdk/jre/bin/java -classpath /usr/local/apache-ant-1.8.2/lib/ant-launcher.jar -Dant.home=/usr/local/apache-ant-1.8.2 -Dant.library.dir=/usr/local/apache-ant-1.8.2/lib org.apache.tools.ant.launch.Launcher -cp -f /homdeir of our scripts/ validscriptname

unSpawn 06-18-2014 04:07 PM

What makes you think this is "a compromise or what"? "/homdeir of our scripts/ validscriptname" doesn't show any clue of what you run. Verify the integrity of your system? Maybe it's an auth / phone home thing. tcpdump the connection and see what it says?

texupport 06-19-2014 08:24 PM

"/homdeir of our scripts/ validscriptname" just meant I didn't want to show our complete directory structure of where we keep our scripts and what naming convention we use for scripts; ditto for the sending IP address.

We recently installed CSF, and this has been going on CONSTANTLY since then, and that address is not something we would send to.

What tcpdump command syntax should I use?

unSpawn 06-20-2014 01:23 AM

Did you verify the integrity of your system?
Command should be something like 'tcpdump -i [interface name] -n -s 0 -w [output file]'.
(See 'man tcpdump'.)
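To make a listing like the one in this thread easier to triage, here is an added Python example (not from the thread or any of its posters) that parses netstat -pane rows and groups SYN_SENT entries by process and remote endpoint, so repeated half-open attempts from one PID to one host:port stand out. The SYN_SENT rows are the ones posted above; the ESTABLISHED sshd row is constructed for contrast.

```python
from collections import Counter

# netstat -pane rows as posted in the thread (local IP already altered by
# the poster); the final ESTABLISHED sshd row is constructed here for contrast.
NETSTAT_OUTPUT = """\
tcp 0 1 ::ffff:111.222.33.44:44888 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539434 28495/java
tcp 0 1 ::ffff:111.222.33.44:44881 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539413 28495/java
tcp 0 1 ::ffff:111.222.33.44:44880 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539410 28495/java
tcp 0 0 ::ffff:111.222.33.44:22 ::ffff:192.0.2.10:51234 ESTABLISHED 0 132500001 1201/sshd
"""

def split_endpoint(addr):
    """'::ffff:1.2.3.4:80' -> ('1.2.3.4', '80'); drops the IPv4-mapped prefix."""
    host, _, port = addr.rpartition(":")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host, port

def parse_netstat(text):
    """Yield one dict per tcp row of `netstat -pane` output.
    Columns: proto recv-q send-q local foreign state uid inode pid/program."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].startswith("tcp"):
            continue
        pid, _, prog = f[8].partition("/")
        rhost, rport = split_endpoint(f[4])
        yield {"state": f[5], "uid": f[6], "pid": pid, "prog": prog,
               "remote_host": rhost, "remote_port": rport}

def syn_sent_by_process(text):
    """Count half-open (SYN_SENT) attempts per (pid, program, remote host, port)."""
    counts = Counter()
    for r in parse_netstat(text):
        if r["state"] == "SYN_SENT":
            counts[(r["pid"], r["prog"], r["remote_host"], r["remote_port"])] += 1
    return counts

def suspicious(text, threshold=3):
    """Entries with at least `threshold` unanswered SYNs to one endpoint."""
    return {k: v for k, v in syn_sent_by_process(text).items() if v >= threshold}

if __name__ == "__main__":
    for (pid, prog, host, port), n in suspicious(NETSTAT_OUTPUT).items():
        print(f"{n} SYN_SENT from PID {pid} ({prog}) to {host}:{port}")
        # next triage steps, as the thread suggests: inspect the process, then capture
        print(f"  ls -l /proc/{pid}/exe /proc/{pid}/cwd; tcpdump -n -s 0 host {host} -w pid{pid}.pcap")
```

Run it against a live capture with netstat -pane | python3 script.py after replacing NETSTAT_OUTPUT with sys.stdin.read(); the /proc links show what binary and working directory the PID really has, independent of the command line ps prints.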

