netstat shows SYN_SENT with wrong / multiple PID
Hello, trying to track down what this is, a compromise or what. This is a partial list of netstat -pane. I altered our IP address, but the target IP is something we do not use or send to. The PID is repeated, and when I show the ps aux entry (also edited to not show too much info), it is running what would be a valid script.
Any help would be greatly appreciated.

tcp 0 1 ::ffff:111.222.33.44:44888 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539434 28495/java
tcp 0 1 ::ffff:111.222.33.44:44881 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539413 28495/java
tcp 0 1 ::ffff:111.222.33.44:44880 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539410 28495/java
tcp 0 1 ::ffff:111.222.33.44:44883 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539419 28495/java
tcp 0 1 ::ffff:111.222.33.44:44882 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539416 28495/java
tcp 0 1 ::ffff:111.222.33.44:44885 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539425 28495/java

root 28495 102 0.6 4563628 104612 ? Sl Jun16 3770:13 /usr/local/jdk/jre/bin/java -classpath /usr/local/apache-ant-1.8.2/lib/ant-launcher.jar -Dant.home=/usr/local/apache-ant-1.8.2 -Dant.library.dir=/usr/local/apache-ant-1.8.2/lib org.apache.tools.ant.launch.Launcher -cp -f /homdeir of our scripts/ validscriptname
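Added example (not from anyone in the thread): a small Python parser for `netstat -pane` lines that groups SYN_SENT sockets by PID and remote endpoint, with the output quoted above as constructed sample input. The six rows sharing PID 28495 are one java process holding six half-open sockets to 108.61.22.179:40000, not six processes with the same PID; netstat prints one line per socket.

```python
"""Summarise half-open (SYN_SENT) sockets from `netstat -pane` output.
Added example for this thread, not code from the original post; the sample
below is constructed from the anonymised output quoted in the question."""
from collections import Counter

# Constructed sample: the six SYN_SENT lines from the question plus one
# unrelated ESTABLISHED line to exercise the state filter.
NETSTAT_SAMPLE = """\
tcp 0 1 ::ffff:111.222.33.44:44888 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539434 28495/java
tcp 0 1 ::ffff:111.222.33.44:44881 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539413 28495/java
tcp 0 1 ::ffff:111.222.33.44:44880 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539410 28495/java
tcp 0 1 ::ffff:111.222.33.44:44883 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539419 28495/java
tcp 0 1 ::ffff:111.222.33.44:44882 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539416 28495/java
tcp 0 1 ::ffff:111.222.33.44:44885 ::ffff:108.61.22.179:40000 SYN_SENT 0 132539425 28495/java
tcp 0 0 ::ffff:111.222.33.44:22 ::ffff:10.0.0.5:51234 ESTABLISHED 0 1234 1010/sshd
"""

def split_addr(addr):
    """'::ffff:1.2.3.4:80' -> ('1.2.3.4', 80); a '*' port (LISTEN rows) becomes None."""
    host, _, port = addr.rpartition(":")
    if host.startswith("::ffff:"):          # IPv4-mapped IPv6, as netstat prints it
        host = host[len("::ffff:"):]
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """One dict per TCP line. `netstat -pane` columns: proto recv-q send-q
    local foreign state user inode pid/program."""
    for line in text.splitlines():
        p = line.split()
        if len(p) < 9 or not p[0].startswith("tcp"):
            continue                        # header, udp or unix lines
        pid, _, prog = p[8].partition("/")  # '-' when the socket owner is hidden
        yield {"local": split_addr(p[3]), "remote": split_addr(p[4]),
               "state": p[5], "sendq": int(p[2]),
               "pid": int(pid) if pid.isdigit() else None, "program": prog}

def syn_sent_summary(text):
    """Count SYN_SENT sockets per (pid, program, remote host, remote port).
    Several SYN_SENT rows sharing one PID are one process retrying connect()
    to a peer that never answers (send-q 1 is the unacknowledged SYN), not
    several processes with the same PID."""
    counts = Counter()
    for s in parse_netstat(text):
        if s["state"] == "SYN_SENT":
            counts[(s["pid"], s["program"], *s["remote"])] += 1
    return dict(counts)
```

Feed it the real `netstat -pane` output and each key in the result is one process plus one unreachable peer; the count tells you how many connection attempts are stuck at once.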
What makes you think this is "a compromise or what"? "/homdeir of our scripts/ validscriptname" doesn't show any clue of what you run. Verify the integrity of your system? Maybe it's an auth / phone home thing. tcpdump the connection and see what it says?
"/homdeir of our scripts/ validscriptname" just meant I didn't want to show our complete directory structure of where we keep our scripts and what naming convention we use for scripts, ditto for the sending IP address.
We recently installed CSF and this is going on CONSTANTLY since then, and that address is not something we would send to. What tcpdump command syntax should I use?
Did you verify the integrity of your system?
Command should be something like 'tcpdump -i [interface name] -n -s 0 -w [output file]'. (See 'man tcpdump'.)