Weird connection in my centos to outside..got hacked?
Hi guys, checking my CentOS I ran netstat -utpa|grep ESTA and I found these weird connections to an IP outside my company on port 8080 and another on port 443..
Those sites are weird; if you go to isamedia it opens an Apache web page..
We have a firewall and no SSH connections are allowed.
We host some virtual servers for use by the company.
When I look for the process it is http and perl..
Try "ps /" - if you get an error message, chances are good that you're not hacked. PS lists the processes, as you know, and to make sure a hacker is not found out, he/she has to "cripple" the workings of PS (and others) to "not mention" his/her processes in the list. Also, check the passwd file, are any users on root status? If not, the hacker (if present) does not have his/her own account. I'd change the password, while you're in there, too...
checking my CentOS I ran netstat -utpa|grep ESTA and I found these weird connections to an IP outside my company on port 8080 and another on port 443.. (..) When I look for the process it is http and perl..
Code:
tcp 0 0 192.16.1.1:56989 nsXX.ovh.XX:webcache ESTABLISHED 3105/httpd
tcp 174 0 192.16.1.1:51233 nsXX.ovh.XX:webcache ESTABLISHED 13141/httpd
tcp 213 0 192.168.16.1.1:38611 X.isamedia.XXX:https ESTABLISHED 18164/httpd
tcp 0 0 192.16.1.1:51312 nsXX.ovh.XX:webcache ESTABLISHED 22713/httpd
The most common breach of security (or should we rather call it "malware"?) these days is one of the web stack: intruders piggybacking IRC bot, SSH-scanning or spam-sending processes (that do not necessarily need root rights) on top of your web server, having previously gained access by exploiting a vulnerability in a web-based management panel, web log, shopping cart, statistics, forum or other (outdated) software you run. The quickest way to find out more is to run tools properly like '( /bin/ps axfwwwe 2>&1; /usr/sbin/lsof -Pwln 2>&1; /bin/ls -al /var/spool/cron 2>&1; /bin/netstat -anpe 2>&1; /usr/bin/lastlog 2>&1; /usr/bin/last 2>&1; /usr/bin/who -a 2>&1; /bin/rpm -Vva 2>&1|/bin/grep -v "\.\{8\}" 2>&1; ) > /path/to/log.txt;' (obviously changing "/path/to/" to an appropriate location).
* Should you for reasons unknown not trust 'ps' then at least run something like
Code:
procdetails() { _ls() { /bin/ls -n --time-style=long-iso --quoting-style=c "$@"; }; /bin/cat -A /proc/$1/cmdline; _ls /proc/$1/fd 2>&1; _ls -H /proc/$1/cwd 2>&1; /bin/cat /etc/passwd /etc/group; }
per PID on each of your connecting PIDs (just run as 'procdetails 22713' for example).
You now have gathered enough information to post back (please use BB code tags) and kill those PIDs. Just be aware they could be restarted if the intruder can influence any user's crontab or has brought over their own tools.
* While you wait for replies please consider performing the steps from the Intruder Detection Checklist and check out any user's shell history and directories and the directories the web server user can write to (including directories holding temporary files) in your search for clues.
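As an added illustration of the triage described above (not code from this thread or its posters): a small Python helper that parses the netstat -utpa lines quoted earlier, flags server processes that hold outbound sessions, and gathers for a PID the same /proc facts that procdetails() prints. The sample lines are constructed from the output quoted above; the function names are my own.

```python
import os
import re
# Constructed sample: the netstat -utpa lines quoted earlier in this thread.
SAMPLE_NETSTAT = """\
tcp 0 0 192.16.1.1:56989 nsXX.ovh.XX:webcache ESTABLISHED 3105/httpd
tcp 174 0 192.16.1.1:51233 nsXX.ovh.XX:webcache ESTABLISHED 13141/httpd
tcp 213 0 192.168.16.1.1:38611 X.isamedia.XXX:https ESTABLISHED 18164/httpd
tcp 0 0 192.16.1.1:51312 nsXX.ovh.XX:webcache ESTABLISHED 22713/httpd
"""

# TCP columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)/(\S+)$")

def parse_established(text):
    """One record per ESTABLISHED TCP line: ports, remote host, pid, program."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "ESTABLISHED":
            continue
        rhost, _, rport = m.group(3).rpartition(":")
        records.append({"pid": int(m.group(5)), "prog": m.group(6),
                        "local_port": m.group(2).rpartition(":")[2],
                        "remote_host": rhost, "remote_port": rport})
    return records

def outbound_from_server(records, server_progs=("httpd", "perl")):
    """A web server should accept connections, not open them: flag sessions where
    httpd/perl holds an ephemeral local port and the far end is a service port."""
    def is_service(port):
        return not port.isdigit() or int(port) < 1024
    return [r for r in records if r["prog"] in server_progs
            and not is_service(r["local_port"]) and is_service(r["remote_port"])]

def inspect_pid(pid):
    """The /proc facts procdetails() prints: cmdline, cwd, exe, open fds.
    Reading another user's process needs root; failures leave fields empty."""
    base = "/proc/%d" % pid
    info = {"pid": pid, "cmdline": "", "cwd": "", "exe": "", "fds": []}
    if not os.path.isdir(base):           # not Linux, or the PID already exited
        return info
    try:
        with open(base + "/cmdline", "rb") as f:
            info["cmdline"] = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        info["cwd"] = os.readlink(base + "/cwd")
        info["exe"] = os.readlink(base + "/exe")   # a "(deleted)" suffix is a red flag
        info["fds"] = [os.readlink(base + "/fd/" + fd) for fd in os.listdir(base + "/fd")]
    except OSError:
        pass
    return info
```

Run it as root on the affected host: feed it the real netstat -utpa output and call inspect_pid() on each flagged PID; an exe link ending in "(deleted)" or a cwd under /tmp or /var/tmp is worth posting back.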
Try "ps /" - if you get an error message, chances are good that you're not hacked. PS lists the processes, as you know, and to make sure a hacker is not found out, he/she has to "cripple" the workings of PS (and others) to "not mention" his/her processes in the list.
While it is true 'ps' is one of the usual suspects to be subverted by rootkits, that type of rootkit compromise occurs rarely these days. It makes me wonder what evidence you have that a subverted 'ps' would not return an error?