LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-18-2011, 01:13 PM   #1
michaelux
LQ Newbie
 
Registered: Mar 2007
Posts: 17

Rep: Reputation: 0
Weird connection in my centos to outside..got hacked?


Hi guys, checking my CentOS box I ran netstat -utpa|grep ESTA and found these weird connections to an IP outside my company on port 8080, and another on port 443.

Those sites are weird; if you go to isamedia it opens an Apache web page.

We have a firewall and no SSH connections are allowed.

We host some virtual servers for use of the company.

When I look for the process it is http and perl.

I ran chkrootkit and it didn't detect anything.

If I try to connect to http://that_ip:8080 I get a message like:

Code:
:irc.asl.net NOTICE AUTH :*** Looking up your hostname...
:irc.asl.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

Code:
tcp        0      0 192.16.1.1:56989            nsXX.ovh.XX:webcache        ESTABLISHED 3105/httpd
tcp        0      0 192.16.1.1:51312            nsXX.ovh.XX:webcache        ESTABLISHED 22713/httpd
tcp      174      0 192.16.1.1:51233            nsXX.ovh.XX:webcache        ESTABLISHED 13141/httpd
and this other to https:

Code:
tcp      213      0 192.168.16.1.1:38611        X.isamedia.XXX:https        ESTABLISHED 18164/httpd
 
Old 05-18-2011, 02:17 PM   #2
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
Blog Entries: 23

Have you run a tcpdump on those?

Try "ps /" - if you get an error message, chances are good that you're not hacked. PS lists the processes, as you know, and to make sure a hacker is not found out, he/she has to "cripple" the workings of PS (and others) to "not mention" his/her processes in the list. Also, check the passwd file, are any users on root status? If not, the hacker (if present) does not have his/her own account. I'd change the password, while you're in there, too...

Luck!

Thor
 
Old 05-19-2011, 04:09 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by michaelux View Post
checking my centos I ran netstat -utpa|grep ESTA and I found this weird connections to an IP outside my company to the port 8080 and other to a 443 port.. (..) When I look for the proccess it is http and perl..

Code:
tcp   0   0 192.16.1.1:56989     nsXX.ovh.XX:webcache   ESTABLISHED 3105/httpd
tcp   174 0 192.16.1.1:51233     nsXX.ovh.XX:webcache   ESTABLISHED 13141/httpd
tcp   213 0 192.168.16.1.1:38611 X.isamedia.XXX:https   ESTABLISHED 18164/httpd
tcp   0   0 192.16.1.1:51312     nsXX.ovh.XX:webcache   ESTABLISHED 22713/httpd
The most common breach of security (or should we rather call it "malware"?) these days is one of the web stack: intruders piggybacking IRC bot, SSH-scanning or spam-sending processes (that do not necessarily need root rights) on top of your web server, having previously gained access by exploiting a vulnerability in a web-based management panel, web log, shopping cart, statistics, forum or other (outdated) software you run. The quickest way to find out more is to run tools properly, like
Code:
( /bin/ps axfwwwe 2>&1
  /usr/sbin/lsof -Pwln 2>&1
  /bin/ls -al /var/spool/cron 2>&1
  /bin/netstat -anpe 2>&1
  /usr/bin/lastlog 2>&1
  /usr/bin/last 2>&1
  /usr/bin/who -a 2>&1
  /bin/rpm -Vva 2>&1 | /bin/grep -v "\.\{8\}" 2>&1
) > /path/to/log.txt
(obviously changing "/path/to/" to an appropriate location).
* Should you for reasons unknown not trust 'ps' then at least run something like
Code:
procdetails() {
    # an alias set inside a function does not apply to that function's own body, so use a helper that calls /bin/ls by path
    _ls() { /bin/ls -n --time-style=long-iso --quoting-style=c "$@"; }
    /bin/cat -A "/proc/$1/cmdline"; echo      # arguments are NUL-separated, shown as ^@
    _ls "/proc/$1/fd" 2>&1                    # open files and sockets
    _ls -H "/proc/$1/cwd" 2>&1                # contents of the working directory
    /bin/cat /etc/passwd /etc/group
}
once per PID for each of your connecting PIDs (for example, run 'procdetails 22713').
You now have gathered enough information to post back (please use BB code tags) and kill those PIDs. Just be aware they could be restarted if the intruder can influence any users crontab or has brought over its own tools.
* While you wait for replies please consider performing the steps from the Intruder Detection Checklist and check out any user's shell history and directories, and the directories the web server user can write to (including directories holding temporary files), in your search for clues.

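Two points in this thread can be made concrete with code: the banner michaelux saw when browsing to port 8080 in post #1, and the question behind unSpawn's netstat/procdetails triage above, namely which of those ESTABLISHED connections the web server opened itself rather than accepted. The shell helpers below are added by the editor and are not code from either poster. The netstat sample is constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the masked hosts), the column layout assumed is that of netstat -anpe / -utpan, and the function names and the GET probe in grab_banner are the editor's choices.

```shell
#!/bin/sh
# Editor's added triage helpers; not code from the thread.
# Assumes netstat tcp lines laid out as:
#   Proto Recv-Q Send-Q Local Foreign State [User Inode] PID/Program

# flag_connections: read netstat output on stdin, collect the ports this host
# LISTENs on, then print every ESTABLISHED connection whose local port is not
# one of them. Such a connection was opened by the local process, not by a
# remote client. A web server answers connections; it should not originate any.
flag_connections() {
    awk '
    function port(addr,   a, n) { n = split(addr, a, ":"); return a[n] }
    { line[NR] = $0 }                      # buffer the snapshot; two passes needed
    END {
        for (i = 1; i <= NR; i++) {
            $0 = line[i]
            if ($1 ~ /^tcp/ && $6 == "LISTEN") listening[port($4)] = 1
        }
        for (i = 1; i <= NR; i++) {
            $0 = line[i]
            if ($1 !~ /^tcp/ || $6 != "ESTABLISHED") continue
            p = port($4)
            if (p in listening) continue   # inbound client on a served port: expected
            printf "outbound %s -> %s %s\n", $4, $5, $NF
        }
    }'
}

# classify_banner: what kind of daemon wrote this greeting? An IRC server talks
# first (NOTICE AUTH / NOTICE *) before it has read a single byte from you; a
# real web cache on 8080 would answer a request with an HTTP status line.
classify_banner() {
    case "$1" in
        *"NOTICE AUTH :"*|*"NOTICE * :"*|*"ERROR :Closing Link"*) echo irc ;;
        HTTP/*) echo http ;;
        SSH-*)  echo ssh ;;
        *)      echo unknown ;;
    esac
}

# grab_banner HOST PORT: connect, send a minimal HTTP request, print the first
# 512 bytes of whatever comes back. Needs bash's /dev/tcp and coreutils
# timeout. Not exercised offline; see the caveat below before using it.
grab_banner() {
    timeout 5 bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        printf "GET / HTTP/1.0\r\nHost: %s\r\n\r\n" "$1" >&3
        head -c 512 <&3' _ "$1" "$2"
}

# Constructed netstat -anpe snapshot modelled on the poster's output.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address      State       User  Inode  PID/Program name
tcp        0      0 0.0.0.0:80         0.0.0.0:*            LISTEN      0     12345  2901/httpd
tcp        0      0 0.0.0.0:443        0.0.0.0:*            LISTEN      0     12346  2901/httpd
tcp        0      0 0.0.0.0:22         0.0.0.0:*            LISTEN      0     9876   1203/sshd
tcp        0      0 192.16.1.1:80      198.51.100.7:51022   ESTABLISHED 48    55501  3105/httpd
tcp        0      0 192.16.1.1:56989   203.0.113.10:8080    ESTABLISHED 48    55502  3105/httpd
tcp      174      0 192.16.1.1:51233   203.0.113.10:8080    ESTABLISHED 48    55503  13141/httpd
tcp      213      0 192.16.1.1:38611   203.0.113.20:443     ESTABLISHED 48    55504  18164/httpd
tcp        0      0 192.16.1.1:22      10.0.0.5:40122       ESTABLISHED 0     55505  20001/sshd
tcp        0      0 192.16.1.1:45012   203.0.113.20:443     ESTABLISHED 48    55506  22713/perl'

# The greeting the poster saw on port 8080 (quoted from post #1).
SAMPLE_IRC_BANNER=":irc.asl.net NOTICE AUTH :*** Looking up your hostname...
:irc.asl.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead"

# Demo: prints four 'outbound' lines (three httpd PIDs and one perl), then 'irc'.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_connections
echo "port 8080 greeting looks like: $(classify_banner "$SAMPLE_IRC_BANNER")"
```

Feed a real snapshot with `netstat -anpe | flag_connections`; use -n so the box does not do DNS lookups while you work, which both slows you down and leaks activity. The inbound hits on :80 and :22 are dropped because those ports appear in LISTEN lines; the four survivors are the ones a web server has no reason to open, and their PIDs are exactly the ones to run procdetails on. One caveat before using grab_banner from the affected machine: connecting to the remote end from the compromised host tells whoever runs it that you are looking, and may be against your own policy. A capture of the existing traffic with tcpdump, as suggested in post #2, or your firewall's logs give the same answer passively.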
 
Old 05-19-2011, 04:14 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by Thor_2.0 View Post
Try "ps /" - if you get an error message, chances are good that you're not hacked. PS lists the processes, as you know, and to make sure a hacker is not found out, he/she has to "cripple" the workings of PS (and others) to "not mention" his/her processes in the list.
While it is true 'ps' is one of the usual suspects to be subverted by rootkits, that type of rootkit compromise occurs rarely these days. It makes me wonder what evidence you have that a subverted 'ps' would not return an error?
 
Old 05-19-2011, 09:34 AM   #5
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
Blog Entries: 23

Quote:
It makes me wonder what evidence you have that a subverted 'ps' would not return an error?
A security manual (old and basic, but it did show me the inner workings of networks) I had once...

Granted, it's just a small signal...and my reply was done loosely.

Allow me to watch this thread to learn more, thanks.

Thor
 