Hello there and welcome to LQ.
When I called netstat -ptav, it showed an active Internet connection to an IRC server (I think), which is oslo1.no.eu.undern:ircd.
oslo1.no.eu.undernet.org is an IRC server, that is correct.
It seems that perhaps I got attacked, but I am not really sure.
Well, let's make sure then. What you need to do is the following:
1. make sure the box is (back) under your control,
2. check for signs of abuse,
3. verify the integrity of the box,
4. take appropriate steps to make sure this doesn't happen again.
1. make sure the box is (back) under your control
Be able to control your box before you continue. Here's a script to help you:
echo Network info |tee -a ./log; \netstat -aelnp 2>&1 |tee -a ./log
echo Process info |tee -a ./log; \ps auxwwwe 2>&1 |tee -a ./log
echo Opened files |tee -a ./log; \lsof -n 2>&1 |tee -a ./log
echo User info |tee -a ./log; \who -a 2>&1 |tee -a ./log
echo User info |tee -a ./log; \w -l 2>&1 |tee -a ./log
telinit 1 2>&1 |tee -a ./log
If all is well you're in runlevel 1. If not, power down.
If you are, back up the logfile to log.1 and run it again, then power down.
If you run a router in front, make sure it logs traffic.
2. check for signs of abuse
Boot a LiveCD (or into runlevel 1 if you have none), remount the disks read-only and check out these files/logs:
- the previously saved ./log and ./log.1,
- /etc/passwd /etc/shadow /etc/gshadow and look for accounts that were added,
- issue "last -50", "lastb", "faillog -a" and check for failed logins,
- look for setuid binaries in unusual places or with unusual names: find / \( -perm -04000 -o -perm -02000 \) -ls (the parentheses are needed: without them -ls only applies to the setgid branch and setuid files are not listed at all)
- system logs (check out /etc/syslog.conf for locations and also include any ksymoops dir if you have one) and application logs for any anomalous activity.
3. verify the integrity of the box.
- If you previously installed, configured and ran a filesystem integrity checker like Aide, Samhain or even tripwire, now would be a good time to check. If you didn't, you don't need to install one now: too late.
- Any distribution that uses the rpm package manager can easily verify package contents (rpm -V). If you don't use rpm, find out what your distro's package manager can do for you wrt verification. The scope for package managers is narrow: they can only check what's installed.
- Check your system with Chkrootkit and Rootkit Hunter. If you didn't install those and you have no other box to download and compile it on use the LiveCD (not recommended): or set up your firewall to deny inbound traffic before you go to runlevel 3.
Post back any info. If you want to include logs (scrub your IP first!) and they're large, compress them and offer a (temporary) D/L location. If you can't manage that, you are allowed to attach it and send it to me by email; if the size is over two megs, I'd appreciate an early warning before DoSsing my mailbox :-]
* It would be helpful if you will fill in your OS/distribution/release info in your profile or give that information up front.
* Also, using the "-n" flag with netstat will make it *not* resolve IP addresses, which makes netstat faster, giving you output which can come in handy when you've got a slow resolver or a huge list of connections to work with.
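As an added example (not code from the post above or from LQ), here is a small POSIX sh helper set for step 2, meant to be run from a LiveCD against the suspect disk mounted read-only. The mount point and the two passwd files are parameters; the passwd contents and the setuid files in make_fixture are constructed sample data, not taken from any real box. The `command` prefix plays the same role as the backslash in the original script: it bypasses shell aliases and functions that a tampered profile might have planted.

```shell
#!/bin/sh
# Added example: helpers for "check for signs of abuse". All paths are
# parameters; the fixture below is constructed data for a dry run.

# Append one command's output to the evidence log under a heading.
# `command` skips alias/function lookup so a planted alias cannot hijack
# the tool being run.
log_section() {
    title=$1; logfile=$2; shift 2
    printf '=== %s ===\n' "$title" >>"$logfile"
    command "$@" >>"$logfile" 2>&1
    printf '\n' >>"$logfile"
}

# Usernames present in the suspect passwd but absent from a trusted
# baseline copy (a backup, or a clean install of the same release).
added_accounts() {
    awk -F: 'NR==FNR { seen[$1]=1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Accounts other than root that carry UID 0 in the given passwd file.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Setuid/setgid regular files below a mounted root. The parentheses group
# the two -perm tests so the action applies to both branches.
setuid_files() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
}

# Build a constructed fixture (baseline passwd, suspect passwd, fake root
# tree) in a temp dir and print its path. Assumed sample values only.
make_fixture() {
    work=$(mktemp -d)
    cat >"$work/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/sh
EOF
    cat >"$work/passwd.suspect" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/sh
toor:x:0:0:backup:/:/bin/sh
ircd:x:1001:1001::/tmp/.x:/bin/sh
EOF
    mkdir -p "$work/root/usr/bin" "$work/root/tmp/.x"
    : >"$work/root/usr/bin/passwd"; chmod 4755 "$work/root/usr/bin/passwd"  # expected setuid
    : >"$work/root/usr/bin/ls";     chmod 0755 "$work/root/usr/bin/ls"      # normal binary
    : >"$work/root/tmp/.x/sh";      chmod 4755 "$work/root/tmp/.x/sh"       # setuid in an odd place
    printf '%s\n' "$work"
}

# Dry run on the fixture: writes a report to $work/log and prints it.
main() {
    work=$(make_fixture)
    log_section "Suspect passwd"  "$work/log" cat "$work/passwd.suspect"
    {
        printf '=== Added accounts ===\n'
        added_accounts "$work/passwd.baseline" "$work/passwd.suspect"
        printf '\n=== Extra UID 0 accounts ===\n'
        extra_uid0 "$work/passwd.suspect"
        printf '\n=== setuid/setgid files ===\n'
        setuid_files "$work/root"
    } >>"$work/log"
    cat "$work/log"
    rm -rf "$work"
}

main
```

On a real case, replace the fixture paths with the LiveCD mount point (e.g. /mnt/suspect/etc/passwd) and a passwd file you trust, and keep the log on removable media rather than on the suspect disk.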