Checking port logs.
I am pretty new to servers even though I have been running them for almost a year. I mess around with this and that hoping to learn my way around. :-P
I have a Netgear router which I learned I need to port forward anything I'm doing from the outside to get into my server. Problem: I just checked my port forwarding and I saw this:
Name: tsadmin, Start: 14534, End: 14534, IP: 192.168.0.2 (My Server)
I never added that into the Netgear, so I straight went to thinking that I'm hacked. I looked at some logs but I really don't know what I'm looking for. I checked apache2 but I'm thinking that I shouldn't check there because it isn't coming in on port 80. I was wondering how do I check for incoming connections that are coming through port 14534. Just recently I installed an image gallery on my website, if that matters or not. I never really put up any protection. I have pretty hard passwords that aren't guessable, except for my router password, which is a dictionary word, which is bad, but I didn't really think anything would come of it. Thanks for listening. |
Run 'netstat -pantu' as root and it should reveal lots of valuable information, including what, if anything, is listening on that port.
|
$ netstat -pantu
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6025 0.0.0.0:* LISTEN 1020/Xrealvnc
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:4955 127.0.0.1:631 ESTABLISHED 1131/gnome-cups-ic
tcp 0 0 127.0.0.1:631 127.0.0.1:4955 ESTABLISHED -
tcp6 0 0 :::xxxx :::* LISTEN xxxx/Xrealvnc
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 ::ffff:192.168.0.2:80 ::ffff:xxx.xxx.xx.:xxxx ESTABLISHED -
tcp6 0 1464 ::ffff:192.168.0.2:22 ::ffff:xxx.xxx.xx.:xxxx ESTABLISHED -
tcp6 0 0 ::ffff:192.168.0.2:80 ::ffff:xxx.xxx.xx.:xxxx ESTABLISHED -
tcp6 0 0 ::ffff:192.168.0.2:22 ::ffff:192.168.0.:xxxxx ESTABLISHED -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
That is what the printout came out as. So nothing about that 14534 port, but there is a TCP port 4955 which I don't know what it is. |
4955 is only listening locally and is for the gnome cups management.
|
Quote:
# netstat -t | grep 14534
Will reveal only if there are currently established connections on that port.
# netstat -an | more
Will show all listening and established connections.
I would grep through /var/log/messages and see if there are any failed/etc connections to the port in question. Then also grep for occurrences of failed tsadmin connections, etc.
# grep failure /var/log/messages | more
# grep tsadmin /var/log/messages | more
You may also want to do the same for /var/log/secure. Check your server for a user account called tsadmin? Also, run the command "lastlog" and see who has logged in and when. You may also want to look into configuring portsentry and/or log sentry on your server.
/Les |
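As an added example (not code from anyone in this thread): a small POSIX shell script that does the two checks recommended above in a repeatable way, parsing netstat -pantu style output for anything bound to a given port and then pulling failed and accepted logins for a given account out of an auth log. The netstat lines and log lines below are constructed sample data; only port 14534 and the account name tsadmin come from the thread, and the program name "unknownd" is a placeholder.

```shell
#!/bin/sh
# Constructed sample in the layout netstat -pantu prints:
# proto recv-q send-q local-address foreign-address [state] pid/program
SAMPLE_NETSTAT='tcp  0 0 0.0.0.0:22      0.0.0.0:* LISTEN 812/sshd
tcp  0 0 127.0.0.1:631   0.0.0.0:* LISTEN 1140/cupsd
tcp  0 0 0.0.0.0:14534   0.0.0.0:* LISTEN 2311/unknownd
udp  0 0 0.0.0.0:68      0.0.0.0:* -'

# Constructed sample auth log lines (syslog format, as in /var/log/secure).
SAMPLE_AUTHLOG='Mar  3 21:01:02 srv sshd[2210]: Accepted password for alice from 192.168.0.50 port 51022 ssh2
Mar  3 21:03:15 srv sshd[2250]: Failed password for invalid user tsadmin from 203.0.113.7 port 40211 ssh2
Mar  3 21:03:18 srv sshd[2250]: Failed password for invalid user tsadmin from 203.0.113.7 port 40211 ssh2
Mar  3 21:04:00 srv sshd[2301]: Accepted password for tsadmin from 203.0.113.7 port 40300 ssh2'

# listeners_on PORT: print "proto local-address pid/program" for every socket
# whose local port is PORT; exit 1 when nothing is bound there. Strips the
# address part before the last ':' so it works for IPv4 and IPv6 entries.
listeners_on() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v p="$1" '
        { addr = $4; sub(/.*:/, "", addr)
          if (addr == p) { found = 1; print $1, $4, $NF } }
        END { exit(found ? 0 : 1) }'
}

# live_listeners_on PORT: the same check against the running system. Needs
# root for the pid/program column, exactly as the reply above says.
live_listeners_on() {
    netstat -pantu 2>/dev/null | awk -v p="$1" '
        { addr = $4; sub(/.*:/, "", addr); if (addr == p) print $1, $4, $NF }'
}

# count_failed_for USER: number of failed password attempts against USER.
count_failed_for() {
    printf '%s\n' "$SAMPLE_AUTHLOG" | grep -c "Failed password for.* $1 from"
}

# accepted_sources_for USER: source addresses of successful logins as USER,
# which is what you actually need to act on if the account should not exist.
accepted_sources_for() {
    printf '%s\n' "$SAMPLE_AUTHLOG" | awk -v u="$1" '
        /Accepted/ { for (i = 1; i <= NF; i++)
                         if ($i == "for" && $(i+1) == u) print $(i+3) }'
}
```

Point the two live functions at /var/log/secure or /var/log/auth.log instead of the sample string to run this on a real box; a listener on a port you never forwarded plus an accepted login for an account you never created is the combination worth escalating.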