LinuxQuestions.org - Linux - Security - Checking port logs.
(https://www.linuxquestions.org/questions/linux-security-4/checking-port-logs-361405/)

JerryMcFarts 09-08-2005 08:56 AM

Checking port logs.
 
I am pretty new to servers even though I have been running them for almost a year. I mess around with this and that hoping to learn my way around. :-P

I have a Netgear router, which I learned I need to port forward anything I'm doing from the outside to get into my server.

Problem: I just checked my port forwarding and I saw this:

Name:    Start: End:   IP: (My Server)
tsadmin  14534  14534  192.168.0.2

I never added that into the Netgear, so I straight went to thinking that I'm hacked. I looked at some logs but I really don't know what I'm looking for. I checked apache2 but I'm thinking that I shouldn't check there because it isn't coming in on port 80.

I was wondering how do I check for incoming connections that are coming through port 14534.

Just recently I installed an image gallery on my website, if that matters or not. I never really put up any protection. I have pretty hard passwords that aren't guessable... except for my router password, which is a dictionary word, which is bad, but I didn't really think anything would come of it.

Thanks for listening.

Matir 09-08-2005 09:26 AM

Run 'netstat -pantu' as root and it should reveal lots of valuable information, including what, if anything, is listening on that port.

JerryMcFarts 09-08-2005 09:36 AM

$ netstat -pantu
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6025            0.0.0.0:*               LISTEN      1020/Xrealvnc
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4955          127.0.0.1:631           ESTABLISHED 1131/gnome-cups-ic
tcp        0      0 127.0.0.1:631           127.0.0.1:4955          ESTABLISHED -
tcp6       0      0 :::xxxx                 :::*                    LISTEN      xxxx/Xrealvnc
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 ::ffff:192.168.0.2:80   ::ffff:xxx.xxx.xx.:xxxx ESTABLISHED -
tcp6       0   1464 ::ffff:192.168.0.2:22   ::ffff:xxx.xxx.xx.:xxxx ESTABLISHED -
tcp6       0      0 ::ffff:192.168.0.2:80   ::ffff:xxx.xxx.xx.:xxxx ESTABLISHED -
tcp6       0      0 ::ffff:192.168.0.2:22   ::ffff:192.168.0.:xxxxx ESTABLISHED -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -

That is what the printout came to. So nothing about that 14534 port, but there is a TCP port 4955 which I don't know what it is.

Matir 09-08-2005 09:40 AM

4955 is only listening locally and is for the gnome cups management.

linuxles 09-08-2005 06:34 PM

Quote:

Just recently I installed an image gallery on my website, if that matters or not. I never really put up any protection. I have pretty hard passwords that aren't guessable... except for my router password, which is a dictionary word, which is bad, but I didn't really think anything would come of it.

By default the firewall/router is only configurable from the LAN side. It would only be configurable from the WAN side if you specifically made that change in the router configuration. So unless you changed the router configuration, even if someone knew the dictionary password to your router and tried to make a change from the outside, it wouldn't allow them to connect and make changes by default... That change would have to have been made by some other method.


# netstat -t | grep 14534

Will reveal only if there are currently established connections on that port.

# netstat -an | more

Will show all listening and established connections.


I would grep through /var/log/messages and see if there are any failed/etc. connections to the port in question. Then also grep for occurrences of failed tsadmin connections, etc.

# grep failure /var/log/messages | more
# grep tsadmin /var/log/messages | more

You may also want to do the same for /var/log/secure.

Check your server for a user account called tsadmin. Also, run the command "lastlog" and see who has logged in and when.

You may also want to look into configuring portsentry and/or logsentry on your server.

/Les
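An added example, not from the thread or any poster: a small POSIX shell script that applies the checks Les describes (sockets on the suspect port, who the peer is, and grep counts for tsadmin and failures in the syslog) to constructed sample data, so it runs offline. The netstat listing and log lines are made up for the demonstration; replace the two sample variables with real `netstat -an` output and /var/log/messages to use it on a live box.

```shell
#!/bin/sh
# Constructed sample of "netstat -an" output (not from a real host).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:14534           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:14534       203.0.113.7:51522       ESTABLISHED
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN'

# Constructed syslog-style lines standing in for /var/log/messages.
MESSAGES_SAMPLE='Sep  8 03:12:01 srv sshd[2211]: Accepted password for jerry from 192.168.0.5 port 40111 ssh2
Sep  8 03:15:44 srv login[2290]: FAILED LOGIN 1 FROM 203.0.113.7 FOR tsadmin, Authentication failure
Sep  8 03:16:02 srv sshd[2301]: Accepted password for tsadmin from 203.0.113.7 port 51519 ssh2'

# port_sockets PORT: print "proto local foreign state" for every socket whose
# local port matches PORT. The port is the text after the last ":" of field 4,
# which also works for IPv6 forms such as ":::22" and "::ffff:192.168.0.2:80".
port_sockets() {
  printf '%s\n' "$NETSTAT_SAMPLE" | awk -v p="$1" '
    $1 ~ /^(tcp|udp)/ {
      n = split($4, a, ":")
      if (a[n] == p) print $1, $4, $5, $6
    }'
}

# Counts of listening / established sockets on the port (state is column 4 above).
port_listener_count()    { port_sockets "$1" | awk '$4 == "LISTEN"'      | wc -l | tr -d ' '; }
port_established_count() { port_sockets "$1" | awk '$4 == "ESTABLISHED"' | wc -l | tr -d ' '; }

# peer_addrs PORT: distinct remote addresses currently connected to the port.
peer_addrs() {
  port_sockets "$1" | awk '$4 == "ESTABLISHED" { n = split($3, b, ":"); print b[1] }' | sort -u
}

# log_hits PATTERN: case-insensitive count of log lines matching PATTERN,
# the same thing "grep -ic tsadmin /var/log/messages" would report.
log_hits() { printf '%s\n' "$MESSAGES_SAMPLE" | grep -ic -- "$1"; }

# triage_port PORT: one-screen summary of the checks above.
triage_port() {
  echo "port $1: $(port_listener_count "$1") listening, $(port_established_count "$1") established"
  echo "peers: $(peer_addrs "$1" | tr '\n' ' ')"
  echo "log lines mentioning tsadmin: $(log_hits tsadmin), failures: $(log_hits failure)"
}

triage_port 14534
```

Run on the sample this reports one listener and one established connection from 203.0.113.7, with two log lines naming tsadmin; the same shape of output from a real host is what tells you whether the forwarded port is actually being served and used.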
