LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Disconnect An Established Connection (https://www.linuxquestions.org/questions/linux-security-4/disconnect-an-established-connection-358243/)

metallica1973 08-29-2005 04:37 PM

Disconnect An Established Connection
 
I RECENTLY RAN NETSTAT -PANTU AT A FRIEND OF MINE'S PC AT HOME. IT SHOWED AN ESTABLISHED CONNECTION ON A PORT THAT LOOKED SUSPICIOUS. IT TURNS OUT THAT IT WAS A BACKDOOR PROGRAM. IN LINUX, HOW WOULD I MANUALLY DISCONNECT AN ALREADY ESTABLISHED CONNECTION?

Capt_Caveman 08-29-2005 10:16 PM

You could kill the listening process using the PID number you got from the netstat output. If your friend has a backdoor installed on his system, then he'll need to do a lot more than kill the individual connection if he wants his system to be considered even remotely secure. A full wipe and re-installation from trusted media is the only solution for a security breach of that magnitude. Also, if you/he plan on doing any forensic analysis of the system, then killing the connection is going to be an immediate tip-off that the compromise has been detected. You're better off either immediately pulling the network cable or trying to sniff/intercept the connection.

Btw, please don't post in all caps as it is annoying to read.

metallica1973 08-30-2005 12:05 PM

I guess if I keep annoying Captain Caveman then I will never get a response from you ever. I will be more diligent and pay a lot more attention to my grammatical etiquette. Now back to the question. Can you please give me an example of killing the PID (syntax)?

Matir 08-30-2005 12:58 PM

Using this sample line from netstat -pantu on my machine:
Code:

tcp        0      0 131.XX.155.XX:41786    64.233.187.99:80        ESTABLISHED 9650/firefox-bin
At the end where you see 9650/firefox-bin, 9650 is the PID. So you can kill the process from the console with 'kill 9650'.

metallica1973 08-30-2005 04:26 PM

Matir, you are the man, and thanks to Mr. Caveman for his input as well. This is a stupid question, but I am going to throw this out there. My question is as such:

1 - A good set of standard security measures would be iptables rules, snort (IDS), tripwire, syslogger, etc. to keep most wannabe hackers out of your system. Would this be feasible? I would like to create a script that would run every couple of minutes (3 min) and check for established connections to your system using netstat, and I would set up a criterion saying that if you're not this certain IP (allowing only certain IPs from the outside world) it disconnects you by sending the output of the script to kill the PID found with the netstat command. The reason I would use this would be that if all of the other security items failed, then my script would definitely kick them off, and/or I could just modify my script to take any IP that is not valid or allowed from the outside in and add it to my iptables block rule or put it in my hosts.deny.

give me some feedback thanks.

Matir 08-30-2005 09:33 PM

Why don't you just use a firewall to only allow certain connections? :)

metallica1973 08-31-2005 04:49 PM

If all else failed (firewall, IDS, etc.) I could use netstat to see the established connection. Basically it works like such:

Every 3 min my script checks for established connections; if there is a connection that is established while I am on the system, then boom, it disconnects that intruder and adds them to my block rule in IPTABLES. Like you were saying, under IPTABLES I would only allow a certain IP address (from work) to my system at home. My system should only have one connection coming from the outside in, and that is just me at work looking at my system. If I am at home and my script sees another established connection other than the one I specify, it would flag it and add the rogue IP to the IPTABLES block rule, and this would be an extra added step of security. Thanks.
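The checker described in this post, using the same PID parsing Matir explained above (the last column of `netstat -pantu` is `PID/program`), as an added example that is not code from the thread or from any poster. It runs over a constructed netstat sample embedded inline; the "work" address 203.0.113.10, the local IP 192.0.2.5, the watched port 22 and the function names are assumptions chosen for the example. It defaults to a dry run that only prints the `kill` and `iptables` commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread). Parses netstat -pantu style output,
# reports ESTABLISHED TCP connections to WATCH_PORT whose remote IP is not in
# ALLOWED_IPS, and shows the response a script like the one described in the
# thread would take. DRY_RUN=1 means nothing is killed and no rule is added.

ALLOWED_IPS="203.0.113.10"   # constructed "work" address (assumption)
WATCH_PORT=22                # the port Matir's iptables rules protect
DRY_RUN=1

# Constructed sample in the same column layout as the netstat line in the
# thread (Proto Recv-Q Send-Q Local Foreign State PID/Program).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.5:22            203.0.113.10:51522      ESTABLISHED 4410/sshd: alice
tcp        0      0 192.0.2.5:22            198.51.100.77:40211     ESTABLISHED 4417/sshd: [accepted]
tcp        0      0 192.0.2.5:41786         64.233.187.99:80        ESTABLISHED 9650/firefox-bin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           600/dhclient'

# is_allowed IP  ->  exit status 0 when IP is in ALLOWED_IPS
is_allowed() {
    for ip in $ALLOWED_IPS; do
        [ "$1" = "$ip" ] && return 0
    done
    return 1
}

# rogue_connections < netstat-output
# Prints "REMOTE_IP LOCAL_PORT PID" for every ESTABLISHED tcp/tcp6 connection
# to WATCH_PORT whose remote IP is not allowed. Only the watched local port is
# examined, so outbound client traffic (the firefox line) is left alone.
# The port is split off at the last ':' so IPv6 addresses stay intact.
rogue_connections() {
    awk -v allowed="$ALLOWED_IPS" -v port="$WATCH_PORT" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
        match($4, /:[^:]*$/); lport = substr($4, RSTART + 1)
        match($5, /:[^:]*$/); rip   = substr($5, 1, RSTART - 1)
        split($7, p, "/")                      # "4417/sshd:" -> p[1] = PID
        if (lport == port && !(rip in ok)) print rip, lport, p[1]
    }'
}

# respond < netstat-output
# For each rogue connection: kill the owning process and block the source.
respond() {
    rogue_connections | while read -r rip lport pid; do
        echo "rogue connection from $rip to port $lport (pid $pid)"
        if [ "$DRY_RUN" = 1 ]; then
            echo "  would run: kill $pid"
            echo "  would run: iptables -I INPUT -s $rip -j DROP"
        else
            kill "$pid"
            iptables -I INPUT -s "$rip" -j DROP
        fi
    done
}

# Demonstration on the constructed sample. From a 3-minute cron job this
# would instead be:  netstat -pantu | respond
printf '%s\n' "$SAMPLE" | respond
```

On the sample this flags only the 198.51.100.77 session on port 22 (PID 4417); the work address is allowed and the firefox line is an outbound connection on another port. Two points from the replies above still apply to any such script: Matir's two iptables rules already refuse those connections before they are ever established, and Capt_Caveman's warning that killing a connection tips off an intruder is the reason the default here is a dry run that leaves the session, and the evidence, in place.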

Matir 08-31-2005 05:00 PM

And a simple:
Code:

iptables -A INPUT -j ACCEPT -p tcp --dport 22 -s IP.AT.WO.RK
iptables -A INPUT -j DROP -p tcp --dport 22

Would not achieve the same?

metallica1973 08-31-2005 05:53 PM

Matir,

You are the man. True, but what happens if a cracker gets past the firewall?

Matir 08-31-2005 07:50 PM

In this case... if he (somehow) gets around the firewall, the only way would require a source IP being one of the ones allowed by the firewall... and thus the connection would show as coming from there.

metallica1973 08-31-2005 08:13 PM

Matir,

Many thanks to all of your responses. I have much respect!

Matir 08-31-2005 09:15 PM

No problem. Just trying to help where I can. :)
