LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-30-2004, 12:44 AM   #1
techrolla
Member
 
Registered: Nov 2003
Distribution: Gentoo, Debian
Posts: 188

Rep: Reputation: 30
netstat - Am I being attacked?


I recently ran netstat, and noticed a large amount of established connections to my computer. Please take in mind, that I am running a webserver, so some of that I can expect, but some of them are a little odd...One of the ip addresses links to some servotron host site...http://63.226.156.33/ and the message is a little unsettling. My question is, am I under some danger? Or is this just a common network situation? I was a little curious because the connections made were from odd port numbers, i.e. 3000's 5000's (not exactly in that precision (5326 for example)) and I was wondering why this would be. Any ideas? Thanks alot.
 
Old 07-30-2004, 01:59 AM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
Well when you connect to a Web server, you send a connection out from your computer too port 80 on the remote machine. The connection originates from some random high-numbered port on your machine. So it's not unusual to see connection FROM random, high number ports. If they're coming in TO random ports then it's significantly more worrisome. In any case, it's always a good idea to do some investigation of what's going on. You may be being DOSed if there is a very large number of connections. But in any case, check the usual suspects, i.e. look for strange log entries, run chkrootkit and rkhunter, etc. This isn't a foolproof method of detecting an intrusion but it will maybe give you some things to look at.
 
Old 07-30-2004, 09:38 AM   #3
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
in your netstat can you map ip request to 80 and it's response on random port? That way you differentiate between legitimate traffic versus some other scenario.
 
Old 07-30-2004, 02:34 PM   #4
techrolla
Member
 
Registered: Nov 2003
Distribution: Gentoo, Debian
Posts: 188

Original Poster
Rep: Reputation: 30
Thanks for the replies...Is something like this of worry?
Code:
tcp        0      1 192.168.2.18:4429       1.2.3.4:4400            SYN_SENT
There are a lot less connections now then last night...thanks.
 
Old 08-02-2007, 06:58 AM   #5
kinetik
Member
 
Registered: Dec 2005
Location: The most beautiful city in the world.
Distribution: Mostly RedHat. Also Suse, Ubuntu, PHLAK etc.
Posts: 149

Rep: Reputation: 15
This might be old, but found this from here:

Quote:
This is the default admin port from fortech proxy+ http://www.proxyplus.cz/doc/en/proxyguide.htm
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Virus Attacked! matchgirl Linux - Security 7 03-06-2006 07:39 AM
I think I've been attacked! smacky Linux - Security 7 10-21-2003 02:39 AM
Have I been attacked? tangle Linux - Security 6 08-03-2003 08:33 PM
Help. Attacked by a Python jarin scott Programming 4 06-22-2003 11:07 AM
Being Attacked? andy18 Linux - Security 1 05-11-2003 11:09 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration