LinuxQuestions.org

coolamit78 11-17-2005 11:41 AM

Server under watch ?
 
Hi,

I have recently deployed a test mail server on a public network. I was just checking the open ports on this server, when I just happened to give the command -

Following is a part of the netstat command output about which I have doubts. FYI, I have replaced my actual domain name with "mail.mydomain.com".

netstat -a

udp 0 0 mail.mydomain.com.c:32772 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 mail.mydomain:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 mail.mydom:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:33435 *:*
udp 0 0 mail.mydomain.com.c:34853 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 mail.mydomain.com.c:34854 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 mail.mydomain.com.:domain *:*
udp 0 0 localhost:domain *:*
udp 0 0 mail.mydomain.com.c:34663 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 *:sunrpc *:*


1. I would like to know what this refers to:

samantha.wu-wien.a:6277

Is this normal behaviour? Or does that mean that someone is remotely using or connected to my mail server?

Or is this a symptom of hacking?

I'd appreciate a quick response to my query.

Thanx & Regards,

Amit

nx5000 11-17-2005 01:07 PM

Are you using IRC?

What does the following give?
lsof -i tcp -i udp

coolamit78 11-17-2005 01:59 PM

Nope, nx5000... I'm not using IRC. In fact it turned out to be somethin' else. I checked up all the running services thoroughly and finally realised that my mail server is actually a DCC client and that

samantha.wu-wien.a:6277

is a connection to a remote DCC server on port 6277.

Just to confirm this, I stopped the DCC service on my server and, what a relief, the above entry disappeared! So I don't think there is any reason for panic. As I have configured my test server as a DCC client, it is actually connecting to a DCC server that it finds available.

nx5000, the command suggested by you provided a detailed and clear output and again confirms the same, as follows:

dccifd 4366 qscand 10u IPv4 8185 UDP mail.mydomain.com:32903->samantha.wu-wien.ac.at:6277

Thanx a lot.

Cheers

Amit
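
The check worked through in this thread, as an added example that is not part of any post: it parses `lsof -i` output, maps each connected socket to its owning process, and flags peers that are not on an allowlist. The dccifd line is the one quoted above; the other sample lines, host.example.net and the EXPECTED allowlist are constructed assumptions.

```python
import re

# Sample `lsof -i tcp -i udp` output. Only the dccifd line comes from the
# thread; the header and the other three lines are constructed for illustration.
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dccifd 4366 qscand 10u IPv4 8185 UDP mail.mydomain.com:32903->samantha.wu-wien.ac.at:6277
named 2101 named 20u IPv4 5120 UDP localhost:domain
master 2950 root 11u IPv4 6001 TCP *:smtp (LISTEN)
perl 5123 nobody 3u IPv4 9300 TCP mail.mydomain.com:40112->host.example.net:6667 (ESTABLISHED)
"""

# Assumed allowlist of (command, protocol, remote port) this host is meant
# to originate. Here: the DCC client talking to a DCC server on 6277/udp.
EXPECTED = {("dccifd", "UDP", "6277")}


def parse_lsof(text):
    """Return one dict per connected socket (NAME looks like local->remote)."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "COMMAND":
            continue  # header or malformed line
        # TCP lines end with a "(STATE)" token; drop it so NAME is last.
        if re.fullmatch(r"\(\w+\)", fields[-1]):
            fields.pop()
        name, proto = fields[-1], fields[-2]
        if "->" not in name:
            continue  # listening or unconnected socket, no remote peer
        _local, remote = name.split("->", 1)
        host, _, port = remote.rpartition(":")
        conns.append({"command": fields[0], "pid": int(fields[1]),
                      "user": fields[2], "proto": proto,
                      "remote_host": host, "remote_port": port})
    return conns


def unexpected(conns, expected=EXPECTED):
    """Connections whose (command, proto, remote port) is not allowlisted."""
    return [c for c in conns
            if (c["command"], c["proto"], c["remote_port"]) not in expected]


if __name__ == "__main__":
    for c in parse_lsof(SAMPLE):
        tag = "REVIEW" if unexpected([c]) else "ok"
        print(f'{tag:6} {c["command"]}[{c["pid"]}] user={c["user"]} '
              f'{c["proto"]} -> {c["remote_host"]}:{c["remote_port"]}')
```

Feed it live data by replacing SAMPLE with the captured output of the lsof command from the thread; running lsof as root is needed to see sockets owned by other users.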


All times are GMT -5.