Server under watch?
Hi,
I have recently deployed a test mail server on a public network. I was just checking the open ports on this server, when I just happened to give the command below. Following is a part of the netstat command output where I am getting doubt. FYI, I have replaced my actual domain name with "mail.mydomain.com".

netstat -a

udp 0 0 mail.mydomain.com.c:32772 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 mail.mydomain:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 mail.mydom:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:33435 *:*
udp 0 0 mail.mydomain.com.c:34853 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 mail.mydomain.com.c:34854 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 mail.mydomain.com.:domain *:*
udp 0 0 localhost:domain *:*
udp 0 0 mail.mydomain.com.c:34663 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 *:sunrpc *:*

1. I would like to know what this refers to:

samantha.wu-wien.a:6277

Is this normal behaviour? Or does that mean that someone is remotely using or connected to my mail server? Or is this a symptom of hacking?

I'd appreciate it if I get a quick response to my query.

Thanx & Regards,
Amit
Are you using IRC?
What does this give?

lsof -i tcp -i udp
Nope, nx5000... I'm not using IRC. In fact it turned out to be somethin' else. I checked up all the running services thoroughly and finally realised that my mail server is actually a DCC Client and that samantha.wu-wien.a:6277 is a connection to a remote DCC server on port 6277.

Just to confirm this, I stopped the DCC service on my server and what a relief, the above entry disappeared!! So, I don't think there is any reason for panic. As I have configured my test server as a DCC client, it is actually connecting to a DCC server that it finds available.

nx5000, the command suggested by you provided a detailed and clear output and again confirms the same as follows:

dccifd 4366 qscand 10u IPv4 8185 UDP mail.mydomain.com:32903->samantha.wu-wien.ac.at:6277

Thanx a lot.
Cheers
Amit
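The check that settled this thread (tie each connected socket to the process that owns it, then compare against what the host is supposed to run) can be scripted over lsof output. This is an added example, not part of the original posts; the allowlist, the function names and the `exampled` sample line are assumptions, and only the dccifd line comes from the thread.

```python
# Constructed sample in the layout of `lsof -i udp` output. The dccifd line is
# the one quoted in the thread; the other lines are invented for illustration.
SAMPLE = """\
COMMAND  PID  USER   FD  TYPE DEVICE SIZE NODE NAME
dccifd   4366 qscand 10u IPv4 8185        UDP  mail.mydomain.com:32903->samantha.wu-wien.ac.at:6277
named    2101 named  20u IPv4 5120        UDP  mail.mydomain.com:domain
exampled 5012 nobody 7u  IPv4 9001        UDP  mail.mydomain.com:40000->host.example.net:40001
"""

# Assumed allowlist of (command, protocol, remote port) this host should use.
# 6277/udp is the DCC server port seen in the thread.
EXPECTED = {("dccifd", "udp", "6277")}


def parse_lsof(text):
    """Yield one dict per socket that has a remote peer (NAME is local->remote)."""
    for line in text.splitlines():
        f = line.split()
        # The SIZE/OFF column may be blank, so locate the NODE column by value.
        proto = next((p for p in ("TCP", "UDP") if p in f[3:]), None)
        if proto is None:
            continue  # header or non-socket line
        idx = f.index(proto, 3)
        if idx + 1 >= len(f) or "->" not in f[idx + 1]:
            continue  # listening or unconnected socket, no peer to review
        _local, remote = f[idx + 1].split("->", 1)
        host, _, port = remote.rpartition(":")
        yield {"command": f[0], "pid": int(f[1]), "user": f[2],
               "proto": proto.lower(), "remote_host": host, "remote_port": port}


def unexpected_peers(text, allow):
    """Return connected sockets whose (command, proto, remote port) is not allowed."""
    return [s for s in parse_lsof(text)
            if (s["command"], s["proto"], s["remote_port"]) not in allow]


if __name__ == "__main__":
    for s in unexpected_peers(SAMPLE, EXPECTED):
        print("review: {command} pid={pid} user={user} -> "
              "{remote_host}:{remote_port}/{proto}".format(**s))
```

Running lsof with `-n -P` keeps hosts and ports numeric, so the allowlist comparison does not depend on name resolution or /etc/services.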