LinuxQuestions.org
Old 11-17-2005, 11:41 AM   #1
coolamit78
Member
 
Registered: Aug 2003
Location: New Delhi, India
Distribution: RHEL AS 3/4, Windows XP
Posts: 546

Rep: Reputation: 31
Server under watch?


Hi,

I have recently deployed a test mail server on a public network. I was just checking the open ports on this server, when I just happened to give the command -

Following is a part of the netstat command output where I have a doubt. FYI, I have replaced my actual domain name with "mail.mydomain.com".

netstat -a

udp 0 0 mail.mydomain.com.c:32772 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 mail.mydomain:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 mail.mydom:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:33435 *:*
udp 0 0 mail.mydomain.com.c:34853 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 mail.mydomain.com.c:34854 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 mail.mydomain.com.:domain *:*
udp 0 0 localhost:domain *:*
udp 0 0 mail.mydomain.com.c:34663 samantha.wu-wien.a:6277 ESTABLISHED
udp 0 0 *:sunrpc *:*


1. I would like to know what this refers to:

samantha.wu-wien.a:6277

Is this normal behaviour? Or does that mean that someone is remotely using or connected to my mail server?

Or is this a symptom of hacking?

I'd appreciate if I get a quick response to my query.

Thanx & Regards,

Amit
 
Old 11-17-2005, 01:07 PM   #2
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Are you using IRC?

What gives
lsof -i tcp -i udp
 
Old 11-17-2005, 01:59 PM   #3
coolamit78
Member
 
Registered: Aug 2003
Location: New Delhi, India
Distribution: RHEL AS 3/4, Windows XP
Posts: 546

Original Poster
Rep: Reputation: 31
Nope, nx5000...I'm not using IRC. In fact it turned out to be somethin' else. I checked up all the running services thoroughly and finally realised that my mail server is actually a DCC Client and that

samantha.wu-wien.a:6277

is a connection to a remote DCC server on port 6277.

Just to confirm this, I stopped the DCC service on my server and, what a relief, the above entry disappeared!! So, I don't think there is any reason for panic. As I have configured my test server as a DCC client, it is actually connecting to a DCC server that it finds available.

nx5000, the command suggested by you provided a detailed and clear output and again confirms the same, as follows:

dccifd 4366 qscand 10u IPv4 8185 UDP mail.mydomain.com:32903->samantha.wu-wien.ac.at:6277

Thanx a lot.

Cheers

Amit
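
Added example (not part of the original thread): a small Python parser for `lsof -i` rows that answers the question raised above, namely which process owns a socket connected to a given remote port. The sample text is constructed; only the dccifd row is the one quoted in the thread, and the function names are hypothetical.

```python
# Constructed sample shaped like `lsof -n -P -i tcp -i udp` output. Only the
# dccifd row comes from the thread; every other row is made up.
SAMPLE = """\
COMMAND   PID   USER  FD  TYPE DEVICE SIZE NODE NAME
dccifd   4366 qscand 10u  IPv4   8185      UDP mail.mydomain.com:32903->samantha.wu-wien.ac.at:6277
named    2101  named 20u  IPv4   5120      UDP 127.0.0.1:53
sendmail 2290   root  4u  IPv4   5533      TCP *:25 (LISTEN)
sshd     3011   root  3u  IPv4   7001      TCP 192.0.2.5:22->192.0.2.10:51514 (ESTABLISHED)
"""


def parse_line(line):
    """Parse one lsof -i row; return None for the header and non-socket rows."""
    parts = line.split()
    state = None
    if parts and parts[-1].startswith("("):   # TCP rows end with "(STATE)"
        state = parts.pop().strip("()")
    # Index from the right: the SIZE column can be empty, so the number of
    # whitespace-separated fields is not fixed.
    if len(parts) < 8 or not parts[1].isdigit() or parts[-2] not in ("TCP", "UDP"):
        return None
    local, _, remote = parts[-1].partition("->")
    host, _, port = remote.rpartition(":")    # rpartition keeps IPv6 hosts whole
    return {"command": parts[0], "pid": int(parts[1]), "user": parts[2],
            "proto": parts[-2], "local": local, "state": state,
            "remote_host": host or None, "remote_port": port or None}


def owners_of_remote_port(lsof_text, port):
    """Return (command, pid, user, proto, remote_host) for each socket
    connected to the given remote port. Matching on the port sidesteps the
    hostname truncation visible in the netstat output."""
    hits = []
    for line in lsof_text.splitlines():
        row = parse_line(line)
        if row and row["remote_port"] == str(port):
            hits.append((row["command"], row["pid"], row["user"],
                         row["proto"], row["remote_host"]))
    return hits


if __name__ == "__main__":
    for hit in owners_of_remote_port(SAMPLE, 6277):
        print(hit)
```

On a live host, feed it the output of `lsof -n -P -i tcp -i udp` (run as root to see every user's sockets); `-n` and `-P` keep hosts and ports numeric so the port comparison is exact.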
 
  

