What I do in situations like this is run lsof | grep LISTEN
or lsof | grep 8080 or lsof | grep LISTEN | grep 8080

nate

Dave Sherohman wrote:
>
> I've been getting webcache connection attempts showing up in my logs for the
> last couple days, always from the same IP. So I got sick of it and sent him
> a nastygram and, in the process of composing it, tried telnetting to port
> 8080 on the machine in question.
>
> I connected.
>
> The only response I was able to get out of it (not knowing the appropriate
> protocol to pretend I was a cache client) was:
>
> ---
> Cache Error!
> An error of type 400 occurred: Invalid Scheme
>
> Generated by 1.3.1
> ---
>
> I'm rather disturbed by the software's failure to identify itself beyond a
> version number.
>
> `fuser -n tcp 8080` says that nobody's using the port, even when I've got a
> telnet session open to it. Neither squid nor wwwoffle is installed and
> there's no mention of port 8080 (or webcache) in my inetd, apache, or
> portsentry configs.
>
> In the process of investigating this, my server stopped accepting connections
> on port 8080, which leads me to suspect that it may have been portsentry
> accepting the connections (although it's version 1.0-1.4, not 1.3.1).
>
> Just to be safe, I've added "webcache: ALL" to hosts.deny, but I'd like to
> know who is (or was) listening there. Where should I look next when fuser
> doesn't see anything? (And are there any known exploits, trojans, etc. that
> would display these symptoms?)
>
> --
> "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
> "So does syphilis. Good thing we have penicillin." - Matthew Alton
> Geek Code 3.1: GCS d- s+: a- C++ UL++$ P+>+++ L+++>++++ E- W--(++) N+ o+
> !K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r++ y+

--
::: ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]
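
The port-to-process lookup discussed above, done by hand against the Linux /proc tables that lsof and fuser read; this is an added example, not part of the original thread. The function names and the sample table are constructed for illustration, and it assumes the standard /proc/net/tcp column layout.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Constructed sample in /proc/net/tcp layout: 8080 (0x1F90) and 22 (0x0016) in
# LISTEN (st 0A), plus one ESTABLISHED (st 01) connection to 8080.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 45678 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111 1 0000000000000000 100 0 0 10 0
   2: 0A000001:1F90 0A000002:C350 01 00000000:00000000 00:00000000 00000000     0        0 45679 1 0000000000000000 20 4 30 10 -1'

# listen_inodes PORT [TABLE...]: print the inode of each LISTEN socket on PORT.
# TABLE defaults to the live kernel tables; ports are stored as 4-digit hex.
listen_inodes() {
    port_hex=$(printf '%04X' "$1")
    shift
    [ "$#" -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for table in "$@"; do
        [ -r "$table" ] || continue
        awk -v p="$port_hex" 'NR > 1 {
            n = split($2, a, ":")            # local_address is ADDR:PORT
            if (toupper(a[n]) == p && $4 == "0A") print $10   # $10 = inode
        }' "$table"
    done
}

# inode_owners INODE [PROCROOT]: print "PID COMM" for every process with an fd
# that links to socket:[INODE]. Other users' fd directories are readable only
# by root, so an unprivileged run can miss the owner.
inode_owners() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$root"/}; pid=${pid%%/*}
        echo "$pid $(cat "$root/$pid/comm" 2>/dev/null)"
    done | sort -u
}

# who_listens PORT [PROCROOT [TABLE...]]: join the two lookups and flag a
# listener that no visible process owns.
who_listens() {
    port=$1; procroot=${2:-/proc}
    shift; [ "$#" -eq 0 ] || shift
    for inode in $(listen_inodes "$port" "$@"); do
        owners=$(inode_owners "$inode" "$procroot")
        echo "port $port inode $inode: ${owners:-no owning process visible}"
    done
}
```

Run as root, `who_listens 8080` reads the live tables; a LISTEN entry with no visible owner after a root run points at a socket held by the kernel itself rather than a userspace daemon.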