Hi,
I seem to be having a lot of traffic on port 6667. I looked around and it seems that port is for IRC. I guess I was hacked and someone installed it on my machine.
How would I go about finding out where it's being started and how to close that port?
thanks, Joel Lopez
joel, if you think you're hacked, i recommend you look through securityfocus website under incidents since i am aware that this subject has been discussed thoroughly on that particular mailing list. now, if this is a production machine, i would recommend you disconnect the equipment from the network. next step would be to get chkrootkit and start digging. if you want to see what's going out through the port, use tcpdump -i eth0 -s 1400 -w 6667.dump or something. you could also run nc -lnvv -p 6667. good luck!
--
<<gyoo [at] attbi [dot] com>>
--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
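On the original question of where the port 6667 traffic is being started from, here is an added example (not part of either poster's message) that reads the kernel's socket table in /proc/net/tcp and maps each matching socket to its owning process. The function names and the sample table are constructed for illustration; it covers IPv4 only and assumes a little-endian host.

```python
import glob
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0A0200C0:8123 076433C6:1A0B 01 00000000:00000000 00:00000000 00000000   500        0 33333 1
"""
STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # other state codes are shown raw


def decode_addr(hexaddr):
    """'0100007F:1A0B' -> '127.0.0.1:6667' (assumes a little-endian host)."""
    ip, port = hexaddr.split(":")
    dotted = socket.inet_ntoa(struct.pack("<I", int(ip, 16)))
    return f"{dotted}:{int(port, 16)}"


def sockets_on_port(table_text, port=6667):
    """Return IPv4 TCP sockets whose local or remote port equals `port`."""
    hits = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        if port in (int(f[1].split(":")[1], 16), int(f[2].split(":")[1], 16)):
            hits.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                         "state": STATES.get(f[3], f[3]), "uid": int(f[7]),
                         "inode": f[9]})
    return hits


def pids_for_inode(inode, proc="/proc"):
    """Map a socket inode to {pid: exe path} via /proc/<pid>/fd (run as root)."""
    owners = {}
    for fd in glob.glob(f"{proc}/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                pid = fd.split("/")[-3]
                owners[pid] = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            continue  # process exited or access denied
    return owners


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for s in sockets_on_port(fh.read()):
            print(s, pids_for_inode(s["inode"]))
```

Reading /proc directly avoids relying on a netstat binary that may have been replaced, but a kernel-level rootkit can still hide sockets from /proc, so an empty result does not clear the machine.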