Security Basics mailing list archives

Re: Hacked ???

From: Jeremy Heslop <security () omnitechpro com>
Date: Fri, 29 Jul 2005 10:30:48 -0400

Phil,

Is this a private proxy you have on your network? If so it looks likeoutside ips are connecting to it and using it for themselves. This iscalled an open proxy. You should add the proper acls to your squid.confto lock everyone out but yourself (or those who need access). If this isnot the case then discregard this message. Thanks,


Jeremy

asterisk () marnock net wrote:

Hi List,

I'm seeing some strange things on my box.  Here is a snippit from my squid
log:  BTW I don't have an icq account.


1122088113.571    308 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088114.402    140 220.160.34.238 TCP_HIT/200 482 GET
http://media.adrevolver.com/adrevolver/banner? - NONE/- text/html
1122088116.711    310 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.769    339 212.227.83.197 TCP_MISS/200 183 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088119.950    367 72.21.34.42 TCP_MISS/200 185 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088120.466    543 200.50.23.115 TCP_MISS/401 417 GET
http://www.bubblebutts.com/members/ - DIRECT/216.15.219.25 text/html
1122088121.618    404 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088122.814    885 70.118.81.253 TCP_MISS/200 6085 GET
http://members.yahoo.com/interests? - DIRECT/66.218.75.151 text/html
1122088123.961    620 212.227.83.197 TCP_MISS/200 251 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088125.635    356 72.21.34.42 TCP_MISS/200 185 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.101    309 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088126.587    309 212.227.83.197 TCP_MISS/200 182 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.107    376 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088129.404    446 85.138.104.205 TCP_MISS/999 4647 GET
http://216.109.127.60/config/login? - DIRECT/216.109.127.60 text/html
1122088130.415     10 220.160.34.238 TCP_MEM_HIT/200 381 GET
http://ad.yieldmanager.com/imp? - NONE/- image/gif
1122088130.882    385 212.227.65.104 TCP_MISS/200 186 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.464    348 212.227.83.197 TCP_MISS/200 185 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088132.587    307 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.746    391 212.227.83.197 TCP_MISS/200 184 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -
1122088135.762    380 72.21.34.42 TCP_MISS/200 182 CONNECT
login.icq.com:443 - DIRECT/64.12.200.89 -


I've disconected all machines except my main linux box which is used for a
number of things ( asterisk telephony system / squid proxy / cvs ) etc.
I've also noticed port 32768 is open and others are connecting to it from
the web or an app is connecting to them.  How can I see which app is
connecting to port 32768 ???

Heres the first line from a netstat -an

[root@zeus iptraf]# netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address
State
tcp        0      0 0.0.0.0:32768               0.0.0.0:*
LISTEN


Thanks in advance.



Phil

Current thread:

Hacked ??? asterisk (Jul 26)
- Re: Hacked ??? Fernando Amatte (Jul 29)
  - Re: Hacked ??? asterisk (Jul 29)
- Re: Hacked ??? Jeremy Heslop (Jul 29)