[lug] phantom irc traffic

Aaron Nichols anichols at trumped.org
Fri Nov 21 00:19:54 MST 2008


It's not super-current but one thing I like to do when I suspect
something strange (and IRC traffic to some 3rd party server certainly
qualifies) is fire up chkrootkit on the local host.

http://www.chkrootkit.org/download/

It's easy to download, fast to run, and will often spot a rooted host
faster than other methods of poking around. If it doesn't turn
anything up, remain suspicious; it's just one thing to try. Also, if
your OS already has tools like fuser, netstat, and lsof that you are using
to look for these connections, they can't really be trusted - most
rootkits would have neutered 'em. Use binaries from a trusted source.

Aaron

On Thu, Nov 20, 2008 at 4:16 PM, Gordon Golding <gordongoldin at aim.com> wrote:
> Somebody noticed a very regular pattern of IRC traffic from our webserver.
> Every 3 minutes a handshake.
>
> What could cause this?  We got kooties?
>
> Can't seem to figure out what process is doing this.
>
> Also, we see a ESTABLISHED connection to irc.rcn.com
> Can't figure out what process is holding that connection.
>
> How can I figure out what process is holding that irc.rcn.com connection that I
> see in netstat?
>
> Any thoughts?
>
> IP 195.197.175.21 is irc2.saunalahti.fi
> We have grad students and researchers from all over the world, so I'm not
> immediately panicked at the foreign address.
>
> Here are some flowscan logs for the IRC traffic.
>
> 11/20 00:05:05  195.197.175.21  128.138.225.63   6  0  6667 49439     2    139
> 11/20 00:05:05  128.138.225.63  195.197.175.21   6  0 49439  6667     2    138
> 11/20 00:08:05  195.197.175.21  128.138.225.63   6  0  6667 49439     2    139
> 11/20 00:08:05  128.138.225.63  195.197.175.21   6  0 49439  6667     2  20138
> 11/20 00:11:05  195.197.175.21  128.138.225.63   6  0  6667 49439     2    139
> 11/20 00:11:05  128.138.225.63  195.197.175.21   6  0 49439  6667     2    138
> 11/20 00:14:05  128.138.225.63  195.197.175.21   6  0 49439  6667     2    138
> 11/20 00:14:05  195.197.175.21  128.138.225.63   6  0  6667 49439     2    139
> 11/20 00:15:28  128.138.225.63  195.197.175.21   6  0 49439  6667     2    104
> 11/20 00:15:28  195.197.175.21  128.138.225.63   6  0  6667 49439     2    379
> 11/20 00:17:05  195.197.175.21  128.138.225.63   6  0  6667 49439     2    139
> 11/20 00:17:05  128.138.225.63  195.197.175.21   6  0 49439  6667     2    138
> 11/20 00:20:05  128.138.225.63  195.197.175.21   6  0 49439  6667     2    138
> 11/20 00:20:05  195.197.175.21  128.138.225.63   6  0  6667 49439     2    139
> 11/20 00:23:10  128.138.225.63  195.197.175.21   6  0 49439  6667     3    190
> 11/20 00:23:10  195.197.175.21  128.138.225.63   6  0  6667 49439     3    328
> Gordon
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>

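Added example, not part of the thread: a small POSIX shell script for Gordon's two questions (is the every-3-minutes IRC pattern a regular beacon, and which process owns the connection netstat shows) that also follows Aaron's warning about untrusted netstat/lsof by reading the kernel's own socket table for comparison. It assumes a Linux host with sh, awk and cut, a little-endian /proc/net/tcp layout (x86), and, for socket_owner only, lsof, ss or netstat on the box. The flow lines and the /proc/net/tcp excerpt it runs on are constructed samples shaped after the ones quoted above, and the column meanings assigned to the flowscan output (proto, sport, dport, packets, bytes) are an assumption, as are the function names.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumptions: Linux, POSIX sh + awk + cut, little-endian /proc/net/tcp layout,
# and (socket_owner only) lsof / ss / netstat present and trustworthy.

# Constructed sample shaped after the flowscan lines quoted in the thread.
# Column meaning is assumed: date time src dst proto tos sport dport packets bytes
SAMPLE_FLOWS='11/20 00:05:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:05:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:08:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:08:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:11:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:11:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:14:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:14:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:15:28 128.138.225.63 195.197.175.21 6 0 49439 6667 2 104
11/20 00:15:28 195.197.175.21 128.138.225.63 6 0 6667 49439 2 379
11/20 00:17:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:17:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:20:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:20:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:23:10 128.138.225.63 195.197.175.21 6 0 49439 6667 3 190
11/20 00:23:10 195.197.175.21 128.138.225.63 6 0 6667 49439 3 328'

# Constructed /proc/net/tcp excerpt: one ESTABLISHED socket (state 01) from
# 128.138.225.63:49439 to 195.197.175.21:6667 and one LISTEN (0A) socket on :80.
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3FE18A80:C11F 15AFC5C3:1A0B 01 00000000:00000000 00:00000000 00000000    33        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6789 1 0000000000000000 100 0 0 10 0'

# beacon_summary FLOWS LOCAL_IP REMOTE_PORT
# Takes the outbound flows from LOCAL_IP to REMOTE_PORT, rounds the gap between
# successive flows into 30-second bins (beacons jitter) and prints
# "<modal gap seconds> <gaps in that bin> <gaps total>". Same-day timestamps only.
beacon_summary() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" -v bin=30 '
        $3 == ip && $8 == port {
            split($2, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            if (seen) {
                b = int((now - prev + bin / 2) / bin) * bin
                hist[b]++; gaps++
                if (hist[b] > hist[mode]) mode = b
            }
            prev = now; seen = 1
        }
        END { print mode + 0, hist[mode] + 0, gaps + 0 }'
}

# hex_sock AABBCCDD:PPPP -> d.c.b.a:port, the /proc/net/tcp encoding on x86
hex_sock() {
    h=${1%%:*}; p=${1##*:}
    printf '%d.%d.%d.%d:%d\n' \
        "0x$(printf '%s' "$h" | cut -c7-8)" "0x$(printf '%s' "$h" | cut -c5-6)" \
        "0x$(printf '%s' "$h" | cut -c3-4)" "0x$(printf '%s' "$h" | cut -c1-2)" "0x$p"
}

# proc_tcp_peers [FILE]
# Reads the kernel socket table itself (default /proc/net/tcp) instead of asking
# netstat/lsof, and prints "local:port remote:port" for each ESTABLISHED socket.
# A connection that shows up here but not in netstat -tnp / lsof -i on the same
# box means those tools are lying to you, which is Aaron's point above.
proc_tcp_peers() {
    awk 'NR > 1 && $4 == "01" { print $2, $3 }' "${1:-/proc/net/tcp}" |
    while read -r lcl rem; do
        printf '%s %s\n' "$(hex_sock "$lcl")" "$(hex_sock "$rem")"
    done
}

# socket_owner REMOTE_IP PORT
# The direct answer to "which process holds that connection": all three need root
# to see other users' PIDs, and all three are binaries a rootkit replaces, so run
# copies from trusted media (or a rescue disk) and compare with proc_tcp_peers.
socket_owner() {
    lsof -nP -iTCP@"$1:$2" -sTCP:ESTABLISHED 2>/dev/null
    ss -tnp dst "$1:$2" 2>/dev/null
    netstat -tnp 2>/dev/null | grep -F "$1:$2"
}

# Stand-alone run on the constructed samples.
beacon_summary "$SAMPLE_FLOWS" 128.138.225.63 6667   # 180 5 7
tmp=$(mktemp); printf '%s\n' "$SAMPLE_PROC_TCP" > "$tmp"
proc_tcp_peers "$tmp"   # 128.138.225.63:49439 195.197.175.21:6667
rm -f "$tmp"
```

On the real box you would feed beacon_summary the flowscan export ("$(cat flows.log)"), run proc_tcp_peers with no argument, and then run socket_owner 195.197.175.21 6667 (and the same for irc.rcn.com's address); the gap histogram from the sample (five of seven gaps in the 180-second bin, the other two straddling the 00:15:28 exchange) is exactly the "every 3 minutes" cadence Gordon saw, and a socket present in /proc/net/tcp but absent from the netstat/lsof output is the strongest sign those binaries have been replaced.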