If you think you have been hacked, you can use ps, lsof and other commands
from another server that has not been hacked, for example scp goodserver:/bin/ps /tmp/ps
and use /tmp/ps. This isn't secure, because maybe the attacker installed
a rootkit.


2014/1/22 Matias Mucciolo <mmucci...@suteba.org.ar>

>
> Can you paste a ps auxf output?
> Maybe someone will see some strange process.
>
> --
>
> Matias
>
> On Wednesday, January 22, 2014 10:57:14 AM Nico Angenon wrote:
> > Hello,
> >
> > I’ve put a firewall rule on this before the box, so there is no
> > connection left on this port... but there was a lot of traffic on this port
> > before the rule...
> >
> > Nico
> >
> > From: Lesley Binks
> > Sent: Wednesday, January 22, 2014 2:46 PM
> > To: Nico Angenon
> > Cc: debian-security@lists.debian.org
> > Subject: Re: finding a process that bind a spcific port
> >
> > Sorry for top posting. I'm on my phone.
> >
> > You can always check for data on the interface using tcpdump.
> > Worth using it to verify what's happening.
> >
> > Lesley
> >
> > On 22 Jan 2014 13:33, "Nico Angenon" <n...@creaweb.fr> wrote:
> >
> >   no output....
> >
> >   Thanks for all...
> >
> >   Nico
> >
> >   -----Original Message-----
> >   From: johan A. van Zanten
> >   Sent: Wednesday, January 22, 2014 1:56 PM
> >   To: n...@creaweb.fr
> >   Cc: debian-security@lists.debian.org
> >   Subject: Re: finding a process that bind a spcific port
> >
> >
> >   "Nico Angenon" <n...@creaweb.fr> wrote:
> >
> >     Nope... never used this service...
> >     Still looking for an explanation, trying chkrootkit and rkhunter right
> >     now....
> >
> >
> >   Try fuser:
> >
> >   fuser -n udp 10001
> >
> >   -johan
> >
> >
> >   --
> >   To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
> >   with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> >   Archive: http://lists.debian.org/20140122.125650.367853660900983582.jo...@brandwatch.com
> >


-- 
this is my life and I live it for as long as God wills
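
Added example (not part of the original thread): the port-to-process lookup that fuser and lsof perform, done by reading procfs directly so it does not depend on those binaries. The function names and the sample tree are assumptions constructed for illustration; it still relies on the local sh, awk and readlink, and a kernel-level rootkit can hide entries from /proc as well.

```shell
#!/bin/sh
# Added example: find the PID that owns a bound port by reading procfs
# directly, i.e. the lookup fuser/lsof do, without running those binaries.

# port_inodes ROOT TABLE PORT: socket inodes bound to local PORT in ROOT/net/TABLE
port_inodes() {
    [ -r "$1/net/$2" ] || return 0
    # Column 2 is local_address (HEXIP:HEXPORT), column 10 is the socket inode.
    awk -v p="$(printf '%04X' "$3")" \
        'NR > 1 { n = split($2, a, ":"); if (toupper(a[n]) == p) print $10 }' \
        "$1/net/$2"
}

# port_owners TABLE PORT [ROOT]: prints "PID EXE inode=N"; TABLE is udp, tcp, udp6, tcp6
port_owners() {
    root="${3:-/proc}"
    for inode in $(port_inodes "$root" "$1" "$2"); do
        [ "$inode" != 0 ] || continue    # inode 0: socket not attached to a process
        for fd in "$root"/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#"$root"/}; pid=${pid%%/*}
            exe=$(readlink "$root/$pid/exe" 2>/dev/null) || exe=unknown
            echo "$pid $exe inode=$inode"
        done
    done | sort -u
}

# Constructed sample tree (not real data): PID 4242 holds UDP port 10001.
make_sample_proc() {
    d=$(mktemp -d) && mkdir -p "$d/net" "$d/4242/fd" "$d/77/fd" || return 1
    {
        echo '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode'
        echo '  10: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5555 2 0 0'
        echo '  11: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 6666 2 0 0'
    } > "$d/net/udp"
    ln -s 'socket:[5555]' "$d/4242/fd/3"
    ln -s 'socket:[6666]' "$d/77/fd/5"
    ln -s /opt/sample/daemon "$d/4242/exe"
    echo "$d"
}
```

On a live system, `port_owners udp 10001` needs to run as root, because other users' /proc/PID/fd entries are not readable otherwise. A port that appears in /proc/net/udp with a non-zero inode but yields no owner is itself worth investigating.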
