These tools will relate IP flow to UID in Linux:

# Get the sockets that are open
netstat -an

# lsof (as root) maps sockets to pid and owner uid.
lsof

If netstat doesn't show it, it could be a raw socket... Or your root-kit's still there. Raw sockets will still show in lsof.

Alex

On Tue, Feb 23, 2010 at 02:39:41PM -0600, Dan White wrote:
> Date: Tue, 23 Feb 2010 14:39:41 -0600
> From: Dan White <dwh...@olp.net>
> To: Ronald Cotoni <seti...@gmail.com>
> Subject: Re: Security Guideance
> Cc: nanog@nanog.org
>
> On 23/02/10 15:19 -0500, Ronald Cotoni wrote:
> >Quick suggestion BUT you may want to have Parallels look into it if
> >you can't seem to find it since you pay for the support anyways. You
> >may also want to check to see if it is a cron job that is doing it (if
> >the machine was root kitted, you may have accidentally copied a cron
> >job over). Another suggestion would be simply move half the accounts
> >to one server and half to another and see if it DDoSes again and keep
> >doing that until you find the problem account.
>
> I'll second that. I've found a few interesting items in my
> /var/spool/cron/crontab before.
>
> Also check your web server logs. If someone has compromised an account via
> an apache/php vulnerability, it might show up in your access/error log
> (I saw 'wget' in my logs once).
>
> I assume you've checked 'last' to make sure they're not getting in via a
> remote shell.
>
> ls -ltra is your friend when finding the most recently created files in your
> filesystem.
>
> If you suspect there's a running process doing it, look through your /proc
> directory, like in /proc/<pid>/environ, /proc/<pid>/cmdline, etc.
>
> --
> Dan White
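The two suggestions above (netstat/lsof to tie sockets to a PID and UID, and reading /proc/<pid>/cmdline directly) can be combined into one script that never calls netstat or lsof at all, which matters when those binaries may have been replaced by the rootkit. This is an added example, not code from anyone on the thread; the /proc/net/tcp and /proc/<pid>/fd layouts are the kernel's, the function names are mine, and it assumes a little-endian host (x86/ARM) for the address decoding.

```python
# Map every TCP socket to its owning PID, UID and command by reading /proc directly,
# without trusting the netstat/lsof binaries on a host that may be rootkitted.
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}   # other states shown as raw hex

def hex_to_endpoint(h):
    # '0100007F:0277' -> ('127.0.0.1', 631); the kernel prints the address in host byte order
    addr, port = h.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    # Fields 1, 2, 3, 7, 9 of each row are local, remote, state, uid, inode.
    records = []
    for line in text.splitlines()[1:]:               # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = hex_to_endpoint(f[1])
        rip, rport = hex_to_endpoint(f[2])
        records.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                        "state": TCP_STATES.get(f[3], f[3]),
                        "uid": int(f[7]), "inode": int(f[9])})
    return records

def socket_inode_owners(proc="/proc"):
    # Walk /proc/<pid>/fd: a socket fd links to 'socket:[inode]'. Run as root to see all.
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                        cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
                    owners[int(target[8:-1])] = (int(pid), cmd)
        except OSError:
            continue                                  # process exited or permission denied
    return owners

if __name__ == "__main__":
    owners = socket_inode_owners()
    for s in parse_proc_net_tcp(open("/proc/net/tcp").read()):
        pid, cmd = owners.get(s["inode"], ("?", "(not visible)"))
        print(f"{s['state']:<12} {s['local']:<22} {s['remote']:<22} uid={s['uid']} pid={pid} {cmd}")
```

A socket whose inode is listed but has no owner in the output is the interesting case: either you lack permission to read that process's fd directory, or nothing in the process list claims it, which is worth a hard look on a box you already suspect.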