5/9 netstat -upl, run as root on a Linux box:
Active Internet connections (only servers)
Proto  Local Address  Foreign Address  PID/Program name
udp    *:32768        *:*              -
udp    *:799          *:*              -
udp    *:800          *:*              -
udp    *:sunrpc       *:*              110/portmap
Is there any way of determining who is listening on 32768
and friends? I don't think I've been 0wn3d...?
\_ lsof -i :32768
\_ lsof is probably trojaned, so is netstat. You will
never be able to track it down. Reinstall while you
still have a chance.
\_ Victim could build and copy in tools from somewhere else
but if Victim was really hacked, you're right. Reinstall
and do a better job securing the box next time.
\_ So, what, go OpenBSD?
\_ Or maybe just stop running random and useless services you
don't need or use that are known to come from a bad code
base like wu-ftpd.
\_ "lsof -V -i UDP:32768" produces:
lsof: Internet address not located: UDP:32768
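
An added example, not part of the thread: netstat prints "-" in the PID column when it finds no process holding the socket, and the same lookup can be done by hand by matching inodes in /proc/net/udp against /proc/<pid>/fd. The function names and the sample table are constructed for illustration; a Linux /proc layout is assumed.

```python
import os
import re

# Constructed sample in /proc/net/udp layout (not from the poster's machine).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:8000 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5012
   1: 00000000:031F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5013
   2: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4211
"""

def parse_udp_table(text):
    """Return [(local_port, uid, inode)] for each socket row of /proc/net/udp."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 10:                        # port is hex after the last ':'
            rows.append((int(f[1].rsplit(":", 1)[1], 16), int(f[7]), int(f[9])))
    return rows

def socket_owners(proc_root="/proc"):
    """Map socket inode -> {(pid, comm)} by walking <proc_root>/<pid>/fd."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            fds = os.listdir(os.path.join(proc_root, pid, "fd"))
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:                         # process exited or not readable
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(proc_root, pid, "fd", fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add((int(pid), comm))
    return owners

def attribute(rows, owners):
    """Pair each port with its owners; an empty set means no userland holder."""
    return [(port, owners.get(inode, set())) for port, _uid, inode in rows]

if __name__ == "__main__":
    with open("/proc/net/udp") as fh:
        live = parse_udp_table(fh.read())
    for port, procs in attribute(live, socket_owners()):
        print(port, sorted(procs) or "no owning process found")
```

This reads the same kernel-provided /proc data that netstat and lsof rely on, so its answer is only as trustworthy as the running kernel.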