ritztech (United States of America) asked:

Linux CentOS virus? netstat

Hey, I'm trying to locate whether my machine is sending a virus, and if so, trying to block it.



Here's the output.

I get numerous of these a second, and my CentOS is using Postfix as the client.
Yesterday this netstat -an was all port 110 (POP3) to the IP range 195.xx. Is my server being targeted with proxy servers to identify if my port 3389 is open?

I did a netstat -an on the CentOS:


tcp        0      1 192.168.2.40:48828          214.81.1.74:3389            SYN_SENT    
tcp        0      1 192.168.2.40:50685          214.100.1.68:3389           SYN_SENT    
tcp        0      1 192.168.2.40:50881          214.56.1.91:3389            SYN_SENT    
tcp        0      1 192.168.2.40:47174          214.21.1.136:3389           SYN_SENT    
tcp        0      1 192.168.2.40:38568          214.100.1.55:3389           SYN_SENT    
tcp        0      1 192.168.2.40:35053          214.59.1.54:3389            SYN_SENT    
tcp        0      1 192.168.2.40:41037          214.10.1.143:3389           SYN_SENT    
tcp        0      1 192.168.2.40:59374          214.78.1.44:3389            SYN_SENT    
tcp        0      1 192.168.2.40:59280          214.65.1.67:3389            SYN_SENT    
tcp        0      1 192.168.2.40:34960          214.85.1.56:3389            SYN_SENT    
tcp        0      1 192.168.2.40:44403          214.32.1.136:3389           SYN_SENT    
tcp        0      1 192.168.2.40:49428          214.37.1.129:3389           SYN_SENT    
tcp        0      1 192.168.2.40:38040          214.72.1.57:3389            SYN_SENT    
tcp        0      1 192.168.2.40:52776          214.41.1.130:3389           SYN_SENT    
tcp        0      1 192.168.2.40:35784          214.63.1.49:3389            SYN_SENT    
tcp        0      1 192.168.2.40:33611          214.5.1.131:3389            SYN_SENT    
tcp        0      1 192.168.2.40:44523          214.81.1.89:3389            SYN_SENT    
tcp        0      1 192.168.2.40:57551          214.89.1.60:3389            SYN_SENT    
tcp        0      1 192.168.2.40:56305          214.5.1.123:3389            SYN_SENT    
tcp        0      1 192.168.2.40:49685          214.10.1.141:3389           SYN_SENT    
tcp        0      1 192.168.2.40:52501          214.5.1.141:3389            SYN_SENT    
tcp        0      1 192.168.2.40:39358          214.62.1.66:3389            SYN_SENT    
tcp        0      1 192.168.2.40:40543          214.27.1.128:3389           SYN_SENT    
tcp        0      1 192.168.2.40:38215          214.47.1.88:3389            SYN_SENT    
tcp        0      1 192.168.2.40:41989          214.92.1.90:3389            SYN_SENT    
tcp        0      1 192.168.2.40:57902          214.27.1.123:3389           SYN_SENT    
tcp        0      1 192.168.2.40:52748          214.22.1.122:3389           SYN_SENT    
tcp        0      1 192.168.2.40:40232          214.91.1.68:3389            SYN_SENT    
tcp        0      1 192.168.2.40:57846          214.41.1.138:3389           SYN_SENT    
tcp        0      1 192.168.2.40:58965          214.73.1.77:3389            SYN_SENT    
tcp        0      1 192.168.2.40:57428          214.73.1.75:3389            SYN_SENT    
tcp        0      1 192.168.2.40:39761          214.68.1.61:3389            SYN_SENT    
tcp        0      1 192.168.2.40:49023          214.61.1.64:3389            SYN_SENT    
tcp        0      1 192.168.2.40:43292          214.50.1.57:3389            SYN_SENT    
tcp        0      1 192.168.2.40:49445          214.82.1.49:3389            SYN_SENT    
tcp        0      1 192.168.2.40:44932          214.44.1.129:3389           SYN_SENT    
tcp        0      1 192.168.2.40:38766          214.52.1.65:3389            SYN_SENT    
tcp        0      1 192.168.2.40:47982          214.38.1.127:3389           SYN_SENT    
tcp        0      1 192.168.2.40:49356          214.4.1.134:3389            SYN_SENT    
tcp        0      1 192.168.2.40:34825          214.69.1.79:3389            SYN_SENT    
tcp        0      1 192.168.2.40:42070          214.22.1.112:3389           SYN_SENT    
tcp        0      1 192.168.2.40:46422          214.0.1.119:3389            SYN_SENT    
tcp        0      1 192.168.2.40:48464          214.83.1.44:3389            SYN_SENT    
tcp        0      1 192.168.2.40:51166          214.12.1.137:3389           SYN_SENT    
tcp        0      1 192.168.2.40:44295          214.99.1.44:3389            SYN_SENT    
tcp        0      1 192.168.2.40:39718          214.99.1.58:3389            SYN_SENT    

There's SO much more than what I just grabbed.

3389, isn't that the RDP port?
I don't know how to solve this.

I'm not sure if this means my server is sending out, or am I getting sent incoming?

Where would I look first then?

Thanks

Last Comment: ritztech, 8/22/2022 - Mon
ASKER
ritztech

Could it be a rootkit virus? I tried viewing all the processes and this is what I get:
ps -e
    1 ?        00:00:00 init
    2 ?        00:00:00 migration/0
    3 ?        00:00:00 ksoftirqd/0
    4 ?        00:00:00 watchdog/0
    5 ?        00:00:00 events/0
    6 ?        00:00:00 khelper
    7 ?        00:00:00 kthread
   10 ?        00:00:00 kblockd/0
   11 ?        00:00:00 kacpid
   97 ?        00:00:00 cqueue/0
  100 ?        00:00:00 khubd
  102 ?        00:00:00 kseriod
  164 ?        00:00:00 pdflush
  165 ?        00:00:00 pdflush
  166 ?        00:00:00 kswapd0
  167 ?        00:00:00 aio/0
  324 ?        00:00:00 kpsmoused
  340 ?        00:00:00 kjournald
  367 ?        00:00:00 kauditd
  401 ?        00:00:00 udevd
  895 ?        00:00:00 kgameportd
 1302 ?        00:00:00 kmpathd/0
 1326 ?        00:00:00 kjournald
 1740 ?        00:00:00 auditd
 1742 ?        00:00:00 python
 1772 ?        00:00:00 syslogd
 1775 ?        00:00:00 klogd
 1810 ?        00:00:00 portmap
 1836 ?        00:00:00 rpc.statd
 1880 ?        00:00:00 rpc.idmapd
 1907 ?        00:00:00 dbus-daemon
 1948 ?        00:00:00 acpid
 1996 ?        00:00:00 sshd
 2012 ?        00:00:00 xinetd
 2030 ?        00:00:00 ntpd
 2047 ?        00:00:00 vsftpd
 2114 ?        00:00:00 mysqld_safe
 2150 ?        00:00:00 mysqld
 2303 ?        00:00:00 cyrus-master
 2321 ?        00:00:00 idled
 2323 ?        00:00:00 imapd
 2324 ?        00:00:00 imapd
 2325 ?        00:00:00 pop3d
 2326 ?        00:00:00 pop3d
 2328 ?        00:00:00 imapd
 2329 ?        00:00:00 imapd
 2330 ?        00:00:00 pop3d
 2331 ?        00:00:00 pop3d
 2334 ?        00:00:00 imapd
 2335 ?        00:00:00 pop3d
 2336 ?        00:00:00 imapd
 2337 ?        00:00:00 pop3d
 2354 ?        00:00:00 imapd
 2355 ?        00:00:00 imapd
 2356 ?        00:00:00 imapd
 2357 ?        00:00:00 pop3d
 2358 ?        00:00:00 imapd
 2359 ?        00:00:00 imapd
 2360 ?        00:00:00 imapd
 2361 ?        00:00:00 pop3d
 2389 ?        00:00:00 master
 2393 ?        00:00:00 qmgr
 2408 ?        00:00:00 httpd
 2448 ?        00:00:00 httpd
 2449 ?        00:00:00 httpd
 2450 ?        00:00:00 httpd
 2451 ?        00:00:00 httpd
 2452 ?        00:00:00 httpd
 2453 ?        00:00:00 safe_asterisk
 2459 ?        00:00:00 httpd
 2460 ?        00:00:00 httpd
 2461 ?        00:00:00 httpd
 2468 ?        00:00:07 asterisk
 2487 ?        00:00:00 crond
 2502 ?        00:00:00 atd
 2517 ?        00:00:00 faxq
 2520 ?        00:00:00 hfaxd
 2539 ?        00:00:00 iaxmodem
 2541 ?        00:00:00 iaxmodem
 2542 ?        00:00:00 iaxmodem
 2543 ?        00:00:00 iaxmodem
 2544 ?        00:00:00 iaxmodem
 2557 ?        00:00:00 saslauthd
 2560 ?        00:00:00 saslauthd
 2561 ?        00:00:00 saslauthd
 2562 ?        00:00:00 saslauthd
 2563 ?        00:00:00 saslauthd
 2576 ?        00:00:00 hald
 2577 ?        00:00:00 hald-runner
 2601 ?        00:00:00 hald-addon-acpi
 2666 ?        00:00:00 bash
 2668 ?        00:00:00 sh
 2669 ?        00:00:02 op_server.pl
 2674 tty1     00:00:00 mingetty
 2675 tty2     00:00:00 mingetty
 2676 tty3     00:00:00 mingetty
 2677 tty4     00:00:00 mingetty
 2678 tty5     00:00:00 mingetty
 2679 tty6     00:00:00 mingetty
 2682 ?        00:00:00 faxgetty
 2683 ?        00:00:00 faxgetty
 2684 ?        00:00:00 faxgetty
 2685 ?        00:00:01 faxgetty
 2763 ?        00:00:00 httpd
 2764 ?        00:00:00 httpd
 2765 ?        00:00:00 httpd
 2768 ?        00:00:00 httpd
 2769 ?        00:00:00 httpd
 2770 ?        00:00:00 httpd
 2771 ?        00:00:00 httpd
 2772 ?        00:00:00 httpd
 2773 ?        00:00:00 httpd
 2774 ?        00:00:00 httpd
 2792 ?        00:00:00 bash
 5237 ?        00:00:00 pickup
 5753 ?        00:00:00 lmtpd
 5799 ?        00:00:00 sshd
 5801 pts/0    00:00:00 bash
 5868 pts/0    00:00:00 ps
Cyclops3590

Run 'netstat -ano'.

The 'o' gives the PID of the process that is doing that connection. This should help you track down the offending process and figure out who ran it.
Cyclops3590

BTW, 3389 is the default Remote Desktop port for Windows.
ASKER
ritztech

Okay, thanks for the help. I did an lsof -i and I found that process:

bash      2792      root    1u     IPv4      18265                 TCP 192.168.2.40:41506->undernet.xs4all.nl:ircd (ESTABLISHED)
bash      2792      root    2u     IPv4      18483                 TCP 192.168.2.40:44412->irc2.saunalahti.fi:ircd (ESTABLISHED)
bash      2792      root    3u     IPv4       8861                 UDP *:32780
bash      2792      root    4u     IPv4      18259                 TCP 192.168.2.40:39955->Oslo.NO.EU.undernet.org:ircd (ESTABLISHED)

Then I looked at:
file /etc/rc.d/init.d/.type/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped

Then with WinSCP I looked in that directory and found other .seen files that contain user@ip for many different IPs.

Then I moved the bash file to the root directory and killed 2792.
ASKER
ritztech

I really don't know what it means by the Bash, but that doesn't sound good though,
and if there's a way to stop it.
Cyclops3590

BTW, sorry, netstat -ano is for Windows; netstat -anp is for Linux.

bash is a shell, the Bourne-again shell actually.
Its true path should be /bin/bash.

Do NOT move it or delete it, or you could have some other issues on your hands.

Also, those are IRC related, not the RDP you were seeing before. Run 'netstat -anp | grep 3389' and see what PID(s) show up.
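A triage helper, added here as an illustration (it is not code from the thread or from any of the answers), that does what the advice above describes: it parses Linux `netstat -anp` output, groups SYN_SENT connections by local address and destination port, flags any group that fans out to many distinct remote hosts, and reports the PID/program column for that group so the process can be identified. The sample output below is constructed to mirror the question's port 3389 storm, with the -p column added.

```python
import re
from collections import defaultdict

# One TCP line of Linux `netstat -anp`. The last column is "PID/Program name",
# or "-" when the process owner is not visible to the user running netstat.
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+(?P<state>\S+)\s+(?P<proc>\S+)"
)

def parse_netstat(text):
    """Return a dict per TCP connection line; headers and UDP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def find_outbound_scans(rows, min_targets=5):
    """Group SYN_SENT entries by (local address, remote port) and keep groups
    reaching at least `min_targets` distinct hosts: one box hammering a single
    port across many addresses, as in the question. Returns
    {(laddr, rport): {"targets": count, "pids": sorted PID/Program values}}."""
    groups = defaultdict(lambda: {"targets": set(), "pids": set()})
    for r in rows:
        if r["state"] != "SYN_SENT":
            continue
        key = (r["laddr"], r["rport"])
        groups[key]["targets"].add(r["raddr"])
        groups[key]["pids"].add(r["proc"])
    return {
        k: {"targets": len(v["targets"]), "pids": sorted(v["pids"])}
        for k, v in groups.items()
        if len(v["targets"]) >= min_targets
    }

# Constructed sample modelled on the question's output, with the -p column added.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 192.168.2.40:22             192.168.2.10:51022          ESTABLISHED 5799/sshd
tcp        0      1 192.168.2.40:48828          214.81.1.74:3389            SYN_SENT    2792/bash
tcp        0      1 192.168.2.40:50685          214.100.1.68:3389           SYN_SENT    2792/bash
tcp        0      1 192.168.2.40:50881          214.56.1.91:3389            SYN_SENT    2792/bash
tcp        0      1 192.168.2.40:47174          214.21.1.136:3389           SYN_SENT    2792/bash
tcp        0      1 192.168.2.40:38568          214.100.1.55:3389           SYN_SENT    2792/bash
tcp        0      1 192.168.2.40:35053          214.59.1.54:3389            SYN_SENT    -
tcp        0      1 192.168.2.40:41037          10.0.0.5:25                 SYN_SENT    2389/master
"""

if __name__ == "__main__":
    for (laddr, rport), info in find_outbound_scans(parse_netstat(SAMPLE)).items():
        print(f"{laddr} -> *:{rport}: {info['targets']} hosts, PIDs {info['pids']}")
```

On a live box, replace SAMPLE with the output of `netstat -anp` run as root, so the PID column is populated for every connection.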
ASKER
ritztech

Ya, yesterday it was doing 3389, and then the day before it had hundreds of open ports doing 110, so it's more than just that...
SOLUTION
Maciej S

ASKER CERTIFIED SOLUTION
Cyclops3590

BTW, I'm not saying that bash file isn't bad, just that due diligence should be practiced first before making changes that might take down needed services.
Cyclops3590

BTW, what version of CentOS are you using? Going to set up a test VM to see if I can find how that file could be there. However, we still need to find the binary that is opening all of the RDP connections.
ASKER
ritztech

So I had someone look over the Bash file to identify it, and he was saying it was a MechBot.

But I moved the .bash file to the root dir and killed that process, and it's not sending out on those ports anymore.

I did notice this though a few days later:


lsof -i

neostats   2874  awstats   14u  IPv4   9395       TCP 192.168.2.40:50564->64.32.20.153:afs3-fileserver (ESTABLISHED)

Well, I did notice back in October that my root password was changed. I bet you someone brute-forced into my box, because the password for root was asterisk (MISTAKE).

But of course I changed it to a difficult password.

But that's my thought on how they got in. Now, I can't really keep CentOS updated because it might corrupt my current Asterisk running on the server.

Finding the binary: is there a command to see where it's located? I used WinSCP to look via the files (easier for me than the cd .. kind of thing :) ...


Thanks ;)


Cyclops3590

Sorry to say, but now I have to agree with oklit. If you've determined it was hacked into (sounds like it was, if your password happened to change and you didn't do it), you need to redo the box from scratch, because you don't know what else could be wrong with the box.

Otherwise you are greatly running the risk of it still being compromised or more easily compromised down the road.
ASKER
ritztech

Yea, cool, thanks. In this process I've learned though (Linux newbie) how to find it; the lsof -i command was the answer, and with WinSCP I targeted where it was coming from and temporarily stopped it.

But yea, I'll have to do an upgrade on the Elastix anyways...


Thanks again