# am I being hacked? [solved]

## badgers

```
myth_host ~ # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6253            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6543            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6544            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6033            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:37488         127.0.0.1:6543          ESTABLISHED
tcp        0      0 127.0.0.1:37489         127.0.0.1:6543          ESTABLISHED
tcp        0      0 127.0.0.1:51777         127.0.0.1:6543          ESTABLISHED
tcp        0      0 127.0.0.1:6543          127.0.0.1:51777         ESTABLISHED
tcp        0      0 127.0.0.1:6543          127.0.0.1:37489         ESTABLISHED
tcp        0      0 127.0.0.1:6543          127.0.0.1:37488         ESTABLISHED
tcp        0     52 192.168.1.103:6253      12.20.65.30:49013       ESTABLISHED
tcp        0      0 192.168.1.103:47690     194.129.79.6:80         ESTABLISHED
udp    25592      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 192.168.1.103:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
```

I am the connection from 12.20.65.30 via ssh2

the connection 

tcp        0      0 192.168.1.103:47690     194.129.79.6:80         ESTABLISHED

is what I am concerned with.

I did /etc/init/d/apache2 stop 

because I thought the port 80 indicated it was connected to apache2 server.

Now that I killed it I can not restart apache with the following error:

```
myth_host ~ # /etc/init.d/apache2 start
 * Starting apache2 ...
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs                                                                                                                                     [ !! ]
myth_host ~ #
```

how can I kick off a connection?

----------

## badgers

```
myth_host ~ # netstat -aevep
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN      root       7029       5077/mysqld
tcp        0      0 *:6253                  *:*                     LISTEN      root       7367       5380/sshd
tcp        0      0 *:6543                  *:*                     LISTEN      mythtv     7785       5656/mythbackend
tcp        0      0 *:http                  *:*                     LISTEN      root       89425      32646/Xvfb
tcp        0      0 *:x11                   *:*                     LISTEN      root       7851       5723/X
tcp        0      0 *:6544                  *:*                     LISTEN      mythtv     7786       5656/mythbackend
tcp        0      0 *:6033                  *:*                     LISTEN      mythtv     94969      32646/Xvfb
tcp        0      0 localhost:37488         localhost:6543          ESTABLISHED mythtv     884874     19214/mythfrontend
tcp        0      0 localhost:37489         localhost:6543          ESTABLISHED mythtv     884880     19214/mythfrontend
tcp        0      0 localhost:51777         localhost:6543          ESTABLISHED mythtv     94934      32646/Xvfb
tcp        0      0 localhost:6543          localhost:51777         ESTABLISHED mythtv     94935      5656/mythbackend
tcp        0      0 localhost:6543          localhost:37489         ESTABLISHED mythtv     884881     5656/mythbackend
tcp        0      0 localhost:6543          localhost:37488         ESTABLISHED mythtv     884875     5656/mythbackend
tcp        0     52 192.168.1.103:6253      global.erdman.com:49013 ESTABLISHED root       889063     23884/3
udp    25592      0 *:bootpc                *:*                                 root       6675       4871/dhcpcd
udp        0      0 192.168.1.103:ntp       *:*                                 root       7327       5300/ntpd
udp        0      0 localhost:ntp           *:*                                 root       7326       5300/ntpd
udp        0      0 *:ntp                   *:*                                 root       7325       5300/ntpd
```

I was able to kill the foreign address connection; it indicated it was from mythbrowser, but it didn't make sense. The 0.0.0.0:80 is from Xvfb.

why is that on port 80?

----------

## badgers

This is what I found out about the remote "foreign" IP address

```
[curly]$ whois 194.129.79.6
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag
% Information related to '194.128.0.0 - 194.131.255.255'

inetnum:        194.128.0.0 - 194.131.255.255
org:            ORG-UA24-RIPE
netname:        UK-PIPEX-194-128-131
descr:          UUNET
descr:          PROVIDER Local Registry
country:        GB
admin-c:        WERT1-RIPE
tech-c:         UPHM1-RIPE
status:         ALLOCATED PA
remarks:        Please send abuse notification to abuse@uk.uu.net
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      AS1849-MNT
mnt-routes:     AS1849-MNT
mnt-routes:     WCOM-EMEA-RICE-MNT
mnt-irt:        IRT-MCI-GB
source:         RIPE # Filtered

organisation:   ORG-UA24-RIPE
org-name:       UUNET
org-type:       LIR
address:        c/o UUNET Sweden
                P.O. Box 4127
address:        SE-17104
address:        Solna
address:        Sweden
phone:          +46 8 5661 7629
phone:          +31 20 711 6000
fax-no:         +46 8 5661 7236
fax-no:         +31 20 711 1784
e-mail:         ip@se.mci.com
e-mail:         support@uk.uu.net
e-mail:         registrar@eu.uu.net
admin-c:        AK111-RIPE
admin-c:        UIU1-RIPE
admin-c:        WERT1-RIPE
admin-c:        TONE1-RIPE
admin-c:        UE30-RIPE
admin-c:        ARK-RIPE
admin-c:        AA2250-RIPE
admin-c:        jful-ripe
admin-c:        duma-ripe
mnt-ref:        AS1849-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

role:         WCOM EMEA Registrar Team
address:      UUNET / MCI
address:      EMEA Network Services
address:      J. Muyskenweg 22
address:      NL-1096 CJ Amsterdam
address:      The Netherlands
phone:        +31 20 711 6000
fax-no:       +31 20 711 6001
e-mail:       registrar@eu.uu.net
admin-c:      AK111-RIPE
admin-c:      ARK-RIPE
admin-c:      HTV5-RIPE
admin-c:      TONE1-RIPE
admin-c:      USB1-RIPE
tech-c:       AK111-RIPE
tech-c:       ARK-RIPE
tech-c:       HTV5-RIPE
tech-c:       TONE1-RIPE
tech-c:       USB1-RIPE
nic-hdl:      WERT1-RIPE
mnt-by:       AS1849-MNT
source:       RIPE # Filtered

role:           PIPEX Hostmaster
address:        UUNET UK
address:        Internet House
address:        330 Science Park
address:        Milton Road
address:        Cambridge
address:        CB4 4BZ
address:        UK
phone:          +44 1223 250122
fax-no:         +44 1223 250133
e-mail:         support@uk.uu.net
remarks:        trouble:      Telephone number available 24x7
admin-c:        WERT1-RIPE
tech-c:         WERT1-RIPE
nic-hdl:        UPHM1-RIPE
remarks:        UUNET UK
mnt-by:         AS1849-MNT
source:         RIPE # Filtered

% Information related to '194.129.64.0/20AS9194'

route:        194.129.64.0/20
descr:        UUNet Global Hosting - UK5
origin:       AS9194
mnt-by:       MCI-MNT
source:       RIPE # Filtered
```

----------

## magic919

It's an outgoing connection to a webserver. Your machine initiated it, so I don't think I'd worry about being hacked.
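The two checks the thread walks through by hand (which process is squatting on port 80 in the second listing, and whether the 194.129.79.6:80 connection is inbound or outbound, the point made in this reply) are the same parsing job, so here is one added script that does both. This is example code, not something from the original thread or from any of the projects named in it. It parses `netstat -antp`-style output, reports the PID/program behind each listener, and labels every ESTABLISHED connection to a non-loopback peer as inbound (the peer hit one of this host's listening ports) or outbound (this host's side is an ephemeral port, so this host initiated it). The sample listing embedded in the script is constructed from the thread's numbers; the PID and program name for the port-80 client are assumed, since the thread never shows them.

```python
"""Triage a netstat listing: who owns each listening port, and which
ESTABLISHED connections this host initiated (outbound) versus accepted
on one of its listeners (inbound). Added example, not thread code."""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the thread's listings (not verbatim; the
# PID/program on the port-80 client line is an assumption).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5077/mysqld
tcp        0      0 0.0.0.0:6253            0.0.0.0:*               LISTEN      5380/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      32646/Xvfb
tcp        0      0 127.0.0.1:37488         127.0.0.1:6543          ESTABLISHED 19214/mythfrontend
tcp        0     52 192.168.1.103:6253      12.20.65.30:49013       ESTABLISHED 23884/sshd
tcp        0      0 192.168.1.103:47690     194.129.79.6:80         ESTABLISHED 19999/mythbrowser
udp        0      0 0.0.0.0:123             0.0.0.0:*                           5300/ntpd
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_host: str
    local_port: int
    foreign_host: str
    foreign_port: Optional[int]   # None for the '*' wildcard
    state: str                    # 'LISTEN', 'ESTABLISHED', ... ('' for udp)
    owner: str                    # 'PID/Program name' column, '-' if hidden


def _split_addr(addr: str):
    host, _, port = addr.rpartition(":")   # rpartition keeps IPv6 hosts intact
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> list:
    """Parse `netstat -antp` (also -anp / -aevep) output into Socket rows."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner and header lines
        lh, lp = _split_addr(f[3])
        fh, fp = _split_addr(f[4])
        state = f[5] if f[0].startswith("tcp") and len(f) > 5 else ""
        # PID/Program is always the last column when -p is given; '-' means
        # the process belongs to another user and we are not root.
        owner = f[-1] if ("/" in f[-1] or f[-1] == "-") else "-"
        socks.append(Socket(f[0], lh, lp, fh, fp, state, owner))
    return socks


def listening_ports(socks) -> set:
    return {s.local_port for s in socks if s.state == "LISTEN"}


def port_owner(socks, port: int) -> Optional[str]:
    """PID/program holding the listener on `port` (e.g. why apache can't bind)."""
    for s in socks:
        if s.state == "LISTEN" and s.local_port == port:
            return s.owner
    return None


def _is_loopback(host: str) -> bool:
    ip = ipaddress.ip_address(host)
    ip = getattr(ip, "ipv4_mapped", None) or ip   # treat ::ffff:127.0.0.1 as loopback
    return ip.is_loopback


def classify(socks) -> list:
    """(socket, 'inbound'|'outbound') for each ESTABLISHED non-loopback connection.
    inbound: our local port is one we LISTEN on, so the peer connected to us.
    outbound: our local port is ephemeral, so this host opened the connection."""
    listeners = listening_ports(socks)
    return [(s, "inbound" if s.local_port in listeners else "outbound")
            for s in socks
            if s.state == "ESTABLISHED" and not _is_loopback(s.foreign_host)]


def triage(text: str) -> dict:
    socks = parse_netstat(text)
    return {
        "listeners": {s.local_port: s.owner for s in socks if s.state == "LISTEN"},
        "inbound": [f"{s.foreign_host}:{s.foreign_port} -> :{s.local_port} ({s.owner})"
                    for s, d in classify(socks) if d == "inbound"],
        "outbound": [f"{s.owner} -> {s.foreign_host}:{s.foreign_port}"
                     for s, d in classify(socks) if d == "outbound"],
    }


if __name__ == "__main__":
    try:   # live run; -p only shows other users' PIDs when run as root
        text = subprocess.run(["netstat", "-antp"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE
    for key, value in triage(text).items():
        print(key, value)
```

On the sample this reports port 80 as held by `32646/Xvfb`, the ssh session as inbound and the :80 connection as outbound. Two caveats for real use: `netstat -p` only names processes owned by other users when run as root (otherwise the column shows `-`), and on current distributions `ss -tanp` gives the same columns. And "outbound" alone is not a clean bill of health: a reverse shell or beacon is also an outbound connection from an ephemeral port, so the thing to check is the owning program in the last column, exactly as the second listing in this thread did. To free port 80 once the owner is known, kill that PID (or `fuser -k 80/tcp`) rather than restarting apache blindly.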

----------

## badgers

thanks, I keep this machine running all the time and I have always been afraid of running apache, but for mythburn to work I needed it.

I appreciate your help

----------

## smurfd

As magic919 said, it's most likely no problem.

But if you suspect something, I'd keep my eyes open.

Check access logs, look for the usual weird-looking binaries and such.

Worst case, just block the address via iptables and see if anything freaks out.

Better safe than sorry.

----------

## Vulpes_Vulpes

You can emerge chkrootkit and rkhunter to check your machine and really be at ease.

----------

## ben_dash

If you're only using apache for mythburn why don't you firewall off port 80 incoming?

I have all ports blocked except 22, i.e. SSH.

If I want to get to mythweb I just tunnel it through ssh, or just wait until I get home and do it from inside my LAN.

"An ounce of prevention is worth a pound of cure" as they say.

Good luck!

Ben

----------

## badgers

 *ben_dash wrote:*   

> If you're only using apache for mythburn why don't you firewall off port 80 incoming?
> 
> I have all ports blocked except 22, i.e. SSH.
> 
> Ben

 

Ports 80 and 22 are off in the firewall.

That is why I was surprised to see it, but as magic919 pointed out, it was actually a mythweb session that had not closed out, and the connection was outgoing.

I keep this box running for months at a time and I was just nervous that the connection had been there so long with nothing really "open" from the GUI point of view.

Thanks, my bad. I wasn't being attacked.

----------

