:eek:
Well, I noticed some 6667 traffic in the Cisco ASA… getting blocked… so found the culprit server…
and on there:
```
[root@server1 ~]# lsof -i TCP:6667
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 7735 apache 3u IPv4 125657 TCP server1:56882->202.91.37.40:ircd (SYN_SENT)
httpd 14846 apache 3u IPv4 125665 TCP server1:47440->202.159.33.34:ircd (SYN_SENT)
httpd 14863 apache 3u IPv4 125652 TCP server1:47438->202.159.33.34:ircd (SYN_SENT)
```
chkrootkit / rkhunter show clean…
/tmp is empty… and well… nothing else seems to be a problem… it’s a script that one of my clients has anyway… how do I find the script?
I don't think this time they managed to get in, but they have tried to connect on ports… so… any ideas?
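
One way to go from the lsof output above to what each flagged httpd worker is actually doing, as an added example that is not part of the original post. The helper names `parse_lsof` and `inspect_pid` and the `--live` switch are made up here; the sample input is the output quoted in the post.

```shell
#!/usr/bin/env bash
# Sample input: the lsof output quoted in the post, embedded so this runs offline.
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 7735 apache 3u IPv4 125657 TCP server1:56882->202.91.37.40:ircd (SYN_SENT)
httpd 14846 apache 3u IPv4 125665 TCP server1:47440->202.159.33.34:ircd (SYN_SENT)
httpd 14863 apache 3u IPv4 125652 TCP server1:47438->202.159.33.34:ircd (SYN_SENT)'

# parse_lsof (hypothetical helper): read `lsof -i` output on stdin and print
# "pid user remote state" for each socket that has a remote endpoint.
# The NAME field is located by its "->" because the SIZE column may be empty.
parse_lsof() {
  awk 'NR > 1 {
    for (i = 1; i <= NF; i++) if ($i ~ /->/) {
      split($i, ep, "->")
      state = (i < NF) ? $(i + 1) : "-"
      gsub(/[()]/, "", state)
      print $2, $3, ep[2], state
    }
  }'
}

# inspect_pid (hypothetical helper): show what /proc records for one worker:
# working directory, command line, and every open file with an absolute path.
inspect_pid() {
  pid=$1; p=/proc/$1
  [ -d "$p" ] || { echo "pid $pid: already exited"; return 1; }
  echo "pid $pid cwd: $(readlink "$p/cwd" 2>/dev/null)"
  echo "pid $pid cmd: $(tr '\0' ' ' 2>/dev/null < "$p/cmdline")"
  for fd in "$p"/fd/*; do
    target=$(readlink "$fd" 2>/dev/null) || continue
    case $target in /*) echo "pid $pid fd ${fd##*/}: $target" ;; esac
  done
  return 0
}

# Live mode (needs root to read other users' /proc entries): inspect each
# distinct PID that currently holds a socket to port 6667.
if [ "${1:-}" = "--live" ]; then
  lsof -nP -i TCP:6667 | parse_lsof | awk '{ print $1 }' | sort -un |
    while read -r pid; do inspect_pid "$pid"; done
fi
```

Sockets in SYN_SENT are short-lived, so live mode has to run while the attempts are still happening; a worker that has exited is reported as such rather than silently skipped.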