Hello lINUX heads , Just did something REALLY stupid last nite
on my trusty REDHAT bOx. Using Rhat 6.0 with KDE , I somehow decided to "use" or abuse KsIRC ,the CHAT program that is part of INTERNET OPTIONS.

New to this chat stuff ,I did some REMOTE connections (like "undernet " out of AMSTERDAM, and a few others.

The bad part is ,Idid this under ROOT user circumstances.

Just to check out my error, I brought up terminal & typed in NETSTAT and noticed some FUNNY Ip No,s and one that is Clearly
IRC (undernet) . I also tried to "traceroute" these #,s (under network tools) and similar results .



The really Scary thing is that when I disconnect my MODEM (software -wise & physically) ,I try NETSTAT again and these same IP (irc) No,s come up again .

So what do I have , a HACKED LINUX box acting as someones SERVER ????? or worse??????


What can Ido to remedy all this shit that Igot myself into!!!!!



Regards ,chilibowl

dont worry about what netstat says when you unplugg the modem, it will show the last connection state you had
use who or w to see what users are connected
you can kill that connection with
fuser -v -n tcp -k -i port_number

also in /etc/hosts.deny add ALL : ALL

I'd be concerned that I got rooted if I was you. Especially if you reboot and notice sockets listening to odd port numbers that shouldn't be open. I would consider it a compromised box untill you made very sure that it was clean. Download and run chkrootkit to see if you can detect anything. Check /etc/passwd to see if you have any new users (users like h4z0r or 3l337 are probably not a good sign). If you had the foresight to install a file system integrity checker (like tripwire), then check your logs to see if anything significant has changed.

If you continue to notice strange activity, I would seriously think about backing up your personal files and doing a fresh reinstall. You can try and hunt down rootkits, but if you have something nasty like an LKM, you'll have a hard time.