port to program tool?

uk_viper · 25 Jul 2007 at 14:39

Bit of a strange one, few weeks ago i had a dos attack launched from one of my servers, i know its coming from port 6667 program used was an eggdrop, its still sending them out, anyone know of any software i can use which can tell me what program is using what port so i can finally find it, and remove it, my firewall is stopping it been sent out but i want it removed completely

tntcoder · 25 Jul 2007 at 14:48

netstat -a should do the job? Failing that maybe run an nmap scan on yourself

.walls · 25 Jul 2007 at 14:55

something along the lines of

Code:

# netstat -p

although you might want to pipe that into a text file...

You can fine tune netstat to show only the port(s) that you want, of course.

riddlermarc · 25 Jul 2007 at 15:11

=walls= said:
something along the lines of

Code:

# netstat -p

although you might want to pipe that into a text file...

You can fine tune netstat to show only the port(s) that you want, of course.

.. or even do a real kludge and

Code:

netstat -a | grep 6667

Also do a ps -ef and see if there are any obviously dodgy items in there..?

uk_viper · 25 Jul 2007 at 16:46

have a go tonight i will, kill all firewalls and that i cant see anything with it warning me every 10seconds

Una · 25 Jul 2007 at 17:56

port 6667 is usually a connection to an irc server (which makes sense if its an eggdrop).

lsof -i :6667 will tell you what the current sockets open on that port are...

If your box has been compromised you have no guarantee that netstat/lsof, ps etc... will work as you expect them to, since its pretty easy to modify binaries to produce a different output.