This tutorial demonstrates how to find and deal with programs opening network ports on your Linux system. In our example below, the TCP port 6667 is open. This port is usually used for IRC servers. If you see this port open but don’t expect it, your server might have been hacked. We’ll find, stop and remove the program running on TCP port 6667.
First we need to check the status of our ports:
netstat -na | grep "ESTABLISHED"
tcp 0 0 192.168.0.1:39701 220.127.116.11:6667 ESTABLISHED
The only interesting connection with a status of “ESTABLISHED” is the one in the above output. It runs from local port 39701 on our system to port 6667 on a remote system. The remote system somewhere on the Internet has the IP address of “18.104.22.168”. We need to find out which program is opening that port.
lsof -Pnl +M -i4 | grep 6667
modcluste 3959 10224 1u IPv4 12002 TCP 192.168.0.1:39701->22.214.171.124:6667 (ESTABLISHED)
The program name listed above is “modcluste” but that name is cut short. To find out its full name we can run the following command using the process id (from the above output) “3959”.
ps aux 3959
sally 3959 0.0 0.0 1988 852 ? Ss Feb05 0:00 modclusterd
Now we can see the complete name. We can also see that the user “sally” started the application. Most likely her account was hacked. We can find where that application is located by using either (or both) of the following commands:
locate modclusterd
find / | grep modclusterd
The output might look like the following:
The above looks like a cracker was here. So let's kill it and remove it.
kill -9 3959
rm -rf /var/tmp/.a
So the known threat is gone but the work has just begun. We need to alter the firewall to prevent this from happening again. Also consider enabling SELinux if possible. We also need to find out what damage was done to the system (if any) if this were a real incident. Also consider changing Sally’s account password.
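The identification steps above (lsof, then ps, then locating the binary) collected into one script, as an added example that is not part of the original tutorial. It reads the binary's path and hash from /proc/PID/exe rather than locate/find, so it has to run before the kill; the function names are this example's own and the sample line is the lsof output shown earlier.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function names are this example's own.
# Constructed sample input: the lsof line shown in the tutorial.
SAMPLE_LSOF='modcluste 3959 10224 1u IPv4 12002 TCP 192.168.0.1:39701->22.214.171.124:6667 (ESTABLISHED)'

# Read `lsof -Pnl +M -i4` output on stdin; print the unique PIDs that hold an
# ESTABLISHED connection whose *remote* port equals $1.
pids_for_remote_port() {
    awk -v port="$1" '
        $NF == "(ESTABLISHED)" {
            if (split($(NF - 1), ends, "->") != 2) next   # not local->remote
            sub(/.*:/, "", ends[2])                        # keep remote port only
            if (ends[2] == port) print $2                  # column 2 is the PID
        }' | sort -un
}

# Print owner, full command line, on-disk path and hash of a running PID.
# /proc/PID/exe still resolves when the file was deleted (the path then ends
# in " (deleted)"), which locate and find cannot show.
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid: not running" >&2; return 1; }
    echo "pid:    $pid"
    echo "user:   $(ps -o user= -p "$pid")"
    echo "cmd:    $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "exe:    $(readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable, run as root)')"
    echo "sha256: $(sha256sum "/proc/$pid/exe" 2>/dev/null | cut -d' ' -f1)"
}

if [ "$#" -gt 0 ]; then
    # Live use: sh thisfile 6667  (needs lsof; root sees every user's sockets)
    for pid in $(lsof -Pnl +M -i4 | pids_for_remote_port "$1"); do
        describe_pid "$pid"
    done
else
    # No argument: run offline on the constructed sample; prints 3959
    printf '%s\n' "$SAMPLE_LSOF" | pids_for_remote_port 6667
fi
```

Saving this output before running kill and rm keeps a record of what was running and where it lived for the later damage assessment.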
Thanks to AgixLinux