raw 0 0 0.0.0.0:6 0.0.0.0:* 7

Post by Tony » Sun, 22 Jun 2003 13:12:56



I think my machine is hacked. As root, when I do a netstat -an --ip, I see
this:

tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2105            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2109            0.0.0.0:*               LISTEN
tcp        0      0 x.x.x.x:22        x.x.x.x:52826     ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*

But as user www, the same command gives this:

tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2105            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2109            0.0.0.0:*               LISTEN
tcp        0      0 x.x.x.x:22        x.x.x.x:52826     ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7

What is this line: ----> raw        0      0 0.0.0.0:6               0.0.0.0:*               7

I also had remote IP addresses connecting to this machine before I rebooted.

Please help

 
 
 

raw 0 0 0.0.0.0:6 0.0.0.0:* 7

Post by David Means » Mon, 23 Jun 2003 02:16:21



> I think my machine is hacked. As root, when I do a netstat -an --ip, I
> see this:

> tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:2105            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:2109            0.0.0.0:*               LISTEN
> tcp        0      0 x.x.x.x:22        x.x.x.x:52826     ESTABLISHED
> udp        0      0 0.0.0.0:68              0.0.0.0:*

> But as user www, the same command gives this:

> tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:2105            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:2109            0.0.0.0:*               LISTEN
> tcp        0      0 x.x.x.x:22        x.x.x.x:52826     ESTABLISHED
> udp        0      0 0.0.0.0:68              0.0.0.0:*
> raw        0      0 0.0.0.0:6               0.0.0.0:*               7
> raw        0      0 0.0.0.0:6               0.0.0.0:*               7

> What is this line: ----> raw        0      0 0.0.0.0:6               0.0.0.0:*               7

> I also had remote IP addresses connecting to this machine before I
> rebooted.

> Please help

The 'raw' appears to indicate a raw socket open on your system.  It's not
typical.

port 2105 is eklogin, "Kerberos encrypted rlogin"
port 2109 is ergolight, which appears to be used by a java program of the
same name.
port 68 is bootp.

The rest are pretty much standard.

--
David Means

There are 10 kinds of people in this world: people who understand binary, and people who don't.

 
 
 

raw 0 0 0.0.0.0:6 0.0.0.0:* 7

Post by Kirth Gersen » Mon, 23 Jun 2003 08:11:45




> ....

>> What is this line: ----> raw        0      0 0.0.0.0:6 0.0.0.0:*
>>       7
>> ....

6 stands for TCP (see /etc/protocols), and the 7 for one of the TCP states, TCP_CLOSE (see netinet/tcp.h).
Could be wrong though. Anyone? It seems to be the state field in struct sock.

Only my gateway/firewall shows these raw ip sockets.

Kirth
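The decoding that David Means and Kirth work out above, as an added example (this is not code from any of the posts): a Python script that parses the poster's netstat lines (embedded as a constructed sample), treats the "port" of a raw entry as an IP protocol number (6 = TCP, per /etc/protocols) and the trailing 7 as the Linux socket state TCP_CLOSE, flags TCP listeners outside the set the thread calls standard, decodes a constructed /proc/net/raw line (the file netstat reads those entries from), and shows which socket() call produces such an entry. The expected-listener set, the abridged protocol table and the inode in the /proc sample are assumptions made for the example.

```python
import socket
from dataclasses import dataclass
from typing import Optional

# Linux socket states (include/net/tcp_states.h, same numbers as netinet/tcp.h).
# netstat names them for tcp but prints a bare number for raw and udp entries;
# raw and UDP sockets never handshake, so they sit in state 7 = TCP_CLOSE.
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}
# Subset of /etc/protocols, embedded so this runs offline: for a raw socket the
# "port" netstat prints is really the IP protocol number.
IP_PROTOCOLS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}
# Assumed baseline for the poster's box (the listeners the thread calls standard);
# any other TCP socket in LISTEN state is flagged for a closer look.
EXPECTED_TCP_LISTENERS = {21, 22, 80, 113, 443, 3306}

# Constructed sample: the poster's 'netstat -an --ip' output as user www, abridged.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2105            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2109            0.0.0.0:*               LISTEN
tcp        0      0 x.x.x.x:22        x.x.x.x:52826     ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
"""
# Constructed sample of /proc/net/raw, where netstat gets those raw lines from:
# local_address is hex IPv4 (host byte order, little-endian on x86) plus the hex
# protocol number; st is the hex state; the (assumed) inode ties the socket to a
# process, e.g. find /proc/*/fd -lname 'socket:[12345]'.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
"""


@dataclass
class Entry:
    proto: str            # tcp / udp / raw
    local_addr: str
    local_port: int       # for raw sockets: the IP protocol number
    remote: str
    state: Optional[str]  # symbolic state, or None when netstat prints none
    note: str             # what an investigator should know about this line


def decode_state(field: Optional[str]) -> Optional[str]:
    """Turn netstat's numeric raw/udp state into the name it uses for tcp."""
    if field is None:
        return None
    return TCP_STATES.get(int(field), f"UNKNOWN({field})") if field.isdigit() else field


def parse_netstat_line(line: str) -> Optional[Entry]:
    f = line.split()
    if len(f) < 5 or f[0] not in ("tcp", "udp", "raw"):
        return None
    addr, port = f[3].rsplit(":", 1)
    port = int(port)
    state = decode_state(f[5] if len(f) > 5 else None)
    note = ""
    if f[0] == "raw":
        note = (f"raw socket for IP protocol {port} ({IP_PROTOCOLS.get(port, 'unassigned')});"
                " creating one needs CAP_NET_RAW, so find the owning process via its inode")
    elif f[0] == "tcp" and state == "LISTEN" and port not in EXPECTED_TCP_LISTENERS:
        note = f"unexpected TCP listener on {port}; check /etc/services and the owning process"
    return Entry(f[0], addr, port, f[4], state, note)


def analyze(text: str) -> list:
    return [e for e in map(parse_netstat_line, text.splitlines()) if e]


def parse_proc_net_raw(text: str) -> list:
    """Decode the kernel's own view of raw sockets (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        ip_hex, proto_hex = f[1].split(":")
        ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])  # assumes little-endian host
        rows.append({"ip": ip, "protocol": int(proto_hex, 16),
                     "state": TCP_STATES.get(int(f[3], 16)),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def try_open_raw_tcp_socket() -> str:
    """What creates such an entry: socket(AF_INET, SOCK_RAW, IPPROTO_TCP).
    While open it appears in /proc/net/raw as 00000000:0006 with st 07."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except PermissionError:
        return "denied: CAP_NET_RAW is required (normal for an unprivileged user)"
    except OSError as exc:
        return f"failed: {exc}"
    with s:
        return "opened: a 'raw ... 0.0.0.0:6 ... 7' line is visible until this socket closes"


if __name__ == "__main__":
    for e in analyze(SAMPLE_NETSTAT):
        print(f"{e.proto:4} {e.local_addr}:{e.local_port:<5} {e.state or '-':12} {e.note}")
    print(parse_proc_net_raw(SAMPLE_PROC_NET_RAW), try_open_raw_tcp_socket())
```

Run it as a normal user and the last line reports "denied", which is the point: a raw socket bound to protocol 6 can only have been created by root or a process holding CAP_NET_RAW, so the inode from /proc/net/raw is what leads to the process that owns it.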

 
 
 

raw 0 0 0.0.0.0:6 0.0.0.0:* 7

Post by Barry Margolin » Sun, 29 Jun 2003 01:21:35






>> ....

>>> What is this line: ----> raw        0      0 0.0.0.0:6 0.0.0.0:*
>>>       7
>>> ....

>6 stands for TCP (see /etc/protocols), and the 7 for one of the TCP states,
>TCP_CLOSE (see netinet/tcp.h).
>Could be wrong though. Anyone? It seems to be the state field in struct sock.

>Only my gateway/firewall shows these raw ip sockets.

Maybe the gateway or firewall code makes use of raw sockets internally.

--

Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
