hacked?

koepie

New Member
I installed ntop on my server.

Now I'm worried about how much traffic it eats!
What puzzles me most is the table at the bottom:

ttyinfo xinuexpansion4 sieve servexec shadowserver arcpd scrabble ricardo-lm ppcontrol cypress-stat cypress x-bone-api stgxfws weblogin unet

I'd be very grateful if you could take a look and tell me whether something's fishy there!

Here's the ntop interface too:
http://lederzwerg.eu:3000/trafficStats.html
 
It's a bit hard to say whether something's fishy there without knowing what is supposed to be running on the box and what isn't...

Not much can be said about the ports you listed, because with some programs it's normal for ports to be negotiated dynamically and therefore to end up fairly randomly distributed -- though for that, ports outside the range assigned by IANA are usually used (doesn't have to be, though).

That the traffic is almost exclusively UDP with so many different hosts is quite odd... Do you have any P2P software running?

What do "ps aux" and "lsof -i" say?

Regards,
LinuxAdmin
 
Code:
lsof -i
COMMAND     PID         USER   FD   TYPE    DEVICE SIZE NODE NAME
xinetd     2200         root    6u  IPv4      6216       TCP *:ftp (LISTEN)
xinetd     2200         root    8u  IPv4      6217       TCP *:poppassd (LISTEN)
xinetd     2200         root    9u  IPv4      6218       TCP *:smtp (LISTEN)
xinetd     2200         root   10u  IPv4      6219       TCP *:smtps (LISTEN)
sshd       2590         root    3u  IPv6      6361       TCP *:ssh (LISTEN)
portmap    2595       nobody    3u  IPv4      6404       UDP *:sunrpc
portmap    2595       nobody    4u  IPv4      6408       TCP *:sunrpc (LISTEN)
couriertc  2605         root    5u  IPv4      6457       TCP *:imap (LISTEN)
famd       2618         root    3u  IPv4      6466       TCP localhost:acap (LISTEN)
couriertc  2646         root    5u  IPv4      6569       TCP *:imaps (LISTEN)
couriertc  2701         root    5u  IPv4      6682       TCP *:pop3 (LISTEN)
couriertc  2772         root    5u  IPv4      6966       TCP *:pop3s (LISTEN)
named      2924        named   20u  IPv6      7247       UDP *:domain
named      2924        named   21u  IPv6      7248       TCP *:domain (LISTEN)
named      2924        named   22u  IPv4      7250       UDP localhost:domain
named      2924        named   23u  IPv4      7251       TCP localhost:domain (LISTEN)
named      2924        named   24u  IPv4      7252       UDP india130.server4you.de:domain
named      2924        named   25u  IPv4      7253       TCP india130.server4you.de:domain (LISTEN)
named      2924        named   26u  IPv4      7259       UDP *:filenet-tms
named      2924        named   27u  IPv6      7260       UDP *:filenet-rpc
named      2924        named   28u  IPv4      7261       TCP localhost:953 (LISTEN)
named      2924        named   29u  IPv6      7262       TCP localhost:953 (LISTEN)
mysqld-ma  2992        mysql   10u  IPv4      7780       TCP *:mysql (LISTEN)
postmaste  3254     postgres    3u  IPv4      8035       TCP localhost:postgresql (LISTEN)
postmaste  3254     postgres    4u  IPv6      8036       TCP localhost:postgresql (LISTEN)
postmaste  3254     postgres    7u  IPv4      8046       UDP localhost:filenet-nch->localhost:filenet-nch
postmaste  3263     postgres    7u  IPv4      8046       UDP localhost:filenet-nch->localhost:filenet-nch
postmaste  3264     postgres    7u  IPv4      8046       UDP localhost:filenet-nch->localhost:filenet-nch
httpsd     3334         root   16u  IPv4      8214       TCP *:cddbp-alt (LISTEN)
httpsd     3334         root   17u  IPv4      8215       TCP *:pcsync-https (LISTEN)
drwebd     3480        drweb    4u  IPv4     10127       TCP localhost:hbci (LISTEN)
srcds_amd  3790         dod1    4u  IPv4     22461       UDP india130.server4you.de:27019
srcds_amd  3790         dod1    5u  IPv4     22462       UDP india130.server4you.de:27021
srcds_amd  3790         dod1    6u  IPv4     22463       UDP india130.server4you.de:27006
srcds_amd  3790         dod1    7u  IPv4     22464       TCP india130.server4you.de:27019 (LISTEN)
srcds_amd  3790         dod1    9u  IPv4     24800       UDP india130.server4you.de:26902
srcds_amd  4311          cs5    4u  IPv4     53828       UDP india130.server4you.de:27025
srcds_amd  4311          cs5    5u  IPv4     53829       UDP india130.server4you.de:27026
srcds_amd  4311          cs5    6u  IPv4     53830       UDP india130.server4you.de:27010
srcds_amd  4311          cs5    7u  IPv4     53831       TCP india130.server4you.de:27025 (LISTEN)
srcds_amd  4311          cs5    9u  IPv4     58858       UDP india130.server4you.de:26906
srcds_amd  5289     csskunze    4u  IPv4 933090046       UDP india130.server4you.de:27040
srcds_amd  5289     csskunze    5u  IPv4 933090047       UDP india130.server4you.de:27023
srcds_amd  5289     csskunze    6u  IPv4 933090048       UDP india130.server4you.de:27008
srcds_amd  5289     csskunze    7u  IPv4 933090049       TCP india130.server4you.de:27040 (LISTEN)
srcds_amd  5289     csskunze    9u  IPv4 933094260       UDP india130.server4you.de:26904
httpd2-pr  7239         root    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr  7239         root    5u  IPv6 266434259       TCP *:https (LISTEN)
httpsd     8510       psaadm   16u  IPv4      8214       TCP *:cddbp-alt (LISTEN)
httpsd     8510       psaadm   17u  IPv4      8215       TCP *:pcsync-https (LISTEN)
srcds_amd 10341           cs    4u  IPv4 943547845       UDP india130.server4you.de:27015
srcds_amd 10341           cs    6u  IPv4 943547846       UDP india130.server4you.de:27020
srcds_amd 10341           cs    7u  IPv4 943547847       UDP india130.server4you.de:27005
srcds_amd 10341           cs    8u  IPv4 943547848       TCP india130.server4you.de:27015 (LISTEN)
srcds_amd 10341           cs   10u  IPv4 943551983       UDP india130.server4you.de:26901
hlds_amd  10718      cskunze    4u  IPv4 943649191       UDP india130.server4you.de:27030
hlds_amd  10718      cskunze    5u  IPv4 943649590       UDP india130.server4you.de:26900
sshd      10915         root    3u  IPv6 943701566       TCP india130.server4you.de:ssh->p54B83231.dip0.t-ipconnect.de:61341 (ESTABLISHED)
httpsd    11004       psaadm   16u  IPv4      8214       TCP *:cddbp-alt (LISTEN)
httpsd    11004       psaadm   17u  IPv4      8215       TCP *:pcsync-https (LISTEN)
ntop      11062       nobody    0u  IPv4 943728939       TCP india130.server4you.de:hbci (LISTEN)
ntop      11062       nobody    1u  IPv4 948101278       UDP india130.server4you.de:38447->static-ip-10-128-25-85.in-addr.intergenia.de:domain
ntop      11434       nobody    1u  IPv4 944038990       UDP india130.server4you.de:36391->static-ip-10-128-25-85.in-addr.intergenia.de:domain
ntop      11434       nobody   12u  IPv4 944039897       TCP india130.server4you.de:hbci->p54B83231.dip0.t-ipconnect.de:61799 (CLOSE_WAIT)
server_li 16261 tsserver_gwi   11u  IPv4 861234936       TCP india130.server4you.de:51234->india130.server4you.de:43338 (ESTABLISHED)
server_li 16261 tsserver_gwi   12u  IPv4 549862056       TCP india130.server4you.de:51234->pD9557006.dip.t-dialin.net:4853 (ESTABLISHED)
server_li 16261 tsserver_gwi   13u  IPv4 860038078       TCP india130.server4you.de:51234->pD95545B8.dip.t-dialin.net:rusb-sys-port (ESTABLISHED)
server_li 16261 tsserver_gwi   15u  IPv4 947554773       TCP india130.server4you.de:51234->pD9555F72.dip.t-dialin.net:orbplus-iiop (ESTABLISHED)
server_li 16261 tsserver_gwi   26u  IPv4 546972282       UDP *:8768
server_li 16261 tsserver_gwi   35u  IPv4 546972318       UDP *:8769
server_li 16261 tsserver_gwi   45u  IPv4 774644140       UDP *:dpap
server_li 16261 tsserver_gwi   53u  IPv4 546972386       UDP *:8771
server_li 16261 tsserver_gwi   59u  IPv4 548252388       UDP *:sieve
server_li 16261 tsserver_gwi   71u  IPv4 546972483       UDP *:pipe_server
server_li 16261 tsserver_gwi   80u  IPv4 546972526       UDP *:servserv
server_li 16261 tsserver_gwi   89u  IPv4 546972558       UDP *:raid-ac
server_li 16261 tsserver_gwi   98u  IPv4 546972583       UDP *:raid-cd
server_li 16261 tsserver_gwi  104u  IPv4 575902132       UDP *:raid-sf
server_li 16261 tsserver_gwi  117u  IPv4 658869133       UDP *:raid-cs
server_li 16261 tsserver_gwi  126u  IPv4 773844531       UDP *:bootserver
server_li 16261 tsserver_gwi  132u  IPv4 553946146       UDP *:bootclient
server_li 16261 tsserver_gwi  152u  IPv4 546972781       UDP *:about
server_li 16261 tsserver_gwi  161u  IPv4 546972818       UDP *:xinupageserver
server_li 16261 tsserver_gwi  170u  IPv4 546972869       UDP *:xinuexpansion1
server_li 16261 tsserver_gwi  179u  IPv4 546972896       UDP *:xinuexpansion2
server_li 16261 tsserver_gwi  188u  IPv4 546972938       UDP *:xinuexpansion3
server_li 16261 tsserver_gwi  197u  IPv4 546972971       UDP *:xinuexpansion4
server_li 16261 tsserver_gwi  206u  IPv4 546973009       UDP *:xribs
server_li 16261 tsserver_gwi  215u  IPv4 546973059       UDP *:scrabble
server_li 16261 tsserver_gwi  224u  IPv4 546973094       UDP *:shadowserver
server_li 16261 tsserver_gwi  234u  IPv4 583525235       UDP *:submitserver
server_li 16261 tsserver_gwi  242u  IPv4 546973170       UDP *:hsrpv6
server_li 16261 tsserver_gwi  249u  IPv4 688125842       UDP *:device2
server_li 16261 tsserver_gwi  255u  IPv4 583690762       UDP *:mobrien-chat
server_li 16261 tsserver_gwi  265u  IPv4 588218847       UDP *:blackboard
server_li 16261 tsserver_gwi  269u  IPv4 691150563       UDP *:rellpack
server_li 16261 tsserver_gwi  272u  IPv4 546976359       TCP *:14534 (LISTEN)
server_li 16261 tsserver_gwi  273u  IPv4 546976360       TCP *:51234 (LISTEN)
drwebd    21942        drweb    4u  IPv4     10127       TCP localhost:hbci (LISTEN)
drwebd    21943        drweb    4u  IPv4     10127       TCP localhost:hbci (LISTEN)
drwebd    21944        drweb    4u  IPv4     10127       TCP localhost:hbci (LISTEN)
drwebd    21945        drweb    4u  IPv4     10127       TCP localhost:hbci (LISTEN)
httpd2-pr 23452       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23452       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
httpd2-pr 23453       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23453       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
httpd2-pr 23454       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23454       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
httpd2-pr 23455       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23455       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
httpd2-pr 23456       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23456       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
httpd2-pr 23457       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23457       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
httpd2-pr 23483       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23483       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
httpd2-pr 23494       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23494       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
httpd2-pr 23525       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23525       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
srcds_amd 23601          cs2    4u  IPv4 946988363       UDP india130.server4you.de:27016
srcds_amd 23601          cs2    6u  IPv4 946988364       UDP india130.server4you.de:27022
srcds_amd 23601          cs2    7u  IPv4 946988365       UDP india130.server4you.de:27007
srcds_amd 23601          cs2    8u  IPv4 946988366       TCP india130.server4you.de:27016 (LISTEN)
srcds_amd 23601          cs2   10u  IPv4 946991251       UDP india130.server4you.de:26903
sshd      23784         root    3u  IPv6 947251680       TCP india130.server4you.de:ssh->p54B83231.dip0.t-ipconnect.de:63442 (ESTABLISHED)
httpd2-pr 23836       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
httpd2-pr 23836       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
wdcollect 25919         root    7u  IPv4 173030820       TCP localhost:epicon (LISTEN)
monit     25926         root    4u  IPv4 173031824       TCP localhost:blockade (LISTEN)
python    26068       wwwrun    3u  IPv6 266434254       TCP *:http (LISTEN)
python    26068       wwwrun    5u  IPv6 266434259       TCP *:https (LISTEN)
python    26068       wwwrun   66u  IPv4 858481037       TCP *:49293 (LISTEN)
python    26068       wwwrun   73u  IPv4 860675813       TCP india130.server4you.de:49293->static-87-245-43-5.teleos-web.de:upgrade (CLOSE_WAIT)
python    26068       wwwrun   75u  IPv4 860743653       TCP india130.server4you.de:49293->dslb-088-070-040-036.pools.arcor-ip.net:64272 (CLOSE_WAIT)
python    26068       wwwrun   76u  IPv4 858594034       TCP india130.server4you.de:49293->p548FD2E4.dip.t-dialin.net:53445 (CLOSE_WAIT)
python    26068       wwwrun   77u  IPv4 860457683       TCP india130.server4you.de:49293->p54AE0315.dip0.t-ipconnect.de:64575 (CLOSE_WAIT)
python    26068       wwwrun   78u  IPv4 860070671       TCP india130.server4you.de:49293->p57B2C7DC.dip.t-dialin.net:27740 (CLOSE_WAIT)
python    26068       wwwrun   80u  IPv4 858481675       TCP india130.server4you.de:57365->d142-59-20-135.abhsia.telus.net:11067 (CLOSE_WAIT)
python    26068       wwwrun   81u  IPv4 860836416       TCP india130.server4you.de:49293->88-134-64-98-dynip.superkabel.de:4643 (CLOSE_WAIT)
python    26068       wwwrun   82u  IPv4 858595161       TCP india130.server4you.de:49293->dslb-084-061-184-254.pools.arcor-ip.net:63637 (CLOSE_WAIT)
python    26068       wwwrun   83u  IPv4 860792339       TCP india130.server4you.de:49293->e180073233.adsl.alicedsl.de:61807 (CLOSE_WAIT)
python    26068       wwwrun   84u  IPv4 859067841       TCP india130.server4you.de:49293->pD9E27109.dip.t-dialin.net:64903 (CLOSE_WAIT)
python    26068       wwwrun   85u  IPv4 860149744       TCP india130.server4you.de:49293->stgt-590f1958.pool.einsundeins.de:openvpn (CLOSE_WAIT)
python    26068       wwwrun   86u  IPv4 858900682       TCP india130.server4you.de:49293->M1280P031.adsl.highway.telekom.at:ncdloadbalance (CLOSE_WAIT)
python    26068       wwwrun   87u  IPv4 860484390       TCP india130.server4you.de:49293->cpe-76-185-35-165.tx.res.rr.com:esps-portal (CLOSE_WAIT)
python    26068       wwwrun   88u  IPv4 858658728       TCP india130.server4you.de:49293->i5387493E.versanet.de:xmlink-connect (CLOSE_WAIT)
python    26068       wwwrun   89u  IPv4 859059232       TCP india130.server4you.de:49293->p54ABD683.dip.t-dialin.net:63221 (CLOSE_WAIT)
python    26068       wwwrun   91u  IPv4 858662639       TCP india130.server4you.de:49293->e179029039.adsl.alicedsl.de:34191 (CLOSE_WAIT)
python    26068       wwwrun   93u  IPv4 859610010       TCP india130.server4you.de:49293->p54B7EBB7.dip.t-dialin.net:spectraport (CLOSE_WAIT)
python    26068       wwwrun   94u  IPv4 858673172       TCP india130.server4you.de:49293->cm123-4.liwest.at:rimsl (CLOSE_WAIT)
python    26068       wwwrun   96u  IPv4 859156587       TCP india130.server4you.de:49293->e177216211.adsl.alicedsl.de:cogitate (CLOSE_WAIT)
python    26068       wwwrun   97u  IPv4 858711446       TCP india130.server4you.de:49293->221-172.2-85.cust.bluewin.ch:62295 (CLOSE_WAIT)
python    26068       wwwrun   98u  IPv4 859942412       TCP india130.server4you.de:49293->p5495D98C.dip.t-dialin.net:whosells (CLOSE_WAIT)
python    26068       wwwrun   99u  IPv4 860910706       TCP india130.server4you.de:49293->p5086ADFE.dip0.t-ipconnect.de:53648 (CLOSE_WAIT)
python    26068       wwwrun  100u  IPv4 859613733       TCP india130.server4you.de:49293->e180161205.adsl.alicedsl.de:simbaexpress (CLOSE_WAIT)
python    26068       wwwrun  101u  IPv4 859223594       TCP india130.server4you.de:49293->h081217095148.dyn.cm.kabsi.at:ptk-alink (CLOSE_WAIT)
python    26068       wwwrun  102u  IPv4 859254177       TCP india130.server4you.de:49293->dslb-088-077-011-231.pools.arcor-ip.net:50506 (CLOSE_WAIT)
python    26068       wwwrun  103u  IPv4 860824952       TCP india130.server4you.de:49293->pD9556E82.dip.t-dialin.net:buddy-draw (CLOSE_WAIT)
python    26068       wwwrun  105u  IPv4 859271735       TCP india130.server4you.de:49293->static-87-245-63-129.teleos-web.de:60367 (CLOSE_WAIT)
python    26068       wwwrun  106u  IPv4 860227605       TCP india130.server4you.de:49293->76.Red-88-26-29.staticIP.rima-tde.net:56166 (CLOSE_WAIT)
python    26068       wwwrun  107u  IPv4 860017600       TCP india130.server4you.de:49293->p548785FB.dip0.t-ipconnect.de:65080 (CLOSE_WAIT)
python    26068       wwwrun  108u  IPv4 860046666       TCP india130.server4you.de:49293->ip-3-19.travedsl.de:52628 (CLOSE_WAIT)
python    26068       wwwrun  109u  IPv4 859801166       TCP india130.server4you.de:49293->xdsl-81-173-238-208.netcologne.de:34028 (CLOSE_WAIT)
python    26068       wwwrun  110u  IPv4 860710366       TCP india130.server4you.de:49293->p50866312.dip.t-dialin.net:ftrapid-1 (CLOSE_WAIT)
python    26068       wwwrun  112u  IPv4 860880501       TCP india130.server4you.de:49293->p57B9F1AC.dip.t-dialin.net:29262 (CLOSE_WAIT)
python    26068       wwwrun  113u  IPv4 860874749       TCP india130.server4you.de:49293->143-5.2-85.cust.bluewin.ch:59410 (CLOSE_WAIT)
python    26068       wwwrun  114u  IPv4 859685280       TCP india130.server4you.de:49293->brln-d9ba60aa.pool.mediaWays.net:61268 (CLOSE_WAIT)
python    26068       wwwrun  115u  IPv4 859999452       TCP india130.server4you.de:49293->achn-4db4882e.pool.einsundeins.de:qubes (CLOSE_WAIT)
python    26068       wwwrun  116u  IPv4 860929044       TCP india130.server4you.de:49293->p54A88A8A.dip0.t-ipconnect.de:63583 (CLOSE_WAIT)
python    26068       wwwrun  117u  IPv4 860840622       TCP india130.server4you.de:49293->p548ECBDB.dip.t-dialin.net:4825 (CLOSE_WAIT)
python    26068       wwwrun  118u  IPv4 860875985       TCP india130.server4you.de:49293->p54B3E329.dip.t-dialin.net:netview-aix-3 (CLOSE_WAIT)
python    26068       wwwrun  119u  IPv4 860932260       TCP india130.server4you.de:49293->80.248.5.158:12712 (CLOSE_WAIT)
python    26068       wwwrun  120u  IPv4 860933541       TCP india130.server4you.de:49293->p5492080A.dip0.t-ipconnect.de:33734 (ESTABLISHED)
python    26068       wwwrun  121u  IPv4 860376706       TCP india130.server4you.de:49293->85-127-145-92.dynamic.xdsl-line.inode.at:64832 (CLOSE_WAIT)
python    26068       wwwrun  122u  IPv4 859629468       TCP india130.server4you.de:49293->p57BD7D90.dip.t-dialin.net:61219 (CLOSE_WAIT)
python    26068       wwwrun  123u  IPv4 860571013       TCP india130.server4you.de:49293->p57BB6756.dip.t-dialin.net:orbix-loc-ssl (CLOSE_WAIT)
python    26068       wwwrun  124u  IPv4 860935608       TCP india130.server4you.de:49293->chello084115013016.wrn.surfer.at:61777 (CLOSE_WAIT)
python    26068       wwwrun  125u  IPv4 859858639       TCP india130.server4you.de:49293->p4FD65A26.dip.t-dialin.net:4237 (CLOSE_WAIT)
python    26068       wwwrun  126u  IPv4 859864984       TCP india130.server4you.de:49293->250-101-204-62-pool.cable.fcom.ch:vxcrnbuport (CLOSE_WAIT)
python    26068       wwwrun  127u  IPv4 860257430       TCP india130.server4you.de:49293->p4FD3F1CE.dip.t-dialin.net:62857 (CLOSE_WAIT)
python    26068       wwwrun  128u  IPv4 860264573       TCP india130.server4you.de:49293->dslb-088-070-018-157.pools.arcor-ip.net:25070 (CLOSE_WAIT)
python    26068       wwwrun  129u  IPv4 859725425       TCP india130.server4you.de:49293->M4073P009.adsl.highway.telekom.at:58940 (CLOSE_WAIT)
python    26068       wwwrun  130u  IPv4 860935912       TCP india130.server4you.de:49293->dslb-084-062-126-166.pools.arcor-ip.net:avenue (CLOSE_WAIT)
python    26068       wwwrun  131u  IPv4 860300302       TCP india130.server4you.de:49293->p508BAFF1.dip0.t-ipconnect.de:2217 (CLOSE_WAIT)
python    26068       wwwrun  132u  IPv4 859776609       TCP india130.server4you.de:49293->p5B3EEBEF.dip.t-dialin.net:4052 (CLOSE_WAIT)
python    26068       wwwrun  133u  IPv4 860264642       TCP india130.server4you.de:49293->p54B6F955.dip.t-dialin.net:de-spot (CLOSE_WAIT)
python    26068       wwwrun  134u  IPv4 860267290       TCP india130.server4you.de:49293->dslb-088-070-082-110.pools.arcor-ip.net:22745 (ESTABLISHED)
python    26068       wwwrun  135u  IPv4 859869439       TCP india130.server4you.de:49293->xdsl-87-79-199-206.netcologne.de:63502 (CLOSE_WAIT)
python    26068       wwwrun  136u  IPv4 860268617       TCP india130.server4you.de:49293->i59F71C98.versanet.de:62708 (CLOSE_WAIT)
python    26068       wwwrun  137u  IPv4 860536968       TCP india130.server4you.de:49293->81-223-23-126.goesting.xdsl-line.inode.at:ms-wbt-server (CLOSE_WAIT)
python    26068       wwwrun  138u  IPv4 860548434       TCP india130.server4you.de:49293->cable-84-44-140-251.netcologne.de:60500 (CLOSE_WAIT)
python    26068       wwwrun  139u  IPv4 859922879       TCP india130.server4you.de:49293->M3710P014.adsl.highway.telekom.at:61997 (CLOSE_WAIT)
python    26068       wwwrun  141u  IPv4 860337157       TCP india130.server4you.de:49293->p508A7A6E.dip.t-dialin.net:64800 (CLOSE_WAIT)
python    26068       wwwrun  142u  IPv4 860344828       TCP india130.server4you.de:49293->p5499C8B7.dip.t-dialin.net:4073 (CLOSE_WAIT)
python    26068       wwwrun  146u  IPv4 860650321       TCP india130.server4you.de:49293->d83-189-60-75.cust.tele2.de:2264 (CLOSE_WAIT)
python    26068       wwwrun  147u  IPv4 860654423       TCP india130.server4you.de:49293->i577A6336.versanet.de:bmap (CLOSE_WAIT)
python    26068       wwwrun  148u  IPv4 860670008       TCP india130.server4you.de:49293->85.127.238.202:11098 (CLOSE_WAIT)
python    26068       wwwrun  149u  IPv4 860724609       TCP india130.server4you.de:49293->adsl-89-217-78-139.adslplus.ch:49382 (CLOSE_WAIT)
httpsd    27026       psaadm   16u  IPv4      8214       TCP *:cddbp-alt (LISTEN)
httpsd    27026       psaadm   17u  IPv4      8215       TCP *:pcsync-https (LISTEN)
httpsd    29200       psaadm   16u  IPv4      8214       TCP *:cddbp-alt (LISTEN)
httpsd    29200       psaadm   17u  IPv4      8215       TCP *:pcsync-https (LISTEN)
perl      29592 tsserver_gwi    4u  IPv4 861234935       TCP india130.server4you.de:43338->india130.server4you.de:51234 (ESTABLISHED)
httpsd    30377       psaadm   16u  IPv4      8214       TCP *:cddbp-alt (LISTEN)
httpsd    30377       psaadm   17u  IPv4      8215       TCP *:pcsync-https (LISTEN)

Hmm, I can't see anything unusual there either!

That the traffic comes from many hosts is probably due to the 500-slot TeamSpeak servers
and the game servers!

But I really like the lsof -i command! :) Didn't know it yet.

So if nothing stands out to you either, I can sleep soundly again!
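The triage LinuxAdmin asks for (look at what `ps aux` and `lsof -i` report, and decide which sockets belong to known services) can be scripted. The following is an added example, not code from the thread or from ntop/lsof: a small Python script that parses `lsof -i` rows, groups sockets by process and user, and prints the things a reviewer would want flagged in koepie's listing: services listening as root, one process binding many UDP ports (exactly what a voice or game server such as the server_linux process koepie identifies as TeamSpeak does, and what ntop then shows as UDP to many hosts), and sockets stuck in CLOSE_WAIT (the peer hung up and the program never closed its end; the python process on port 49293 in the listing has dozens of those). It also points out which "port names" in the output (sieve, scrabble, xinuexpansion4 and the like) are merely /etc/services labels for numeric ports; the listing was produced without `-P`, which is why those names appear at all. The sample input is a constructed excerpt of the posted listing, and the thresholds are arbitrary assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a short excerpt of the `lsof -i` listing posted in the
# thread (header line included). On a live box run `lsof -i -P -n` instead,
# so ports and hosts stay numeric and nothing is looked up in /etc/services or DNS.
SAMPLE = """\
COMMAND     PID         USER   FD   TYPE    DEVICE SIZE NODE NAME
sshd       2590         root    3u  IPv6      6361       TCP *:ssh (LISTEN)
named      2924        named   20u  IPv6      7247       UDP *:domain
srcds_amd  3790         dod1    4u  IPv4     22461       UDP india130.server4you.de:27019
srcds_amd  3790         dod1    7u  IPv4     22464       TCP india130.server4you.de:27019 (LISTEN)
server_li 16261 tsserver_gwi   26u  IPv4 546972282       UDP *:8768
server_li 16261 tsserver_gwi   59u  IPv4 548252388       UDP *:sieve
server_li 16261 tsserver_gwi  272u  IPv4 546976359       TCP *:14534 (LISTEN)
python    26068       wwwrun   66u  IPv4 858481037       TCP *:49293 (LISTEN)
python    26068       wwwrun   73u  IPv4 860675813       TCP india130.server4you.de:49293->static-87-245-43-5.teleos-web.de:upgrade (CLOSE_WAIT)
python    26068       wwwrun   75u  IPv4 860743653       TCP india130.server4you.de:49293->dslb-088-070-040-036.pools.arcor-ip.net:64272 (CLOSE_WAIT)
python    26068       wwwrun  120u  IPv4 860933541       TCP india130.server4you.de:49293->p5492080A.dip0.t-ipconnect.de:33734 (ESTABLISHED)
"""

# One lsof -i row: COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME [(STATE)].
# SIZE/OFF is often blank (as in the posted output), so everything between TYPE
# and the protocol is swallowed by the lazy `rest` group. Commands containing
# spaces are not handled; lsof -F would be the robust choice for that.
ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>IPv[46])\s+"
    r"(?P<rest>.*?)\s+(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def parse_lsof(text):
    """Group sockets by (command, pid, user)."""
    procs = defaultdict(lambda: {"listen": set(), "udp": set(),
                                 "states": Counter(), "peers": set()})
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, or a row lsof formatted differently
        local, _, remote = m["name"].partition("->")
        lport = local.rsplit(":", 1)[-1]  # works for "*:ssh" and "[::1]:22" alike
        entry = procs[(m["cmd"], int(m["pid"]), m["user"])]
        if remote:  # a connection: count its state and remember the peer host
            entry["states"][m["state"] or "UDP"] += 1
            entry["peers"].add(remote.rsplit(":", 1)[0])
        elif m["proto"] == "UDP":
            entry["udp"].add(lport)  # bound UDP socket; lsof prints no state for it
        elif m["state"] == "LISTEN":
            entry["listen"].add(lport)
    return procs


def review(procs, udp_limit=5, close_wait_limit=2):
    """Return findings worth a second look. Both thresholds are arbitrary assumptions."""
    notes = []
    for (cmd, pid, user), e in sorted(procs.items(), key=lambda kv: kv[0][1]):
        if e["listen"] and user == "root":
            notes.append(f"{cmd}[{pid}] listens as root on {sorted(e['listen'])}")
        if len(e["udp"]) >= udp_limit:
            notes.append(f"{cmd}[{pid}] ({user}) has {len(e['udp'])} bound UDP ports: "
                         "typical for voice/game servers or P2P, otherwise suspicious")
        cw = e["states"]["CLOSE_WAIT"]
        if cw >= close_wait_limit:
            notes.append(f"{cmd}[{pid}] ({user}) holds {cw} CLOSE_WAIT sockets: "
                         "the peers hung up and the program never closed them")
        labels = sorted(p for p in e["udp"] if not p.isdigit())
        if labels:
            notes.append(f"{cmd}[{pid}] UDP port labels {labels} are /etc/services names; "
                         "rerun lsof with -P to see the numbers")
    return notes


if __name__ == "__main__":
    for note in review(parse_lsof(SAMPLE)):
        print(note)
```

Run it against the full output of `lsof -i -P -n` piped in via `parse_lsof(sys.stdin.read())` and the "random" port names disappear, leaving numeric ports that can be matched against what each daemon is configured to use. A process that binds many UDP ports is only explained once it has been tied to a known program in `ps aux` (here the game servers and the TeamSpeak server_linux); an unknown binary doing the same would be the thing to investigate.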
 
Code:
# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0    716   284 ?        S    Oct20   0:06 init [3]
root         2  0.0  0.0      0     0 ?        S    Oct20   0:00 [migration/0]
root         3  0.0  0.0      0     0 ?        SN   Oct20   0:01 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S    Oct20   0:17 [migration/1]
root         5  0.0  0.0      0     0 ?        SN   Oct20   0:00 [ksoftirqd/1]
root         6  0.0  0.0      0     0 ?        S<   Oct20   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   Oct20   0:00 [events/1]
root         8  0.0  0.0      0     0 ?        S<   Oct20   0:00 [khelper]
root         9  0.0  0.0      0     0 ?        S<   Oct20   0:00 [kthread]
root        12  0.0  0.0      0     0 ?        S<   Oct20   0:00 [kblockd/0]
root        13  0.0  0.0      0     0 ?        S<   Oct20   0:01 [kblockd/1]
root        82  0.0  0.0      0     0 ?        S    Oct20   0:35 [kswapd0]
root        83  0.0  0.0      0     0 ?        S<   Oct20   0:00 [aio/0]
root        84  0.0  0.0      0     0 ?        S<   Oct20   0:00 [aio/1]
root       293  0.0  0.0      0     0 ?        S<   Oct20   0:00 [cqueue/0]
root       294  0.0  0.0      0     0 ?        S<   Oct20   0:00 [cqueue/1]
root       295  0.0  0.0      0     0 ?        S<   Oct20   0:00 [kseriod]
root       331  0.0  0.0      0     0 ?        S<   Oct20   0:00 [kpsmoused]
root       725  0.0  0.0      0     0 ?        S<   Oct20   0:00 [ata/0]
root       726  0.0  0.0      0     0 ?        S<   Oct20   0:00 [ata/1]
root       733  0.0  0.0      0     0 ?        S<   Oct20   0:00 [scsi_eh_0]
root       734  0.0  0.0      0     0 ?        S<   Oct20   0:00 [scsi_eh_1]
root       832  0.0  0.0      0     0 ?        S    Oct20   2:45 [kjournald]
root       891  0.0  0.0   1756   544 ?        S<s  Oct20   0:00 /sbin/udevd --daemon
root      1566  0.0  0.0      0     0 ?        S<   Oct20   0:00 [khubd]
100       2075  0.0  0.0   3416   952 ?        Ss   Oct20   0:03 /usr/bin/dbus-daemon --system
root      2200  0.0  0.0   2224   884 ?        Ss   Oct20   0:00 /usr/sbin/xinetd
root      2327  0.0  0.0   4280  2868 ?        Ss   Oct20   0:01 /usr/sbin/hald --daemon=yes --retain-privileges
root      2423  0.0  0.0   1652   520 ?        Ss   Oct20   0:00 /sbin/klogd -c 1 -x -x
root      2453  0.0  0.0   1896   780 ?        Ss   Oct20   0:33 /sbin/syslog-ng
root      2527  0.0  0.0   4368   844 ?        Ss   Oct20   0:00 /usr/sbin/saslauthd -a shadow
root      2590  0.0  0.0   4956  1100 ?        Ss   Oct20   0:18 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
nobody    2595  0.0  0.0   1556   496 ?        Ss   Oct20   0:00 /sbin/portmap
root      2605  0.0  0.0   3040   760 ?        S    Oct20   0:02 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courier
root      2611  0.0  0.0   2952   864 ?        S    Oct20   0:03 /usr/sbin/courierlogger imapd
root      2612  0.0  0.0   4368   492 ?        S    Oct20   0:00 /usr/sbin/saslauthd -a shadow
root      2613  0.0  0.0   4368   440 ?        S    Oct20   0:00 /usr/sbin/saslauthd -a shadow
root      2614  0.0  0.0   4368   440 ?        S    Oct20   0:00 /usr/sbin/saslauthd -a shadow
root      2615  0.0  0.0   4368   440 ?        S    Oct20   0:00 /usr/sbin/saslauthd -a shadow
root      2618  0.0  0.0   3144   672 ?        Ss   Oct20   0:00 /usr/sbin/famd -t 4 -T 0 -L
root      2646  0.0  0.0   3040   760 ?        S    Oct20   0:01 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courier
root      2648  0.0  0.0   2948   860 ?        S    Oct20   0:02 /usr/sbin/courierlogger imapd-ssl
root      2701  0.0  0.0   3044   760 ?        S    Oct20   0:01 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courier
root      2703  0.0  0.0   2948   860 ?        S    Oct20   0:03 /usr/sbin/courierlogger pop3d
root      2734  0.0  0.0   2524  1204 ?        S    Oct20   0:00 /bin/sh /usr/bin/mysqld_safe --user=mysql --pid-file=/var/lib/mysql/mysqld.p
root      2772  0.0  0.0   3044   760 ?        S    Oct20   0:03 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courier
root      2774  0.0  0.0   2952   864 ?        S    Oct20   0:01 /usr/sbin/courierlogger pop3d-ssl
named     2924  0.0  0.1  32108  3160 ?        Ssl  Oct20   0:08 /usr/sbin/named -t /var/lib/named -u named
mysql     2992  0.1  1.2 132772 37572 ?        Sl   Oct20  39:19 /usr/sbin/mysqld-max --basedir=/usr --datadir=/var/lib/mysql --user=mysql --
root      3108  0.0  0.0   1804   724 ?        Ss   Oct20   0:02 /usr/sbin/cron
root      3174  0.0  0.0   4260  1748 ?        S    Oct20   0:02 /usr/sbin/powersaved -d -v 3
postgres  3254  0.0  0.0  19952  3020 ?        Ss   Oct20   0:00 /usr/bin/postmaster -D /var/lib/pgsql/data
postgres  3257  0.0  0.0   9732  1132 ?        S    Oct20   0:01 postgres: logger process
postgres  3263  0.0  0.0  19952  1148 ?        S    Oct20   0:04 postgres: writer process
postgres  3264  0.0  0.0  10732   980 ?        S    Oct20   0:00 postgres: stats buffer process
postgres  3265  0.0  0.0   9876  1228 ?        S    Oct20   0:00 postgres: stats collector process
root      3275  0.0  0.8  27392 24896 ?        Ss   Oct20   0:12 /usr/sbin/spamd --username=popuser --daemonize --nouser-config --helper-home
popuser   3283  0.0  0.7  27392 23620 ?        S    Oct20   0:00 spamd child
popuser   3284  0.0  0.7  27392 23584 ?        S    Oct20   0:00 spamd child
root      3334  0.0  0.1  36656  5296 ?        Ss   Oct20   0:00 /usr/local/psa/admin/bin/httpsd
root      3388  0.0  0.0   1956   660 tty1     Ss+  Oct20   0:00 /sbin/mingetty --noclear tty1
root      3389  0.0  0.0   1960   640 tty2     Ss+  Oct20   0:00 /sbin/mingetty tty2
root      3390  0.0  0.0   1956   640 tty3     Ss+  Oct20   0:00 /sbin/mingetty tty3
root      3391  0.0  0.0   1960   640 tty4     Ss+  Oct20   0:00 /sbin/mingetty tty4
root      3392  0.0  0.0   1956   636 tty5     Ss+  Oct20   0:00 /sbin/mingetty tty5
root      3393  0.0  0.0   1960   636 tty6     Ss+  Oct20   0:00 /sbin/mingetty tty6
drweb     3480  0.0  0.5  19504 16524 ?        Ss   Oct20   7:05 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
dod1      3770  0.0  0.0   3032   964 ?        Ss   Oct20   0:00 SCREEN -A -m -d -S dod1 ./srcds_run -game dod +maxplayers 24 +map dod_colmar
dod1      3771  0.0  0.0   2788  1356 pts/4    Ss+  Oct20   0:00 /bin/sh ./srcds_run -game dod +maxplayers 24 +map dod_colmar +ip 85.25.149.1
dod1      3790  0.1  3.3 177412 102844 pts/4   Sl+  Oct20  63:27 ./srcds_amd -game dod +maxplayers 24 +map dod_colmar +ip 85.25.149.144 +port
cs5       4295  0.0  0.0   2768   868 ?        Ss   Oct20   0:00 SCREEN -A -m -d -S server_cs5_id8 /css_server/css5/server_cs5_id8/srcds_run
cs5       4296  0.0  0.0   2524  1236 pts/8    Ss+  Oct20   0:00 /bin/sh /css_server/css5/server_cs5_id8/srcds_run -game cstrike -secure +ip
cs5       4311  0.1  2.2 145068 71044 pts/8    Sl+  Oct20  56:17 ./srcds_amd -game cstrike -secure +ip 85.25.149.144 -port 27020 +maxplayers
cs2      16988  0.0  0.0   2764   872 ?        Ss   Oct22   0:02 SCREEN -A -m -d -S server_cs2_id3 /css_server/css2/server_cs2_id3/srcds_run
cs2      16989  0.0  0.0   2788  1268 pts/3    Ss+  Oct22   0:00 /bin/sh /css_server/css2/server_cs2_id3/srcds_run -game cstrike -secure +ip
root     25919  0.0  0.2  17120  6264 ?        Ss   Oct24   1:29 /usr/local/psa/admin/bin/php /usr/local/psa/admin/bin/modules/watchdog/wdcol
root     25926  0.0  0.0  20560  2328 ?        Ssl  Oct24  14:15 /usr/local/psa/admin/bin/modules/watchdog/monit -Ic /usr/local/psa/etc/modul
cs       31497  0.0  0.0   2768   872 ?        Ss   Oct24   1:42 SCREEN -A -m -d -S server_cs_id2 /css_server/css1/server_cs_id2/srcds_run -g
cs       31498  0.0  0.0   2784  1252 pts/0    Ss+  Oct24   0:00 /bin/sh /css_server/css1/server_cs_id2/srcds_run -game cstrike -secure +ip 8
root      7239  0.0  3.9 206572 123132 ?       Ss   Oct26   1:41 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
psaadm    8510  0.0  0.9  47080 29776 ?        S    Oct30   0:55 /usr/local/psa/admin/bin/httpsd
psaadm   11004  0.0  0.9  46252 28496 ?        S    Oct30   0:55 /usr/local/psa/admin/bin/httpsd
qmails   28997  0.0  0.0   1560   480 ?        S    Nov02   0:04 qmail-send
qmaill   28999  0.0  0.0   1520   468 ?        S    Nov02   0:00 splogger qmail
root     29000  0.0  0.0   1552   372 ?        S    Nov02   0:00 qmail-lspawn ./Maildir/
qmailr   29001  0.0  0.0   1540   408 ?        S    Nov02   0:00 qmail-rspawn
qmailq   29002  0.0  0.0   1512   336 ?        S    Nov02   0:00 qmail-clean
psaadm   30377  0.0  0.5  45924 15832 ?        S    Nov02   0:01 /usr/local/psa/admin/bin/httpsd
65007    16261  1.5  0.4 795264 13588 ?        SNl  Nov03 223:10 ./server_linux -PID=tsserver2.pid
wwwrun   26068  0.0  0.7  43412 24256 ?        S    Nov11   2:35 /usr/bin/python -OO /srv/www/vhosts/punk-netz.eu/httpdocs/torrent/TF_BitTorn
65007    29592  0.2  0.2   9048  6816 ?        S    Nov11   7:42 perl ./ts2perlmod.pl -config=default.ini -pid=ts2perlmod.pid -daemon
psaadm   27026  0.0  0.9  46060 29032 ?        S    Nov12   0:39 /usr/local/psa/admin/bin/httpsd
psaadm   29200  0.0  1.1  49916 34840 ?        S    00:39   0:36 /usr/local/psa/admin/bin/httpsd
root     31241  0.0  0.0      0     0 ?        S    04:02   0:00 [pdflush]
root     31244  0.0  0.0      0     0 ?        S    04:02   0:00 [pdflush]
csskunze  5273  0.0  0.0   2556   868 ?        Ss   13:57   0:00 SCREEN -A -m -d -S server_csskunze_id10 /css_server/csskunze/server_csskunze
csskunze  5274  0.0  0.0   2524  1240 pts/2    Ss+  13:57   0:00 /bin/sh /css_server/csskunze/server_csskunze_id10/srcds_run -game cstrike -s
csskunze  5289  0.2  2.1 140536 67116 pts/2    Sl+  13:57   1:01 ./srcds_amd -game cstrike -secure +ip 85.25.149.144 -port 27040 +maxplayers
cs       10341  2.1  2.5 156732 79756 pts/0    Sl+  19:30   2:58 ./srcds_amd -game cstrike -secure +ip 85.25.149.144 -port 27015 +maxplayers
cskunze  10706  0.0  0.0   2552   864 ?        Ss   19:33   0:00 SCREEN -A -m -d -S server_cskunze_id9 /css_server/cskunze/server_cskunze_id9
cskunze  10707  0.0  0.0   2528  1240 pts/1    Ss+  19:33   0:00 /bin/sh /css_server/cskunze/server_cskunze_id9/hlds_run -game cstrike -secur
cskunze  10718  2.5  1.9  76864 61208 pts/1    Sl+  19:33   3:26 ./hlds_amd -game cstrike -secure +ip 85.25.149.144 -port 27030 +maxplayers 1
root     10915  0.0  0.0   9304  2668 ?        Ss   19:34   0:00 sshd: root@pts/5
root     10946  0.0  0.0   4152  2016 pts/5    Ss+  19:35   0:00 -bash
nobody   11062  5.0  1.4 100156 44172 ?        Ssl  19:35   6:41 ntop
nobody   11434  0.0  1.2  96600 37484 ?        Ss   19:45   0:00 ntop
root     20889  0.0  0.4  36792 15180 ?        S    20:55   0:00 /usr/bin/python2.4 /usr/local/psa/admin/sbin/supervisor /var/lib/psa/dumps/t
root     20932  1.8  0.0      0     0 ?        Z    20:57   0:56 [supervisor] <defunct>
drweb    21942  0.0  0.4  19504 15476 ?        S    20:58   0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb    21943  0.0  0.4  19504 15476 ?        S    20:58   0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb    21944  0.0  0.4  19504 15476 ?        S    20:58   0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
drweb    21945  0.0  0.4  19504 15476 ?        S    20:58   0:00 /opt/drweb/drwebd -ini=/etc/drweb/drweb32.ini
wwwrun   23452  0.0  3.7 206572 116736 ?       S    21:02   0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun   23453  0.0  4.3 220904 133704 ?       S    21:02   0:02 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun   23454  0.0  4.2 220276 132740 ?       S    21:02   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun   23455  0.0  4.1 217276 129724 ?       S    21:02   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun   23456  0.0  4.3 221020 133604 ?       S    21:02   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun   23457  0.0  4.2 220528 132620 ?       S    21:02   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun   23483  0.1  4.3 220756 133704 ?       S    21:05   0:04 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun   23494  0.0  4.3 220292 133296 ?       S    21:05   0:02 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
wwwrun   23525  0.0  4.2 217256 130076 ?       S    21:08   0:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
cs2      23601  0.7  2.2 147108 69204 pts/3    Rl+  21:14   0:15 ./srcds_amd -game cstrike -secure +ip 85.25.149.144 -port 27016 +maxplayers
root     23784  0.0  0.0   9436  2728 ?        Ss   21:22   0:00 sshd: root@pts/6
root     23794  0.0  0.0   4148  2044 pts/6    Ss   21:22   0:00 -bash
wwwrun   23836  0.0  4.2 220292 132576 ?       S    21:23   0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
root     24615  0.0  0.0   2404   948 pts/6    R+   21:48   0:00 ps aux
 
The traffic coming from several hosts is probably due to the 500-slot TeamSpeak servers and the game servers!

Well, you could have figured out yourself that all these things generate a certain amount of traffic when they are in use...

Apart from that, I would not leave ntop accessible to everyone. The fewer ports are open, the less attack surface you offer.

Best regards,
LinuxAdmin
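As an added example (not from the thread): a small shell check in the spirit of LinuxAdmin's advice, which reads `lsof -i` output and lists TCP listeners bound to all interfaces (`*:port`) whose service is not on an expected-service allowlist; the allowlist and the sample lines are constructed assumptions in the same format as the thread's `lsof -i` output.

```shell
#!/bin/sh
# Added example: flag world-reachable TCP listeners that are not expected.
# Input is the text of `lsof -i`; the sample below is constructed, not real output.

# Services expected to be reachable from anywhere (assumption for this example).
ALLOWED="ssh smtp smtps imap imaps ftp"

# unexpected_listeners: reads `lsof -i` output on stdin and prints "COMMAND service"
# for every TCP listener bound to all interfaces (*:service) that is not in ALLOWED.
# Listeners bound to localhost only are not reported.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "(LISTEN)" && $(NF-1) ~ /^\*:/ {
            svc = substr($(NF-1), 3)          # strip the leading "*:"
            if (!(svc in ok)) print $1, svc
        }'
}

# Constructed sample in the layout of `lsof -i` (numbers are made up).
SAMPLE='COMMAND     PID         USER   FD   TYPE    DEVICE SIZE NODE NAME
sshd       2590         root    3u  IPv6      6361       TCP *:ssh (LISTEN)
xinetd     2200         root    9u  IPv4      6218       TCP *:smtp (LISTEN)
portmap    2595       nobody    4u  IPv4      6408       TCP *:sunrpc (LISTEN)
famd       2618         root    3u  IPv4      6466       TCP localhost:acap (LISTEN)
ntop      11062       nobody    7u  IPv4     98765       TCP *:3000 (LISTEN)'

# On a live system:  lsof -i | unexpected_listeners
printf '%s\n' "$SAMPLE" | unexpected_listeners
```

Each reported line is a service that either belongs on the allowlist or should be bound to localhost or firewalled, as LinuxAdmin suggests for ntop.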
 
hehe, and now that we know what is running and know the server's IP, it is basically wide open anyway.
 
As long as the box is properly administered and the game servers in use are in order, that is not a problem -- you still won't get in.
Apart from that, there is no relevant information there that could not be found out some other way.

Remember: security by obscurity is no security!

Best regards,
LinuxAdmin
 
hehe, and now that we know what is running and know the server's IP, it is basically wide open anyway.

Well, finding out a server's IP address is not terribly hard:
Code:
nslookup heise.de
and you have the IP address.

Just as an aside.

Regards
Claus

EDIT: LinuxAdmin was faster.
 