When I run netstat -a, a lot of connections to foreign hosts show up. It's connected to a whole subnet, i.e. 123.123.123.x, to port 80. How can I see what is actually going on? My server doesn't look compromised. It's running Arch Linux.

  • Post the output of that netstat command. Without that, it's quite difficult for us to tell you what's going on. – EEAA Nov 03 '10 at 16:17

1 Answer

netstat has a -p option that shows you which program is making the connection:

$ wget http://serverfault.com &
$ netstat -ap
...
Proto Recv-Q Send-Q Local Address           Foreign Address         State       ID/Program
tcp        0      0 rgb.example.com:1034    stackoverflow.com:http  ESTABLISHED 2578/wget

You can then use ps to find out what user is running that process, what its parent process is and other useful info.

You could use tcpdump dst net 123.123.123 to see what data is being sent and received.

RedGrittyBrick
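
As an added example (not part of the answer above): a shell function that groups numeric `netstat -antp` lines for one /24 by direction, state and owning program, so connections from that subnet to your own port 80 can be told apart from local processes connecting out. The sample lines, addresses and PIDs are constructed, and `peers_by_program` and `sample_netstat` are hypothetical names.

```shell
#!/bin/sh
# Added example. Live use (root is needed to see other users' PIDs):
#   netstat -antp | peers_by_program 123.123.123. 80
# then, for a PID it reports:  ps -o user,pid,ppid,args -p <PID>

# $1 = dotted prefix of the /24 (with trailing dot), $2 = port of interest.
# Prints "<count> <direction> <state> <pid/program>" per group.
peers_by_program() {
    awk -v prefix="$1" -v port="$2" '
    $1 ~ /^tcp/ && NF >= 7 {
        n = split($4, la, ":"); lport = la[n]      # local port
        m = split($5, fa, ":"); fport = fa[m]      # foreign port
        faddr = substr($5, 1, length($5) - length(fport) - 1)
        sub(/^::ffff:/, "", faddr)                 # IPv4-mapped tcp6 rows
        if (index(faddr, prefix) != 1) next        # not in the subnet
        if (fport == port)      dir = "outbound"   # we connected to them
        else if (lport == port) dir = "inbound"    # they connected to us
        else next
        count[dir " " $6 " " $7]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k2,4
}

# Constructed sample of `netstat -antp` output (not from a real host).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           123.123.123.7:51514     ESTABLISHED 811/httpd
tcp        0      0 192.0.2.10:80           123.123.123.9:40022     TIME_WAIT   -
tcp        0      0 192.0.2.10:45012        123.123.123.21:80       ESTABLISHED 2578/wget
tcp        0      0 192.0.2.10:45013        123.123.123.22:80       ESTABLISHED 2578/wget
tcp        0      0 192.0.2.10:22           198.51.100.4:60111      ESTABLISHED 640/sshd
EOF
}

sample_netstat | peers_by_program 123.123.123. 80
```

Inbound rows mean hosts in that subnet are clients of your web server; outbound rows name the local process that opened the connection, which is the one to follow up with ps.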