[Dshield] strange bash history listing

Ed Truitt ed.truitt at etee2k.net
Thu Nov 10 22:06:26 GMT 2005


A scan for open proxies, perhaps?  I would be looking for the source of the command - maybe a cron job.

-EdTr.
-----Original Message-----
From: "Jason Brooks" <brooksje at longwood.edu>
Date: Thu, 10 Nov 2005 13:51:54 
To:"'General DShield Discussion List'" <list at lists.dshield.org>
Subject: Re: [Dshield] strange bash history listing

A quick google of 'sockstat' returned the following link first:

 http://www.gsp.com/cgi-bin/man.cgi?section=1&topic=sockstat

The command, as listed, seems intended to show all listening INET 4
sockets, then look for all bound to port 25.

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of J Lake
Sent: Thursday, November 10, 2005 11:42 AM
To: General DShield Discussion List
Subject: Re: [Dshield] strange bash history listing

On Thursday 10 November 2005 08:44 am, Tony Nichols wrote:
> Found this on my mail server this morning:
>
> /usr/local/bin/cdcc 'info'

This might help with the cdcc command....

http://www.dcc-servers.net/dcc/dcc-tree/FAQ.html

> sockstat -l4 | grep 25
>
> I log in via the LAN and run freshclam -- just to make sure it 
> updated; however as I hit the up arrow (to show the last commands ran) 
> I found that listing above.
>
> I know I didn't run it... could it be part of the auto update?
>
> System is a SUSE 10 with postfix...

I don't think sockstat is included by default with SuSE 10.

~J
_________________________________________
Using .Net? Need to know more about .Net Security?
http://isc.sans.org/banner_count.php?dest=dotnet

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list


Cheers,
-E D Truitt

Sent via my BlackBerry from Cingular Wireless
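
Added example, not part of the original thread: `sockstat -l4 | grep 25` matches the substring "25" anywhere on a line (PIDs, other ports), so when checking what is really listening on the SMTP port it helps to filter on the local port field exactly. The sketch below assumes the FreeBSD-style column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN); the sample output and the function names `sample_sockstat` and `listeners_on_port` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `sockstat -l4` output (FreeBSD-style columns assumed);
# the users, PIDs and ports below are made up for illustration.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     725   11 tcp4   *:25                  *:*
clamav   clamd      2511  4  tcp4   127.0.0.1:3310        *:*
root     sshd       412   3  tcp4   *:22                  *:*
dcc      dccd       1025  5  udp4   *:6277                *:*
EOF
}

# listeners_on_port PORT
# Reads sockstat output on stdin and prints "USER COMMAND PID PROTO LOCAL"
# only for rows whose local address ends in exactly :PORT.
listeners_on_port() {
    awk -v port="$1" '
        NR == 1 && $1 == "USER" { next }      # skip the header row
        {
            # Field 6 is the local address, e.g. "*:25" or "127.0.0.1:3310".
            n = split($6, parts, ":")
            # Force a string comparison so "25" never matches "2525" or "025".
            if ((parts[n] "") == (port "")) print $1, $2, $3, $5, $6
        }'
}

echo "grep 25 (substring match, also hits PIDs 2511 and 1025):"
sample_sockstat | grep 25
echo "exact local port 25:"
sample_sockstat | listeners_on_port 25
```

On a host that has sockstat installed, the same filter applies to live output as `sockstat -l4 | listeners_on_port 25`.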

