[Shorewall-users] New and think I have been hacked

Paul Gear paulgear@bigfoot.com
Fri, 12 Apr 2002 18:22:09 +1000


Tom Eastep wrote:

> On Thu, 11 Apr 2002, chet wrote:
>
> > Hi all, im new to the Linux world and have just installed shorewall, not sure if I have been hacked already though.
> >
> > if I do netstat -a, I get the following
> >
> > tcp chetnet.co.uk:http adsl-66-84-17:49796 syn_recv

This one just means that the host noted has connected to your web server.

> > and also
> > *:32768 listening
> >  :909 listening
> > ...
> > If I have been hacked how do I stop it,

The generic answer to that question is to reinstall from clean media, apply vendor security patches, and restore data
(not programs) from backup.  Check out the security incidents mailing list at http://www.securityfocus.com.

> Relax -- nothing in that output is out of the ordinary.

What are 909 & 32768?  I've not seen 909, and certainly 32768 cannot be a normal service.

Paul
http://paulgear.webhop.net