For reference I have 'netstat -a -t -u -p' output for the server I just built. It has all the necessary software that the "infected" one had except
gallery and LCDProc.
# netstat -a -t -u -p
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:1024 *:* LISTEN 640/rpc.statd
tcp 0 0 *:931 *:* LISTEN 1600/rpc.dracd
tcp 0 0 *:npmp-gui *:* LISTEN 1280/rpc.dracd
tcp 0 0 *:pop3 *:* LISTEN 1628/xinetd
tcp 0 0 *:imap *:* LISTEN 1628/xinetd
tcp 0 0 *:sunrpc *:* LISTEN 625/portmap
tcp 0 0 *:http *:* LISTEN 889/httpd
tcp 0 0 *:ftp *:* LISTEN 1628/xinetd
tcp 0 0 *:ssh *:* LISTEN 800/sshd
tcp 0 0 *:smtp *:* LISTEN 1318/sendmail: acce
tcp 0 0 *:https *:* LISTEN 889/httpd
tcp 0 0 tslight.com:ftp 216.179.112.2:61780 ESTABLISHED 1631/ftpd: 216.179.
tcp 0 0 tslight.com:ssh 216.179.112.2:61715 ESTABLISHED 1331/sshd
udp 0 0 *:1024 *:* 640/rpc.statd
udp 0 0 *:929 *:* 1600/rpc.dracd
udp 0 0 *:816 *:* 640/rpc.statd
udp 0 0 *:609 *:* 1280/rpc.dracd
udp 0 0 *:sunrpc *:* 625/portmap
Previous Topic
Index
