If you have set up sudo:

    sudo netstat -lpn --inet

If you have not, then as root:

    netstat -lpn --inet

This will show all listening "ip" ports and the program that has opened them.

Example:

    Proto Recv-Q Send-Q LocalAddress    ForeignAddress  State   PID/Program name
    ...
    tcp   0      0      127.0.0.1:5335  0.0.0.0:*       LISTEN  2361/mDNSResponder
    ...

mDNSResponder is part of HAL.

Happy Hunting.

On Sat, 2005-08-01 at 22:38 +0000, Paul wrote:
> Hi,
>
> I've just had a strange email from a friend who seems to have had an
> email from an unsavoury character which I sent to a closed list on 20th
> Dec.
>
> I've checked my box for r00tkits (none found) and open ports and have
> found 1539 and 5335 open. A web search hasn't revealed very much on
> these and they seem innocent enough (well, 5335 has been used for a
> virus before now...)
>
> There are few things in my logs which are suspicious...
>
> First are a couple like this
>
> Jan 1 22:18:35 T7 sshd[31409]: Invalid user test
> from ::ffff:70.56.41.21
> Jan 1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-
> consulting.com, but this does not map back to the address - POSSIBLE
> BREAKIN ATTEMPT!
>
> I seem to be subjected to a dictionary attack.
>
> I get users named guest, admin, test, patrick, rolo, iceuser, horde,
> cyrus, www, wwwrun, matt, jane, pamela, cosmin, cip52, cip51, noc,
> webmaster, user and no username etc.
>
> Most of the attacks come from three IP addresses (83.235.214.145,
> 66.78.52.253 and 216.180.243.178) using various ports to get through via
> ssh2. None have gotten through.
>
> Should I be overly worried? I've closed ssh on my router, so that's one
> line of defence in the way :-)
>
> TTFN
>
> Paul
> --
> fedora-test-list mailing list
> fedora-test-list@xxxxxxxxxx
> To unsubscribe:
> http://www.redhat.com/mailman/listinfo/fedora-test-list

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
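
A way to triage the kind of sshd entries quoted in this thread, added here as an example and not part of either poster's message: it tallies "Invalid user" lines per source address, strips the `::ffff:` IPv4-mapped prefix, and marks sources that also drew the reverse-DNS warning. The log sample is constructed (documentation-range addresses), and the names `normalize` and `summarize` and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in the thread (documentation-range addresses).
SAMPLE_LOG = """\
Jan  1 22:18:35 T7 sshd[31409]: Invalid user test from ::ffff:203.0.113.5
Jan  1 22:18:36 T7 sshd[31409]: Address 203.0.113.5 maps to host.example.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan  1 22:18:40 T7 sshd[31412]: Invalid user guest from ::ffff:203.0.113.5
Jan  1 22:18:44 T7 sshd[31415]: Invalid user  from ::ffff:203.0.113.5
Jan  1 22:19:02 T7 sshd[31420]: Invalid user webmaster from 198.51.100.77
Jan  1 22:21:10 T7 sshd[31431]: Accepted password for paul from 192.0.2.10 port 40022 ssh2
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S*) from (?P<src>\S+)")
BAD_REVERSE = re.compile(r"sshd\[\d+\]: Address (?P<src>\S+) maps to .*POSSIBLE BREAKIN ATTEMPT")

def normalize(addr):
    """Strip the IPv4-mapped IPv6 prefix so one host is not counted under two spellings."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr

def summarize(log_text, threshold=3):
    """Return one dict per source address, busiest first; threshold is an assumed cut-off."""
    users = defaultdict(set)     # source -> usernames tried
    attempts = defaultdict(int)  # source -> count of "Invalid user" lines
    bad_reverse = set()          # sources whose reverse DNS did not map back
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            src = normalize(m.group("src"))
            attempts[src] += 1
            users[src].add(m.group("user") or "<empty>")  # sshd logs a blank name as two spaces
            continue
        m = BAD_REVERSE.search(line)
        if m:
            bad_reverse.add(normalize(m.group("src")))
    ranked = sorted(attempts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [{
        "source": src,
        "attempts": count,
        "usernames": sorted(users[src]),
        "reverse_dns_mismatch": src in bad_reverse,
        "flagged": count >= threshold,
    } for src, count in ranked]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```
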