How do I find out who is running this...tcp 0 0 0.0.0.0: 2

Status
Not open for further replies.

farley99

MIS
Feb 12, 2003
413
US
How do I find out who is running this...
tcp 0 0 0.0.0.0:2339 0.0.0.0:* LISTEN 28561/bnc
 
Also...
nobody 28561 0.0 0.0 2024 648 ? S Oct09 0:01 ./bnc

How do I know who it is?
 
Is that from the output of 'netstat -natp' in the first post and some sort of ps in the second? The 0.0.0.0 means that the service is listening on all interfaces in your system. A daemon called bnc is listening on port 2339. Find out where it's located on the disk with 'updatedb && locate bnc', or maybe 'which bnc'.

I googled for bnc and found this...

IRC Session Bouncing Proxy
BouNCe is a daemon designed to allow some people who do not have access to the net in general, but who do have access to another pc that can reach the net, the ability to BouNCe through this pc to IRC.

...and...
Did you install this?

ChrisP
RHCE, LPIC-1, CCNA, CNE, MCSE, +10 others
 
Does this mean anything to you...
cwd -> /var/tmp/.xpl/bnc\ (deleted)
 
ls -l /proc ????

What does "updatedb && locate bnc" return?
 
Farley,
Basically bnc started and changed directory to /var/tmp/.xpl/bnc. Once it started it did an unlink (i.e. remove) of the directory. Its current working dir is still set to the directory even though you would not see it in an ls. This is often used to stealth programs.

Hope that helps.
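
A check for the situation described above, as an added example that is not part of the original thread: it walks a proc tree and reports every process whose cwd or exe link ends in " (deleted)", together with the owning uid. The function name find_deleted_procs and its proc-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report processes whose current
# working directory or executable has been unlinked from disk.
# Output columns (tab separated): pid, uid, command name, link, link target.
# Usage on a live Linux host (as root, to read other users' links):
#   find_deleted_procs /proc

find_deleted_procs() {
    # The proc root is a parameter (an assumption of this example) so the
    # function can also be pointed at a constructed test tree.
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        for link in cwd exe; do
            # Unreadable or missing links are skipped, not treated as hits.
            target=$(readlink "$dir/$link" 2>/dev/null) || continue
            case $target in
                *" (deleted)")
                    # /proc/PID is normally owned by the effective uid
                    # of the process, which answers "who is running it".
                    uid=$(stat -c %u "$dir" 2>/dev/null || echo '?')
                    name=$(cat "$dir/comm" 2>/dev/null || echo '?')
                    printf '%s\t%s\t%s\t%s\t%s\n' \
                        "$pid" "$uid" "$name" "$link" "$target"
                    ;;
            esac
        done
    done
}
```

A process that shows up with both cwd and exe deleted, running as a service account such as nobody, matches the pattern in this thread.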
 
How do I find out who uploaded this...
/var/tmp/.xpl/bnc

It was owned by nobody, so it was uploaded from a PHP script most likely. Would that be in any of the logs?
 