来段日志，大家请来看看，版主有空看看呀！

小皮 · 发表于 2004-1-5 14:13:14

Jan  4 12:56:45 localhost Socks5[23573]: TCP Connection Request: Connect (218.80.59.171:64711 to 202.108.255.71:3400) for user user2
Jan  4 12:56:46 localhost Socks5[23573]: TCP Connection Established: Connect (218.80.59.171:64711 to 202.108.255.71:3400) for user user2
Jan  4 12:56:46 localhost Socks5[23573]: TCP Connection Terminated: Normal (218.80.59.171:64711 to 202.108.255.71:3400) for user user2: 12 bytes out, 656 bytes in
Jan  4 12:56:49 localhost Socks5[23575]: TCP Connection Request: Connect (218.80.59.171:64725 to 202.108.255.71:3400) for user user2
Jan  4 12:56:49 localhost Socks5[23575]: TCP Connection Established: Connect (218.80.59.171:64725 to 202.108.255.71:3400) for user user2
Jan  4 12:56:50 localhost Socks5[23575]: TCP Connection Terminated: Normal (218.80.59.171:64725 to 202.108.255.71:3400) for user user2: 116 bytes out, 52 bytes in
Jan  4 12:56:54 localhost Socks5[23581]: TCP Connection Request: Connect (218.80.59.171:64811 to 202.108.255.71:3400) for user user2
Jan  4 12:56:54 localhost Socks5[23581]: TCP Connection Established: Connect (218.80.59.171:64811 to 202.108.255.71:3400) for user user2
Jan  4 12:56:55 localhost Socks5[23581]: TCP Connection Terminated: Normal (218.80.59.171:64811 to 202.108.255.71:3400) for user user2: 116 bytes out, 52 bytes in
Jan  4 12:57:37 localhost Socks5[23047]: TCP Connection Terminated: Abnormal (218.80.59.171:64637 to 202.108.255.75:3400) for user user2: 600 bytes out, 49973 bytes in

这只是从一台web服务器上截取下来的，服务器只开了http服务和ftp服务，怎么会有Socks5的连接呢？

Snoopy · 发表于 2004-1-5 17:39:29

是不是用了nat转的??

上面的日志跟80没关系,都是ftp的,,

需要socks5的

terminator · 发表于 2004-1-6 03:00:23

probaby a hidden socks5 daemon is running :p you need chkrootkit or lsof to check the system for trojans

小皮 · 发表于 2004-1-6 09:56:40

请教如果显示隐藏进程！

terminator · 发表于 2004-1-6 10:33:40

read my original post carefully!!!

小皮 · 发表于 2004-1-6 10:52:03

通过chkrootkit显示
Checking `lkm'... You have 4 process hidden for readdir command
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed

lsof显示不出有什么异常。
我如何显示出这4个进程？
多谢回复！^_^！

kkaq · 发表于 2004-1-6 15:10:49

chkrootkit -x lkm

小皮 · 发表于 2004-1-7 10:19:44

现在查到了这4个进程的ID号，不知如何才能显示出这些进程的程序名呢？

注：用ps 是显示不出来的

Snoopy · 发表于 2004-1-7 11:58:25

最初由小皮发表
现在查到了这4个进程的ID号，不知如何才能显示出这些进程的程序名呢？

注：用ps 是显示不出来的

ps -ef

小皮 · 发表于 2004-1-7 12:53:23

You have 4 process hidden for ps command!

ps命令是显示不出来的!

		自动登录	找回密码
密码			注册