Connections to IRC server, and it's not me

http://www.linuxquestions.org – For some time now I've been noticing the network activity light for my Linux box blinking like mad on my router. After a little looking around for ways to see what connections my box has established, I found the following using lsof -i:

Code:
    bash      13839 root    1u  IPv4 3118972      TCP shana:49148->Oslo.NO.EU.undernet.org:ircd (SYN_SENT)
    bash      13839 root    2u  IPv4 3118986      TCP shana:34323->161.53.178.240:distinct (SYN_SENT)
    bash      13839 root    3u  IPv4 3118543      UDP *:33437
    bash      13839 root    4u  IPv4 3118982      TCP shana:58438->oslo.no.eu.undernet.org:ircd (SYN_SENT)

I know I'm not using IRC, and I have my sshd locked down fairly tight, requiring a key to log in, so obviously, it looks like there's something or somebody in Croatia (the origin of that IP address) connecting my system to undernet.org for some nefarious purpose. Looking at my processes, ID 13839 shows up as

Code:
    13839 ?        S      0:00 bash

Just 'bash', not '-bash', as my session appears:

Code:
    13426 pts/0    S      0:00 -bash

Previously, this odd bash process was ID 2704, which seemed to imply that it had launched fairly soon after my system booted up, which really makes me wonder. Oh, and yes, I did kill that 2704 process, and it returned as this 13839. 2704 also had those same IRC connections present in lsof. Any ideas on where I might start with this? This kind of hacker crap really stresses me out.
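As an added triage example (not part of the original post), the following script parses the lsof -i and ps output quoted above and flags the two things the poster noticed: outbound connections to an IRC service and a bare shell running with no controlling terminal. The sample text is copied from the post plus one constructed sshd line; the suspect service list and the "shell without a tty" heuristic are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the lsof -i lines from the post plus one benign sshd listener.
LSOF_OUTPUT = """\
bash      13839 root    1u  IPv4 3118972      TCP shana:49148->Oslo.NO.EU.undernet.org:ircd (SYN_SENT)
bash      13839 root    2u  IPv4 3118986      TCP shana:34323->161.53.178.240:distinct (SYN_SENT)
bash      13839 root    3u  IPv4 3118543      UDP *:33437
bash      13839 root    4u  IPv4 3118982      TCP shana:58438->oslo.no.eu.undernet.org:ircd (SYN_SENT)
sshd       1201 root    3u  IPv4 1020001      TCP *:ssh (LISTEN)
"""

# Constructed sample: the ps lines from the post plus the matching sshd process.
PS_OUTPUT = """\
13839 ?        S      0:00 bash
13426 pts/0    S      0:00 -bash
 1201 ?        Ss     0:00 /usr/sbin/sshd
"""

# Tolerates lsof builds that print an extra SIZE/OFF column before the protocol.
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\s(?P<proto>TCP|UDP)\s+"
    r"(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?\s*$"
)

# Assumed list of IRC service names/ports worth flagging on a box that runs no IRC client.
SUSPECT_SERVICES = {"ircd", "6667", "6697"}

def parse_lsof(text):
    """Return one dict per lsof -i line, with the remote host and service split out."""
    conns = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        remote = d["name"].split("->")[1] if "->" in d["name"] else None
        d["remote_host"], d["remote_svc"] = remote.rsplit(":", 1) if remote else (None, None)
        conns.append(d)
    return conns

def parse_ps(text):
    """Map PID -> {tty, cmd} from 'ps ax'-style lines (PID TTY STAT TIME CMD)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[0].isdigit():
            procs[int(parts[0])] = {"tty": parts[1], "cmd": parts[4]}
    return procs

def triage(lsof_text, ps_text):
    """Return {pid: [reasons]} for processes matching either suspicious pattern."""
    procs, findings = parse_ps(ps_text), defaultdict(list)
    for c in parse_lsof(lsof_text):
        pid = int(c["pid"])
        if c["remote_svc"] in SUSPECT_SERVICES:
            findings[pid].append(f"outbound IRC connection to {c['remote_host']} ({c['state']})")
        proc = procs.get(pid)
        tag = "shell with no controlling terminal"
        if proc and proc["tty"] == "?" and proc["cmd"] in ("bash", "sh") and tag not in findings[pid]:
            findings[pid].append(tag)
    return dict(findings)
```

Running `triage(LSOF_OUTPUT, PS_OUTPUT)` reports only PID 13839, with two IRC connections and the no-tty shell; the interactive `-bash` session and the sshd listener are not flagged.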