Could anybody please help me find out whether this is a real problem,
or whether it is just the epmd application on the local machine using this port
and it is not being exploited by some rootkit?
Are there any further investigation possibilities, and how?
Seems like 4369 is a long-standing known issue. It is quite normal with a program like chkrootkit to find one or two false positives, and the first thing to do is to fire up your favourite search engine and check it out, rather than panicking immediately (panicking can wait 'till a little later).
Thank you folks for the answers.
I have read about the long-standing issue for port 4369, so no I am not panicking at all :-)
I am also aware that the bindshell port can be added to the whitelist.
But my question was how to investigate in order to be sure that this is the case.
I am interested in the investigation process: how to go more deeply into it.
(Simplified example: I am not a specialist in Linux, but on Windows I have been playing with the source code of a rootkit capable of exploiting all running processes in memory.
The rootkit used another application (or applications) that was allowed access to the internet through the port, and sent packets out of the OS to another URL. So the firewall did not detect anything. Only a deeper analysis of the process(es) revealed that it was a rootkit. I do not want to describe it in more detail because it was on Windows.) I would like to know how to do deeper analysis on Linux.
I hope it is more clear now.
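As an added example (not posted by anyone in this thread), the POSIX shell script below shows the kind of check the question is about: map the flagged port to the process behind it from `ss -ltnp` output, cross-check the raw `/proc/net/tcp` table (which does not depend on the `ss` or `netstat` binaries themselves), and then look at that process's executable path, whether the binary was deleted from disk after it started, and whether the package manager owns it. The `ss` and `/proc/net/tcp` samples are constructed; the pid 1234, the inode and uid values, and the `cupsd` entry are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: confirm what is really behind a port
# that chkrootkit flags (4369 here) from three independent angles.

# Constructed sample of `ss -ltnp` output; the pids and fds are made up.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:4369       0.0.0.0:*         users:(("epmd",pid=1234,fd=3))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=800,fd=7))'

# Constructed sample of /proc/net/tcp (ports are hex: 1111 = 4369, 0277 = 631).
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1111 00000000:0000 0A 00000000:00000000 00:00000000 00000000   109        0 23456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0'

# Print "name pid" of the process listening on TCP port $1 in ss output $2.
listener_for() {
    printf '%s\n' "$2" | awk -v p=":$1" '
        $1 == "LISTEN" && index($4, p) == length($4) - length(p) + 1 {
            # Process column looks like users:(("epmd",pid=1234,fd=3))
            if (match($0, /\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 2, RLENGTH - 2)      # epmd",pid=1234
                split(s, a, "\",pid=")
                print a[1], a[2]
                exit
            }
        }'
}

# Exit 0 (and print the local address) if /proc/net/tcp text $2 shows a
# LISTEN socket (state 0A) on port $1. Reading /proc directly gives a view
# that does not rely on the ss/netstat binaries being unmodified.
proc_tcp_listens() {
    hexport=$(printf '%04X' "$1")
    printf '%s\n' "$2" | awk -v h=":$hexport" '
        $4 == "0A" && substr($2, length($2) - 4) == h { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check of a pid on this host: executable path (flagging a binary that
# was removed from disk after it started) and package ownership.
inspect_pid() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || { echo "pid $1: cannot read exe"; return 1; }
    path=${exe% (deleted)}
    [ "$path" != "$exe" ] && echo "pid $1: WARNING binary removed from disk after start"
    echo "pid $1: exe=$path cmdline=$(tr '\0' ' ' < "/proc/$1/cmdline")"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$path" 2>/dev/null || echo "pid $1: $path not owned by any dpkg package"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$path" 2>/dev/null || echo "pid $1: $path not owned by any rpm package"
    fi
}

# Demonstration on the constructed samples.
echo "sample ss:           $(listener_for 4369 "$SAMPLE_SS")"
proc_tcp_listens 4369 "$SAMPLE_PROC_TCP" | sed 's|^|sample /proc/net/tcp: |'

# Same procedure on this host, if ss is available and the port is in use.
PORT=${PORT:-4369}
if command -v ss >/dev/null 2>&1; then
    live=$(listener_for "$PORT" "$(ss -ltnp 2>/dev/null)")
    if [ -n "$live" ]; then
        echo "live ss:             $live"
        proc_tcp_listens "$PORT" "$(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null)" >/dev/null ||
            echo "MISMATCH: ss shows port $PORT but /proc/net/tcp does not"
        inspect_pid "${live#* }"
    else
        echo "nothing is listening on $PORT on this host right now"
    fi
fi
```

If the three views agree (the port belongs to an `epmd` process whose executable is the one shipped by the Erlang package and is still present on disk), the chkrootkit hit is the known false positive; a pid whose binary is "(deleted)", is not owned by any package, or that shows up in `/proc/net/tcp` but not in `ss` is the case worth taking further.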
The thing about rootkits is that you have to burrow extremely deeply into the system in order to "plant" one.
Quite frankly, for any exploit to be successful in a reasonably-recently patched system, you have to leave a rather large door or window open somewhere. Unfortunately for most Windows users, Microsoft helpfully does this chore for them ... collecting very lucrative profits from its de facto subsidiary companies for so doing.