LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-14-2005, 08:02 PM   #1
rhoyerboat
Member
 
Registered: Feb 2005
Posts: 40

Rep: Reputation: 15
gconfd-2 and a defunct netstat that I didn't run


So all our bandwidth disappeared suddenly, and in my explorations I discovered what I posted the topic over: a gconfd-2 that I didn't run, and a defunct netstat that I didn't run, being run on a terminal that was running X. I've got my X11 port blocked to internet traffic.

I'm running Slackware 10 and kernel 2.6.9; I don't run X as root.

I also checked my router's logs and found a connection from my computer to a private address, 198.65.119.21, on a few ports: 987, 443 and 987. An nmap non-SYN scan of this address returned filtered ports, like a Windows firewall would.

I'm new to the more advanced aspects of computing, although aware of rootkits and such. Is there a way I can check the integrity of my 2.6.9 modules? The only program I'm aware of will only run on 2.4.

In the meantime I imagine our computers (4 or 5 of them) are DoS-ing like mad, but I can't tell because my buddy's mom is using one of those Linksys firewall routers with non-verbose everything (grumble). Anyone have a proposed solution?

Thanks,
andrew
(rhorhorhoyerboat)
 
Old 02-15-2005, 04:39 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: gconfd-2 and a defunct netstat that I didn't run

I also checked my router's logs and found a connection from my computer to a private address, 198.65.119.21, on a few ports: 987, 443 and 987. An nmap non-SYN scan of this address returned filtered ports, like a Windows firewall would.

That actually is a public IP and takes you to a real website (liveperson.com) which sells some kind of chat software. Port 443 is an SSL port, so that doesn't seem out of the ordinary for someone browsing a commercial site. Don't know what port 987 is though.

I'm new to the more advanced aspects of computing, although aware of rootkits and such. Is there a way I can check the integrity of my 2.6.9 modules? The only program I'm aware of will only run on 2.4.

You can use something like Rootkit Hunter to verify the integrity of a variety of things on the system, which should be a good start. For something specific to detecting rogue kernel modules on 2.6, try kern_check.c.

In the meantime I imagine our computers (4 or 5 of them) are DoS-ing like mad, but I can't tell because my buddy's mom is using one of those Linksys firewall routers with non-verbose everything (grumble).

I'd be surprised if all of them are compromised, but you may want to take a CD-ROM based distro like Knoppix or Knoppix-STD (download and burn on a secure system), then boot one of the other machines off of it and sniff for any abnormal traffic. I'd also take a look around the system logs and /etc/passwd to see if you see anything abnormal. Also try lsof -i for weird connections/daemons and check last -i for any weird logins. To be honest though, gconfd and defunct netstats aren't all that abnormal. Definitely worth investigating though.
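The reply above says to look around /etc/passwd for anything abnormal. As an added example (not from the thread or from either poster), here is a small POSIX sh script that automates the /etc/passwd part of that triage: it flags non-root accounts with UID 0, accounts whose password field is empty, and lists every account that has an interactive login shell so they can be reviewed one by one. The passwd data is a constructed sample, including a made-up "toor" line of the kind an intruder might add; on a real system you would feed it /etc/passwd instead. The lsof -i and last -i checks from the reply are live commands and are not reproduced here.

```shell
#!/bin/sh
# Added example, not from the thread: audit passwd data for entries that
# should stand out when reviewing /etc/passwd after a suspected compromise.

# Constructed sample passwd data (not taken from any real system). The
# "toor" line is a made-up example of a suspicious entry: UID 0 under
# another name and an empty password field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
andrew:x:1000:100:Andrew:/home/andrew:/bin/bash
toor::0:0:constructed suspicious entry:/root:/bin/bash
ftp:x:14:50:ftp:/home/ftp:/bin/false
sshd:x:33:33:sshd:/:/bin/false
games:x:35:35:games:/usr/games:/bin/sh'

# Accounts other than root whose UID is 0 (full root privilege under another name).
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose password field is empty, meaning no password is required.
# With shadow passwords the field is normally "x"; an empty field is never normal.
empty_password() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts whose login shell is not /bin/false or a nologin variant.
interactive_shells() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(false|nologin)$/ { print $1 ":" $7 }'
}

# Print a short report. Returns 1 if a red-flag finding (extra UID 0 or
# empty password) is present, 0 otherwise, so it can drive other scripts.
audit_passwd() {
    data="$1"
    status=0
    u0=$(extra_uid0 "$data")
    if [ -n "$u0" ]; then
        echo "RED FLAG: non-root accounts with UID 0: $u0"
        status=1
    fi
    ep=$(empty_password "$data")
    if [ -n "$ep" ]; then
        echo "RED FLAG: accounts with empty password field: $ep"
        status=1
    fi
    echo "Accounts with interactive shells (review each one):"
    interactive_shells "$data" | sed 's/^/  /'
    return "$status"
}

# On a live system: audit_passwd "$(cat /etc/passwd)"
audit_passwd "$SAMPLE_PASSWD" || echo "audit flagged findings above"
```

The script only reads the file, so it is safe to run from a Knoppix-style rescue boot against the suspect disk mounted read-only (point it at the mounted copy of /etc/passwd rather than the rescue system's own). A clean passwd file produces no RED FLAG lines and an exit status of 0.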
 
Old 02-15-2005, 07:20 PM   #3
rhoyerboat
Member
 
Registered: Feb 2005
Posts: 40

Original Poster
Rep: Reputation: 15
I'm probably fine

The Windows computers definitely have a worm, and if someone's on my box they're not crashing it, so if the NSA comes to collect it as evidence against some cracker I suppose I'll just have to politely ask them for a new one .. hehe. I stay up too long fiddling with this stuff. Thank you for the response, the new commands and the easy to read program.