LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   has my system been compromised (http://www.linuxquestions.org/questions/linux-security-4/has-my-system-been-compromised-704818/)

bigtl 02-15-2009 10:15 AM

has my system been compromised
 
Hi, I think my system has been compromised; I would greatly appreciate any help understanding what is happening.

I have a partially wired/wireless network and have noticed a lot of outgoing traffic coming from my wireless laptop (this is the only wireless machine).

I have run 'iftop -i eth1 -P'. This shows a lot of traffic from random high-numbered ports to my ISP's DNS server and a lot of port 80 traffic to gv-in-f18.google.com, then occasionally several port 80 requests to seemingly random websites, for example psg.com. There is also quite a lot of mdns traffic but I don't know what that is.

My adsl router has ports 80 and 22 forwarded to my laptop as I use the machine for web development and need to show work to people.

I get quite a lot of random requests on port 80 but I think that is fairly normal for an internet-facing webserver. I have no open source software on the machine (apart from apache/php, that is).

If I need to supply any more information please let me know.

Thanks in advance.

Simon Bridge 02-15-2009 10:47 AM

Quote:

i have no open source software on the machine
Then what do you have? Is this a Windows box?

Get your firewall logging outgoing packets - lots of outgoing when you don't expect it can be a sign you are running some sort of malware. However ...

gv-in-f18.google.com
... the registered owner is google - why not ask them?

check who the other ones are.

How about some basic network security, like disconnecting when not in use and requiring authentication?

bigtl 02-15-2009 11:42 AM

Quote:

Then what do you have? This a Windows box?
Sorry, by "no open source software" I meant things like phpbb, which I know is the kind of way that people get into your system. This is a fully patched Ubuntu box.

ilikejam 02-15-2009 12:14 PM

Hi.

Run 'netstat -pantu' as root to see what apps are using the network.

Dave

chort 02-15-2009 02:45 PM

It sounds to me like you have an entirely normal machine with an open web browser. What on Earth would lead you to believe that any of that indicates a hacked box?

bigtl 02-15-2009 02:54 PM

Quote:

It sounds to me like you have an entirely normal machine with an open web browser. What on Earth would lead you to believe that any of that indicates a hacked box?
Actually, after much digging I think you are correct; it seems that when I close Gmail all of the outgoing traffic stops.

The reason I thought the box may be hacked was mainly due to the amount of blinking lights on my ADSL router; it seemed way more than normal. Couple that with the fact that I did have a hacked box a couple of years ago: I was running phpbb and someone used that to install an IRC bot on my machine and was using it to send huge amounts of spam email. Ever since then I have had a very healthy dose of paranoia about anything that is connected to the internet.

Thanks for all of your suggestions though, I think I may be at the bottom of this now.

chort 02-15-2009 04:33 PM

Gmail is an AJAX app. It's not like a normal website where you have to refresh the page for it to connect to the server again. It's constantly polling the server for new information (new messages, contacts going on/off line, etc).

Lots of packets from high ports going to a DNS server = DNS lookups.
Port 80 traffic going to Google = checking for ads, the news ticker in GMail, etc.

Concerning traffic would be doing a lot of DNS lookups for weird domains* and a lot of port 25 traffic to places other than your e-mail provider.

*This means the second-level domain (ex: 3dna328nad3.com ), not sub-domains (ex: dk3n13813.google.com). Anything to the left of .google.com should be fine (well, as far as you trust Google any way).
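As an added illustration of the triage advice in this thread (ilikejam's 'netstat -pantu' and chort's two red flags: port 25 sessions to places other than your mail provider, and lookups for unfamiliar second-level domains), not code from any of the posters. The netstat output, the queried names, the trusted-domain set and the mail-provider address are all constructed assumptions.

```python
"""Flag outbound SMTP to strangers and DNS lookups for unknown second-level
domains, given netstat output and a list of queried names."""

# Constructed sample of 'netstat -pantu' output (not from the original post).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:45012      74.125.77.18:80         ESTABLISHED 4021/firefox
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1200/master
tcp        0      0 192.168.1.10:51234      203.0.113.7:25          ESTABLISHED 3310/perl
tcp        0      0 192.168.1.10:51240      198.51.100.25:25        ESTABLISHED 1200/master
udp        0      0 192.168.1.10:40511      192.168.1.1:53          ESTABLISHED 4021/firefox
"""

# Constructed sample of names the box looked up (e.g. from a resolver log).
DNS_SAMPLE = ["mail.google.com", "gv-in-f18.google.com", "psg.com",
              "3dna328nad3.com", "www.ubuntu.com"]

# Assumption: the second-level domains you know this machine talks to.
TRUSTED_DOMAINS = {"google.com", "ubuntu.com", "psg.com"}


def registered_domain(host: str) -> str:
    """Second-level domain in chort's sense: the last two labels.
    Simplification: public suffixes such as .co.uk are not handled."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def smtp_to_strangers(netstat_output: str, mail_provider_ips: set) -> list:
    """(PID/program, foreign address) for ESTABLISHED TCP sessions whose
    remote port is 25 and whose remote host is not a known mail provider."""
    hits = []
    for line in netstat_output.splitlines():
        cols = line.split()
        # Skip the banner, the header and anything that is not a TCP socket.
        if len(cols) < 7 or not cols[0].startswith("tcp"):
            continue
        foreign, state, program = cols[4], cols[5], cols[6]
        host, port = foreign.rsplit(":", 1)
        if state == "ESTABLISHED" and port == "25" and host not in mail_provider_ips:
            hits.append((program, foreign))
    return hits


def unknown_lookups(names, trusted=TRUSTED_DOMAINS) -> list:
    """Queried names whose second-level domain is not in the trusted set."""
    return sorted({n for n in names if registered_domain(n) not in trusted})
```

Run it against real output by piping 'netstat -pantu' into smtp_to_strangers() and your resolver log names into unknown_lookups(); anything it returns is a starting point for 'check who the other ones are', not proof of compromise.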

Simon Bridge 02-15-2009 07:23 PM

Quote:

sorry by no open source software i meant like phpbb which i know is the kind of way that people get into your system
... no, they can get access through poorly configured phpbb.
Quote:

i did have a hacked box a couple of years ago, i was running phpbb
... and now you associate being hacked with open source software?

You are not alone in making this mistake.

However, it has been well known for a long time, in security circles, that open source is, a priori, more secure than closed.

While the bad guys have access to your code to seek vulnerabilities, that is not actually how they work - and the good guys also have access. There are many more good guys than bad guys.

More importantly, good guys who have an incentive to fix the problem now (rather than, say, cover it up or shift the blame) have the means to create a fix - something not available in the proprietary world.

For many, particularly web-exposed, programs, there are actually teams of academics looking for security vulnerabilities ... so they can publish a paper and get more research funding. So we sometimes see flaws appear in FOSS which have no exploits at all.

The exact effect does vary from app to app.

So, while phpbb was quite publicly hacked, and it was poor design, a set of best practices quickly emerged and specific vulnerabilities were addressed while other proprietary programs remained vulnerable... but quietly. Their owners taking the "shift the blame and don't talk about it" approach.

You see, most people set up their bb's by getting it to do what they wanted and stopping there. After all, it works don't it?

It was, and still is in some places, uncommon to assume that someone would try to do anything which is not there on the interface. In fact, design needs to assume that some user will deliberately try to break the system, and plan the design accordingly.

This usually means reduced functionality out of the box and an education package for each user that asks how to do something you know (but they don't) is insecure. Sadly, this is usually resisted by customers, which is mostly why all software ships with security holes ... but we try.

nx5000 02-16-2009 06:00 AM

Quote:

So, while phpbb was quite publicly hacked, and it was poor design, a set of best practices quickly emerged and specific vulnerabilities were addressed while other proprietary programs remained vulnerable... but quietly. Their owners taking the "shift the blame and don't talk about it" approach.
Phpbb was hacked because of a third party tool, not phpbb.

They got hit by a 0-day exploit a few hours after it was discovered.

And their server was not super secure so it was not very hard for the bad guy.

Anyway php is very hard to fully secure...

Simon Bridge 02-16-2009 11:17 PM

@nx5000: all true.

Unfortunately, most of the top hits (I got) concerning the event blame "open source" instead.

All times are GMT -5.