LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-15-2009, 09:15 AM   #1
bigtl
Member
 
Registered: Aug 2001
Location: Worksop England
Distribution: debian, fedora core
Posts: 35
has my system been compromised


Hi, I think my system has been compromised. I would greatly appreciate any help understanding what is happening.

I have a partially wired/wireless network and have noticed a lot of outgoing traffic coming from my wireless laptop (this is the only wireless machine).

I have run iftop -i eth1 -P; this shows a lot of traffic from random high-numbered ports to my ISP's DNS server and a lot of port 80 traffic to gv-in-f18.google.com, then occasionally several port 80 requests to seemingly random websites, for example psg.com. There is also quite a lot of mdsn traffic but I don't know what that is.

My ADSL router has ports 80 and 22 forwarded to my laptop, as I use the machine for web development and need to show work to people.

I get quite a lot of random requests on port 80 but I think that is fairly normal for an internet-facing webserver. I have no open source software on the machine (apart from Apache/PHP, that is).

If I need to supply any more information please let me know.

Thanks in advance.
 
Old 02-15-2009, 09:47 AM   #2
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Quote:
i have no open source software on the machine
Then what do you have? Is this a Windows box?

Get your firewall logging outgoing packets - lots of outgoing when you don't expect it can be a sign you are running some sort of malware. However ...

gv-in-f18.google.com
... the registered owner is Google - why not ask them?

Check who the other ones are.

How about some basic network security, like disconnecting when not in use and requiring authentication?
 
Old 02-15-2009, 10:42 AM   #3
bigtl
Member
 
Registered: Aug 2001
Location: Worksop England
Distribution: debian, fedora core
Posts: 35

Original Poster
Quote:
Then what do you have? This a Windows box?
Sorry, by no open source software I meant things like phpBB, which I know is the kind of way that people get into your system. This is a fully patched Ubuntu box.
 
Old 02-15-2009, 11:14 AM   #4
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109
Hi.

Run 'netstat -pantu' as root to see what apps are using the network.

Dave
 
Old 02-15-2009, 01:45 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
It sounds to me like you have an entirely normal machine with an open web browser. What on Earth would lead you to believe that any of that indicates a hacked box?
 
Old 02-15-2009, 01:54 PM   #6
bigtl
Member
 
Registered: Aug 2001
Location: Worksop England
Distribution: debian, fedora core
Posts: 35

Original Poster
Quote:
It sounds to me like you have an entirely normal machine with an open web browser. What on Earth would lead you to believe that any of that indicates a hacked box?
Actually, after much digging I think you are correct; it seems that when I close Gmail all of the outgoing traffic stops.

The reasons I thought the box may be hacked were mainly due to the amount of blinking lights on my ADSL router; it seemed way more than normal. Couple that with the fact that I did have a hacked box a couple of years ago: I was running phpBB and someone used that to install an IRC bot on my machine and was using it to send huge amounts of spam email. Ever since then I have had a very healthy dose of paranoia about anything that is connected to the internet.

Thanks for all of your suggestions though, I think I may be at the bottom of this now.
 
Old 02-15-2009, 03:33 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Gmail is an AJAX app. It's not like a normal website where you have to refresh the page for it to connect to the server again. It's constantly polling the server for new information (new messages, contacts going on/off line, etc).

Lots of packets from high ports going to a DNS server = DNS lookups.
Port 80 traffic going to Google = checking for ads, the news ticker in Gmail, etc.

Concerning traffic would be doing a lot of DNS lookups for weird domains* and a lot of port 25 traffic to places other than your e-mail provider.

*This means the second-level domain (ex: 3dna328nad3.com), not sub-domains (ex: dk3n13813.google.com). Anything to the left of .google.com should be fine (well, as far as you trust Google anyway).
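The two checks suggested in this thread, ilikejam's netstat -pantu and chort's description of what worrying traffic looks like, as an added example that is not part of any post above: it parses netstat output into per-process sockets, lists listeners beyond the forwarded ports 22 and 80, flags outbound SMTP to anything but an assumed mail-provider address, and groups DNS lookups by second-level domain so subdomains of a trusted domain collapse into one line. The netstat lines, the queried names and the provider/trusted-domain allow-lists are constructed assumptions for a box like the OP's, not data from the thread.

```python
"""Triage helpers for netstat -pantu output and a list of DNS lookups.
Added example, not code from the thread; every sample here is constructed."""
from collections import Counter, namedtuple

Socket = namedtuple(
    "Socket", "proto local_ip local_port remote_ip remote_port state pid program")

# Constructed sample of `netstat -pantu` (net-tools format). The "-" on one tcp
# line is what netstat prints when it cannot read the owner, e.g. when not root.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1190/apache2
tcp        0      0 192.168.1.20:42180      209.85.229.18:80        ESTABLISHED 2311/firefox
tcp        0      0 192.168.1.20:51022      203.0.113.9:25          ESTABLISHED 2920/perl
tcp        0      0 192.168.1.20:51030      198.51.100.7:6667       ESTABLISHED 2920/perl
tcp        0      0 192.168.1.20:38800      198.51.100.20:443       ESTABLISHED -
udp        0      0 192.168.1.20:33001      192.0.2.53:53           ESTABLISHED 2311/firefox
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1102/avahi-daemon
"""

# Constructed sample of names the laptop looked up (as `tcpdump -n port 53`
# would show); google.com and psg.com are from the OP's iftop output, the
# reserved example.* names stand in for odd-looking domains.
DNS_SAMPLE = [
    "mail.google.com", "gv-in-f18.google.com", "clients1.google.com",
    "psg.com", "www.psg.com", "d3k1n2a.example.net", "d3k1n2a.example.net",
    "x9k2q.example.co.uk",
]

# Assumptions: the ports forwarded from the router, the ISP's mail relay, and
# domains whose subdomains are not worth listing individually.
EXPECTED_LISTEN_PORTS = frozenset({"22", "80"})
MAIL_PROVIDER_IPS = frozenset({"192.0.2.25"})
TRUSTED_DOMAINS = frozenset({"google.com"})
MAIL_PORTS = frozenset({"25", "465", "587"})
# Tiny stand-in for the Public Suffix List; real code should load the list.
TWO_PART_SUFFIXES = frozenset({"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"})


def _split_addr(addr):
    host, _, port = addr.rpartition(":")   # rpartition so IPv6 literals work
    return host, port


def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue                        # skip the two header lines
        proto, local, remote = parts[0], parts[3], parts[4]
        if len(parts) >= 7:                 # tcp, or udp with a state column
            state, pidprog = parts[5], parts[6]
        else:                               # udp listeners print no state
            state, pidprog = "", parts[5]
        pid, _, program = pidprog.partition("/")
        lip, lport = _split_addr(local)
        rip, rport = _split_addr(remote)
        sockets.append(Socket(proto, lip, lport, rip, rport, state, pid, program))
    return sockets


def unexpected_listeners(sockets, expected=EXPECTED_LISTEN_PORTS):
    """Ports accepting traffic that are not the ones you meant to expose."""
    out = []
    for s in sockets:
        listening = s.state == "LISTEN" or (
            s.proto.startswith("udp") and s.remote_port == "*")
        if listening and s.local_port not in expected:
            out.append((s.proto, s.local_port, s.program or "?"))
    return out


def smtp_to_strangers(sockets, provider_ips=MAIL_PROVIDER_IPS):
    """Outbound SMTP that is not going to your own mail provider (chort's sign)."""
    return [s for s in sockets
            if s.remote_port in MAIL_PORTS and s.remote_ip not in provider_ips]


def unattributed(sockets):
    """Sockets netstat could not tie to a PID: re-run as root before trusting the list."""
    return [s for s in sockets if s.pid == "-"]


def second_level_domain(name):
    """a.b.example.com -> example.com; x.example.co.uk -> example.co.uk."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookup_summary(queries, trusted=TRUSTED_DOMAINS):
    """Lookups per registrable domain, subdomains collapsed, trusted domains dropped."""
    counts = Counter(second_level_domain(q) for q in queries)
    return {d: n for d, n in counts.items() if d not in trusted}


def triage(netstat_text=NETSTAT_SAMPLE, queries=DNS_SAMPLE):
    sockets = parse_netstat(netstat_text)
    return {
        "listeners": unexpected_listeners(sockets),
        "smtp": [(s.remote_ip, s.program) for s in smtp_to_strangers(sockets)],
        "unattributed": len(unattributed(sockets)),
        "dns": lookup_summary(queries),
    }
```

Run triage() on the real output of netstat -pantu (or, on distributions that no longer ship net-tools, ss -tunap, whose columns differ slightly) rather than the sample. A flagged listener such as the mDNS socket on 5353 is not a verdict, only something to account for; the point of grouping by registrable domain is that fifty subdomains of google.com become one line while a single lookup of a random-looking name stays visible.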
 
Old 02-15-2009, 06:23 PM   #8
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Quote:
sorry by no open source software i meant like phpbb which i know is the kind of way that people get into your system
... no, they can get access through poorly configured phpBB.
Quote:
i did have a hacked box a couple of years ago, i was running phpbb
... and now you associate being hacked with open source software?

You are not alone in making this mistake.

However, it has been well known for a long time, in security circles, that open source is, a priori, more secure than closed.

While the bad guys have access to your code to seek vulnerabilities, that is not actually how they work - and the good guys also have access. There are many more good guys than bad guys.

More importantly, good guys who have an incentive to fix the problem now (rather than, say, cover it up or shift the blame) have the means to create a fix - something not available in the proprietary world.

For many, particularly web-exposed, programs, there are actually teams of academics looking for security vulnerabilities ... so they can publish a paper and get more research funding. So we sometimes see flaws appear in FOSS which have no exploits at all.

The exact effect does vary from app to app.

So, while phpbb was quite publicly hacked, and it was poor design, a set of best practices quickly emerged and specific vulnerabilities were addressed while other proprietary programs remained vulnerable... but quietly. Their owners taking the "shift the blame and don't talk about it" approach.

You see, most people set up their bb's by getting it to do what they wanted and stopping there. After all, it works don't it?

It was, and still is in some places, uncommon to assume that someone would try to do anything which is not there on the interface. In fact, design needs to assume that some user will deliberately try to break the system, and plan the design accordingly.

This usually means reduced functionality out of the box and an education package for each user that asks how to do something you know (but they don't) is insecure. Sadly, this is usually resisted by customers, which is mostly why all software ships with security holes ... but we try.

Last edited by Simon Bridge; 02-15-2009 at 06:29 PM.
 
Old 02-16-2009, 05:00 AM   #9
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307
Quote:
So, while phpbb was quite publicly hacked, and it was poor design, a set of best practices quickly emerged and specific vulnerabilities were addressed while other proprietary programs remained vulnerable... but quietly. Their owners taking the "shift the blame and don't talk about it" approach.
phpBB was hacked because of a third-party tool, not phpBB.

They got hit by a 0-day exploit a few hours after it was discovered.

And their server was not super secure so it was not very hard for the bad guy.

Anyway php is very hard to fully secure...

Last edited by nx5000; 02-16-2009 at 05:05 AM.
 
Old 02-16-2009, 10:17 PM   #10
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
@nx5000: all true.

Unfortunately, most of the top hits (I got) concerning the event blame "open source" instead.
 