Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm using Mint 10 - an Ubuntu 10 derivative.
I'm a programmer with 10 years' experience with Linux,
comfortable (but not a genius) with the command line.
Adept with vim.
My security knowledge is woefully low.
My bandwidth usage has gone way up.
To make a long story short, I am suspecting an intrusion
of some sort on my machine. Currently I'm using a
router with wireless turned off. I'm running iftop and the Rx total for today (still high)
is showing 333MB. For starters, I have two questions:
1) What should I be looking for in /var/log?
2) Any recommendations on software that might help here?
And anything else helpful is welcomed.
thanks
tim
You would probably need to monitor bandwidth in/out of the ethernet interface over a period of a few hours up to a day or so.
Loads of software is available to do this: mrtg/cacti/ntop etc. Personally, I would recommend ntop for what you wish to do, as you can get a breakdown of the IP addresses that are sending/receiving traffic, so this would probably be more helpful for you to see where traffic is going or where it is coming from.
Only after this can you decide the next step (cleaning up/upping security).
I'd also look for anything running on the machine that might be suspicious. Have a look at the output of lsof -Pwn and netstat -nape and see if anything unexpected is listening/running. If you really like digging into logs, ps axfwwwwe will give you a ton of info on what is running.
As for the stuff in /var/log, given what you've said so far, about the best I can suggest is that you look for things that shouldn't be there. If you have a good idea of when your net usage started to increase, I'd start looking in the logs shortly before that.
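Added example (editor's note, not code from anyone in this thread): a small script that does the triage the two replies above describe, run against a saved copy of netstat -nape plus the /proc tree. It reports sockets listening on something other than loopback, established connections grouped by remote host, and any running process whose executable lives in /tmp or /dev/shm. The netstat text and the fake /proc tree in the block are constructed sample data, not output from the poster's machine; on a real host you would save `netstat -nape > ~/netstat.txt` (or `ss -tulpn`) and call `tmp_execs /proc`.

```bash
#!/bin/bash
# Triage helpers for a "why is my box so busy" investigation.
# All sample data below is CONSTRUCTED for the demonstration.

# Listening sockets not bound to loopback. netstat -nape prints, per line:
# proto recv-q send-q local foreign [state] user inode pid/program.
# TCP lines carry a State column, UDP lines do not, so the program name is
# taken from the last field in both cases.
nonlocal_listeners() {
    awk '$1 ~ /^(tcp|udp)/ {
        local = $4; foreign = $5
        listening = ($1 ~ /^tcp/) ? ($6 == "LISTEN") : (foreign ~ /\*$/)
        loopback = (local ~ /^127\./ || local ~ /^::1:/ || local ~ /^\[::1\]/)
        if (listening && !loopback) print $1, local, $NF
    }' "$1"
}

# Established TCP connections, one line per remote IP with a count, busiest first.
established_remotes() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        peer = $5; sub(/:[0-9]+$/, "", peer); print peer
    }' "$1" | sort | uniq -c | sort -rn
}

# Processes whose binary was started from /tmp or /dev/shm. Takes the /proc
# root as an argument so it can be pointed at a fake tree for testing.
# Needs GNU find (-lname); other users' exe links need root to read.
tmp_execs() {
    find "$1" -mindepth 2 -maxdepth 2 -name exe -type l \
        \( -lname '/tmp/*' -o -lname '/dev/shm/*' \) 2>/dev/null |
    while read -r link; do
        pid=$(basename "$(dirname "$link")")
        printf '%s %s\n' "$pid" "$(readlink "$link")"
    done
}

# Constructed sample: a workstation with a few ordinary daemons and one
# unnamed process (".x") holding two connections to an IRC port.
write_sample_netstat() {
    cat > "$1" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          11001      1201/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          11002      999/sshd
tcp        0      0 192.168.1.10:41234      198.51.100.7:6667       ESTABLISHED 1000       11003      4321/.x
tcp        0      0 192.168.1.10:41235      198.51.100.7:6667       ESTABLISHED 1000       11004      4321/.x
tcp6       0      0 ::1:25                  :::*                    LISTEN      0          11005      1300/master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          11006      777/dhclient
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     11007    1201/cupsd          /var/run/cups/cups.sock
EOF
}

# Constructed fake /proc tree: pid 4321 runs out of /tmp, pid 999 does not.
make_fake_proc() {
    mkdir -p "$1/4321" "$1/999"
    ln -sf /tmp/.x "$1/4321/exe"
    ln -sf /usr/sbin/sshd "$1/999/exe"
}

# Demo run against the constructed data.
work=$(mktemp -d)
write_sample_netstat "$work/netstat.txt"
make_fake_proc "$work/proc"
echo "== listeners not on loopback ==";     nonlocal_listeners "$work/netstat.txt"
echo "== established, by remote host ==";   established_remotes "$work/netstat.txt"
echo "== processes running out of /tmp =="; tmp_execs "$work/proc"
rm -rf "$work"
```

In the sample the interesting line is not the listeners (sshd and dhclient are normal) but the two ESTABLISHED connections to port 6667 from a process whose name is a dot-file and whose binary sits in /tmp; that combination is what the "look for anything unexpected" advice is aiming at. Match the PID from netstat against `ls -l /proc/PID/exe` and `cat /proc/PID/cmdline` before deciding.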
Thanks to both of you for your replies.
I'm going to first do a (fresh) re-install. That
should take me much of this day. I will post back when
finished. Thanks again very much.
tim
Quote:
Originally Posted by Tim Johnson
Thanks to both of you for your replies. I'm going to first do a (fresh) re-install.
You were on the right track initially. If you haven't already wiped the system, please investigate the problem before doing so.
The problem with this approach is that it may temporarily alleviate your problem, be it a compromise or some other form of hardware or software issue. That is why performing an in-depth investigation and analysis is so important. If you were compromised, do you know how? When you re-install, will you open up the same window that you had before? It may not have been a password-type compromise, in which case a wipe-and-re-install alone is next to meaningless. If it is a hardware issue or a software issue, a re-install is unlikely to fix it. In either case, you could be back where you started or worse.
In reply to Noway2, I'm willing to stay and fight, so to speak,
but in the meantime, this is costing me money in overage charges.
Right now, I'm looking at iftop with 210MB received
since I started the computer 2 hours and 30 minutes ago. At this rate, I
will have a gig or more by the end of the day.
So I'm going to start by posting the dump from netstat -nape
Please let me know right away if there is anything at this site
that might further compromise me. At 310 lines, I'm not sure if I can
post it directly to this forum. http://www.johnsons-web.com/netstat.txt
PS: maybe someone can shoot me the best way to use ntop for logging.
I'm going to read the man page as soon as I can.
Last edited by Tim Johnson; 03-08-2011 at 12:57 PM.
Quote:
Originally Posted by Tim Johnson
At 310 lines, I'm not sure if I can post it directly to this forum.
Yeah, some of that gets big. If you need, feel free to contact me directly and I can arrange for the logs to be posted or otherwise disseminated.
As an alternative to nuking, can you bring up the firewall so that only SSH is allowed and then only from trusted IP addresses? If the overage charges are killing you, that should put a stop to the traffic and allow some investigation. By the way, I'm assuming this computer is at a remote location and you don't have physical access. If you do, then just yank the network cable for now.
If you do feel you need to re-install, please try to save at least the log files. You also might try a quick look over the CERT Checklist for other kinds of information that might be worth preserving. As Noway2 pointed out, re-installs do make it really difficult to figure out what happened. However, it is your wallet at risk, not mine, so you have to make the decision.
Looking at the output of netstat, I myself don't see where your bandwidth usage is coming from. It is showing that you don't have any TCP or UDP connections, just sockets listening, and none of those look out of the ordinary. Just to clarify, you are talking about network usage, not CPU usage, right?
Some things that I do notice that look a little odd:
1) You have a LARGE number of master processes running, which I assume is Postfix's master daemon.
2) it looks like you have multiple X / GUI systems running as you are showing both Gnome and Fluxbox, and KDE. This could also correspond with the large number of google-chrome connections. Do you have multiple users running desktops on this system? What I don't get is why you would have lots of browsers open and no TCP connections (to remote hosts) to speak of.
Unless this is a system that would impact many other users negatively, and maybe even if it would, I would consider throwing up the firewall to block all traffic and then start releasing things one at a time until you find the culprit/s.
3) I notice that there is an open /tmp file for what appears to be ssh-agent. Are you using ssh-agent, which I believe to be a password-less login utility for ssh? It struck me because /tmp is a common ground for putting rogue binaries.
Last edited by Noway2; 03-08-2011 at 02:25 PM.
Reason: added ssh-agent comment
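Added example (editor's note, not code from anyone in this thread): the "throw up the firewall and release things one at a time" approach from the post above, combined with the earlier suggestion to allow only SSH from trusted addresses, as an iptables script. The functions only emit the iptables commands; nothing is applied unless the script is run as root with the single argument `apply`. TRUSTED_IP (192.168.1.20), the DNS server used in the demo release, and the use of the older `-m state` match are assumptions for a 2011-era Ubuntu/Mint box, not details from the thread. The script flushes whatever rules already exist and sets DROP policies, so get TRUSTED_IP right or you will lock yourself out of any remote session.

```bash
#!/bin/bash
# Block-everything-then-release-one-at-a-time lockdown for a single workstation.
# Dry run by default: prints the plan. `sudo ./lockdown.sh apply` executes it.

TRUSTED_IP=${TRUSTED_IP:-192.168.1.20}   # assumed: the one host allowed to SSH in
LOG_PREFIX='FW-DROP '

# Baseline rule set: drop by default, keep loopback and replies to connections
# that were already accepted, allow SSH in from one trusted host, and log
# (rate-limited) whatever still tries to leave or enter so the culprit shows
# up in `dmesg` / /var/log/kern.log instead of failing silently.
lockdown_rules() {
    local trusted=$1
    printf '%s\n' \
        'iptables -F' \
        'iptables -X' \
        'iptables -P INPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -P OUTPUT DROP' \
        'iptables -A INPUT  -i lo -j ACCEPT' \
        'iptables -A OUTPUT -o lo -j ACCEPT' \
        'iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "iptables -A INPUT  -p tcp -s $trusted --dport 22 -m state --state NEW -j ACCEPT" \
        "iptables -A OUTPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"${LOG_PREFIX}OUT \"" \
        "iptables -A INPUT  -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"${LOG_PREFIX}IN \""
}

# Release one destination at a time (DNS, the distro mirror, a mail relay)
# while watching whether the unexplained traffic comes back. The rule is
# inserted at position 3 of OUTPUT: after the loopback and ESTABLISHED
# rules, before the LOG rule, so released traffic stops being logged.
release_host() {
    local host=$1 proto=${2:-tcp} port=${3:-}
    if [ -n "$port" ]; then
        printf 'iptables -I OUTPUT 3 -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' "$proto" "$host" "$port"
    else
        printf 'iptables -I OUTPUT 3 -d %s -m state --state NEW -j ACCEPT\n' "$host"
    fi
}

if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    lockdown_rules "$TRUSTED_IP" | while read -r cmd; do eval "$cmd"; done
else
    echo "# dry run; re-run as root with 'apply' to load these rules"
    lockdown_rules "$TRUSTED_IP"
    echo "# then release destinations one at a time, e.g. the router's DNS (assumed 192.168.1.1):"
    release_host 192.168.1.1 udp 53
fi
```

While the lockdown is in place, `dmesg | grep FW-DROP` shows every blocked packet with its DST and DPT; a host that keeps appearing there is the next thing to look up in netstat/lsof. The rules do not survive a reboot unless saved (iptables-save), and they do nothing about the router itself.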
This computer is not at a remote location. It is my workstation and how I earn my living.
I do not serve anything to the outside world.
Unless someone comes up with a solution soon, and that is not likely given my limited ability to communicate or diagnose this problem,
I'm going to do the following:
1) Will do a new install on different partitions (leaving this OS intact). That will give an opportunity for logs to be reviewed,
and the current partition will remain bootable.
2) I will monitor for traffic on the new install.
3) I may bypass the router, given a circumstance where one computer only is needed here.
In the meantime I'm open to other ideas. In a couple of hours, I'll have the new OS
co-existing with the current one. And I can easily do data dumps and present them at
my website, where they'd be easier to read than on this forum. Also, I appear to be firewalled well;
at least by testing at grc.com, I have no ports open at all.
Although I am a security noob, I suspect a breach through my router originally. That breach may
now be sealed.
Darn, I've been so busy that I overlooked this reply. To keep things simple,
1) Does it look to you like postfix is not terminating when it is invoked?
2) I have Gnome, FluxBox, and Xfce installed, but I am certainly not running them concurrently.
3) I'm wondering if your observation on /tmp is pointing to the breach? Or the rogue process.
But backtracking usage, this all started when I switched to mint 10.
I'm going to put a version of kubuntu on and switch to that - hopefully.
thanks
tim
I'm with Noway2 on the netstat output, nothing really looks out of place.
Quote:
Originally Posted by Tim Johnson
This computer is not at a remote location. It is my workstation and how I earn my living.
That can make things easier. If this is your workstation, I certainly understand the need to get it back and running quickly.
Quote:
Originally Posted by Tim Johnson
I do not serve anything to the outside world.
Interesting. If there are no routes from the outside to this machine, that probably means we should focus a bit more on the outbound traffic and trying to identify what it is and where it is coming from. Did you do any updates/upgrades to software before this started?
Quote:
Originally Posted by Tim Johnson
Although I am a security noob, I suspect a breach thru my router originally. That breach may
now be sealed.
Could you elaborate a bit on this one? Just so you know, the way the Security forum generally handles potential breaches is by asking people to post facts about what they see. We try to keep speculation to a minimum since it is really easy to get way off track that way. I'd be very interested in knowing more about why you suspect your router.
Those processes from postfix look normal. Postfix consists of several separate daemon processes that will run when called upon. For example, there is a queue manager, a pickup, trivial rewrite, and cleanup process. These are shown in your netstat output. The daemons are coordinated by master (master.cf), which also handles the process for accepting and delivering mail. The large number of master connections was interesting in light of high bandwidth usage, which led me to think of potential spam-bot activity as an avenue to investigate.
Having those desktop environments installed could explain the files in netstat. If you notice, the connections are unix stream sockets to the process, via an inode. These are probably just 'files' that exist to connect X to the window manager.
I think Hangdog is on the right track. Please elaborate on the router breach. Also, how did you determine this machine was the source of the high bandwidth usage?
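Added example (editor's note, not code from anyone in this thread): a quick way to check the spam-bot angle raised above without reading the whole mail log by eye. Each Postfix daemon named in the post (pickup, cleanup, qmgr, local, smtp) logs one line per message under its own name, so counting outbound smtp deliveries by status and relay, and summing the qmgr `nrcpt=` field per sender, shows immediately whether some local account is pumping mail out. The log lines in the block are constructed for the demo; on Debian/Ubuntu/Mint the real file is /var/log/mail.log and `postqueue -p` (or `mailq`) lists what is still waiting to leave.

```bash
#!/bin/bash
# Summarise a Postfix mail log for signs of outbound spam.
# The sample log is CONSTRUCTED; point the functions at /var/log/mail.log on a real host.

write_sample_maillog() {
    cat > "$1" <<'EOF'
Mar  8 12:00:01 box postfix/pickup[1301]: 1A2B3C4D5E: uid=1000 from=<tim@box.localdomain>
Mar  8 12:00:01 box postfix/cleanup[1302]: 1A2B3C4D5E: message-id=<20110308120001.1A2B3C4D5E@box.localdomain>
Mar  8 12:00:01 box postfix/qmgr[1303]: 1A2B3C4D5E: from=<tim@box.localdomain>, size=412, nrcpt=1 (queue active)
Mar  8 12:00:02 box postfix/local[1304]: 1A2B3C4D5E: to=<root@box.localdomain>, relay=local, delay=0.3, delays=0.1/0/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  8 12:05:10 box postfix/qmgr[1303]: F0E1D2C3B4: from=<promo@box.localdomain>, size=2120, nrcpt=40 (queue active)
Mar  8 12:05:11 box postfix/smtp[1310]: F0E1D2C3B4: to=<a@example.net>, relay=mx.example.net[203.0.113.9]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
Mar  8 12:05:11 box postfix/smtp[1311]: F0E1D2C3B4: to=<b@example.net>, relay=mx.example.net[203.0.113.9]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Mar  8 12:05:12 box postfix/smtp[1312]: F0E1D2C3B4: to=<c@example.org>, relay=none, delay=30, delays=30/0/0/0, dsn=4.4.1, status=deferred (connect to example.org[198.51.100.20]:25: Connection timed out)
Mar  8 12:05:40 box postfix/qmgr[1303]: 9876543210: from=<promo@box.localdomain>, size=2120, nrcpt=40 (queue active)
Mar  8 12:05:41 box postfix/smtp[1313]: 9876543210: to=<d@example.com>, relay=mail.example.com[192.0.2.33]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
EOF
}

# Remote delivery attempts (postfix/smtp only; postfix/local is mail that
# stayed on the box), counted by status: sent, deferred, bounced.
smtp_status_counts() {
    grep ' postfix/smtp\[' "$1" | sed -n 's/.*status=\([a-z]*\).*/\1/p' |
    sort | uniq -c | sort -rn
}

# Which relays were used, busiest first. relay=none means Postfix never
# managed to connect (typical when an ISP blocks outbound port 25).
relays_used() {
    grep ' postfix/smtp\[' "$1" | sed -n 's/.*relay=\([^,]*\),.*/\1/p' |
    sed 's/\[.*//' | sort | uniq -c | sort -rn
}

# Total recipients queued per sender, from the qmgr "from=<..>, nrcpt=N" lines.
# A local account suddenly queueing hundreds of recipients is the spam-bot signature.
recipients_by_sender() {
    grep ' postfix/qmgr\[' "$1" |
    sed -n 's/.*from=<\([^>]*\)>.*nrcpt=\([0-9]*\).*/\1 \2/p' |
    awk '{ n[$1] += $2 } END { for (s in n) print n[s], s }' | sort -rn
}

# Demo run against the constructed log.
work=$(mktemp -d)
write_sample_maillog "$work/mail.log"
echo "== remote delivery attempts by status =="; smtp_status_counts "$work/mail.log"
echo "== relays ==";                              relays_used "$work/mail.log"
echo "== recipients queued per sender ==";        recipients_by_sender "$work/mail.log"
rm -rf "$work"
```

In the sample, the local user tim sent one message to root, while "promo" queued 80 recipients in two messages; that second line is the one worth chasing (which process submitted it: `postfix/pickup` lines carry the uid). Note that a spam bot shows up as transmitted bytes, whereas the original poster reports the excess on the receive side, so an empty result here does not clear the machine, it only rules out this one explanation.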
Originally the router administration was not password protected. The WPA key was set, but logging into the web-based admin was not password protected, so
I surmised that possibly that gave someone a way in - I can't imagine how, since this house is occupied by just my wife and me - but somehow that might have
given a way in from outside.
I've surmised that it is this machine because iftop shows me intense usage on this machine, sometimes a megabyte every refresh. I don't see such activity on
my wife's computer. This high level of usage started when I started using this OS, as far as I can tell. And the usage - as far as I can tell - is in reception as
opposed to transmission (i.e. downloading), as far as I can tell from iftop.
I see you have ntop running. From within the web interface (port 3000) you should be able to see each IP address endpoint and how much traffic in KB by these IPs, and also which protocol is being used...
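Added example (editor's note, not code from anyone in this thread): the per-IP breakdown that ntop gives through its web interface, and that the earlier reply recommended it for, reduced to a capture file and awk, with the receive/transmit split the original poster reads off iftop. It parses `tcpdump -nn -q -tt -l -i eth0 ip` output, attributes each packet's payload bytes to the remote peer as rx or tx from the workstation's point of view, and ranks peers by bytes received. The capture lines in the block are constructed; the interface name eth0 and the local address 192.168.1.10 are assumptions. Only IPv4 lines with a trailing length are counted (TCP payload via `-q`, UDP via `length N`), so headers, ACKs, ARP and IPv6 are ignored: the ranking is what matters, not the exact byte totals.

```bash
#!/bin/bash
# Rank remote hosts by bytes received/sent, from tcpdump -q output.
# Run live: sudo timeout 600 tcpdump -nn -q -tt -l -i eth0 ip > ~/cap.txt
#           traffic_by_peer 192.168.1.10 ~/cap.txt
# The capture below is CONSTRUCTED for the demo.

# Prints "rx_bytes tx_bytes peer", sorted by rx_bytes descending.
# tcpdump -q lines look like:
#   <ts> IP <src>.<sport> > <dst>.<dport>: tcp <len>
#   <ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <len>
traffic_by_peer() {
    local me=$1 capture=${2:--}
    awk -v me="$me" '
        $2 == "IP" && $NF ~ /^[0-9]+$/ {
            src = $3; dst = $5; sub(/:$/, "", dst)
            sub(/\.[0-9]+$/, "", src); sub(/\.[0-9]+$/, "", dst)   # strip ports
            bytes = $NF
            if (dst == me)      { rx[src] += bytes; seen[src] = 1 }
            else if (src == me) { tx[dst] += bytes; seen[dst] = 1 }
        }
        END {
            for (p in seen) printf "%d %d %s\n", rx[p] + 0, tx[p] + 0, p
        }' "$capture" | sort -rn
}

# Overall direction split, the number the poster is reading off iftop.
direction_totals() {
    traffic_by_peer "$1" "$2" | awk '{ rx += $1; tx += $2 } END { printf "rx=%d tx=%d\n", rx, tx }'
}

# Constructed capture: one remote host pushing data in, a DNS exchange with
# the router, one HTTPS packet from another host, plus ARP and IPv6 noise
# that the parser must skip.
write_sample_capture() {
    cat > "$1" <<'EOF'
1299600000.100000 IP 198.51.100.7.80 > 192.168.1.10.41234: tcp 1448
1299600000.100200 IP 192.168.1.10.41234 > 198.51.100.7.80: tcp 0
1299600000.100400 IP 198.51.100.7.80 > 192.168.1.10.41234: tcp 1448
1299600000.200000 IP 192.168.1.10.41234 > 198.51.100.7.80: tcp 100
1299600001.000000 IP 192.168.1.10.59123 > 192.168.1.1.53: UDP, length 40
1299600001.010000 IP 192.168.1.1.53 > 192.168.1.10.59123: UDP, length 120
1299600002.000000 IP 203.0.113.50.443 > 192.168.1.10.50000: tcp 1448
1299600003.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
1299600004.000000 IP6 fe80::1.546 > ff02::1:2.547: UDP, length 90
EOF
}

# Demo run against the constructed capture.
work=$(mktemp -d)
write_sample_capture "$work/cap.txt"
echo "rx_bytes tx_bytes peer"
traffic_by_peer 192.168.1.10 "$work/cap.txt"
direction_totals 192.168.1.10 "$work/cap.txt"
rm -rf "$work"
```

Because the workstation sits behind a NAT router, the peer addresses it sees are the real internet hosts, so the top line of the output is the address to look up (whois, reverse DNS) and to match against the PID in `netstat -nape` / `lsof -Pwn -i`. If the receive side dominates, as the poster describes, the process holding that connection is downloading something; if almost everything is transmit, look at the mail queue and at the firewall logs instead.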