LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-06-2008, 07:37 AM   #1
ilago
LQ Newbie
 
Registered: Dec 2006
Location: Australia
Distribution: Mepis, PCLinuxOS, openSuse 10.3
Posts: 16

Rep: Reputation: 0
I seem to be running a mailserver on opensuse 10.3 and I didn't set it up


I think I have a security issue. I'll be quite happy to find out I'm dumb and paranoid and take off my tinfoil hat.

I've been running various distros of linux for the last 3 years with some previous intermittent use back to around Suse 7.2. I'm not any sort of linux guru and I'm not as familiar with linux security as I am with Windows security. I'm running Opensuse 10.3 64 bit, KDE default installation and all fully updated. This is my first 64 bit installation. I've run 32 bit up until now.

For the last two or three days my LCD monitor has been behaving oddly - slight lack of focus and then OK. I assumed it was the monitor and swapped it with my old trusty CRT and ran that for a day. Still the odd behaviour. On the old box both the monitors work fine.

I ran top as a user and there was nothing interesting I could see. I ran it as user though, not as root. The machine has root, me and smallchild as users. Is that setup users or current users? So I ran netstat -an and I got screens full of CONNECTED and LISTENING. Probably 2 or 3 more screenfuls than usual and several paths I didn't recognise. I googled heaps of them and discounted several as legitimate but there are several directories that don't appear to be default. They are all listed in the 12000 port range. Why do I have entries for /private/xxxxxxx but no /private directory? Why am I running ssh when I don't have it set up and I don't need it? I seem to be running a mailserver.

Code:
linux:/ # ls
.kconfig  .qt  boot  etc   image  lost+found  mnt  proc  sbin  sys  usr  windows
.profile  bin  dev   home  lib    media       opt  root  srv   tmp  var

So I checked the firewall status and it was OFF. I re-enabled the firewall. But it was not me that disabled it. It has always been enabled since installation as far as I know. I only need email and web access and no need for anything more exciting than the odd upload to my website. I have crossover for my two Windows "must haves". Everything else is standard opensuse and from the repos except for a couple of games for under 5s.

I'm trying to decide whether it's a reinstall job or if I should try and track it down and learn a bit more. I'd like to wait for the next release if possible.

Where would I start? I have kept the logs I did but I ran them as a user, not as root. I wasn't going to log in as root while I thought something was wrong.
 
Old 05-06-2008, 10:45 AM   #2
ronlau9
Senior Member
 
Registered: Dec 2007
Location: In front of my LINUX OR MAC BOX
Distribution: Mandriva 2009 X86_64 suse 11.3 X86_64 Centos X86_64 Debian X86_64 Linux MInt 86_64 OS X
Posts: 2,369

Rep: Reputation: Disabled
To disable the firewall you need root privilege.
In your DSL modem is there a built-in firewall?
If so, do you protect it with Administrator and password?
If you do so with different passwords then somebody meets two firewalls.
Maybe it is worthwhile to run a virus scanner.

all the best
 
Old 05-06-2008, 11:34 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
Instead of running a virus scanner I'd suggest booting a Live CD and using the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html checklist to look for clues. Just before you reboot into the CD, log in as root and run these commands: '( /bin/ps -axfwww -eo ppid,pid,uid,args 2>&1; /bin/netstat -n 2>&1; /usr/sbin/lsof -w -n 2>&1; /usr/bin/last 2>&1; /usr/bin/who --heading --dead -u --login --lookup --process --time --mesg --users 2>&1 ) | tee /tmp/tee.log' (maybe put that in a script to run). Also try running 'rpm -qVa' after you booted the CD.
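The capture step unSpawn describes, written out as an added example script (not unSpawn's script and not anything posted in the thread): it runs the same five commands in the same order, records when a tool is missing instead of aborting, and writes everything to the file named on the command line. It assumes procps `ps`, net-tools `netstat`, `lsof`, `last` and GNU `who` with the options given in the post; `run_section` and `collect_volatile_state` are names chosen here.

```shell
#!/bin/sh
# Snapshot volatile state (processes, sockets, open files, logins) before
# rebooting into a Live CD. Added example built around the command list in
# unSpawn's post; the function names are chosen here, not from the thread.

run_section() {
    # $1 = section label, remaining args = the command to run.
    # Writes a header, then the command's stdout and stderr. A missing tool
    # or a non-zero exit is recorded in the log rather than stopping the run.
    label=$1
    shift
    echo "=== $label ==="
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || echo "($1 exited with status $?)"
    else
        echo "($1 not found on this system)"
    fi
    echo
}

collect_volatile_state() {
    # $1 = output file. Process and socket state go first because they
    # change fastest; login history last. Prints the output path on success.
    out=$1
    {
        echo "=== collected $(date) on $(hostname 2>/dev/null || echo unknown) ==="
        run_section "ps"      ps -axfwww -eo ppid,pid,uid,args
        run_section "netstat" netstat -n
        run_section "lsof"    lsof -w -n
        run_section "last"    last
        run_section "who"     who --heading --dead -u --login --lookup \
                                  --process --time --mesg --users
    } > "$out"
    echo "$out"
}

# Stand-alone use: sh collect.sh /path/to/volatile.log
if [ -n "$1" ]; then
    collect_volatile_state "$1"
fi
```

Run it as root just before the reboot, preferably writing to removable media rather than /tmp so nothing further is written to the suspect filesystem, and keep the file alongside whatever the Live CD pass turns up. `rpm -qVa` stays on the Live CD side, as the post says: the reason for booting from known-good media is not to trust the installed binaries, and that includes the `rpm` that would do the verifying.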
 
Old 05-06-2008, 05:04 PM   #4
ilago
LQ Newbie
 
Registered: Dec 2006
Location: Australia
Distribution: Mepis, PCLinuxOS, openSuse 10.3
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Instead of running a virus scanner I'd suggest booting a Live CD and using the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html checklist to look for clues. Just before you reboot into the CD, log in as root and run these commands: '( /bin/ps -axfwww -eo ppid,pid,uid,args 2>&1; /bin/netstat -n 2>&1; /usr/sbin/lsof -w -n 2>&1; /usr/bin/last 2>&1; /usr/bin/who --heading --dead -u --login --lookup --process --time --mesg --users 2>&1 ) | tee /tmp/tee.log' (maybe put that in a script to run). Also try running 'rpm -qVa' after you booted the CD.
Thanks for that unSpawn. That's exactly what I was after because I wasn't sure where to start. I'd know in Windows, but this is the first chance I've had to look at a linux situation.

I usually use a Knoppix Live CD for fixing so I'll make sure all my data is backed up and see what I can learn before I nuke this one.

My router has NAT enabled and it doesn't have default log in passwords. There is no evidence that any other computer on my LAN has issues. Whatever this is, is limited to this machine and it looks like a trojan of some type to me. It seems very controlled. Viruses, on Windows anyway, tend to have scattergun effects and I'm not aware of too many Windows type viruses on linux machines. Trojans and rootkits are a bigger concern.

It can't do much if the machine is shutdown or not connected.
 
Old 05-06-2008, 05:50 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
Not trying to influence perception but, unless you ran (outdated versions of) applications or services unrestricted and exposed to world, the chance of you catching a rootkit or trojan will be smaller than you winning the lottery (sorry).
 
Old 05-06-2008, 11:03 PM   #6
ilago
LQ Newbie
 
Registered: Dec 2006
Location: Australia
Distribution: Mepis, PCLinuxOS, openSuse 10.3
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
Not trying to influence perception but, unless you ran (outdated versions of) applications or services unrestricted and exposed to world, the chance of you catching a rootkit or trojan will be smaller than you winning the lottery (sorry).
I know that - I just do a lot of Windows malware removal, so I've learnt to expect the worst.

I do have some sort of a problem though and I'd like to at least know what it is.
 
Old 05-07-2008, 08:09 AM   #7
ilago
LQ Newbie
 
Registered: Dec 2006
Location: Australia
Distribution: Mepis, PCLinuxOS, openSuse 10.3
Posts: 16

Original Poster
Rep: Reputation: 0
This is the netstat -an result I'm concerned about.
Code:
gail@linux:~> netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.102:52313 202.6.74.96:80 ESTABLISHED
tcp 0 0 192.168.1.102:45256 202.6.74.96:80 ESTABLISHED
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
Active UNIX domain sockets (servers and established)

I used bold on the entries I'm concerned about.
Code:
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     12545  private/relay
unix  2      [ ACC ]     STREAM     LISTENING     12549 public/showq
unix  2      [ ACC ]     STREAM     LISTENING     12553  private/error[
unix  2      [ ACC ]     STREAM     LISTENING     14601  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  2      [ ACC ]     STREAM     LISTENING     12557  private/discard
unix  2      [ ACC ]     STREAM     LISTENING     14608  /tmp/orbit-gail/linc-d32-0-3ae18d4766a6e
unix  2      [ ACC ]     STREAM     LISTENING     15094  /tmp/orbit-gail/linc-d9c-0-5f18729070b7d
unix  2      [ ACC ]     STREAM     LISTENING     12561  private/local
unix  2      [ ACC ]     STREAM     LISTENING     12565  private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     12569  private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     12573  private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     12577  private/scache
unix  2      [ ACC ]     STREAM     LISTENING     12581  private/maildrop
unix  2      [ ACC ]     STREAM     LISTENING     14030  /tmp/gpg-5sWDuc/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     12585  private/cyrus
unix  2      [ ACC ]     STREAM     LISTENING     12589  private/uucp
unix  2      [ ACC ]     STREAM     LISTENING     12593  private/ifmail
unix  2      [ ACC ]     STREAM     LISTENING     12597  private/bsmtp
unix  2      [ ACC ]     STREAM     LISTENING     12601  private/procmail
unix  2      [ ACC ]     STREAM     LISTENING     12605  private/retry
unix  2      [ ACC ]     STREAM     LISTENING     15126  /tmp/orbit-gail/linc-dbc-0-1feb883edc9c0
unix  2      [ ACC ]     STREAM     LISTENING     16420  /tmp/orbit-gail/linc-e7f-0-7138968d5291
unix  2      [ ACC ]     STREAM     LISTENING     43287  /tmp/orbit-gail/linc-178c-0-52d285ffef1f2
unix  2      [ ACC ]     STREAM     LISTENING     14033  /tmp/ssh-Fmzlg3235/agent.3235
unix  2      [ ACC ]     STREAM     LISTENING     12063  @/var/run/dbus-9StAE4IJ1s
unix  2      [ ACC ]     STREAM     LISTENING     14950  /tmp/keyring-PDy8m1/socket
unix  2      [ ACC ]     STREAM     LISTENING     33199  socket
unix  2      [ ACC ]     STREAM     LISTENING     14042  @/tmp/dbus-1tHAEbrrYy
unix  20     [ ]         DGRAM                    8535   /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     11622  /var/run/xdmctl/dmctl/socket
unix  2      [ ACC ]     STREAM     LISTENING     11645  /var/run/xdmctl/dmctl-:0/socket
unix  2      [ ]         DGRAM                    4492   @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     12506  public/cleanup
unix  2      [ ]         DGRAM                    8586   @/org/freedesktop/hal/udev_event
unix  2      [ ACC ]     STREAM     LISTENING     15019  /home/gail/.beagle/socket
unix  2      [ ACC ]     STREAM     LISTENING     8492   /var/run/.resmgr_socket
unix  2      [ ACC ]     STREAM     LISTENING     8510   /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     8182   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12529  private/verify
unix  2      [ ACC ]     STREAM     LISTENING     12513  private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     12517  private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     8568   @/var/run/hald/dbus-SylOXYGAqF
unix  2      [ ACC ]     STREAM     LISTENING     14117  /tmp/ksocket-gail/kdeinit__0
unix  2      [ ACC ]     STREAM     LISTENING     14119  /tmp/ksocket-gail/kdeinit-:0
unix  2      [ ACC ]     STREAM     LISTENING     11730  /var/run/audit_events
unix  2      [ ACC ]     STREAM     LISTENING     12061  /var/run/sdp
unix  2      [ ACC ]     STREAM     LISTENING     14126  /tmp/.ICE-unix/dcop3336-1210019800
unix  2      [ ACC ]     STREAM     LISTENING     11805  /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     14219  /tmp/.ICE-unix/3347
unix  2      [ ACC ]     STREAM     LISTENING     14147  /tmp/ksocket-gail/klauncherI0t1ya.slave-socket
unix  2      [ ACC ]     STREAM     LISTENING     20609  /tmp/ksocket-gail/kdesud_:0
unix  2      [ ACC ]     STREAM     LISTENING     12533  public/flush
unix  2      [ ACC ]     STREAM     LISTENING     11912  /var/run/nscd/socket
unix  2      [ ACC ]     STREAM     LISTENING     12537  private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     12315  /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     8565   @/var/run/hald/dbus-qOCmW0rVCY
unix  2      [ ACC ]     STREAM     LISTENING     12816  /var/run/smpppd/control
unix  2      [ ACC ]     STREAM     LISTENING     11630  /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     12521  private/defer
unix  2      [ ACC ]     STREAM     LISTENING     12525  private/trace
unix  2      [ ACC ]     STREAM     LISTENING     12541  private/smtp
unix  3      [ ]         STREAM     CONNECTED     62260  @/tmp/dbus-1tHAEbrrYy
unix  3      [ ]         STREAM     CONNECTED     62259
unix  3      [ ]         STREAM     CONNECTED     61795  /tmp/ksocket-gail/klauncherI0t1ya.slave-socket
unix  3      [ ]         STREAM     CONNECTED     61794
unix  3      [ ]         STREAM     CONNECTED     61349  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     61348
unix  3      [ ]         STREAM     CONNECTED     61342  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     61341
unix  3      [ ]         STREAM     CONNECTED     61340  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     61339
unix  3      [ ]         STREAM     CONNECTED     61067  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     61066
unix  2      [ ]         DGRAM                    59767
unix  3      [ ]         STREAM     CONNECTED     43290  /tmp/orbit-gail/linc-178c-0-52d285ffef1f2
unix  3      [ ]         STREAM     CONNECTED     43289
unix  3      [ ]         STREAM     CONNECTED     43286  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  3      [ ]         STREAM     CONNECTED     43285
unix  3      [ ]         STREAM     CONNECTED     43267  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     43266
unix  3      [ ]         STREAM     CONNECTED     33259  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     33258
unix  3      [ ]         STREAM     CONNECTED     33257  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     33256
unix  3      [ ]         STREAM     CONNECTED     33247
unix  3      [ ]         STREAM     CONNECTED     33246
unix  3      [ ]         STREAM     CONNECTED     33242  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     33241
unix  3      [ ]         STREAM     CONNECTED     33237  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     33236
unix  3      [ ]         STREAM     CONNECTED     33235  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     33234
unix  3      [ ]         STREAM     CONNECTED     33225
unix  3      [ ]         STREAM     CONNECTED     33224
unix  3      [ ]         STREAM     CONNECTED     33223  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     33222
unix  3      [ ]         STREAM     CONNECTED     33219  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     33218
unix  3      [ ]         STREAM     CONNECTED     33210  socket
unix  3      [ ]         STREAM     CONNECTED     33206
unix  3      [ ]         STREAM     CONNECTED     32333  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     32332
unix  3      [ ]         STREAM     CONNECTED     32328  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     32327
unix  3      [ ]         STREAM     CONNECTED     32326  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     32325
unix  3      [ ]         STREAM     CONNECTED     20612  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     20611
unix  3      [ ]         STREAM     CONNECTED     16438  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     16437
unix  3      [ ]         STREAM     CONNECTED     16423  /tmp/orbit-gail/linc-e7f-0-7138968d5291
unix  3      [ ]         STREAM     CONNECTED     16422
unix  3      [ ]         STREAM     CONNECTED     16419  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  3      [ ]         STREAM     CONNECTED     16418
unix  3      [ ]         STREAM     CONNECTED     16417  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     16416
unix  3      [ ]         STREAM     CONNECTED     16410  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     16409
unix  3      [ ]         STREAM     CONNECTED     15333  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15332
unix  3      [ ]         STREAM     CONNECTED     15329  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     15328
unix  2      [ ]         STREAM     CONNECTED     15326
unix  3      [ ]         STREAM     CONNECTED     15324  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     15323
unix  3      [ ]         STREAM     CONNECTED     15319  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     15318
unix  3      [ ]         STREAM     CONNECTED     15315  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15314
unix  3      [ ]         STREAM     CONNECTED     15311  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15310
unix  3      [ ]         STREAM     CONNECTED     15139  /tmp/orbit-gail/linc-d32-0-3ae18d4766a6e
unix  3      [ ]         STREAM     CONNECTED     15138
unix  3      [ ]         STREAM     CONNECTED     15137  /tmp/orbit-gail/linc-dbc-0-1feb883edc9c0
unix  3      [ ]         STREAM     CONNECTED     15136
unix  3      [ ]         STREAM     CONNECTED     15135  /tmp/orbit-gail/linc-dbc-0-1feb883edc9c0
unix  3      [ ]         STREAM     CONNECTED     15134
unix  3      [ ]         STREAM     CONNECTED     15133  /tmp/orbit-gail/linc-d9c-0-5f18729070b7d
unix  3      [ ]         STREAM     CONNECTED     15132
unix  3      [ ]         STREAM     CONNECTED     15129  /tmp/orbit-gail/linc-dbc-0-1feb883edc9c0
unix  3      [ ]         STREAM     CONNECTED     15128
unix  3      [ ]         STREAM     CONNECTED     15125  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  3      [ ]         STREAM     CONNECTED     15124
unix  3      [ ]         STREAM     CONNECTED     15103  /tmp/orbit-gail/linc-d32-0-3ae18d4766a6e
unix  3      [ ]         STREAM     CONNECTED     15102
unix  3      [ ]         STREAM     CONNECTED     15101  /tmp/orbit-gail/linc-d9c-0-5f18729070b7d
unix  3      [ ]         STREAM     CONNECTED     15100
unix  3      [ ]         STREAM     CONNECTED     15078  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15077
unix  3      [ ]         STREAM     CONNECTED     15010  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     15009
unix  3      [ ]         STREAM     CONNECTED     14974  @/tmp/dbus-1tHAEbrrYy
unix  3      [ ]         STREAM     CONNECTED     14973
unix  3      [ ]         STREAM     CONNECTED     14969  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     14968
unix  3      [ ]         STREAM     CONNECTED     14762  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14761
unix  3      [ ]         STREAM     CONNECTED     14758  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14757
unix  3      [ ]         STREAM     CONNECTED     14756  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14755
unix  3      [ ]         STREAM     CONNECTED     14753  /tmp/orbit-gail/linc-d32-0-3ae18d4766a6e
unix  3      [ ]         STREAM     CONNECTED     14752
unix  3      [ ]         STREAM     CONNECTED     14722  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14721
unix  3      [ ]         STREAM     CONNECTED     14702  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14701
unix  3      [ ]         STREAM     CONNECTED     14693  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14692
unix  3      [ ]         STREAM     CONNECTED     14690  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14689
unix  3      [ ]         STREAM     CONNECTED     14687  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     14686
unix  3      [ ]         STREAM     CONNECTED     14682  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14681
unix  3      [ ]         STREAM     CONNECTED     14673  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14672
unix  3      [ ]         STREAM     CONNECTED     14667  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14666
unix  3      [ ]         STREAM     CONNECTED     14658  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14657
unix  3      [ ]         STREAM     CONNECTED     14659  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14655
unix  3      [ ]         STREAM     CONNECTED     14645  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14644
unix  3      [ ]         STREAM     CONNECTED     14642  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14641
unix  3      [ ]         STREAM     CONNECTED     14632  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14631
unix  3      [ ]         STREAM     CONNECTED     14751  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  3      [ ]         STREAM     CONNECTED     14607
unix  2      [ ]         DGRAM                    14597
unix  3      [ ]         STREAM     CONNECTED     14560  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14559
unix  3      [ ]         STREAM     CONNECTED     14545  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14544
unix  3      [ ]         STREAM     CONNECTED     14541  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14540
unix  3      [ ]         STREAM     CONNECTED     14530  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14529
unix  3      [ ]         STREAM     CONNECTED     14525  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14524
unix  3      [ ]         STREAM     CONNECTED     14508  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14507
unix  3      [ ]         STREAM     CONNECTED     14504  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14503
unix  3      [ ]         STREAM     CONNECTED     14502  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14501
unix  3      [ ]         STREAM     CONNECTED     14458  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14457
unix  3      [ ]         STREAM     CONNECTED     14392  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14391
unix  3      [ ]         STREAM     CONNECTED     14323  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14322
unix  3      [ ]         STREAM     CONNECTED     14319  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14318
unix  3      [ ]         STREAM     CONNECTED     14315  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14314
unix  3      [ ]         STREAM     CONNECTED     14280  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14279
unix  3      [ ]         STREAM     CONNECTED     14278  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14277
unix  3      [ ]         STREAM     CONNECTED     14272  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14271
unix  3      [ ]         STREAM     CONNECTED     14258  /tmp/.ICE-unix/3347
unix  3      [ ]         STREAM     CONNECTED     14257
unix  3      [ ]         STREAM     CONNECTED     14256  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14255
unix  3      [ ]         STREAM     CONNECTED     14250  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14249
unix  3      [ ]         STREAM     CONNECTED     14218  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14217
unix  3      [ ]         STREAM     CONNECTED     14212  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14211
unix  3      [ ]         STREAM     CONNECTED     14203  /tmp/ksocket-gail/kdeinit__0
unix  3      [ ]         STREAM     CONNECTED     14202
unix  3      [ ]         STREAM     CONNECTED     14195  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     14194
unix  3      [ ]         STREAM     CONNECTED     14162  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14161
unix  3      [ ]         STREAM     CONNECTED     14160  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14159
unix  3      [ ]         STREAM     CONNECTED     14150  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14149
unix  3      [ ]         STREAM     CONNECTED     14142  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]         STREAM     CONNECTED     14141
unix  3      [ ]         STREAM     CONNECTED     14137
unix  3      [ ]         STREAM     CONNECTED     14136
unix  3      [ ]         STREAM     CONNECTED     14046  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14045
unix  3      [ ]         STREAM     CONNECTED     14044
unix  3      [ ]         STREAM     CONNECTED     14043
unix  3      [ ]         STREAM     CONNECTED     13871  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     13870
unix  2      [ ]         DGRAM                    12815
unix  3      [ ]         STREAM     CONNECTED     12802  /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     12801
unix  3      [ ]         STREAM     CONNECTED     12795  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     12794
unix  2      [ ]         DGRAM                    12640
unix  2      [ ]         DGRAM                    12619
unix  3      [ ]         STREAM     CONNECTED     12608
unix  3      [ ]         STREAM     CONNECTED     12607
unix  3      [ ]         STREAM     CONNECTED     12604
unix  3      [ ]         STREAM     CONNECTED     12603
unix  3      [ ]         STREAM     CONNECTED     12600
unix  3      [ ]         STREAM     CONNECTED     12599
unix  3      [ ]         STREAM     CONNECTED     12596
unix  3      [ ]         STREAM     CONNECTED     12595
unix  3      [ ]         STREAM     CONNECTED     12592
unix  3      [ ]         STREAM     CONNECTED     12591
unix  3      [ ]         STREAM     CONNECTED     12588
unix  3      [ ]         STREAM     CONNECTED     12587
unix  3      [ ]         STREAM     CONNECTED     12584
unix  3      [ ]         STREAM     CONNECTED     12583
unix  3      [ ]         STREAM     CONNECTED     12580
unix  3      [ ]         STREAM     CONNECTED     12579
unix  3      [ ]         STREAM     CONNECTED     12576
unix  3      [ ]         STREAM     CONNECTED     12575
unix  3      [ ]         STREAM     CONNECTED     12572
unix  3      [ ]         STREAM     CONNECTED     12571
unix  3      [ ]         STREAM     CONNECTED     12568
unix  3      [ ]         STREAM     CONNECTED     12567
unix  3      [ ]         STREAM     CONNECTED     12564
unix  3      [ ]         STREAM     CONNECTED     12563
unix  3      [ ]         STREAM     CONNECTED     12560
unix  3      [ ]         STREAM     CONNECTED     12559
unix  3      [ ]         STREAM     CONNECTED     12556
unix  3      [ ]         STREAM     CONNECTED     12555
unix  3      [ ]         STREAM     CONNECTED     12552
unix  3      [ ]         STREAM     CONNECTED     12551
unix  3      [ ]         STREAM     CONNECTED     12548
unix  3      [ ]         STREAM     CONNECTED     12547
unix  3      [ ]         STREAM     CONNECTED     12544
unix  3      [ ]         STREAM     CONNECTED     12543
unix  3      [ ]         STREAM     CONNECTED     12540
unix  3      [ ]         STREAM     CONNECTED     12539
unix  3      [ ]         STREAM     CONNECTED     12536
unix  3      [ ]         STREAM     CONNECTED     12535
unix  3      [ ]         STREAM     CONNECTED     12532
unix  3      [ ]         STREAM     CONNECTED     12531
unix  3      [ ]         STREAM     CONNECTED     12528
unix  3      [ ]         STREAM     CONNECTED     12527
unix  3      [ ]         STREAM     CONNECTED     12524
unix  3      [ ]         STREAM     CONNECTED     12523
unix  3      [ ]         STREAM     CONNECTED     12520
unix  3      [ ]         STREAM     CONNECTED     12519
unix  3      [ ]         STREAM     CONNECTED     12516
unix  3      [ ]         STREAM     CONNECTED     12515
unix  3      [ ]         STREAM     CONNECTED     12512
unix  3      [ ]         STREAM     CONNECTED     12511
unix  3      [ ]         STREAM     CONNECTED     12509
unix  3      [ ]         STREAM     CONNECTED     12508
unix  3      [ ]         STREAM     CONNECTED     12505
unix  3      [ ]         STREAM     CONNECTED     12504
unix  3      [ ]         STREAM     CONNECTED     12502
unix  3      [ ]         STREAM     CONNECTED     12501
unix  2      [ ]         DGRAM                    12403
unix  2      [ ]         DGRAM                    12161
unix  3      [ ]         STREAM     CONNECTED     12090  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     12089
unix  2      [ ]         DGRAM                    12088
unix  2      [ ]         DGRAM                    12075
unix  3      [ ]         STREAM     CONNECTED     12052  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     12051
unix  2      [ ]         DGRAM                    12022
unix  2      [ ]         DGRAM                    11900
unix  3      [ ]         STREAM     CONNECTED     11899  /var/run/avahi-daemon/socket
unix  3      [ ]         STREAM     CONNECTED     11882
unix  3      [ ]         STREAM     CONNECTED     11877  /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     11876
unix  3      [ ]         STREAM     CONNECTED     11860  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     11807
unix  2      [ ]         DGRAM                    11769
unix  2      [ ]         DGRAM                    11729
unix  2      [ ]         DGRAM                    11728
unix  2      [ ]         DGRAM                    11715
unix  3      [ ]         STREAM     CONNECTED     11714
unix  3      [ ]         STREAM     CONNECTED     11713
unix  3      [ ]         STREAM     CONNECTED     11655  /var/run/acpid.socket
Next bit in next post

Last edited by unSpawn; 05-08-2008 at 06:49 AM. Reason: using BB code tags providing improved readability
 
Old 05-07-2008, 08:17 AM   #8
ilago
LQ Newbie
 
Registered: Dec 2006
Location: Australia
Distribution: Mepis, PCLinuxOS, openSuse 10.3
Posts: 16

Original Poster
Rep: Reputation: 0
Rest of log
Code:
unix  3      [ ]         STREAM     CONNECTED     11654
unix  5      [ ]         STREAM     CONNECTED     12129  /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     11651
unix  3      [ ]         STREAM     CONNECTED     11547  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     11546
unix  2      [ ]         DGRAM                    11542
unix  3      [ ]         STREAM     CONNECTED     11529  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     11528
unix  3      [ ]         STREAM     CONNECTED     11508  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     11507
unix  2      [ ]         DGRAM                    11506
unix  3      [ ]         STREAM     CONNECTED     11476  @/var/run/hald/dbus-qOCmW0rVCY
unix  3      [ ]         STREAM     CONNECTED     11475
unix  3      [ ]         STREAM     CONNECTED     11474  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     11473
unix  3      [ ]         STREAM     CONNECTED     11289  /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     11288
unix  3      [ ]         STREAM     CONNECTED     11287  /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     11286
unix  3      [ ]         STREAM     CONNECTED     11283  @/var/run/hald/dbus-qOCmW0rVCY
unix  3      [ ]         STREAM     CONNECTED     11279
unix  3      [ ]         STREAM     CONNECTED     11274  @/var/run/hald/dbus-qOCmW0rVCY
unix  3      [ ]         STREAM     CONNECTED     11272
unix  3      [ ]         STREAM     CONNECTED     10826  @/var/run/hald/dbus-qOCmW0rVCY
unix  3      [ ]         STREAM     CONNECTED     10825
unix  3      [ ]         STREAM     CONNECTED     8571   @/var/run/hald/dbus-SylOXYGAqF
unix  3      [ ]         STREAM     CONNECTED     8570
unix  3      [ ]         STREAM     CONNECTED     8567   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8566
unix  2      [ ]         DGRAM                    8561
unix  3      [ ]         STREAM     CONNECTED     8540   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8539
unix  3      [ ]         STREAM     CONNECTED     8185
unix  3      [ ]         STREAM     CONNECTED     8184
Within the limits of my knowledge and experience, the only thing I found of concern is that I have nx installed in my user profile. It was installed from the repos, but there are clear indications that it belongs to gopc.net with their legitimate IP included. The logs show it has never been used. I have no idea how it got there. It's dated 1st May.

I did run some of the commands suggested. Should I post those so someone can have a look?

Last edited by unSpawn; 05-08-2008 at 06:37 AM.
 
Old 05-08-2008, 06:35 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
Quote:
Originally Posted by ilago View Post
This is the netstat -an result I'm concerned about.
You have SSH, mail, RPC, mDNS, BOOTP and IPP listening. If the machine was not firewalled to deny access from the 'net to those services that could be a Bad Thing if they allowed access to the system one way or another. That doesn't automagically mean your machine got subverted (and there are no outbound network connections that look suspicious) but proceeding with further checks would be a Good Thing, even if only to get acquainted with a procedure.


Quote:
Originally Posted by ilago View Post
I used bold on the entries I'm concerned about.
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 12545 private/relay
unix 2 [ ACC ] STREAM LISTENING 12549 public/showq
unix 2 [ ACC ] STREAM LISTENING 12553 private/error[
unix 2 [ ACC ] STREAM LISTENING 12557 private/discard
unix 2 [ ACC ] STREAM LISTENING 12561 private/local
unix 2 [ ACC ] STREAM LISTENING 12565 private/virtual
unix 2 [ ACC ] STREAM LISTENING 12569 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 12573 private/anvil
unix 2 [ ACC ] STREAM LISTENING 12577 private/scache
unix 2 [ ACC ] STREAM LISTENING 12581 private/maildrop
unix 2 [ ACC ] STREAM LISTENING 12585 private/cyrus
unix 2 [ ACC ] STREAM LISTENING 12589 private/uucp
unix 2 [ ACC ] STREAM LISTENING 12593 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 12597 private/bsmtp
unix 2 [ ACC ] STREAM LISTENING 12601 private/procmail
unix 2 [ ACC ] STREAM LISTENING 12605 private/retry

unix 2 [ ACC ] STREAM LISTENING 12506 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 12529 private/verify
unix 2 [ ACC ] STREAM LISTENING 12513 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 12517 private/bounce
unix 2 [ ACC ] STREAM LISTENING 12533 public/flush
unix 2 [ ACC ] STREAM LISTENING 12537 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 12521 private/defer
unix 2 [ ACC ] STREAM LISTENING 12525 private/trace
unix 2 [ ACC ] STREAM LISTENING 12541 private/smtp
These are "UNIX" domain sockets (AF_UNIX), not to be mistaken for network connections (AF_INET). They are basically named pipes through which processes "talk" to each other. If you 'lsof -w -n | egrep "private/(relay|error|anvil)"', you can see the process name, process ID, username, socket type and location of the process. Knowing the process ID or PID means that for PID $PID, the executable is located at /proc/$PID. So 'readlink -f /proc/$PID/exe' shows you which binary is responsible. Why not simply look at the process name? Well, the name (argv[0]) can be changed easily. If you only see "httpd" you might think it's Apache, but finding it's "/tmp/.../apache" would be more than suspicious. In your case you'll find your sockets are part of that certain MTA that needs a gazillion binaries and processes to do what others do with just one or two.



Quote:
Originally Posted by ilago View Post
I did run some of the commands suggested. Should I post those so someone can have a look.
Please do, but please use BB code tags. If it's too many lines you could make a compressed tarball out of it, upload to some free file hosting provider and post the URI here.
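The socket-to-binary check described in the post above, put together as an added example (not code from the thread or from any of its participants): a POSIX sh script that maps a socket path pattern to its owning PIDs with lsof, resolves each PID's binary through /proc/$PID/exe, and flags binaries living outside the usual system directories. The directory whitelist and the script name check_sockets.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: map UNIX sockets to the binaries that
# own them, then judge where each binary lives instead of trusting its name.

# The kernel-maintained /proc/$PID/exe symlink points at the real binary;
# argv[0] can be forged, this link cannot be (without root).
exe_of_pid() {
    readlink -f "/proc/$1/exe" 2>/dev/null
}

# Assumed whitelist: directories where system daemons are expected to live.
path_is_expected() {
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/lib64/*|/usr/libexec/*|/usr/local/bin/*|/usr/local/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verdict for a resolved binary path (empty path = exe link unreadable).
verdict_for() {
    if [ -z "$1" ]; then
        echo UNKNOWN
    elif path_is_expected "$1"; then
        echo OK
    else
        echo SUSPICIOUS
    fi
}

# PIDs owning UNIX sockets whose path matches an ERE, e.g. 'private/(relay|anvil)'.
# Needs lsof; run as root to see every process.
pids_for_socket() {
    lsof -w -n -U 2>/dev/null | awk -v pat="$1" '$0 ~ pat { print $2 }' | sort -u
}

# One line per PID: pid, kernel command name, resolved binary, verdict.
report_pids() {
    for pid in "$@"; do
        exe=$(exe_of_pid "$pid")
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        echo "$pid $comm ${exe:-?} $(verdict_for "$exe")"
    done
}

# Usage: sh check_sockets.sh 'private/(relay|error|anvil)'
if [ -n "$1" ]; then
    report_pids $(pids_for_socket "$1")
fi
```

An UNKNOWN verdict usually means the exe link is not readable by your user; rerun as root before drawing conclusions.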