LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-15-2010, 01:36 AM   #1
rolandjdc
LQ Newbie
 
Registered: Jun 2004
Location: Washington DC
Distribution: Kubuntu 7.04
Posts: 22

Rep: Reputation: 15
I Think I've Been Hacked; Weird Stuff Showing Up In /var/log/syslog


I'm looking at my log files and I see two weird things:

1.) in Firestarter's active connections space, I see a port 443 (HTTPS) connection going to 63.76.73.177, which is basically Scottrade.com. I was there earlier today, but didn't sign up for anything.

Firestarter shows a port 443 (HTTPS) connection going to portfolio-director.com, an alias for portfoliodirector.com, where I didn't go today.

Why would this happen? Firestarter's events list doesn't show any outgoing stuff, only a lot of people trying UDP or Microsoft-ds type scans.



2.) From /var/log/syslog I'm getting stuff like

2010-02-15 02:03:16 sibilla kernel [96053.346701] Inbound IN=eth1 OUT= MAC=00:1d:60:7f:d3:44:00:90:1a:40:90:1c:08:00 SRC=121.120.53.77 DST= (my ip address) LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=2297 DF PROTO=TCP SPT=1157 DPT=445 WINDOW=64380 RES=0x00 SYN URGP=0

I'm not an expert at this stuff, I'm still learning. I looked up 121.120.53.77 using whois and it's an address in Malaysia.

I've run who and only I'm showing up; running nmap on my IP address only shows port 80 being up (which is true) because I turn off port 22.

** Addendum **

I just used GNOME Network Tools and portscanned my IP address. It said 80 was open (fine) and that 42052 and 50858 are open, service unknown. I'll investigate this further...

I've always applied my bug fixes and system updates as soon as I get the notifications, but I suppose even that doesn't keep crackers away.

I'd seriously appreciate any help ...

Last edited by rolandjdc; 02-15-2010 at 02:13 AM. Reason: Removed my ip address.
 
Old 02-15-2010, 05:01 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,289

Rep: Reputation: 2322
Clean up /tmp, & ~/ close any port you don't know about and tighten up on permissions everywhere. Having only one user robs things of security, because he's almost as good as root. Can he sudo? Very bad if you're online. Are you running X? Get serious, and tighten up.

In the medium term, consider switching to D.J.Bernstein's servers http://cr.yp.to
The man is mad imho, and hugely conceited, documentation is poor, but they are extremely secure. He can replace inetd, bind, sendmail, and possibly others with weirdo tools in strange places that have excellent security, and typically do things as weird users with shells like /bin/true. Throughput is achieved by three or four of these weirdo processes in a 'Mexican wave', appearing & disappearing nearly instantly.
 
Old 02-15-2010, 06:09 AM   #3
rolandjdc
LQ Newbie
 
Registered: Jun 2004
Location: Washington DC
Distribution: Kubuntu 7.04
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by business_kid View Post
Clean up /tmp, & ~/ close any port you don't know about and tighten up on permissions everywhere. Having only one user robs things of security, because he's almost as good as root. Can he sudo? Very bad if you're online. Are you running X? Get serious, and tighten up.

In the medium term, consider switching to D.J.Bernstein's servers http://cr.yp.to
The man is mad imho, and hugely conceited, documentation is poor, but they are extremely secure. He can replace inetd, bind, sendmail, and possibly others with weirdo tools in strange places that have excellent security, and typically do things as weird users with shells like /bin/true. Throughput is achieved by three or four of these weirdo processes in a 'Mexican wave', appearing & disappearing nearly instantly.
Hi business_kid,

Thank you for writing back!

By cleaning up /tmp, do you mean just blowing away everything in there and letting the system processes redo what's needed, or ...?

I ran nmap on localhost and found 3 open ports: www, mysql (3306) and 631, which is ipp, Internet printing protocol. I don't print, so I may as well uninstall CUPS. I'll close up mysql and edit Apache to refuse any exterior connection. I'll also permanently disable sshd, at least til such times that I can manage it effectively.

I am running X, because this is my main machine. I've unplugged the network cable and changed my password.

If someone else is using the machine while it's networked, what's the best way to tell if the intruder can sudo, one of the log files? And if he could, would his actions necessarily show up in the files?

Thanks again!
 
Old 02-15-2010, 06:42 AM   #4
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
Blog Entries: 31

Rep: Reputation: 1208
How is your computer connected to the Internet?
 
Old 02-15-2010, 07:17 AM   #5
rolandjdc
LQ Newbie
 
Registered: Jun 2004
Location: Washington DC
Distribution: Kubuntu 7.04
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by catkin View Post
How is your computer connected to the Internet?
Hi catkin,

Thank you for writing! I'm on DSL going into eth1. I have a small apartment, so there wasn't any point in getting wifi.

I've alerted my ISP, just in case anything strange is happening that I don't know about.
 
Old 02-15-2010, 07:29 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Let's get sensible about this. At this point, you've presented nothing that indicates an attack has occurred, much less a successful breach. So before going off and messing with a ton of stuff, let's get an idea if we have a problem to begin with. First, if you're concerned about unauthorized access, cut it all off. You can either pull the network plug or put up a firewall that only allows SSH access from a trusted IP. Nothing else. Second, let's see if anything unusual is listening, not just open. Please post the output of:

lsof -Pwn
netstat -pane
ps -axfwwwe


What we're looking for out of these commands is something that you don't know about. Unknown servers, new users, that sort of thing. It would also be a good thing if we knew what you were serving up with Apache.

Last edited by Hangdog42; 02-15-2010 at 07:31 AM.
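The check Hangdog42 describes (compare what is actually listening against the services you know you run) can be done against saved `netstat -pane` output. The following is an added example, not the poster's attachment or any forum member's code: the sample rows are constructed in netstat's column layout, and the baseline is the thread's own list of expected services (Apache, MySQL, CUPS) plus an assumed dhclient entry.

```python
# Constructed sample in the column layout of `netstat -pane` (not the poster's
# file). netstat prints '-' in PID/Program name when it cannot read the owning
# process, which is why the thread asked for the output to be taken as root.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          9001       1180/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      104        9002       1205/mysqld
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          9003       1230/cupsd
tcp        0      0 0.0.0.0:42052           0.0.0.0:*               LISTEN      1000       9004       -
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED 33         9005       1181/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          9006       980/dhclient
"""

# Baseline of services the owner knows about (from the thread); the udp/68
# dhclient entry is an assumption added for the example.
BASELINE = {("tcp", 80): "apache2", ("tcp", 3306): "mysqld",
            ("tcp", 631): "cupsd", ("udp", 68): "dhclient"}


def parse_sockets(text):
    """Yield one dict per tcp/udp row. UDP rows have no State column, so the
    trailing fields shift left by one; everything else is positional."""
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].startswith(("tcp", "udp")):
            continue                       # header lines, unix sockets, etc.
        is_tcp = f[0].startswith("tcp")
        state = f[5] if is_tcp else ""
        user, inode, prog = f[6:9] if is_tcp else f[5:8]
        addr, _, port = f[3].rpartition(":")
        yield {"proto": f[0][:3], "addr": addr, "port": int(port), "state": state,
               "user": user, "program": prog.split("/", 1)[-1]}


def listeners(text):
    """Sockets waiting for input: TCP in LISTEN, or any bound UDP socket."""
    return [s for s in parse_sockets(text)
            if (s["proto"] == "tcp" and s["state"] == "LISTEN") or s["proto"] == "udp"]


def review_listeners(text, baseline=BASELINE):
    """Flag listeners that are not in the baseline, are served by an unexpected
    program, or accept TCP connections from any address."""
    findings = []
    for s in listeners(text):
        expected = baseline.get((s["proto"], s["port"]))
        where = "all interfaces" if s["addr"] in ("0.0.0.0", "::") else s["addr"]
        if expected is None:
            findings.append("UNKNOWN: %s/%d on %s, program %s (uid %s): not in baseline"
                            % (s["proto"], s["port"], where, s["program"], s["user"]))
        elif s["program"] != expected:
            findings.append("MISMATCH: %s/%d served by %s, expected %s"
                            % (s["proto"], s["port"], s["program"], expected))
        elif where == "all interfaces" and s["proto"] == "tcp":
            findings.append("EXPOSED: %s/%d (%s) accepts connections from any address"
                            % (s["proto"], s["port"], expected))
    return findings
```

A program shown as `-` is a socket netstat could not attribute, so the UNKNOWN finding is a prompt to re-run as root or look the inode up with `lsof`, not a verdict.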
 
Old 02-15-2010, 07:29 AM   #7
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
Blog Entries: 31

Rep: Reputation: 1208
Quote:
Originally Posted by rolandjdc View Post
Thank you for writing! I'm on DSL going into eth1.
DSL via a NATting router or via hardware in your computer itself?
 
Old 02-15-2010, 07:50 AM   #8
rolandjdc
LQ Newbie
 
Registered: Jun 2004
Location: Washington DC
Distribution: Kubuntu 7.04
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by catkin View Post
DSL via a NATting router or via hardware in your computer itself?
@ catkin,

Broadxent DSL modem straight into my computer's Ethernet port via CAT 6 cable.

@ HangDog,

Thank you for writing! I'm sorry to sound overly excited ... long night of paranoia with a two espresso accelerant. I'll post the files in a second.
 
Old 02-15-2010, 08:22 AM   #9
rolandjdc
LQ Newbie
 
Registered: Jun 2004
Location: Washington DC
Distribution: Kubuntu 7.04
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Hangdog42 View Post
Let's get sensible about this. At this point, you've presented nothing that indicates an attack has occurred, much less a successful breach. So before going off and messing with a ton of stuff, let's get an idea if we have a problem to begin with. First, if you're concerned about unauthorized access, cut it all off. You can either pull the network plug or put up a firewall that only allows SSH access from a trusted IP. Nothing else. Second, let's see if anything unusual is listening, not just open. Please post the output of:

lsof -Pwn
netstat -pane
ps -axfwwwe


What we're looking for out of these commands is something that you don't know about. Unknown servers, new users, that sort of thing. It would also be a good thing if we knew what you were serving up with Apache.
The only thing I was serving with Apache was the index page and, in the last couple of days, some FLAC files for a buddy to grab. I've since deleted them from Apache.

Note that lsof -Pwn is truncated. LQ is only letting me upload 3 files. The netstat file was done as sudo and without the Ethernet cable plugged in and no wifi hooked up.
Attached Files
File Type: txt psdump.txt (66.2 KB, 21 views)
File Type: txt netstat-pane.txt (38.1 KB, 14 views)
File Type: txt lsof.txt (177.3 KB, 20 views)

Last edited by rolandjdc; 02-15-2010 at 08:23 AM. Reason: Ethernet was still up, just unplugged.
 
Old 02-15-2010, 12:19 PM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I'll ping one of the more experienced handlers here to check my conclusions, but to be honest, I'm not seeing anything to get excited/worried about. Your netstat dump didn't show anything unusual listening on TCP, provided you know you're running Apache, CUPS, MySQL and KDE. If one of those is a surprise to you, then maybe we worry a bit more. Similarly, your ps output seems to be consistent with running KDE and a fairly normal complement of Linux stuff. I'm afraid the lsof file is of somewhat limited use as it is only the processes running under your user. If Apache was the vector of attack, the bad guys would have gotten that user as their access point and potentially escalated to root. Or created an entirely different user.

I'm not familiar with Firestarter, so I don't know how much stock to put in its logs. However, firewall logs typically just show traffic; they can't really tell if there is something on your machine that is actively listening for a connection. The syslog entry you posted looks like normal traffic. One of the realities of connecting directly to the internet is that you are going to get scanned and scanned hard. It happens to everyone running a server.

I guess if I were in your shoes, I'd just keep an eye on the machine for odd behavior or traffic. You also might want to check the installed packages for integrity. I think the debsums program might do that, but I've never used it.
 
Old 02-15-2010, 12:52 PM   #11
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
As hangdog stated, there is nothing running that seems out of the ordinary. If you know that apache, cups, mysql and kde are running then it looks fine. If you visit a page and it has an ad in it, then your system will normally reach out to that site to pull the ad rather than the site you visited pulling it in; the page just says go "here" to get the info.
 
Old 02-15-2010, 01:59 PM   #12
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Personally, I don't see anything that indicates you've been compromised. I wouldn't worry about the outbound connection to portfolio-director.com. Chances are you went to a website that had an image or whatever that linked back to portfolio-director.com. You may not have gone there explicitly, but your browser downloaded something from that site, which would explain that log record.

As far as the firewall log record, that's probably just one of the many records that represent port sweeps or scans that happen all the time. With the way your network is apparently set up, you probably have a lot of log records like that.

Even if I only had one computer on my network, I would still use a common home router for extra protection instead of connecting my PC directly to the modem. With one of those routers, you won't see inbound connections like that unless you enabled port forwarding on the router.
 
1 members found this post helpful.
Old 02-15-2010, 02:24 PM   #13
rolandjdc
LQ Newbie
 
Registered: Jun 2004
Location: Washington DC
Distribution: Kubuntu 7.04
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by slimm609 View Post
As hangdog stated, there is nothing running that seems out of the ordinary. If you know that apache, cups, mysql and kde are running then it looks fine. If you visit a page and it has an ad in it, then your system will normally reach out to that site to pull the ad rather than the site you visited pulling it in; the page just says go "here" to get the info.
@ Hangdog42 and slimm609,

Yes, I knew I was running Apache, KDE, MySQL and CUPS. I noticed when I hooked the system back up to the 'Net, it felt more sluggish, but I think that might be an issue with Wicd; the Network Manager was too painful to fight with, it didn't want to keep a static IP address, stuff like that.

I haven't noticed any weird web pages being set up. I'm taking a gander at files created in the last couple of weeks. So far, nothing out of the ordinary - at least once I've Googled what they are ... some of them are pretty deep in the system.

Firestarter is a firewall generally used under Ubuntu. I don't mind being portscanned; I know that's part of online life.

I did a brief Wireshark capture last night. Brief is all my knowledge would allow. I noticed the only time it recorded activity on eth1 was when I pointed my browser to a few test sites.

I think what got me so hysterical was my own ignorance and a lot of caffeine ;-) I don't know how to expertly read /var/log/syslog, so what might be a mere scan, I automatically interpreted as an intrusion.

I've been meaning to install and learn Snort or something similar. Now's the time.

I'll set the machine to doing its sums.

Is the LQ limit on posted files a per user limit, or per thread? I didn't want to create a gigantic page from the lsof data; the file was 596 KB, and LQ doesn't take archives. Should I post the other two parts directly into the page?



@ anyone: If someone would be so kind as to break down the /var/log/syslog posting, or point to a good tutorial, I'd appreciate it.
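The syslog entry in the first post is a netfilter/iptables LOG line: everything after the firewall's log prefix is a series of KEY=VALUE fields plus bare flag tokens. The following is an added example for walking through it, not something from the thread or from Firestarter; the sample line is the poster's with the redacted DST replaced by an RFC 5737 documentation address, and the port-name table and the initial-TTL heuristic are assumptions of this example.

```python
# Constructed from the netfilter LOG line in the first post; the poster
# redacted DST, so a documentation address (RFC 5737) stands in for it.
SAMPLE_LINE = (
    "2010-02-15 02:03:16 sibilla kernel [96053.346701] Inbound IN=eth1 OUT= "
    "MAC=00:1d:60:7f:d3:44:00:90:1a:40:90:1c:08:00 SRC=121.120.53.77 DST=192.0.2.10 "
    "LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=2297 DF PROTO=TCP SPT=1157 DPT=445 "
    "WINDOW=64380 RES=0x00 SYN URGP=0"
)

# Small IANA port-name table for the ports that typically show up in home
# firewall logs (an assumption of this example, not a complete services file).
PORT_NAMES = {22: "ssh", 80: "http", 135: "msrpc", 139: "netbios-ssn",
              443: "https", 445: "microsoft-ds", 1433: "ms-sql-s", 3306: "mysql"}

# Tokens netfilter emits without '=': the IP DF/CE bits and the TCP flag bits.
FLAG_TOKENS = {"DF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_netfilter_line(line):
    """Split a kernel LOG entry into KEY=VALUE fields plus a set of flags.
    Text before the first KEY=VALUE token (timestamp, host, uptime stamp and
    the rule's --log-prefix) is kept as 'prefix'."""
    tokens = line.split()
    first_kv = next(i for i, t in enumerate(tokens) if "=" in t)
    rec = {"prefix": " ".join(tokens[:first_kv]), "flags": set()}
    for tok in tokens[first_kv:]:
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val                 # OUT= is empty: packet was not forwarded
        elif tok in FLAG_TOKENS:
            rec["flags"].add(tok)
    mac = rec.get("MAC", "")
    if mac.count(":") == 13:               # dst MAC (6) : src MAC (6) : ethertype (2)
        rec["dst_mac"], rec["src_mac"], rec["ethertype"] = mac[:17], mac[18:35], mac[36:]
    return rec


def guess_hops(ttl, initial_ttls=(64, 128, 255)):
    """Heuristic: assume the nearest common initial TTL at or above the observed
    value and read the difference as the hop count."""
    start = min(t for t in initial_ttls if t >= ttl)
    return start, start - ttl


def classify(rec):
    """Summarise the entry the way an analyst would read it."""
    flags = rec["flags"]
    new_syn = rec.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags
    dport = int(rec["DPT"])
    service = PORT_NAMES.get(dport, "unknown")
    initial, hops = guess_hops(int(rec["TTL"]))
    return {"new_connection_attempt": new_syn, "service": service,
            "summary": "%s %s:%s -> %s:%d (%s) via %s, ~%d hops from initial TTL %d"
                       % (rec["PROTO"], rec["SRC"], rec["SPT"], rec["DST"], dport,
                          service, rec["IN"], hops, initial)}
```

A lone SYN to a port you do not serve is exactly what a blocked probe looks like in these logs; the firewall dropped it, which is why the entry exists at all.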
 
Old 02-15-2010, 02:42 PM   #14
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
If someone would be so kind as to break down the /var/log/syslog posting, or point to a good tutorial, I'd appreciate it.
Guide to Computer Security Log Management
Recommendations of the National Institute of Standards and Technology
By Karen Kent and Murugiah Souppaya
http://csrc.nist.gov/publications/ni...2/SP800-92.pdf
 
Old 02-15-2010, 03:13 PM   #15
jstephens84
Senior Member
 
Registered: Sep 2004
Location: Nashville
Distribution: Manjaro, RHEL, CentOS
Posts: 2,098

Rep: Reputation: 102
Just my 2 cents here, but if you look through the source of the Scottrade website you will see that they make calls to a few other domains. Also, looking through portfolio-director.com, it looks like they have a partnership with Scottrade.

Here is a quick snippet from portfolio-director.com
Code:
<div id="right-content" class="yui-b">
			<div class="box1">
				<h2>Looking for a custodian?<br>
				Think Scottrade Advisor Services.</h2>
				<div class="button">
					<div class="button1"><a target="_blank" href="http://advisor.scottrade.com" >Learn More &gt;</a></div>

				</div>
			</div>
This just shows you that they are partnering together. So I agree with the others. I would not think too much into it.
 