LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-07-2011, 05:47 PM   #1
wiliamvw
little snitch


Does Linux have the equivalent of the Mac "Little Snitch"? Am sure my laptop is compromised, and it would be very useful.
 
Old 04-07-2011, 07:11 PM   #2
Tinkster
You should take the machine off the net as a first step, and ideally turn it off for the time being if you suspect it's been had.

No idea what Little Snitch is or does, but you may want to have a look at rkhunter and chkrootkit, run off a boot-CD like rescueCD or R.I.P.


And with these words I'm moving this thread over to security.



Cheers,
Tink
 
3 members found this post helpful.
Old 04-08-2011, 04:32 AM   #3
Noway2
As Tinkster said, there are tools like rkhunter and chkrootkit, but these are not usually the best place to start. LQ Sec can definitely help you to determine if your system has been compromised by guiding you through an investigation of the situation. The investigation process focuses on diagnostics to gain facts and clues regarding the state of the system. Like with hunting for ghosts, we sometimes find rational explanations for seemingly compromised behavior and other times we get real evidence of a compromise.

As Tinkster pointed out, the first step is to take the machine offline. It is best to do this by either disconnecting the network cable or putting up a firewall (iptables) to only allow SSH connections from a trusted source. Once you have secured the machine you can work with much less possibility of interference. The next step would be to review the CERT intruder detection checklist. It will give you an overview of the investigation process. Don't worry if a lot of it doesn't make sense, we can help with that.

Now, to begin, would you please describe what is happening that leads you to suspect that your machine may have been compromised? Please provide as much specific detail as possible, including log entries if you have them.
 
5 members found this post helpful.
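The "firewall that only allows SSH from a trusted source" that Noway2 describes, written out as an added example (not code from the thread or from any poster). It emits an iptables-restore ruleset so the rules can be read before they are loaded; the trusted address 192.168.1.5 and the choice of logging every other attempt are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# that isolates a suspect host, allowing inbound SSH only from one trusted
# address and logging every other connection attempt in either direction.
# The trusted address is an assumed placeholder; use the real admin host.

build_lockdown_rules() {
    trusted="$1"          # e.g. 192.168.1.5 (placeholder value)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections we already accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# inbound SSH only from the trusted administration host
-A INPUT -p tcp -s $trusted --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# log everything else so unexpected inbound probes and outbound "phone home"
# attempts show up in the kernel log (rate-limited so they cannot flood it);
# the chain policies above then drop the packet
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ISOLATE-IN: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "ISOLATE-OUT: "
COMMIT
EOF
}

# Apply the ruleset (requires root): the generated text is echoed to stderr
# for review, then loaded atomically with iptables-restore.
apply_lockdown() {
    build_lockdown_rules "$1" | tee /dev/stderr | iptables-restore
}

# Usage (as root):  apply_lockdown 192.168.1.5
```

With OUTPUT defaulting to DROP, anything on the box that tries to reach out while you investigate is recorded under the ISOLATE-OUT: prefix in the kernel log rather than silently getting through, which is exactly the kind of evidence the investigation wants.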
Old 04-08-2011, 07:10 AM   #4
unixfool
From the web page:

"Little Snitch informs you whenever a program attempts to establish an outgoing Internet connection."

The same can be done with tcpdump, snort, or any sniffer-type program (Wireshark, for instance). But if you're looking for a GUI-type of software for Linux that's equivalent to Little Snitch, you're not going to have much luck.

But really, the same thing CAN be done with a firewall also...in Linux and with a FW front-end. The most misleading thing on the Little Snitch website description is this: "A firewall protects your computer against unwanted guests from the Internet. But who protects your private data from being sent out? Little Snitch does!" A properly configured firewall will protect against both inbound and outbound attacks/anomalies.

Such software should be run to prevent intrusion, not installed after the fact, but it can be done. Also, at this point, anything on the system is suspect, so you should probably use a live-CD to investigate, as its binaries would be more trustworthy than what's on your suspect machine.

At this point you should use the guidance that Tinkster and Noway2 supplied.
 
1 members found this post helpful.
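The tcpdump approach unixfool mentions, as an added example that is not from the thread: a small filter that turns a capture into a "who is this host trying to connect to" list, the closest command-line counterpart to Little Snitch's outbound alert. The capture lines below are constructed, and 192.168.1.10 is an assumed address for the host being watched.

```shell
#!/bin/sh
# Added example (not from the thread): summarise new outbound TCP connection
# attempts from tcpdump output. A real capture comes from something like
#   tcpdump -nn -l -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# The sample below is constructed for the example.

# Print "destination port count" for every connection attempt (a SYN without
# ACK) sent by the local host, most frequent first.
outbound_syns() {
    local_ip="$1"
    awk -v me="$local_ip" '
        # tcpdump line shape: <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; dst = $5
            sub(/:$/, "", dst)                              # drop trailing colon
            split(src, s, "."); srcip = s[1] "." s[2] "." s[3] "." s[4]
            if (srcip != me) next                           # only our own SYNs
            m = split(dst, d, "."); dstip = d[1] "." d[2] "." d[3] "." d[4]
            count[dstip " " d[m]]++                         # d[m] is the port
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1
}

# Constructed capture: two attempts to an HTTPS host, one to an IRC port,
# one SYN-ACK reply, one inbound probe and one data packet (all ignored).
SAMPLE_CAPTURE='12:00:01.100000 IP 192.168.1.10.45678 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.200000 IP 93.184.216.34.443 > 192.168.1.10.45678: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.100000 IP 192.168.1.10.45679 > 203.0.113.7.6667: Flags [S], seq 3, win 64240, length 0
12:00:02.300000 IP 192.168.1.10.45680 > 93.184.216.34.443: Flags [S], seq 4, win 64240, length 0
12:00:03.000000 IP 198.51.100.9.51000 > 192.168.1.10.22: Flags [S], seq 5, win 64240, length 0
12:00:04.000000 IP 192.168.1.10.45681 > 203.0.113.7.6667: Flags [P.], seq 6:10, ack 1, win 64240, length 4'

summarise_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | outbound_syns 192.168.1.10
}

# Usage: summarise_sample   (or: tcpdump ... | outbound_syns 192.168.1.10)
```

tcpdump sees the packets but not the program behind them; `ss -tnp` (or `netstat -tnp`) run as root shows which PID owns each live socket, which is the piece Little Snitch adds on top of a sniffer.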
Old 04-09-2011, 12:09 AM   #5
coralfang
As the above poster said:
Quote:
The same can be done with tcpdump, snort, or any sniffer-type program (Wireshark, for instance). But if you're looking for a GUI-type of software for Linux that's equivalent to Little Snitch, you're not going to have much luck.
A simple program I use to identify network traffic is nethogs: http://nethogs.sourceforge.net/
 
1 members found this post helpful.
Old 04-11-2011, 04:58 PM   #6
wiliamvw
Original Poster
Not your routine intrusion

Sorry for delay, but must post through library. All suggestions highly useful, and shall begin systematically employing them as am able. Not only am I not connected to the internet, but it seems that trying to keep me off is part of the maliciousness which I've encountered. Even keeping me out of access to own yast software ("other process is attempting to ...etc." -- even when turn completely off and then back on with nothing done except straight to the yast software). Will get tremendous repetition of log messages (mostly with a reference to racoon as well as to avahi-daemon & kernel:bluetooth) and had to delete 18,000 lines in just couple of days (was back again day later, and now can't seem to get into /var/log/messages at all -- will try again much later in day); and that is when can get to them via command line (via yast control center will be able to read them anyway) as throughout the day will get for root's command /var/log/messages "permission denied".
That is until about 5 pm (saboteur taking meal or bathroom break?) when can suddenly get through and delete the repetitive messages (to slow my access time? -- with 2 gigs of ram had some occasions of such slow response that internet said couldn't handle the connection). My first strong indication of a trojan was when ran "top" and got listing of 3 users; top of list was "nobody" with tremendous use total, but before could write it down, the screen looped, and it didn't show up again at all; just root and wiliam as the "3" users (on an occasion every day or two will see a daemon listed as a user). Other anomalies, but you see the picture. Don't believe this any sort of takeover to spread anything, but just to disrupt my laptop use. Thanks again for the advice, and will begin educating myself on this issue (some benefit from it at any length).

Last edited by wiliamvw; 04-12-2011 at 04:58 PM.
 
Old 04-19-2011, 05:00 PM   #7
wiliamvw
Original Poster
update

Was able to reduce interference to minimum (probably just viruses remaining) by removing my wifi card from it completely, and finally forcing way into software so could delete everything pertaining to bluetooth.
 
Old 04-20-2011, 06:09 PM   #8
unSpawn
Quote:
Originally Posted by wiliamvw
will begin educating myself on this issue
That would be beneficial. Based on what you've posted so far the only indication is a lack of basic understanding of the OS you use:


Quote:
Originally Posted by wiliamvw
(..) Even keeping me out of access to own yast software ("other process is attempting to ...etc." -- even when turn completely off and then back on with nothing done except straight to the yast software).
A warning there are locked files is an indication another process already is in the process of watching for or fetching package information or updates. If that is not the case then please post an example but only exact and complete (error) messages.


Quote:
Originally Posted by wiliamvw
(..) repetition of log messages (mostly with a reference to racoon as well as to avahi-daemon & kernel:bluetooth)
racoon is related to IPsec and VPN connectivity, Avahi to device and service discovery, and bluetooth is a set of kernel modules and services for anything-over-Bluetooth. Repetitive messages can occur due to a service being configured for (way too) verbose logging, warnings and errors that may disappear when reconfiguring the service or stopping it from starting up or blacklisting it if you don't need it. One efficient way to filter out important messages is to run 'logwatch', read its report, research error messages and act on those.


Quote:
Originally Posted by wiliamvw
and had to delete 18,000 lines in just couple of days (was back again day later, and now can't seem to get into /var/log/messages at all -- will try again much later in day); and that is when can get to them via command line (via yast control center will be able to read them anyway) as throughout the day will get for root's command /var/log/messages "permission denied".
Apart from reading Logwatch reporting, reconfiguring and disabling unnecessary services, in some cases when a file is opened by a process whatever you think you delete will not actually be deleted at all. System and daemon logs are rotated by 'logrotate' so there is no need for you to delete 18K lines manually.


Quote:
Originally Posted by wiliamvw
when ran "top" and got listing of 3 users; top of list was "nobody" with tremendous use total, but before could write it down, the screen looped, and it didn't show up again at all; just root and wiliam as the "3" users (on an occasion every day or two will see a daemon listed as a user).
Nobody is a system account that enables services to run without excessive privileges. Run 'cat /etc/passwd' to see more user names.


Reading the documentation that comes with your distribution sure will help allay most of your fears, searching LQ and asking questions the rest.
 
2 members found this post helpful.
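Two of unSpawn's points above, the flood of repeated log lines and the "nobody" account, as an added example that is not from the thread. The first function collapses repeated syslog lines into distinct messages with counts (a crude local stand-in for reading a logwatch report); the second prints each passwd entry with its UID and whether its shell allows a login, so a service account such as nobody can be recognised. Both sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample log and passwd data below are
# constructed; on a real system feed it /var/log/messages and /etc/passwd.

# Strip the timestamp, hostname and [pid] so identical messages group
# together, then print "count message", most frequent first.
summarise_log() {
    sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //; s/\[[0-9]+\]//' |
        sort | uniq -c | sort -rn | sed -E 's/^ +//'
}

# Print "name uid login|no-login" for every passwd entry. Accounts whose shell
# is nologin or false exist only so a service can run unprivileged.
classify_accounts() {
    awk -F: '{ kind = ($7 ~ /(nologin|false)$/) ? "no-login" : "login"
               print $1, $3, kind }'
}

SAMPLE_LOG='Apr 28 10:00:01 GO1 lsvpd[5047]: WARNING: /proc/device-tree not found
Apr 28 10:00:02 GO1 lsvpd[5047]: WARNING: /proc/device-tree not found
Apr 28 10:00:03 GO1 kernel: end_request: I/O error, dev fd0, sector 0
Apr 28 10:00:04 GO1 lsvpd[5048]: WARNING: /proc/device-tree not found
Apr 28 10:00:05 GO1 kernel: end_request: I/O error, dev fd0, sector 0
Apr 28 10:00:06 GO1 avahi-daemon[2201]: Registering new address record for fe80::1 on eth0.*.'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/false
avahi:x:103:105:User for Avahi:/var/run/avahi-daemon:/bin/false
wiliam:x:1000:100::/home/wiliam:/bin/bash'

summarise_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_log
}

classify_sample_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | classify_accounts
}

# Usage: summarise_log < /var/log/messages ; classify_accounts < /etc/passwd
```

Three distinct messages come out of six log lines here; on the 18,000-line file described above the same pipeline would show how few different things are actually being said, and which service to reconfigure or silence.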
Old 04-29-2011, 04:04 PM   #9
wiliamvw
Original Poster
update

Thank you unSpawn for your suggestions. When I deleted those 18,000 lines, I did later check and they were gone (as per vi notice of now have 18,000 fewer lines).
Have tried to act on the various WARNING statements, but to no effect.
GO1 lsvpd[5047];WARNING: /proc/device-tree not found (repeated 25 times) Have used all search terms (locate; find; whereis; vi; apropos) as root and on various directories to no result, as seems not to be in my laptop.
GO1 ksysguard[4457] "WARNING" The program 'ksysguard' uses the Apple Bonjour compatibility layer of Avahi WARNING: please fix your application to use the native API of Avahi! That very program is not only installed, but listed in that very file.
GO1 kernel: Buffer I/O error device fd0, logical block 0
GO1 kernel: end_request: I/O error, dev fd0, sector 0 (repeated 40 times -- I assume relates to the missing device-tree)
GO1 smartd[4859]: Problem creating device name scai list
GO1 same : Try adding: `-d sat' to device line in smartd.conf file for example: '/dev/sda -a -d sat' (did precisely that with no effect -- though -d was already there, so just added the -a and I think I also had to put in the 'sat', but it may have already been there; at any rate, it made no difference).

There are a few other DEBUG items of interest;
racoon: DEBUG:sub:0xbf9e675c: 127.0.0.018 [0] proto=any dir=fwd (then: 'in' 'fwd' 'out')
racoon: DEBUG2: PF_KEY message type 18 not registered in plugin
About these last messages, I don't have a clue as to their significance.

Don't know if any of this is helpful, but the inability to locate the device-tree certainly seems highly relevant, though don't know what I can do about it. At any rate, am not getting any apparent outside interference since removed the wifi card and bluetooth programs, but clearly still have a mess as to laptop functioning.

Last edited by wiliamvw; 04-29-2011 at 04:08 PM. Reason: spelling
 
Old 04-29-2011, 06:42 PM   #10
Noway2
It looks to me like you either have some buggered up hardware or have installed the wrong distribution for your system. Most of these messages indicate that you are having issues associated with your IO devices. For example, /proc/device-tree is used on PowerPC platforms to access OpenFirmware configuration. (link). This is confirmed by other Google links for the term. The other errors are indicating trouble with the floppy drive and your hard drive (smartd is a hard drive monitor).

I would suggest trying to boot this system from a liveCD of the same variant that you are trying to boot from. A liveCD, properly verified against the md5sum and/or GPG signature, is as guaranteed to be malware free as you can be. If you still have troubles, this indicates a true hardware problem. If you don't have problems, try a wipe and re-install.
 
2 members found this post helpful.
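The "properly verified against the md5sum and/or GPG signature" step from Noway2's post, written out as an added example (not from the thread). It checks a downloaded image against the checksum file published beside it, and checks the checksum file's detached signature first so the checksum itself is trustworthy. The file names, the .sig suffix and the signing key being already imported are assumptions; each distribution publishes its own.

```shell
#!/bin/sh
# Added example (not from the thread): verify a live-CD image before
# trusting it as a clean environment for investigating a suspect machine.

# Returns 0 when the image named in the checksum file matches its hash.
# Accepts either an md5sum or a sha256sum style file (hash, spaces, name).
verify_checksum() {
    sumfile="$1"
    case "$(awk 'NR == 1 { print length($1) }' "$sumfile")" in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised checksum length" >&2; return 2 ;;
    esac
    # run from the checksum file's directory so the relative name resolves
    (cd "$(dirname "$sumfile")" && "$tool" -c --status "$(basename "$sumfile")")
}

# Returns 0 when the detached signature over the checksum file verifies
# against a key already in the local keyring. Import the distribution's
# signing key first and confirm its fingerprint from a second source;
# a signature from an unknown key proves nothing. (.sig suffix assumed.)
verify_signature() {
    gpg --verify "$1.sig" "$1"
}

# Round trip on a constructed stand-in image: a good copy must verify and a
# corrupted copy must be rejected. Returns 0 only if both hold.
demo_roundtrip() {
    dir=$(mktemp -d)
    printf 'fake iso contents\n' > "$dir/rescue.iso"        # constructed data
    (cd "$dir" && sha256sum rescue.iso > SHA256SUMS)
    verify_checksum "$dir/SHA256SUMS" || { rm -rf "$dir"; return 1; }
    printf 'x' >> "$dir/rescue.iso"                           # simulate corruption
    if verify_checksum "$dir/SHA256SUMS"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}

# Usage:  verify_signature SHA256SUMS && verify_checksum SHA256SUMS && echo ok
```

Check the signature before the checksum: a checksum file fetched over the same channel as the image only proves the download was not corrupted in transit, while the signature ties it to the distribution's key.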
All times are GMT -5. The time now is 12:09 AM.