LinuxQuestions.org

macaal 06-17-2011 11:43 AM

psad: scan detected: 127.0.0.1 -> 127.0.0.1 tcp
 
Hi everybody,

I have detected a possible security problem in my system...

After these messages, others follow with higher TCP and UDP ports.
At the moment this happened I disconnected my WiFi, but the problem persisted (it generated more localhost-to-localhost port scans). After that I tried chkrootkit several times, and on some occasions it detected a hidden program, only on some occasions and this with the network down. After all that I decided to shut down and look at what was happening; after that I connected to the network and it seems silent...

This was all the traffic that was generated at the time in question.

Oh...
I forgot to say that I have iptables set up with the default policy for INPUT, OUTPUT and FORWARD set to drop, and have opened the needed ports for inet communications, apart from having psad running as a daemon.

Can someone tell me if my system has been compromised, or just tell me what is happening...?

Best regards,

and I would be thankful for any help
Thanks to all

MensaWater 06-17-2011 12:31 PM

I fear I'm missing something here.

localhost (127.0.0.1) is exactly that. Any traffic on that interface (lo0 usually) is internal to the host it is on. You should be more concerned with traffic on external interfaces such as eth0, eth1 etc... or the IPs assigned to same.

Is there something that makes you think localhost traffic is somehow getting out of your system?

macaal 06-17-2011 01:03 PM

localhost
 
What makes me think that this traffic was not normal, although it is lo traffic, is that I have used psad and the iptables firewall for a couple of years, and have seen many things in those years but nothing like what happened, although I am not an expert on TCP/IP traffic.
What makes me more curious about this traffic is what I mentioned about the chkrootkit output; I think it is not normal, and even more so for a 2-day-old fresh installation.
I have to mention, as I think it is relevant, that this is not my network; it belongs to someone I don't know, as I have cracked his password to use that WiFi network.
I suppose that somebody from the network, who does not really have access to my system, has, I don't know how, introduced a program that scanned lo for open ports...???
Is this last thing possible???
I think not, but the world has seen worse things.

Thanks for your reply...

Best regards

sunnydrake 06-17-2011 01:25 PM

Could this be local rootkit scanners? BTW, you can trace the process that scans using netstat - some key (look in man) to display the process name.
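
One way to apply the netstat suggestion above, as an added example that is not part of the original thread: it reads Linux net-tools `netstat -tanp` output (where `-p` adds the `PID/Program name` column) and reports which process connects to many distinct ports on 127.x. The function names, the default threshold and the sample rows (including the program name `scanproc`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: attribute loopback TCP connections to the owning process.
# Input: lines in Linux net-tools `netstat -tanp` format on stdin (IPv4 loopback only).

loopback_fanout() {
    # $1: minimum number of distinct 127.x destination ports to report (default 3)
    awk -v min="${1:-3}" '
        $1 !~ /^tcp/ { next }                       # skip headers and non-TCP rows
        $6 == "LISTEN" {                            # remember local listening ports
            lp = $4; sub(/^.*:/, "", lp); listening[lp] = 1; next
        }
        $4 ~ /^127\./ && $5 ~ /^127\./ { rows[++n] = $4 " " $5 " " $7 }
        END {
            for (i = 1; i <= n; i++) {
                split(rows[i], f, " ")
                lport = f[1]; sub(/^.*:/, "", lport)
                dport = f[2]; sub(/^.*:/, "", dport)
                if (lport in listening) continue    # server side of a connection
                key = f[3] SUBSEP dport
                if (!(key in seen)) { seen[key] = 1; count[f[3]]++ }
            }
            for (p in count) if (count[p] >= min) print count[p], p
        }
    ' | sort -rn
}

# Constructed sample (not from the thread): a hypothetical "scanproc" touching four
# loopback ports, plus one ordinary client/server pair on 127.0.0.1:631.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      901/cupsd
tcp        0      0 127.0.0.1:631           127.0.0.1:40110         ESTABLISHED 901/cupsd
tcp        0      0 127.0.0.1:40110         127.0.0.1:631           ESTABLISHED 1502/firefox
tcp        0      1 127.0.0.1:51000         127.0.0.1:21            SYN_SENT    2314/scanproc
tcp        0      1 127.0.0.1:51001         127.0.0.1:22            SYN_SENT    2314/scanproc
tcp        0      1 127.0.0.1:51002         127.0.0.1:23            SYN_SENT    2314/scanproc
tcp        0      1 127.0.0.1:51003         127.0.0.1:25            SYN_SENT    2314/scanproc
tcp        0      0 192.168.1.20:52100      203.0.113.10:80         ESTABLISHED 1502/firefox
EOF
}

# Live use (root is needed for -p to show every PID): netstat -tanp | loopback_fanout 5
sample_netstat | loopback_fanout 3
```

Each output line is the number of distinct loopback destination ports followed by the `PID/Program name` value; short-lived connections can vanish between runs, so the live command may need repeating while psad is logging.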

macaal 06-17-2011 01:56 PM

I forgot one thing
 
I have so far mentioned all that is relevant, apart from the fact that at the time all this happened I had, for the first time on this PC, the MSN service active via pidgin and had conversed with someone. This person from MSN has been telling me for a couple of weeks that someone has changed things in his Hotmail account. I suppose that the hacker who cracked or in some way got the password from my friend has a trojan in his Windows XP installation, although she has NOD32 antivirus..., and this way the hacker has a way to other PCs, via MSN.

Best regards,

Thanks for all replies...


All times are GMT -5.