LinuxQuestions.org
Old 06-17-2011, 12:43 PM   #1
macaal
LQ Newbie
 
Registered: Dec 2006
Posts: 18

psad: scan detected: 127.0.0.1 -> 127.0.0.1 tcp


Hi any body,

I have detected a possible security problem in my system...

After this message, others follow with higher TCP and UDP ports.
At the moment this happened I disconnected my WiFi, but the problem persisted (it generated more
localhost-to-localhost port scans). After that I tried chkrootkit several times, and on some occasions it detected a hidden program, only on some occasions, and this with the network down. In the end I decided to shut down and look at what was happening; after that I connected to the network and it seems silent...

This was all the traffic generated at the time in question.

Oh...
I have forgotten to say that I have iptables set up with the default policy for INPUT, OUTPUT and FORWARD set to DROP, and have opened the needed ports for internet communications, apart from having psad running as a daemon.

If someone can tell me whether my system has been compromised, or just tell me what is happening...?

Best regards,

and I would be thankful for any help.
Thanks to all

Last edited by macaal; 06-23-2011 at 09:18 AM.
 
Old 06-17-2011, 01:31 PM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,028
Blog Entries: 5

I fear I'm missing something here.

localhost (127.0.0.1) is exactly that. Any traffic on that interface (lo0 usually) is internal to the host it is on. You should be more concerned with traffic on external interfaces such as eth0, eth1 etc... or the IPs assigned to same.

Is there something that makes you think localhost traffic is somehow getting out of your system?
 
Old 06-17-2011, 02:03 PM   #3
macaal
LQ Newbie
 
Registered: Dec 2006
Posts: 18

Original Poster
localhost

What makes me think this traffic was not normal, although it is lo traffic, is that I have used psad and the iptables firewall for a couple of years, and have seen many things in those years but nothing like what happened, although I am not an expert on TCP/IP traffic.
What makes me more curious about this traffic is what I mentioned about the chkrootkit output; I think it is not normal, and more so for a 2-day-old fresh installation.
I have to mention, as I think it is relevant, that this is not my network; it belongs to someone I don't know, while I have cracked his password to use that WiFi network.
I suppose that somebody from the network doesn't really have access to my system, but I don't know how they could have introduced a program that scanned lo for open ports...???
Is this last thing possible???
I think not, but the world has seen worse things.

Thanks for your reply...

Best regards
 
Old 06-17-2011, 02:25 PM   #4
sunnydrake
Member
 
Registered: Jul 2009
Location: Kiev,Ukraine
Distribution: Ubuntu,Slax,RedHat
Posts: 288
Blog Entries: 1

Rep: Reputation: 41
Could this be local rootkit scanners? BTW, you can trace the process that scans using netstat - there is some key (look in the man page) to display the process name.
 
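One way to act on sunnydrake's netstat hint, as an added example that is not code from the thread: netstat's -p flag prints the PID/program name column, and this small sh script filters that output down to the processes with 127.0.0.1 on both ends of a socket. The netstat output embedded below is constructed, and `2231/suspect` is a made-up process name.

```shell
#!/bin/sh
# Added example (not from the thread): list the local processes that own
# loopback sockets (127.0.0.1 -> 127.0.0.1). The key is netstat's -p flag
# (PID/Program name column); run as root, otherwise netstat prints "-"
# for sockets owned by other users' processes.
# SAMPLE_NETSTAT is constructed `netstat -tunap` output so the parser can
# be exercised offline; "2231/suspect" is a made-up process name.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      842/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      910/cupsd
tcp        0      0 127.0.0.1:40122         127.0.0.1:631           ESTABLISHED 2231/suspect
tcp        0      0 127.0.0.1:631           127.0.0.1:40122         ESTABLISHED 910/cupsd
tcp        0      0 127.0.0.1:40123         127.0.0.1:25            TIME_WAIT   -
udp        0      0 127.0.0.1:51003         127.0.0.1:53            ESTABLISHED 2231/suspect
tcp        0      0 192.168.1.7:47110       203.0.113.10:443        ESTABLISHED 1503/pidgin'

# loopback_procs: read `netstat -tunap` output on stdin and print the unique
# PID/Program values of sockets whose local AND foreign address are 127.0.0.1.
# TIME_WAIT sockets no longer have an owner, so netstat prints "-"; skip those.
loopback_procs() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^127\.0\.0\.1:/ && $5 ~ /^127\.0\.0\.1:/ && $NF != "-" { print $NF }' \
      | sort -u
}

# loopback_peers: for one PID/Program value, print the loopback ports it
# connects to, to compare against the ports psad reported in its scan message.
loopback_peers() {
    proc="$1"
    awk -v p="$proc" '$NF == p && $5 ~ /^127\.0\.0\.1:/ { sub(/.*:/, "", $5); print $5 }' \
      | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

if [ "${1:-}" = "--live" ]; then
    netstat -tunap 2>/dev/null | loopback_procs
else
    printf '%s\n' "$SAMPLE_NETSTAT" | loopback_procs
fi
```

Run it with `--live` as root to read the real netstat output; a process name you don't recognise next to ports that match psad's message is the thing to look at next (rkhunter or chkrootkit running at the time would show up here too).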
Old 06-17-2011, 02:56 PM   #5
macaal
LQ Newbie
 
Registered: Dec 2006
Posts: 18

Original Poster
I have forgotten one thing

I have so far mentioned everything that is relevant, apart from the fact that at the time all this happened I had, for the first time on this PC, the MSN service active via Pidgin and was conversing with someone. This person on MSN has for a couple of weeks been telling me that someone has changed things in his Hotmail account. I suppose that the hacker who cracked, or in some way got, the password from my friend has a trojan in her Windows XP installation, although she has NOD32 antivirus..., and this way the hacker has a way to other PCs, via MSN.

Best regards,

Thanks for all the replies...