Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I have detected a possible security problem in my system...
after this messeges it follows other with higher TCP and UDP ports.
In the moment that this happen I've disconnect my Wifi, but the problem persits (genereted more
localhost to localhost port scans) after that I try chkrootkit several times and in some ocations it detects a hiden program, only in some ocasions and this with network down. After all a decided to shutdown and look what happening, after that I connect to network and seems silent...
This was all the traffic that generate at the time in cuestion.
have forgot to say that I have iptables set up with default policy for INPUT OUTPUT and FORWARD to drop and have open the needed ports for inet comunications apart from having psad running as a daemon.
If some one can tell me if my system has been comprimise or only tell me what happening...?
localhost (127.0.0.1) is exactly that. Any traffic on that interface (lo0 usually) is internal to the host it is on. You should be more concerned with traffic on external interfaces such as eth0, eth1 etc... or the IPs assigned to same.
Is there something that makes you think localhost traffic is somehow getting out of your system?
That what make me think that this traffic whas no normal, althought is lo traffic, is that I used psad and the iptables firewall for couple of years, and have see in that years many things but nothing like that what happened, althought I am not an expert on tcp/ip traffic.
What make me more curios on this traffic is that what I have mentioned to chkrootkit output, think it is not normal, and more for a 2 days fresh instalation.
I have to mention, think is relevant, that this is not my network it is some one I don't now while I have cracked his password for use thats WIFI network.
I suppose that some body from the network, not really has access to my system, but I don't now how have introduce a prog that scanned the lo for open ports...???
Is this last possible???
Think not, but bader things have see the wordl.
I have so far mentioned all what relavant is, apart that in the time that all successed I have for the first time in this pc via pidgin the msn service active and and have conversed with some one. This person, from the msn has for a couple of weeks tell me that some one has changed things in his hotmail account. I supose that the hacker that got cracked or in some way got the password from my fried, has a trojan in his Windows XP installation, althought she has NOD32 antivirus..., and this way the hacker have a way to other PC, via the msn.