LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-11-2011, 03:46 PM   #1
galen
Member
 
Registered: Sep 2003
Location: Halifax, Nova Scotia, Canada
Distribution: LinuxMint, PartedMagic, Puppy, xubuntu. BOYCOTTING: Vector, Beatrix, BLAG, Slackware
Posts: 63
Blog Entries: 1

Rep: Reputation: Disabled
UDP traffic unauthorized on Ubuntu 10.04


has my Ubuntu machine been cracked?

machine on home lan
192.168.0.102
it is the DMZ from router
ufw on (ports open for aMule)
sshd installed

no:
p2p file sharing
local sharing
IM
servers (only sshd)

afs-fileserver port 7000 detected by etherape
rkhunter 16 files show WARNING
UPD unknown traffic many connections, detected by etherape
no UDP shows in #sudo netstat
I only install software from U repos, authenticated
 
Old 03-12-2011, 03:37 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Chances are that you have not. Part of the problem with tools like rkhunter and etherape is that they give a lot of false warnings, as does any IDS software. You need to review the man pages and understand what the tools are doing and then evaluate the warnings you receive on a case-by-case basis. You mention SSHD, do you use password authentication? Do you allow root passwords? Do you have it restricted at all via IPtables. Do you run any other server processes? Do you examine your logs routinely? Do you use a program like fail2ban to help counteract brute force password attempts?

If you think you may have been compromised, then you will want to perform an investigation. Start by removing the network cable or putting a firewall up in front of the machine. Then review the CERT intruder detection check list for things to look for. Here is a link.

Next examine the output netstat -pane, lsof -pwn, ps -afwwwe. Look for any files with the setuid and guid bits set. If you need help analyzing these files, please post the output as an attachment or let one of use know and we will help arrange for a location to post them.
 
Old 03-12-2011, 07:05 PM   #3
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Personally I'd take this more gradually before going all out, especially since I agree with Noway2 that it's probably nothing. If the UDP traffic is what is concerning you then try running tcpdump or wireshark for more details and go from there.
 
1 members found this post helpful.
  


Reply

Tags
security, ubuntu, udp


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
What software for checking on unauthorized network traffic? BobNutfield Slackware 11 05-09-2010 11:33 AM
Strange problem with udp traffic rosen4o Linux - Networking 5 01-27-2010 02:45 PM
There seems to be constant unauthorized traffic on my computer. maestro52 Linux - Security 3 08-27-2008 03:28 PM
IDS/IPS for detecting/preventing unauthorized VPN or encrypted traffic. Maybe SNORT? sipecup Linux - Security 0 09-11-2007 08:23 AM
Linux and inbound UDP traffic Dwarflord Linux - Networking 4 04-16-2004 01:35 AM


All times are GMT -5. The time now is 06:35 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration