LinuxQuestions.org
Old 04-23-2014, 02:11 AM   #1
Tachtory
Member
 
Registered: Dec 2011
Distribution: Mint, Slackware
Posts: 42

Rep: Reputation: Disabled
Slackware box possibly infected, how do I monitor TCP connections?


It looks like my Slackware box is trying to connect to random Chinese IPs. Here is the Firewall security log on the router:

http://i.imgur.com/r7ucTLA.png

I started experiencing network issues and tried a number of things like resetting the router and bypassing the router. Eventually I noticed this in the security log and I'm not sure what's causing it and I don't know how to find out.

Is netstat sufficient to see what process is spawning these socket connections? I'm really a newbie when it comes to networking. Also, the machine is headless (no desktop) so command line only.
 
Old 04-23-2014, 02:33 AM   #2
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,849
Blog Entries: 15

Rep: Reputation: 743
Wireshark, Samhain, and iptables logs.

AlienBOB's script generator can be tuned to be highly sensitive for logging, or you can use various wikis, and Wireshark can be downloaded and installed from the SlackBuilds.org website. You also want an intrusion detection toolkit, possibly Samhain, as well.

There's also aide and snort as well.

I would check your /etc/hosts file for any tampering as well, and make sure you're running the OpenSSL 1.0.1g or later SSL library. You should also look up how to lock down SSH clients and prevent login as root from remote sources.
 
Old 04-23-2014, 03:04 AM   #3
fbsduser
Member
 
Registered: Oct 2009
Distribution: Hackintosh, SlackWare
Posts: 266

Rep: Reputation: 30
Do you happen to have a Chinese girl around that box? That would explain the spurious connections to spammy Chinese URLs coming from said Slackware PC.
 
Old 04-23-2014, 03:12 AM   #4
genss
Member
 
Registered: Nov 2013
Posts: 164

Rep: Reputation: Disabled
Quote:
Originally Posted by Tachtory
Is netstat sufficient to see what process is spawning these socket connections?
should be
you got to catch it in the act though, don't know of a program to do it automatically
 
Old 04-23-2014, 03:22 AM   #5
Mark Pettit
Member
 
Registered: Dec 2008
Location: Cape Town, South Africa
Distribution: Slackware 14.1 64 Multi-Lib
Posts: 421

Rep: Reputation: 123
How difficult to rebuild the box from scratch ?
 
Old 04-23-2014, 03:29 AM   #6
LukyLuke
LQ Newbie
 
Registered: Apr 2014
Location: Switzerland
Distribution: Slackware-current-x64, Slackware-14.1-x64, Slackware-13.37-x64, debian-EnterAFancyNameHere
Posts: 1

Rep: Reputation: Disabled
For me this sounds more like a "classic" rootkit which has replaced some binaries (like ps, top, pstree, netstat, lsof, ...) to hide itself and is connected to a remote IRC/command center. If so, there is no need for network analysis.

To check this, you can use this small shell script. Save it to a file and run it as root:
Code:
#!/bin/bash
# Compare the PIDs present in /proc with what ps reports. A PID that exists
# in /proc but is unknown to ps may be hidden by a modified ps binary.
for F in /proc/[0-9]*/cmdline; do
  P=${F#/proc/}          # strip the leading /proc/
  P=${P%/cmdline}        # strip the trailing /cmdline
  if ! ps -p "$P" >/dev/null 2>&1; then
    # the process may simply have exited since the glob ran; re-check /proc
    [ -d "/proc/$P" ] || continue
    echo "Possible hidden Process: $P"
    echo "$F"
    tr '\0' ' ' < "$F"   # cmdline is NUL-separated; make it readable
    echo
  fi
done
exit 0
If you see some "possible hidden processes" here, check them manually (see /proc/PID/cmdline) to find out whether they are suspicious, and maybe kill them.
Afterwards you should clean your system (move or remove the netshell, reinstall the binaries from the Slackware FTP and check, as others have already said, how this came in and fill that gap).
 
4 members found this post helpful.
Old 04-23-2014, 05:52 AM   #7
enorbet
Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware 14 is Main OpSys on Main PC, 2ndary are OpenSuSe 13 and SolydK
Posts: 674

Rep: Reputation: 265
....or you could verify the IP is hostile and we could all send many longboats full of fat vikings
 
Old 04-23-2014, 08:02 AM   #8
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,006

Rep: Reputation: 742
Trying to connect is what those folks do; they'll walk IP addresses, get one that responds then walk ports looking for an entry.

Something you should think about is whether you have any system accounts open; no system account except root should be open (have a password). Your /etc/passwd file should look like this:
Code:
root:x:0:0::/root:/bin/ksh
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
oprofile:x:51:51:oprofile:/:/bin/false
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
<user accounts below here>
and your /etc/shadow file should look like this:
Code:
root:$1$a7IEQ/cm$N33kwrt.F6iuXHEKq5/NS/:15106:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
oprofile:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
<user accounts below here>
The file mode of those should look like this:
Code:
-rw-r--r-- 1 root root 1565 Dec  7 15:13 passwd
-rw-r----- 1 root shadow 1026 Dec  7 15:13 shadow
There is an oldie but goodie you can install that will automatically recognize those attempts and, after a defined number of failed attempts, place the IP of the attacking site in /etc/hosts.deny (or, optionally, IPTABLES and some other methods). An entry in /etc/hosts.deny is effective; the attacking host will be denied a connection.

The application, DenyHosts (see http://denyhosts.sourceforge.net/), is effective; I've been using it for some years without any problems or break-ins. It stops the bastards in their tracks quickly and effectively. DenyHosts runs as a daemon, you don't have to fiddle with it (after initial configuration and installation), and it optionally shares your experience with other DenyHosts users around the world (and, of course, theirs with you). Periodically, you'll send and receive the IP addresses of others' experience that are added to your /etc/hosts.deny file (or one of the other options; e.g., IPTABLES) -- after a while you'll have thousands of identified bad actors that are denied a connection. Of course, doing that is optional.

Most attackers are going to try to access your system via SSH. You must have a "good" root password (in any event) and not have passwords on any of the other system accounts (there is absolutely no reason to have a password or allow log in on any of them). "Good" means at least 10 characters (more are better), no dictionary words, include digits, include punctuation, never use qwerty or a string of digits, all that sort of thing. Nothing guessable. If you have users, expire all their passwords so they'll need to change them on next log in.

Close ports (in your router) that are not necessary. Consider using an alternate port for SSH. If you are running a web page and using SSL, upgrade SSL to the current (or higher) version (be sure and reboot after you install it), revoke and regenerate all your SSL public/private keys, revoke and regenerate all your self-signed certificates (or get a new one from your certificate authority). You don't need to worry about your SSH public/private keys but it might not hurt to regenerate them while you're at it if you have had an intrusion (and use a really good passphrase too).

You can write a little shell program that scans your log for the IP addresses of failed log in attempts and creates IPTABLES or /etc/hosts.deny entries for you, but you have to actually set aside the time to do that every day or so. Might be better to take a look at DenyHosts or one of the other suggested utilities.

Hope this helps some.
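The account and file-mode checks tronayne describes can be scripted so they are repeatable rather than eyeballed. The following is an added example, not code from the thread or from Slackware: it runs against constructed copies of /etc/passwd and /etc/shadow (the hashes in them are placeholders, not real hashes) and reports every system account, root excepted, whose shadow entry is not locked with `*` or `!`, plus any file whose mode string differs from the `-rw-r--r--` / `-rw-r-----` shown above. The UID 1000 boundary for "system account" and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the account and password
# fields the way tronayne describes, against constructed sample files.

# Constructed sample copies of /etc/passwd and /etc/shadow so the checks run
# offline; on a real box pass /etc/passwd and /etc/shadow instead.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_SHADOW=$SAMPLE_DIR/shadow
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
sshd:x:33:33:sshd:/:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
alice:x:1000:100:Alice:/home/alice:/bin/bash
EOF
# The hashes below are placeholders, not real password hashes.
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder$notarealhash:16183:0:::::
bin:*:9797:0:::::
sshd:*:9797:0:::::
operator:$6$placeholder$alsonotreal:16183:0:::::
games::9797:0:::::
alice:$6$placeholder$userhash:16183:0:::::
EOF
chmod 644 "$SAMPLE_PASSWD"
chmod 640 "$SAMPLE_SHADOW"

# audit_accounts PASSWD SHADOW
# Prints one line per system account (UID below 1000, root excepted) whose
# shadow entry is not locked: a hash where there should be none, an empty
# password field, or no shadow entry at all. Prints nothing when clean.
audit_accounts() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        [ "$uid" -ge 1000 ] && continue                # ordinary users
        [ "$name" = root ] && continue                 # root keeps a password
        entry=$(grep "^$name:" "$2" | head -n 1)
        if [ -z "$entry" ]; then
            echo "$name: NO SHADOW ENTRY (uid $uid, shell $shell)"
            continue
        fi
        hash=${entry#*:}; hash=${hash%%:*}            # second shadow field
        case "$hash" in
            '')  echo "$name: EMPTY PASSWORD (uid $uid, shell $shell)" ;;
            '*'|'!'|'!!'|'!*'|'*LK*') ;;               # locked, as it should be
            *)   echo "$name: PASSWORD SET (uid $uid, shell $shell)" ;;
        esac
    done < "$1"
}

# check_modes PASSWD SHADOW
# passwd must be world-readable but writable only by its owner; shadow must
# never be world-readable. Prints a line per file whose mode string differs.
check_modes() {
    p=$(ls -ld "$1" | cut -c1-10)
    s=$(ls -ld "$2" | cut -c1-10)
    [ "$p" = "-rw-r--r--" ] || echo "$1: mode $p, expected -rw-r--r--"
    [ "$s" = "-rw-r-----" ] || echo "$2: mode $s, expected -rw-r-----"
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
check_modes "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On the constructed input this reports `operator` (a hash where a lock is expected) and `games` (an empty password field, which is worse than a hash because it allows login with no password at all); `alice` is skipped as an ordinary user and `bin`/`sshd` pass because they are locked with `*`.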
 
Old 04-23-2014, 11:53 AM   #9
metaschima
Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 955

Rep: Reputation: Disabled
Use rkhunter and clamav to look for rootkits and malware. Also iptraf-ng is installed by default in slackware and is quite good at packet sniffing.
 
Old 04-23-2014, 12:19 PM   #10
fskmh
Member
 
Registered: Jun 2002
Location: South Africa
Distribution: Slackware64-current multilib
Posts: 235

Rep: Reputation: 55
Code:
netstat -cutpan
You can identify the PID or name of the process connecting to that IP on the right hand side and take further action from there.
 
Old 04-23-2014, 03:57 PM   #11
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 129

Rep: Reputation: 33
It might be only my own impression but, it looks like the rate of working Linux malware is rising right now.
 
Old 04-24-2014, 01:09 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
These replies are either only funny or not to the point while investigating. Please be mindful that if a fellow LQ member wishes to address a potential security issue you address it as such and not as a vehicle to showcase your jocularity or unfamiliarity with incident handling procedures. Thanks in advance.

Quote:
Originally Posted by Mark Pettit
How difficult to rebuild the box from scratch ?
Quote:
Originally Posted by enorbet
....or you could verify the IP is hostile and we could all send many longboats full of fat vikings
Quote:
Originally Posted by Nh3xus
It might be only my own impression but, it looks like that the rate of working Linux malwares is rising right now.
 
2 members found this post helpful.
Old 04-24-2014, 01:50 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by Tachtory
It looks like my Slackware box is trying to connect to random Chinese IPs. (..) I started experiencing network issues and tried a number of things like resetting the router and bypassing the router. Eventually I noticed this in the security log and I'm not sure what's causing it and I don't know how to find out.
- First of all, and while this is an unfortunate reflex in both seasoned and new admins, one of the things you should not do while investigating is alter the situation. Killing processes, deleting files and rebooting cause volatile data to be lost. That's kind of like trampling evidence by walking across a crime scene.
- Secondly, like fbsduser hinted at, there's Hanlon's Razor: never attribute to malice that which is adequately explained by stupidity. People often think their box is cracked while the actual explanation may be Something Completely Different. Also problems, like your "network issues" (which you didn't explain in detail BTW), may have different, completely unconnected causes.
- Third: don't focus on any single aspect or symptom but try to look at the whole situation. While admittedly hard for a new Linux user this also means looking carefully at advice given. For example installing software (again: disturbing the crime scene) isn't advisable and installing file system integrity checking software only makes sense on a known clean machine.


Quote:
Originally Posted by Tachtory
I'm really a newbie when it comes to networking.
Being a newbie is an opportunity to learn things.
- Start by reading your distribution's security documentation (if any) and the CERT Intruder Detection Checklist (old but still contains usable steps to take), perform the checks and post your findings.
- Network connections originating from the machine are caused by (user land) processes. So running
Code:
lsof -Pwlni 2>&1|tee /tmp/conns.txt
as root will get you a list (unless these are spurious connections, see next). Also an iptables rule like for example
Code:
-A OUTPUT -o eth0 -p tcp -m conntrack --ctstate NEW -m tcp -m owner ! --uid-owner oprofile -j LOG --log-prefix "out_NEW " --log-uid
will get you all new egress TCP connections listing the UID where the process owner isn't "oprofile" (just an example but it shouldn't use network connections regularly anyway). No need to install WireShark or other pcap-based tools.
- Ask yourself when this situation started. Check your machine for file MAC time changes and user logins prior and up to that time.
- List what services the machine provides. Check your machine for system and daemon log file entries prior and up to that time.
- If you find changed or anomalous files and do make regular backups verify files against your backups.
*Unlikely, but if you somehow suspect a rootkit then don't use any kludges but boot from a Live CD and start your investigation.
**Please be verbose in replying, attach (or Pastebin) plain text output in support of your reply, reply timely and ask questions if unsure.
 
4 members found this post helpful.
Old 04-24-2014, 04:53 AM   #14
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 276

Rep: Reputation: 83
Ok, well, unSpawn just grew in my eyes with these two last posts.

As for the situation, so I'm not completely off-topic, LukyLuke gave the clear starting point. What goes next is up to the output from his commands.
 
Old 04-24-2014, 06:07 AM   #15
genss
Member
 
Registered: Nov 2013
Posts: 164

Rep: Reputation: Disabled
a process can open a socket, send something and close the socket in way less time than it takes for lsof to parse /proc
so netstat, like fskmh said

btw OP did not respond
also I liked that joke
 
  

