LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-09-2010, 06:14 PM   #1
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Rep: Reputation: 166Reputation: 166
howto trace and remove intruders


When I log into Mint8 ,for example, the bottom bar (task bar) shows activity I did not start eg, keyboard amongst others. System logs are suspicious:

an 9 22:23:24 patti-desktop dhclient: DHCPACK of 192.168.0.100 from 192.168.0.1
Jan 9 22:23:24 patti-desktop dhclient: bound to 192.168.0.100 -- renewal in 40777 seconds.
Jan 9 22:23:24 patti-desktop NetworkManager: <info> DHCP: device eth0 state changed preinit -> bound
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP4 Configure Get) scheduled...
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP4 Configure Get) started...
Jan 9 22:23:24 patti-desktop NetworkManager: <info> address 192.168.0.100
Jan 9 22:23:24 patti-desktop NetworkManager: <info> prefix 24 (255.255.255.0)
Jan 9 22:23:24 patti-desktop NetworkManager: <info> gateway 192.168.0.1
Jan 9 22:23:24 patti-desktop NetworkManager: <info> nameserver '194.168.4.100'
Jan 9 22:23:24 patti-desktop NetworkManager: <info> nameserver '194.168.8.100'
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) scheduled...
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP4 Configure Get) complete.
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) started...
Jan 9 22:23:24 patti-desktop avahi-daemon[1120]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.0.100.
Jan 9 22:23:24 patti-desktop avahi-daemon[1120]: New relevant interface eth0.IPv4 for mDNS.
Jan 9 22:23:24 patti-desktop avahi-daemon[1120]: Registering new address record for 192.168.0.100 on eth0.IPv4.
Jan 9 22:23:24 patti-desktop acpid: client connected from 1463[107:114]
Jan 9 22:23:25 patti-desktop NetworkManager: <info> (eth0): device state change: 7 -> 8 (reason 0)
Jan 9 22:23:25 patti-desktop NetworkManager: <info> Policy set 'Auto eth0' (eth0) as default for routing and DNS.
Jan 9 22:23:25 patti-desktop NetworkManager: <info> Activation (eth0) successful, device activated.
Jan 9 22:23:25 patti-desktop NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) complete.
Jan 9 22:23:25 patti-desktop ntpdate[1908]: adjust time server 91.189.94.4 offset -0.343663 sec
Jan 9 22:23:29 patti-desktop kernel: [ 24.360012] eth0: no IPv6 routers present
Jan 9 22:28:24 patti-desktop gdm-session-worker[1843]: pam_sm_authenticate: Called
Jan 9 22:28:24 patti-desktop gdm-session-worker[1843]: pam_sm_authenticate: username = [blob]


'patti-desktop' is not the user I'm trying to login to but its was and still exist a group (ops). Also having difficulty using sudo but that might be my error. Is there a program I can use see what is going wrong correct it.

Fred.
 
Old 01-09-2010, 06:26 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 650Reputation: 650Reputation: 650Reputation: 650Reputation: 650Reputation: 650
I don't see anything suspicious there... patti-desktop would be the hostname of the machine not the name of the logged in user. Can you describe your problem with sudo a little more ?

cheers
 
Old 01-09-2010, 06:48 PM   #3
vastvet
LQ Newbie
 
Registered: Jan 2010
Posts: 20

Rep: Reputation: 0
Quote:
Originally Posted by kbp View Post
I don't see anything suspicious there... patti-desktop would be the hostname of the machine not the name of the logged in user. Can you describe your problem with sudo a little more ?

cheers
Thats easily said that nothing is wrong, are u sure that the mint linux has an firewall on by default?Also make sure to putoff unnesasary services like ssh and remote login etc, if u are unsure of the protection try to instal an firewall or move to an more secure distro like mandriva or fedora wich have an builtin firewall.
 
Old 01-09-2010, 07:36 PM   #4
donnied
Member
 
Registered: Oct 2006
Distribution: Debian x64
Posts: 198

Rep: Reputation: 30
If you want to see what is going on use netstat as root:
Code:
sudo netstat -patn
That will show you the ports that are listening.

You might also want to look to see what ports are available using zenmap.

Code:
sudo -i 
aptitude update
aptitude install zenmap nmap
(Or find it in synaptic).
Then use
Code:
sudo ifconfig
to find your network address:
in the form of
inet addr:*these numbers*
and scan that.
 
Old 01-10-2010, 03:38 PM   #5
AngTheo789
Member
 
Registered: Sep 2009
Posts: 110

Rep: Reputation: 24
I agree with kbp that the provided log does not contain anything overly suspicious. That doesn't mean that there aren't any problems, but those problems not show up in that log snippet. A running system will usually have a lot of stuff running in the background, and most of these send their cryptic log messages - that's confusing, but normal.
 
Old 01-10-2010, 08:05 PM   #6
donnied
Member
 
Registered: Oct 2006
Distribution: Debian x64
Posts: 198

Rep: Reputation: 30
The logs weren't suspicious. Some other things to look at are:
Code:
aptitude update
aptitude install chkrootkit tiger
Tiger is a little dated; be forewarned there will be a few 'alerts' that may unnecessarily alarm you.

You may also use tcpdump to keep track of all packets sent and received by your eth0 or etherape might be a more graphically entertaining way to watch net traffic.

Last edited by donnied; 01-10-2010 at 08:55 PM.
 
Old 01-10-2010, 09:48 PM   #7
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166Reputation: 166
'invaders'

Thanks for all your replies .
 
Old 01-10-2010, 10:21 PM   #8
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166Reputation: 166
'invaders'

Sorry for the interruption.The following resulted from Ubuntu 9.10 while with etho disconnected:

# netstat -patn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1188/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 1188/cupsd

Printer was switched off. Have router to anther (centros 5) that reports an attempted intrusion on Selinux.
While your at it (please) how do you get into sudo when you forgot, or did not know how to, associate a replaced user with sudoers ie cannot reset unix password.
In the meantime I will work through the suggestions, providing I can get access to root. Case of panic maybe.

Fred.
 
Old 01-14-2010, 06:02 PM   #9
donnied
Member
 
Registered: Oct 2006
Distribution: Debian x64
Posts: 198

Rep: Reputation: 30
It's just listening for a printer. It doesn't depend on whether the printer is on or not.
Quote:
Originally Posted by Fred Caro View Post
Have router to anther (centros 5) that reports an attempted intrusion on Selinux.
Was that the only listening port on the Mint Machine?
What were the reported intrusion attempts?


Quote:
Originally Posted by Fred Caro View Post
While your at it (please) how do you get into sudo when you forgot, or did not know how to, associate a replaced user with sudoers ie cannot reset unix password.
What do you mean?

Last edited by donnied; 01-14-2010 at 06:06 PM.
 
Old 01-18-2010, 06:05 PM   #10
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166Reputation: 166
invaders

Dear sirs,
the listening port I do not know, only that the router seems to be open, ease of use! Selinux reports an intruder on a different connected computer but running 'apt-get update' 'apt-get install chktrootkit triger' results in:

______________________________________
/ Q: What do you call a boomerang that \
\ doesn't come back? A: A stick. /
--------------------------------------
\
\
.--.
|o_o |
|:_/ |
// \ \
(| | )
/'\_ _/`\
\___)=(___/

carno@carno-desktop ~ $ sudo apt-get update
[sudo] password for carno:
Sorry, try again.
[sudo] password for carno:
Building old list of packages... [done]
Building old list of available updates... [done]
Building old list of watched packages... [done]
Hit http://archive.ubuntu.com karmic Release.gpg
Hit http://archive.ubuntu.com karmic/main Translation-en_GB
Hit http://archive.canonical.com karmic Release.gpg
Ign http://archive.canonical.com karmic/partner Translation-en_GB
Hit http://archive.ubuntu.com karmic/restricted Translation-en_GB
Hit http://archive.ubuntu.com karmic/universe Translation-en_GB
Hit http://archive.ubuntu.com karmic/multiverse Translation-en_GB
Hit http://archive.ubuntu.com karmic-updates Release.gpg
Ign http://archive.ubuntu.com karmic-updates/main Translation-en_GB
Ign http://archive.ubuntu.com karmic-updates/restricted Translation-en_GB
Ign http://archive.ubuntu.com karmic-updates/universe Translation-en_GB
Ign http://archive.ubuntu.com karmic-updates/multiverse Translation-en_GB
Hit http://security.ubuntu.com karmic-security Release.gpg
Ign http://security.ubuntu.com karmic-security/main Translation-en_GB
Hit http://archive.canonical.com karmic Release
Hit http://archive.ubuntu.com karmic Release
Ign http://security.ubuntu.com karmic-security/restricted Translation-en_GB
Ign http://security.ubuntu.com karmic-security/universe Translation-en_GB
Ign http://security.ubuntu.com karmic-security/multiverse Translation-en_GB
Hit http://security.ubuntu.com karmic-security Release
Hit http://archive.ubuntu.com karmic-updates Release
Hit http://archive.canonical.com karmic/partner Packages
Hit http://archive.ubuntu.com karmic/main Packages
Hit http://security.ubuntu.com karmic-security/main Packages
Hit http://archive.ubuntu.com karmic/restricted Packages
Hit http://archive.ubuntu.com karmic/universe Packages
Hit http://archive.ubuntu.com karmic/multiverse Packages
Hit http://archive.ubuntu.com karmic-updates/main Packages
Hit http://security.ubuntu.com karmic-security/restricted Packages
Hit http://security.ubuntu.com karmic-security/universe Packages
Hit http://security.ubuntu.com karmic-security/multiverse Packages
Hit http://archive.ubuntu.com karmic-updates/restricted Packages
Hit http://archive.ubuntu.com karmic-updates/universe Packages
Hit http://archive.ubuntu.com karmic-updates/multiverse Packages
Get: 1 http://packages.linuxmint.com helena Release.gpg [198B]
Hit http://packages.medibuntu.org karmic Release.gpg
Ign http://packages.medibuntu.org karmic/free Translation-en_GB
Ign http://packages.medibuntu.org karmic/non-free Translation-en_GB
Ign http://packages.linuxmint.com helena/main Translation-en_GB
Ign http://packages.linuxmint.com helena/upstream Translation-en_GB
Ign http://packages.linuxmint.com helena/import Translation-en_GB
Hit http://packages.medibuntu.org karmic Release
Get: 2 http://packages.linuxmint.com helena Release [7,251B]
Hit http://packages.medibuntu.org karmic/free Packages
Hit http://packages.medibuntu.org karmic/non-free Packages
Ign http://packages.linuxmint.com helena/main Packages
Ign http://packages.linuxmint.com helena/upstream Packages
Ign http://packages.linuxmint.com helena/import Packages
Ign http://packages.linuxmint.com helena/main Packages
Ign http://packages.linuxmint.com helena/upstream Packages
Ign http://packages.linuxmint.com helena/import Packages
Hit http://packages.linuxmint.com helena/main Packages
Hit http://packages.linuxmint.com helena/upstream Packages
Hit http://packages.linuxmint.com helena/import Packages
Fetched 7,449B in 5s (1,318B/s)
Building new list of packages... [done]
Building new list of available updates... [done]
Building new list of watched packages... [done]
Building list of outdated packages... [done]

No new updates.
No new or removed packages.
No news in watched packages.
Outdated packages:
linux-generic/karmic - 2.6.31.14.27 -> 2.6.31.17.30, 96 days
linux-headers-generic/karmic - 2.6.31.14.27 -> 2.6.31.17.30, 96 days
linux-image-generic/karmic - 2.6.31.14.27 -> 2.6.31.17.30, 96 days
Reading package lists... Done
carno@carno-desktop ~ $ sudo apt-get install chkrootkit triger
Reading package lists... Done
Building dependency tree
Reading state information... Done
chkrootkit is already the newest version.
E: Couldn't find package triger
carno@carno-desktop ~ $
Does that slove the problem or make more?

Fred
 
Old 01-18-2010, 09:06 PM   #11
DaveChelios
LQ Newbie
 
Registered: Feb 2006
Distribution: openSUSE 11.0
Posts: 6

Rep: Reputation: 0
X-D

It's tiger, not triger.

You say your router is open for "ease of use", yet you've been wrestling with this "issue" for over a week now. How is this easier than simply securing your network?
 
Old 01-18-2010, 11:33 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,706
Blog Entries: 4

Rep: Reputation: 3030Reputation: 3030Reputation: 3030Reputation: 3030Reputation: 3030Reputation: 3030Reputation: 3030Reputation: 3030Reputation: 3030Reputation: 3030Reputation: 3030
Here are a few general suggestions:

(1) Don't "assume" that "anyone can get in if they merely try." They can't. This is not a Windows Home Edition box being run by "a clueless doofus with Administrator privileges." Your system's default configuration will have set you up as a non-root user, which is therefore limited to having access to just "your" files. The reason why so many Windows systems have problems is that their users have carte-blanche access to everything, "including Windows itself." Linux doesn't do this (and Windows certainly doesn't have to!!).

(2) Use a firewall-equipped Router. You probably already do. Change the network-ID if it's wireless, install a meaningful password, secure the admin-page, and otherwise just leave it to its defaults. Without further attention from you, it will keep most things out.

(3) Rogue programs are opportunists. They scope-out the networks looking for "easy pickin's," knowing that they will find millions of unprotected targets. Even the slightest defenses (and your system is bristling with them...) will generally keep these rogues away.
 
Old 01-19-2010, 12:37 AM   #13
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166Reputation: 166
invaders again

dear senior member and all,
thanks for all your replies. The reason why I have not applied myself sufficiently is that other things have taken over and had 4 hard drives die in the last 2 weeks but will examine all comments... eventually!

Fred.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to completely remove any trace of programs in redhat through putty africa4444 Linux - Newbie 6 07-14-2009 03:37 PM
How to trace and disable the HTTP TRACE method in Apache 1.3.33 with FreeBSD? SomnathG Linux - Security 1 11-11-2008 10:41 AM
Howto remove firefox from opt Mykewl Ubuntu 2 04-20-2006 12:22 AM
Howto remove Windows using Knoppix Haraldsh Linux - Newbie 7 12-10-2005 12:33 PM
howto manually remove hardware mcalizo Linux - Hardware 5 04-29-2005 09:32 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 06:32 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration