LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 01-09-2010, 05:14 PM   #1
Fred Caro
Senior Member
 
Registered: May 2007
Posts: 1,007

howto trace and remove intruders


When I log into Mint 8, for example, the bottom bar (task bar) shows activity I did not start, e.g. keyboard amongst others. System logs are suspicious:

Jan 9 22:23:24 patti-desktop dhclient: DHCPACK of 192.168.0.100 from 192.168.0.1
Jan 9 22:23:24 patti-desktop dhclient: bound to 192.168.0.100 -- renewal in 40777 seconds.
Jan 9 22:23:24 patti-desktop NetworkManager: <info> DHCP: device eth0 state changed preinit -> bound
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP4 Configure Get) scheduled...
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP4 Configure Get) started...
Jan 9 22:23:24 patti-desktop NetworkManager: <info> address 192.168.0.100
Jan 9 22:23:24 patti-desktop NetworkManager: <info> prefix 24 (255.255.255.0)
Jan 9 22:23:24 patti-desktop NetworkManager: <info> gateway 192.168.0.1
Jan 9 22:23:24 patti-desktop NetworkManager: <info> nameserver '194.168.4.100'
Jan 9 22:23:24 patti-desktop NetworkManager: <info> nameserver '194.168.8.100'
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) scheduled...
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 4 of 5 (IP4 Configure Get) complete.
Jan 9 22:23:24 patti-desktop NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) started...
Jan 9 22:23:24 patti-desktop avahi-daemon[1120]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.0.100.
Jan 9 22:23:24 patti-desktop avahi-daemon[1120]: New relevant interface eth0.IPv4 for mDNS.
Jan 9 22:23:24 patti-desktop avahi-daemon[1120]: Registering new address record for 192.168.0.100 on eth0.IPv4.
Jan 9 22:23:24 patti-desktop acpid: client connected from 1463[107:114]
Jan 9 22:23:25 patti-desktop NetworkManager: <info> (eth0): device state change: 7 -> 8 (reason 0)
Jan 9 22:23:25 patti-desktop NetworkManager: <info> Policy set 'Auto eth0' (eth0) as default for routing and DNS.
Jan 9 22:23:25 patti-desktop NetworkManager: <info> Activation (eth0) successful, device activated.
Jan 9 22:23:25 patti-desktop NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) complete.
Jan 9 22:23:25 patti-desktop ntpdate[1908]: adjust time server 91.189.94.4 offset -0.343663 sec
Jan 9 22:23:29 patti-desktop kernel: [ 24.360012] eth0: no IPv6 routers present
Jan 9 22:28:24 patti-desktop gdm-session-worker[1843]: pam_sm_authenticate: Called
Jan 9 22:28:24 patti-desktop gdm-session-worker[1843]: pam_sm_authenticate: username = [blob]


'patti-desktop' is not the user I'm trying to log in as, but it was and still exists as a group (ops). I am also having difficulty using sudo, but that might be my error. Is there a program I can use to see what is going wrong and correct it?

Fred.
 
Old 01-09-2010, 05:26 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

I don't see anything suspicious there... patti-desktop would be the hostname of the machine, not the name of the logged-in user. Can you describe your problem with sudo a little more?

cheers
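A small parser for the log format quoted in the first post, added here as an example (it is not code from kbp's reply or from anyone in the thread). Lines in the traditional syslog layout are "month day time hostname program[pid]: message"; the parser pulls those fields apart, which makes kbp's point visible: the fourth field is the host that wrote the line, and a user name only appears inside the PAM message text. The sample lines are constructed from the excerpt above.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the /var/log/messages excerpt
# quoted in the first post: "<Mon> <day> <HH:MM:SS> <host> <program>[<pid>]: <message>".
SAMPLE_LOG = """\
Jan 9 22:23:24 patti-desktop dhclient: DHCPACK of 192.168.0.100 from 192.168.0.1
Jan 9 22:23:24 patti-desktop NetworkManager: <info> address 192.168.0.100
Jan 9 22:23:24 patti-desktop avahi-daemon[1120]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.0.100.
Jan 9 22:23:25 patti-desktop ntpdate[1908]: adjust time server 91.189.94.4 offset -0.343663 sec
Jan 9 22:28:24 patti-desktop gdm-session-worker[1843]: pam_sm_authenticate: Called
Jan 9 22:28:24 patti-desktop gdm-session-worker[1843]: pam_sm_authenticate: username = [blob]
"""

# The fourth whitespace-separated field is the emitting hostname, never a user name.
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)


def parse_syslog(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def hosts_and_programs(records):
    """Count which hosts and which programs produced the lines."""
    return Counter(r["host"] for r in records), Counter(r["prog"] for r in records)


# The user name in a PAM line lives in the message text, not in the host field.
AUTH_USER_RE = re.compile(r"pam_sm_authenticate: username = \[(?P<user>[^\]]*)\]")


def login_attempts(records):
    """Return (host, program, user) for each PAM authentication line."""
    found = []
    for r in records:
        m = AUTH_USER_RE.search(r["msg"])
        if m:
            found.append((r["host"], r["prog"], m.group("user")))
    return found


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_LOG)
    hosts, progs = hosts_and_programs(recs)
    print("hosts seen:", dict(hosts))
    print("programs seen:", dict(progs))
    for host, prog, user in login_attempts(recs):
        print(f"login attempt on host {host!r} via {prog}: user {user!r}")
```

Run against a real /var/log/messages or /var/log/auth.log, the per-program counts give a quick feel for what normally writes to the log, and the PAM extraction is where to look for logins you did not make.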
 
Old 01-09-2010, 05:48 PM   #3
vastvet
LQ Newbie
 
Registered: Jan 2010
Posts: 20

Quote:
Originally Posted by kbp
I don't see anything suspicious there... patti-desktop would be the hostname of the machine not the name of the logged in user. Can you describe your problem with sudo a little more ?

cheers
That's easily said, that nothing is wrong. Are you sure that Mint Linux has a firewall on by default? Also make sure to turn off unnecessary services like ssh and remote login etc. If you are unsure of the protection, try to install a firewall or move to a more secure distro like Mandriva or Fedora, which have a built-in firewall.
 
Old 01-09-2010, 06:36 PM   #4
donnied
Member
 
Registered: Oct 2006
Distribution: Debian x64
Posts: 198

If you want to see what is going on use netstat as root:
Code:
sudo netstat -patn
That will show you the ports that are listening.

You might also want to look to see what ports are available using zenmap.

Code:
sudo -i 
aptitude update
aptitude install zenmap nmap
(Or find it in synaptic).
Then use
Code:
sudo ifconfig
to find your network address, shown in the form
inet addr:*these numbers*
and scan that.
 
Old 01-10-2010, 02:38 PM   #5
AngTheo789
Member
 
Registered: Sep 2009
Posts: 110

I agree with kbp that the provided log does not contain anything overly suspicious. That doesn't mean that there aren't any problems, but those problems do not show up in that log snippet. A running system will usually have a lot of stuff running in the background, and most of these send their cryptic log messages - that's confusing, but normal.
 
Old 01-10-2010, 07:05 PM   #6
donnied
Member
 
Registered: Oct 2006
Distribution: Debian x64
Posts: 198

The logs weren't suspicious. Some other things to look at are:
Code:
aptitude update
aptitude install chkrootkit tiger
Tiger is a little dated; be forewarned there will be a few 'alerts' that may unnecessarily alarm you.

You may also use tcpdump to keep track of all packets sent and received by your eth0 or etherape might be a more graphically entertaining way to watch net traffic.

Last edited by donnied; 01-10-2010 at 07:55 PM.
 
Old 01-10-2010, 08:48 PM   #7
Fred Caro
Senior Member
 
Registered: May 2007
Posts: 1,007

Original Poster
'invaders'

Thanks for all your replies .
 
Old 01-10-2010, 09:21 PM   #8
Fred Caro
Senior Member
 
Registered: May 2007
Posts: 1,007

Original Poster
'invaders'

Sorry for the interruption. The following resulted from Ubuntu 9.10 with eth0 disconnected:

# netstat -patn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1188/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 1188/cupsd

Printer was switched off. Have router to another (CentOS 5) that reports an attempted intrusion on SELinux.
While you're at it (please), how do you get into sudo when you forgot, or did not know how to, associate a replaced user with sudoers, i.e. cannot reset the unix password?
In the meantime I will work through the suggestions, providing I can get access to root. Case of panic maybe.

Fred.
 
Old 01-14-2010, 05:02 PM   #9
donnied
Member
 
Registered: Oct 2006
Distribution: Debian x64
Posts: 198

It's just listening for a printer. It doesn't depend on whether the printer is on or not.
Quote:
Originally Posted by Fred Caro
Have router to another (CentOS 5) that reports an attempted intrusion on SELinux.
Was that the only listening port on the Mint Machine?
What were the reported intrusion attempts?


Quote:
Originally Posted by Fred Caro
While you're at it (please), how do you get into sudo when you forgot, or did not know how to, associate a replaced user with sudoers, i.e. cannot reset the unix password?
What do you mean?

Last edited by donnied; 01-14-2010 at 05:06 PM.
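The `netstat -patn` output quoted above, run through a small parser that separates sockets bound to loopback from sockets reachable over the network. This is an added example, not code from donnied's reply or from anyone in the thread. The two cupsd lines mirror the output Fred posted; the sshd, dhclient and apt-get lines are constructed to show the other cases. The point donnied makes is made mechanical: a listener on 127.0.0.1 or ::1 cannot be reached from the LAN at all, whereas one bound to 0.0.0.0 or :: is what an outside scan would actually find.

```python
import ipaddress

# Constructed sample in the layout of `netstat -patn` (servers and established).
# The two cupsd lines are the ones quoted in the thread; the rest are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1188/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1188/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2041/sshd
tcp        0      0 192.168.0.100:44320     91.189.94.4:80          ESTABLISHED 2300/apt-get
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1075/dhclient
"""


def split_addr(s):
    """Split 'host:port'; rpartition keeps IPv6 literals such as '::1' intact."""
    host, _, port = s.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per socket line; header lines and unknown protocols are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        host, port = split_addr(parts[3])
        if parts[0].startswith("tcp"):
            state, prog = parts[5], parts[6]   # tcp lines carry a State column
        else:
            state, prog = "-", parts[5]        # udp lines have no State column
        rows.append({"proto": parts[0], "host": host, "port": port,
                     "state": state, "program": prog})
    return rows


def exposure(host):
    """'loopback' = only this machine, 'all' = every interface, 'interface' = one specific address."""
    if host in ("0.0.0.0", "::", "*"):
        return "all"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "interface"
    except ValueError:
        return "unknown"


def network_reachable_listeners(rows):
    """Listening (or unconnected UDP) sockets that another host on the network could talk to."""
    return [r for r in rows
            if r["state"] in ("LISTEN", "-") and exposure(r["host"]) != "loopback"]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in rows:
        print(f"{r['proto']:5} {r['host']}:{r['port']:<6} {r['state']:12} "
              f"{r['program']:15} exposure={exposure(r['host'])}")
    print("reachable from the network:",
          [r["program"] for r in network_reachable_listeners(rows)])
```

On the Mint machine in the thread, only the two cupsd entries are present and both are loopback-only, so nothing in that listing is reachable from the router side; on a box that does show an `all`-exposure listener, that program and port is the one worth explaining or firewalling.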
 
Old 01-18-2010, 05:05 PM   #10
Fred Caro
Senior Member
 
Registered: May 2007
Posts: 1,007

Original Poster
invaders

Dear sirs,
the listening port I do not know, only that the router seems to be open, ease of use! SELinux reports an intruder on a different connected computer, but running 'apt-get update' and 'apt-get install chkrootkit triger' results in:

 ______________________________________
/ Q: What do you call a boomerang that \
\ doesn't come back? A: A stick.       /
 --------------------------------------
   \
    \
        .--.
       |o_o |
       |:_/ |
      //   \ \
     (|     | )
    /'\_   _/`\
    \___)=(___/

carno@carno-desktop ~ $ sudo apt-get update
[sudo] password for carno:
Sorry, try again.
[sudo] password for carno:
Building old list of packages... [done]
Building old list of available updates... [done]
Building old list of watched packages... [done]
Hit http://archive.ubuntu.com karmic Release.gpg
Hit http://archive.ubuntu.com karmic/main Translation-en_GB
Hit http://archive.canonical.com karmic Release.gpg
Ign http://archive.canonical.com karmic/partner Translation-en_GB
Hit http://archive.ubuntu.com karmic/restricted Translation-en_GB
Hit http://archive.ubuntu.com karmic/universe Translation-en_GB
Hit http://archive.ubuntu.com karmic/multiverse Translation-en_GB
Hit http://archive.ubuntu.com karmic-updates Release.gpg
Ign http://archive.ubuntu.com karmic-updates/main Translation-en_GB
Ign http://archive.ubuntu.com karmic-updates/restricted Translation-en_GB
Ign http://archive.ubuntu.com karmic-updates/universe Translation-en_GB
Ign http://archive.ubuntu.com karmic-updates/multiverse Translation-en_GB
Hit http://security.ubuntu.com karmic-security Release.gpg
Ign http://security.ubuntu.com karmic-security/main Translation-en_GB
Hit http://archive.canonical.com karmic Release
Hit http://archive.ubuntu.com karmic Release
Ign http://security.ubuntu.com karmic-security/restricted Translation-en_GB
Ign http://security.ubuntu.com karmic-security/universe Translation-en_GB
Ign http://security.ubuntu.com karmic-security/multiverse Translation-en_GB
Hit http://security.ubuntu.com karmic-security Release
Hit http://archive.ubuntu.com karmic-updates Release
Hit http://archive.canonical.com karmic/partner Packages
Hit http://archive.ubuntu.com karmic/main Packages
Hit http://security.ubuntu.com karmic-security/main Packages
Hit http://archive.ubuntu.com karmic/restricted Packages
Hit http://archive.ubuntu.com karmic/universe Packages
Hit http://archive.ubuntu.com karmic/multiverse Packages
Hit http://archive.ubuntu.com karmic-updates/main Packages
Hit http://security.ubuntu.com karmic-security/restricted Packages
Hit http://security.ubuntu.com karmic-security/universe Packages
Hit http://security.ubuntu.com karmic-security/multiverse Packages
Hit http://archive.ubuntu.com karmic-updates/restricted Packages
Hit http://archive.ubuntu.com karmic-updates/universe Packages
Hit http://archive.ubuntu.com karmic-updates/multiverse Packages
Get: 1 http://packages.linuxmint.com helena Release.gpg [198B]
Hit http://packages.medibuntu.org karmic Release.gpg
Ign http://packages.medibuntu.org karmic/free Translation-en_GB
Ign http://packages.medibuntu.org karmic/non-free Translation-en_GB
Ign http://packages.linuxmint.com helena/main Translation-en_GB
Ign http://packages.linuxmint.com helena/upstream Translation-en_GB
Ign http://packages.linuxmint.com helena/import Translation-en_GB
Hit http://packages.medibuntu.org karmic Release
Get: 2 http://packages.linuxmint.com helena Release [7,251B]
Hit http://packages.medibuntu.org karmic/free Packages
Hit http://packages.medibuntu.org karmic/non-free Packages
Ign http://packages.linuxmint.com helena/main Packages
Ign http://packages.linuxmint.com helena/upstream Packages
Ign http://packages.linuxmint.com helena/import Packages
Ign http://packages.linuxmint.com helena/main Packages
Ign http://packages.linuxmint.com helena/upstream Packages
Ign http://packages.linuxmint.com helena/import Packages
Hit http://packages.linuxmint.com helena/main Packages
Hit http://packages.linuxmint.com helena/upstream Packages
Hit http://packages.linuxmint.com helena/import Packages
Fetched 7,449B in 5s (1,318B/s)
Building new list of packages... [done]
Building new list of available updates... [done]
Building new list of watched packages... [done]
Building list of outdated packages... [done]

No new updates.
No new or removed packages.
No news in watched packages.
Outdated packages:
linux-generic/karmic - 2.6.31.14.27 -> 2.6.31.17.30, 96 days
linux-headers-generic/karmic - 2.6.31.14.27 -> 2.6.31.17.30, 96 days
linux-image-generic/karmic - 2.6.31.14.27 -> 2.6.31.17.30, 96 days
Reading package lists... Done
carno@carno-desktop ~ $ sudo apt-get install chkrootkit triger
Reading package lists... Done
Building dependency tree
Reading state information... Done
chkrootkit is already the newest version.
E: Couldn't find package triger
carno@carno-desktop ~ $
Does that solve the problem or make more?

Fred
 
Old 01-18-2010, 08:06 PM   #11
DaveChelios
LQ Newbie
 
Registered: Feb 2006
Distribution: openSUSE 11.0
Posts: 6

X-D

It's tiger, not triger.

You say your router is open for "ease of use", yet you've been wrestling with this "issue" for over a week now. How is this easier than simply securing your network?
 
Old 01-18-2010, 10:33 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Here are a few general suggestions:

(1) Don't "assume" that "anyone can get in if they merely try." They can't. This is not a Windows Home Edition box being run by "a clueless doofus with Administrator privileges." Your system's default configuration will have set you up as a non-root user, which is therefore limited to having access to just "your" files. The reason why so many Windows systems have problems is that their users have carte-blanche access to everything, "including Windows itself." Linux doesn't do this (and Windows certainly doesn't have to!!).

(2) Use a firewall-equipped Router. You probably already do. Change the network-ID if it's wireless, install a meaningful password, secure the admin-page, and otherwise just leave it to its defaults. Without further attention from you, it will keep most things out.

(3) Rogue programs are opportunists. They scope-out the networks looking for "easy pickin's," knowing that they will find millions of unprotected targets. Even the slightest defenses (and your system is bristling with them...) will generally keep these rogues away.
 
Old 01-18-2010, 11:37 PM   #13
Fred Caro
Senior Member
 
Registered: May 2007
Posts: 1,007

Original Poster
invaders again

Dear senior member and all,
thanks for all your replies. The reason I have not applied myself sufficiently is that other things have taken over, and I have had 4 hard drives die in the last 2 weeks, but I will examine all comments... eventually!

Fred.
 