Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have 10 or 20 strange files in a folder called /tmp/orbit-root/ that have names like
linc-e8e-0-2b61a9f6550a1, and are of the type "x-special socket", are zero bytes, and have the permission string: -rwxr-xr-x (755).
Also, I seem to always have 2 instances of dhclient running:
udp 0 0 *:bootpc *:* 1857/dhclient
udp 0 0 *:bootpc *:* 1367/dhclient
.
Does anyone know offhand if this is normal?
Offhand yes this is perfectly normal. Dhclient would be run if you're network card is set to get its IP off your ISP using DHCP, this is probably the most common configuration these days.
The /tmp/orbit stuff is created by the ORBit CORBA thingo. This is a normal system component used in many GUI apps - mainly those that use GTK and/or GNOME.
Code:
rpm -qi ORBit
ORBit is a high-performance CORBA (Common Object Request Broker
Architecture) ORB (object request broker). It allows programs to send
requests and receive replies from other programs, regardless of the
locations of the two programs. CORBA is an architecture that enables
communication between program objects, regardless of the programming
language they are written in or the operating system they run on.
You will need to install this package and ORBit-devel if you want to
write programs that use CORBA technology
Thanks for the response --- I'm new to *NIX. I guess this CORBA is as close a protocol to COM & DCOM as there is. I lock down my firewall with
:FORWARD DROP [0:0]
:INPUT DROP [4:764]
:OUTPUT DROP [32:2292]
when I'm not using the system, but I notice ethereal can still log any packets on the wire, my point being that perhaps a trojan could still receive input even under this draconian ruleset, maybe masquerading as dhclient to call home? Well, I suppose if there is already such a process running to start with, all is lost, and the only way a firewall can be effective is if it's running on a clean system and all it can realisticaly be expected to do is help keep a clean system clean --- it's unreal;istic to think it can uncompromise a compromised box.
thanks. I guess I can consider this issue resolved.
Ethereal captures raw packets directly from the interface. It is possible, but unlikely, for software to do the same. I also believe that it is IMPOSSIBLE for software to send packets without it traversing IPTables: hence, only one side of a conversation would work, making a TCP connection impossible.
Of course - ethereal can still see the packets coming into or out of your machine wether the firewall ends up dropping them or rejecting them or whatever doesn't matter because ethereal's packet capture driver works at a low level. This is why it usually asks you to run it as root when you start it.
Quote:
Well, I suppose if there is already such a process running to start with, all is lost
Yeah exactly. Even if you blocked everything incoming and outgoing except for port 80 outgoing your trojan could still contact the hacker's computer on port 80 and establish a connection. Trojans and viruses are extremely rare on linux, to the point where as long as you don't do anything stupid you dont have to worry about them.
-------------------
Trojans and viruses are extremely rare on linux, to the point where as long as you don't do anything stupid you dont have to worry about them.
------------------
Yep --- thats why I switched. Too much trouble keeping the rabble out of my winXP system --- compounded by the fact that windows doesn't come with much ware to start with, necessitating the downloading of many (potentialy treacherous) apps that you can never be too sure of because they're proprietary and default-configured for minimizing support calls, not maximim security (ie all services up, remote desktop available for 'support people', etc). You know, with winXP home, you're simply not supposed to be able to remove the guest account or prevent null sessions? And I don't even have anything valuable on my system, all they're after is my lousy megabit class bandwidth --- the lamers.
OK, thanks guys --- I guess this one's resolved now, too.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
