LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-26-2004, 08:07 PM   #1
dripter
LQ Newbie
 
Registered: Jan 2004
Posts: 3

Rep: Reputation: 0
Am I compromised?


Hello,

I'm really new to Linux. I was able to download Mandrake 9.2 and install it on one of my PCs. I set the security level to "higher".

Shorewall is running on the machine.

Last week when I booted up my Linux box and checked the "last" command, I noticed that all the entries had been "erased".


A TCP port has been open and listening on 32768.

What can I do to determine how the intruder got me?
And what is this port for?

Thanks for the help.

Dripter
 
Old 01-26-2004, 09:33 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: Am I compromised?

Last week when I booted up my Linux box and checked the "last" command, I noticed that all the entries had been "erased".
Download and run chkrootkit. One of its features is to check system logs for signs of deletion using chkwtmp. You may need to compile chkwtmp in order for it to run that check. Could just be that the old wtmp was rotated out and the new wtmp is now empty.

A tcp port has been open and listening on 32768.
Probably just something that uses dynamic port assignment (could be a web browser, file shares, etc.). Port 32768 is usually one of the first ports used, and as additional connections are needed it increments the port numbers (often you'll see it alternate between 32768+n and 1024+n). Run lsof -i to see what application is using the port.

What i can do to determined how the intruder got me?
Still don't have any evidence that you have been compromised. Download and run chkrootkit and go through your logs looking for any irregularities.

what is this port for?
See above.

Once you're pretty sure that you haven't been compromised, do yourself a favor and take the time to install a file integrity scanner like tripwire, samhain, aide, etc. Ideally you'd want to install it immediately after installing the system and updating patches, but it will let you know with a single command whether any files have been altered (hopefully). Also turn off any un-needed server applications and verify all your patches are updated. There's also a ton of other security measures you can take, so do some reading in the security references thread.

Last edited by Capt_Caveman; 01-26-2004 at 10:47 PM.
 
Old 01-26-2004, 11:39 PM   #3
dripter
LQ Newbie
 
Registered: Jan 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Am I Compromised?

Thanks, I installed and ran chkrootkit and it doesn't seem to find anything suspicious.

When I run "Isof -i" to see what app the port is tied to, the system replies "command not found". Is Isof a standard app on all distros? I'm using Mandrake.

Thanks again.
 
Old 01-26-2004, 11:51 PM   #4
dripter
LQ Newbie
 
Registered: Jan 2004
Posts: 3

Original Poster
Rep: Reputation: 0
My mistake... pardon my ignorance... what I typed was "I" (capital 'i'), not a lowercase 'L'; that's why the system couldn't find the command "lsof -i".

I forgot that all commands in Linux are in lowercase? Am I right? Anyway...
the port is tied to "xinetd". Is this just normal?

Thanks again.
 
Old 01-27-2004, 12:04 AM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: Am I Compromised?

When I run "Isof -i" to see what app the port is tied to, the system replies "command not found". Is Isof a standard app on all distros? I'm using Mandrake.
Unfortunately, it's not a standard application, which sucks because it's a really handy tool. But you can actually do the same thing using netstat and ps; it just adds a little more work.

First look up the Process ID (PID) of the entry using netstat:

netstat -anp

The last column of that output will give you the PID and possibly the name of the process itself. If only a numeric PID is given and no name, then look up the process using ps:

ps -ef | grep <insert PID here>

Much easier just to use lsof -i. Several rootkits also trojan the netstat command, but the creators forgot to change the lsof command too, so I guess it's got technical merits as well. Good that chkrootkit didn't show anything suspicious.
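The two checks described in posts #2 and #5 (find which process owns a listening port, then compare what netstat reports against what lsof reports, since a trojaned netstat usually hides only its own backdoor) as one added example. This is example code, not from the thread or any poster; the NETSTAT_SAMPLE and LSOF_SAMPLE strings are constructed sample output, and the 31337/"backdoor" entry is invented purely so the cross-check has something to find.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves a listening TCP port to the
# PID/program that netstat reports, and cross-checks the listening ports
# seen by netstat against those seen by lsof. Both *_SAMPLE strings are
# constructed sample output for the demo, not captures from a real host.

# Constructed sample of `netstat -antp` (the PID/Program column shows "-"
# for sockets owned by other users unless you run it as root).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      1023/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      742/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.5:45120       192.168.1.1:80          ESTABLISHED 2210/firefox'

# Constructed sample of `lsof -iTCP -sTCP:LISTEN -P -n`; it deliberately
# contains one listener (31337) that the netstat sample does not show.
LSOF_SAMPLE='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
xinetd    1023 root    5u  IPv4   2876      0t0  TCP *:32768 (LISTEN)
sshd       742 root    3u  IPv4   2541      0t0  TCP *:22 (LISTEN)
sendmail   901 root    4u  IPv4   2650      0t0  TCP 127.0.0.1:25 (LISTEN)
backdoor  3141 root    3u  IPv4   9999      0t0  TCP *:31337 (LISTEN)'

# pid_for_port PORT NETSTAT_OUTPUT
# Prints the PID/Program field of the LISTEN socket bound to PORT ("-" when
# netstat could not attribute it), or nothing if no such socket exists.
pid_for_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")        # local address is host:port
            if (a[n] == port) { print $7; exit }
        }'
}

# listen_ports_netstat NETSTAT_OUTPUT : one listening port per line
listen_ports_netstat() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n | uniq
}

# listen_ports_lsof LSOF_OUTPUT : one listening port per line
listen_ports_lsof() {
    printf '%s\n' "$1" | awk '
        /\(LISTEN\)$/ { n = split($(NF-1), a, ":"); print a[n] }' |
        sort -n | uniq
}

# hidden_listeners NETSTAT_OUTPUT LSOF_OUTPUT
# Prints ports that lsof sees listening but netstat does not. A rootkit
# that replaced netstat typically filters its own port, so any output here
# deserves a close look (a kernel-level rootkit can fool both tools).
hidden_listeners() {
    t1=$(mktemp); t2=$(mktemp)
    listen_ports_netstat "$1" | sort > "$t1"
    listen_ports_lsof "$2"    | sort > "$t2"
    comm -13 "$t1" "$t2"     # lines only in the lsof list
    rm -f "$t1" "$t2"
}

# Demo against the constructed samples. On a live box, run as root:
#   pid_for_port 32768 "$(netstat -antp 2>/dev/null)"
#   hidden_listeners "$(netstat -antp 2>/dev/null)" \
#                    "$(lsof -iTCP -sTCP:LISTEN -P -n 2>/dev/null)"
echo "port 32768 -> $(pid_for_port 32768 "$NETSTAT_SAMPLE")"
echo "seen by lsof but not netstat: $(hidden_listeners "$NETSTAT_SAMPLE" "$LSOF_SAMPLE")"
```

On a current distribution `ss -ltnp` gives the same port-to-PID mapping as `netstat -antp`; the cross-check idea is the same, and a third opinion from `cat /proc/net/tcp` (hex-encoded ports, no process names) costs nothing. A disagreement between tools is a reason to rebuild from known-good media, not to keep poking the live system.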
 
Old 01-27-2004, 12:31 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
my mistake... pardon my ignorance... what i typed was "I" capital 'i' not small letter 'L' that's why the system cannot find the command "lsof -i"
Good, so you do have it.

i forgot that all commands in linux are in lower case? am i right?
Off the top of my head, I can't think of any of the commands that are uppercase, but you will see arguments which are upper or lowercased. (netstat -A)

the port is tied to "xinetd" is this just normal
A lot of distros have xinetd running by default. Personally I don't like xinetd, so I always turn it off. You should check what services are running through xinetd first and see if you need any of them. If not, turn it off. In most cases, xinetd just runs as a manager for the weird servers like chargen, echo, sgi-fam, and some other oddities, but there are a few standard servers that run through xinetd. Check your /etc/xinetd.conf and xinetd.d directory to see what's running. If you don't need any of those servers, then just turn it off. Unless you see a server with an obviously abnormal name like "password sniffer" or "rootkit-backdoor", I don't think you have anything to be worried about.
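The xinetd audit described above, as an added example that is not part of the thread or any poster's code: a POSIX sh function that walks an xinetd.d directory and prints only the services that are actually enabled, honouring both a per-service "disable = yes" and the "disabled =" list in the defaults block of xinetd.conf. The sample configuration tree written by make_sample_xinetd_dir is constructed for the demo; the service names (chargen, sgi_fam, telnet) are the ones the post mentions or typical stock entries, not a real host's configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the xinetd services that are
# really enabled so you can decide whether xinetd needs to run at all.
# xinetd turns a service off when its stanza says "disable = yes" or when
# the service name appears in "disabled = ..." in the defaults block.

# make_sample_xinetd_dir DIR : writes a constructed xinetd.conf + xinetd.d
# tree under DIR for the demo (not copied from any real system).
make_sample_xinetd_dir() {
    mkdir -p "$1/xinetd.d"
    cat > "$1/xinetd.conf" <<'EOF'
defaults
{
        instances      = 60
        log_type       = SYSLOG authpriv
        disabled       = chargen echo
}
includedir /etc/xinetd.d
EOF
    # chargen: no "disable" line, but switched off globally above
    cat > "$1/xinetd.d/chargen" <<'EOF'
service chargen
{
        type        = INTERNAL
        id          = chargen-stream
        socket_type = stream
        protocol    = tcp
        user        = root
        wait        = no
}
EOF
    # sgi_fam: explicitly enabled
    cat > "$1/xinetd.d/sgi_fam" <<'EOF'
service sgi_fam
{
        type        = RPC
        rpc_version = 2
        socket_type = stream
        protocol    = tcp
        wait        = yes
        user        = root
        server      = /usr/bin/fam
        disable     = no
}
EOF
    # telnet: explicitly disabled
    cat > "$1/xinetd.d/telnet" <<'EOF'
service telnet
{
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        server      = /usr/sbin/in.telnetd
        disable     = yes
}
EOF
}

# enabled_xinetd_services DIR : prints one enabled service name per line,
# reading DIR/xinetd.conf for the global "disabled" list and every file in
# DIR/xinetd.d for the service stanzas. Use DIR=/etc on a real box.
enabled_xinetd_services() {
    global_off=$(awk -F= '/^[[:space:]]*disabled[[:space:]]*=/ { print $2 }' \
                 "$1/xinetd.conf" 2>/dev/null)
    for f in "$1"/xinetd.d/*; do
        [ -f "$f" ] || continue
        awk -v off=" $global_off " '
            /^[[:space:]]*service[[:space:]]/ { name = $2; disable = "no" }
            /^[[:space:]]*disable[[:space:]]*=/ {
                split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); disable = kv[2]
            }
            /^[[:space:]]*}/ {
                if (disable != "yes" && index(off, " " name " ") == 0) print name
            }' "$f"
    done | sort
}

# Demo on the constructed tree. On a real system:  enabled_xinetd_services /etc
demo=$(mktemp -d)
make_sample_xinetd_dir "$demo"
echo "enabled xinetd services: $(enabled_xinetd_services "$demo" | tr '\n' ' ')"
rm -rf "$demo"
```

If the list comes back empty, or holds only services you do not use, stop and disable xinetd with the distribution's init tools (on Mandrake and other Red Hat style systems of that era, `service xinetd stop` followed by `chkconfig xinetd off`), then confirm the port is gone with `lsof -i` or `netstat -antp`. The script reads only the usual file layout; it does not follow unusual includedir paths, so also glance at xinetd.conf by hand for anything pointing somewhere other than /etc/xinetd.d.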
 