Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-26-2004, 08:07 PM  #1
LQ Newbie | Registered: Jan 2004 | Posts: 3
Am I compromised?
Hello,
I'm really new to Linux. I was able to download Mandrake 9.2 and install it on one of my PCs. I set the security to "higher".
Shorewall is running on the machine.
Last week when I booted up my Linux box and checked the "last" command, I noticed that all the entries had been "erased".
A TCP port is open and listening on 32768.
What can I do to determine how the intruder got me?
And what is this port for?
Thanks for the help.
Dripter
01-26-2004, 09:33 PM  #2
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Re: Am I compromised?
> Last week when I booted up my Linux box and checked the "last" command, I noticed that all the entries had been "erased".
Download and run chkrootkit. One of its features is to check system logs for signs of deletion, using chkwtmp. You may need to compile chkwtmp in order for it to run that check. It could also just be that the old wtmp was rotated out and the new wtmp is empty.
> A TCP port is open and listening on 32768.
Probably just something that uses dynamic port assignment (could be a web browser, file shares, etc.). Port 32768 is usually one of the first ports used, and as additional connections are needed it increments the port number (often you'll see it alternate between 32768+n and 1024+n). Run lsof -i to see what application is using the port.
> What can I do to determine how the intruder got me?
There's still no evidence that you have been compromised. Download and run chkrootkit, and go through your logs looking for any irregularities.
> And what is this port for?
See above.
Once you're pretty sure that you haven't been compromised, do yourself a favor and take the time to install a file integrity scanner like Tripwire, Samhain, AIDE, etc. Ideally you'd want to install it immediately after installing the system and updating patches, but it will let you know with a single command whether any files have been altered (hopefully). Also turn off any unneeded server applications and verify all your patches are up to date. There are also a ton of other security measures you can take, so do some reading in the security references thread.
Last edited by Capt_Caveman; 01-26-2004 at 10:47 PM.
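The chkwtmp check recommended above looks for wtmp records that were overwritten with zeros rather than removed, which is the trace common log wipers leave behind. The script below is an added example (mine, not from the thread and not chkrootkit's code) that applies the same heuristic to a wtmp file. It assumes the glibc x86_64 struct utmp layout (384-byte records with 32-bit timestamps); the sample records, the user name and the epoch timestamp are constructed for illustration. An empty file is reported separately, because that matches the rotation explanation in the reply rather than tampering.

```python
"""Look for wtmp records zeroed in place, the trace chkwtmp reports as deletions.

Added example. Assumes the glibc x86_64 struct utmp layout (384-byte records);
the sample records and timestamps below are constructed, not taken from any host.
"""
import struct
import sys

# struct utmp fields: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit (e_termination, e_exit), ut_session, ut_tv.tv_sec,
# ut_tv.tv_usec, ut_addr_v6[4], unused[20]; "<" = little-endian, no padding.
UTMP_FMT = "<hhi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on this layout

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one wtmp record; used here only to build the constructed sample."""
    return struct.pack(UTMP_FMT, ut_type, 0, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"")


def parse_wtmp(data):
    """Decode every complete record; a trailing partial record is left for the audit to flag."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({
            "offset": off,
            "type": f[0],
            "pid": f[2],
            "line": f[3].rstrip(b"\0").decode(errors="replace"),
            "user": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[10],
            "all_zero": raw == bytes(UTMP_SIZE),
        })
    return records


def audit_wtmp(data):
    """Apply chkwtmp-style heuristics and return a summary dict with a verdict."""
    recs = parse_wtmp(data)
    result = {"records": len(recs), "zeroed": 0, "no_timestamp": 0,
              "out_of_order": 0, "partial_tail": len(data) % UTMP_SIZE != 0}
    if not recs:
        # Nothing to read: consistent with a freshly rotated wtmp, not with wiping.
        result["verdict"] = "empty: no records (consistent with logrotate having started a new file)"
        return result
    newest = 0
    for r in recs:
        if r["all_zero"]:
            # Log wipers that zero a record in place leave exactly this behind.
            result["zeroed"] += 1
            continue
        if r["time"] == 0:
            result["no_timestamp"] += 1   # a typed record with no time is not how login writes them
        elif r["time"] < newest:
            result["out_of_order"] += 1   # wtmp is append-only, so time should not go backwards
        newest = max(newest, r["time"])
    flagged = result["zeroed"] + result["no_timestamp"] + result["out_of_order"]
    result["verdict"] = ("suspicious: %d record(s) need explaining" % flagged
                         if flagged else "no signs of in-place deletion")
    return result


# Constructed sample: boot, a login, one record zeroed in place, then the logout.
T0 = 1075000000  # assumed epoch seconds (late January 2004)
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", T0),
    make_record(USER_PROCESS, 1234, "tty1", "dripter", "", T0 + 60),
    bytes(UTMP_SIZE),
    make_record(DEAD_PROCESS, 1234, "tty1", "", "", T0 + 3600),
])

if __name__ == "__main__":
    # Usage: python3 wtmp_audit.py [/var/log/wtmp]; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for key, value in audit_wtmp(data).items():
        print("%-13s %s" % (key, value))
```

Run it as root against /var/log/wtmp and any rotated copy such as wtmp.1. A zeroed record sitting between valid ones is hard to explain innocently; an out-of-order timestamp may only mean the clock was stepped after boot, so read it together with syslog before drawing conclusions. The layout constant is for glibc on x86_64; 32-bit systems and other libcs use a different struct utmp, so check that the file size is a whole multiple of UTMP_SIZE before trusting the output.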
01-26-2004, 11:39 PM  #3
LQ Newbie | Registered: Jan 2004 | Posts: 3 | Original Poster
Am I Compromised?
Thanks. I did install and run chkrootkit, and it doesn't seem to find anything suspicious.
When I run "Isof -i" to see what apps the port is tied to, the system replies "command not found". Is Isof a standard app on all distros? I'm using Mandrake.
Thanks again.
01-26-2004, 11:51 PM  #4
LQ Newbie | Registered: Jan 2004 | Posts: 3 | Original Poster
My mistake... pardon my ignorance... what I typed was "I" (capital 'i'), not lowercase 'L'; that's why the system cannot find the command "lsof -i".
I forgot that all commands in Linux are in lower case? Am I right? Anyway...
The port is tied to "xinetd". Is this just normal?
Thanks again.
01-27-2004, 12:04 AM  #5
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Re: Am I Compromised?
> When I run "Isof -i" to see what apps the port is tied to, the system replies "command not found". Is Isof a standard app on all distros? I'm using Mandrake.
Unfortunately it's not a standard application, which sucks because it's a really handy tool. But you can actually do the same thing using netstat and ps; it just adds a little more work.
First look up the Process ID (PID) of the entry using netstat:
netstat -anp
The last column of that output will give you the PID and possibly the name of the process itself. If only a numeric PID is given and no name, then look up the process using ps:
ps -ef | grep <insert PID here>
It's much easier just to use lsof -i. Several rootkits also trojan the netstat command, but their creators forgot to change the lsof command too, so I guess it's got technical merits as well. Good that the chkrootkit command didn't show anything suspicious.
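The point that a trojaned netstat can lie while lsof still tells the truth generalises to any second, independent view of the socket table. The script below is an added example (mine, not from the thread) that reads the kernel's own /proc/net/tcp, where a listening socket appears as state 0A with its port in hex, parses the netstat -anp output described in the reply, and reports any listening port present in one view but not the other. Both captures are constructed samples: the 612/xinetd entry, the inode numbers and the hidden port 3000 are illustrative and not from the poster's machine.

```python
"""Cross-check listening TCP ports reported by netstat against /proc/net/tcp.

Added example. Assumes the standard /proc/net/tcp and `netstat -anp` text layouts;
the two captures below are constructed samples, not output from any real host.
"""
import sys

TCP_LISTEN = 0x0A  # 'st' column value for a listening socket in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return {port: inode} for every LISTEN socket. Columns: sl, local, remote, st, ..., inode."""
    listening = {}
    for line in text.splitlines()[1:]:            # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        local, state, inode = cols[1], int(cols[3], 16), int(cols[9])
        if state == TCP_LISTEN:
            port = int(local.rsplit(":", 1)[1], 16)  # local address is hex "AABBCCDD:PPPP"
            listening[port] = inode
    return listening


def parse_netstat_listen(text):
    """Return {port: "PID/Program"} for tcp/tcp6 LISTEN rows of `netstat -anp` output."""
    listening = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[5] != "LISTEN":
            continue
        port = int(cols[3].rsplit(":", 1)[1])
        # netstat prints "-" when it cannot map the socket to a PID (usually: not running as root)
        listening[port] = cols[6] if len(cols) > 6 else "-"
    return listening


def cross_check(proc_text, netstat_text):
    """Diff the two views; a port the kernel knows but netstat omits is the classic trojaned-netstat sign."""
    kernel = parse_proc_net_tcp(proc_text)
    netstat = parse_netstat_listen(netstat_text)
    return {
        "hidden_from_netstat": sorted(set(kernel) - set(netstat)),
        "only_in_netstat": sorted(set(netstat) - set(kernel)),
        "owners": {p: netstat[p] for p in sorted(set(kernel) & set(netstat))},
    }


# Constructed /proc/net/tcp: ports 0x0016 (22), 0x8000 (32768) and 0x0BB8 (3000) listening,
# plus one established connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4711 1 0000000000000000 100 0 0 10 0
   1: 00000000:8000 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5120 1 0000000000000000 100 0 0 10 0
   2: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 4800 1 0000000000000000 20 4 30 10 -1
"""

# Constructed `netstat -anp` excerpt for the same machine: port 3000 is missing.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      612/xinetd
tcp        0      0 127.0.0.1:22            127.0.0.1:50081         ESTABLISHED -
"""

if __name__ == "__main__":
    # Usage: python3 portcheck.py /proc/net/tcp netstat_capture.txt  (no arguments: use the samples)
    if len(sys.argv) == 3:
        proc_text, netstat_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        proc_text, netstat_text = SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT
    for key, value in cross_check(proc_text, netstat_text).items():
        print("%-20s %s" % (key, value))
```

Capture netstat -anp as root, since without root it prints "-" in the PID column and that is not evidence of anything. This only catches a userland trojan: a kernel-level rootkit that hooks /proc can hide the socket from both views, which is why the advice to run chkrootkit and a file integrity scanner still stands. IPv6 listeners live in /proc/net/tcp6 and are not parsed here.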
01-27-2004, 12:31 AM  #6
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
> My mistake... pardon my ignorance... what I typed was "I" (capital 'i'), not lowercase 'L'; that's why the system cannot find the command "lsof -i".
Good, so you do have it.
> I forgot that all commands in Linux are in lower case? Am I right?
Off the top of my head, I can't think of any commands that are uppercase, but you will see arguments which are upper- or lowercase (netstat -A).
> The port is tied to "xinetd". Is this just normal?
A lot of distros have xinetd running by default. Personally I don't like xinetd, so I always turn it off. You should first check what services are running through xinetd and see if you need any of them. If not, turn it off. In most cases, xinetd just runs as a manager for weird servers like chargen, echo, sgi-fam, and some other oddities, but there are a few standard servers that run through xinetd. Check your /etc/xinetd.conf and the xinetd.d directory to see what's running. If you don't need any of those servers, then just turn it off. Unless you see a server with an obviously abnormal name like "password sniffer" or "rootkit-backdoor", I don't think you have anything to be worried about.
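To act on the advice above (check /etc/xinetd.conf and xinetd.d for what actually runs), the script below is an added example (mine, not from the thread) that parses xinetd's `service name { attribute = value }` syntax and lists the services xinetd would offer: those without `disable = yes` in their own block that are also not excluded by a `disabled` or `enabled` list in the `defaults` block. It reads the real /etc/xinetd.conf and its includedir when present and otherwise runs over a constructed sample; the service definitions and server paths in that sample are illustrative, not the poster's configuration.

```python
"""List the services xinetd would actually start, from xinetd.conf plus its includedir.

Added example. The sample configuration below is constructed for illustration;
the service names, paths and attribute values are not from any real host.
"""
import os
import re

ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")
SERVICE_RE = re.compile(r"^service\s+(\S+)$")


def parse_xinetd(text, source="<inline>"):
    """Parse one xinetd-format file into (defaults_attrs, [service dicts])."""
    defaults, services, block = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line or line == "{":
            continue
        m = SERVICE_RE.match(line)
        if m:
            block = {"name": m.group(1), "attrs": {}, "source": source}
        elif line == "defaults":
            block = {"name": None, "attrs": defaults, "source": source}
        elif line == "}":
            if block and block["name"] is not None:
                services.append(block)
            block = None
        elif block is not None:
            m = ATTR_RE.match(line)
            if not m:
                continue
            key, op, value = m.groups()
            attrs, current = block["attrs"], block["attrs"].get(key, "")
            if op == "+=":                       # list attributes can be extended...
                attrs[key] = (current + " " + value).strip()
            elif op == "-=":                     # ...or have entries removed
                attrs[key] = " ".join(v for v in current.split() if v not in value.split())
            else:
                attrs[key] = value
    return defaults, services


def enabled_services(defaults, services):
    """Services xinetd will offer: not disabled in their block, not excluded by defaults."""
    disabled_ids = set(defaults.get("disabled", "").split())
    enabled_ids = set(defaults["enabled"].split()) if "enabled" in defaults else None
    result = []
    for svc in services:
        sid = svc["attrs"].get("id", svc["name"])  # the defaults lists refer to the service id
        if svc["attrs"].get("disable", "no").lower() == "yes" or sid in disabled_ids:
            continue
        if enabled_ids is not None and sid not in enabled_ids:
            continue
        result.append(svc)
    return result


def audit(conf_text, dir_files):
    """Parse xinetd.conf and each includedir file; return sorted names of enabled services."""
    defaults, services = parse_xinetd(conf_text, "xinetd.conf")
    for fname in sorted(dir_files):
        _, extra = parse_xinetd(dir_files[fname], fname)
        services.extend(extra)
    return sorted(svc["name"] for svc in enabled_services(defaults, services))


def read_live_config(conf_path="/etc/xinetd.conf"):
    """Read the real config and its includedir (xinetd skips files containing '.' or ending in '~')."""
    conf_text = open(conf_path).read()
    dir_files = {}
    for m in re.finditer(r"^\s*includedir\s+(\S+)", conf_text, re.M):
        for fname in os.listdir(m.group(1)):
            if "." not in fname and not fname.endswith("~"):
                dir_files[fname] = open(os.path.join(m.group(1), fname)).read()
    return conf_text, dir_files


# Constructed sample: echo has no 'disable' line but is switched off via defaults;
# chargen is disabled in its own block; sgi_fam and rsync are live.
SAMPLE_CONF = """
defaults
{
        log_type    = SYSLOG authpriv
        disabled    = echo-stream
}
includedir /etc/xinetd.d
"""
SAMPLE_XINETD_D = {
    "chargen": "service chargen\n{\n\tdisable = yes\n\ttype = INTERNAL\n\tid = chargen-stream\n\tsocket_type = stream\n\twait = no\n}\n",
    "echo":    "service echo\n{\n\ttype = INTERNAL\n\tid = echo-stream\n\tsocket_type = stream\n\twait = no\n}\n",
    "sgi_fam": "service sgi_fam\n{\n\tdisable = no\n\ttype = RPC UNLISTED\n\tsocket_type = stream\n\twait = yes\n\tserver = /usr/bin/fam\n}\n",
    "rsync":   "service rsync\n{\n\tdisable = no\n\tsocket_type = stream\n\twait = no\n\tserver = /usr/bin/rsync\n\tserver_args = --daemon\n}\n",
}

if __name__ == "__main__":
    if os.path.isfile("/etc/xinetd.conf"):
        conf_text, dir_files = read_live_config()
    else:
        conf_text, dir_files = SAMPLE_CONF, SAMPLE_XINETD_D
    print("enabled xinetd services:", ", ".join(audit(conf_text, dir_files)) or "(none)")
```

An entry with no `disable` line is enabled, which is xinetd's default, so a short file is not automatically harmless. Services of `type = RPC` register with the portmapper rather than binding a well-known port, so the port number alone says little about what is behind it; the service definitions that are enabled are what to review, and anything in that list you do not recognise deserves a look at its `server` path before you decide.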