LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-14-2007, 05:07 PM   #1
drmjh
Member
Registered: Mar 2005
Location: North Carolina, USA
Distribution: Ubuntu
Posts: 308
Data Rate transmission discrepancy suggesting hijack


Hi,
I think my computer has been hijacked. I have a miserable dialup service here in rural Ireland that operates at max. 5-6 Kb/s (usual is 3Kb/s).
Recently I have been uploading photos onto Picasa, at Gmail, and noticed several times that a larger amount of traffic was going through on the Receive portion of the "Data Rate-Kinternet panel" rather than the Send portion. No other connections were open and I was receiving nothing (that I know about). I have a solitary desktop and run SUSE 10.2.
This evening, whilst uploading some photos, it was painfully obvious that something wasn't exactly right.
The Receive Data Rate showed an Rx rate of 3.5Kb/s (average) and Transmit a Data Rate of about 100B/s Tx.
I let the program run out and watched as the photos were uploaded. At that point, the Tx dropped to zero and the Receive was boosted up to almost 5Kb/sec. I watched this for a short time and it gave no indication of slacking. I then terminated the connection.
I am pretty much of a Newbie and would like to know:
1/ Does this mean with certainty that I've got a problem ?
2/ If it does, how can I ascertain what the problem is ?
Any help is much appreciated.
drmjh
 
Old 03-15-2007, 05:18 AM   #2
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by drmjh
1/ Does this mean with certainty that I've got a problem ?
yeah, most likely... we'd need to know more in order to say it's a security breach, though...

Quote:
2/ If it does, how can I ascertain what the problem is ?
let's start by having a look at what this command's output looks like while the problem is manifesting itself (make sure you run the command as root):
Code:
netstat -pantu
try not to have anything else using the network when you run this test... that way it'll be much easier to spot which program is connecting and to where... also, make sure your terminal window is maximized when you do this, because if not the copy/paste will be missing some details...

a few questions which would be great if you could comment on: when did this start?? was it after you did something specific?? is your box firewalled?? anyone else have an account on it?? have you seen anything funny in any log files recently?? do you have an ssh daemon running on it (or any other daemon for that matter)?? if possible, let us see the outputs of these commands also:
Code:
ps aux
Code:
iptables -nvL
BTW: please remember to use [ code ] tags when you post command outputs...

 
Old 03-15-2007, 10:54 AM   #3
drmjh (Original Poster)
mathay is the sole user on this machine. I noticed a discrepancy one other time, about 6 months ago, when the data continually showed Receiving, while the mail program had finished downloading the mail. I watched for a while to make sure I was seeing correctly and it continued until I terminated the connection. I do have a simple firewall activated through YaST. I hate to admit it but 99% of what I see when I seldom look at log files is opaque for me.
I'll try to run the netstat -pantu this evening.
Thanks much for your help.
drmjh

 
Old 03-15-2007, 10:59 AM   #4
drmjh (Original Poster)
Code:
linux:/home/mathay # ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0    744   284 ?        Ss   07:54   0:01 init [5]
root         2  0.0  0.0      0     0 ?        S    07:54   0:00 [migration/0]
root         3  0.0  0.0      0     0 ?        SN   07:54   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S    07:54   0:00 [migration/1]
root         5  0.0  0.0      0     0 ?        SN   07:54   0:00 [ksoftirqd/1]
root         6  0.0  0.0      0     0 ?        S<   07:54   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   07:54   0:00 [events/1]
root         8  0.0  0.0      0     0 ?        S<   07:54   0:00 [khelper]
root         9  0.0  0.0      0     0 ?        S<   07:54   0:00 [kthread]
root        13  0.0  0.0      0     0 ?        S<   07:54   0:00 [kblockd/0]
root        14  0.0  0.0      0     0 ?        S<   07:54   0:00 [kblockd/1]
root        15  0.0  0.0      0     0 ?        S<   07:54   0:00 [kacpid]
root        16  0.0  0.0      0     0 ?        S<   07:54   0:00 [kacpi_notify]
root        90  0.0  0.0      0     0 ?        S<   07:54   0:00 [cqueue/0]
root        91  0.0  0.0      0     0 ?        S<   07:54   0:00 [cqueue/1]
root        92  0.0  0.0      0     0 ?        S<   07:54   0:00 [kseriod]
root       136  0.0  0.0      0     0 ?        S    07:54   0:00 [pdflush]
root       137  0.0  0.0      0     0 ?        S    07:54   0:00 [pdflush]
root       138  0.0  0.0      0     0 ?        S<   07:54   0:00 [kswapd0]
root       139  0.0  0.0      0     0 ?        S<   07:54   0:00 [aio/0]
root       140  0.0  0.0      0     0 ?        S<   07:54   0:00 [aio/1]
root       386  0.0  0.0      0     0 ?        S<   07:54   0:00 [kpsmoused]
root       815  0.0  0.0      0     0 ?        S<   07:54   0:00 [reiserfs/0]
root       816  0.0  0.0      0     0 ?        S<   07:54   0:00 [reiserfs/1]
root       864  0.0  0.0   1956   592 ?        S<s  07:54   0:00 /sbin/udevd --daemon
root      1300  0.0  0.0      0     0 ?        S<   07:54   0:00 [khubd]
root      1416  0.0  0.0      0     0 ?        S<   07:54   0:00 [kgameportd]
root      1846  0.0  0.0   1992   840 ?        S<s  07:54   0:00 /usr/sbin/hcid -f /etc/
root      1849  0.0  0.0   1656   564 ?        S<s  07:54   0:00 /usr/sbin/sdpd
root      1862  0.0  0.0   1816   456 ?        S<s  07:54   0:00 /usr/bin/hidd --server
root      1867  0.0  0.0   1732   560 ?        S<s  07:54   0:00 opd: waiting for incomm
root      1874  0.0  0.0      0     0 ?        S<   07:54   0:00 [krfcommd]
root      1881  0.0  0.0   1652   500 ?        S<s  07:55   0:00 /usr/bin/pand --listen
root      2531  0.0  0.0   2104   644 ?        Ss   07:55   0:00 /sbin/syslog-ng
root      2540  0.0  0.0   1720   532 ?        Ss   07:55   0:00 /sbin/klogd -c 1 -x -x
root      2601  0.0  0.0   1824   672 ?        Ss   07:55   0:00 /sbin/resmgrd
root      2606  0.0  0.1   4992  1088 ?        Ss   07:55   0:00 ./hpiod
root      2638  0.0  0.0   1588   516 ?        Ss   07:55   0:00 /sbin/acpid
100       2642  0.0  0.0   3680  1028 ?        Ss   07:55   0:00 /usr/bin/dbus-daemon --
101       2677  0.0  0.3   5756  4036 ?        Ss   07:55   0:01 /usr/sbin/hald --daemon
root      2681  0.0  0.1   3256  1732 ?        Ss   07:55   0:00 /usr/sbin/polkitd
root      2689  0.0  0.1   2952  1116 ?        S    07:55   0:00 hald-runner
root      3215  0.0  0.0   1480   408 ?        S    07:55   0:00 /sbin/dhcpcd -C -H -D -
root      3225  0.0  0.4  10036  5072 ?        S    07:55   0:00 python ./hpssd.py
101       3233  0.0  0.0   2024   860 ?        S    07:55   0:00 hald-addon-keyboard: li
101       3250  0.0  0.0   2024   852 ?        S    07:55   0:00 hald-addon-acpi: listen
root      3304  0.0  0.0   3380   880 ?        S    07:55   0:00 /opt/kde3/bin/kdm
root      3329  3.6  3.8 128624 39788 tty7     Ss+  07:55  11:56 /usr/bin/Xorg -br -noli
root      3332  0.0  0.0   1828   636 ?        S    07:55   0:00 hald-addon-storage: pol
root      3333  0.0  0.1   4048  1368 ?        S    07:55   0:00 -:0
root      3721  0.0  0.0      0     0 ?        S<   07:55   0:00 [kauditd]
mathay    3856  0.0  0.1   4060  1452 ?        Ss   07:55   0:00 /bin/sh /opt/kde3/bin/s
mathay    3914  0.0  0.0   3392   428 ?        Ss   07:55   0:00 /usr/bin/gpg-agent --sh
mathay    3924  0.0  0.0   5152   820 ?        Ss   07:55   0:00 /usr/bin/ssh-agent /bin
mathay    3942  0.0  0.0   3552   580 ?        Ss   07:55   0:00 /usr/bin/dbus-daemon --
mathay    4060  0.0  0.0   1436   140 ?        S    07:55   0:00 start_kdeinit --new-sta
mathay    4133  0.0  0.6  24296  7092 ?        Ss   07:55   0:00 kdeinit Running...
mathay    4155  0.0  0.2  23692  2728 ?        S    07:55   0:00 dcopserver [kdeinit] --
mathay    4184  0.0  0.7  26164  7456 ?        S    07:55   0:00 klauncher [kdeinit] --n
mathay    4186  0.0  1.6  34000 16636 ?        S    07:55   0:00 kded [kdeinit] --new-st
mathay    4247  0.0  0.0   1568   344 ?        S    07:55   0:00 kwrapper ksmserver
mathay    4255  0.0  0.9  26464 10144 ?        S    07:55   0:00 ksmserver [kdeinit]
mathay    4268  0.0  1.2  28724 13372 ?        S    07:55   0:03 kwin [kdeinit] -session
mathay    4316  0.0  1.6  31444 16616 ?        S    07:55   0:03 kdesktop [kdeinit]
mathay    4438  0.0  2.0  38344 21116 ?        S    07:55   0:02 kicker [kdeinit]
mathay    4493  0.0  0.6  24704  6772 ?        S    07:55   0:00 kio_file [kdeinit] file
mdnsd     4867  0.0  0.0   2048   876 ?        Ss   07:55   0:00 /usr/sbin/mdnsd -f /etc
nobody    4904  0.0  0.0   1632   432 ?        Ss   07:55   0:00 /sbin/portmap
root      5012  0.0  0.2   4784  2272 ?        Ss   07:55   0:00 /usr/sbin/cupsd
root      5013  0.0  0.0   1440   304 ?        Ss   07:55   0:01 zmd /usr/lib/zmd/zmd.ex
root      5053  0.0  0.1 106564  1064 ?        Ssl  07:55   0:00 /usr/sbin/nscd
root      5064  0.0  0.0   9952   612 ?        S<sl 07:55   0:00 /sbin/auditd -n
root      5138  0.0  0.1   5808  1292 ?        Ss   07:55   0:00 /usr/sbin/sshd -o PidFi
root      5147  0.0  0.1   4956  1188 ?        Ss   07:55   0:00 /usr/sbin/smpppd
root      5160  0.0  0.1   4424  1780 ?        S    07:55   0:00 /usr/sbin/powersaved -d
root      5196  0.0  0.1   5728  1820 ?        Ss   07:55   0:00 /usr/lib/postfix/master
root      5214  0.0  0.0   1972   564 ?        Ss   07:55   0:00 /usr/sbin/cron
postfix   5216  0.0  0.1   5732  1732 ?        S    07:55   0:00 qmgr -l -t fifo -u
mathay    5322  0.0  1.1  27848 12328 ?        S    07:55   0:00 kxkb [kdeinit]
root      5359  0.0  0.0   2056   648 tty1     Ss+  07:56   0:00 /sbin/mingetty --noclea
root      5360  0.0  0.0   2056   636 tty2     Ss+  07:56   0:00 /sbin/mingetty tty2
root      5367  0.0  0.0   2060   636 tty3     Ss+  07:56   0:00 /sbin/mingetty tty3
root      5368  0.0  0.0   2056   652 tty4     Ss+  07:56   0:00 /sbin/mingetty tty4
root      5371  0.0  0.0   2056   632 tty5     Ss+  07:56   0:00 /sbin/mingetty tty5
root      5374  0.0  0.0   2060   636 tty6     Ss+  07:56   0:00 /sbin/mingetty tty6
mathay    5383  0.0  1.7  31376 18192 ?        S    07:56   0:00 oooqs -session 10e4696e
mathay    5416  0.0  1.3  31448 14324 ?        S    07:56   0:00 kerry [kdeinit] -sessio
mathay    5418  0.0  1.4  30428 15244 ?        S    07:56   0:00 kgpg -session 10e4696e7
root      5422  0.0  2.4  27780 24948 ?        Ss   07:56   0:00 /usr/sbin/spamd -d -c -
mathay    5425  0.0  3.1  86968 32540 ?        Sl   07:56   0:04 kontact -session 10e469
mathay    5439  0.0  1.3  63132 14216 ?        S    07:56   0:00 knotify [kdeinit]
mathay    5447  0.0  2.3  54120 24200 ?        Sl   07:56   0:01 zen-updater --desktop /
mathay    5450  0.0  1.2  28772 12824 ?        S    07:56   0:00 kpowersave [kdeinit]
mathay    5456  0.0  1.3  29220 14172 ?        S    07:56   0:00 kmix [kdeinit] -autosta
mathay    5461  0.0  1.1  27332 11644 ?        S    07:56   0:00 klipper [kdeinit]
mathay    5467  0.0  1.2  27524 13416 ?        S    07:56   0:00 kbluetoothd --dontforce
mathay    5472  0.0  1.2  29528 13004 ?        S    07:56   0:00 kinternet [kdeinit] --q
root      5474  0.0  2.2  27780 23372 ?        S    07:56   0:00 spamd child
root      5475  0.0  2.2  27780 23260 ?        S    07:56   0:00 spamd child
mathay    5477  0.0  1.8  53656 19300 ?        Sl   07:56   0:05 beagled /usr/lib/beagle
mathay    5511  0.0  1.3  29244 14240 ?        S    07:56   0:00 korgac --miniicon korga
mathay    5969  0.0  1.2  26764 12956 ?        S    08:01   0:00 kwalletmanager --kwalle
mathay    6532  0.0  1.5  32376 15828 ?        R    09:33   0:01 konsole [kdeinit]
mathay    6533  0.0  0.1   4532  1948 pts/1    Ss   09:33   0:00 /bin/bash
root      6565  0.0  0.1   4056  1416 pts/1    S    09:41   0:00 su
root      6568  0.0  0.1   4272  1916 pts/1    S    09:41   0:00 bash
mathay    6628  0.0  2.2  39420 23212 ?        S    10:13   0:00 konqueror [kdeinit] --s
mathay    6902  0.1  1.7  43660 17912 ?        Sl   10:56   0:15 beagled-helper /usr/lib
mathay    7000  0.0  0.0      0     0 ?        Z    11:16   0:01 [mono] <defunct>
mathay    7004  0.0  0.0      0     0 ?        Z    11:16   0:01 [mono] <defunct>
mathay    7034  0.0  0.0      0     0 ?        Z    11:25   0:01 [mono] <defunct>
mathay    7038  0.0  0.0      0     0 ?        Z    11:25   0:01 [mono] <defunct>
root      7396  0.0  0.0      0     0 ?        S<   12:25   0:00 [scsi_eh_0]
root      7397  0.0  0.0      0     0 ?        S<   12:25   0:00 [usb-storage]
root      7442  0.0  0.0   1828   636 ?        S    12:25   0:00 hald-addon-storage: pol
postfix   7609  0.0  0.1   5700  1708 ?        S    12:52   0:00 pickup -l -t fifo -u
mathay    7815  0.0  0.1   3792  1404 ?        S    13:15   0:00 /bin/sh /usr/bin/firefo
mathay    7820  3.3  4.9 184548 50964 ?        Sl   13:15   0:09 /usr/lib/firefox/firefo
mathay    7826  0.0  0.2   5792  2548 ?        S    13:15   0:00 /opt/gnome/lib/GConf/2/
mathay    7985  0.2  1.1  28696 11692 ?        SN   13:19   0:00 kio_thumbnail [kdeinit]
root      7986  0.0  0.0   2484   860 pts/1    R+   13:19   0:00 ps aux
linux:/home/mathay #
 
Old 03-15-2007, 11:01 AM   #5
drmjh (Original Poster)
Code:
linux:/home/mathay # iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
12809 1068K ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 input_ext  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
12809 1068K ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
    0     0 reject_func  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 state NEW
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags: 0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject_func (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable
linux:/home/mathay #
 
Old 03-16-2007, 04:02 AM   #6
drmjh (Original Poster)
Well, I don't know whether to laugh or cry. I tried at least 6 times yesterday and evening to tempt my hi-jacker(?) to usurp the transmission but was unable to see the same discrepancy I have in the past. I'll continue to monitor things and see what happens.

BTW, I can't seem to send a message if it's wrapped in text quotes. I get an error message that the "Msg. is too short". This also happened yesterday when I tried to wrap the message in code quotes. That was resolved by choosing the option 'ADVANCED'.
 
Old 03-16-2007, 04:55 AM   #7
win32sux
cool, let us know how it goes... meanwhile, it probably wouldn't be a bad idea to run Rootkit Hunter through your system and see if it spots anything suspicious...

 
Old 03-16-2007, 05:39 PM   #8
drmjh (Original Poster)
Code:
linux:/home/mathay # netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2608/hpiod
tcp        0      0 127.0.0.1:60006         0.0.0.0:*               LISTEN      3256/python
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      5416/spamd.pid
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      4874/portmap
tcp        0      0 127.0.0.1:2544          0.0.0.0:*               LISTEN      5148/zmd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4969/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      5212/master
tcp        0      0 159.134.157.54:1308     80.237.136.138:80       ESTABLISHED 8766/parse-metadata
tcp        0      0 :::22                   :::*                    LISTEN      5031/sshd
tcp        0      0 ::1:631                 :::*                    LISTEN      4969/cupsd
tcp        0      0 ::1:25                  :::*                    LISTEN      5212/master
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           4856/mdnsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3211/dhcpcd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           4856/mdnsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           4874/portmap
udp        0      0 0.0.0.0:631             0.0.0.0:*                           4969/cupsd
linux:/home/mathay #
 
Old 03-16-2007, 05:42 PM   #9
drmjh (Original Poster)
My hijacker was certainly active when I issued the netstat -pantu command.
What do I look for?
 
Old 03-17-2007, 06:54 AM   #10
win32sux
Quote:
Originally Posted by drmjh
Code:
tcp        0      0 159.134.157.54:1308     80.237.136.138:80       ESTABLISHED 8766/parse-metadata
let's focus on this one, as it's the only established connection at the time you ran netstat... parse-metadata seems to be the name of a process that's part of zmd (which is one of the other processes you are running)... this isn't anything factual, it's just the impression i got after a quick google... but let's assume that is correct for a second... i am not familiar with suse and its tools, but zmd seems to be some kind of update manager (i'm not sure)... if you go to the remote IP with which the connection was established, it does look like a mirror, and it does have a suse directory... the IP reverse-resolves to ftp.hosteurope.de... the domain hosteurope.de checks out at siteadvisor.com... based on these things, i think your next step should be to see if disabling zmd stops the weird network activity...

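An added example, not from the thread: a small sh script that does the sorting-through win32sux describes in posts #2 and #10 over a saved `netstat -pantu` listing. It pulls out every ESTABLISHED connection to a non-loopback peer with its PID/Program name (in the listing from post #8 that is the single parse-metadata line), separates the sockets bound to 0.0.0.0 or :: from those bound to 127.0.0.1/::1, and, on a live Linux box, walks /proc/<pid>/status up to init so a helper like parse-metadata can be tied to the daemon that forked it instead of guessed at. The netstat text embedded in the script is copied from post #8; the script name and the way it is invoked are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage of `netstat -pantu` output.
# Usage:  netstat -pantu | sh triage.sh -      or      sh triage.sh saved-netstat.txt
# Run netstat as root, otherwise the PID/Program name column is empty for other users' sockets.
# With no argument the script runs over the listing from post #8 embedded below.

# ESTABLISHED TCP connections whose peer is not loopback: who is talking, from where, to where.
remote_connections() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && $5 !~ /^(127\.|::1:)/ { print $7, $4, "->", $5 }'
}

# Listening sockets bound to a wildcard or external address (0.0.0.0, ::, a real IP).
# They are reachable from the link unless the firewall drops new inbound packets;
# sockets bound to 127.0.0.1 or ::1 are not. UDP lines have no State column, so the
# PID/Program field is $6 there instead of $7.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 !~ /^(127\.|::1:)/ { print $1, $4, $7 }
         $1 ~ /^udp/ &&                  $4 !~ /^(127\.|::1:)/ { print $1, $4, $6 }'
}

# Walk /proc/<pid>/status up to init (Linux only) so a short-lived helper can be tied to
# the daemon that forked it; prints one "pid name" per line, child first.
parent_chain() {
    pid=$1
    while [ "$pid" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        name=$(awk '/^Name:/ { print $2; exit }' "/proc/$pid/status")
        ppid=$(awk '/^PPid:/ { print $2; exit }' "/proc/$pid/status")
        echo "$pid $name"
        pid=${ppid:-0}
    done
}

# The netstat listing posted in #8 above, embedded so the helpers can be exercised offline.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2608/hpiod
tcp        0      0 127.0.0.1:60006         0.0.0.0:*               LISTEN      3256/python
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      5416/spamd.pid
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      4874/portmap
tcp        0      0 127.0.0.1:2544          0.0.0.0:*               LISTEN      5148/zmd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4969/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      5212/master
tcp        0      0 159.134.157.54:1308     80.237.136.138:80       ESTABLISHED 8766/parse-metadata
tcp        0      0 :::22                   :::*                    LISTEN      5031/sshd
tcp        0      0 ::1:631                 :::*                    LISTEN      4969/cupsd
tcp        0      0 ::1:25                  :::*                    LISTEN      5212/master
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           4856/mdnsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3211/dhcpcd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           4856/mdnsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           4874/portmap
udp        0      0 0.0.0.0:631             0.0.0.0:*                           4969/cupsd'

triage() {   # triage FILE   ("-" reads standard input); the input is read once, then reused
    if [ "$1" = - ]; then data=$(cat); else data=$(cat "$1"); fi
    echo "== established connections to non-loopback peers (PID/program local -> remote)"
    printf '%s\n' "$data" | remote_connections
    echo "== listeners bound to non-loopback addresses (check these against iptables -nvL)"
    printf '%s\n' "$data" | exposed_listeners
}

if [ $# -gt 0 ]; then triage "$1"; else printf '%s\n' "$SAMPLE" | triage -; fi
```

On the live box, `parent_chain 8766` (the PID from post #8) would show whether parse-metadata really sits under zmd, which is the step win32sux could only guess at from Google. Cross-check the exposed list against the iptables listing in post #5: its input_ext chain accepts a handful of ICMP types, answers TCP 113 with a reset and logs and drops everything else that is new, so sshd on :::22, portmap on 0.0.0.0:111 and mdnsd on 0.0.0.0:5353 are not reachable from the dialup link while SuSEfirewall2 is up. Note also that every non-loopback counter in that listing is zero, so it was captured before any packet had crossed the link since the rules were loaded (or the counters zeroed); run `iptables -nvL` again while the problem is happening to see which rules are actually firing.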
 
Old 03-18-2007, 06:56 AM   #11
drmjh (Original Poster)
Sounds like an answer

I think you are on to something. I'm not sure what zmd stands for but I do have a pesky 'auto online update Mgr' icon in my kicker. Back in Suse 10.0, I engaged this by mistake and can't seem to locate it, to disable it. Since it hasn't been pestering me to 'Update' etc. since 10.1, I thought it was inactive. It would make sense that this is usurping my meagre bandwidth intermittently. Last night, I 'quit' the 'auto-online-updater' and then went to Google to upload photos, something that consumes every inch of bandwidth and which slows to impossible if the BW is compromised. The upload went smoothly and quicker than usual. I'll work on finding out where I can permanently disable this process (cron? some config?) and see how it goes. I did download the root kit and detarred it. I'll put off using it until it looks like I need to.
Many thanks for your help. BTW, I just got April's Linux Mag. and it is featuring "Detecting Intruders". There is a neat "Port Monitoring Script" in awk and a Perl module which takes advantage of the kernel's 'Inotify' interface.
Now, if I only really understood what the output actually means... sigh
 
Old 03-18-2007, 05:32 PM   #12
drmjh (Original Poster)
I located zmd and it is a daemon found in /etc/sysconfig/zmd
Trouble is, I can't seem to read anything in it, i.e., cat or view doesn't return info I can use?
 
Old 03-19-2007, 01:12 AM   #13
win32sux
before you permanently disable zmd, you could do a test by doing a kill on its process number or by doing a:
Code:
killall zmd
while the problem is happening...

that should let you see if killing that process stops the bandwidth usage right away... i'm not sure how to permanently disable zmd (maybe chmod 644 its init file?), but googling for "disable zmd" should provide the necessary clues i think...
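An added example, not from the thread: a sh script that puts numbers on the kill test win32sux suggests above. It reads the rx/tx byte counters of the dialup interface from /proc/net/dev, samples them over a fixed interval, sends SIGTERM to the suspect PID, waits, and samples again, so the before/after comparison rests on kernel counters rather than on eyeballing the Kinternet panel. The interface name ppp0, the sample interval and the script name are assumptions (look at `cat /proc/net/dev` while the link is up for the real name); the two /proc/net/dev snapshots embedded at the bottom are constructed for the offline demonstration, not captured from the OP's machine.

```shell
#!/bin/sh
# Added example (not from the thread): measure link usage before and after killing a
# suspect process. Usage (as root):  sh killtest.sh ppp0 <pid> 10   (iface, pid, seconds)
# Interface name and PID are arguments; ppp0 is only an assumption for a dialup box.
# With no arguments the script runs the offline demonstration at the bottom.

# Print "RXBYTES TXBYTES" for interface $1 from /proc/net/dev-format text on stdin.
# The kernel prints "  ppp0:12345 ..." with no space after the colon once the counter is
# wide, so split on the colon rather than on whitespace; tx bytes is the 9th field after it.
iface_bytes() {
    awk -v ifc="$1" '
        {
            line = $0; sub(/^[ \t]+/, "", line); c = index(line, ":")
            if (c == 0 || substr(line, 1, c - 1) != ifc) next
            n = split(substr(line, c + 1), f, " ")
            if (n >= 9) print f[1], f[9]
            exit
        }'
}

# Bytes per second between two counter readings taken SECONDS apart.
rate_bps() {   # rate_bps BEFORE AFTER SECONDS
    echo $(( ($2 - $1) / $3 ))
}

# Measure rx/tx bytes per second on interface $1 over $2 seconds; prints "RXBPS TXBPS".
sample_rate() {
    before=$(iface_bytes "$1" < /proc/net/dev)
    sleep "$2"
    after=$(iface_bytes "$1" < /proc/net/dev)
    set -- "$2" $before $after        # $1=secs $2=rx0 $3=tx0 $4=rx1 $5=tx1
    echo "$(rate_bps "$2" "$4" "$1") $(rate_bps "$3" "$5" "$1")"
}

# The whole test: identify the process, measure, kill it, measure again.
kill_test() {   # kill_test IFACE PID [SECONDS]
    ifc=$1; pid=$2; secs=${3:-10}
    [ -r "/proc/$pid/status" ] || { echo "no process $pid" >&2; return 1; }
    name=$(awk '/^Name:/ { print $2; exit }' "/proc/$pid/status")
    ppid=$(awk '/^PPid:/ { print $2; exit }' "/proc/$pid/status")
    echo "target: $name (pid $pid, parent pid $ppid)"
    echo "before kill: $(sample_rate "$ifc" "$secs")  (rx tx, bytes/s over ${secs}s)"
    kill "$pid"          # SIGTERM; if the traffic comes back, the parent daemon is the one to stop
    sleep 2
    echo "after kill:  $(sample_rate "$ifc" "$secs")  (rx tx, bytes/s over ${secs}s)"
}

# Constructed /proc/net/dev snapshots (made up for this example, not captured from the OP's
# box) so the parsing and the arithmetic can be checked without a live link.
SNAP_T0='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     890    0    0    0     0          0         0   123456     890    0    0    0     0       0          0
  ppp0:  900000    1200    0    0    0     0          0         0    40000     600    0    0    0     0       0          0'
SNAP_T1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     890    0    0    0     0          0         0   123456     890    0    0    0     0       0          0
  ppp0:  950000    1260    0    0    0     0          0         0    41000     610    0    0    0     0       0          0'

# Offline demonstration: 50 000 rx bytes against 1 000 tx bytes in 10 s is the lopsided,
# receive-heavy profile the OP describes, with nothing being uploaded.
demo() {
    set -- $(printf '%s\n' "$SNAP_T0" | iface_bytes ppp0) $(printf '%s\n' "$SNAP_T1" | iface_bytes ppp0)
    echo "ppp0 over 10 s: rx $(rate_bps "$1" "$3" 10) B/s, tx $(rate_bps "$2" "$4" 10) B/s"
}

if [ $# -ge 2 ]; then kill_test "$@"; else demo; fi
```

Run it as root with the interface and the PID of the suspect (the zmd PID from your own netstat listing, not the one in post #8, since PIDs change every boot). Killing a short-lived helper such as parse-metadata only tests that helper; if the receive rate drops and then climbs again, repeat the test against its parent.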
 
Old 03-23-2007, 05:29 PM   #14
drmjh (Original Poster)
Disabling ZMD

Hi,
A quick trip to the Suse site here provided the answer I needed.
Through YaST -> System Services/Run Level -> disable Novell Zen.
It makes a big difference!
Many thanks for your answer, I would still be thrashing around looking for a worm/intruder etc. without it.
drmjh
 
  

