LinuxQuestions.org > Linux - Security
gconfd-2 and a defunct netstat that I didn't run (https://www.linuxquestions.org/questions/linux-security-4/gconfd-2-and-a-defunt-netstat-that-i-didnt-run-290299/)

rhoyerboat 02-14-2005 08:02 PM

gconfd-2 and a defunct netstat that I didn't run
 
So all our bandwidth disappeared suddenly, and in my explorations I discovered what I posted the topic over: a gconfd-2 that I didn't run, and a defunct netstat that I didn't run, being run on a terminal that was running X. I've got my X11 port blocked to internet traffic.

I'm running Slackware 10 and kernel 2.6.9; I don't run X as root.

I also checked my router's logs and found a connection from my computer to a private address, 198.65.119.21, on a few ports, 987, 443 and 987. An nmap non-SYN scan of this address returned filtered ports, like a Windows firewall would.

I'm new to the more advanced aspects of computing, although aware of rootkits and such. Is there a way I can check the integrity of my 2.6.9 modules? The only program I'm aware of will only run on 2.4.

In the meantime I imagine our computers (4 or 5 of them) are DoS-ing like mad, but I can't tell because my buddy's mom is using one of those Linksys firewall routers with non-verbose everything (grumble)... Anyone have a proposed solution?

Thanks,
Andrew
(rhorhorhoyerboat)

Capt_Caveman 02-15-2005 04:39 PM

Re: gconfd-2 and a defunct netstat that I didn't run
 
> I also checked my router's logs and found a connection from my computer to a private address, 198.65.119.21, on a few ports, 987, 443 and 987. An nmap non-SYN scan of this address returned filtered ports, like a Windows firewall would.

That actually is a public IP and takes you to a real website (liveperson.com) which sells some kind of chat software. Port 443 is an SSL port, so that doesn't seem out of the ordinary for someone browsing a commercial site. Don't know what port 987 is, though.

> I'm new to the more advanced aspects of computing, although aware of rootkits and such. Is there a way I can check the integrity of my 2.6.9 modules? The only program I'm aware of will only run on 2.4.

You can use something like rootkit hunter to verify the integrity of a variety of things on the system, which should be a good start. For something specific to detecting rogue kernel modules on 2.6, try kern_check.c.

> In the meantime I imagine our computers (4 or 5 of them) are DoS-ing like mad, but I can't tell because my buddy's mom is using one of those Linksys firewall routers with non-verbose everything (grumble)

I'd be surprised if all of them are compromised, but you may want to take a CD-ROM based distro like Knoppix or Knoppix-STD (download and burn on a secure system), then boot one of the other machines off of it and sniff for any abnormal traffic. I'd also take a look around the system logs and /etc/passwd to see if you see anything abnormal. Also try lsof -i for weird connections/daemons and check last -i for any weird logins. To be honest though, gconfd and defunct netstats aren't all that abnormal. Definitely worth investigating though.
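Added example (not part of the thread, and not Capt_Caveman's code): a small POSIX shell script that scripts the host checks listed in the reply above. It audits /etc/passwd for extra UID-0 or passwordless accounts, compares the modules listed in /proc/modules against the files under /lib/modules as a rough stand-in for the module-integrity question, and in `--live` mode also runs `lsof -i` and `last -i`. The file-path arguments, the `--live` flag and the sample data in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Constructed triage helpers for a suspected Linux compromise
# (added example, not code from the thread). Each check function
# returns 0 when nothing was flagged and 1 otherwise.

# audit_passwd FILE: flag UID-0 accounts other than root and accounts
# whose password field is empty (passwordless login).
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "extra uid-0 account: " $1; bad = 1 }
        $2 == ""                { print "empty password field: " $1; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# orphan_modules PROC_MODULES MODULE_DIR: list loaded modules (first field
# of the /proc/modules format) that have no .ko file under MODULE_DIR.
# Module names may use '_' where the file name uses '-', so both are tried.
# Caveat: a rootkit module that hides itself from /proc/modules is not
# caught here; that needs kern_check.c or an offline boot, as the reply says.
orphan_modules() {
    rc=0
    for m in $(cut -d' ' -f1 "$1"); do
        alt=$(printf '%s' "$m" | tr '_' '-')
        hit=$(find "$2" \( -name "$m.ko*" -o -name "$alt.ko*" \) -print 2>/dev/null | head -n 1)
        if [ -z "$hit" ]; then
            echo "loaded module without a file on disk: $m"
            rc=1
        fi
    done
    return $rc
}

# live_triage: the checks above against the real host, plus the two
# commands suggested in the reply (assumed paths: /etc/passwd, /proc/modules).
live_triage() {
    audit_passwd /etc/passwd
    orphan_modules /proc/modules "/lib/modules/$(uname -r)"
    lsof -i -n -P      # open network sockets and the processes holding them
    last -i            # recent logins with their source addresses
}

if [ "${1:-}" = "--live" ]; then live_triage; fi
```

Run it as `sh triage.sh --live` as root on the suspect box, or boot the live CD the reply mentions and point the functions at the mounted disk's files instead.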

rhoyerboat 02-15-2005 07:20 PM

I'm probably fine
 
The Windows computers definitely have a worm, and if someone's on my box they're not crashing it, so if the NSA comes to collect it as evidence against some cracker I suppose I'll just have to politely ask them for a new one... hehe. I stay up too long fiddling with this stuff. Thank you for the response, the new commands and the easy-to-read program.
