LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-14-2005, 08:02 PM   #1
rhoyerboat
Member
 
Registered: Feb 2005
Posts: 40

Rep: Reputation: 15
gconfd-2 and a defunt netstat that i didnt run


so all our bandwidth disapeared suddenly, and in my explorations i discovered what i posted the topic over, a gconfd-2 that i didnt run, and a defunct netstat that i didnt run, being run on a terminal that was running X, ive got my X11 port blocked to internet traffic

im running slackware 10 and kernel 2.6.9, i dont run X as root.

i also checked my routers logs and found a connection from my computer to a private address,
198.65.119.21, on a few ports, 987, 443 and 987, an nmap non-syn scan of this address returned filtered ports, like a windows firewall would

im new to the more advanced aspects of computing, although aware of root kits and such, is there a way i can check the integrity of my 2.6.9 modules? the only program im aware of will only run on 2.4

in the meantime i imagine our computers (4 or 5 of them) are dos-ing like mad, but i cant tell because my buddies mom is using one of those linksys firewall routers with non-verbose everything (grumble) .. anyone have a proposed solution?

thanks
andrew
(rhorhorhoyerboat)
 
Old 02-15-2005, 04:39 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: gconfd-2 and a defunt netstat that i didnt run

i also checked my routers logs and found a connection from my computer to a private address,
198.65.119.21, on a few ports, 987, 443 and 987, an nmap non-syn scan of this address returned filtered ports, like a windows firewall would

That actually is a public IP and takes you to a real website (liveperson.com) which sells some kind of chat software. Port 443 is an ssl port so that doesn't seem out of the ordinary for someone browsing a commercial site. Don't know what port 987 is tho.

im new to the more advanced aspects of computing, although aware of root kits and such, is there a way i can check the integrity of my 2.6.9 modules? the only program im aware of will only run on 2.4
You can use something like rootkit hunter to verify integrity of a varietyf things on the system, which should be a good start. For something specific in detecting rogue kernel modules on 2.6, try kern_check.c.

in the meantime i imagine our computers (4 or 5 of them) are dos-ing like mad, but i cant tell because my buddies mom is using one of those linksys firewall routers with non-verbose everything (grumble)
I'd be suprised is all of them all are compromised, but you may want to take a cd-rom based distro like knoppix or knoppix-std (download and burn on a secure system) and then boot one of the other machines of of it and sniff for any abnormal traffic. I'd also take a look around the system logs and /etc/passwd to see if you see anything abnormal. Also try lsof -i for weird connections/daemons and check last -i for any weird logins. To be honest though, gconfd and defunct netstats aren't all that abnormal. Definitely worth invesitgating though.
 
Old 02-15-2005, 07:20 PM   #3
rhoyerboat
Member
 
Registered: Feb 2005
Posts: 40

Original Poster
Rep: Reputation: 15
im probably fine

the windows computers definatly have a worm, and if someones on my box theyre not crashing it, so if the NSA comes to collect it as evidence against some cracker i suppose ill just have to politely ask them for a new one .. hehe. i stay up too long fiddling with this stuff, thank you for the response, the new commands and the easy to read program
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
rc.firewall didnt exist.. slazer Slackware 6 10-31-2005 01:35 AM
authenticate using LDAP to login + gconfd masand Linux - General 2 08-02-2005 04:15 AM
What is gconfd-2 and do I need it? BajaNick Linux - Software 4 02-26-2005 05:56 PM
gconfd error message glenn_meehan Linux - General 0 06-08-2004 03:46 AM
gconfd resolved address problem Sammy2ooo Linux - General 0 03-24-2004 07:09 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:27 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration