Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi, I think my system has been compromised; I would greatly appreciate any help understanding what is happening.
I have a partially wired/wireless network and have noticed a lot of outgoing traffic coming from my wireless laptop (this is the only wireless machine).
I have run iftop -i eth1 -P; this shows a lot of traffic from random high-numbered ports to my ISP's DNS server and a lot of port 80 traffic to gv-in-f18.google.com, then occasionally several port 80 requests to seemingly random websites, for example psg.com. There is also quite a lot of mDNS traffic, but I don't know what that is.
My adsl router has ports 80 and 22 forwarded to my laptop as I use the machine for web development and need to show work to people.
I get quite a lot of random requests on port 80, but I think that is fairly normal for an internet-facing webserver. I have no open source software on the machine (apart from Apache/PHP, that is).
If i need to supply any more information please let me know.
Sorry, by no open source software I meant things like phpBB, which I know is the kind of way that people get into your system; this is a fully patched Ubuntu box.
It sounds to me like you have an entirely normal machine with an open web browser. What on Earth would lead you to believe that any of that indicates a hacked box?
It sounds to me like you have an entirely normal machine with an open web browser. What on Earth would lead you to believe that any of that indicates a hacked box?
Actually, after much digging I think you are correct; it seems that when I close Gmail all of the outgoing traffic stops.
The reasons I thought the box may be hacked were mainly the amount of blinking lights on my ADSL router, which seemed way more than normal, coupled with the fact that I did have a hacked box a couple of years ago: I was running phpBB and someone used that to install an IRC bot on my machine and was using it to send huge amounts of spam email. Ever since then I have had a very healthy dose of paranoia about anything that is connected to the internet.
Thanks for all of your suggestions though; I think I may be at the bottom of this now.
Gmail is an AJAX app. It's not like a normal website where you have to refresh the page for it to connect to the server again. It's constantly polling the server for new information (new messages, contacts going on/off line, etc).
Lots of packets from high ports going to a DNS server = DNS lookups.
Port 80 traffic going to Google = checking for ads, the news ticker in GMail, etc.
Concerning traffic would be doing a lot of DNS lookups for weird domains* and a lot of port 25 traffic to places other than your e-mail provider.
*This means the second-level domain (ex: 3dna328nad3.com), not sub-domains (ex: dk3n13813.google.com). Anything to the left of .google.com should be fine (well, as far as you trust Google anyway).
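As an added illustration of the distinction drawn in the reply above (not code from the thread or from any poster), the script below triages a constructed set of DNS lookups and outbound connections: it counts lookups per second-level domain that is not on a user-supplied list of known domains, and lists port-25 destinations other than the known mail relay. The trusted-domain set, the relay name and the sample records are assumptions made for the example.

```python
"""Triage outbound traffic the way the reply suggests: flag DNS lookups
for unfamiliar second-level domains and port-25 connections to anything
other than the mail provider. All sample data here is constructed."""
from collections import Counter

# Constructed sample of names the laptop resolved: Google sub-domains
# like the poster saw, plus a few unfamiliar ones.
DNS_QUERIES = [
    "gv-in-f18.google.com", "mail.google.com", "dk3n13813.google.com",
    "psg.com", "3dna328nad3.com", "3dna328nad3.com", "www.psg.com",
]

# Constructed sample of outbound TCP connections: (destination host, port).
CONNECTIONS = [
    ("gv-in-f18.google.com", 80), ("psg.com", 80),
    ("smtp.myisp.example", 25),     # the ISP's legitimate mail relay
    ("mx1.somewhere.example", 25),  # direct SMTP elsewhere: worth a look
    ("mx2.somewhere.example", 25),
]

# Hypothetical policy: domains the user recognises, and the ISP mail relay.
TRUSTED_SLDS = {"google.com", "myisp.example"}
MAIL_RELAY = {"smtp.myisp.example"}


def second_level_domain(name):
    """Reduce a hostname to its registrable part with a simple heuristic:
    keep the last two labels. Fine for .com/.org style names; a public
    suffix list would be needed for names such as example.co.uk."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def odd_dns_lookups(queries, trusted):
    """Count lookups per second-level domain not on the trusted list."""
    counts = Counter(second_level_domain(q) for q in queries)
    return {sld: n for sld, n in counts.items() if sld not in trusted}


def smtp_outliers(connections, mail_relay):
    """Return port-25 destinations that are not the known mail relay."""
    return sorted({host for host, port in connections
                   if port == 25 and host not in mail_relay})


if __name__ == "__main__":
    print("unfamiliar domains looked up:", odd_dns_lookups(DNS_QUERIES, TRUSTED_SLDS))
    print("direct SMTP to:", smtp_outliers(CONNECTIONS, MAIL_RELAY))
```

A real run would feed the functions names and connections taken from a DNS log or a connection table instead of the inline lists.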
However, it has been well known for a long time, in security circles, that open source is, a priori, more secure than closed.
While the bad guys have access to your code to seek vulnerabilities, that is not actually how they work - and the good guys also have access. There are many more good guys than bad guys.
More importantly, good guys who have an incentive to fix the problem now (rather than, say, cover it up or shift the blame) have the means to create a fix - something not available in the proprietary world.
For many programs, particularly web-exposed ones, there are actually teams of academics looking for security vulnerabilities ... so they can publish a paper and get more research funding. So we sometimes see flaws appear in FOSS which have no exploits at all.
The exact effect does vary from app to app.
So, while phpBB was quite publicly hacked, and it was poor design, a set of best practices quickly emerged and specific vulnerabilities were addressed, while other proprietary programs remained vulnerable... but quietly, with their owners taking the "shift the blame and don't talk about it" approach.
You see, most people set up their bb's by getting it to do what they wanted and stopping there. After all, it works don't it?
It was, and still is in some places, uncommon to assume that someone would try to do anything which is not there on the interface. In fact, design needs to assume that some user will deliberately try to break the system, and plan the design accordingly.
This usually means reduced functionality out of the box and an education package for each user that asks how to do something you know (but they don't) is insecure. Sadly, this is usually resisted by customers, which is mostly why all software ships with security holes ... but we try.
Last edited by Simon Bridge; 02-15-2009 at 06:29 PM.
So, while phpbb was quite publicly hacked, and it was poor design, a set of best practices quickly emerged and specific vulnerabilities were addressed while other proprietary programs remained vulnerable... but quietly. Their owners taking the "shift the blame and don't talk about it" approach.
phpBB was hacked because of a third-party tool, not phpBB.
They got hit by a 0-day exploit a few hours after it was discovered.
And their server was not super secure so it was not very hard for the bad guy.