Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi there,
I am new to Linux sysadmin. How can I be sure if my system is compromised? In my netstat output, I am seeing many IP addresses as Local Address (each of them looks like myip:5randomdigits) and many different Foreign Address and State values; some are TIME_WAIT and some are ESTABLISHED. What does that mean? Should I upload the output here?
Code:
[zillur@genomics ~]$ last
zillur pts/2 :0 Mon Feb 12 13:16 still logged in
zillur pts/1 :0 Mon Feb 12 13:02 still logged in
zillur pts/1 :0 Mon Feb 12 13:01 - 13:02 (00:00)
zillur pts/1 :0 Mon Feb 12 13:00 - 13:01 (00:00)
zillur pts/0 :0 Mon Feb 12 12:55 still logged in
zillur :0 :0 Mon Feb 12 12:55 still logged in
reboot system boot 3.10.0-693.17.1. Mon Feb 12 12:53 - 13:29 (00:35)
zillur tty1 Mon Feb 12 12:07 - 12:50 (00:43)
zillur tty1 Mon Feb 12 11:33 - 12:07 (00:33)
reboot system boot 3.10.0-693.el7.x Mon Feb 12 11:31 - 12:50 (01:19)
wtmp begins Mon Feb 12 11:31:42 2018
Quote:
How can I be sure if my system is compromised? In my netstat output, I am seeing many IP addresses as Local Address (each of them looks like myip:5randomdigits) and many different Foreign Address and State values; some are TIME_WAIT and some are ESTABLISHED. What does that mean? Should I upload the output here?
The wtmp output you posted shows no one logged in but you. Since you've posted zero netstat output or tell us ANYTHING about your setup, version/distro of Linux, what kind of network you're on, existing firewalls/iptables protection, etc., there's no way we can begin to speculate on if you could be 'compromised'.
Why would you THINK you're compromised?? After being 'new' for two years, you should be familiar with how to check and configure network services, and how to troubleshoot your system. Have you done ANY troubleshooting? Looked at the system logs? Authentication errors/messages? Anything?
Thank you for the quick reply. I am a novice because I didn't learn anything or try anything new when the machine was running well. It was my fault. Yesterday I saw unusual behavior (lost many system files). Today I reinstalled the OS. Here is my netstat output:
Code:
[zillur@genomics ~]$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 genomics.rrp.camp:47838 152.195.14.89:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:48356 a104-113-11-162.de:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:54216 8.43.72.97:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:47540 ec2-52-55-162-249:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:53548 ec2-52-202-228-20:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:46094 208.185.50.46.ipyx:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:51904 server-13-32-80-11:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:37646 93.184.216.38:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:39486 ec2-34-193-176-145:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:50446 207.166.120.17:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:37478 69.172.216.111:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:47210 52.94.234.174:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:44872 217.19.190.35.bc.:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:38600 ec2-34-196-91-221:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:59564 74.121.138.91:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:52378 a172-224-86-53.de:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:58736 m-prd-umpxl-adcom:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:57536 ec2-34-250-143-16:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:46018 151.101.204.166:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:43814 151.101.206.49:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:36906 152.195.14.100:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:55754 ec2-54-173-246-88:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:37542 74.119.119.69:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:50448 207.166.120.17:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:47070 8.43.72.47:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:49910 ec2-34-232-251-80:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:50452 207.166.120.17:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:50450 207.166.120.17:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:49602 72.21.81.253:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:39648 152.195.32.112:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:58118 mia09s19-in-f2.1e1:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:35718 a209-91-216-40.dep:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:49606 72.21.81.253:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:43148 ec2-52-87-149-170:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:46350 72.21.91.29:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:54290 8.43.72.97:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:37652 yyz08s09-in-f98.1:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:49604 72.21.81.253:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:34118 a209-91-216-48.dep:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:47494 207.166.120.11:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:49598 72.21.81.253:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:46100 208.185.50.46.ipyx:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:46092 208.185.50.46.ipyx:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:34116 a209-91-216-48.dep:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:45762 a23-36-69-215.depl:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:39632 mia09s20-in-f2.1e:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:51024 ec2-52-206-49-191:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:57646 a172-224-91-134.de:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:35708 a209-91-216-40.dep:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:45328 a23-36-68-143.depl:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:52728 185.167.164.42:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:59416 199.187.193.130:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:33790 a209-91-216-41.dep:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:34120 a209-91-216-48.dep:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:38200 8.43.72.97:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:56808 server-13-32-80-5:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:54218 8.43.72.97:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:54288 8.43.72.97:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:43238 74.121.138.91:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:33194 a209-91-216-42.dep:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:44378 217.202.186.35.bc:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:40114 server-13-32-80-4:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:43486 ec2-34-193-176-14:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:56342 a23-36-69-163.depl:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:57648 a172-224-91-134.de:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:57804 ec2-52-202-39-97.:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:47180 207.166.120.11:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:60470 ec2-50-16-83-52.c:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:36658 199.187.193.140:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:42968 a23-36-69-148.dep:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:41524 a23-36-68-94.deplo:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:54232 8.43.72.97:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:49600 72.21.81.253:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:59614 60.5.211.130.bc.g:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:34534 ec2-54-165-252-21:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:40142 204.236.186.35.bc:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:43004 a23-36-69-148.dep:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:48704 72.21.81.253:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:48500 107.154.249.36.ip.:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:38728 a172-224-83-111.de:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:46102 208.185.50.46.ipyx:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:54234 8.43.72.97:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:47398 a23-36-69-35.deplo:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:37696 a104-112-244-122.d:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:33546 a209-91-216-42.dep:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:46020 151.101.204.166:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:43204 74.121.138.91:http ESTABLISHED
tcp 0 0 genomics.rrp.camp:37686 74.119.119.84:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:36016 142.0.197.68:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:40058 ec2-34-199-146-7.:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:56288 ec2-54-173-10-224:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:47400 a104-113-11-162.d:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:38726 a172-224-83-111.de:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:53866 ec2-34-227-245-54:https TIME_WAIT
tcp 0 0 genomics.:ssr-servermgr 151.101.204.166:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:35314 47.30.acb8.ip4.st:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:44642 a209-91-216-43.dep:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:36290 pr-bh.pbp.vip.bf1:https ESTABLISHED
tcp 0 0 genomics.rrp.camp:46098 208.185.50.46.ipyx:http TIME_WAIT
tcp 0 0 genomics.rrp.camp:38268 ec2-34-197-26-148:https TIME_WAIT
tcp 0 0 genomics.rrp.camp:50246 ec2-23-21-56-63.c:https TIME_WAIT
tcp6 0 0 genomics.rrp.camp:60810 edge-atlas6-shv-0:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:54342 mia09s20-in-x06.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:36746 mia09s20-in-x02.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:35102 atl26s14-in-x03.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:54284 atl26s14-in-x04.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:52062 mia07s35-in-x02.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:52566 mia09s20-in-x0e.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:57960 mia09s20-in-x08.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:34018 g2600-1403-0009-01:http TIME_WAIT
tcp6 0 0 genomics.rrp.camp:33376 mia09s20-in-x01.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:45416 edge-star-mini6-s:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:45420 edge-star-mini6-s:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:53828 mia09s20-in-x05.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:42610 mia07s35-in-x02.1e:http TIME_WAIT
tcp6 0 0 genomics.rrp.camp:51692 mia07s35-in-x02.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:46578 edge-star6-shv-02:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:42026 xx-fbcdn6-shv-02-:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:52586 mia09s20-in-x0e.1:https TIME_WAIT
tcp6 0 0 genomics.rrp.camp:51728 mia07s35-in-x02.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:34020 g2600-1403-0009-01:http TIME_WAIT
tcp6 0 0 genomics.rrp.camp:43094 edge-z-m-mini6-sh:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:38676 vl-in-x9b.1e100.n:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:44088 edge-star-mini6-s:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:51926 mia07s35-in-x02.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:59846 2607:f8b0:4002:c0:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:50476 mia09s20-in-x0e.1:https ESTABLISHED
tcp6 0 0 genomics.rrp.camp:42612 mia07s35-in-x02.1e:http TIME_WAIT
tcp6 0 0 genomics.rrp.camp:43422 xx-fbcdn6-shv-02-:https ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 13568 /run/systemd/journal/socket
unix 21 [ ] DGRAM 13570 /dev/log
unix 2 [ ] DGRAM 15452 /run/systemd/shutdownd
unix 2 [ ] DGRAM 12754 /var/run/chrony/chronyd.sock
unix 2 [ ] DGRAM 13552 /run/systemd/notify
unix 2 [ ] DGRAM 13554 /run/systemd/cgroups-agent
unix 3 [ ] STREAM CONNECTED 27017 @/tmp/.ICE-unix/13497
unix 3 [ ] STREAM CONNECTED 131595 @/tmp/.ICE-unix/13497
unix 3 [ ] STREAM CONNECTED 82181
[zillur@genomics ~]$ sudo tail /var/log/messages
Feb 12 15:02:43 localhost dbus-daemon: dbus[944]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Feb 12 15:02:44 localhost setroubleshoot: failed to retrieve rpm info for mozplugger
Feb 12 15:02:44 localhost setroubleshoot: failed to retrieve rpm info for spice-xpi
Feb 12 15:02:44 localhost setroubleshoot: failed to retrieve rpm info for mozplugger
Feb 12 15:02:44 localhost setroubleshoot: SELinux is preventing 57656220436F6E74656E74 from create access on the rawip_socket Unknown. For complete SELinux messages run: sealert -l 8256e2db-74ba-49c2-bfe0-dbf4990e8877
Feb 12 15:02:44 localhost python: SELinux is preventing 57656220436F6E74656E74 from create access on the rawip_socket Unknown.#012#012***** Plugin mozplugger (99.1 confidence) suggests ************************#012#012If you want to use the plugin package#012Then you must turn off SELinux controls on the Firefox plugins.#012Do#012# setsebool -P unconfined_mozilla_plugin_transition 0#012#012***** Plugin catchall (1.81 confidence) suggests **************************#012#012If you believe that 57656220436F6E74656E74 should be allowed create access on the Unknown rawip_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '57656220436F6E74656E74' --raw | audit2allow -M my-57656220436F6E74656E74#012# semodule -i my-57656220436F6E74656E74.pp#012
Feb 12 15:03:29 localhost chronyd[970]: Selected source 198.60.22.240
Feb 12 15:03:29 localhost chronyd[970]: System clock wrong by -3594.411932 seconds, adjustment started
Feb 12 15:04:34 localhost chronyd[970]: Source 45.127.113.2 replaced with 45.127.112.2
Feb 12 15:08:54 localhost chronyd[970]: Selected source 45.33.84.208
Quote:
Thank you for the quick reply. I am a novice because I didn't learn anything or try anything new when the machine was running well. It was my fault.
You've posted pretty regularly over the past two years, so continually saying "I'm new" doesn't ring true.
Quote:
Yesterday I saw unusual behavior (lost many system files). Today I reinstalled the OS. Thanks again and sorry for your inconvenience.
As asked before:
Version/distro of Linux?
Network environment? (home? office?)
Existing firewalls/iptables?
And at this point, none of what you posted matters, since you say that you have already blown away your system and reloaded. Any evidence/logs/etc., are now gone. There is no problem to diagnose. There are many basic guides you can follow about system hardening and basic security. It looks as if you're not running anything but smtp (why?), SSH, and CUPS.
Quote:
Yesterday I saw unusual behavior (lost many system files). Today I reinstalled the OS.
. . .
Unfortunately, "knee-jerk reactions" in this business are more than useless: if you "lost many system files," and can say no more about the event than this, and responded by "reinstall OS," then "you are shadow-boxing at shadows."
Code:
[zillur@localhost ~]$ systemctl status NetworkManager.service
● NetworkManager.service - Network Manager
Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2018-02-12 17:55:54 AST; 3h 20min ago
Docs: man:NetworkManager(8)
Main PID: 987 (NetworkManager)
CGroup: /system.slice/NetworkManager.service
├─ 987 /usr/sbin/NetworkManager --no-daemon
└─12112 /sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-enp6s0.pid -lf /var/lib/NetworkManager/dhclient-db2d7690-1e0f...
Feb 12 18:06:03 localhost.localdomain NetworkManager[987]: <info> [1518473163.0360] manager: NetworkManager state is now CONNECTED_SITE
Feb 12 18:06:03 localhost.localdomain NetworkManager[987]: <info> [1518473163.0361] policy: set 'enp6s0' (enp6s0) as default for IPv4 routing and DNS
Feb 12 18:06:03 localhost.localdomain NetworkManager[987]: <info> [1518473163.0478] device (enp6s0): Activation: successful, device activated.
Feb 12 18:06:03 localhost.localdomain NetworkManager[987]: <info> [1518473163.0494] manager: NetworkManager state is now CONNECTED_GLOBAL
Feb 12 18:06:04 localhost.localdomain NetworkManager[987]: <info> [1518473164.3732] policy: set 'enp6s0' (enp6s0) as default for IPv6 routing and DNS
Feb 12 17:08:46 localhost.localdomain NetworkManager[987]: <info> [1518469726.1541] manager: kernel firmware directory '/lib/firmware' changed
Feb 12 17:08:51 localhost.localdomain NetworkManager[987]: <info> [1518469731.1517] manager: kernel firmware directory '/lib/firmware' changed
Feb 12 17:09:18 localhost.localdomain NetworkManager[987]: <info> [1518469758.9946] manager: kernel firmware directory '/lib/firmware' changed
Feb 12 17:09:23 localhost.localdomain NetworkManager[987]: <info> [1518469763.4478] manager: kernel firmware directory '/lib/firmware' changed
Feb 12 17:09:27 localhost.localdomain NetworkManager[987]: <info> [1518469767.4438] manager: kernel firmware directory '/lib/firmware' changed
Code:
[zillur@localhost ~]$ systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2018-02-12 17:55:54 AST; 3h 20min ago
Docs: man:firewalld(1)
Main PID: 957 (firewalld)
CGroup: /system.slice/firewalld.service
└─957 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Feb 12 17:55:53 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 12 17:55:54 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 12 17:55:54 localhost.localdomain firewalld[957]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Feb 12 17:55:54 localhost.localdomain firewalld[957]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Feb 12 17:55:54 localhost.localdomain firewalld[957]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Feb 12 17:55:54 localhost.localdomain firewalld[957]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Feb 12 17:55:54 localhost.localdomain firewalld[957]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Feb 12 17:55:54 localhost.localdomain firewalld[957]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Sorry for your inconveniences.
Best Regards
Zillur
I should not say I'm new after this much time, and I did learn nothing. Here is my current system:
Code:
Linux localhost.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
...and you ***STILL HAVE NOT*** told us what version/distro of Linux. Is this Red Hat Enterprise 7? CentOS 7? What????
Quote:
The machine is in my lab.
...and you **STILL HAVE NOT** told us what firewalls/protection is already in place between this lab and the internet.
Quote:
Sorry for your inconveniences.
Posting a DHCP address, and stating that you have firewalld started, and that your network is up tells us NOTHING. And again, since you've appeared to miss it twice now, you have RELOADED YOUR SYSTEM. ANY evidence of what was done to possibly compromise your system IS GONE. There is ZERO we can tell you.
Again, if you want to know about basic system security, then please look up any of the MANY how-to guides you can find on the basics of Linux network security, and follow them.
Just pay me $10,000 (USD) and I'll send you a pretty "security certificate" which will cause your system to be secure. You don't need to understand or even to do anything: just hang it on the wall nearby and it will chase away all the bad things. On sale today . . .
Can't answer any more Qs because someone re-installed. Now, we'll never know. Nor will you ever "figure out" much, unfortunately.
I'd like to suggest some advice: You are not new, so stop the newbie re-installs as a "fix" or any other "remedy" for anything other than an empty platter.
You're cheating yourself out of the Experience, and Skill.
I tell people I'm Lazy (I write shell scripts and love automation).
I never Lose either. I either Win or I learn.
Your log outputs appear normal enough, showing recent activity to Amazon's AWS Service(s) (the ec2-... "foreign hosts" via netstat),
Amazon and CDN assets in web traffic, among others.
One user.
I don't know if you meant to publish "136.145.xyz.ab". It looks kind of "personal".
You can edit post #6 or Report it using the "Report" button in post #6 and state you wish to sanitize that IP.
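To put the reading above (ephemeral local ports, foreign host:service, ESTABLISHED versus TIME_WAIT) into something reusable, here is an added triage helper that is not from the thread: it parses the netstat layout posted above, counts connections by foreign service and state, and flags the rows that are not plain outbound web traffic. The sample table, hosts and ports in it are constructed.

```python
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample in the same layout as the poster's output (netstat without -n,
# so ports appear as /etc/services names and long hostnames are truncated).
# Hosts and ports are made up; the ssh and 6667 rows exist to exercise the flags.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 genomics.rrp.camp:47838 152.195.14.89:http      ESTABLISHED
tcp        0      0 genomics.rrp.camp:53548 ec2-52-202-228-20:https TIME_WAIT
tcp        0      0 genomics.rrp.camp:ssh   203.0.113.7:51234       ESTABLISHED
tcp        0      0 genomics.rrp.camp:40212 198.51.100.9:6667       ESTABLISHED
tcp6       0      0 genomics.rrp.camp:60810 edge-atlas6-shv-0:https ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  5      [ ]         DGRAM                    13568    /run/systemd/journal/socket
"""

WEB_SERVICES = {"http", "https"}


class Conn(NamedTuple):
    proto: str
    local_port: str      # ephemeral number, or a service name if netstat resolved it
    foreign_host: str
    foreign_port: str
    state: str           # ESTABLISHED, TIME_WAIT, ... (empty for udp rows)


def parse_netstat(text: str) -> List[Conn]:
    """Return the rows of the 'Active Internet connections' table; UNIX sockets are skipped."""
    conns = []
    for line in text.splitlines():
        if line.startswith("Active UNIX domain sockets"):
            break                                  # local sockets follow; not network traffic
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue                               # banner or column-header line
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""
        _, _, lport = local.rpartition(":")        # rpartition copes with IPv6 foreign hosts
        fhost, _, fport = foreign.rpartition(":")
        conns.append(Conn(proto, lport, fhost, fport, state))
    return conns


def summarize(conns: List[Conn]) -> Dict[str, int]:
    """Count rows per 'foreign service/state': this is what the mix of
    ESTABLISHED and TIME_WAIT lines in the question boils down to."""
    return dict(Counter(f"{c.foreign_port}/{c.state}" for c in conns))


def suspicious(conns: List[Conn]) -> List[Conn]:
    """Rows that are not 'ephemeral local port -> http/https': an inbound session to a
    local service (named local port, numeric remote port) or an outbound connection to
    a non-web port. These are leads for `ss -tnp` and log review, not a verdict."""
    flagged = []
    for c in conns:
        inbound = not c.local_port.isdigit() and c.foreign_port.isdigit()
        non_web = c.foreign_port not in WEB_SERVICES
        if inbound or non_web:
            flagged.append(c)
    return flagged
```

Feed it `netstat -tn` output (same layout, numeric ports) to avoid the service-name lookup that turned a local ephemeral port into `ssr-servermgr` in the original post.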