LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   I seem to be running a mailserver on opensuse 10.3 and I didn't set it up (https://www.linuxquestions.org/questions/linux-security-4/i-seem-to-be-running-a-mailserver-on-opensuse-10-3-and-i-didnt-set-it-up-640265/)

ilago 05-06-2008 07:37 AM

I seem to be running a mailserver on opensuse 10.3 and I didn't set it up
 
I think I have a security issue. I'll be quite happy to find out I'm dumb and paranoid and take off my tinfoil hat.

I've been running various distros of linux for the last 3 years with some previous intermittent use back to around Suse 7.2. I'm not any sort of linux guru and I'm not as familiar with linux security as I am with Windows security. I'm running Opensuse 10.3 64 bit, KDE default installation and all fully updated. This is my first 64 bit installation. I've run 32 bit up until now.

For the last two or three days my LCD monitor has been behaving oddly - slight lack of focus and then OK. I assumed it was the monitor and swapped it with my old trusty CRT and ran that for a day. Still the odd behaviour. On the old box both the monitors work fine.

I ran top as a user and there was nothing interesting I could see. I ran it as user though, not as root. The machine has root, me and smallchild as users. Is that setup users or current users? So I ran netstat -an and I got screens full of CONNECTED and LISTENING. Probably 2 or 3 more screenfuls than usual and several paths I didn't recognise. I googled heaps of them and discounted several as legitimate but there are several directories that don't appear to be default. They are all listed in the 12000 port range. Why do I have entries for /private/xxxxxxx but no /private directory? Why am I running ssh when I don't have it set up and I don't need it? I seem to be running a mailserver.

Code:

linux:/ # ls
.kconfig  .qt  boot  etc  image  lost+found  mnt  proc  sbin  sys  usr  windows
.profile  bin  dev  home  lib    media      opt  root  srv  tmp  var


So I checked the firewall status and it was OFF. I re-enabled the firewall. But it was not me that disabled it. It has always been enabled since installation as far as I know. I only need email and web access and no need for anything more exciting than the odd upload to my website. I have crossover for my two Windows "must haves". Everything else is standard opensuse and from the repos except for a couple of games for under 5s.

I'm trying to decide whether it's a reinstall job or if I should try and track it down and learn a bit more. I'd like to wait for the next release if possible.

Where would I start? I have kept the logs I did but I ran them as a user, not as root. I wasn't going to log in as root while I thought something was wrong.

ronlau9 05-06-2008 10:45 AM

To disable the firewall you need root privilege.
In your DSL modem, is there a built-in firewall?
If so, do you protect it with an administrator name and password?
If you do so with different passwords, then somebody meets two firewalls.
Maybe it is worthwhile to run a virus scanner.

all the best

unSpawn 05-06-2008 11:34 AM

Instead of running a virus scanner I'd suggest booting a Live CD and using the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html checklist to look for clues. Just before you reboot into the CD, log in as root and run these commands: '( /bin/ps -axfwww -eo ppid,pid,uid,args 2>&1; /bin/netstat -n 2>&1; /usr/sbin/lsof -w -n 2>&1; /usr/bin/last 2>&1; /usr/bin/who --heading --dead -u --login --lookup --process --time --mesg --users 2>&1 ) | tee /tmp/tee.log' (maybe put that in a script to run). Also try running 'rpm -qVa' after you booted the CD.

ilago 05-06-2008 05:04 PM

Quote:

Instead of running a virus scanner I'd suggest booting a Live CD and using the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html checklist to look for clues. Just before you reboot into the CD, log in as root and run these commands: '( /bin/ps -axfwww -eo ppid,pid,uid,args 2>&1; /bin/netstat -n 2>&1; /usr/sbin/lsof -w -n 2>&1; /usr/bin/last 2>&1; /usr/bin/who --heading --dead -u --login --lookup --process --time --mesg --users 2>&1 ) | tee /tmp/tee.log' (maybe put that in a script to run). Also try running 'rpm -qVa' after you booted the CD.
Thanks for that unSpawn. That's exactly what I was after because I wasn't sure where to start. I'd know in Windows, but this is the first chance I've had to look at a linux situation.

I usually use a Knoppix Live CD for fixing so I'll make sure all my data is backed up and see what I can learn before I nuke this one.

My router has NAT enabled and it doesn't have default log in passwords. There is no evidence that any other computer on my LAN has issues. Whatever this is, is limited to this machine and it looks like a trojan of some type to me. It seems very controlled. Viruses, on Windows anyway, tend to have scattergun effects and I'm not aware of too many Windows type viruses on linux machines. Trojans and rootkits are a bigger concern.

It can't do much if the machine is shutdown or not connected.

unSpawn 05-06-2008 05:50 PM

Not trying to influence perception but, unless you ran (outdated versions of) applications or services unrestricted and exposed to world, the chance of you catching a rootkit or trojan will be smaller than you winning the lottery (sorry).

ilago 05-06-2008 11:03 PM

Quote:

Originally Posted by unSpawn (Post 3145032)
Not trying to influence perception but, unless you ran (outdated versions of) applications or services unrestricted and exposed to world, the chance of you catching a rootkit or trojan will be smaller than you winning the lottery (sorry).

I know that - I just do a lot of Windows malware removal, so I've learnt to expect the worst :)

I do have some sort of a problem though and I'd like to at least know what it is.

ilago 05-07-2008 08:09 AM

This is the netstat -an result I'm concerned about.
Code:

gail@linux:~> netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.102:52313 202.6.74.96:80 ESTABLISHED
tcp 0 0 192.168.1.102:45256 202.6.74.96:80 ESTABLISHED
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
Active UNIX domain sockets (servers and established)

I used bold on the entries I'm concerned about.
Code:

Proto RefCnt Flags      Type      State        I-Node Path
unix  2      [ ACC ]    STREAM    LISTENING    12545  private/relay
unix  2      [ ACC ]    STREAM    LISTENING    12549 public/showq
unix  2      [ ACC ]    STREAM    LISTENING    12553  private/error
unix  2      [ ACC ]    STREAM    LISTENING    14601  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  2      [ ACC ]    STREAM    LISTENING    12557  private/discard
unix  2      [ ACC ]    STREAM    LISTENING    14608  /tmp/orbit-gail/linc-d32-0-3ae18d4766a6e
unix  2      [ ACC ]    STREAM    LISTENING    15094  /tmp/orbit-gail/linc-d9c-0-5f18729070b7d
unix  2      [ ACC ]    STREAM    LISTENING    12561  private/local
unix  2      [ ACC ]    STREAM    LISTENING    12565  private/virtual
unix  2      [ ACC ]    STREAM    LISTENING    12569  private/lmtp
unix  2      [ ACC ]    STREAM    LISTENING    12573  private/anvil
unix  2      [ ACC ]    STREAM    LISTENING    12577  private/scache
unix  2      [ ACC ]    STREAM    LISTENING    12581  private/maildrop
unix  2      [ ACC ]    STREAM    LISTENING    14030  /tmp/gpg-5sWDuc/S.gpg-agent
unix  2      [ ACC ]    STREAM    LISTENING    12585  private/cyrus
unix  2      [ ACC ]    STREAM    LISTENING    12589  private/uucp
unix  2      [ ACC ]    STREAM    LISTENING    12593  private/ifmail
unix  2      [ ACC ]    STREAM    LISTENING    12597  private/bsmtp
unix  2      [ ACC ]    STREAM    LISTENING    12601  private/procmail
unix  2      [ ACC ]    STREAM    LISTENING    12605  private/retry

unix  2      [ ACC ]    STREAM    LISTENING    15126  /tmp/orbit-gail/linc-dbc-0-1feb883edc9c0
unix  2      [ ACC ]    STREAM    LISTENING    16420  /tmp/orbit-gail/linc-e7f-0-7138968d5291
unix  2      [ ACC ]    STREAM    LISTENING    43287  /tmp/orbit-gail/linc-178c-0-52d285ffef1f2
unix  2      [ ACC ]    STREAM    LISTENING    14033  /tmp/ssh-Fmzlg3235/agent.3235
unix  2      [ ACC ]    STREAM    LISTENING    12063  @/var/run/dbus-9StAE4IJ1s
unix  2      [ ACC ]    STREAM    LISTENING    14950  /tmp/keyring-PDy8m1/socket
unix  2      [ ACC ]    STREAM    LISTENING    33199  socket
unix  2      [ ACC ]    STREAM    LISTENING    14042  @/tmp/dbus-1tHAEbrrYy
unix  20    [ ]        DGRAM                    8535  /dev/log
unix  2      [ ACC ]    STREAM    LISTENING    11622  /var/run/xdmctl/dmctl/socket
unix  2      [ ACC ]    STREAM    LISTENING    11645  /var/run/xdmctl/dmctl-:0/socket
unix  2      [ ]        DGRAM                    4492  @/org/kernel/udev/udevd
unix  2      [ ACC ]    STREAM    LISTENING    12506  public/cleanup
unix  2      [ ]        DGRAM                    8586  @/org/freedesktop/hal/udev_event
unix  2      [ ACC ]    STREAM    LISTENING    15019  /home/gail/.beagle/socket
unix  2      [ ACC ]    STREAM    LISTENING    8492  /var/run/.resmgr_socket
unix  2      [ ACC ]    STREAM    LISTENING    8510  /var/run/acpid.socket
unix  2      [ ACC ]    STREAM    LISTENING    8182  /var/run/dbus/system_bus_socket
unix  2      [ ACC ]    STREAM    LISTENING    12529  private/verify
unix  2      [ ACC ]    STREAM    LISTENING    12513  private/rewrite
unix  2      [ ACC ]    STREAM    LISTENING    12517  private/bounce
unix  2      [ ACC ]    STREAM    LISTENING    8568  @/var/run/hald/dbus-SylOXYGAqF
unix  2      [ ACC ]    STREAM    LISTENING    14117  /tmp/ksocket-gail/kdeinit__0
unix  2      [ ACC ]    STREAM    LISTENING    14119  /tmp/ksocket-gail/kdeinit-:0
unix  2      [ ACC ]    STREAM    LISTENING    11730  /var/run/audit_events
unix  2      [ ACC ]    STREAM    LISTENING    12061  /var/run/sdp
unix  2      [ ACC ]    STREAM    LISTENING    14126  /tmp/.ICE-unix/dcop3336-1210019800
unix  2      [ ACC ]    STREAM    LISTENING    11805  /var/run/avahi-daemon/socket
unix  2      [ ACC ]    STREAM    LISTENING    14219  /tmp/.ICE-unix/3347
unix  2      [ ACC ]    STREAM    LISTENING    14147  /tmp/ksocket-gail/klauncherI0t1ya.slave-socket
unix  2      [ ACC ]    STREAM    LISTENING    20609  /tmp/ksocket-gail/kdesud_:0
unix  2      [ ACC ]    STREAM    LISTENING    12533  public/flush
unix  2      [ ACC ]    STREAM    LISTENING    11912  /var/run/nscd/socket
unix  2      [ ACC ]    STREAM    LISTENING    12537  private/proxymap
unix  2      [ ACC ]    STREAM    LISTENING    12315  /var/run/cups/cups.sock
unix  2      [ ACC ]    STREAM    LISTENING    8565  @/var/run/hald/dbus-qOCmW0rVCY
unix  2      [ ACC ]    STREAM    LISTENING    12816  /var/run/smpppd/control
unix  2      [ ACC ]    STREAM    LISTENING    11630  /tmp/.X11-unix/X0
unix  2      [ ACC ]    STREAM    LISTENING    12521  private/defer
unix  2      [ ACC ]    STREAM    LISTENING    12525  private/trace
unix  2      [ ACC ]    STREAM    LISTENING    12541  private/smtp
unix  3      [ ]        STREAM    CONNECTED    62260  @/tmp/dbus-1tHAEbrrYy
unix  3      [ ]        STREAM    CONNECTED    62259
unix  3      [ ]        STREAM    CONNECTED    61795  /tmp/ksocket-gail/klauncherI0t1ya.slave-socket
unix  3      [ ]        STREAM    CONNECTED    61794
unix  3      [ ]        STREAM    CONNECTED    61349  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    61348
unix  3      [ ]        STREAM    CONNECTED    61342  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    61341
unix  3      [ ]        STREAM    CONNECTED    61340  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    61339
unix  3      [ ]        STREAM    CONNECTED    61067  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    61066
unix  2      [ ]        DGRAM                    59767
unix  3      [ ]        STREAM    CONNECTED    43290  /tmp/orbit-gail/linc-178c-0-52d285ffef1f2
unix  3      [ ]        STREAM    CONNECTED    43289
unix  3      [ ]        STREAM    CONNECTED    43286  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  3      [ ]        STREAM    CONNECTED    43285
unix  3      [ ]        STREAM    CONNECTED    43267  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    43266
unix  3      [ ]        STREAM    CONNECTED    33259  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    33258
unix  3      [ ]        STREAM    CONNECTED    33257  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    33256
unix  3      [ ]        STREAM    CONNECTED    33247
unix  3      [ ]        STREAM    CONNECTED    33246
unix  3      [ ]        STREAM    CONNECTED    33242  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    33241
unix  3      [ ]        STREAM    CONNECTED    33237  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    33236
unix  3      [ ]        STREAM    CONNECTED    33235  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    33234
unix  3      [ ]        STREAM    CONNECTED    33225
unix  3      [ ]        STREAM    CONNECTED    33224
unix  3      [ ]        STREAM    CONNECTED    33223  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    33222
unix  3      [ ]        STREAM    CONNECTED    33219  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    33218
unix  3      [ ]        STREAM    CONNECTED    33210  socket
unix  3      [ ]        STREAM    CONNECTED    33206
unix  3      [ ]        STREAM    CONNECTED    32333  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    32332
unix  3      [ ]        STREAM    CONNECTED    32328  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    32327
unix  3      [ ]        STREAM    CONNECTED    32326  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    32325
unix  3      [ ]        STREAM    CONNECTED    20612  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    20611
unix  3      [ ]        STREAM    CONNECTED    16438  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    16437
unix  3      [ ]        STREAM    CONNECTED    16423  /tmp/orbit-gail/linc-e7f-0-7138968d5291
unix  3      [ ]        STREAM    CONNECTED    16422
unix  3      [ ]        STREAM    CONNECTED    16419  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  3      [ ]        STREAM    CONNECTED    16418
unix  3      [ ]        STREAM    CONNECTED    16417  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    16416
unix  3      [ ]        STREAM    CONNECTED    16410  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    16409
unix  3      [ ]        STREAM    CONNECTED    15333  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    15332
unix  3      [ ]        STREAM    CONNECTED    15329  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    15328
unix  2      [ ]        STREAM    CONNECTED    15326
unix  3      [ ]        STREAM    CONNECTED    15324  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    15323
unix  3      [ ]        STREAM    CONNECTED    15319  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    15318
unix  3      [ ]        STREAM    CONNECTED    15315  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    15314
unix  3      [ ]        STREAM    CONNECTED    15311  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    15310
unix  3      [ ]        STREAM    CONNECTED    15139  /tmp/orbit-gail/linc-d32-0-3ae18d4766a6e
unix  3      [ ]        STREAM    CONNECTED    15138
unix  3      [ ]        STREAM    CONNECTED    15137  /tmp/orbit-gail/linc-dbc-0-1feb883edc9c0
unix  3      [ ]        STREAM    CONNECTED    15136
unix  3      [ ]        STREAM    CONNECTED    15135  /tmp/orbit-gail/linc-dbc-0-1feb883edc9c0
unix  3      [ ]        STREAM    CONNECTED    15134
unix  3      [ ]        STREAM    CONNECTED    15133  /tmp/orbit-gail/linc-d9c-0-5f18729070b7d
unix  3      [ ]        STREAM    CONNECTED    15132
unix  3      [ ]        STREAM    CONNECTED    15129  /tmp/orbit-gail/linc-dbc-0-1feb883edc9c0
unix  3      [ ]        STREAM    CONNECTED    15128
unix  3      [ ]        STREAM    CONNECTED    15125  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  3      [ ]        STREAM    CONNECTED    15124
unix  3      [ ]        STREAM    CONNECTED    15103  /tmp/orbit-gail/linc-d32-0-3ae18d4766a6e
unix  3      [ ]        STREAM    CONNECTED    15102
unix  3      [ ]        STREAM    CONNECTED    15101  /tmp/orbit-gail/linc-d9c-0-5f18729070b7d
unix  3      [ ]        STREAM    CONNECTED    15100
unix  3      [ ]        STREAM    CONNECTED    15078  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    15077
unix  3      [ ]        STREAM    CONNECTED    15010  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    15009
unix  3      [ ]        STREAM    CONNECTED    14974  @/tmp/dbus-1tHAEbrrYy
unix  3      [ ]        STREAM    CONNECTED    14973
unix  3      [ ]        STREAM    CONNECTED    14969  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    14968
unix  3      [ ]        STREAM    CONNECTED    14762  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14761
unix  3      [ ]        STREAM    CONNECTED    14758  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14757
unix  3      [ ]        STREAM    CONNECTED    14756  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14755
unix  3      [ ]        STREAM    CONNECTED    14753  /tmp/orbit-gail/linc-d32-0-3ae18d4766a6e
unix  3      [ ]        STREAM    CONNECTED    14752
unix  3      [ ]        STREAM    CONNECTED    14722  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14721
unix  3      [ ]        STREAM    CONNECTED    14702  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14701
unix  3      [ ]        STREAM    CONNECTED    14693  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14692
unix  3      [ ]        STREAM    CONNECTED    14690  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14689
unix  3      [ ]        STREAM    CONNECTED    14687  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    14686
unix  3      [ ]        STREAM    CONNECTED    14682  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14681
unix  3      [ ]        STREAM    CONNECTED    14673  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14672
unix  3      [ ]        STREAM    CONNECTED    14667  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14666
unix  3      [ ]        STREAM    CONNECTED    14658  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14657
unix  3      [ ]        STREAM    CONNECTED    14659  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14655
unix  3      [ ]        STREAM    CONNECTED    14645  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14644
unix  3      [ ]        STREAM    CONNECTED    14642  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14641
unix  3      [ ]        STREAM    CONNECTED    14632  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14631
unix  3      [ ]        STREAM    CONNECTED    14751  /tmp/orbit-gail/linc-d39-0-411ccd2759ed1
unix  3      [ ]        STREAM    CONNECTED    14607
unix  2      [ ]        DGRAM                    14597
unix  3      [ ]        STREAM    CONNECTED    14560  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14559
unix  3      [ ]        STREAM    CONNECTED    14545  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14544
unix  3      [ ]        STREAM    CONNECTED    14541  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14540
unix  3      [ ]        STREAM    CONNECTED    14530  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14529
unix  3      [ ]        STREAM    CONNECTED    14525  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14524
unix  3      [ ]        STREAM    CONNECTED    14508  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14507
unix  3      [ ]        STREAM    CONNECTED    14504  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14503
unix  3      [ ]        STREAM    CONNECTED    14502  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14501
unix  3      [ ]        STREAM    CONNECTED    14458  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14457
unix  3      [ ]        STREAM    CONNECTED    14392  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14391
unix  3      [ ]        STREAM    CONNECTED    14323  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14322
unix  3      [ ]        STREAM    CONNECTED    14319  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14318
unix  3      [ ]        STREAM    CONNECTED    14315  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14314
unix  3      [ ]        STREAM    CONNECTED    14280  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14279
unix  3      [ ]        STREAM    CONNECTED    14278  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14277
unix  3      [ ]        STREAM    CONNECTED    14272  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14271
unix  3      [ ]        STREAM    CONNECTED    14258  /tmp/.ICE-unix/3347
unix  3      [ ]        STREAM    CONNECTED    14257
unix  3      [ ]        STREAM    CONNECTED    14256  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14255
unix  3      [ ]        STREAM    CONNECTED    14250  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14249
unix  3      [ ]        STREAM    CONNECTED    14218  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14217
unix  3      [ ]        STREAM    CONNECTED    14212  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14211
unix  3      [ ]        STREAM    CONNECTED    14203  /tmp/ksocket-gail/kdeinit__0
unix  3      [ ]        STREAM    CONNECTED    14202
unix  3      [ ]        STREAM    CONNECTED    14195  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    14194
unix  3      [ ]        STREAM    CONNECTED    14162  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14161
unix  3      [ ]        STREAM    CONNECTED    14160  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14159
unix  3      [ ]        STREAM    CONNECTED    14150  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14149
unix  3      [ ]        STREAM    CONNECTED    14142  /tmp/.ICE-unix/dcop3336-1210019800
unix  3      [ ]        STREAM    CONNECTED    14141
unix  3      [ ]        STREAM    CONNECTED    14137
unix  3      [ ]        STREAM    CONNECTED    14136
unix  3      [ ]        STREAM    CONNECTED    14046  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    14045
unix  3      [ ]        STREAM    CONNECTED    14044
unix  3      [ ]        STREAM    CONNECTED    14043
unix  3      [ ]        STREAM    CONNECTED    13871  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    13870
unix  2      [ ]        DGRAM                    12815
unix  3      [ ]        STREAM    CONNECTED    12802  /var/run/acpid.socket
unix  3      [ ]        STREAM    CONNECTED    12801
unix  3      [ ]        STREAM    CONNECTED    12795  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    12794
unix  2      [ ]        DGRAM                    12640
unix  2      [ ]        DGRAM                    12619
unix  3      [ ]        STREAM    CONNECTED    12608
unix  3      [ ]        STREAM    CONNECTED    12607
unix  3      [ ]        STREAM    CONNECTED    12604
unix  3      [ ]        STREAM    CONNECTED    12603
unix  3      [ ]        STREAM    CONNECTED    12600
unix  3      [ ]        STREAM    CONNECTED    12599
unix  3      [ ]        STREAM    CONNECTED    12596
unix  3      [ ]        STREAM    CONNECTED    12595
unix  3      [ ]        STREAM    CONNECTED    12592
unix  3      [ ]        STREAM    CONNECTED    12591
unix  3      [ ]        STREAM    CONNECTED    12588
unix  3      [ ]        STREAM    CONNECTED    12587
unix  3      [ ]        STREAM    CONNECTED    12584
unix  3      [ ]        STREAM    CONNECTED    12583
unix  3      [ ]        STREAM    CONNECTED    12580
unix  3      [ ]        STREAM    CONNECTED    12579
unix  3      [ ]        STREAM    CONNECTED    12576
unix  3      [ ]        STREAM    CONNECTED    12575
unix  3      [ ]        STREAM    CONNECTED    12572
unix  3      [ ]        STREAM    CONNECTED    12571
unix  3      [ ]        STREAM    CONNECTED    12568
unix  3      [ ]        STREAM    CONNECTED    12567
unix  3      [ ]        STREAM    CONNECTED    12564
unix  3      [ ]        STREAM    CONNECTED    12563
unix  3      [ ]        STREAM    CONNECTED    12560
unix  3      [ ]        STREAM    CONNECTED    12559
unix  3      [ ]        STREAM    CONNECTED    12556
unix  3      [ ]        STREAM    CONNECTED    12555
unix  3      [ ]        STREAM    CONNECTED    12552
unix  3      [ ]        STREAM    CONNECTED    12551
unix  3      [ ]        STREAM    CONNECTED    12548
unix  3      [ ]        STREAM    CONNECTED    12547
unix  3      [ ]        STREAM    CONNECTED    12544
unix  3      [ ]        STREAM    CONNECTED    12543
unix  3      [ ]        STREAM    CONNECTED    12540
unix  3      [ ]        STREAM    CONNECTED    12539
unix  3      [ ]        STREAM    CONNECTED    12536
unix  3      [ ]        STREAM    CONNECTED    12535
unix  3      [ ]        STREAM    CONNECTED    12532
unix  3      [ ]        STREAM    CONNECTED    12531
unix  3      [ ]        STREAM    CONNECTED    12528
unix  3      [ ]        STREAM    CONNECTED    12527
unix  3      [ ]        STREAM    CONNECTED    12524
unix  3      [ ]        STREAM    CONNECTED    12523
unix  3      [ ]        STREAM    CONNECTED    12520
unix  3      [ ]        STREAM    CONNECTED    12519
unix  3      [ ]        STREAM    CONNECTED    12516
unix  3      [ ]        STREAM    CONNECTED    12515
unix  3      [ ]        STREAM    CONNECTED    12512
unix  3      [ ]        STREAM    CONNECTED    12511
unix  3      [ ]        STREAM    CONNECTED    12509
unix  3      [ ]        STREAM    CONNECTED    12508
unix  3      [ ]        STREAM    CONNECTED    12505
unix  3      [ ]        STREAM    CONNECTED    12504
unix  3      [ ]        STREAM    CONNECTED    12502
unix  3      [ ]        STREAM    CONNECTED    12501
unix  2      [ ]        DGRAM                    12403
unix  2      [ ]        DGRAM                    12161
unix  3      [ ]        STREAM    CONNECTED    12090  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    12089
unix  2      [ ]        DGRAM                    12088
unix  2      [ ]        DGRAM                    12075
unix  3      [ ]        STREAM    CONNECTED    12052  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    12051
unix  2      [ ]        DGRAM                    12022
unix  2      [ ]        DGRAM                    11900
unix  3      [ ]        STREAM    CONNECTED    11899  /var/run/avahi-daemon/socket
unix  3      [ ]        STREAM    CONNECTED    11882
unix  3      [ ]        STREAM    CONNECTED    11877  /var/run/acpid.socket
unix  3      [ ]        STREAM    CONNECTED    11876
unix  3      [ ]        STREAM    CONNECTED    11860  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    11807
unix  2      [ ]        DGRAM                    11769
unix  2      [ ]        DGRAM                    11729
unix  2      [ ]        DGRAM                    11728
unix  2      [ ]        DGRAM                    11715
unix  3      [ ]        STREAM    CONNECTED    11714
unix  3      [ ]        STREAM    CONNECTED    11713
unix  3      [ ]        STREAM    CONNECTED    11655  /var/run/acpid.socket

Next bit in next post

ilago 05-07-2008 08:17 AM

Rest of log
Code:

unix  3      [ ]        STREAM    CONNECTED    11654
unix  5      [ ]        STREAM    CONNECTED    12129  /tmp/.X11-unix/X0
unix  3      [ ]        STREAM    CONNECTED    11651
unix  3      [ ]        STREAM    CONNECTED    11547  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    11546
unix  2      [ ]        DGRAM                    11542
unix  3      [ ]        STREAM    CONNECTED    11529  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    11528
unix  3      [ ]        STREAM    CONNECTED    11508  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    11507
unix  2      [ ]        DGRAM                    11506
unix  3      [ ]        STREAM    CONNECTED    11476  @/var/run/hald/dbus-qOCmW0rVCY
unix  3      [ ]        STREAM    CONNECTED    11475
unix  3      [ ]        STREAM    CONNECTED    11474  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    11473
unix  3      [ ]        STREAM    CONNECTED    11289  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    11288
unix  3      [ ]        STREAM    CONNECTED    11287  /var/run/acpid.socket
unix  3      [ ]        STREAM    CONNECTED    11286
unix  3      [ ]        STREAM    CONNECTED    11283  @/var/run/hald/dbus-qOCmW0rVCY
unix  3      [ ]        STREAM    CONNECTED    11279
unix  3      [ ]        STREAM    CONNECTED    11274  @/var/run/hald/dbus-qOCmW0rVCY
unix  3      [ ]        STREAM    CONNECTED    11272
unix  3      [ ]        STREAM    CONNECTED    10826  @/var/run/hald/dbus-qOCmW0rVCY
unix  3      [ ]        STREAM    CONNECTED    10825
unix  3      [ ]        STREAM    CONNECTED    8571  @/var/run/hald/dbus-SylOXYGAqF
unix  3      [ ]        STREAM    CONNECTED    8570
unix  3      [ ]        STREAM    CONNECTED    8567  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    8566
unix  2      [ ]        DGRAM                    8561
unix  3      [ ]        STREAM    CONNECTED    8540  /var/run/dbus/system_bus_socket
unix  3      [ ]        STREAM    CONNECTED    8539
unix  3      [ ]        STREAM    CONNECTED    8185
unix  3      [ ]        STREAM    CONNECTED    8184

Within the limits of my knowledge and experience, the only thing I found of concern is that I have nx installed in my user profile. It was installed from the repos, but there are clear indications that it belongs to gopc.net with their legitimate IP included. The logs show it has never been used. I have no idea how it got there. It's dated 1st May.

I did run some of the commands suggested. Should I post those so someone can have a look?

unSpawn 05-08-2008 06:35 AM

Quote:

Originally Posted by ilago (Post 3145633)
This is the netstat -an result I'm concerned about.

You have SSH, mail, RPC, mDNS, BOOTP and IPP listening. If the machine was not firewalled to deny access from the 'net to those services that could be a Bad Thing if they allowed access to the system one way or another. That doesn't automagically mean your machine got subverted (and there are no outbound network connections that look suspicious) but proceeding with further checks would be a Good Thing, even if only to get acquainted with a procedure.


Quote:

Originally Posted by ilago (Post 3145633)
I used bold on the entries I'm concerned about.
Proto RefCnt Flags      Type      State        I-Node Path
unix  2      [ ACC ]    STREAM    LISTENING    12545  private/relay
unix  2      [ ACC ]    STREAM    LISTENING    12549  public/showq
unix  2      [ ACC ]    STREAM    LISTENING    12553  private/error
unix  2      [ ACC ]    STREAM    LISTENING    12557  private/discard
unix  2      [ ACC ]    STREAM    LISTENING    12561  private/local
unix  2      [ ACC ]    STREAM    LISTENING    12565  private/virtual
unix  2      [ ACC ]    STREAM    LISTENING    12569  private/lmtp
unix  2      [ ACC ]    STREAM    LISTENING    12573  private/anvil
unix  2      [ ACC ]    STREAM    LISTENING    12577  private/scache
unix  2      [ ACC ]    STREAM    LISTENING    12581  private/maildrop
unix  2      [ ACC ]    STREAM    LISTENING    12585  private/cyrus
unix  2      [ ACC ]    STREAM    LISTENING    12589  private/uucp
unix  2      [ ACC ]    STREAM    LISTENING    12593  private/ifmail
unix  2      [ ACC ]    STREAM    LISTENING    12597  private/bsmtp
unix  2      [ ACC ]    STREAM    LISTENING    12601  private/procmail
unix  2      [ ACC ]    STREAM    LISTENING    12605  private/retry

unix  2      [ ACC ]    STREAM    LISTENING    12506  public/cleanup
unix  2      [ ACC ]    STREAM    LISTENING    12529  private/verify
unix  2      [ ACC ]    STREAM    LISTENING    12513  private/rewrite
unix  2      [ ACC ]    STREAM    LISTENING    12517  private/bounce
unix  2      [ ACC ]    STREAM    LISTENING    12533  public/flush
unix  2      [ ACC ]    STREAM    LISTENING    12537  private/proxymap
unix  2      [ ACC ]    STREAM    LISTENING    12521  private/defer
unix  2      [ ACC ]    STREAM    LISTENING    12525  private/trace
unix  2      [ ACC ]    STREAM    LISTENING    12541  private/smtp

These are "UNIX" domain sockets (AF_UNIX), not to be mistaken for network connections (AF_INET). They are basically named pipes through which processes "talk" to each other. If you 'lsof -w -n | egrep "private/(relay|error|anvil)"', you can see the process name, process ID, username, socket type and location of the process. Knowing the process ID or PID means that for PID $PID, the executable is located at /proc/$PID. So 'readlink -f /proc/$PID/exe' shows you which binary is responsible. Why not simply look at the process name? Well, the name (argv[0]) can be changed easily. If you only see "httpd" you might think it's Apache, but finding it's "/tmp/.../apache" would be more than suspicious. In your case you'll find your sockets are part of that certain MTA that needs a gazillion binaries and processes to do what others do with just one or two.



Quote:

Originally Posted by ilago (Post 3145643)
I did run some of the commands suggested. Should I post those so someone can have a look.

Please do, but please use BB code tags. If it's too many lines you could make a compressed tarball out of it, upload to some free file hosting provider and post the URI here.
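The listening-socket triage unSpawn does by eye in the reply above, written out as an added shell script (editor's example, not code from the thread): it parses the AF_INET part of a netstat -an dump, with ilago's own lines embedded as the constructed sample, and labels each listener as loopback-only or exposed to the network. The port-to-name table covers only the ports seen in this thread.

```shell
#!/bin/sh
# Added example: classify the LISTEN (tcp) and bound (udp) sockets of a
# `netstat -an` dump by bind address, the way unSpawn reads them above.
# The sample below is constructed from the inet part of ilago's output.

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.102:52313 202.6.74.96:80 ESTABLISHED
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
Active UNIX domain sockets (servers and established)'

# port_name PORT -> service name; only the ports that appear in the thread.
port_name() {
  case "$1" in
    22) echo ssh ;;    25) echo smtp ;;  68) echo bootpc ;;
    111) echo sunrpc ;; 631) echo ipp ;; 5353) echo mdns ;;
    *) echo unknown ;;
  esac
}

# triage_listeners < netstat-output
# One line per listening socket: SCOPE PROTO PORT NAME, where SCOPE is
#   loopback  - bound to 127.0.0.1 or ::1, reachable only from this host
#   exposed   - bound to 0.0.0.0 or ::, reachable from any interface unless
#               a firewall blocks it (the case unSpawn warns about)
#   interface - bound to one specific address
triage_listeners() {
  awk '
    /^Active UNIX/ { exit }                     # stop at the AF_UNIX section
    $1 == "tcp" && $6 == "LISTEN" { print $1, $4 }
    $1 == "udp"                   { print $1, $4 }
  ' | while read -r proto local; do
    port=${local##*:}     # text after the last colon
    addr=${local%:*}      # everything before it; IPv6 keeps its own colons
    case "$addr" in
      127.0.0.1|::1)   scope=loopback ;;
      0.0.0.0|::|"")   scope=exposed ;;
      *)               scope=interface ;;
    esac
    echo "$scope $proto $port $(port_name "$port")"
  done
}

# count_exposed < netstat-output : how many listeners face the network
count_exposed() {
  triage_listeners | grep -c '^exposed '
}

# Run on a live machine with:  netstat -an | triage_listeners
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$NETSTAT_SAMPLE" | triage_listeners
fi
```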
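The /proc check from the same reply as an added shell example (editor's code, not from the thread): classify_exe applies the warning signs unSpawn lists (a binary under /tmp, a process whose name does not match its executable, an unlinked binary) to a resolved exe path and comm name, inspect_pid runs it against a live PID, and sockets_for assumes lsof is installed.

```shell
#!/bin/sh
# Added example: resolve /proc/$PID/exe for a process and compare it with the
# kernel's comm, since argv[0] can be changed by the process itself.

# classify_exe EXE_PATH COMM -> verdict. Pure function on two strings, so it
# can be tested on constructed values without a live process. Verdicts:
#   unreadable      exe could not be read (not root, or the PID is gone)
#   deleted         binary was unlinked after start; kernel appends "(deleted)"
#   suspicious-path binary lives under /tmp, /var/tmp or /dev/shm
#   name-mismatch   exe basename differs from comm; /bin/sh -> dash style
#                   symlinks trigger this too, so verify before worrying
#   ok              none of the above
classify_exe() {
  exe=$1; comm=$2
  [ -n "$exe" ] || { echo unreadable; return; }
  case "$exe" in
    *" (deleted)")                 echo deleted; return ;;
    /tmp/*|/var/tmp/*|/dev/shm/*)  echo suspicious-path; return ;;
  esac
  name=${exe##*/}
  # comm is truncated by the kernel to 15 characters; compare the same prefix
  [ "$(printf '%.15s' "$name")" = "$comm" ] || { echo name-mismatch; return; }
  echo ok
}

# inspect_pid PID : prints "PID EXE COMM VERDICT"; exit status 0 only for ok
inspect_pid() {
  pid=$1
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=""
  comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm=""
  verdict=$(classify_exe "$exe" "$comm")
  echo "$pid ${exe:-?} ${comm:-?} $verdict"
  [ "$verdict" = ok ]
}

# sockets_for PID : UNIX domain sockets held by PID, as on unSpawn's lsof line
# (assumes lsof is installed; TYPE is lsof's 5th column, NAME the last)
sockets_for() {
  lsof -w -n -p "$1" 2>/dev/null | awk '$5 == "unix" { print $NF }'
}

# scan_all : walk /proc as root and report every process that is not "ok"
scan_all() {
  for d in /proc/[0-9]*; do
    inspect_pid "${d#/proc/}" | grep -v ' ok$'
  done
  return 0
}
```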

