I think I have been hacked - I have not, my mistake. - Thanks for the help
I do not know why my linux box (knoppix 3.9) is very slow.
I have just discovered that port 22 was open. Is there any way I can check to see if anything has happened?
You may want to run a program such as "top" from the terminal. Top will tell you (or us, if you post the output), what is using the system resources, and may be a good indication as to what is causing the system to act slowly.
Port 22 being open is not a bad thing in itself, as SSH is a fairly secure protocol, assuming that you changed the root password (or have remote root login disabled), and don't have any user accounts with trivial passwords.
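The two conditions named above (remote root login over SSH disabled, no accounts with trivial passwords) can both be checked from a terminal. The script below is an added example, not code from the thread or from any LQ poster: it reads an sshd_config and reports the effective PermitRootLogin setting (sshd honours the first occurrence of a keyword, and settings inside a Match block apply only to matching connections, so those are skipped), lists accounts whose shadow entry has an empty password field, and prints the listening TCP sockets. Two constructed sample files are built inline so the parsers can be exercised without root; on a real box point the functions at /etc/ssh/sshd_config and /etc/shadow instead (the latter needs root). The "unset" case is reported as "default" because the default for PermitRootLogin differs between OpenSSH releases (older releases allow root login when it is unset, newer ones default to prohibit-password).

```shell
#!/bin/sh
# Added example (not from the thread). Checks the sshd setting that controls
# remote root login and looks for accounts with an empty password field.

# Print the effective PermitRootLogin value from an sshd_config (first match wins,
# keywords are case-insensitive, comments stripped, Match blocks ignored).
# Prints "unset" when the keyword does not appear outside a Match block.
permit_root_login() {
    cfg="${1:-/etc/ssh/sshd_config}"
    sed -e 's/#.*//' "$cfg" | tr 'A-Z' 'a-z' | awk '
        $1 == "match" { in_match = 1 }
        !in_match && $1 == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Classify the value for a human reader.
root_login_status() {
    case "$(permit_root_login "$1")" in
        no)                                                  echo "disabled" ;;
        without-password|prohibit-password|forced-commands-only) echo "key-only" ;;
        yes)                                                 echo "enabled" ;;
        unset)                                               echo "default" ;;
        *)                                                   echo "unknown" ;;
    esac
}

# Print account names whose second field in a shadow-format file is empty,
# i.e. accounts that can log in with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# List listening TCP sockets with the owning process where the tool allows it.
listening_tcp() {
    if command -v ss >/dev/null 2>&1; then
        ss -tlnp
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tlnp
    else
        echo "neither ss nor netstat available" >&2
        return 1
    fi
}

# --- constructed sample inputs so the checks run offline -------------------
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config; the commented line must be ignored
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
EOF

BARE_CFG="$(mktemp)"
printf 'Port 22\n' > "$BARE_CFG"       # no PermitRootLogin at all

SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$constructedhash:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
guest::12345:0:99999:7:::
knoppix:!:12345:0:99999:7:::
EOF

echo "sample sshd_config: root login $(root_login_status "$SAMPLE_CFG")"
echo "bare sshd_config:   root login $(root_login_status "$BARE_CFG")"
echo "accounts with empty password: $(empty_password_accounts "$SAMPLE_SHADOW")"
listening_tcp || true
```

Run it as-is to see the sample results, then run `root_login_status /etc/ssh/sshd_config` and (as root) `empty_password_accounts /etc/shadow` against the live files; anything other than "disabled" or "key-only" for the first, or any name at all from the second, is worth fixing before worrying about whether port 22 is open.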
There's nothing in top output that will indicate to you, me or anyone sane your box has been cracked. Please post the required information. If not I intend to rename the thread and move it to a more appropriate forum like Linux - General.
The reasons why I was worried were:
1) I thought my firewall was working correctly for the last year but when I went to http://www.grc.com/default.htm I found that it was not (assuming that this is a good test).
2) Services which I thought were not running were, which alarmed me slightly.
3) I did not reply as quickly as I had because I have been moving.
4) It seems to be that it has been getting slower over the last year. Of course I have not got any validation for that, i.e. I have not run anything to check.
Thanks everyone for the help and apologies for wasting people's time.
My apologies to everyone for overreacting.
No. Anybody who has *any* doubts about the integrity of their box *should* address that. You did, and your OP contains questions worth answering. So your apologies are absolutely unnecessary even though I appreciate the gesture.
1) (..) I found that it was not (assuming that this is a good test).
Without posting relevant info this means zilch but the "regular" cause for GRC questions to pop up is the bit about achieving "Stealth". That is IMNSHO a misinterpretation of what enhances security. Stealth does NOT enhance security. In fact blocking all ICMP is a good way to hamper traffic flow since the other protocols in the IP suite depend on it.
2) Services which I thought were not running were, which alarmed me slightly.
Basically we're looking at three types of invertebrata: crackers, spackers, defacers and skiddies (OK, so I made the spacker bit up: a contraction of spammer and cracker). Simply said it is in the cracker's MO to become root and hide processes and files: as long as detection can be thwarted there is a workable environment. Defacers are the opposite, taking the easiest and fastest way possible to "advertise" their "victory": most noisy. Spackers (those crews getting paid to subvert boxen for spamming purposes) go the easy route as well (time is money) and won't need root to achieve their goals. Script kiddies are noisy for just trying whatever 0-day they can get their hands on.
So if you take that simplified MO you could say that a) either something has gone wrong while hiding (five percent probability), b) you or another legitimate user inadvertently started the service (ninety-five percent probability). I haven't seen any hostiles try to use SSH for transferring files :-p
3) I did not reply as quickly as I had because I have been moving.
Keeping a compromised box accessible is a hazard for local and remote users as well as for the rest of the community, and it's a bad ad for GNU/Linux in general. Determining if a box is (perceived) compromised is a priority because the faster the situation can be dealt with decisively the better.
4) It seems to be that it has been getting slower over the last year. Of course I have not got any validation for that, i.e. I have not run anything to check.
To determine if things are getting slower (performance vs perception) over such a period is hard without continuously running any SAR or SAR-like tools like Atsar, Atop or Dstat. In any case that is a whole different game compared to determining if a box was compromised and to what extent. In this thread we've shown enough info for you to use to check for a compromise.
PS I would close the thread but I can not see where to.
Only the site owner and moderators can do that.
I will close this thread so you can open a new one for determining performance drop.