LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-14-2006, 11:58 AM   #1
davholla
Member
 
Registered: Jun 2003
Location: London
Distribution: Linux Mint 13 Maya
Posts: 729

Rep: Reputation: 32
I think I have been hacked - I have not, my mistake. - Thanks for the help


I do not know why my linux box (knoppix 3.9) is very slow.
I have just discovered that port 22 was open. Is there any way I can check to see if anything has happened?

Last edited by davholla; 10-17-2006 at 03:08 AM.
 
Old 10-14-2006, 12:26 PM   #2
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475
https://www.linuxquestions.org/quest...d.php?t=467808
https://www.linuxquestions.org/quest...ad.php?t=45261

Read those and use the links. What, apart from the speed, makes you think you've been hacked?

And get that pc off the network/internet asap.
 
Old 10-14-2006, 01:01 PM   #3
davholla
Member
 
Registered: Jun 2003
Location: London
Distribution: Linux Mint 13 Maya
Posts: 729

Original Poster
Rep: Reputation: 32
Only the speed and the fact that port 22 was open.
 
Old 10-14-2006, 01:08 PM   #4
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
Port 22 is SSH, which is open by default on most Linux distro setups, unless you closed it later.
 
Old 10-14-2006, 01:14 PM   #5
chadl
Member
 
Registered: Sep 2005
Location: US
Distribution: Gentoo AMD64 Testing
Posts: 129

Rep: Reputation: 16
You may want to run a program such as "top" from the terminal. Top will tell you (or us, if you post the output), what is using the system resources, and may be a good indication as to what is causing the system to act slowly.

Port 22 being open is not a bad thing in itself, as SSH is a fairly secure protocol, assuming that you changed the root password (or have remote root login disabled), and don't have any user accounts with trivial passwords.

Last edited by chadl; 10-14-2006 at 01:17 PM.
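chadl's caveat above is that an open port 22 is only as safe as the sshd settings behind it: remote root login and weak account passwords. The following is an added example, not code from the thread or from any poster; it parses an sshd_config the way sshd does (first global occurrence of a directive wins, Match blocks are skipped) and flags the directives chadl mentions. The two sample configs are constructed.

```python
"""Audit sshd_config for the settings chadl mentions: remote root login and
password-based logins. Added example; sample configs below are constructed."""

# Directives to check, the values considered acceptable, and the advice to give.
# An absent PermitRootLogin is flagged rather than assumed safe: modern OpenSSH
# defaults it to prohibit-password, but 2006-era releases defaulted to "yes".
CHECKS = {
    "permitrootlogin": {"ok": {"no", "prohibit-password", "without-password"},
                        "advice": "set PermitRootLogin no (or prohibit-password)"},
    "passwordauthentication": {"ok": {"no"},
                               "advice": "prefer PasswordAuthentication no with key-based login"},
    "permitemptypasswords": {"ok": {"no"},
                             "advice": "set PermitEmptyPasswords no"},
}


def parse_sshd_config(text):
    """Return {directive_lower: value_lower} for the first effective occurrence of
    each global directive. Comments, blank lines and everything after a Match
    keyword are ignored, mirroring how sshd resolves global settings."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            in_match = True          # a Match block runs to the next Match or EOF
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of (directive, current_value, advice) for weak or unset directives."""
    settings = parse_sshd_config(text)
    findings = []
    for key, rule in CHECKS.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, "<default>", rule["advice"]))
        elif value not in rule["ok"]:
            findings.append((key, value, rule["advice"]))
    return findings


# Constructed sample resembling a distro default of the period.
SAMPLE_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""

# Constructed sample with the settings chadl recommends.
SAMPLE_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"[{name}]")
        for key, value, advice in audit_sshd_config(cfg):
            print(f"  {key} = {value}: {advice}")
    # On a real host: audit_sshd_config(open("/etc/ssh/sshd_config").read())
```

Run it against /etc/ssh/sshd_config as shown in the last comment; an empty result means the three directives are set the way chadl describes, and each finding carries the change to make.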
 
Old 10-14-2006, 04:43 PM   #6
davholla
Member
 
Registered: Jun 2003
Location: London
Distribution: Linux Mint 13 Maya
Posts: 729

Original Poster
Rep: Reputation: 32
How do I upload the results of top? If I do top >results I just get rubbish.

Can I post a screenshot here ?
 
Old 10-14-2006, 04:55 PM   #7
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
Have a look through man top - but the following should do it:
Code:
top -b -n 1 > top.out
 
Old 10-14-2006, 07:09 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Better start here: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
 
Old 10-16-2006, 04:31 PM   #9
davholla
Member
 
Registered: Jun 2003
Location: London
Distribution: Linux Mint 13 Maya
Posts: 729

Original Poster
Rep: Reputation: 32
Code:
top - 22:32:13 up 5 min, 1 user, load average: 0.86, 0.98, 0.47
Tasks: 78 total, 2 running, 76 sleeping, 0 stopped, 0 zombie
Cpu(s): 32.8% us, 8.1% sy, 0.0% ni, 29.5% id, 29.1% wa, 0.5% hi, 0.1% si
Mem: 255124k total, 251320k used, 3804k free, 34868k buffers
Swap: 265032k total, 0k used, 265032k free, 78752k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5211 David 16 0 28632 15m 13m S 2.0 6.1 0:00.45 kscd
5520 David 15 0 142m 49m 22m R 2.0 19.7 0:29.78 firefox-bin
1 root 16 0 156 80 52 S 0.0 0.0 0:01.28 init
2 root RT 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
3 root 34 19 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
4 root 10 -5 0 0 0 S 0.0 0.0 0:00.53 events/0
5 root 10 -5 0 0 0 S 0.0 0.0 0:00.01 khelper
10 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kthread
47 root 10 -5 0 0 0 S 0.0 0.0 0:00.06 kblockd/0
111 root 15 0 0 0 0 S 0.0 0.0 0:00.04 pdflush
112 root 15 0 0 0 0 S 0.0 0.0 0:00.13 pdflush
114 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 aio/0
113 root 15 0 0 0 0 S 0.0 0.0 0:00.13 kswapd0
705 root 25 0 0 0 0 S 0.0 0.0 0:00.00 kseriod
780 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 ata/0
859 root 10 -5 0 0 0 S 0.0 0.0 0:00.03 reiserfs/0
1304 root 15 0 0 0 0 S 0.0 0.0 0:00.00 khubd
1492 root 19 0 0 0 0 S 0.0 0.0 0:00.00 khpsbpkt
1575 root 15 0 0 0 0 S 0.0 0.0 0:00.00 kapmd
3036 root 16 0 1580 548 480 S 0.0 0.2 0:00.00 apmd
3248 root 19 0 1744 708 588 S 0.0 0.3 0:00.00 pump
3331 root 16 0 1716 700 588 S 0.0 0.3 0:00.03 automount
3534 root 16 0 1848 724 600 S 0.0 0.3 0:00.13 syslogd
4173 root 16 0 2604 1516 460 S 0.0 0.6 0:00.16 klogd
4206 root 25 0 2672 1268 1032 S 0.0 0.5 0:00.03 mysqld_safe
4267 mysql 15 0 124m 16m 4196 S 0.0 6.5 0:00.18 mysqld
4268 root 15 0 1560 492 428 S 0.0 0.2 0:00.00 logger
4408 root 16 0 2812 1124 980 S 0.0 0.4 0:00.00 lisa
4893 root 20 0 4864 1844 1504 S 0.0 0.7 0:00.05 sshd
4901 daemon 18 0 1900 660 564 S 0.0 0.3 0:00.00 atd
4904 root 16 0 2092 896 736 S 0.0 0.4 0:00.00 cron
4908 root 16 0 2772 768 628 S 0.0 0.3 0:00.00 kdm
4916 root 5 -10 100m 18m 2816 S 0.0 7.3 0:17.93 XFree86
4918 root 17 0 1696 484 420 S 0.0 0.2 0:00.00 getty
4919 root 16 0 1696 484 420 S 0.0 0.2 0:00.00 getty
4920 root 16 0 1696 484 420 S 0.0 0.2 0:00.00 getty
4921 root 16 0 1696 484 420 S 0.0 0.2 0:00.00 getty
4922 root 16 0 1696 484 420 S 0.0 0.2 0:00.00 getty
4923 root 16 0 1696 484 420 S 0.0 0.2 0:00.00 getty
4956 root 16 0 3384 1352 1088 S 0.0 0.5 0:00.00 kdm
5046 David 17 0 2932 1320 908 S 0.0 0.5 0:00.05 startkde
5083 David 16 0 4424 1276 1008 S 0.0 0.5 0:00.00 ssh-agent
5110 David 16 0 24256 9940 8732 S 0.0 3.9 0:00.10 kdeinit
5113 David 15 0 13868 5780 5068 S 0.0 2.3 0:00.91 dcopserver
5115 David 16 0 25604 10m 9888 S 0.0 4.4 0:00.09 klauncher
5118 David 15 0 64224 16m 14m S 0.0 6.8 0:04.49 kded
5161 David 16 0 1556 332 272 S 0.0 0.1 0:00.00 kwrapper
5163 David 15 0 20980 10m 9600 S 0.0 4.3 0:00.35 ksmserver
5164 David 16 0 20800 10m 9560 S 0.0 4.2 0:00.13 kaccess
5165 David 15 0 22808 13m 11m S 0.0 5.3 0:01.47 kwin
5172 David 15 0 30476 18m 15m S 0.0 7.4 0:02.88 kdesktop
5176 David 15 0 31184 19m 16m S 0.0 7.6 0:02.79 kicker
5180 David 15 0 26204 13m 11m S 0.0 5.5 0:00.36 klipper
5184 David 16 0 41020 27m 20m S 0.0 11.2 0:04.01 konqueror
5205 David 16 0 30316 16m 14m S 0.0 6.4 0:00.32 korgac
5206 David 16 0 45556 32m 21m S 0.0 13.0 0:10.65 konqueror
5212 David 16 0 30224 16m 14m S 0.0 6.7 0:01.37 konsole
5213 David 16 0 24532 10m 9484 S 0.0 4.2 0:00.01 kio_file
5216 David 15 0 25172 12m 10m S 0.0 5.1 0:01.10 gaim
5224 David 15 0 5440 3968 1196 S 0.0 1.6 0:00.40 bash
5254 David 16 0 51364 11m 9m S 0.0 4.6 0:00.26 kio_http
5256 David 16 0 51276 11m 9m S 0.0 4.6 0:00.13 kio_http
5265 David 15 0 51276 11m 9m S 0.0 4.6 0:00.34 kio_http
5270 David 16 0 51276 11m 9.9m S 0.0 4.5 0:00.16 kio_http
5271 David 16 0 51276 11m 9.9m S 0.0 4.5 0:00.13 kio_http
5273 David 16 0 51276 11m 9.9m S 0.0 4.5 0:00.14 kio_http
5291 David 15 0 51276 11m 9.9m S 0.0 4.5 0:00.26 kio_http
5299 David 16 0 51276 11m 9.9m S 0.0 4.5 0:00.11 kio_http
5303 David 16 0 51276 11m 9.8m S 0.0 4.5 0:00.07 kio_http
5329 David 15 0 51360 11m 9m S 0.0 4.6 0:00.30 kio_http
5330 David 16 0 51360 11m 9m S 0.0 4.6 0:00.23 kio_http
5406 David 16 0 51276 11m 9.9m S 0.0 4.5 0:00.14 kio_http
5422 David 15 0 51276 11m 9.9m S 0.0 4.5 0:00.14 kio_http
5478 David 15 0 51276 11m 9.9m S 0.0 4.5 0:00.08 kio_http
5534 David 16 0 4612 3080 1772 S 0.0 1.2 0:00.36 gconfd-2
5672 root 17 0 3868 2588 1196 S 0.0 1.0 0:00.22 bash
5688 David 18 0 32644 15m 13m S 0.0 6.2 0:00.16 knotify
5694 root 15 0 2172 952 744 R 0.0 0.4 0:00.01 top
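The batch output above is what gilead's `top -b -n 1 > top.out` produces, and chadl's point was that it shows what is using the resources rather than whether the box is compromised. The following is an added example, not code from the thread or from any poster: a parser for that output layout that pulls out the load averages, the iowait share of the Cpu(s) line and the per-process rows, then ranks the consumers. The sample is a constructed excerpt in the same column layout as the posted output.

```python
"""Parse `top -b -n 1` output and summarise CPU and memory consumers.
Added example; the SAMPLE below is a constructed excerpt, not the full posting."""
import re

HEADER_RE = re.compile(r"^\s*PID\s+USER\s+")   # the column header that precedes the task rows


def _to_kib(field):
    """Convert top's memory column ('15m', '1.2g', '28632') to KiB."""
    units = {"k": 1, "m": 1024, "g": 1024 ** 2}
    suffix = field[-1].lower()
    if suffix in units:
        return float(field[:-1]) * units[suffix]
    return float(field)


def parse_top(text):
    """Return (summary, processes). summary holds the load averages and the iowait
    percentage; processes is a list of dicts, one per task row."""
    summary, procs = {}, []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            m = re.search(r"load average:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)", line)
            if m:
                summary["load"] = tuple(float(x) for x in m.groups())
            m = re.search(r"([\d.]+)%\s*wa", line)   # iowait share on the Cpu(s) line
            if m:
                summary["iowait"] = float(m.group(1))
            if HEADER_RE.match(line):
                in_table = True
            continue
        cols = line.split()
        if len(cols) < 12:        # blank or truncated row
            continue
        procs.append({
            "pid": int(cols[0]), "user": cols[1],
            "res_kib": _to_kib(cols[5]), "state": cols[7],
            "cpu": float(cols[8]), "mem": float(cols[9]),
            "command": " ".join(cols[11:]),
        })
    return summary, procs


def top_consumers(procs, key, n=3):
    """Top-n process rows by 'cpu' or 'mem' (stable, so ties keep top's order)."""
    return sorted(procs, key=lambda p: p[key], reverse=True)[:n]


def assess(summary, procs):
    """Plain-language hints. A large iowait with little CPU use points at disk or
    swap pressure; none of this says anything about compromise."""
    notes = []
    if summary.get("iowait", 0) > 20:
        notes.append(f"iowait {summary['iowait']}%: system is waiting on disk, not CPU-bound")
    by_mem = top_consumers(procs, "mem", 1)
    if by_mem:
        notes.append(f"largest resident process: {by_mem[0]['command']} ({by_mem[0]['mem']}% mem)")
    return notes


# Constructed excerpt in the layout of the output posted above.
SAMPLE = """\
top - 22:32:13 up 5 min, 1 user, load average: 0.86, 0.98, 0.47
Tasks: 78 total, 2 running, 76 sleeping, 0 stopped, 0 zombie
Cpu(s): 32.8% us, 8.1% sy, 0.0% ni, 29.5% id, 29.1% wa, 0.5% hi, 0.1% si
Mem: 255124k total, 251320k used, 3804k free, 34868k buffers
Swap: 265032k total, 0k used, 265032k free, 78752k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
 5211 David     16   0 28632  15m  13m S  2.0  6.1  0:00.45 kscd
 5520 David     15   0  142m  49m  22m R  2.0 19.7  0:29.78 firefox-bin
    1 root      16   0   156   80   52 S  0.0  0.0  0:01.28 init
 4893 root      20   0  4864 1844 1504 S  0.0  0.7  0:00.05 sshd
 5206 David     16   0 45556  32m  21m S  0.0 13.0  0:10.65 konqueror
"""

if __name__ == "__main__":
    summary, procs = parse_top(SAMPLE)
    print("load:", summary["load"], "iowait:", summary["iowait"])
    for p in top_consumers(procs, "mem"):
        print(f"{p['pid']:>6} {p['user']:<8} {p['mem']:>5}% {p['command']}")
    for note in assess(summary, procs):
        print("-", note)
```

Feed it the contents of top.out instead of SAMPLE to get the same ranking for a real capture; on a 256 MB box like the one posted, the memory ranking and the iowait figure are the first things to look at for a slowness complaint.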
 
Old 10-16-2006, 05:07 PM   #10
twilli227
Member
 
Registered: May 2003
Location: S.W. Ohio
Distribution: Ubuntu, OS X
Posts: 760

Rep: Reputation: 30
Did you just install Knoppix? Have you been using it for awhile? What are your hardware specs? Has it always run slow?
 
Old 10-16-2006, 07:04 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
There's nothing in top output that will indicate to you, me or anyone sane your box has been cracked. Please post the required information. If not I intend to rename the thread and move it to a more appropriate forum like Linux - General.
 
Old 10-17-2006, 02:57 AM   #12
davholla
Member
 
Registered: Jun 2003
Location: London
Distribution: Linux Mint 13 Maya
Posts: 729

Original Poster
Rep: Reputation: 32
My apologies to everyone for over reacting.


The reasons why I was worried were:
1) I thought my firewall was working correctly for the last year but when I went to
http://www.grc.com/default.htm I found that it was not (assuming that this is a good test).
2) Services which I thought were not running were, which alarmed me slightly.
3) I did not reply as quickly as I had because I have been moving.
4) It seems to be that it has been getting slower over the last year. Of course I have not got any validation for that, i.e. I have not run anything to check.
Thanks everyone for the help and apologies for wasting people's time.

Last edited by davholla; 10-17-2006 at 03:26 AM.
 
Old 10-17-2006, 03:10 AM   #13
davholla
Member
 
Registered: Jun 2003
Location: London
Distribution: Linux Mint 13 Maya
Posts: 729

Original Poster
Rep: Reputation: 32
PS I would close the thread but I cannot see where to.
 
Old 10-17-2006, 06:16 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
My apologies to everyone for over reacting.
No. Anybody who has *any* doubts about the integrity of their box *should* address that. You did, and your OP contains questions worth answering. So your apologies are absolutely unnecessary even though I appreciate the gesture.


Quote:
1) (..) I found that it was not (assuming that this is a good test).
Without posting relevant info this means zilch but the "regular" cause for GRC questions to pop up is the bit about achieving "Stealth". That is IMNSHO a misinterpretation of what enhances security. Stealth does NOT enhance security. In fact blocking all ICMP is a good way to hamper traffic flow since the other protocols in the IP suite depend on it.


Quote:
2) Services which I thought were not running were, which alarmed me slightly.
Basically we're looking at three types of invertebrata: crackers, spackers, defacers and skiddies (OK, so I made the spacker bit up: a contraction of spammer and cracker). Simply said it is in the cracker's MO to become root and hide processes and files: as long as detection can be thwarted there is a workable environment. Defacers are the opposite, taking the easiest and fastest way possible to "advertise" their "victory": most noisy. Spackers (those crews getting paid to subvert boxen for spamming purposes) go the easy route as well (time is money) and won't need root to achieve their goals. Script kiddies are noisy for just trying whatever 0-day they can get their hands on.

So if you take that simplified MO you could say that a) either something has gone wrong while hiding (five percent probability), b) you or another legitimate user inadvertently started the service (ninety-five percent probability). I haven't seen any hostiles try to use SSH for transferring files :-p


Quote:
3) I did not reply as quickly as I had because I have been moving.
Keeping a compromised box accessible is a hazard for local and remote users as well as for the rest of the community, and it's a bad ad for GNU/Linux in general. Determining if a box is (perceived) compromised is a priority, because the faster the situation can be dealt with decisively the better.


Quote:
4) It seems to be that it has been getting slower over the last year. Of course I have not got any validation for that, i.e. I have not run anything to check.
To determine if things are getting slower (performance vs perception) over such a period is hard without continuously running any SAR or SAR-like tools like Atsar, Atop or Dstat. In any case that is a whole different game compared to determining if a box was compromised and to what extent. In this thread we've shown enough info for you to use to check for a compromise.


Quote:
PS I would close the thread but I cannot see where to.
Only the site owner and moderators can do that.
I will close this thread so you can open a new one for determining performance drop.
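unSpawn's reply above draws the distinction that matters for triage: a cracker with root hides processes, whereas a service you did not expect to be running is far more often something a legitimate user started. The following is an added example, not code from the thread, the CERT checklist or any poster, showing the two cheap checks that follow from that: a process-hiding check that compares the PIDs /proc lists against what ps(1) reports and against a kill(pid, 0) probe of the whole PID range, and a baseline comparison of running service names against what you expect. The baseline and the sample PID sets are constructed; the service names in the sample come from the top output posted earlier.

```python
"""Hidden-process and unexpected-service checks. Added example; the baseline
and the SAMPLE_* data are constructed, not taken from the thread."""
import os
import subprocess


def proc_pids():
    """PIDs visible as numeric entries in /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs as reported by ps(1), or None if ps could not be run."""
    try:
        out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return {int(tok) for tok in out.split() if tok.isdigit()}


def probe_pids(max_pid=None):
    """PIDs that exist according to kill(pid, 0). PermissionError still means the
    process exists; ProcessLookupError means it does not. This does not depend on
    /proc or ps, so it gives a third view to compare the other two against."""
    if max_pid is None:
        try:
            max_pid = int(open("/proc/sys/kernel/pid_max").read())
        except OSError:
            max_pid = 32768
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except PermissionError:
            found.add(pid)
        except ProcessLookupError:
            pass
    return found


def hidden_pids(reference, reported, self_pid=None):
    """PIDs present in one view but absent from another. Short-lived processes
    (the ps run itself, threads exiting) produce false positives, so a hit
    should be re-checked before it is treated as a hidden process."""
    return sorted(p for p in set(reference) - set(reported) if p != self_pid)


def unexpected_services(running, expected):
    """Service names that are running but not in your baseline of expected ones."""
    return sorted(set(running) - set(expected))


# Constructed sample: one PID appears in /proc but not in the ps report.
SAMPLE_PROC = {1, 2, 3, 4893, 5206, 5999}
SAMPLE_PS = {1, 2, 3, 4893, 5206}
# Service names as they appear in the posted top output; the baseline is constructed.
SAMPLE_RUNNING = ["sshd", "mysqld", "cron", "atd", "kdm", "syslogd"]
EXPECTED = ["sshd", "cron", "syslogd", "kdm"]

if __name__ == "__main__":
    print("hidden (sample):", hidden_pids(SAMPLE_PROC, SAMPLE_PS))
    print("unexpected (sample):", unexpected_services(SAMPLE_RUNNING, EXPECTED))
    from_ps = ps_pids()
    if from_ps is None:
        print("ps not available; skipping the live ps comparison")
    else:
        print("in /proc but not in ps:", hidden_pids(proc_pids(), from_ps, os.getpid()))
    print("in kill-probe but not in /proc:", hidden_pids(probe_pids(), proc_pids(), os.getpid()))
```

Any PID that shows up only in the kill probe and survives a second run is worth examining, since that is the pattern unSpawn describes for a root-level intruder hiding processes; a name that shows up in unexpected_services is, as he says, far more likely something a user or an install script turned on, and the fix is to confirm who started it and disable it if it is not wanted.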