Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Not shown: 1705 closed ports
PORT STATE SERVICE
21/tcp open ftp
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
2049/tcp open nfs
2628/tcp open dict
5901/tcp open vnc-1
6001/tcp open X11:1
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.092 seconds
I dont understand all those ports on my machine. particularly this 8080, and netbios-ssn and 445 and ipp 631.
I run the vnc its me.
Quote:
rching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient3[6034])
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'
All results have been written to the logfile (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
[23:40:47] /usr/sbin/tcpd [ OK ]
[23:40:47] /usr/sbin/unhide [ Warning ]
[23:40:47] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat fi
le.
[23:40:47] /usr/sbin/useradd [ OK ]
[23:40:47] /usr/sbin/userdel [ OK ]
[23:40:48] /usr/sbin/usermod [ OK ]
[23:40:48] /usr/sbin/vipw [ OK ]
[23:40:48] /usr/sbin/unhide-linux26 [ Warning ]
[23:40:48] Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunte
r.dat file.
When I stop gdm, I get this:
nmap 192.168.2.101
Quote:
PORT STATE SERVICE
Not shown: 1708 closed ports
21/tcp open ftp
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
2049/tcp open nfs
2628/tcp open dict
the x has vncserver and skype running, and konsole, + gnome-panel
frenchn00b, I've moved your post to a thread of its own. I can't figure out why you decided to post this in that other thread (which had been inactive for months). Also, I share tredegar's interest in learning what exactly it is that you're asking.
I dont understand all those ports on my machine. particularly this 8080, and netbios-ssn and 445 and ipp 631.
If you don't know what a service is first try finding information on your machine with default commands like 'getent services 445', 'whatis samba' and 'apropos samba'. If you don't need to provide NFS, run portmap, Internet Printing Protocol or a proxy then please stop those services and prohibit them from running. If you need to provide those services please look into tcp_wrappers, application-specific configurable access restrictions, iptables filtering and using an IDS like Snort to provide "early warning" and auditing capabilities.
Quote:
Originally Posted by frenchn00b
Code:
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Could be a false positive. See the Chkrootkit FAQ for more information about transient processes causing false positives.
Quote:
Originally Posted by frenchn00b
Code:
[23:40:47] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
[23:40:47] /usr/sbin/useradd [ OK ]
[23:40:47] /usr/sbin/userdel [ OK ]
[23:40:48] /usr/sbin/usermod [ OK ]
[23:40:48] /usr/sbin/vipw [ OK ]
[23:40:48] /usr/sbin/unhide-linux26 [ Warning ]
[23:40:48] Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.
These are informational warnings, not evidence of a system compromise. This happens if you run RKH without updating (see the manual page and other docs about "--propupd").
Quote:
Originally Posted by frenchn00b
I dont see my SSH daemon anymore, running, why??
I didn't see it running in the first place?
Quote:
Originally Posted by frenchn00b
it seems that this 8080 is coming from skype.
strange, no?
I don't see no TCP/8080 nor anything related to Skype.
Quote:
Originally Posted by frenchn00b
hmmm it seems that wireshack detects things
That's what it's made for. What it doesn't do is interprete things for you. What do you think you are seeing?
Quote:
Originally Posted by win32sux
Also, I share tredegar's interest in learning what exactly it is that you're asking.
Me too. What exactly is it you're having trouble with?..
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
