nethogs finds a lot of connections directed to my server ip...
Linux - Security
192.168.1.3 is my server's local IP. What are all of those records? Can you please tell me if someone is hacking my network, or maybe has already hacked it?
The ones you're talking about, starting with a question mark, are past connections: they're not bound to an active process anymore. Since they've all used ephemeral (meaning >=1024) destination ports, it doesn't appear to be connecting to a commonly known service like HTTP or IRC or something like that. Also, when resolving the remote IP addresses (as in 'dig -x'), they appear to be consumer lines, not servers. Third, these connections don't appear to have sent much data.
Quote:
Originally Posted by masavini
can you please tell me if someone is hacking my network? or maybe has already hacked it?
While the above, in a time of botnets and without payload inspection, doesn't leave much info to be gleaned from, it may be caused by benign (your verdict, obviously) processes like Skype or a P2P application. To be able to answer your last question you would need to inspect your network equipment and server(s) and share info with respect to (anomalous?) entries in system and daemon log files, login records, any file alterations, foreign files or processes, etc., etc.
There certainly is an international feel to your business - Italy, Thailand, Brazil etc.
You're the sysadmin. Have you got stuff running as root using those ports?
Have you picked up another box on another network and run nmap on your own server? Take your laptop or smart phone down to a local wifi hotspot (even at home) and try it.
Do you know about rkhunter and friends?
What version/system are you using and is it up to date?
Post some results on the questions above and you'll get meaningful responses.
You are right to be seriously concerned.
Last edited by business_kid; 10-15-2014 at 06:23 AM.
Thanks for your replies, you gave me several hints...
This is what I came to:
- The only daemon that could be responsible for those "suspicious" nethogs entries is tor. I think it has been installed with torsocks, do you think it could be possible?
- I ran rkhunter and got a VERY long log ending with:
Code:
[13:30:29] System checks summary
[13:30:29] =====================
[13:30:29]
[13:30:29] File properties checks...
[13:30:29] Files checked: 139
[13:30:29] Suspect files: 1
[13:30:29]
[13:30:29] Rootkit checks...
[13:30:29] Rootkits checked : 307
[13:30:29] Possible rootkits: 0
[13:30:29]
[13:30:29] Applications checks...
[13:30:29] All checks skipped
[13:30:30]
[13:30:30] The system checks took: 1 minute and 29 seconds
The suspect file is /usr/bin/unhide.rb, but I can't go any further... I can post the full log if it may help...
My system is Ubuntu 14.04 LTS, almost up to date (I fully updated a couple of weeks ago).
Later I'll try with nmap from another network and I'll tell you what I got...
Unhide.rb is a tentative rewrite in Ruby of the original Unhide, which is written in C. While being much faster, it does not implement all the diagnostics of the original version. It is also less secure as it cannot be statically compiled.
It's for daily rootkit scans :-). It needs ruby.
What upsets me is so many high and unusual port numbers claimed by root doing things. What services have you got communicating as root? It sounds crazy. It could be innocent, but I would hunt it down as far as possible.
Quote:
What upsets me is so many high and unusual port numbers claimed by root doing things. What services have you got communicating as root? It sounds crazy. It could be innocent, but I would hunt it down as far as possible.
I don't really know... root's crontab is empty and there is no "visudo" command starting from teo's crontab.
I have another computer with the same OS and almost the same programs and configurations. If I launch nethogs on that system, I don't get those weird records...
The main differences between the 2 systems are that the server is also running:
- tor daemon (but the user should be "debian-tor"...)
- pidgin and skype (but the user should be "teo")
OK then, something like the following? (do it as root)
Code:
ps -u root -U root u > some_file
lsof -i |less
The first line lists all root processes.
The second links processes to ports. If you have a rootkit, this kind of basic check may return false information. Make sense of it and post your results. For any process, in a quiet moment, you should be able to kill it and clear any suspicious ports.
You're the sysadmin. The idea was that YOU would look at them, figure out your ports <--> processes, investigate where suspicious, and cry foul if they were not right. If you were curious, YOU can kill those processes. I can't.
Nice, rcuos processes were the only ones I had already checked out...
What I can see from the logs is that the 2 ports recurring in the first nethogs log (3263 and 61246) only appear in the lsof -i output and they're used by skype:
Skype instances (I always have 2 running) are not launched by root, but I guess that there must be some skype subprocess running with root privileges...
Is this impossible, just possible or even probable?
Quote:
Originally Posted by masavini
Skype instances (I always have 2 running) are not launched by root, but I guess that there must be some skype subprocess running with root privileges... Is this impossible, just possible or even probable?
I think you're interpreting things wrong. Else what makes you think there should be "some skype subprocess running with root privileges"? Because your 'lsof' output clearly shows the processes running as user "teo":
traps the syscall for all users and all processes, so on a busy system this may cause an excessive amount of logging! It would be better to apply a filter and anchor logging to, for example, one user. Also note that
Quote:
Originally Posted by alexs3
Code:
auditctl -D
deletes all rules. So that isn't a command you will want to run right after you set the logging rule...
Quote:
I think you're interpreting things wrong. Else what makes you think there should be "some skype subprocess running with root privileges"? Because your 'lsof' output clearly shows the processes running as user "teo":
How can you be that sure? I'm not saying I was right, I'm only saying that skype is proprietary software and I just can't know what the programmers stuffed in it, right?