Post #1, 03-11-2011, 03:46 PM
UDP traffic unauthorized on Ubuntu 10.04

Has my Ubuntu machine been cracked?

machine on home lan
it is the DMZ from router
ufw on (ports open for aMule)
sshd installed

p2p file sharing
local sharing
servers (only sshd)

afs-fileserver port 7000 detected by etherape
rkhunter 16 files show WARNING
UDP unknown traffic, many connections, detected by etherape
no UDP shows in #sudo netstat
I only install software from U repos, authenticated
Post #2, 03-12-2011, 03:37 PM
Chances are that you have not. Part of the problem with tools like rkhunter and etherape is that they give a lot of false warnings, as does any IDS software. You need to review the man pages and understand what the tools are doing and then evaluate the warnings you receive on a case-by-case basis. You mention SSHD: do you use password authentication? Do you allow root passwords? Do you have it restricted at all via iptables? Do you run any other server processes? Do you examine your logs routinely? Do you use a program like fail2ban to help counteract brute force password attempts?

If you think you may have been compromised, then you will want to perform an investigation. Start by removing the network cable or putting a firewall up in front of the machine. Then review the CERT intruder detection check list for things to look for. Here is a link.

Next, examine the output of netstat -pane, lsof -pwn, ps -afwwwe. Look for any files with the setuid and setgid bits set. If you need help analyzing these files, please post the output as an attachment or let one of us know and we will help arrange for a location to post them.
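An added example, not code from the thread or from any of the posters: a small read-only sh helper that does what post #2 describes (snapshot the socket, open-file and process tables, then sweep for setuid/setgid files) and pulls the UDP sockets out of the netstat table so they can be compared with what etherape shows on the wire. The netstat sample, its port numbers, PIDs and program names are constructed; the function names and the output directory layout are assumptions of this example, and it assumes POSIX sh with find, awk and either netstat or ss on PATH (lsof optional).

```shell
#!/bin/sh
# Added triage helper (not from the thread): snapshot sockets/processes and
# sweep for setuid/setgid files, as suggested in post #2. Read-only: it
# changes nothing on the host. Assumes POSIX sh plus find, awk, and either
# netstat or ss on PATH; lsof is optional.

# Constructed sample of `netstat -pane` output, used for the offline demo.
# The PIDs, ports, users and program names are made up.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12345      1234/sshd
udp        0      0 0.0.0.0:4672            0.0.0.0:*                           1000       23456      2345/amule
udp6       0      0 :::5353                 :::*                                103        34567      3456/avahi-daemon'

# Keep only UDP sockets (IPv4 and IPv6) from netstat/ss output on stdin.
# A bound UDP socket shows up here even when nothing is currently talking to
# it, which separates "no UDP in netstat" from "no UDP on the wire".
udp_sockets() {
    awk '$1 ~ /^udp/'
}

# Number of UDP sockets in the text on stdin.
udp_socket_count() {
    udp_sockets | wc -l | tr -d ' '
}

# List regular files below $1 (one filesystem only) with setuid or setgid set.
# Compare the result against a known-good baseline or the owning package
# (dpkg -S) rather than treating every hit as suspicious: /usr/bin/passwd and
# friends are supposed to be setuid.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Write the live socket, open-file and process tables into directory $1 so
# later runs can be diffed against this baseline.
collect_snapshot() {
    dir=$1
    mkdir -p "$dir" || return 1
    if command -v netstat >/dev/null 2>&1; then
        netstat -pane > "$dir/sockets.txt" 2>/dev/null
    elif command -v ss >/dev/null 2>&1; then
        ss -tuanpe > "$dir/sockets.txt" 2>/dev/null
    else
        echo "neither netstat nor ss found" >&2
        return 1
    fi
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -i > "$dir/lsof-net.txt" 2>/dev/null
    fi
    ps -efww > "$dir/processes.txt"
    udp_sockets < "$dir/sockets.txt" > "$dir/udp-sockets.txt"
    setid_files / > "$dir/setid-files.txt"
    echo "snapshot written to $dir"
}

# Offline demo against the constructed sample; pass "live DIR" to snapshot
# the real host instead (run as root to see other users' PIDs in netstat).
case "${1:-}" in
    live) collect_snapshot "${2:-./triage-$(date +%Y%m%d-%H%M%S)}" ;;
    *)    printf '%s\n' "$SAMPLE_NETSTAT" | udp_sockets ;;
esac
```

Run it once with `live` while the machine is still in its current state and keep that directory; a second snapshot after a reboot, or after aMule is stopped, can then be diffed against it, and any UDP socket that is still bound with no package-owned program name behind it is the one worth chasing in tcpdump.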
Post #3, 03-12-2011, 07:05 PM
Personally I'd take this more gradually before going all out, especially since I agree with Noway2 that it's probably nothing. If the UDP traffic is what is concerning you then try running tcpdump or wireshark for more details and go from there.