06-26-2007, 09:45 PM, #16
LQ 5k Club, Registered: Oct 2003, Location: Western Australia, Distribution: Icewm, Posts: 5,842
jschiwal
rootkit hunter can now monitor file system changes in the cvs edition so you do not need gamin.....personal choice of course.
The Watcher
hmmm well I was responding to my memory leak so sorry gamin is re-appearing. And yes I am suggesting close it down.
2) what did you do to disable ssh? What do you mean by no effect if you used root powers to disable it?
06-27-2007, 05:22 AM, #17
Member, Registered: Mar 2007, Location: London, Posts: 40, Original Poster
Quote: Originally Posted by aus9
jschiwal
rootkit hunter can now monitor file system changes in the cvs edition so you do not need gamin.....personal choice of course.
The Watcher
hmmm well I was responding to my memory leak so sorry gamin is re-appearing. And yes I am suggesting close it down.
2) what did you do to disable ssh? What do you mean by no effect if you used root powers to disable it?
So I have been copped -- I guess that is a form of hacking?
I need a remedy:
- Can I simply kill gam_server with kill -9?
- How do I stop copping altogether?
- Does this mean that someone can get into my machine and cause havoc and destruction -- this really frightens me
- I turned off sshd by doing "/sbin/service sshd stop", but the system did not seem to respond at all and the gam_server is still running
- the gam_server is taking up about 20% of my CPU time, which is annoying because I am running some major calculations at the moment and I need maximum CPU time
- How do I use SELinux as someone suggested?
- Any other advice would be very welcome
- Apologies again for naive questions, but I am new to these things
Cheers.
The Watcher
06-27-2007, 10:18 PM, #18
LQ 5k Club, Registered: Oct 2003, Location: Western Australia, Distribution: Icewm, Posts: 5,842
The Watcher
forgive me for replying to some but not all of your questions as I do not use RH.
1) In your first post....you allowed sshd to listen and allow root login so brute force password techniques could (I repeat could, not have) been used on you.
2) please confirm sshd is not running....ways include...rerun rkhunter to check that protocol 2 is only allowed and permit root is not if you decided to keep /etc/ssh/ssh* configs....there are 2 files
And forgive me but you did not explain your last failure with ssh so please be explicit.
If you do not need ssh at all....use root powers to delete all ssh configs from /home/yourname..../root....and /etc/ssh.....If you think you may need it ....change the permissions to ---- in lieu of rw- or however your distro defines these config files.
3) A reread of rkh for detected rootkits is zero....but you can run chkrootkit and read unspawn's security sticky in the security forum if you suspect you have been intruded. IMHO you have not.
4) getting back to gam_server....do a search of /etc for any init script that may be starting it on reboot...start.....and disable the script so it goes from rwx to ----......and at this stage do not delete it.
also search for alias in etc..in case alias is used to replace fam with gam-server
also search for gamin and I think we talked about before?
good luck
Last edited by aus9; 06-27-2007 at 10:19 PM.
06-27-2007, 10:22 PM, #19
LQ 5k Club, Registered: Oct 2003, Location: Western Australia, Distribution: Icewm, Posts: 5,842
oh forgot...sshd stop is only good if you never reboot and I prefer the above way
06-28-2007, 08:01 AM, #20
Member, Registered: Mar 2007, Location: London, Posts: 40, Original Poster
Quote: Originally Posted by aus9
The Watcher
1) In your first post....you allowed sshd to listen and allow root login so brute force password techniques could (I repeat could, not have) been used on you.
2) please confirm sshd is not running....ways include...rerun rkhunter to check that protocol 2 is only allowed and permit root is not if you decided to keep /etc/ssh/ssh* configs....there are 2 files
If you do not need ssh at all....use root powers to delete all ssh configs from /home/yourname..../root....and /etc/ssh.....If you think you may need it ....change the permissions to ---- in lieu of rw- or however your distro defines these config files.
3) A reread of rkh for detected rootkits is zero....but you can run chkrootkit and read unspawn's security sticky in the security forum if you suspect you have been intruded. IMHO you have not.
4) getting back to gam_server....do a search of /etc for any init script that may be starting it on reboot...start.....and disable the script so it goes from rwx to ----......and at this stage do not delete it.
also search for alias in etc..in case alias is used to replace fam with gam-server
also search for gamin and I think we talked about before?
good luck
Thanks aus9. Here is my sequence of events:
- I found "gam_server" running on my machine taking up an entire CPU processor
- I turned off access to sshd by "/sbin/service sshd stop"
- I also changed entries in /etc/ssh/sshd_config and set protocol to 2 and permit root is not allowed, as advised previously.
- However gam_server did not stop running, so I rebooted my machine and it disappeared
- However, a few days later it appeared again.
- In frustration, I did "kill -TERM *****" and the gam_server disappeared to no apparent ill effect.
- I did "/sbin/chkconfig --level 2345 sshd off" so that sshd is not initiated at restart
- I restarted my machine and all seems good so far.
- I have checked with "chkconfig --list | grep ssh" and I get:
sshd 0 ff 1 ff 2 ff 3 ff 4 ff 5 ff 6 ff
- And also with "/sbin/service --status-all | grep ssh" and I get: "sshd is stopped".
- I will occasionally need ssh so I do not want it removed. If what I have done now is ok and secure, I guess if I want to use it then I simply do "/sbin/service sshd start", and then turn it off again after use?
- I am still puzzled as to what gamin actually does, and if I have not been hacked or copped then how did this gam_server anomaly arise?
- If the gam_server process arises again, what would that mean?
- I do not understand properly your points 3) and 4) ?
Thanks, and regards.
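The two sshd_config settings aus9's point 2 asks to confirm (Protocol 2 only, PermitRootLogin no) and that The Watcher edited by hand can be checked with a small script; this is an added example, not code from anyone in the thread. It mirrors sshd's rule that the first uncommented occurrence of a keyword wins, runs here against a constructed sample file, and on a real host would be pointed at /etc/ssh/sshd_config (path and function names are assumptions).

```shell
#!/bin/sh
# Added example: audit sshd_config for "Protocol 2" only and "PermitRootLogin no".

# sshd_option FILE KEYWORD
# Print the value of the first uncommented KEYWORD line (sshd applies the first
# occurrence), matching the keyword case-insensitively. Prints nothing if unset.
sshd_option() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }              # skip comment lines
        tolower($1) == key { print $2; exit }  # first match wins, like sshd
    ' "$1"
}

# check_sshd_config FILE
# Return 0 when Protocol is exactly "2" and PermitRootLogin is "no"; otherwise
# print a WARN line per bad setting and return 1. "Protocol 2,1" still allows
# SSH-1 and is flagged; an unset PermitRootLogin is flagged because older
# OpenSSH releases defaulted it to yes.
check_sshd_config() {
    rc=0
    proto=$(sshd_option "$1" Protocol)
    rootlogin=$(sshd_option "$1" PermitRootLogin)
    if [ "$proto" = "2" ]; then
        echo "OK:   Protocol 2 only"
    else
        echo "WARN: Protocol is '${proto:-unset}' (want exactly 2)"
        rc=1
    fi
    if [ "$rootlogin" = "no" ]; then
        echo "OK:   PermitRootLogin no"
    else
        echo "WARN: PermitRootLogin is '${rootlogin:-unset}' (want no)"
        rc=1
    fi
    return $rc
}

# Constructed sample config (not from the thread): the commented-out
# "#PermitRootLogin no" must be ignored, so the effective value is "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample sshd_config
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
EOF
check_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```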
06-28-2007, 04:32 PM, #21
Moderator, Registered: May 2001, Posts: 29,415
Please check your RPM database for a package that includes the /usr/lib*/gamin* thing (rpm -q --whatprovides /usr/libexec/gam*). If it isn't there it's likely not part of an installed RPM package.
In that case there are three things to do:
- do research yourself. Google for the gamin stuff and read their website info,
- identify which files in root-owned directories are not part of RPM packages to weed out "known-good" files,
- provide output from lsof (-w -n $PID) if the process runs.
Until you do, any other questions or speculations about this Gamin stuff will be just a waste of time.
Last edited by unSpawn; 06-28-2007 at 04:34 PM.