jschiwal

rootkit hunter can now monitor file system changes in the cvs edition so you do not need gamin.....personal choice of course.

The Watcher

hmmm well I was responding to my memory leak so sorry gamin is re-appearing. And yes I am suggesting close it down.

2) what did you do to disable ssh? What do you mean by no effect if you used root powers to disable it?

So i have been copped -- I guess that is a form of hacking?

I need a remedy:

• Can I simply kill gam_server with kill -9 ????
• How do I stop copping all together?
• Does this mean that some one can get into my machine and cause havoc and destruction -- this really firghtens me
• I turned off sshd by doing "/sbin/service sshd stop", but the system did not seem to respond at all and the gam_server is still running
• the gam_server is taking up about 20% of my cpu time which is annoying because I am running some major calculations at the moment and I need maximum cpu time
• How do I use SElinux as some one suggested?
• Any other advice would be very welcome
• Apologies again for naieve questions, but I am new to these things

Cheers.

The Watcher

The Watcher

forgive me for replying to some but not all of your questions as I do not use Rh.

1) In your first post....you allowed sshd to listen and allow root login so brute force passwords techniques could (i repeat could not have) been used on you.

2) please confirm sshd is not running....ways include...rerun rkhunter to check that protocol 2 is only allowed and permit root is not if you decided to keep /etc/ssh/ssh* configs....there are 2 files

And forgive me but you did not explain your last failure with ssh so pls be explicit.

If you do not need ssh at all....use root powers to delete all ssh configs from /home/yourname..../root....and /etc/ssh.....If you think you may need it ....change the permissions to ---- in lieu of rw-or however your distro defines these config files.


3) A reread of rkh for detected rootkits is zero....but you can run chkrootkit and read unspawn's security sticky in the security forum if you suspect you have been intruded. IMHO you have not.

4) getting back to gam_server....do a search of /etc for any init script that may be starting it on reboot...start.....and disable the the script so it goes from rwx to ----......and at this stage do not delete it.

also search for alias in etc..in case alias is used to replace fam with gam-server


also search for gamin and I think we talked about before?


good luck

oh forgot...sshd stop is only good if you never reboot and I prefer the above way

Thanks aus9. Here is my sequence of events:

1. I found "gam_sever" running on my machine taking up an entier CPU processor
2. I turned off access to sshd by "/sbin/service sshd stop"
3. I also changed entries in /etc/ssh/sshd_config and set protocol to 2 and permit root is not allowed, as advised previously.
4. However gam_server did not stop running, so I rebooted my machine and it disappeared
5. However, a few days later it appeared again.
6. In frustration, I did "kill -TERM *****" and the gam_server disappeared to no apparent ill effect.
7. I did "/sbin/chkconfig --level 2345 sshd off" so that sshd is not initiated at restart
8. I restarted my machine and all seems good so far.
   [*} I have checked with "chkconfig --list | grep ssh" and I get:
   sshd 0ff 1ff 2ff 3ff 4ff 5ff 6ff
9. And also with "/sbin/service --status-all | grep ssh" and I get: "sshd is stopped".
10. I will ocassionally need ssh so I do not want it removed. If what I have done now is ok and secure, I guess if I want to use it then I simply do "/sbin/service sshd start", and then thrun it off again after use?
11. I am still puzzled as to what gamit actually does, and if I have not been hacked or copped and then how did this gam_server anomoly arise?
12. If the gam_server process arises again, what would that mean?
13. I do not understand properly your points 3) and 4) ?

Thanks, and regards.

Please check your RPM database for a package that includes the /usr/lib*/gamin* thing (rpm -q --whatprovides /usr/libexec/gam*) thing. If it isn't there it's likely not part of an installed RPM package.
In that case there's three things to do:
- do research yourself. Google for the gamin stuff and read their website info,
- identify which files in root-owned directories are not part of RPM packages to weed out "known-good" files,
- provide output from lsof (-w -n $PID) if the process runs.
Until you do any other questions or speculations about this Gamin stuff will be just a waste of time.