LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-26-2007, 10:45 PM   #16
aus9
LQ Addict
 
Registered: Oct 2003
Location: Australia
Distribution: MX 17
Posts: 5,298


jschiwal

rootkit hunter can now monitor file system changes in the cvs edition so you do not need gamin.....personal choice of course.

The Watcher

hmmm well I was responding to my memory leak so sorry gamin is re-appearing. And yes I am suggesting close it down.

2) what did you do to disable ssh? What do you mean by no effect if you used root powers to disable it?
 
Old 06-27-2007, 06:22 AM   #17
The_Watcher
Member
 
Registered: Mar 2007
Location: London
Posts: 40

Original Poster
Quote:
Originally Posted by aus9
jschiwal

rootkit hunter can now monitor file system changes in the cvs edition so you do not need gamin.....personal choice of course.

The Watcher

hmmm well I was responding to my memory leak so sorry gamin is re-appearing. And yes I am suggesting close it down.

2) what did you do to disable ssh? What do you mean by no effect if you used root powers to disable it?

So I have been copped -- I guess that is a form of hacking?

I need a remedy:
  • Can I simply kill gam_server with kill -9 ????
  • How do I stop copping all together?
  • Does this mean that someone can get into my machine and cause havoc and destruction -- this really frightens me
  • I turned off sshd by doing "/sbin/service sshd stop", but the system did not seem to respond at all and the gam_server is still running
  • the gam_server is taking up about 20% of my cpu time which is annoying because I am running some major calculations at the moment and I need maximum cpu time
  • How do I use SELinux as someone suggested?
  • Any other advice would be very welcome
  • Apologies again for naive questions, but I am new to these things

Cheers.

The Watcher
 
Old 06-27-2007, 11:18 PM   #18
aus9
LQ Addict
 
Registered: Oct 2003
Location: Australia
Distribution: MX 17
Posts: 5,298

The Watcher

forgive me for replying to some but not all of your questions as I do not use RH.

1) In your first post....you allowed sshd to listen and allow root login so brute-force password techniques could (I repeat could not have) been used on you.

2) please confirm sshd is not running....ways include...rerun rkhunter to check that protocol 2 is only allowed and permit root is not if you decided to keep /etc/ssh/ssh* configs....there are 2 files

And forgive me but you did not explain your last failure with ssh so pls be explicit.

If you do not need ssh at all....use root powers to delete all ssh configs from /home/yourname..../root....and /etc/ssh.....If you think you may need it ....change the permissions to ---- in lieu of rw- or however your distro defines these config files.


3) A reread of rkh for detected rootkits is zero....but you can run chkrootkit and read unspawn's security sticky in the security forum if you suspect you have been intruded. IMHO you have not.

4) getting back to gam_server....do a search of /etc for any init script that may be starting it on reboot...start.....and disable the script so it goes from rwx to ----......and at this stage do not delete it.

also search for alias in etc..in case alias is used to replace fam with gam-server


also search for gamin and I think we talked about before?


good luck

Last edited by aus9; 06-27-2007 at 11:19 PM.
 
Old 06-27-2007, 11:22 PM   #19
aus9
LQ Addict
 
Registered: Oct 2003
Location: Australia
Distribution: MX 17
Posts: 5,298

oh forgot...sshd stop is only good if you never reboot and I prefer the above way
 
Old 06-28-2007, 09:01 AM   #20
The_Watcher
Member
 
Registered: Mar 2007
Location: London
Posts: 40

Original Poster
Quote:
Originally Posted by aus9
The Watcher

1) In your first post....you allowed sshd to listen and allow root login so brute-force password techniques could (I repeat could not have) been used on you.

2) please confirm sshd is not running....ways include...rerun rkhunter to check that protocol 2 is only allowed and permit root is not if you decided to keep /etc/ssh/ssh* configs....there are 2 files

If you do not need ssh at all....use root powers to delete all ssh configs from /home/yourname..../root....and /etc/ssh.....If you think you may need it ....change the permissions to ---- in lieu of rw- or however your distro defines these config files.


3) A reread of rkh for detected rootkits is zero....but you can run chkrootkit and read unspawn's security sticky in the security forum if you suspect you have been intruded. IMHO you have not.

4) getting back to gam_server....do a search of /etc for any init script that may be starting it on reboot...start.....and disable the script so it goes from rwx to ----......and at this stage do not delete it.

also search for alias in etc..in case alias is used to replace fam with gam-server


also search for gamin and I think we talked about before?


good luck
Thanks aus9. Here is my sequence of events:
  1. I found "gam_server" running on my machine taking up an entire CPU processor
  2. I turned off access to sshd by "/sbin/service sshd stop"
  3. I also changed entries in /etc/ssh/sshd_config and set protocol to 2 and permit root is not allowed, as advised previously.
  4. However gam_server did not stop running, so I rebooted my machine and it disappeared
  5. However, a few days later it appeared again.
  6. In frustration, I did "kill -TERM *****" and the gam_server disappeared to no apparent ill effect.
  7. I did "/sbin/chkconfig --level 2345 sshd off" so that sshd is not initiated at restart
  8. I restarted my machine and all seems good so far.
    • I have checked with "chkconfig --list | grep ssh" and I get:
    sshd 0ff 1ff 2ff 3ff 4ff 5ff 6ff
  9. And also with "/sbin/service --status-all | grep ssh" and I get: "sshd is stopped".
  10. I will occasionally need ssh so I do not want it removed. If what I have done now is ok and secure, I guess if I want to use it then I simply do "/sbin/service sshd start", and then turn it off again after use?
  11. I am still puzzled as to what gamin actually does, and if I have not been hacked or copped then how did this gam_server anomaly arise?
  12. If the gam_server process arises again, what would that mean?
  13. I do not understand properly your points 3) and 4) ?

Thanks, and regards.
 
Old 06-28-2007, 05:32 PM   #21
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
Blog Entries: 55

Please check your RPM database for a package that includes the /usr/lib*/gamin* thing (rpm -q --whatprovides /usr/libexec/gam*). If it isn't there it's likely not part of an installed RPM package.
In that case there are three things to do:
- do research yourself. Google for the gamin stuff and read their website info,
- identify which files in root-owned directories are not part of RPM packages to weed out "known-good" files,
- provide output from lsof (-w -n $PID) if the process runs.
Until you do, any other questions or speculations about this Gamin stuff will be just a waste of time.

Last edited by unSpawn; 06-28-2007 at 05:34 PM.
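The triage unSpawn describes (does the binary behind a PID belong to an installed RPM package, and what does the process have open) and The_Watcher's chkconfig check on sshd, as an added shell example that is not from any poster; it assumes an RPM-based system with /proc, rpm and lsof available, and the PID is hypothetical:

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an RPM-based box with /proc,
# rpm and lsof; the PID used at the bottom is a hypothetical placeholder.

# Print the runlevels in which SERVICE is "on", reading `chkconfig --list`
# output on stdin. Example line: "sshd  0:off 1:off 2:on 3:on 4:on 5:on 6:off"
enabled_runlevels() {
    awk -v svc="$1" '$1 == svc {
        out = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[2] == "on") out = out (out == "" ? "" : " ") kv[1]
        }
        print out
    }'
}

# Classify one line of `rpm -qf PATH` output: rpm prints
# "file PATH is not owned by any package" for orphans, else the package name.
classify_rpm_qf() {
    case "$1" in
        *"is not owned by any package"*) echo "unowned" ;;
        *) echo "owned $1" ;;
    esac
}

# Triage a live process: resolve its binary, ask rpm who owns it, and list
# what it has open with the lsof flags suggested in the thread (-w -n).
# Reading /proc/PID/exe of a root-owned process needs root.
triage_pid() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || {
        echo "no such process or no permission: $pid" >&2
        return 1
    }
    echo "binary: $exe"
    if command -v rpm >/dev/null 2>&1; then
        classify_rpm_qf "$(rpm -qf "$exe" 2>&1)"
    else
        echo "rpm not available; cannot check package ownership" >&2
    fi
    if command -v lsof >/dev/null 2>&1; then
        lsof -w -n -p "$pid"
    fi
}

# Usage, hypothetical PID of the gam_server process:
#   triage_pid 12345
# Usage, which runlevels still start sshd:
#   chkconfig --list | enabled_runlevels sshd
```

An "unowned" result for the binary is exactly the case unSpawn says deserves further research; an empty runlevel list for sshd confirms the chkconfig --level 2345 sshd off step took effect.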