LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-11-2011, 09:10 AM   #16
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0

Hello noway2,
I already know that this IP is Google!! That was the first thing I figured out!
And I agree that I don't believe that Google forces access to my computers for any reason!
But we should stop believing and start knowing.

And I know that hackers compromising other networks for sure do not use their own IP and MAC address!
Beep, bad answer!

Fact is that a computer with this IP is able to go through my Netgear router, which is actually configured to REJECT all incoming connections!
Evidence of firewall accepted?
Or does my firewall react paranoid just because somebody tries to connect in STEALTH mode at port 80, even though there is no
web server on this computer?

Fact is that I am asking more experienced people, actually at Linuxquestions.org, if they can tell me why sometimes a username appears at login
that actually has to be empty?
Fact is as well that I had Bluetooth processes with high priority that couldn't be killed, even though I don't have a Bluetooth device!
I will not repeat the other facts described before.

Fact is as well that you don't have any idea what causes those issues.

If you don't trust me or do not understand what's going on, why do you contribute such totally useless attempts at help?
I want facts and solutions from professionals; sorry, but your contribution was NO help at all.

The only helpful ideas came from unSpawn.
Thanks, a little bit disappointed,
robeich
 
Old 06-12-2011, 06:29 AM   #17
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Dear Linuxquestions,
I really want to get rid of totally unqualified answers to the incidents described earlier in this thread.
If I have a look at some answers, it seems that people should stick with Facebook and
not pretend to have technical qualifications they obviously do NOT have.
There are definitely some people answering my questions who overestimate their own qualifications!
And to cover up their lack of understanding of very-simple-to-understand, very serious security
issues, like attacks over port 80 going through at least one firewall, they comment with sentences like this:

"Given the level of paranoia you are expressing on a public forum, I can only guess how you come across in person. It would not surprise me in the least to learn that someone is deliberately "yanking your chain" for lulz."

The only person who, from my point of view, knows what he is doing is unSpawn!

I started this thread, so I am the person to close this thread!
This thread is hereby closed.

One last thing I have to say, after getting more information from very qualified persons:
I doubt that after the changes done in kernel 2.6, udev replacing fstab and ..., it will be possible to keep a system really secure.

robeich

Last edited by robeich; 06-12-2011 at 06:30 AM.
 
Old 06-12-2011, 06:41 AM   #18
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4865
Quote:
Originally Posted by robeich
I want facts and solutions from professionals; sorry, but your contribution was NO help at all.
LQ is a community of volunteers that try to help other people. While there are professionals here, not all of us are, but most people here are knowledgeable at least in a few parts of the Linux system. We give away our free time to help people, and do our best with it.

If that is not good enough for you, you should buy professional support. Only then do you have the right to blame the people that are trying to help you for not getting a solution for you.
 
Old 06-12-2011, 07:32 AM   #19
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Hi Tobi,
Thanks for that hint, but I already bought professional support!
But I really would recommend that some members stop HELP like this:

"Given the level of paranoia you are expressing on a public forum, I can only guess how you come across in person. It would not surprise me in the least to learn that someone is deliberately "yanking your chain" for lulz."

As well, I'm really missing one question about my firewall entries:
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode
connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---

An experienced person had asked something like this:
Please show me the entries before that entry; did you google earlier that day?
No, I did not!
Regards,
robeich

Last edited by robeich; 06-12-2011 at 07:33 AM.
 
Old 06-12-2011, 01:16 PM   #20
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,414
Blog Entries: 55

Rep: Reputation: 3590
Quote:
Originally Posted by robeich
I really would recommend to some members stopping HELP
There is a small group of Incident Response handlers that patrol the Linuxquestions.org Security forum. They are dedicated, knowledgeable and from my experience completely trustworthy. Noway2 is one of them and I'd say you should not misjudge him solely based on two OT sentences.


Quote:
Originally Posted by robeich
Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
Break that apart and you get:
Code:
TCP                   # protocol used for data transfer between end points
connection attempt    # the SYN bit was set
Stealth Mode          # ...but no transmission control block was (yet) allotted (also see RFC 2140) by the kernel
from 209.85.143.99:80 # unless spoofed port TCP/80 indicates a web server
to 192.168.1.40:49279 # local LAN address has ephemeral port number and seems consistent with HTTP return traffic
Given the server's address (AS15169 belongs to a popular search engine company) this could be due to network issues rather than malicious activity. You should not see ipfw log this often.
 
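As an added example (not code from the thread or from any of its posters), a small Python parser that applies unSpawn's breakdown to firewall entries of the format quoted above: it folds the "last message repeated N times" lines into a count and labels each entry by port shape. The sample lines are constructed, and the heuristic (remote port well-known plus local port ephemeral reads as return traffic; the inverse reads as an inbound probe) is an assumption for triage, not a rule the firewall itself applies.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the entries quoted in the thread (not real captures).
SAMPLE_LOG = """\
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---
May 20 11:02:17 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:22 from 203.0.113.7:51234
"""

LINE_RE = re.compile(
    r"Firewall\[\d+\]: Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<laddr>[\d.]+):(?P<lport>\d+) from (?P<raddr>[\d.]+):(?P<rport>\d+)$")
REPEAT_RE = re.compile(r"--- last message repeated (?P<n>\d+) times ---")
EPHEMERAL_START = 49152  # IANA dynamic range; assumed default client-port range on macOS

@dataclass
class Attempt:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    count: int = 1

    def verdict(self) -> str:
        # Remote side on a service port, local side ephemeral: the shape of a late or
        # stray reply to an outbound connection, as unSpawn's breakdown describes.
        if self.rport < 1024 and self.lport >= EPHEMERAL_START:
            return "return-traffic shape: likely stray reply or network issue"
        # The inverse shape: something outside is aiming at a service port on this host.
        if self.lport < 1024 and self.rport >= EPHEMERAL_START:
            return "inbound probe of local service port: worth a closer look"
        return "unclassified"

def parse_firewall_log(text: str) -> list[Attempt]:
    """Parse stealth-mode entries; a 'last message repeated N times' line adds N
    occurrences to the entry immediately before it."""
    attempts: list[Attempt] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append(Attempt(m["proto"], m["laddr"], int(m["lport"]),
                                    m["raddr"], int(m["rport"])))
            continue
        r = REPEAT_RE.search(line)
        if r and attempts:
            attempts[-1].count += int(r["n"])
    return attempts
```

Calling `parse_firewall_log(SAMPLE_LOG)` yields two entries: the Google-side line with a count of 4 and the return-traffic verdict, and the port-22 line flagged as an inbound probe.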
Old 06-13-2011, 05:47 AM   #21
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780
@robeich, please accept my apologies for my ill-chosen words. I honestly meant no offense. I was responding to the multiple statements and your question in your post as to whether or not you were appearing overly concerned about these events. I once had a machine that had a mysterious user name appear on the login screen. It turned out that it was a co-worker attempting to login with his name and this reminded me of your situation. My concern was that if you mentioned these events to someone with physical access to the machine that they may be behind this and they may find it fun, especially if they knew you were concerned about it.

It is also apparent that you are studious about examining your log files. This is a good thing and is one of the most effective things you can do to keep your system safe. In my opinion, this puts you ahead of many users when it comes to maintaining the security of your systems. You have identified some pieces of traffic that appeared out of the ordinary. These entries can be caused by routine scanning traffic (think of it being like air traffic control radar) and malfunctions in the networks, as unSpawn pointed out.
 
1 member found this post helpful.
Old 06-13-2011, 04:39 PM   #22
Joe of Loath
Member
 
Registered: Dec 2009
Location: Bristol, UK
Distribution: Ubuntu, Debian, Arch.
Posts: 152

Rep: Reputation: 28
You know how to tell if it's physical or remote access?

Hide the keyboard. No one else can log in physically if there are no keys to press.
 