ubuntu-users@lists.ubuntu.com

Re: intrusion detected

Subject: Re: intrusion detected
From: Matt Patterson
Date: Sun, 21 Aug 2005 11:25:45 -0400
Thanks for the reminder. I installed it to do some apache admin, but in the end decided to just do it all by hand since I had some old config files lying around. I simply forgot to uninstall it. Gone now!

Matt



MrKnisely wrote:

Matt Patterson wrote:

I did indeed mean "the". I type a lot and tend to get lazy when chatting and writing email.

As for checking your process list, you can use things like "System Monitor" or just start a terminal and do "ps -A". The best way to figure out what is supposed to be running on a Hoary system is to take inventory before the machine is ever connected to the network.


Here is my process list (pretty sure my machine is clean):

mpatterson@mattrp:~ $ ps -A
 PID TTY          TIME CMD
   1 ?        00:00:00 init
   2 ?        00:00:00 migration/0
   3 ?        00:00:00 ksoftirqd/0
   4 ?        00:00:00 migration/1
   5 ?        00:00:00 ksoftirqd/1
   6 ?        00:00:00 events/0
   7 ?        00:00:00 events/1
   8 ?        00:00:00 khelper
  21 ?        00:00:00 kacpid
  84 ?        00:00:01 kblockd/0
  85 ?        00:00:01 kblockd/1
 119 ?        00:00:03 pdflush
 120 ?        00:00:02 pdflush
 122 ?        00:00:00 aio/0
 123 ?        00:00:00 aio/1
 121 ?        00:00:27 kswapd0
 710 ?        00:00:00 kseriod
1122 ?        00:00:21 kjournald
1147 ?        00:00:00 udevd
4023 ?        00:00:00 kjournald
4024 ?        00:00:00 kjournald
4852 ?        00:00:00 khubd
6768 ?        00:00:00 portmap
7139 ?        00:00:00 dd
7141 ?        00:00:00 klogd
7155 ?        00:00:01 apcupsd
7162 ?        00:00:00 gdm
7171 ?        00:00:00 gdm
7398 ?        05:46:49 Xorg
7913 ?        00:00:00 dbus-daemon-1
7925 ?        00:03:42 hald
7942 ?        00:00:00 inetd
8140 ?        00:00:00 nfsd
8141 ?        00:00:00 nfsd
8142 ?        00:00:00 nfsd
8143 ?        00:00:00 nfsd
8144 ?        00:00:00 nfsd
8145 ?        00:00:00 nfsd
8146 ?        00:00:00 nfsd
8147 ?        00:00:00 nfsd
8149 ?        00:00:00 lockd
8150 ?        00:00:00 rpciod
8153 ?        00:00:00 rpc.mountd
8215 ?        00:00:00 master
8226 ?        00:00:00 qmgr
8370 ?        00:00:00 nmbd
8372 ?        00:00:00 smbd
8382 ?        00:00:00 smbd
8388 ?        00:00:00 sshd
8403 ?        00:00:00 rpc.statd
8421 ?        00:00:01 ntpd
8448 ?        00:00:00 atd
8459 ?        00:00:00 cron
8532 ?        00:00:00 vmnet-bridge
8542 ?        00:00:00 apache
8558 tty1     00:00:00 getty
8559 tty2     00:00:00 getty
8560 tty3     00:00:00 getty
8561 tty4     00:00:00 getty
8562 tty5     00:00:00 getty
8563 tty6     00:00:00 getty
8664 ?        00:00:00 miniserv.pl
8668 ?        00:00:09 gnome-session
8715 ?        00:00:00 gpg-agent
8718 ?        00:00:00 ssh-agent
8721 ?        00:00:00 dbus-launch
8722 ?        00:00:00 dbus-daemon-1
8724 ?        00:00:02 gconfd-2
8727 ?        00:00:00 gnome-keyring-d
8729 ?        00:02:52 esd
8731 ?        00:00:00 bonobo-activati
8733 ?        00:00:43 gnome-settings-
8736 ?        00:00:10 gam_server
8748 ?        00:02:16 xscreensaver
8773 ?        00:00:17 gnome-smproxy
8775 ?        00:01:32 metacity
8777 ?        00:00:07 gnome-volume-ma
8779 ?        00:00:44 nautilus
8781 ?        00:00:32 gnome-panel
8785 ?        00:02:37 gnome-cups-icon
8789 ?        00:02:24 xmms
8796 ?        00:00:00 gnome-vfs-daemo
8797 ?        00:01:29 ksensors
8806 ?        00:01:44 wnck-applet
8807 ?        00:00:00 kdeinit
8811 ?        00:00:00 dcopserver
8814 ?        00:00:00 mapping-daemon
8815 ?        00:00:00 klauncher
8826 ?        00:00:19 kded
8834 ?        00:00:04 korgac
8841 ?        00:00:10 trashapplet
8848 ?        00:00:15 mixer_applet2
8850 ?        00:00:06 notification-ar
8852 ?        00:00:16 clock-applet
8854 ?        00:00:10 mini_commander_
9141 ?        00:11:17 xemacs
9204 ?        00:01:02 gnome-terminal
9205 ?        00:00:00 gnome-pty-helpe
9206 pts/0    00:00:00 bash
9213 ?        00:00:00 ssh-agent
9358 ?        00:00:00 gksudo
9361 ?        00:00:00 sudo
9362 ?        00:16:58 vmware
9368 ?        07:04:48 vmware-vmx
9369 ?        00:00:00 vmware-vmx
9405 ?        00:18:00 smbd
9512 ?        03:34:04 firefox-bin
10805 pts/1    00:00:00 bash
13615 ?        00:02:12 xemacs
13731 ?        00:00:57 python
24945 ?        00:08:58 gaim
30366 ?        00:00:00 mozilla-thunder
30397 ?        00:00:00 run-mozilla.sh
30402 ?        00:08:12 mozilla-thunder
14303 ?        00:04:25 java_vm
15856 ?        00:00:00 acpid
15906 ?        00:00:00 apache
15907 ?        00:00:00 apache
19961 ?        00:05:08 smbd
3058 ?        00:00:17 cupsd
3496 ?        00:00:00 syslogd
6191 ?        00:00:00 apache
11097 ?        00:00:14 soffice.bin
11652 ?        00:00:00 evolution-data-
11655 ?        00:00:00 evolution-excha
11906 ?        00:00:00 pickup
11916 pts/2    00:00:00 bash
11919 pts/2    00:00:00 ps

Obviously I do a little more than the average Joe with my machine. But things to look at are nfsd, apache, smbd, nmbd, sshd, ftpd. If you haven't installed those but they are running, something might be wrong.



You can also do an nmap scan on your machine:

mpatterson@mattrp:~ $ nmap localhost

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-08 17:53 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1652 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
700/tcp   open  unknown
953/tcp   open  rndc
2049/tcp  open  nfs
10000/tcp open  snet-sensor-mgmt

Nmap run completed -- 1 IP address (1 host up) scanned in 0.228 seconds

I can account for every port that is open on my machine, so I feel reasonably safe.

Matt




Peter Garrett wrote:

On Mon, 08 Aug 2005 20:13:16 +0200
"J.Markoll" <j.markoll@xxxxxxx> wrote:

Matt Patterson wrote:
The best tools for checking zombifying is just looking at hte running processes.


Please, what does 'hte' mean here? I looked in 5 or 6 dictionaries online and don't find any logical answer in the context here. It does not mean 'High-temperature electrolysis' for sure?



I think it was meant to be "the" ;-)



Running Webmin I see... what do you manage with webmin?

Mike K.



--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
http://lists.ubuntu.com/mailman/listinfo/ubuntu-users
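Taking the inventory Matt describes above and diffing a later run against it, as an added example that is not from the thread; it assumes the `ps -A` and `nmap localhost` output formats shown in the posts and runs on constructed sample data, so it can be tried without touching a live host:

```shell
#!/bin/sh
# Added example, not from the thread: reduce `ps -A` and `nmap localhost`
# output to stable sorted inventories and diff a later run against a
# baseline taken before the host was first connected to the network.
export LC_ALL=C   # sort and comm must agree on collation

# normalize_ps: read `ps -A` output on stdin, keep only the CMD column.
# PIDs and CPU time differ run to run, so only command names are compared.
normalize_ps() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# normalize_nmap: read nmap output on stdin, keep "port/proto service"
# for open ports only, e.g. "22/tcp ssh".
normalize_nmap() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }' | sort -u
}

# inventory_diff BASELINE CURRENT: entries present now but not in the
# baseline. Both files must be normalised (sorted, unique) as above.
inventory_diff() {
    comm -13 "$1" "$2"
}

# Constructed sample data: the later run has one extra process (webmin's
# miniserv.pl) and one extra open port (10000/tcp) relative to the baseline.
baseline_ps='  PID TTY          TIME CMD
    1 ?        00:00:00 init
 8388 ?        00:00:00 sshd
 8459 ?        00:00:00 cron'
current_ps="$baseline_ps
 8664 ?        00:00:00 miniserv.pl"
baseline_nmap='PORT      STATE SERVICE
22/tcp    open  ssh
631/tcp   open  ipp'
current_nmap="$baseline_nmap
10000/tcp open  snet-sensor-mgmt"

# run_demo: print everything that appeared since the baseline, one per line.
# On a real host, replace the printf pipelines with `ps -A` and `nmap localhost`.
run_demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$baseline_ps" | normalize_ps > "$tmp/ps.base"
    printf '%s\n' "$current_ps" | normalize_ps > "$tmp/ps.now"
    printf '%s\n' "$baseline_nmap" | normalize_nmap > "$tmp/nmap.base"
    printf '%s\n' "$current_nmap" | normalize_nmap > "$tmp/nmap.now"
    inventory_diff "$tmp/ps.base" "$tmp/ps.now"
    inventory_diff "$tmp/nmap.base" "$tmp/nmap.now"
    rm -rf "$tmp"
}
```

Anything the diff prints is a process or listening service that was not in the pre-network inventory and needs to be accounted for, exactly the check Matt applies by hand to his lists.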
