Finding a process that binds a specific port

2014-01-22 Thread Nico Angenon
Hello,

I think I've been hacked on one of my boxes...

I'm trying to find which process binds a specific port:

# netstat -anpe | grep udp
gives me
udp        0      0 0.0.0.0:10001    0.0.0.0:*    0    5950269    -


but
# lsof | grep 10001
doesn't show me anything.

I've tried to cat /proc/*/cmdline... no 10001 found.
No 10001 in 'ps aux'.
No 10001 in 'rpcinfo -p'.

Any idea?

Thanks 
Nico
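
Added example, not part of the original thread: netstat -p maps a socket to a process by taking the inode from the Inode column (5950269 in the output above) and looking for a /proc/<pid>/fd entry that links to socket:[5950269]; it prints "-" when no readable process has such a descriptor. The script below does that resolution by hand, so the lookup can be checked independently of netstat, lsof and fuser (the first binaries a rootkit replaces). It assumes Linux /proc and is meant to run as root; SAMPLE_UDP_TABLE is a constructed /proc/net/udp excerpt built from the port and inode in the post, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: resolve a UDP port to its socket
# inode (the number in netstat -e's Inode column) and then to the PID(s)
# holding that socket, which is what netstat -p, lsof -i and fuser do.
# Assumes Linux /proc. SAMPLE_UDP_TABLE is a constructed /proc/net/udp
# excerpt for the demo; port 10001 / inode 5950269 are taken from the post.

SAMPLE_UDP_TABLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5950269 2 0000000000000000 0
 1300: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4242 2 0000000000000000 0'

# Print the inode of every UDP socket whose local port is $1 (decimal).
# $2 is the table to read, default /proc/net/udp (use /proc/net/udp6 for v6).
# The port is the 4 hex digits after the colon in local_address; the inode
# is the 10th whitespace-separated field.
udp_inode_for_port() {
    hexport=$(printf '%04X' "$1")
    awk -v p=":$hexport" 'NR > 1 && substr($2, length($2) - 4) == p { print $10 }' \
        "${2:-/proc/net/udp}"
}

# Print "PID command line" for every process holding a descriptor on socket
# inode $1. Only root can read other users' /proc/<pid>/fd, so run as root;
# an empty result as root means no visible process owns the socket.
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    done | sort -u
}

# Tie the two together for one port.
find_udp_owner() {
    for inode in $(udp_inode_for_port "$1"); do
        owners=$(pids_for_inode "$inode")
        if [ -n "$owners" ]; then
            printf 'udp/%s socket inode %s is held by:\n%s\n' "$1" "$inode" "$owners"
        else
            # Besides a rootkit there are two honest explanations: the socket
            # is kernel-owned (no process has an fd, e.g. sunrpc/NFS kernel
            # services) or the owner is hidden from /proc. Cross-check with
            # ss -ulpe and with tcpdump on the interface.
            printf 'udp/%s socket inode %s: no visible process holds it\n' "$1" "$inode"
        fi
    done
}

# Demo on the constructed table; no port 10001 needs to be open on this host.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_UDP_TABLE" > "$tmp"
    udp_inode_for_port 10001 "$tmp"   # prints 5950269
    rm -f "$tmp"
}

# Usage on the suspect host, as root:  find_udp_owner 10001
[ $# -gt 0 ] && find_udp_owner "$1"
```

If the inode resolves to a PID, that PID is the owner and /proc/<pid>/exe tells you what binary it is. If it resolves to nothing while running as root, either no process holds the socket at all (kernel-owned sockets have no file descriptor) or the owning process is hidden from /proc, which is the point at which a rootkit check, or pulling the disk as suggested later in the thread, becomes the next step.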

Re: finding a process that binds a specific port

2014-01-22 Thread Andika Triwidada
lsof -i -n | grep 10001


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CANHSFsuy3A_bMZwquT=nnn07cff9h1xxxvqrn2ibzosar2o...@mail.gmail.com



Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon

The same... no output.

Nico




Re: finding a process that binds a specific port

2014-01-22 Thread Marco De Benedetto
sudo lsof -i :10001





Re: finding a process that binds a specific port

2014-01-22 Thread Andy
netstat -tulpn | grep :10001
grep 10001 /etc/services

or:
fuser 10001/udp
This will output the PID.
Then find the process name associated with that PID:

ls -l /proc/PID/exe

---Permission to forward and reprint is given.---
*Don't confuse my personality with my attitude. My personality is who I am.
My attitude depends on who you are.*






Re: finding a process that binds a specific port

2014-01-22 Thread Andika Triwidada
On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon n...@creaweb.fr wrote:
 the same...no output

Could be hidden by a rootkit :(





Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon

The same...

No output using lsof -i :10001.

Nico




Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon
Nope... never used this service...
Still looking for an explanation; trying chkrootkit and rkhunter right now.

Nico

From: wootanaz 
Sent: Wednesday, January 22, 2014 1:45 PM
To: Nico Angenon 
Cc: debian security 
Subject: Re: finding a process that bind a spcific port

Maybe you are using (or have used) the Tonido cloud service?

http://www.tonido.com/forum/viewtopic.php?f=55t=3368start=10


hth








Re: finding a process that binds a specific port

2014-01-22 Thread Frank
Try as root.

Best
Frank


Re: finding a process that binds a specific port

2014-01-22 Thread Milan P. Stanic
On Wed, 2014-01-22 at 13:37, Nico Angenon wrote:
 the same...no output

Maybe you'll get lucky with:
ss -ulp

But if you really are hacked it would be better to shut down the machine,
move the disk to a clean machine and try some forensic tools.




Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon
I do try as root...

Nico



Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon

Same: no output...

Nico

-----Original Message-----
From: johan A. van Zanten
Try fuser:

fuser -n udp 10001

-johan





Re: finding a process that binds a specific port

2014-01-22 Thread Kevin Olbrich
Do you have IntelliJ installed in this box?

http://stackoverflow.com/questions/13345986/intellij-idea-using-10001-port

Kind regards / best regards,
Kevin Olbrich.

(mobile, from iPhone)

--
This e-mail contains confidential and/or legally protected information.
If you are not the intended recipient and/or have received this e-mail in
error, please inform the sender immediately and destroy this e-mail.
Unauthorised copying and forwarding of this e-mail are not permitted.



Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon
If it is installed, I didn't do it...
I've never heard of it...

Nico




Re: finding a process that binds a specific port

2014-01-22 Thread Matias Mucciolo

You can try something like:

# list the PIDs /proc knows about, then the PIDs ps reports (ps reads /proc too)
cd /proc/ && ls -d1 [0-9]* | sort -n > /tmp/a && ps ax -o pid | grep [0-9] | tr -d ' ' | sort -n > /tmp/b
# then compare the two lists, e.g. diff -y /tmp/a /tmp/b (the output below is in that form)

and check which PID exists in the /proc dir but not in ps.
Example on my box:

..
4615                     4615
4624                     4624
4647                     4647
4702                   | 4704
4703                   | 4705
                       > 4706
                       > 4707

In my case there is a difference, but it is because of the grep/etc. PIDs.



-- 

Matias  





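Added example, not part of the original thread: the /proc-versus-ps comparison from the post above, made robust, plus a third view of the PID space that does not rely on listing /proc at all. A rootkit that hides a process usually filters the directory listing of /proc (getdents); opening /proc/<pid>/status by number still works, and ps is only a reader of the same /proc, so a PID that answers a direct probe but is missing from the listing or from ps is the interesting one. The function names are the example's own, the lists in the checks are constructed, it assumes Linux /proc, and the probe is bounded by a PID range because a shell loop up to kernel.pid_max is slow.

```shell
#!/bin/sh
# Added example, not code from the thread: compare three views of the PID
# space. A PID that a direct probe of /proc/<pid>/status finds but that the
# /proc listing or ps does not show is a candidate for a hidden process.
# Assumes Linux /proc; run as root so every process is readable.

# View 1: PIDs as the /proc directory listing reports them.
pids_from_proc() { ls -d /proc/[0-9]* 2>/dev/null | sed 's#^/proc/##' | sort -n; }

# View 2: PIDs as ps reports them (ps itself reads /proc).
pids_from_ps() { ps -e -o pid= | tr -d ' ' | sort -n; }

# View 3: PIDs found by probing /proc/<pid>/status for every number in
# [$1, $2] without ever listing the directory. Slow in shell, so bound the
# range; kernel.pid_max is the real upper limit.
pids_by_probe() {
    pid=$1
    while [ "$pid" -le "$2" ]; do
        [ -r "/proc/$pid/status" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

# Pure comparison: print every PID in list $1 that is absent from list $2.
# Lists may be space- or newline-separated, so saved snapshots work too.
pids_missing_from() {
    have=$(printf ' %s ' $2)
    for p in $1; do
        case "$have" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Snapshot the three views and report PIDs that answer a probe but are
# missing from the listing or from ps. Short-lived helpers (ls, sed, ps, the
# subshells of this script) give false positives, as the post above notes,
# so every candidate is re-checked before it is reported.
report_hidden_pids() {
    lo=${1:-1}; hi=${2:-32768}
    probe=$(pids_by_probe "$lo" "$hi")
    listed=$(pids_from_proc)
    shown=$(pids_from_ps)
    { pids_missing_from "$probe" "$listed"; pids_missing_from "$probe" "$shown"; } |
    sort -nu |
    while read -r p; do
        [ "$p" = "$$" ] && continue
        [ -r "/proc/$p/status" ] || continue   # gone: it was transient
        cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$p/cmdline")
        pids_from_proc | grep -qx "$p" ||
            printf 'pid %s readable but absent from /proc listing: %s\n' "$p" "$cmd"
        pids_from_ps | grep -qx "$p" ||
            printf 'pid %s readable but absent from ps: %s\n' "$p" "$cmd"
    done
}

# Usage, as root on the suspect host:  report_hidden_pids 1 32768
[ $# -gt 0 ] && report_hidden_pids "$@"
```

On a clean machine the output should be empty; a PID that survives the re-check is either hidden by a kernel-level rootkit (absent from the listing) or by a trojaned ps (present in the listing, absent from ps). Tools such as unhide automate this brute-force comparison and chkrootkit's chkproc does a variant of it, which is why running them from a known-good binary, as suggested later in the thread, matters.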


Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon

Files /tmp/a and /tmp/b give me the same number list...

I'll format the box, it'll go faster...

Nico




Re: finding a process that binds a specific port

2014-01-22 Thread johan A . van Zanten

Nico Angenon n...@creaweb.fr wrote:
 nope... never used this service...
 Still looking for an explanation, try chrootkit and rkhunter right
 now

Try fuser:

fuser -n udp 10001

 -johan





Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon

No output.

Thanks for all...

Nico




Re: finding a process that binds a specific port

2014-01-22 Thread Erwan David
On Wed, Jan 22, 2014 at 02:33:27PM CET, Nico Angenon n...@creaweb.fr said:
 no output
 
 Thanks for all...
 
 Nico

You may also try lsof -i udp:10001

Launch it as root, because a normal user cannot see the descriptors of 
processes owned by others.





Re: finding a process that binds a specific port

2014-01-22 Thread Lesley Binks
Sorry for top posting. I'm on my phone.

You can always check for data on the interface using tcpdump.
Worth using it to verify what's happening.

Lesley




Re: finding a process that binds a specific port

2014-01-22 Thread Milan P. Stanic
On Wed, 2014-01-22 at 14:26, Nico Angenon wrote:
 File /tmp/a and tmp/b gives me the same numberlist...
 
 I'll fromat the box, it'll go faster...

True!

But if there is a vulnerability (security hole) in your system it's just
a question of time before you have this situation again.


-- 
Kind regards,  Milan
--
Arvanta,http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in
proprietary format (word, excel, pps and so on)





Re: finding a process that binds a specific port

2014-01-22 Thread Nico Angenon
Hello,

I've put a firewall rule in front of the box, so there is no connection
left on this port... but there was a lot of traffic on this port before the
rule...

Nico




Re: finding a process that binds a specific port

2014-01-22 Thread Matias Mucciolo

Can you paste a ps auxf output?
Maybe someone will see some strange process.

-- 

Matias




Re: NSA software in Debian

2014-01-22 Thread Marko Randjelovic
On Sun, 19 Jan 2014 21:17:03 -0800
Andrew Merenbach and...@merenbach.com wrote:

 I just decided to try this out the other day on my Wheezy 7.3 install.  
 It wasn't that painful and I haven't noticed any performance impact or 
 misbehaving (read: broken) programs, at least not yet.  Then again, I 
 haven't done real benchmarks.

Yes, most features don't have a significant performance impact.

 It appears that this patch is available in the apt repos under the 
 kernel section (sensibly enough) as:
 
  linux-patch-grsecurity2
 
 Once it's downloaded, it patches the kernel in an automated fashion and 
 doesn't force a reboot (although I believe you still need one to make it 
 effective, I suppose).

AFAIK, it's for kernel 3.2.21; I don't see how it could work with the
Wheezy kernel, 3.2.51.

 That said, since it's a kernel patch, /caveat emptor/... your mileage 
 may vary.  And maybe some prefer to customize the options for the patch 
 being applied. ;)

-- 
Education is a process of making people see what is advanced and not
obvious, but also not seeing what is basic and obvious.

http://markorandjelovic.hopto.org





Re: finding a process that binds a specific port

2014-01-22 Thread emmanuel segura
If you think you have been hacked, you can use ps, lsof and other commands
from another, non-hacked server, for example scp goodserver:/bin/ps /tmp/ps
and use /tmp/ps. This isn't secure either, because maybe the attacker
installed a rootkit.



-- 
this is my life and I live it as long as God wills


Re: NSA software in Debian

2014-01-22 Thread Milan P. Stanic
On Wed, 2014-01-22 at 15:01, Marko Randjelovic wrote:
 AFAIK, it's for kernel 3.2.21, I don't see how could it work with
 Wheezy kernel - 3.2.51.

I found it a lot easier to go with vanilla kernel and grsec/pax patch
instead of using Debian kernels.


-- 
Kind regards,  Milan





Re: NSA software in Debian

2014-01-22 Thread Marko Randjelovic
On Mon, 20 Jan 2014 09:22:04 -0800
Octavio Alvarez alvar...@alvarezp.ods.org wrote:

 On 01/20/2014 05:29 AM, Marco Saller wrote:
  I have read that the NSA proposed to include SELinux in linux 2.5. (Linux 
  Kernel Summit 2001)
  Don't you think that may be one of their fancy tricks to gain access to 
  computers running linux? Some news websites also mention vulnerabilities 
  similar to this one.
  It would be a great idea to include malicious software to kernel modules.
 
 It is easy to come up with that idea, and it's easy to fear it. It's
 easy to write about it and to popularize it and cause mass delusion.
 It's difficult to prove, though.
 
 If you consider that the SELinux code is available, and with so many
 auditing humans and tools, it's not as easy as it sounds. It can happen,
 but it's not as easy as "they can, therefore they are".
 
 As others have said, the NSA doesn't need specific backdoors. There are
 many vulnerabilities in all software already available which are already
 being exploited.
 
 The more general problem is that not all programmers like or know
 formality and that not all developers like strict code and algorithm
 correctness. *That* is something to worry about.
 
 I wouldn't worry about SELinux specifically.

As I already pointed out, there is something:
http://lists.debian.org/20140120005556.612de...@eunet.rs

-- 
Education is a process of making people see what is advanced and not
obvious, but also not seeing what is basic and obvious.

http://markorandjelovic.hopto.org


Archive: http://lists.debian.org/20140122151053.60f20...@eunet.rs



Re: NSA software in Debian

2014-01-22 Thread Marko Randjelovic
On Wed, 22 Jan 2014 15:08:39 +0100
Milan P. Stanic m...@arvanta.net wrote:

 I found it a lot easier to go with vanilla kernel and grsec/pax patch
 instead of using Debian kernels.

Of course, but then secret services won't see you are using Debian :)

-- 
Education is a process of making people see what is advanced and not
obvious, but also not seeing what is basic and obvious.

http://markorandjelovic.hopto.org


Archive: http://lists.debian.org/20140122151300.72162...@eunet.rs



Re: finding a process that bind a spcific port

2014-01-22 Thread Nico Angenon

Here is the ps aufx result... (a bit long)

Nico



Re: NSA software in Debian

2014-01-22 Thread Kevin Olbrich



 On 22.01.2014 at 15:13, Marko Randjelovic marko...@eunet.rs wrote:
 
 On Wed, 22 Jan 2014 15:08:39 +0100
 Milan P. Stanic m...@arvanta.net wrote:
 
 I found it a lot easier to go with vanilla kernel and grsec/pax patch
 instead of using Debian kernels.
 
 Of course, but then secret services won't see you are using Debian :)

Yes, but he could mail them the root password ;)

 
 -- 
 Education is a process of making people see what is advanced and not
 obvious, but also not seeing what is basic and obvious.
 
 http://markorandjelovic.hopto.org
 
 
 


Archive: http://lists.debian.org/6630a598-d280-46fc-aefe-e5a4d00eb...@dolphin-it.de



Re: NSA software in Debian

2014-01-22 Thread Andrew Merenbach

On Jan 22, 2014, at 6:01 AM, Marko Randjelovic marko...@eunet.rs wrote:

 It appears that this patch is available in the apt repos under the 
 kernel section (sensibly enough) as:
 
 linux-patch-grsecurity2
 
 Once it's downloaded, it patches the kernel in an automated fashion and 
 doesn't force a reboot (although I believe you still need one to make it 
 effective, I suppose).
 
 AFAIK, it's for kernel 3.2.21, I don't see how it could work with
 Wheezy kernel - 3.2.51.


Hi Marko,

Thank you for the heads-up.  `uname -a` indicates that I am indeed using 
3.2.51.  I should probably have done my research more carefully before blindly 
installing a kernel patch.  :-X

Cheers,
Andrew

Re: NSA software in Debian

2014-01-22 Thread Kevin Olbrich
Wouldn't this mean there is an error message? The patch could work with a newer 
kernel in general (?).

I did not try it but are there so many changes between both releases?

Kind regards / best regards,
Kevin Olbrich.

(mobile, from my iPhone)

--
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient and/or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorised copying or forwarding of this e-mail is not permitted.

 On 22.01.2014 at 18:53, Andrew Merenbach and...@merenbach.com wrote:
 
 
 On Jan 22, 2014, at 6:01 AM, Marko Randjelovic marko...@eunet.rs wrote:
 
 It appears that this patch is available in the apt repos under the 
 kernel section (sensibly enough) as:
 
 linux-patch-grsecurity2
 
 Once it's downloaded, it patches the kernel in an automated fashion and 
 doesn't force a reboot (although I believe you still need one to make it 
 effective, I suppose).
 
 AFAIK, it's for kernel 3.2.21, I don't see how it could work with
 Wheezy kernel - 3.2.51.
 
 
 Hi Marko,
 
 Thank you for the heads-up.  `uname -a` indicates that I am indeed using 
 3.2.51.  I should probably have done my research more carefully before 
 blindly installing a kernel patch.  :-X
 
 Cheers,
 Andrew


Re: finding a process that bind a spcific port

2014-01-22 Thread Matthew Babcock
Perhaps in your haste, you missed something.

If I run netstat -anpe as a user I get this specific message and the PID
column is populated with only a - for all entries, just like you
showed.

I.E.

netstat -anpe |grep udp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
udp0  0 0.0.0.0:631 0.0.0.0:*
0  5285429 -   

see the message? 

However, running sudo netstat -anpe |grep udp actually displays the
PID/Binary
udp0  0 0.0.0.0:631 0.0.0.0:*
0  5285429 3334/cupsd  


The Process ID is what you are supposed to use to match a socket to the
binary that opened it.


**Try sudo netstat -anpeev


You can also try to find the inode. Though, it is a large number and you
may not find it on disk.

**Also, try find / -inum 5950269 -print


You might also try starting a packet capture and removing the firewall.
After a bit kill the packet capture and see what Wireshark tells you.

**sudo tcpdump -i eth0? -nASs0 -c 500 -w `hostname`-`date +%F-%H%M`.pcap port 10001
This will automatically stop after 500 packets to/from port 10001.




On Wed, 2014-01-22 at 13:20 +0100, Nico Angenon wrote:
 Hello,
  
 i think i’ve been hacked on one of my boxes... 
  
 I try to find with process bind a specific port :
  
 # netstat -anpe |grep udp
 gives me
 udp0  0 0.0.0.0:10001   0.0.0.0:*
 0  5950269 -
  
  
 but 
 # lsof |grep 10001
 doesn’t show me anything
  
 i’ve  tried  to cat /proc/*/cmdline... no 10001 found
 no 10001 in ‘ps aux’
 no 10001 in ‘rpcinfo –p’
  
 any idea ?
  
 Thanks 
 Nico

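A defender's version of Matthew's inode hint, as an added example (not code from any poster on this thread): it parses /proc/net/udp to recover the socket inode that netstat printed (5950269 for port 10001) and then looks for that inode among the /proc/<pid>/fd symlinks, which is what netstat -p does internally. The /proc/net/udp sample and the fd map are constructed; a port whose inode appears in no visible process's fd table is either a kernel-space socket (sunrpc/NFS) or one held by something hidden from /proc, and that distinction is the question this thread is trying to settle.

```python
import glob
import os
import socket
import struct
import sys

# Constructed /proc/net/udp sample (not from the poster's box): 0x2711 = 10001
# with inode 5950269, 0x0277 = 631, 127.0.0.1:53. Hex fields, IPv4 in host order.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  51: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5285429 2 ffff88003b5c0000 0
 104: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5950269 2 ffff88003b5c0a00 0
 131: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5950300 2 ffff88003b5c1400 0
"""
# Constructed stand-in for /proc/<pid>/fd symlink targets: cupsd (3334) holds
# the port-631 socket, nothing visible holds the port-10001 socket.
SAMPLE_FD_LINKS = {3334: ["/dev/null", "socket:[5285429]"],
                   4242: ["/dev/null", "pipe:[98765]"]}

def parse_proc_net_udp(text):
    """One dict per socket row: local_ip, local_port, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # skip header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<L", int(addr_hex, 16)))
        rows.append({"local_ip": ip, "local_port": int(port_hex, 16),
                     "uid": int(fields[7]), "inode": int(fields[9])})
    return rows

def inodes_for_port(rows, port):
    """Socket inode(s) bound to `port`: the number netstat prints even when
    its PID/Program column is only '-'."""
    return [r["inode"] for r in rows if r["local_port"] == port]

def collect_fd_links(proc_root="/proc"):
    """{pid: [symlink targets]} for every /proc/<pid>/fd we may read; without
    root other users' fd dirs raise EACCES, which is why unprivileged netstat -p
    cannot name the owner."""
    links = {}
    for fd_dir in glob.glob(os.path.join(proc_root, "[0-9]*", "fd")):
        pid = int(os.path.basename(os.path.dirname(fd_dir)))
        try:
            names = os.listdir(fd_dir)
        except OSError:
            continue  # EACCES, or the process has exited
        targets = []
        for fd in names:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                pass  # fd closed between listdir and readlink
        links[pid] = targets
    return links

def pids_holding_inode(fd_links, inode):
    target = "socket:[%d]" % inode
    return sorted(p for p, targets in fd_links.items() if target in targets)

def triage(port, proc_net_udp_text, fd_links):
    """'owned': visible PID(s) hold the socket; 'no-fd-owner': bound but held by
    no visible process (kernel socket such as sunrpc/NFS, or a process hidden
    from /proc); 'not-bound': nothing listens on the port."""
    inodes = inodes_for_port(parse_proc_net_udp(proc_net_udp_text), port)
    if not inodes:
        return {"status": "not-bound", "inodes": [], "pids": []}
    pids = sorted({p for i in inodes for p in pids_holding_inode(fd_links, i)})
    return {"status": "owned" if pids else "no-fd-owner",
            "inodes": inodes, "pids": pids}

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 10001
    with open("/proc/net/udp") as f:  # live data; run as root to see all fds
        print(triage(port, f.read(), collect_fd_links()))
```

Run as root with the port as argument; a "no-fd-owner" result for a port that is not one of the host's own kernel services (compare against rpcinfo and the loaded modules) is the point at which offline verification with debsums or a clean boot medium becomes the next step.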


Re: NSA software in Debian

2014-01-22 Thread Andrew Merenbach

On Jan 22, 2014, at 9:59 AM, Kevin Olbrich kolbr...@dolphin-it.de wrote:

 Wouldn't this mean there is an error message? The patch could work with a 
 newer kernel in general (?).
 
 I did not try it but are there so many changes between both releases?

Hi Kevin,

I just tried this on Debian with kernel 3.2.51 in a VM and while it succeeds 
(as it did in my primary install), the patch version may indeed be mismatched, 
which I definitely missed before.  Bold formatting added by me:

 Preconfiguring packages ...
 Selecting previously unselected package libgettextpo0:amd64.
 (Reading database ... 114419 files and directories currently installed.)
 Unpacking libgettextpo0:amd64 (from .../libgettextpo0_0.18.1.1-9_amd64.deb) 
 ...
 Selecting previously unselected package autopoint.
 Unpacking autopoint (from .../autopoint_0.18.1.1-9_all.deb) ...
 Selecting previously unselected package dctrl-tools.
 Unpacking dctrl-tools (from .../dctrl-tools_2.22.2_amd64.deb) ...
 Selecting previously unselected package gettext.
 Unpacking gettext (from .../gettext_0.18.1.1-9_amd64.deb) ...
 Selecting previously unselected package gradm2.
 Unpacking gradm2 (from .../gradm2_2.9.1~201206091838-1_amd64.deb) ...
 Selecting previously unselected package intltool-debian.
 Unpacking intltool-debian (from 
 .../intltool-debian_0.35.0+20060710.1_all.deb) ...
 Selecting previously unselected package po-debconf.
 Unpacking po-debconf (from .../po-debconf_1.0.16+nmu2_all.deb) ...
 Selecting previously unselected package kernel-package.
 Unpacking kernel-package (from .../kernel-package_12.036+nmu3_all.deb) ...
 Selecting previously unselected package libsys-hostname-long-perl.
 Unpacking libsys-hostname-long-perl (from 
 .../libsys-hostname-long-perl_1.4-2_all.deb) ...
 Selecting previously unselected package libmail-sendmail-perl.
 Unpacking libmail-sendmail-perl (from 
 .../libmail-sendmail-perl_0.79.16-1_all.deb) ...
 Selecting previously unselected package linux-source-3.2.
 Unpacking linux-source-3.2 (from .../linux-source-3.2_3.2.51-1_all.deb) ...
 Selecting previously unselected package linux-patch-grsecurity2.
 Unpacking linux-patch-grsecurity2 (from 
 .../linux-patch-grsecurity2_2.9.1+3.2.21-201206221855-1_all.deb) ...
 Processing triggers for man-db ...
 Processing triggers for install-info ...
 Setting up libgettextpo0:amd64 (0.18.1.1-9) ...
 Setting up autopoint (0.18.1.1-9) ...
 Setting up dctrl-tools (2.22.2) ...
 Setting up gettext (0.18.1.1-9) ...
 Setting up gradm2 (2.9.1~201206091838-1) ...
 Setting up intltool-debian (0.35.0+20060710.1) ...
 Setting up po-debconf (1.0.16+nmu2) ...
 Setting up kernel-package (12.036+nmu3) ...
 Setting up libsys-hostname-long-perl (1.4-2) ...
 Setting up libmail-sendmail-perl (0.79.16-1) ...
 Setting up linux-source-3.2 (3.2.51-1) ...
 Setting up linux-patch-grsecurity2 (2.9.1+3.2.21-201206221855-1) ...

Best,
Andrew

Re: NSA software in Debian

2014-01-22 Thread Andreas Kuckartz
Marko Randjelovic:
 Octavio Alvarez alvar...@alvarezp.ods.org wrote:
 I wouldn't worry about SELinux specifically.
 
 As I already pointed out, there is something:
 http://lists.debian.org/20140120005556.612de...@eunet.rs

And Russel Coker carefully explained in his reply to your mail why that
approach does not help to improve security.

Cheers,
Andreas


Archive: http://lists.debian.org/52e01e9c.3080...@ping.de



Re: finding a process that bind a spcific port

2014-01-22 Thread Noah Meyerhans
On Jan 22, 2014 9:11 AM, Nico Angenon n...@creaweb.fr wrote:

 Here is the ps aufx result... (a bit long)

(Please excuse any wonky formatting or glaring oversights, I'm on a mobile 
device.)

You appear to be running an nfs server on this host. Try stopping the 
nfs-kernel-server service and see if anything changes.

SNIP

 root 11015  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
 [rpciod/0] 
 root 11017  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
 [rpciod/1] 
 root 11018  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
 [rpciod/2] 
 root 11019  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
 [rpciod/3]

...

 root 11024  0.0  0.0  0 0 ?    S 2013   0:00  \_ 
 [nfsiod]

...

 root 29114  0.0  0.0  18736   812 ?    Ss   13:16   0:00 
 /sbin/rpcbind -w 


Re: NSA software in Debian

2014-01-22 Thread Florian Weimer
* Marco Saller:

 i am not sure if this question has been asked or answered yet,
 please do not mind if i would ask it again.

 Is it possible that the NSA or other services included investigative
 software in some Debian packages?

We don't reject contributions just because they come from a government
or a government employee, if that's what you mean.


Archive: http://lists.debian.org/87y5277kmw@mid.deneb.enyo.de



Re: finding a process that bind a spcific port

2014-01-22 Thread NOKUBI Takatsugu
At Wed, 22 Jan 2014 19:47:27 +0700,
Andika Triwidada wrote:
 
 On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon n...@creaweb.fr wrote:
  the same...no output
 
 could be hidden by rootkit :(

I think so too.

Could you try to use debsum and rkhunter? It would find cracked
commands.


Archive: http://lists.debian.org/87ob3338mc.wl%k...@daionet.gr.jp



Re: finding a process that bind a spcific port

2014-01-22 Thread Kevin Olbrich
Yes but this is only the case when rkhunter was active before.
AFAIK rkhunter itself has no signatures, it generates the initial checksums on 
first start.

Kind regards / best regards,
Kevin Olbrich.
Web: http://kevin-olbrich.de/

On 23.01.2014 at 00:22, NOKUBI Takatsugu k...@daionet.gr.jp wrote:

 At Wed, 22 Jan 2014 19:47:27 +0700,
 Andika Triwidada wrote:
 
 On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon n...@creaweb.fr wrote:
 the same...no output
 
 could be hidden by rootkit :(
 
 I think so too.
 
 Could you try to use debsum and rkhunter? It would find cracked
 commands.
 
 
 



Re: NSA software in Debian

2014-01-22 Thread Andrew Merenbach
On Jan 22, 2014, at 10:51 AM, Kevin Olbrich kolbr...@dolphin-it.de wrote:

 
 Okay but this mismatch does not automatically mean it is not working.
 Can you check if the features are present? Maybe the patch is still 
 compatible with a newer kernel?
 

Hi Kevin,

I installed the i386 architecture and installed the `paxtest' suite.  My 
results were fairly disappointing, to be honest:

 $ sudo paxtest blackhat
 PaXtest - Copyright(c) 2003,2004 by Peter Busser pe...@adamantix.org
 Released under the GNU Public Licence version 2 or later
 
 Writing output to /root/paxtest.log
 It may take a while for the tests to complete
 Test results:
 PaXtest - Copyright(c) 2003,2004 by Peter Busser pe...@adamantix.org
 Released under the GNU Public Licence version 2 or later
 
 Mode: Blackhat
 Linux pinguino 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
 
 Executable anonymous mapping : Killed
 Executable bss   : Killed
 Executable data  : Killed
 Executable heap  : Killed
 Executable stack : Killed
 Executable shared library bss: Killed
 Executable shared library data   : Killed
 Executable anonymous mapping (mprotect)  : Vulnerable
 Executable bss (mprotect): Vulnerable
 Executable data (mprotect)   : Vulnerable
 Executable heap (mprotect)   : Vulnerable
 Executable stack (mprotect)  : Vulnerable
 Executable shared library bss (mprotect) : Vulnerable
 Executable shared library data (mprotect): Vulnerable
 Writable text segments   : Vulnerable
 Anonymous mapping randomisation test : 9 bits (guessed)
 Heap randomisation test (ET_EXEC): 13 bits (guessed)
 Heap randomisation test (PIE): 16 bits (guessed)
 Main executable randomisation (ET_EXEC)  : No randomisation
 Main executable randomisation (PIE)  : 8 bits (guessed)
 Shared library randomisation test: 10 bits (guessed)
 Stack randomisation test (SEGMEXEC)  : 19 bits (guessed)
 Stack randomisation test (PAGEEXEC)  : 19 bits (guessed)
 Return to function (strcpy)  : Vulnerable
 Return to function (memcpy)  : Vulnerable
 Return to function (strcpy, PIE) : Vulnerable
 Return to function (memcpy, PIE) : Vulnerable

and in kiddie mode, pretty much the same:

 $ paxtest kiddie
 PaXtest - Copyright(c) 2003,2004 by Peter Busser pe...@adamantix.org
 Released under the GNU Public Licence version 2 or later
 
 Writing output to /home/andrew/paxtest.log
 It may take a while for the tests to complete
 Test results:
 PaXtest - Copyright(c) 2003,2004 by Peter Busser pe...@adamantix.org
 Released under the GNU Public Licence version 2 or later
 
 Mode: Kiddie
 Linux pinguino 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
 
 Executable anonymous mapping : Killed
 Executable bss   : Killed
 Executable data  : Killed
 Executable heap  : Killed
 Executable stack : Killed
 Executable shared library bss: Killed
 Executable shared library data   : Killed
 Executable anonymous mapping (mprotect)  : Vulnerable
 Executable bss (mprotect): Vulnerable
 Executable data (mprotect)   : Vulnerable
 Executable heap (mprotect)   : Vulnerable
 Executable stack (mprotect)  : Vulnerable
 Executable shared library bss (mprotect) : Vulnerable
 Executable shared library data (mprotect): Vulnerable
 Writable text segments   : Vulnerable
 Anonymous mapping randomisation test : 9 bits (guessed)
 Heap randomisation test (ET_EXEC): 13 bits (guessed)
 Heap randomisation test (PIE): 16 bits (guessed)
 Main executable randomisation (ET_EXEC)  : No randomisation
 Main executable randomisation (PIE)  : 8 bits (guessed)
 Shared library randomisation test: 10 bits (guessed)
 Stack randomisation test (SEGMEXEC)  : 19 bits (guessed)
 Stack randomisation test (PAGEEXEC)  : 19 bits (guessed)
 Return to function (strcpy)  : Vulnerable
 Return to function (memcpy)  : Vulnerable
 Return to function (strcpy, PIE) : Vulnerable
 Return to function (memcpy, PIE) : Vulnerable
 

Looking online for paxtest, I found the following debian-security discussion 
mirroring this, from 2011:

https://lists.debian.org/debian-security/2011/09/msg00012.html

A followup there links to the following bug, linux-2.6: [RFC] Add a grsec 
featureset to Debian kernels:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090

Perhaps patching a vanilla kernel would yield better results for me.

Cheers,
Andrew




Re: finding a process that bind a spcific port

2014-01-22 Thread Lesley Binks
I believe it's better for rkhunter to be initialised on a fresh install,
but I think it also checks for the existence of files known to be part of a
rootkit. Admittedly of minor value.

The thing *not* to do with an infected system is initialise the rkhunter db.

Lesley
Yes but this is only the case when rkhunter was active before.
AFAIK rkhunter itself has no signatures, it generates the initial
checksums on first start.

Kind regards / best regards,
Kevin Olbrich.
Web: http://kevin-olbrich.de/

On 23.01.2014 at 00:22, NOKUBI Takatsugu k...@daionet.gr.jp wrote:

At Wed, 22 Jan 2014 19:47:27 +0700,
Andika Triwidada wrote:


On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon n...@creaweb.fr wrote:

the same...no output


could be hidden by rootkit :(


I think so too.

Could you try to use debsum and rkhunter? It would find cracked
commands.

