Re: [newbie] Strange Activity

2004-05-24 Thread Stephen Kuhn
On Mon, 2004-05-24 at 17:48, Frank wrote:

 Checking `bindshell'... not infected
 Checking `lkm'... You have 2 process hidden for readdir command
 You have 2 process hidden for ps command
 Warning: Possible LKM Trojan installed
 Checking `rexedcs'... not found

Er, have you RTFM the README files from chkrootkit?

stephen kuhn - owner
==
illawarra computer services
a kuhn media australia company
http://kma.0catch.com
--
  * This message was composed on a 100% Microsoft free computer *
  We expressly refuse to utilise Microsoft DRM encoded documents
--
Brain fried -- Core dumped



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
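The "process hidden for readdir/ps" lines above come from chkrootkit's chkproc test, and the check a practitioner wants before reading them as an LKM rootkit is to reproduce the comparison and rule out the two benign explanations. The script below is an added example for this thread, not chkrootkit's own code, and it assumes a Linux host with /proc and a `ps` binary. chkproc probes every PID up to a limit by testing whether /proc/<pid> can be opened and compares that set with what reading the /proc directory lists and what `ps` reports; a PID that can be opened but is missing from either is reported as hidden. Two ordinary things trip it: a process that starts or exits between the probe and the listing, and threads, which the kernel exposes under /proc/<tid> without returning them from the directory listing. The helpers treat a missing PID whose Tgid differs from its Pid as a thread and keep only PIDs that stay unexplained across repeated snapshots.

```python
"""Reproducing and triaging chkrootkit's 'process hidden' warning.

Added example, not chkrootkit's code. Assumes Linux (/proc) and a ps binary
for the live mode; the pure functions work on constructed PID sets.
"""
import os
import subprocess


def read_tgid(pid):
    """Thread group id from /proc/<pid>/status, or None if it vanished."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_from_listing(probed, listed, tgid_of=read_tgid):
    """Split PIDs that can be opened but are absent from the /proc listing.

    Returns (threads, unexplained): a PID whose Tgid is a different PID is a
    thread of that process, not a hidden process; anything else stays
    unexplained and deserves a second look.
    """
    threads, unexplained = set(), set()
    for pid in set(probed) - set(listed):
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid:
            threads.add(pid)
        else:
            unexplained.add(pid)
    return threads, unexplained


def persistently_unexplained(unexplained_sets):
    """PIDs that are unexplained in every snapshot.

    A PID that appears in a single snapshot is almost always a process that
    came or went between the probe and the listing, not something hidden.
    """
    sets = [set(s) for s in unexplained_sets]
    if not sets:
        return set()
    result = set(sets[0])
    for s in sets[1:]:
        result &= s
    return result


def snapshot_live(max_pid=65536):
    """One (probed, listed, ps) triple from the running system.

    Probing by open() mirrors chkproc. 65536 is a limit chosen here to keep
    the sweep quick; use the value in /proc/sys/kernel/pid_max for a full one.
    """
    probed = {pid for pid in range(1, max_pid + 1) if os.path.exists(f"/proc/{pid}")}
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(t) for t in out.split()}
    return probed, listed, ps_pids


if __name__ == "__main__":
    runs = []
    for _ in range(5):
        probed, listed, ps_pids = snapshot_live()
        threads, unexplained = hidden_from_listing(probed, listed)
        # exists in /proc but not in ps output, and not explained as a thread
        unexplained |= (probed - ps_pids) - threads
        runs.append(unexplained)
        print(f"threads: {len(threads)}  unexplained this run: {sorted(unexplained)}")
    print("persistently unexplained:", sorted(persistently_unexplained(runs)))
```

Run it a few times as root; a PID that stays in the "persistently unexplained" set across all runs, and whose /proc entry is not a thread, is what actually merits the LKM suspicion the chkrootkit warning raises.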



Re: [newbie] Strange Activity

2004-05-23 Thread Lyvim Xaphir
On Sat, 2004-05-22 at 15:18, Josenildo Marques wrote:
 On Sat, 2004-05-22 at 13:18, JoeHill wrote:
  ...betcha gotta be root to access eth0, most net traffic monitors I've used were
  like that.
 
 Absolutely right !
 Thanks !

Nice twist in the right direction, Joe.  :)

LX






Re: [newbie] Strange Activity

2004-05-23 Thread JoeHill
On Sun, 23 May 2004 03:30:06 -0400
Lyvim Xaphir disseminated the following:

   ...betcha gotta be root to access eth0, most net traffic monitors I've
   used were
   like that.
  
  Absolutely right !
  Thanks !
 
 Nice twist in the right direction, Joe.  :)

Hey, even brainwashed socialist idiots get it right once in awhile...

-- 
JoeHill RLU #282046 /  www.orderinchaos.org
+++
President Bush is asking Congress for $80 billion dollars to rebuild Iraq. And
when you make out that check, remember there are two L's in Halliburton. --
David Letterman





Re: [newbie] Strange Activity

2004-05-23 Thread Lyvim Xaphir
On Sun, 2004-05-23 at 10:22, JoeHill wrote:
 On Sun, 23 May 2004 03:30:06 -0400
 Lyvim Xaphir disseminated the following:
 
...betcha gotta be root to access eth0, most net traffic monitors I've
used were
like that.
   
   Absolutely right !
   Thanks !
  
  Nice twist in the right direction, Joe.  :)
 
 Hey, even brainwashed socialist idiots get it right once in awhile...

Don't be so hard on yourself, Joe. ;)

It's the dawn of a new era, hopefully.  A more cerebral one.

LX






Re: [newbie] Strange Activity

2004-05-23 Thread Richard Urwin
On Saturday 22 May 2004 8:18 pm, Josenildo Marques wrote:
 On Sat, 2004-05-22 at 13:18, JoeHill wrote:
  ...betcha gotta be root to access eth0, most net traffic monitors
  I've used were like that.

 Absolutely right !
 Thanks !

If you're running 2.6 kernel there might be a better way by setting the 
capability bits on the executable. I don't know if the tools are in 
place yet to set it up though.

-- 
Richard Urwin
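Richard's suggestion is the least-privilege alternative to running the monitor as root: opening a packet socket on eth0 needs CAP_NET_RAW, and switching the interface to promiscuous mode needs CAP_NET_ADMIN, and root has both only because root holds every capability. The script below is an added example, not from the thread, showing how to read a process's effective capability mask from /proc/<pid>/status and tell what a sniffer would still be missing; the bit numbers are the kernel's values from linux/capability.h, and the sample status text is constructed. On a current libcap the grant Richard describes is `setcap cap_net_raw,cap_net_admin=eip /path/to/netwatch` (the path is a placeholder), after which the binary runs with just those two bits rather than full root.

```python
"""Decoding Linux capability masks to see what a process can do on eth0.

Added example, not from the thread. Bit numbers follow linux/capability.h.
"""
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# What a packet monitor on eth0 needs and why.
SNIFFER_NEEDS = {
    "CAP_NET_RAW": "open a packet socket on eth0",
    "CAP_NET_ADMIN": "set promiscuous mode / change interface flags",
}

# Constructed sample of the relevant lines of /proc/<pid>/status for an
# unprivileged user running a binary granted cap_net_raw,cap_net_admin=eip.
SAMPLE_STATUS = (
    "Name:\tnetwatch\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000003000\n"
    "CapEff:\t0000000000003000\n"
)


def caps_from_mask(mask):
    """Capability names set in an integer or hex-string mask."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    names, bit = set(), 0
    while mask:
        if mask & 1:
            names.add(CAP_NAMES.get(bit, f"CAP_{bit}"))  # unknown bits keep their number
        mask >>= 1
        bit += 1
    return names


def caps_from_status(status_text, field="CapEff"):
    """Decode one Cap* line (CapInh, CapPrm, CapEff, CapBnd, CapAmb) of a status file."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return caps_from_mask(line.split(":", 1)[1].strip())
    raise ValueError(f"{field} not found in status text")


def missing_for_sniffing(caps):
    """The sniffing capabilities this set lacks, each with the reason it is needed."""
    return {c: why for c, why in SNIFFER_NEEDS.items() if c not in caps}


def live_caps(pid="self"):
    """Effective capabilities of a running process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return caps_from_status(f.read())


if __name__ == "__main__":
    caps = live_caps()
    print("effective capabilities:", sorted(caps) or "none")
    missing = missing_for_sniffing(caps)
    if missing:
        for c, why in missing.items():
            print(f"missing {c}: needed to {why}")
    else:
        print("this process could run a packet monitor on eth0 without being root")
```

Running the script as an ordinary user prints both capabilities as missing; running it as root prints none, which is exactly the over-grant that file capabilities avoid.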





Re: [newbie] Strange Activity

2004-05-22 Thread Greg


Even tho i run linux I still want to keep my guard up. You are right, i do want to
know what's coming in or trying to come in to my box. Is netwatch hard to set up and
where do i get it?
thanks greg

Lyvim Xaphir [EMAIL PROTECTED] wrote:

On Fri, 2004-05-21 at 01:37, Len Lawrence wrote:
 On Fri, 21 May 2004 00:27:33 -0400
 [EMAIL PROTECTED] (Greg) wrote:
 
  Lyvim Xaphir [EMAIL PROTECTED] wrote:
  
  On Thu, 2004-05-20 at 23:23, Greg wrote:
  - snip -
  Is there any way to monitor network traffic?
  Greg
  
 
 You could try /usr/sbin/net_monitor.

However I don't think that's what Greg had in mind, since I *think* he
wants something to monitor incoming possible attacks.  net_monitor
merely monitors throughput and doesn't offer specifics on who is
connecting to your firewall.

Netwatch does, tho.

LX





-- 
Linux Mandrake Rules


__
Introducing the New Netscape Internet Service. 
Only $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need. 

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp





Re: [newbie] Strange Activity

2004-05-22 Thread Greg
 Me too. Thanks for the info. You just have to love linux and this group.
Greg


Kaj Haulrich [EMAIL PROTECTED] wrote:

On Friday 21 May 2004 04:51, Lyvim Xaphir wrote:

snip
  The thing to remember is that if you are on a
 workstation, you shouldn't need to run xinetd for the reasons
 listed. And if you *do* need to dynamically activate services,
 don't use xinetd to do that, use Dan Bernstein's Tcpserver
 program, available on Vincent Danen's site, rpmhelp.net.  No
 vulns that I'm aware of have ever been detected either in vanilla
 qmail or tcpserver.

 LX
/snip

Lyvim, as everything coming from your keyboard : excellent !

Right now, I've stopped xinetd for good.

Regards

Kaj Haulrich.
-- 
* Sent from a 100 % Microsoft-free computer *
* running Linux kernel 2.6.4 on Mandrake 10.0 *




-- 
Linux Mandrake Rules







Re: [newbie] Strange Activity

2004-05-22 Thread Lyvim Xaphir
On Sat, 2004-05-22 at 02:29, Greg wrote:
  Me too. Thanks for the info. You just have to love linux and this group.
 Greg

Well, that's exactly why I post.  Messages like this.  Pretty much all
the payment I need.  :))

How about you, Kaj?  You need any money? :)

 
 
 Kaj Haulrich [EMAIL PROTECTED] wrote:
 
 On Friday 21 May 2004 04:51, Lyvim Xaphir wrote:
 
 snip
   The thing to remember is that if you are on a
  workstation, you shouldn't need to run xinetd for the reasons
  listed. And if you *do* need to dynamically activate services,
  don't use xinetd to do that, use Dan Bernstein's Tcpserver
  program, available on Vincent Danen's site, rpmhelp.net.  No
  vulns that I'm aware of have ever been detected either in vanilla
  qmail or tcpserver.
 
  LX
 /snip
 
 Lyvim, as everything coming from your keyboard : excellent !
 
 Right now, I've stopped xinetd for good.
 
 Regards
 
 Kaj Haulrich.
 -- 
 * Sent from a 100 % Microsoft-free computer *
 * running Linux kernel 2.6.4 on Mandrake 10.0 *
 
 
 






Re: [newbie] Strange Activity

2004-05-22 Thread Lyvim Xaphir
On Sat, 2004-05-22 at 02:25, Greg wrote: 
 Even tho i run linux I still want to keep my guard up You are right i
 do want to know whats coming in or trying to come in to my box is
 netwatch hard to set up and where do i get it 
 thanks greg

http://rpm.pbone.net/index.php3/stat/4/idpl/1170735/com/netwatch-1.0b-0.pre3.1mdk.i586.rpm.html


Grab that, log in as root, and do rpm -ivh netwatch-1.0b-0.pre3.1mdk.i586.rpm


Took me awhile to find that. It was tough, I couldn't remember how I got
it last time.  It's the same version as the one on my system here, so
although the site above does not disclose the version of Mandrake that
this rpm is targeted to, I assume it will work.  You will have to have
ncurses installed in order to use this rpm; I think it's on the distro
cd's.

LX






Re: [newbie] Strange Activity

2004-05-22 Thread Kaj Haulrich
On Saturday 22 May 2004 16:30, JoeHill wrote:
 On Sat, 22 May 2004 12:20:59 +0200

 Kaj Haulrich disseminated the following:
   How about you, Kaj?  You need any money? :)
 
  Sure, but if someone feels an obligation to pay a little dough,
  I suggest a donation to the Free Software Foundation :
 
  http://member.fsf.org/
 
  Makes one sleep better, laugh louder and cry less.

 I bought a Silver Club membership, does that count?

Absolutely, Joe.

Kaj Haulrich.
-- 
* Sent from a 100 % Microsoft-free computer *
* running Linux kernel 2.6.4 on Mandrake 10.0 *





Re: [newbie] Strange Activity

2004-05-22 Thread et
On Saturday 22 May 2004 10:54 am, Kaj Haulrich wrote:
 On Saturday 22 May 2004 16:30, JoeHill wrote:
  On Sat, 22 May 2004 12:20:59 +0200
 
  Kaj Haulrich disseminated the following:
How about you, Kaj?  You need any money? :)
  
   Sure, but if someone feels an obligation to pay a little dough,
   I suggest a donation to the Free Software Foundation :
  
   http://member.fsf.org/
  
   Makes one sleep better, laugh louder and cry less.
 
  I bought a Silver Club membership, does that count?

 Absolutely, Joe.

 Kaj Haulrich.

Joe, when did you buy that membership? During the first part of May? Can you 
check the account the funds were drawn on? Mandrake had a fsck from NATEXIS 
BANQUE POPULAIRES (who handles the visa payment to North America) where the 
account was over debited 100x (oops,,, what decimal point?), so that silver 
membership might have wiped out your reserve.

Good for you tho, a silver membership does help Mandrakesoft as much as almost 
anything you can do, and it is worth it in discounts too, if you consider the 
early ISOs, and stuff like the AMD64 ISOs.

well this is what was posted to the club, about the problem I mentioned.
1. Natexis, our payment platform provider, is responsible for the software 
bug that essentially multiplied the amount due by 100 for some orders.
2. The bug is fixed now and the platform is once again safe and operational 
since Monday May 17.
3. To our knowledge, this bug affected about 250 customers who paid by Visa 
card essentially in North America during the month of May 2004.
4. At no point, was the wrongfully debited amount credited to Mandrakesoft, we 
always received only the correct amount (which partly explains why it took us 
some time to notice the problem).
5. Natexis gave us yesterday (Tuesday, May 18) a set of files from which we 
have identified the affected customers. The information provided by Natexis 
in those files is not of great quality (they were not able to provide us the 
transaction number). So it is possible that some customers we believe 
affected are not (which would be good) and that some customers we do not know 
have been affected (which would be bad).
6. Natexis tells us that they have contacted Visa and your bank on Monday the 
17th. They will credit the amount wrongfully debited from the customer 
account, then will debit again the correct amount. This process should 
happen "within one or two days".
7. We have sent an e-mail to all the customers we believe have been affected. 
So if you had billing problems and did not receive an e-mail from us, please 
write to us at [EMAIL PROTECTED], with information about your 
order.
8. We apologize for the inconvenience suffered by our customers and will keep 
working on this until all problems are solved.


-- 
linux counter #167806





Re: [newbie] Strange Activity

2004-05-22 Thread Josenildo Marques
On Sat, 2004-05-22 at 03:29, Greg wrote:
  Me too. Thanks for the info. You just have to love linux and this group.
 Greg

And I just have to second that !!!

-- 
josenildo marques 
icq #289971493 
homepage http://cyb.ezdir.net
registered linux user #341648
*
Television is the greatest marvel of science in the service of human
imbecility. Barão de Itararé






Re: [newbie] Strange Activity

2004-05-22 Thread Josenildo Marques
On Sat, 2004-05-22 at 05:57, Lyvim Xaphir wrote:
 On Sat, 2004-05-22 at 02:25, Greg wrote: 
  Even tho i run linux I still want to keep my guard up You are right i
  do want to know whats coming in or trying to come in to my box is
  netwatch hard to set up and where do i get it 
  thanks greg
 
 http://rpm.pbone.net/index.php3/stat/4/idpl/1170735/com/netwatch-1.0b-0.pre3.1mdk.i586.rpm.html
 
 
 Grab that, log in as root, and do rpm -ivh netwatch-1.0b-0.pre3.1mdk.i586.rpm
 
 
 Took me awhile to find that. It was tough, I couldn't remember how I got
 it last time.  It's the same version as the one on my system here, so
 although the site above does not disclose the version of Mandrake that
 this rpm is targeted to, I assume it will work.  You will have to have
 ncurses installed in order to use this rpm; I think it's on the distro
 cd's.
 
 LX

Thanks a lot, Lyvim.
I installed it on my 9.2 box without any problem or dependency. However,
it can't find eth0.

[EMAIL PROTECTED] cyb]$ netwatch
NO eth0 Interface to work on!!

And portmap was disabled. Thanks again.

-- 
josenildo marques 
icq #289971493 
homepage http://cyb.ezdir.net
registered linux user #341648
*
To be great, be whole: exaggerate or exclude nothing of yourself. Be entire
in each thing. Put all you are into the least you do. So in each lake the
whole moon shines, because it lives on high. Fernando Pessoa






Re: [newbie] Strange Activity

2004-05-22 Thread JoeHill
On Sat, 22 May 2004 11:35:14 -0400
et disseminated the following:

   I bought a Silver Club membership, does that count?
 
  Absolutely, Joe.
 
  Kaj Haulrich.
 
 Joe, when did you buy that membership? During the first part of May? Can you 
 check the account the funds were drawn on? Mandrake had a fsck from NATEXIS 
 BANQUE POPULAIRES (who handles the visa payment to North America) where the 
 account was over debited 100x (oops,,, what decimal point?), so that silver 
 membership might have wiped out your reserve.

I didn't buy it til 2 days ago, and according to their bulletin on this the
problem was fixed on the 17th.

I figger I been using a great OS for a few years now, it's about time. If
anything, I still owe them a few bones.

-- 
JoeHill RLU #282046 /  www.orderinchaos.org
Kernel 2.4.22-21.tmb.1mdk Mandrake Linux release 9.2 (FiveStar) for i586
+++
12:05:31 up 3 days, 45 min, 11 users, load average: 1.48, 1.47, 1.30
+++
Athens built the Acropolis. Corinth was a commercial city, interested in purely
materialistic things. Today we admire Athens, visit it, preserve the old
temples, yet we hardly ever set foot in Corinth. -- Dr. Harold Urey, Nobel
Laureate in chemistry





Re: [newbie] Strange Activity

2004-05-22 Thread JoeHill
On Sat, 22 May 2004 12:46:10 -0300
Josenildo Marques disseminated the following:

  Took me awhile to find that. It was tough, I couldn't remember how I got
  it last time.  It's the same version as the one on my system here, so
  although the site above does not disclose the version of Mandrake that
  this rpm is targeted to, I assume it will work.  You will have to have
  ncurses installed in order to use this rpm; I think it's on the distro
  cd's.
  
  LX
 
 Thanks a lot, Lyvim.
 I installed it on my 9.2 box without any problem or dependency. However,
 it can't find eth0.
 
 [EMAIL PROTECTED] cyb]$ netwatch
 NO eth0 Interface to work on!!
 
 And portmap was disabled. Thanks again.

...betcha gotta be root to access eth0, most net traffic monitors I've used were
like that.

-- 
JoeHill RLU #282046 /  www.orderinchaos.org
Kernel 2.4.22-21.tmb.1mdk Mandrake Linux release 9.2 (FiveStar) for i586
+++
12:17:33 up 3 days, 57 min, 11 users, load average: 1.31, 1.24, 1.24
+++
Wealth is the relentless enemy of understanding. -- John Kenneth Galbraith





Re: [newbie] Strange Activity

2004-05-22 Thread Chris
On Saturday 22 May 2004 03:57 am, Lyvim Xaphir wrote:
 On Sat, 2004-05-22 at 02:25, Greg wrote:
  Even tho i run linux I still want to keep my guard up You are right i
  do want to know whats coming in or trying to come in to my box is
  netwatch hard to set up and where do i get it
  thanks greg

 http://rpm.pbone.net/index.php3/stat/4/idpl/1170735/com/netwatch-1.0b-0.pre3.1mdk.i586.rpm.html


There was a new source file uploaded last night

http://www.slctech.org/~mackay/netwatch-1.0bplay.tgz

I was having problems installing the previous version, Gordon came up with a 
fix immediately.  

-- 
Chris
Registered Linux User 283774 http://counter.li.org
12:56pm up 1 day, 18:17, 1 user, load average: 0.14, 0.22, 0.96

It's God.  No, not Richard Stallman, or Linus Torvalds, but God.
(By Matt Welsh)

Live - From Virgin Radio U.K. Bob Marley - No woman no cry






Re: [newbie] Strange Activity

2004-05-22 Thread Lyvim Xaphir
On Sat, 2004-05-22 at 14:00, Chris wrote:
 On Saturday 22 May 2004 03:57 am, Lyvim Xaphir wrote:
  On Sat, 2004-05-22 at 02:25, Greg wrote:
   Even tho i run linux I still want to keep my guard up You are right i
   do want to know whats coming in or trying to come in to my box is
   netwatch hard to set up and where do i get it
   thanks greg
 
  http://rpm.pbone.net/index.php3/stat/4/idpl/1170735/com/netwatch-1.0b-0.pre3.1mdk.i586.rpm.html
 
 
 There was a new source file uploaded last night
 
 http://www.slctech.org/~mackay/netwatch-1.0bplay.tgz
 
 I was having problems installing the previous version, Gordon came up with a 
 fix immediately.

How's that for service? ;)  Gordon is awesome.  You can't help but love
the guy.  In a brother type way, of course.

What did he charge you?  grin

LX






Re: [newbie] Strange Activity

2004-05-22 Thread Tom Brinkman
On Saturday 22 May 2004 05:20 am, Kaj Haulrich wrote:
 Sure, but if someone feels an obligation to pay a little dough,
 I suggest a donation to the Free Software Foundation :

 http://member.fsf.org/

 Makes one sleep better, laugh louder and cry less.

 Kaj Haulrich.

   Been an associate member for years.  Money well spent. I see 
Novell, RedHat, and particularly IBM are helpin with GPL defense/ 
enforcement too
-- 
  Tom Brinkman Corpus Christi, Texas
   Proud to be an American





Re: [newbie] Strange Activity

2004-05-22 Thread Josenildo Marques
On Sat, 2004-05-22 at 13:18, JoeHill wrote:
 ...betcha gotta be root to access eth0, most net traffic monitors I've used were
 like that.

Absolutely right !
Thanks !

-- 
josenildo marques 
icq #289971493 
homepage http://cyb.ezdir.net
registered linux user #341648
*
Well begun is half done. Aristotle






Re: [newbie] Strange Activity

2004-05-22 Thread Chris
On Saturday 22 May 2004 01:33 pm, Lyvim Xaphir wrote:

  There was a new source file uploaded last night
 
  http://www.slctech.org/~mackay/netwatch-1.0bplay.tgz
 
  I was having problems installing the previous version, Gordon came up
  with a fix immediately.

 How's that for service? ;)  Gordon is awesome.  You can't help but love
 the guy.  In a brother type way, of course.

 What did he charge you?  grin

 LX

Nothing of course, I think he felt sorry for me since I borked the changes 
he asked me to make in the C source of the previous version last night. :)

-- 
Chris
Registered Linux User 283774 http://counter.li.org
3:56pm up 1 day, 21:17, 1 user, load average: 0.26, 0.14, 0.18

..you could spend *all day* customizing the title bar.  Believe me.  I
speak from experience.
(By Matt Welsh)

Live - From Virgin Radio U.K. The Doors - Riders On The Storm






Re: [newbie] Strange Activity

2004-05-21 Thread Lyvim Xaphir
On Fri, 2004-05-21 at 00:13, Lanman wrote:
 Lyvim Xaphir wrote:
 
  My problem was corrected when I updated to the latest slew of updates
  and also replaced the secure kernel with the latest version.  have not
  seen that problem since then.
 
 Lyvim; How ya doin' Buddy? I found another way to fix the problem. Can 
 you say Bastille? Killed Shorewall, copied over my Bastille files, ran 
 the command and voila! No more shorewall data on my console, and the 
 firewall is running fine (actually runs a bit faster)!

Hello, Immortal One.  ;)  Good to see that you are still your old
indefatigable and irrepressible self.  grin

I may go the Bastille route.  But I had an immense success story getting
shorewall to run an internal Neverwinter Nights server not too long ago,
and now I'm sort of loath to give it up just yet.  I think my problem is
just a matter of editing the right config files in shorewall, maybe the
zone conf file isn't set up right, or something like that...I figure
between the Shorewall mailing lists and the great documentation on Tom
Estep's site, it's a matter of time before I lick it.

 
 Also, is there a Bind Guru here somewhere? I can't get rndc to 
 behave itself. It keeps giving me an error that states -
 
rndc: connect failed: connection refused
 
 Even though Bind seems to start up without errors, and even though port 
 53 is open on my firewall for DNS authentication, port scans keep 
 stating that the port is closed.
 
  You're running shorewall on the firewall, correct?  ;)  I've been
  encountering the same problems with both qmail and bind.
  
  LX
 
 RNDC problem is still happening though. Because of that, my DNS server 
 still appears closed in a firewall scan. I checked at Bind's website, 
 and they say that it's usually due to silly things like the server's 
 hostname ( mine's good ), or the fact that there's no rndc-key located 
 in named.conf or rndc.conf ( which is there in both files on this 
 machine), so I'm not sure what to do. The DNS port is open on the 
 firewall, but the service is not fully starting. The funny thing is that 
 my email server (postfix) runs like a charm, and so does everything else.
 
 So right now, it's more of an annoyance than anything, but I'd like to 
 solve it. Still open to suggestions.
 
 Lanman

Don't have any yet, but I can tell you this; when the email server
problem gets resolved, the DNS problem will quickly follow, and when it
does I'll send you the results.

The difference between the NWN server and the firewall problem is that
while the NWN server ports were being directed to another box on the
internal net, the ports for DNS/Email on the firewall are not; because
of it needing to be a fully qualified domain name with respect to
Qmail.  Qmail is picky about stuff like that.

Keep it straight up buddy..

:) 

LX
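Lanman's rndc error and the "port 53 closed" scan result are two separate things, and the thread leaves them tangled. rndc talks to named over a TCP control channel that is by default 127.0.0.1 port 953, independent of DNS service on port 53. "connection refused" means the kernel on the target host answered the connect with a reset, i.e. nothing was listening on that address and port; a connection dropped by a firewall rule instead times out. So a refused 953 points at named's `controls` configuration, not at the firewall's port 53 rule. The script below is an added example, not part of the thread or of BIND, that runs both probes against loopback and keeps the two outcomes apart; the explanatory strings are this example's own wording.

```python
"""Telling a refused rndc control channel apart from a filtered DNS port.

Added example, not from the thread or from BIND. Assumes named's default
control channel address, 127.0.0.1 port 953.
"""
import socket

RNDC_PORT = 953   # BIND's default control-channel port (rndc -> named)
DNS_PORT = 53


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # RST came back: nothing listening there
    except (socket.timeout, TimeoutError):
        return "timeout"       # no answer at all: something dropped the SYN
    except OSError:
        return "unreachable"   # routing / address problem


EXPLAIN = {
    "rndc": {
        "open": "something accepts connections on the control channel; if rndc "
                "still fails the problem is past TCP, in the key shared by "
                "rndc.conf and the controls clause of named.conf",
        "refused": "nothing is listening on the control channel: named is not "
                   "running, or has no working controls clause; a firewall drop "
                   "would not produce 'refused' on loopback",
        "timeout": "the connect is being dropped; check host firewall rules for "
                   "port 953 before touching named",
        "unreachable": "the address is not reachable; check the inet address in "
                       "the controls clause and in rndc.conf",
    },
    "dns": {
        "open": "named answers TCP on 53 at this address",
        "refused": "named is not bound to 53 on this address; check listen-on "
                   "in named.conf",
        "timeout": "port 53 is filtered; the firewall rule, not named, is the "
                   "first thing to check",
        "unreachable": "address not reachable",
    },
}


def diagnose(rndc_state, dns_state):
    """Map the two probe outcomes to the next thing to look at."""
    return {"rndc": EXPLAIN["rndc"][rndc_state], "dns": EXPLAIN["dns"][dns_state]}


def open_local_listener():
    """A throwaway loopback listener, used to exercise probe_tcp offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port():
    """An ephemeral loopback port with nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    rndc_state = probe_tcp("127.0.0.1", RNDC_PORT)
    dns_state = probe_tcp("127.0.0.1", DNS_PORT)
    for name, state in (("rndc", rndc_state), ("dns", dns_state)):
        print(f"{name}: {state}")
    for k, v in diagnose(rndc_state, dns_state).items():
        print(f"  {k}: {v}")
```

Run it on the DNS host itself; on Lanman's description (rndc refused, port 53 "closed" from outside) the likely output is "refused" for 953 and "open" for 53 locally, which would put the fault inside named's configuration rather than in Shorewall.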






Re: [newbie] Strange Activity

2004-05-21 Thread Lyvim Xaphir
On Fri, 2004-05-21 at 00:27, Greg wrote:
 Lyvim Xaphir [EMAIL PROTECTED] wrote:
 
 On Thu, 2004-05-20 at 23:23, Greg wrote:

 Is there any way to monitor network traffic?
 Greg

Yes, run netwatch on eth0.  It beats netstat for monitoring
connections.

Netstat's place in the overall scheme of things is to monitor ALL (and I
mean all) incoming connections to your firewall.  Or to your
workstation, if it's directly connected.  Netstat can show you the bytes
in, bytes out, port address, protocol used (udp or tcp), ip address or
the FQDN of the incoming connection, the type of service that uses that
particular port, all selectable with the arrow keys.  Netstat can also
log all this information to a file for legal purposes.  Anybody that
taps one of your ports is recorded in the Netwatch status screen.  It's
a great tool for monitoring your firewall.

The only thing it doesnt do is actually record or analyze incoming
packets for what they are actually for; this is an entirely different
job and should be done by a util such as snort.

If you like netwatch and would like to see it as a part of the contribs
given with Mandrake 9.2, please take the time to go to your Mandrakeclub
RPM voting page and cast your vote for this great utility so that
someone will package it specifically for Mandrake.  Right now it's just
available as a 386 rpm.  The author is Gordon MacKay, this is his
website:

http://www.slctech.org/~mackay/netwatch.html

If you like what you see, email him with some thanks.  Not enough people
thank the developers these days for their hard work.

Firewalls generally should not be running X, therefore it is great that
Netwatch uses an ncurses interface.  This makes it runnable from the
console.

There does seem to be a Mandrake rpm available, but this link only
offers it for Mandrake version 10 

http://rpm.pbone.net/index.php3/stat/2/simple/2

I've got a request in for a contributor to package it for 9.2 but I
don't think it's been done yet.

LX







Re: [newbie] Strange Activity

2004-05-21 Thread Kaj Haulrich
On Friday 21 May 2004 04:51, Lyvim Xaphir wrote:

snip
  The thing to remember is that if you are on a
 workstation, you shouldn't need to run xinetd for the reasons
 listed. And if you *do* need to dynamically activate services,
 don't use xinetd to do that, use Dan Bernstein's Tcpserver
 program, available on Vincent Danen's site, rpmhelp.net.  No
 vulns that I'm aware of have ever been detected either in vanilla
 qmail or tcpserver.

 LX
/snip

Lyvim, as everything coming from your keyboard : excellent !

Right now, I've stopped xinetd for good.

Regards

Kaj Haulrich.
-- 
* Sent from a 100 % Microsoft-free computer *
* running Linux kernel 2.6.4 on Mandrake 10.0 *





Re: [newbie] Strange Activity

2004-05-21 Thread Lyvim Xaphir
On Fri, 2004-05-21 at 01:37, Len Lawrence wrote:
 On Fri, 21 May 2004 00:27:33 -0400
 [EMAIL PROTECTED] (Greg) wrote:
 
  Lyvim Xaphir [EMAIL PROTECTED] wrote:
  
  On Thu, 2004-05-20 at 23:23, Greg wrote:
  - snip -
   Is there any way to monitor network traffic?
   Greg
  
 
 You could try /usr/sbin/net_monitor.

However I don't think that's what Greg had in mind, since I *think* he
wants something to monitor incoming possible attacks.  net_monitor
merely monitors throughput and doesn't offer specifics on who is
connecting to your firewall.

Netwatch does, tho.

LX






Re: [newbie] Strange Activity

2004-05-20 Thread Stephen Kuhn
On Fri, 2004-05-21 at 03:13, Aron Smith wrote:
 I have been getting a *Lot* of disk activity  around 7:00 am 
 the output from dmesg looks something like this
 -Shorewall:net2all:DROP:IN=eth0
  
 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169 
 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30226 DF PROTO=TCP 
 SPT=2296 DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= 
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169 
 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30480 DF PROTO=TCP 
 SPT=2544 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= 
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224 
 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=11550 DF PROTO=TCP 
 SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= 
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224 
 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=12990 DF PROTO=TCP 
 SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= 
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=64.78.124.187 
 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1830 DF PROTO=TCP 
 SPT=4887 DPT=5000 WINDOW=64240 RES=0x00 SYN URGP=0
 [EMAIL PROTECTED] aronsmith]$
 -
 have I been hacked?
 Thanks in advance
 smitty

Have you run a chkrootkit on this box yet?

stephen kuhn - owner
==
illawarra computer services
a kuhn media australia company
http://kma.0catch.com
--
  * This message was composed on a 100% Microsoft free computer *
  We expressly refuse to utilise Microsoft DRM encoded documents
--
FORTUNE'S FUN FACTS TO KNOW AND TELL: #44 Zebras are colored with dark
stripes on a light background.
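Before reaching for chkrootkit it is worth reading what Aron's dmesg lines actually say. Each one records a packet Shorewall discarded: the zone pair and action (net2all, DROP), then the netfilter key=value fields (SRC, DST, PROTO, SPT, DPT, ...) and bare TCP flags such as SYN. A dropped SYN is a connection attempt that never got through, so on its own it is not evidence of compromise; the useful information is the shape of the traffic, which the script below extracts: attempts per source, the destination ports tried, and which sources walked more than one port. This is an added example, not part of the thread or of Shorewall; the sample log is the thread's own lines re-joined one per line.

```python
"""Summarising Shorewall DROP lines from dmesg or /var/log/messages.

Added example, not from the thread or from Shorewall.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the five lines from the thread, one per line.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30226 DF PROTO=TCP SPT=2296 DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30480 DF PROTO=TCP SPT=2544 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=11550 DF PROTO=TCP SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=12990 DF PROTO=TCP SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=64.78.124.187 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1830 DF PROTO=TCP SPT=4887 DPT=5000 WINDOW=64240 RES=0x00 SYN URGP=0
"""

_KV = re.compile(r"(\w+)=(\S*)")


def parse_shorewall(line):
    """Parse one Shorewall log line into a dict, or return None.

    Anything before 'Shorewall:' (a dmesg timestamp, a syslog prefix) is
    ignored, so the same parser works on /var/log/messages lines.
    """
    idx = line.find("Shorewall:")
    if idx < 0:
        return None
    parts = line[idx:].split(":", 3)
    if len(parts) < 4:
        return None
    _, chain, action, rest = parts
    rec = {"chain": chain, "action": action}
    rec.update(_KV.findall(rest))                      # KEY=VALUE fields
    rec["flags"] = [t for t in rest.split() if "=" not in t]  # DF, SYN, ...
    return rec


def summarize(lines):
    """Per-source and per-destination-port view of dropped packets."""
    by_src = defaultdict(lambda: {"attempts": 0, "dports": set()})
    by_dport = Counter()
    for line in lines:
        rec = parse_shorewall(line)
        if rec is None or rec["action"] != "DROP":
            continue
        src, dport = rec.get("SRC"), rec.get("DPT")
        if src is None:
            continue
        by_src[src]["attempts"] += 1
        if dport is not None:
            by_src[src]["dports"].add(int(dport))
            by_dport[int(dport)] += 1
    # a source that tries several ports is probing, not retrying one service
    multi = sorted(s for s, v in by_src.items() if len(v["dports"]) > 1)
    return {"by_src": dict(by_src), "by_dport": dict(by_dport),
            "multi_port_sources": multi}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for src, v in sorted(s["by_src"].items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{src:16} {v['attempts']} attempts, ports {sorted(v['dports'])}")
    print("ports tried:", s["by_dport"])
    print("sources that tried more than one port:", s["multi_port_sources"])
```

Pointed at a day's worth of /var/log/messages (`summarize(open("/var/log/messages"))`) the same function shows whether the 7:00 am burst is a handful of sources sweeping ports or one source hammering a single service, which is the question to answer before worrying about the host itself.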






Re: [newbie] Strange Activity

2004-05-20 Thread Aron Smith
On Thursday 20 May 2004 10:26 am, Stephen Kuhn wrote:
 On Fri, 2004-05-21 at 03:13, Aron Smith wrote:
  I have been getting a *Lot* of disk activity  around 7:00 am
  the output from dmesg looks something like this
  -Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00
  SRC=24.202.47.169 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108
  ID=30226 DF PROTO=TCP SPT=2296 DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0
  Shorewall:net2all:DROP:IN=eth0 OUT=
  MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169
  DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30480 DF PROTO=TCP
  SPT=2544 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0
  Shorewall:net2all:DROP:IN=eth0 OUT=
  MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224
  DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=11550 DF PROTO=TCP
  SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
  Shorewall:net2all:DROP:IN=eth0 OUT=
  MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224
  DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=12990 DF PROTO=TCP
  SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
  Shorewall:net2all:DROP:IN=eth0 OUT=
  MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=64.78.124.187
  DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1830 DF PROTO=TCP
  SPT=4887 DPT=5000 WINDOW=64240 RES=0x00 SYN URGP=0
  [EMAIL PROTECTED] aronsmith]$
  -
  have I been hacked?
  Thanks in advance
  smitty

 Have you run a chkrootkit on this box yet?
Yes, seems to be ok, nothing detected.
results:
[EMAIL PROTECTED] aronsmith]# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not found
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for HKRK rootkit ... nothing found

Re: [newbie] Strange Activity

2004-05-20 Thread Asa Rossoff
Aron Smith [EMAIL PROTECTED] said:
 I have been getting a *Lot* of disk activity around 7:00 am
 the output from dmesg looks something like this
 -Shorewall:net2all:DROP:IN=eth0
 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169
 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30226 DF PROTO=TCP
 SPT=2296 DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT=
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169
 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30480 DF PROTO=TCP
 SPT=2544 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT=
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224
 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=11550 DF PROTO=TCP
 SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT=
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224
 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=12990 DF PROTO=TCP
 SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT=
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=64.78.124.187
 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1830 DF PROTO=TCP
 SPT=4887 DPT=5000 WINDOW=64240 RES=0x00 SYN URGP=0
 [EMAIL PROTECTED] aronsmith]$
 -
 have I been hacked?
 Thanks in advance
 smitty

The log activity you posted doesn't indicate it.  Those are all network
packets that Shorewall dropped -- that didn't get in.. it's normal to have
this activity, generated either by hackers checking for security holes or
worms and whatnot.

Asa
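To put Asa's point into practice, here is a small triage script, added here as an example and not part of the thread: it boils Shorewall DROP lines down to counts per source address and per destination port, and lists the sources that touched more than one port. The sample log is constructed from the five lines Aron quoted; on a live box you would pipe dmesg or /var/log/messages into the same functions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: summarise Shorewall
# (netfilter LOG target) DROP lines so dropped-probe noise can be triaged.
# SAMPLE_LOG is constructed from the five lines quoted in the thread; on a
# real box feed `dmesg` or /var/log/messages into the functions instead.
export LC_ALL=C

SAMPLE_LOG='Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30226 DF PROTO=TCP SPT=2296 DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30480 DF PROTO=TCP SPT=2544 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=11550 DF PROTO=TCP SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=12990 DF PROTO=TCP SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=64.78.124.187 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1830 DF PROTO=TCP SPT=4887 DPT=5000 WINDOW=64240 RES=0x00 SYN URGP=0'

# Keep only lines a Shorewall DROP rule logged; the rest of dmesg (disk,
# USB, kernel messages) is irrelevant to this triage.
drop_lines() {
    grep 'Shorewall:.*:DROP:'
}

# Pull the value of one KEY=value field (SRC, DPT, PROTO, ...) from each line.
field() {
    awk -v key="$1" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); break }
    }'
}

# "<count> <src>" per source address, busiest first, ties by address.
drops_by_src() {
    drop_lines | field SRC | sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# "<count> <proto>/<dport>" per destination port, busiest first.
drops_by_port() {
    drop_lines | awk '{
        p = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "PROTO=") == 1) p = substr($i, 7)
            if (index($i, "DPT=") == 1)   d = substr($i, 5)
        }
        if (p != "" && d != "") print p "/" d
    }' | sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Sources that touched more than one distinct port look like a scan rather
# than a stray connection; print "<src> <distinct ports>" for those.
scanning_sources() {
    drop_lines | awk '{
        s = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "SRC=") == 1) s = substr($i, 5)
            if (index($i, "DPT=") == 1) d = substr($i, 5)
        }
        if (s != "" && d != "") print s, d
    }' | sort -u | awk '{ n[$1]++ } END { for (s in n) if (n[s] > 1) print s, n[s] }' | sort
}

# Run the file as-is to report on the constructed sample.
echo "== drops by source ==";        printf '%s\n' "$SAMPLE_LOG" | drops_by_src
echo "== drops by dest port ==";     printf '%s\n' "$SAMPLE_LOG" | drops_by_port
echo "== multi-port sources ==";     printf '%s\n' "$SAMPLE_LOG" | scanning_sources
```

A source that keeps hitting one port is a stray connection; one that walks several ports is a scan. Either way the packets were dropped, so the counts are for awareness rather than alarm. What would deserve a closer look is a source that shows up here and then also appears in the logs of a service that is actually open.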



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com



Re: [newbie] Strange Activity

2004-05-20 Thread Aron Smith
On Thursday 20 May 2004 05:11 pm, Asa Rossoff wrote:
 Aron Smith [EMAIL PROTECTED] said:
  I have been getting a *Lot* of disk activity around 7:00 am
  the output from dmesg looks something like this
-
  Huge snip
--
Thanks all, it had me worried; don't want to become someone's spam relay bitch.





Re: [newbie] Strange Activity

2004-05-20 Thread Greg
Lyvim Xaphir [EMAIL PROTECTED] wrote:

On Thu, 2004-05-20 at 15:33, Aron Smith wrote:
 On Thursday 20 May 2004 12:02 pm, Lyvim Xaphir wrote:
  On Thu, 2004-05-20 at 13:13, Aron Smith wrote:
   I have been getting a *Lot* of disk activity around 7:00 am
   the output from dmesg looks something like this
 
   Thanks in advance
   smitty
 
  Are you running xinetd, if so why, and what other services do you have
  running.  Also are you updated to kernel 2.4.22-30mdk ?
 Using kernel 2.6
 here is output from  top
 ---
 9449 root  25   0  2172 1048 1964 R 91.1  0.2   1:11.94 top
  4962 root  15   0 23304  11m  13m S  6.3  1.8 108:31.45 X
  9471 aronsmit  15   0 27956  15m  25m S  2.0  2.5   0:01.19 kdeinit
  6195 aronsmit  15   0 39112  27m  31m S  0.3  4.4   0:06.43 kdeinit
  9506 aronsmit  17   0  2172 1048 1964 R  0.3  0.2   0:00.11 top
 1 root  16   0  1580  516 1424 S  0.0  0.1   0:03.42 init
 2 root  34  19 000 S  0.0  0.0   0:00.00 ksoftirqd/0
 3 root   5 -10 000 S  0.0  0.0   0:00.09 events/0
 4 root   5 -10 000 S  0.0  0.0   0:00.06 kblockd/0
 5 root  15   0 000 S  0.0  0.0   0:00.01 kapmd
 6 root  25   0 000 S  0.0  0.0   0:00.00 pdflush
 7 root  15   0 000 S  0.0  0.0   0:00.07 pdflush
 8 root  25   0 000 S  0.0  0.0   0:00.00 kswapd0
 9 root  10 -10 000 S  0.0  0.0   0:00.00 aio/0
11 root  20   0 000 S  0.0  0.0   0:00.00 kseriod
15 root  15   0 000 S  0.0  0.0   0:00.07 kjournald
   121 root  17   0  2036 1208 1588 S  0.0  0.2   0:00.85 devfsd
   245 root  15   0 000 S  0.0  0.0   0:00.06 khubd
   562 root  15   0 000 S  0.0  0.0   0:00.08 kjournald
   565 root  15   0 000 S  0.0  0.0   0:00.03 kjournald
   827 root  -2   0  1628 1628 1468 S  0.0  0.3   0:00.03 watchdog
  2755 rpc   15   0  1712  580 1540 S  0.0  0.1   0:00.00 portmap
  2779 root  16   0  1640  608 1468 S  0.0  0.1   0:00.09 syslogd
  2787 root  15   0  2592 1536 1416 S  0.0  0.2   0:00.16 klogd
  2846 root  18   0  1712  712 1540 S  0.0  0.1   0:00.00 rpc.statd
  3243 xfs   16   0  5384 3756 2512 S  0.0  0.6   0:00.16 xfs
  3268 root  18   0  1604  540 1448 S  0.0  0.1   0:00.00 hcid
  3279 root  10 -10 000 S  0.0  0.0   0:00.00 krfcommd
  4869 root  16   0  1588  536 1428 S  0.0  0.1   0:00.00 apmd
  4910 root  16   0  2688  692 2504 S  0.0  0.1   0:00.00 mdkkdm
 --


Why is portmap running?  Are you using NFS?

LX



 What is portmap and should it be running 
Greg

-- 
Linux Mandrake Rules


__
Introducing the New Netscape Internet Service. 
Only $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need. 

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp





Re: [newbie] Strange Activity

2004-05-20 Thread Greg
Stephen Kuhn [EMAIL PROTECTED] wrote:

On Fri, 2004-05-21 at 03:13, Aron Smith wrote:
 I have been getting a *Lot* of disk activity around 7:00 am
 the output from dmesg looks something like this
 -Shorewall:net2all:DROP:IN=eth0
 OUT= MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169 
 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30226 DF PROTO=TCP 
 SPT=2296 DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= 
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=24.202.47.169 
 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=30480 DF PROTO=TCP 
 SPT=2544 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= 
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224 
 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=11550 DF PROTO=TCP 
 SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= 
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=83.64.20.224 
 DST=64.81.53.247 LEN=52 TOS=0x10 PREC=0x00 TTL=106 ID=12990 DF PROTO=TCP 
 SPT=4200 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= 
 MAC=00:07:95:fc:2d:40:00:90:1a:40:aa:4d:08:00 SRC=64.78.124.187 
 DST=64.81.53.247 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1830 DF PROTO=TCP 
 SPT=4887 DPT=5000 WINDOW=64240 RES=0x00 SYN URGP=0
 [EMAIL PROTECTED] aronsmith]$
 -
 have I been hacked?
 Thanks in advance
 smitty

Have you run a chkrootkit on this box yet?

stephen kuhn - owner
==
illawarra computer services
a kuhn media australia company
http://kma.0catch.com
--
  * This message was composed on a 100% Microsoft free computer *
  We expressly refuse to utilise Microsoft DRM encoded documents
--
FORTUNE'S FUN FACTS TO KNOW AND TELL: #44 Zebras are colored with dark
stripes on a light background.



how do you run chkrootkit 
Thanks Greg

-- 
Linux Mandrake Rules







Re: [newbie] Strange Activity

2004-05-20 Thread Lanman
Asa Rossoff wrote:
The log activity you posted doesn't indicate it.  Those are all network
packets that Shorewall dropped -- that didn't get in.. it's normal to have
this activity, generated either by hackers checking for security holes or
worms and whatnot.
Asa
On Mandrake 9.2, installed on a server which isn't running X, I'm 
getting this exact type of data appearing on my display, even before 
anyone logs onto the server - locally OR remotely!

Is there any way to stop this, or is this a warning that my system's 
been hit? This is a fresh install which I finished this morning, so I'd 
appreciate any thoughts before I start depending on it.

Also, is there a Bind Guru here somewhere? I can't get rndc to 
behave itself. It keeps giving me an error that states -

  rndc: connect failed: connection refused
Even though Bind seems to start up without errors, and even though port 
53 is open on my firewall for DNS authentication, port scans keep 
stating that the port is closed.

This is the first time I've ever had these two problems, and I'm curious 
to find out what's different between this 9.2 install, and the hundreds 
I've done before!

TIA
Lanman




Re: [newbie] Strange Activity

2004-05-20 Thread Lyvim Xaphir
On Thu, 2004-05-20 at 18:28, Kaj Haulrich wrote:

Kaj,

Excellent to hear from you again.

 On Thursday 20 May 2004 22:31, Aron Smith wrote:
 
 snip
  Not using NFS, pure linux system, reiserFS on some partitions
  how can I shut portmap off?
 /snip
 
 You can stop portmap (or any service) by typing (as root) :
 
 service portmap stop
 
 or don't start it at all. Go to System -- Configuration -- 
 Configure Your Computer -- System -- Services.

Alternatively you can use the excellent command line utility chkconfig
from the command line.  Like this to list all services:

chkconfig --list | sort

(which sorts the list alphabetically for your convenience)

Or like this to unilaterally shut portmap down across all runlevels:

chkconfig --level 2345 portmap off

All from a root console, btw.

 
 And, to return to your original question about the output from 
 dmesg : I have lots of those too. When doing a whois on most of 
 those IP addresses, I see totally unknown hosts from all around the 
 globe with no clue whatsoever about who they are and why they pop 
 up on my humble PC. So, I figure that what we see are all those 
 script-kiddies, worms, viruses and trojans looking for Windows.
 
 Fortunately, it seems that Shorewall stops them all although it 
 doesn't really matter anyway, what with us running linux.
 
 And to Lyvim : Until now, I had xinetd running. What is the downside 
 of stopping it ?
 
 Kaj Haulrich.

OK.  The sole purpose of xinetd is to dynamically start and stop
services that you would not want running on a continual basis.  Such as
ftp, or sshd, or any of the other server type services listed by
chkconfig.  It is supposed to bring the service up on demand and shut it
down when not being used.

On a linux workstation, like mine or yours or most people here, xinetd
is useless because we aren't using the box as a server and we are trying
to keep people out rather than letting them in.  Most peeps have cheap
486 or pentium 1 hardware set aside for ftp purposes, and even then a lot
of peeps just run ftp or sshd or whatever continuously, instead of using
xinetd to start the service up on demand.  Xinetd had a good idea, which
was to save resources by keeping processes down when not being used, and
calling them up when their port (ftp 21 or sshd 22 for example) is
tapped or knocked on from the outside.

Where xinetd comes in weak is that it is basically a single access point
from which you can start up any internal service inside YOUR machine
from the outside, that has not been specifically denied by the config
files in etc.  In other words, hackers can tap or knock on ports to see
if a service will start up, and then they start checking that service
for version vulnerabilities.  In other words, xinetd is serving no other
purpose than to allow outside people to start up services on YOUR box. 
From the outside.

But it doesn't stop there.  At one time, xinetd was *itself* vulnerable
to DOS attacks.  They have worked on that problem and have corrected it
to some degree, but usually security problems are not endemic of the
code, but of the architecture that the code is written toward. 
Witness:  Sendmail.  Postfix.  Exim.  Check it out in the Bugtraq
archives.  All victims of a self flagellating trend towards single root
run executables when a simple change in architecture (such as the
architecture exhibited by qmail) would be a step in the right
direction.  A root run single executable service such as those above are
nearly always vulnerable to buffer overflow attacks, at some time or
another.

but I digress.  The thing to remember is that if you are on a
workstation, you shouldn't need to run xinetd for the reasons listed. 
And if you *do* need to dynamically activate services, don't use xinetd
to do that, use Dan Bernstein's Tcpserver program, available on Vincent
Danen's site, rpmhelp.net.  No vulns that I'm aware of have ever been
detected either in vanilla qmail or tcpserver.

HTH??

LX
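Lyvim's description above (xinetd starts a service when its port is touched, unless the config files deny it) suggests a concrete check: read the xinetd stanzas and list the services that are enabled and not limited by only_from. The script below is an added example, not from the thread; the stanzas are constructed, and the /etc/xinetd.conf and /etc/xinetd.d paths are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: audit xinetd service stanzas for
# services that xinetd will start on demand for any remote host.
# XINETD_SAMPLE is constructed; on a real box feed the stanzas in with
# `cat /etc/xinetd.conf /etc/xinetd.d/*` (assumed Mandrake paths).

XINETD_SAMPLE='service telnet
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}

service rsync
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
}

service finger
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = nobody
        only_from       = 127.0.0.1
        server          = /usr/sbin/in.fingerd
}'

# One line per stanza: "<service> enabled|disabled open|restricted".
# Field-based matching so "disable = no" and "disable=no" both work.
xinetd_audit() {
    awk '
        $1 == "service"      { name = $2; enabled = 1; restricted = 0 }
        $1 ~ /^disable/      { v = $NF; sub(/.*=/, "", v); enabled = (v != "yes") }
        $1 ~ /^only_from/    { restricted = 1 }
        $1 == "}" && name != "" {
            print name, (enabled ? "enabled" : "disabled"), (restricted ? "restricted" : "open")
            name = ""
        }'
}

# Stanzas that are enabled and carry no only_from restriction: exactly the
# "knock on the port and it starts" case the thread warns about.
xinetd_open_services() {
    xinetd_audit | awk '$2 == "enabled" && $3 == "open" { print $1 }'
}

# Run the file as-is to report on the constructed stanzas.
printf '%s\n' "$XINETD_SAMPLE" | xinetd_audit
echo "open to any host:"
printf '%s\n' "$XINETD_SAMPLE" | xinetd_open_services
```

only_from is not the only control: a `defaults` block in xinetd.conf, `no_access`, and tcp_wrappers (/etc/hosts.allow, /etc/hosts.deny) can all narrow access, and a firewall in front of the box narrows it further. The script answers one question only: which services xinetd would start for an arbitrary remote host if nothing else intervened.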








Re: [newbie] Strange Activity

2004-05-20 Thread Lyvim Xaphir
On Thu, 2004-05-20 at 21:45, Greg wrote:
 Lyvim Xaphir [EMAIL PROTECTED] wrote:
 
 On Thu, 2004-05-20 at 15:33, Aron Smith wrote:
  On Thursday 20 May 2004 12:02 pm, Lyvim Xaphir wrote:
   On Thu, 2004-05-20 at 13:13, Aron Smith wrote:
I have been getting a *Lot* of disk activity around 7:00 am
the output from dmesg looks something like this
  
Thanks in advance
smitty
  
   Are you running xinetd, if so why, and what other services do you have
   running.  Also are you updated to kernel 2.4.22-30mdk ?
  Using kernel 2.6
  here is output from  top
  ---
  9449 root  25   0  2172 1048 1964 R 91.1  0.2   1:11.94 top
   4962 root  15   0 23304  11m  13m S  6.3  1.8 108:31.45 X
   9471 aronsmit  15   0 27956  15m  25m S  2.0  2.5   0:01.19 kdeinit
   6195 aronsmit  15   0 39112  27m  31m S  0.3  4.4   0:06.43 kdeinit
   9506 aronsmit  17   0  2172 1048 1964 R  0.3  0.2   0:00.11 top
  1 root  16   0  1580  516 1424 S  0.0  0.1   0:03.42 init
  2 root  34  19 000 S  0.0  0.0   0:00.00 ksoftirqd/0
  3 root   5 -10 000 S  0.0  0.0   0:00.09 events/0
  4 root   5 -10 000 S  0.0  0.0   0:00.06 kblockd/0
  5 root  15   0 000 S  0.0  0.0   0:00.01 kapmd
  6 root  25   0 000 S  0.0  0.0   0:00.00 pdflush
  7 root  15   0 000 S  0.0  0.0   0:00.07 pdflush
  8 root  25   0 000 S  0.0  0.0   0:00.00 kswapd0
  9 root  10 -10 000 S  0.0  0.0   0:00.00 aio/0
 11 root  20   0 000 S  0.0  0.0   0:00.00 kseriod
 15 root  15   0 000 S  0.0  0.0   0:00.07 kjournald
121 root  17   0  2036 1208 1588 S  0.0  0.2   0:00.85 devfsd
245 root  15   0 000 S  0.0  0.0   0:00.06 khubd
562 root  15   0 000 S  0.0  0.0   0:00.08 kjournald
565 root  15   0 000 S  0.0  0.0   0:00.03 kjournald
827 root  -2   0  1628 1628 1468 S  0.0  0.3   0:00.03 watchdog
   2755 rpc   15   0  1712  580 1540 S  0.0  0.1   0:00.00 portmap
   2779 root  16   0  1640  608 1468 S  0.0  0.1   0:00.09 syslogd
   2787 root  15   0  2592 1536 1416 S  0.0  0.2   0:00.16 klogd
   2846 root  18   0  1712  712 1540 S  0.0  0.1   0:00.00 rpc.statd
   3243 xfs   16   0  5384 3756 2512 S  0.0  0.6   0:00.16 xfs
   3268 root  18   0  1604  540 1448 S  0.0  0.1   0:00.00 hcid
   3279 root  10 -10 000 S  0.0  0.0   0:00.00 krfcommd
   4869 root  16   0  1588  536 1428 S  0.0  0.1   0:00.00 apmd
   4910 root  16   0  2688  692 2504 S  0.0  0.1   0:00.00 mdkkdm
  --
 
 
 Why is portmap running?  Are you using NFS?
 
 LX
 
 
 
  What is portmap and should it be running 
 Greg

It's a service generally used for NFS and for some reason is enabled by
default on Mandrake installs; I don't use NFS, I tend to use samba more;
I think the aussies have made it more secure than NFS.  Portmap uses the
rpc protocol, which is notoriously insecure and notoriously famous with
crackers for being entryways into unsecured boxes.  Especially since
portmap is enabled BY DEFAULT on Mandrake boxes.

If you don't run NFS, shut it down on all runlevels.

LX






Re: [newbie] Strange Activity

2004-05-20 Thread Greg
Lyvim Xaphir [EMAIL PROTECTED] wrote:

On Thu, 2004-05-20 at 21:45, Greg wrote:
 Lyvim Xaphir [EMAIL PROTECTED] wrote:
 
 On Thu, 2004-05-20 at 15:33, Aron Smith wrote:
  On Thursday 20 May 2004 12:02 pm, Lyvim Xaphir wrote:
   On Thu, 2004-05-20 at 13:13, Aron Smith wrote:
I have been getting a *Lot* of disk activity around 7:00 am
the output from dmesg looks something like this
  
Thanks in advance
smitty
  
   Are you running xinetd, if so why, and what other services do you have
   running.  Also are you updated to kernel 2.4.22-30mdk ?
  Using kernel 2.6
  here is output from  top
  ---
  9449 root  25   0  2172 1048 1964 R 91.1  0.2   1:11.94 top
   4962 root  15   0 23304  11m  13m S  6.3  1.8 108:31.45 X
   9471 aronsmit  15   0 27956  15m  25m S  2.0  2.5   0:01.19 kdeinit
   6195 aronsmit  15   0 39112  27m  31m S  0.3  4.4   0:06.43 kdeinit
   9506 aronsmit  17   0  2172 1048 1964 R  0.3  0.2   0:00.11 top
  1 root  16   0  1580  516 1424 S  0.0  0.1   0:03.42 init
  2 root  34  19 000 S  0.0  0.0   0:00.00 ksoftirqd/0
  3 root   5 -10 000 S  0.0  0.0   0:00.09 events/0
  4 root   5 -10 000 S  0.0  0.0   0:00.06 kblockd/0
  5 root  15   0 000 S  0.0  0.0   0:00.01 kapmd
  6 root  25   0 000 S  0.0  0.0   0:00.00 pdflush
  7 root  15   0 000 S  0.0  0.0   0:00.07 pdflush
  8 root  25   0 000 S  0.0  0.0   0:00.00 kswapd0
  9 root  10 -10 000 S  0.0  0.0   0:00.00 aio/0
 11 root  20   0 000 S  0.0  0.0   0:00.00 kseriod
 15 root  15   0 000 S  0.0  0.0   0:00.07 kjournald
121 root  17   0  2036 1208 1588 S  0.0  0.2   0:00.85 devfsd
245 root  15   0 000 S  0.0  0.0   0:00.06 khubd
562 root  15   0 000 S  0.0  0.0   0:00.08 kjournald
565 root  15   0 000 S  0.0  0.0   0:00.03 kjournald
827 root  -2   0  1628 1628 1468 S  0.0  0.3   0:00.03 watchdog
   2755 rpc   15   0  1712  580 1540 S  0.0  0.1   0:00.00 portmap
   2779 root  16   0  1640  608 1468 S  0.0  0.1   0:00.09 syslogd
   2787 root  15   0  2592 1536 1416 S  0.0  0.2   0:00.16 klogd
   2846 root  18   0  1712  712 1540 S  0.0  0.1   0:00.00 rpc.statd
   3243 xfs   16   0  5384 3756 2512 S  0.0  0.6   0:00.16 xfs
   3268 root  18   0  1604  540 1448 S  0.0  0.1   0:00.00 hcid
   3279 root  10 -10 000 S  0.0  0.0   0:00.00 krfcommd
   4869 root  16   0  1588  536 1428 S  0.0  0.1   0:00.00 apmd
   4910 root  16   0  2688  692 2504 S  0.0  0.1   0:00.00 mdkkdm
  --
 
 
 Why is portmap running?  Are you using NFS?
 
 LX
 
 
 
  What is portmap and should it be running 
 Greg

It's a service generally used for NFS and for some reason is enabled by
default on Mandrake installs; I don't use NFS, I tend to use samba more;
I think the aussies have made it more secure than NFS.  Portmap uses the
rpc protocol, which is notoriously insecure and notoriously famous with
crackers for being entryways into unsecured boxes.  Especially since
portmap is enabled BY DEFAULT on Mandrake boxes.

If you don't run NFS, shut it down on all runlevels.

LX



So how do I shut down all run levels, and even know if they are running? I did not see
it in top. Just what should be running for a basic linux box?
I may have some weak spots in my system and I want to find them before someone else
does.
Thanks Greg

-- 
Linux Mandrake Rules







Re: [newbie] Strange Activity

2004-05-20 Thread Lyvim Xaphir
On Thu, 2004-05-20 at 22:23, Lanman wrote:
 Asa Rossoff wrote:
 
  The log activity you posted doesn't indicate it.  Those are all network
  packets that Shorewall dropped -- that didn't get in.. it's normal to have
  this activity, generated either by hackers checking for security holes or
  worms and whatnot.
  
  Asa
 
 On Mandrake 9.2, installed on a server which isn't running X, I'm 
 getting this exact type of data appearing on my display, even before 
 anyone logs onto the server - locally OR remotely!
 

As a matter of fact, when I saw Aron's output on the screen, that's
exactly what I thought was happening, because I have had the exact same
experience as yourself.  On a firewall (pre-update) running the secure
kernel (the first release) I started seeing shorewall output on either
the first or second consoles.  Usually you are supposed to be able to do
alt-F12 and get this information (F12 console is set aside for that
purpose by default), but the information for some reason started being
shunted to the first or second consoles on my firewall.

This occurred after some heavy scanning of my box from the net, which
led me to believe that someone was exploiting a buffer overflow vuln in
the early 9.2 kernels.  This was unlikely, given that I was using the
secure kernel, but I had no other explanation.

 Is there any way to stop this, or is this a warning that my system's 
 been hit? This is a fresh install which I finished this morning, so I'd 
 appreciate any thoughts before I start depending on it.

My problem was corrected when I updated to the latest slew of updates
and also replaced the secure kernel with the latest version.  I have not
seen that problem since then.

Aron should know though, that if he does see this kind of output on a
console screen (usually one that's logged in) he should start to worry.


 
 Also, is there a Bind Guru here somewhere? I can't get rndc to 
 behave itself. It keeps giving me an error that states -
 
rndc: connect failed: connection refused
 
 Even though Bind seems to start up without errors, and even though port 
 53 is open on my firewall for DNS authentication, port scans keep 
 stating that the port is closed.


You're running shorewall on the firewall, correct?  ;)  I've been
encountering the same problems with both qmail and bind.

 
 This is the first time I've ever had these two problems, and I'm curious 
 to find out what's different between this 9.2 install, and the hundreds 
 I've done before!
 
 TIA
 
 Lanman
 

LX






Re: [newbie] Strange Activity

2004-05-20 Thread Lyvim Xaphir
On Thu, 2004-05-20 at 23:23, Greg wrote:

 
 If you don't run NFS, shut it down on all runlevels.
 
 LX
 
 
 
 So how do I shut down all run levels, and even know if they are running?
 I did not see it in top. Just what should be running for a basic linux
 box?
 I may have some weak spots in my system and I want to find them before
 someone else does.
 Thanks Greg

Find services that are enabled and put them in alphabet order:

chkconfig --list  | sort

Disable services on all runlevels that are resource hogs, security
risks, and not needed for workstation purposes:

chkconfig --level 2345 portmap off

Enable service that you disabled by mistake or that you just want on:

chkconfig --level 2345 yourservice on

Learn about the chkconfig command:

man chkconfig


HTH

LX
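Kaj's and Lyvim's chkconfig steps above (list the services, switch the unneeded ones off on runlevels 2 through 5) can be turned into a review script. The one below is an added example, not from the thread: it parses a `chkconfig --list` listing, reports what is on in a given runlevel, and prints the exact `chkconfig --level 2345 <service> off` lines for the services the thread singles out, without running them. The listing is constructed to look like a 2004-era Mandrake box.

```shell
#!/bin/sh
# Added example, not from the thread: review a `chkconfig --list` listing
# and generate the `chkconfig --level 2345 <svc> off` lines the thread
# recommends, for the services it singles out. CHKCONFIG_SAMPLE is
# constructed; on a real machine pipe `chkconfig --list` into the
# functions instead. Nothing here changes the system: commands are
# printed for review, not executed.
export LC_ALL=C

CHKCONFIG_SAMPLE='portmap         0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
shorewall       0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        rsync:  off'

# Services the thread calls unnecessary on a workstation (portmap: RPC
# entry point, only needed for NFS; xinetd: on-demand superserver).
UNNEEDED_ON_WORKSTATION='portmap xinetd'

# Names of SysV services that are "on" in the given runlevel (0-6).
# Only lines shaped like "<name> 0:off 1:off ... 6:off" are considered.
enabled_at_runlevel() {
    awk -v lvl="$1" '
        NF >= 8 && $2 ~ /^0:(on|off)$/ {
            for (i = 2; i <= NF; i++)
                if ($i == (lvl ":on")) { print $1; break }
        }'
}

# xinetd-managed services currently switched on (they only matter while
# xinetd itself is enabled).
xinetd_enabled() {
    awk '$1 ~ /:$/ && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# Print the chkconfig command for each unneeded service that is still on
# in the given runlevel; review the list, then run it as root.
disable_commands() {
    listing=$(cat)
    enabled=$(printf '%s\n' "$listing" | enabled_at_runlevel "$1")
    for svc in $UNNEEDED_ON_WORKSTATION; do
        if printf '%s\n' "$enabled" | grep -qx "$svc"; then
            printf 'chkconfig --level 2345 %s off\n' "$svc"
        fi
    done
}

# Run the file as-is to report on the constructed listing.
echo "== on in runlevel 5 ==";   printf '%s\n' "$CHKCONFIG_SAMPLE" | enabled_at_runlevel 5
echo "== xinetd services on ==";  printf '%s\n' "$CHKCONFIG_SAMPLE" | xinetd_enabled
echo "== suggested commands ==";  printf '%s\n' "$CHKCONFIG_SAMPLE" | disable_commands 5
```

chkconfig only changes what starts at boot; the copy already running keeps running until you stop it, which is why Kaj's `service portmap stop` still belongs alongside the chkconfig line. The `man chkconfig` Lyvim points to covers the `--level` syntax used here.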






Re: [newbie] Strange Activity

2004-05-20 Thread Lanman
Lyvim Xaphir wrote:
My problem was corrected when I updated to the latest slew of updates
and also replaced the secure kernel with the latest version.  have not
seen that problem since then.
Lyvim; How ya doin' Buddy? I found another way to fix the problem. Can 
you say Bastille? Killed Shorewall, copied over my Bastille files, ran 
the command and voila! No more shorewall data on my console, and the 
firewall is running fine (actually runs a bit faster)!

Also, is there a Bind Guru here somewhere? I can't get rndc to 
behave itself. It keeps giving me an error that states -

  rndc: connect failed: connection refused
Even though Bind seems to start up without errors, and even though port 
53 is open on my firewall for DNS authentication, port scans keep 
stating that the port is closed.

You're running shorewall on the firewall, correct?  ;)  I've been
encountering the same problems with both qmail and bind.
LX
RNDC problem is still happening though. Because of that, my DNS server 
still appears closed in a firewall scan. I checked at Bind's website, 
and they say that it's usually due to silly things like the server's 
hostname ( mine's good ), or the fact that there's no rndc-key located 
in named.conf or rndc.conf ( which is there in both files on this 
machine), so I'm not sure what to do. The DNS port is open on the 
firewall, but the service is not fully starting. The funny thing is that 
my email server (postfix) runs like a charm, and so does everything else.

So right now, it's more of an annoyance than anything, but I'd like to 
solve it. Still open to suggestions.

Lanman




Re: [newbie] Strange Activity

2004-05-20 Thread Greg
Lyvim Xaphir [EMAIL PROTECTED] wrote:

On Thu, 2004-05-20 at 23:23, Greg wrote:

 
 If you don't run NFS, shut it down on all runlevels.
 
 LX
 
 
 
 So how do I shut down all run levels, and even know if they are running?
 I did not see it in top. Just what should be running for a basic linux
 box?
 I may have some weak spots in my system and I want to find them before
 someone else does.
 Thanks Greg

Find services that are enabled and put them in alphabet order:

chkconfig --list  | sort

Disable services on all runlevels that are resource hogs, security
risks, and not needed for workstation purposes:

chkconfig --level 2345 portmap off

Enable service that you disabled by mistake or that you just want on:

chkconfig --level 2345 yourservice on

Learn about the chkconfig command:

man chkconfig


HTH

LX



Is there any way to monitor network traffic  
Greg

-- 
Linux Mandrake Rules







Re: [newbie] Strange Activity

2004-05-20 Thread Len Lawrence
On Fri, 21 May 2004 00:27:33 -0400
[EMAIL PROTECTED] (Greg) wrote:

 Lyvim Xaphir [EMAIL PROTECTED] wrote:
 
 On Thu, 2004-05-20 at 23:23, Greg wrote:
 - snip -
 Is there any way to monitor network traffic  
 Greg
 

You could try /usr/sbin/net_monitor.
-- 
Len Lawrence
--
The two things that can get you into trouble quicker than anything else
are fast women and slow horses.
--

