Re: Strange capture of my eth0 interface.
From: Doug Laidlaw (laidlaws_at_myaccess.com.au)
Date: 03/24/05
- Next message: Douglas O'Neal: "Re: Five Myths of Linux Security...."
- Previous message: Ross M. Greenberg: "Re: Five Myths of Linux Security...."
- In reply to: Moe Trin: "Re: Strange capture of my eth0 interface."
- Next in thread: Moe Trin: "Re: Strange capture of my eth0 interface."
- Reply: Moe Trin: "Re: Strange capture of my eth0 interface."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Mar 2005 22:17:24 +1100
Thanks. They haven't been back since about the time I installed Shorewall,
but I doubt if there is any connection. They seem to have generally messed
things up, so I did a fresh install.
There is a chkrootkit ver 0.43 RPM available for Mandrake in the "contrib"
repository, and I think that the most recent release from the site is 0.45.
Doug.
Moe Trin wrote:
> In article <aci4h2-2g7.ln1@dougshost.mydomain.org.au>, Doug Laidlaw wrote:
>
>>I have reinstalled Iptables before I read the first part of your reply.
>>I have installed Shorewall with the standard one-interface rules, while
>>I read up the docs.
>
> If you have tested the package manager for sanity (by moving a file and
> thus not screwing up the time stamps, substituting some other file, and
> then seeing that the package manager does indeed detect the switch - don't
> forget to put the moved file back where it belongs immediately after doing
> the test), you can use rpm to check the files and packages that it knows
> how to check. The syntax as root is 'rpm -Va > files.to.check' and it may
> take a few minutes to run. Don't be surprised to find some files listed
> in 'files.to.check' - generally ownership and permission changes. Also be
> aware that rpm can't test everything. Package managers can only test those
> packages that they have installed, and as yet, I haven't heard about a
> r00tkit-3.1.i386.rpm or the equivalent Debian package, so they won't be
> detected/tested.
>
> [compton ~]$ rpm -Vf /etc/passwd
> S.5....T c /etc/hosts.allow
> S.5....T c /etc/hosts.deny
> S.5....T c /etc/printcap
> S.5....T c /etc/profile
> ..?..... c /etc/securetty
> S.5....T c /etc/services
> [compton ~]$
>
> Here, I wasn't root (so /etc/securetty could not be tested), but I told rpm
> to test the package that /etc/passwd belongs to. Notice that it did not
> say anything about /etc/passwd (or /etc/group), but you _know_ those files
> can't be in "out-of-box" condition - or does Mandrake include my account
> name on your distribution too?
>
>>lsat points out that I don't have ALL:ALL in my hosts.deny. It seems to
>>be a fundamental thing to do, but it isn't put there by default.
>
> Please scan the man page for 'hosts_access(5)' (man 5 hosts_access). The
> hosts.allow and hosts.deny files are only consulted by those applications
> that are using tcp_wrappers or have been compiled with libwrap support.
> Not very many packages do. Yes, /etc/hosts.deny should exist (note that
> it's part of a specific package as noted above), and it should only have
> that single line (other than comments) that says "ALL: ALL", but it's not
> the panacea.
>
>>I will try the tests on that port number next time they catch me (with
>>updated numbers, if need be.)
>
> Port numbers are like telephones. Port numbers from zero to 1023 are
> basically used for incoming services. These are the "well known ports"
> that you'll find listed in http://www.iana.org/assignments/port-numbers
> (a simplified copy of which is included with 'nmap' if you have that
> installed). Because *nix restricts access to ports below 1024 (only
> root can bind processes to them), you will almost never see an _outgoing_
> connection _from_ these ports. Ports above 1023 are userland ports -
> meaning that anyone can use them. While the IANA or nmap port list
> includes a large number of ports above 1023:
>
> [compton ~]$ zcat rfcs/port-numbers.gz | sed -n '/1024\/tcp/,/49151/p' | grep -Ev '(Reserved|Unassigned)' | grep -c tcp
> 3666
> [compton ~]$
>
> not many services are run from these ports. The purpose of "well known
> ports" is so that you can _find_ them - if your news tool didn't know to
> connect to port 119 on the news server, how do you think it would find it?
> If or when you see a portnumber above 1024 that is not commonly known,
> then it's odds on to be a user trying to connect to something out there.
> Thus, your connection from (your) 32771 to someone else's 80 is _highly_
> unlikely to be initiated from the other system. It's not impossible, but
> I'd certainly be looking to see what initiated the connection on your end
> long before I'd think that the remote box started things.
>
>>The file finder is working OK now. I must have something using up
>>resources, and the GUI loses its detail.
>
> GUIs are able to do what the author considered. If some condition or task is
> not what the author planned for, the GUI may be unable to help. As for
> what is using the resources, 'top', 'ps auxw | sort -n +2' (for CPU use,
> +3 for memory use) and 'pstree' will show what's going on.
>
>>I am on a DHCP connection to my ISP, but the address seems to be the same
>>pretty well every time I boot and connect.
>
> That's not uncommon. In your copious free time (wait, you're retired,
> aren't you), another document is
>
> 212647 Jul 22 2002 DSL-HOWTO
>
> though it covers some of the same ground as the Security-Quickstart-HOWTO.
> As a home user, I would not expect you to be running any services (other
> than 113/tcp - the ident or auth server that might be required by your ISP
> or mail server), so even the fundamental 'netstat -tupan' shouldn't show
> much if anything open to the world. Your firewall should be rejecting (or
> denying) all "new" connections (except perhaps to 113/tcp if needed) to
> everything except your loopback.
>
> Old guy
--
ICQ Number 178748389. Registered Linux User No. 277548.
As you grow older, you'll discover that you have two hands: one for helping
yourself, the second for helping others.
- Author Unknown (Attributed to Audrey Hepburn).
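Moe's rule of thumb above (the end of a connection sitting on a well-known port is the service, the end on a port above 1023 is the one that placed the call) applied to 'netstat -tupan' output, so that Doug's 32771 -> 80 case and the opposite case come out labelled. This is an added example, not code from either poster: the netstat lines are constructed, the small table of registered ports above 1023 is a stand-in for the IANA list nmap ships, and the default allowance for a 113/tcp listener follows Moe's remark about ident.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

PRIVILEGED_MAX = 1023          # only root can bind ports below 1024

# Registered services above 1023 that are commonly run as servers. Hand-picked
# stand-in (constructed for this example) for the IANA port-numbers list.
REGISTERED_SERVICES = {3306: "mysql", 5432: "postgresql", 8080: "http-alt"}

# One data line of 'netstat -tupan': proto, recv-q, send-q, local, foreign,
# optional TCP state, optional "pid/program" ("-" when netstat can't see it).
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r"(?:\s+(?P<state>[A-Z_]+))?"
    r"(?:\s+(?P<prog>\d+/\S+|-))?\s*$"
)


@dataclass
class Verdict:
    local: str
    remote: str
    state: str
    initiator: str               # "local", "remote", "listener" or "unknown"
    flags: List[str] = field(default_factory=list)


def is_server_port(port: int) -> bool:
    """A port a service would normally be *found* on: privileged or registered."""
    return port <= PRIVILEGED_MAX or port in REGISTERED_SERVICES


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:           # '*' or a host name
        return False


def classify(line: str) -> Optional[Verdict]:
    m = NETSTAT_RE.match(line)
    if not m:
        return None              # header line, not a socket entry
    local = f"{m['laddr']}:{m['lport']}"
    remote = f"{m['raddr']}:{m['rport']}"
    state = m["state"] or "-"
    if state == "LISTEN" or m["rport"] == "*":
        v = Verdict(local, remote, state, "listener")
        if not _is_loopback(m["laddr"]):
            v.flags.append("exposed")       # bound to more than loopback
        return v
    lport, rport = int(m["lport"]), int(m["rport"])
    ls, rs = is_server_port(lport), is_server_port(rport)
    if ls and not rs:
        initiator = "remote"     # someone out there connected to our service
    elif rs and not ls:
        initiator = "local"      # something on this box placed the call
    else:
        initiator = "unknown"
    v = Verdict(local, remote, state, initiator)
    if ls and rs:
        v.flags.append("both-server-ports")
    if not ls and not rs:
        v.flags.append("both-ephemeral")    # neither end is a findable service
    if m["prog"] in (None, "-"):
        v.flags.append("no-owner")          # run netstat as root to see the pid
    return v


def worth_a_look(output: str, allowed_listeners=(113,)) -> List[Verdict]:
    """Entries a home user should be able to explain: exposed listeners other
    than the allowed ones, anything remote-initiated, and connections where
    neither end is a recognisable service."""
    out = []
    for line in output.splitlines():
        v = classify(line)
        if v is None:
            continue
        port = v.local.rsplit(":", 1)[1]
        if v.initiator == "listener":
            if "exposed" in v.flags and (port == "*" or int(port) not in allowed_listeners):
                out.append(v)
        elif v.initiator in ("remote", "unknown"):
            out.append(v)
    return out


# Constructed sample output; addresses are documentation ranges.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      812/identd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      901/cupsd
tcp        0      0 192.168.1.5:32771       203.0.113.10:80         ESTABLISHED 1432/firefox-bin
tcp        0      0 192.168.1.5:22          198.51.100.7:51234      ESTABLISHED 900/sshd
tcp        0      0 192.168.1.5:6881        203.0.113.9:6882        ESTABLISHED -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           789/dhclient
"""

if __name__ == "__main__":
    for v in worth_a_look(SAMPLE):
        print(f"{v.local:<20} {v.remote:<22} {v.initiator:<9} {' '.join(v.flags)}")
```

The 32771 -> 80 line comes out "local", the sshd line "remote" (someone logged in from outside), and the 6881/6882 pair "unknown" with no owning process, which is exactly the kind of entry to chase with 'ps' and 'pstree' before blaming the other end.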
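The 'rpm -Va > files.to.check' step Moe describes produces a list that mixes harmless config edits with the changes that matter; this is a triage of that list, separating the expected "S.5....T c" config lines from checksum or size changes on non-config files, permission and ownership changes, and entries rpm could not test. It is an added example, not code from the thread: the first four sample lines are Moe's, the last four are constructed, and the severity labels are this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# rpm -V flag columns: S size, M mode, 5 digest, D device, L link target,
# U user, G group, T mtime (rpm 4.x of the period; newer rpm appends P for
# capabilities). '.' means the test passed, '?' means it could not be run
# (e.g. unreadable file when not root). "missing" replaces the flags entirely.
VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$"
)


@dataclass
class Finding:
    path: str
    flags: str
    config: bool
    severity: str        # high, medium, low, info or untested
    reason: str


def classify(line: str) -> Optional[Finding]:
    m = VERIFY_RE.match(line.rstrip())
    if not m:
        return None
    flags, ftype, path = m["flags"], m["ftype"], m["path"]
    config = ftype == "c"                       # %config file: edits expected
    if flags == "missing":
        return Finding(path, flags, config, "medium", "file from the package is gone")
    if set(flags) <= {".", "?"}:
        return Finding(path, flags, config, "untested", "rpm could not test it; rerun as root")
    content_changed = "5" in flags or "S" in flags
    if content_changed and not config:
        return Finding(path, flags, config, "high", "contents differ from the package payload")
    if any(c in flags for c in "MUGLD"):
        return Finding(path, flags, config, "medium", "mode, owner, group, link or device changed")
    if content_changed:
        return Finding(path, flags, config, "info", "edited config file")
    return Finding(path, flags, config, "low", "only the mtime changed")


def triage(output: str) -> Dict[str, List[Finding]]:
    buckets: Dict[str, List[Finding]] = {}
    for line in output.splitlines():
        f = classify(line)
        if f is not None:
            buckets.setdefault(f.severity, []).append(f)
    return buckets


def to_investigate(output: str) -> List[str]:
    """Paths worth looking at by hand: high and medium findings, sorted."""
    b = triage(output)
    return sorted(f.path for f in b.get("high", []) + b.get("medium", []))


# First four lines are from Moe's listing; the rest are constructed.
SAMPLE = """\
S.5....T c /etc/hosts.allow
S.5....T c /etc/hosts.deny
..?..... c /etc/securetty
S.5....T c /etc/services
.......T   /usr/share/doc/shorewall/README
.M...... c /etc/ssh/sshd_config
S.5....T   /bin/ls
missing     /usr/share/man/man1/ls.1.gz
"""

if __name__ == "__main__":
    for sev, items in triage(SAMPLE).items():
        for f in items:
            print(f"{sev:<8} {f.flags:<9} {f.path:<36} {f.reason}")
```

Run it over files.to.check rather than the sample and the "high" bucket is the short list: a non-config file whose size or digest no longer matches what the package shipped. Remember the caveat in the thread: rpm only vouches for files it installed, so a clean run says nothing about anything dropped outside the package database.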