Are Linux boxes vulnerable to be used by botnets?

Matt Graham danceswithcrows at usa.net
Mon Mar 17 16:06:56 MST 2008


After a long battle with technology, Erich Newell wrote:

Please don't top-post, and trim your posts.  Fixed:

> On Mon, Mar 17, 2008 at 1:33 PM, Josef Lowder <joe at actionline.com> wrote:
>> My system seems to have slowed down quite a bit (even when I don't
>> have any programs running) and I can't figure out why.

You'll have to quantify this and be specific for anyone to help you.  There 
are always *a lot* of processes running on any modern box.

>> When I run 'top' I can only see the top 50 or so entries on my monitor
>> and I don't know how to see what else might be there farther down the
>> list.

"man top" for starters.

>> And when I do 'ps -ef', how can I tell which, if any, of those processes
>> could or should be eliminated?

Basically, if it's init, a kernel thread, X, or your WM/DE, you don't want to 
kill it.  "ps auxw" provides more info in a better way than "ps -ef" IMHO.  
Take a look at the %CPU, %MEM, and RSS columns in ps auxw output to see how 
much CPU, total RAM, and how much of that memory is Resident for each 
process.

>> xfs       3003     1  0 Mar07 ?        00:00:00 xfs -port -1 -daemon
>> -droppriv -user xfs

Font server.  In general, you shouldn't need this, but some distros start one 
up for hysterical raisins.  This doesn't use much in the way of resources.

>> root      3033     1  0 Mar07 ?        00:05:21 hald

hald.  Right.

>> root      3189  3180 69 Mar07 tty7     7-01:53:38 /etc/X11/X -deferglyphs
>> 16 :0 -auth /var/run/xauth/A:0-K9voZd

Look how much CPU time X has used.  This is actually normal since X does a 
lot, but there are some distros with buggy X where X calls gettimeofday() 
over and over and over again for no reason.  You can see this by attaching 
strace to X for a little while and eyeball-grepping the output.  Or by 
restarting X and seeing if X suddenly gets a lot faster.

>> root      3190     1  0 Mar07 ?        00:01:00 nifd -n
>> nobody    3252     1  0 Mar07 ?        00:00:00 mDNSResponder

Interesting.  There's no ebuild matching "nifd" here....

>> root      3699     1  0 Mar07 ?        00:00:00 /opt/win4lin/bin/vnetd
>> clamav    3775     1  0 Mar07 ?        00:00:08 /usr/bin/freshclam
>> --config-file=/etc/freshclam.conf --quiet --daemon

win4lin?  Are you using that?  Also, you probably don't need to run clamav if 
your box isn't running SMTP/POP services.

>> joe      17264 17244  0 12:24 ?        00:00:00 /bin/sh /usr/bin/startkde
>> joe      17371 17370  0 12:24 ?        00:00:00 gnome-volume-manager

Why have both KDE and GNOME at the same time?  Also, you need to figure out 
whether you want to solve security problems first or solve WM/DE slowdowns 
first.  They're probably totally orthogonal.

> FTP is also good for file distribution situations that require no
> security...but in these instances I still recommend bit torrent and seeding.
> It's more "net-friendly".

...unless your ISP has throttled all torrent traffic to 0.1% of available 
bandwidth to FIGHT TEH P1R4TES, because the only people using torrents are 
downloading pr0n and w4r3z.  Seriously, I tried to download Planeshift (Free 
game, freely distributable, etcetera) using their torrents a few months back, 
and despite multiple seeders, got less than 1M downloaded over 8 hours.  Lots 
of ISPs now hate torrent traffic and throttle it.  FTP gets a free pass.  
Torrents are more technically friendly, but right now, FTP is more socially 
friendly.

-- 
  "Bother," said Pooh.  "Eeyore, ready two photon torpedoes and lock
  phasers on the Heffalump; Piglet, meet me in transporter room three."
  My blog and resume: http://crow202.dyndns.org:8080/wordpress/
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
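The "look at %CPU, %MEM and RSS in ps auxw" and "attach strace to X and eyeball-grep the output" advice above, turned into a small script. This is an added example, not code from the original post or from any of the projects mentioned. The ps and strace text inside it is constructed sample input (loosely based on the processes Josef listed) so it runs offline; on a real box you would feed it live `ps auxw` output and a `strace -f -p PID -o FILE` capture. The keep/candidate classification is the poster's rule of thumb (init, kernel threads, X, the WM/DE starters) and nothing more; it is not a security scanner.

```shell
#!/bin/sh
# Added example, not part of the original post. Ranks processes by resident
# memory and CPU the way the reply suggests, tags the ones it says not to kill,
# and tallies syscalls from a strace capture instead of eyeballing it.

# Constructed `ps auxw` output (columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START     TIME COMMAND
root         1  0.0  0.1   2020   628 ?        Ss   Mar07     0:02 init [3]
root         2  0.0  0.0      0     0 ?        S<   Mar07     0:00 [kthreadd]
root      3033  0.1  0.3   8800  1600 ?        Ss   Mar07     5:21 hald
root      3189 69.0  4.5  90000 23000 tty7     Rs+  Mar07 10193:38 /etc/X11/X -deferglyphs 16 :0
clamav    3775  0.0  0.2   6000   900 ?        Ss   Mar07     0:08 /usr/bin/freshclam --daemon
joe      17264  0.0  0.1   4000   800 ?        S    12:24     0:00 /bin/sh /usr/bin/startkde
joe      17371  0.0  0.8  20000  4200 ?        S    12:24     0:00 gnome-volume-manager'

# Constructed strace output: what a busy-looping X server might look like.
# A real capture: strace -f -p "$(pidof X)" -o /tmp/x.strace   (Ctrl-C after ~10 s)
SAMPLE_STRACE='gettimeofday({1205793216, 123456}, NULL) = 0
gettimeofday({1205793216, 123460}, NULL) = 0
select(256, [1 4 7], NULL, NULL, {0, 0}) = 0 (Timeout)
gettimeofday({1205793216, 123470}, NULL) = 0
gettimeofday({1205793216, 123475}, NULL) = 0
read(7, "...", 4096) = 32
gettimeofday({1205793216, 123480}, NULL) = 0'

# classify PID COMMAND -> "keep" for init, kernel threads ([name]), the X
# server and the session starters; "candidate" for everything else.
classify() {
    pid=$1; shift
    cmd=$*
    if [ "$pid" = 1 ]; then echo keep; return; fi
    case "$cmd" in
        \[*\]*)                         echo keep ;;   # ps shows kernel threads as [name]
        /etc/X11/X*|/usr/bin/X*|Xorg*)  echo keep ;;
        *startkde*|*gnome-session*)     echo keep ;;
        *)                              echo candidate ;;
    esac
}

# top_by_rss N -> the N largest resident-set processes, "RSS PID COMMAND" per
# line, largest first. RSS is column 6; COMMAND starts at column 11.
top_by_rss() {
    printf '%s\n' "$SAMPLE_PS" | awk 'NR > 1 {
        cmd = $11; for (i = 12; i <= NF; i++) cmd = cmd " " $i
        printf "%s %s %s\n", $6, $2, cmd
    }' | sort -k1,1nr | head -n "$1"
}

# top_cpu_pid -> PID of the process with the highest %CPU (column 3).
top_cpu_pid() {
    printf '%s\n' "$SAMPLE_PS" |
        awk 'BEGIN { max = -1 } NR > 1 && $3 > max { max = $3; pid = $2 } END { print pid }'
}

# syscall_count NAME -> number of NAME calls in SAMPLE_STRACE. The same awk
# works on a real strace -o file; `strace -c -p PID` gives totals directly.
syscall_count() {
    printf '%s\n' "$SAMPLE_STRACE" |
        awk -F'(' -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

report() {
    echo "Top 3 by RSS (KiB), with kill advice:"
    top_by_rss 3 | while read -r rss pid cmd; do
        printf '  %6s %6s %-9s %s\n' "$rss" "$pid" "$(classify "$pid" "$cmd")" "$cmd"
    done
    echo "Highest %CPU is PID $(top_cpu_pid)"
    echo "gettimeofday calls in the strace sample: $(syscall_count gettimeofday)"
}

report
```

On the sample data X (PID 3189) is both the RSS and the %CPU leader and is tagged "keep", which matches the reply: a fat X is normal, and the syscall histogram is what tells you whether it is the gettimeofday-spinning kind of fat rather than a quick look at a scrolling strace.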

