You should be mostly concerned with what is in your startup scripts and init.d directory. Do a "netstat -antu" and start with those. Look for anything "LISTEN"ing on a non-loopback interface. Do you know what they all are and why they are running? If not, then figure out what they are and eliminate them. 99.9999967% of systems should only be listening on 22, 80 and 443. FTP is also good for file distribution situations that require no security...but in these instances I still recommend bit torrent and seeding. It's more "net-friendly".

On Mon, Mar 17, 2008 at 1:33 PM, Josef Lowder wrote:
> .
> On Mon, 17 Mar 2008 09:17, Matt Graham wrote (in part)
> > After a long battle with technology, Josef Lowder wrote:
> > > This is all very interesting ... and confusing for my simple mind.
> > > It sounds like most of the replies to my question pertain to
> > > boxes that are used as "servers" and not just "regular users."
> > > Or are we all "servers"?
> >
> > If you're running sshd/apache/smbd/postfix/sendmail/exim/telnetd/
> > anything like that, then you are a server.
>
> As far as I know, I am not running any of those things.
>
> > > How can I determine if one of my computers has had something
> > > like this done?
> >
> > "chkrootkit" is a starting point. tripwire is another
>
> I don't have either of those ... and again it sounds like those
> have something to do with checking things on a server box.
>
> My system seems to have slowed down quite a bit (even when I don't
> have any programs running) and I can't figure out why.
>
> When I run 'top' I can only see the top 50 or so entries on my monitor
> and I don't know how to see what else might be there farther down the
> list.
>
> And when I do 'ps -ef' (see the list below) how can I tell which,
> if any, of those processes could be or should be eliminated ...
> and how to do that?
>
> -------------------------------------
> root 1 0 0 Mar07 ? 00:00:03 init [5]
> root 2 1 0 Mar07 ? 00:00:00 [ksoftirqd/0]
> root 3 1 0 Mar07 ? 00:00:03 [events/0]
> root 4 1 0 Mar07 ? 00:00:00 [khelper]
> root 5 1 0 Mar07 ? 00:00:00 [kthread]
> root 7 5 0 Mar07 ? 00:00:00 [kacpid]
> root 81 5 0 Mar07 ? 00:00:00 [kblockd/0]
> root 113 5 0 Mar07 ? 00:00:00 [pdflush]
> root 114 5 0 Mar07 ? 00:00:01 [pdflush]
> root 116 5 0 Mar07 ? 00:00:00 [aio/0]
> root 115 1 0 Mar07 ? 00:00:09 [kswapd0]
> root 704 1 0 Mar07 ? 00:00:00 [kseriod]
> root 796 1 0 Mar07 ? 00:00:02 [kjournald]
> root 938 1 0 Mar07 ? 00:00:00 udevd -d
> root 1192 1 0 Mar07 ? 00:00:00 [khubd]
> root 1577 1 0 Mar07 ? 00:00:12 [kjournald]
> root 1583 1 0 Mar07 ? 00:00:00 [kjournald]
> root 2359 1 0 Mar07 ? 00:00:40 /sbin/ifplugd -b -i eth0
> rpc 2442 1 0 Mar07 ? 00:00:00 portmap
> root 2466 1 0 Mar07 ? 00:00:00 syslogd -m 0
> root 2483 1 0 Mar07 ? 00:00:00 klogd -2
> root 2515 1 0 Mar07 ? 00:00:00 /usr/sbin/acpid
> root 2551 1 0 Mar07 ? 00:00:00 rpc.statd
> root 2635 1 0 Mar07 ? 00:00:03 cupsd
> root 2780 1 0 Mar07 ? 00:00:00 [kgameportd]
> root 2814 1 0 Mar07 ? 00:00:00 dhclient -1 -q -lf /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhc
> xfs 3003 1 0 Mar07 ? 00:00:00 xfs -port -1 -daemon -droppriv -user xfs
> 71 3018 1 0 Mar07 ? 00:00:00 dbus-daemon-1 --system
> root 3033 1 0 Mar07 ? 00:05:21 hald
> root 3180 1 0 Mar07 ? 00:00:00 /usr/bin/kdm -nodaemon
> root 3189 3180 69 Mar07 tty7 7-01:53:38 /etc/X11/X -deferglyphs 16 :0 -auth /var/run/xauth/A:0-K9voZd
> root 3190 1 0 Mar07 ? 00:01:00 nifd -n
> nobody 3252 1 0 Mar07 ? 00:00:00 mDNSResponder
> daemon 3268 1 0 Mar07 ? 00:00:00 /usr/sbin/atd
> root 3322 1 0 Mar07 ? 00:00:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
> root 3699 1 0 Mar07 ? 00:00:00 /opt/win4lin/bin/vnetd
> clamav 3775 1 0 Mar07 ? 00:00:08 /usr/bin/freshclam --config-file=/etc/freshclam.conf --quiet --daemon
> root 3791 1 0 Mar07 ? 00:00:00 crond
> root 3861 1 0 Mar07 ? 00:00:00 /usr/bin/lisa -c /etc/lisarc
> root 3900 1 0 Mar07 tty1 00:00:00 /sbin/mingetty tty1
> root 3901 1 0 Mar07 tty2 00:00:00 /sbin/mingetty tty2
> root 3902 1 0 Mar07 tty3 00:00:00 /sbin/mingetty tty3
> root 3903 1 0 Mar07 ? 00:00:00 login -- root
> root 3904 1 0 Mar07 tty5 00:00:00 /sbin/mingetty tty5
> root 3905 1 0 Mar07 tty6 00:00:00 /sbin/mingetty tty6
> joe 4071 1 0 Mar07 ? 00:01:37 /usr/lib/gam_server
> root 7763 3903 0 Mar10 tty4 00:00:00 -bash
> joe 21126 1 0 Mar15 ? 00:00:00 /usr/lib/gconfd-2 13
> root 17244 3180 0 12:24 ? 00:00:00 -:0
> joe 17264 17244 0 12:24 ? 00:00:00 /bin/sh /usr/bin/startkde
> joe 17325 17264 0 12:24 ? 00:00:00 /usr/bin/perl /usr/bin/mdkapplet
> joe 17336 17264 0 12:24 ? 00:00:00 /usr/bin/perl /usr/bin/net_applet
> joe 17349 1 0 12:24 ? 00:00:00 s2u --daemon=yes
> joe 17370 17264 0 12:24 ? 00:00:00 /bin/sh /usr/bin/startkde
> joe 17371 17370 0 12:24 ? 00:00:00 gnome-volume-manager
> joe 17390 1 0 12:24 ? 00:00:00 kdeinit Running...
> joe 17393 1 0 12:24 ? 00:00:00 dcopserver [kdeinit] --nosid
> joe 17395 17390 0 12:24 ? 00:00:00 klauncher [kdeinit]
> joe 17398 1 0 12:24 ? 00:00:00 kded [kdeinit]
> joe 17410 17390 0 12:24 ? 00:00:00 /usr/bin/artsd -F 10 -S 4096 -s 60 -m artsmessage -c drkonqi -l 3 -f
> joe 17412 1 0 12:24 ? 00:00:00 kaccess [kdeinit]
> joe 17413 17264 0 12:24 ? 00:00:00 kwrapper ksmserver
> joe 17415 1 0 12:24 ? 00:00:00 ksmserver [kdeinit]
> joe 17417 17390 0 12:24 ? 00:00:00 kwin [kdeinit] -session 1014cd7d2d4000120328531400000141940000_1205781
> joe 17419 1 0 12:24 ? 00:00:00 kdesktop [kdeinit]
> joe 17422 1 0 12:24 ? 00:00:02 kicker [kdeinit]
> joe 17424 17390 0 12:24 ? 00:00:00 xsettings-kde
> joe 17426 1 0 12:24 ? 00:00:00 korgac --miniicon korganizer
> joe 17427 1 0 12:24 ? 00:00:00 krandrtray -session 1014cd7d2d4000115565379600000042880006_1205781767_
> joe 17429 1 0 12:24 ? 00:00:00 knotify [kdeinit]
> joe 17554 17390 0 12:29 ? 00:00:00 kio_file [kdeinit] file /home/joe/tmp/ksocket-joe/klauncherFALPab.slav
> joe 17556 1 0 12:29 ? 00:00:00 kio_uiserver [kdeinit]
> joe 17864 17390 1 12:33 ? 00:00:00 konsole [kdeinit]
> joe 17865 17864 0 12:34 pts/1 00:00:00 /bin/bash
> joe 17910 17865 0 12:34 pts/1 00:00:00 ps -ef
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

--
"A man is defined by the questions that he asks; and the way he goes about finding the answers to those questions is the way he goes through life."
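
The check described in the reply above (run "netstat -antu", ignore loopback, question anything listening outside 22, 80 and 443), as an added example that is not part of the original message. The helper names and the sample netstat output are constructed for illustration, and the handling of UDP sockets, which never show a LISTEN state, goes slightly beyond what the reply spells out.

```shell
#!/bin/sh
# Added example: flag sockets exposed on non-loopback addresses whose port
# is outside an allowlist. Reads `netstat -antu` output on stdin.

# Constructed sample of `netstat -antu` output (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:22         192.168.1.5:51234       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 192.168.1.20:68         192.168.1.1:67          ESTABLISHED
EOF
}

# unexpected_listeners [PORTS]  (hypothetical helper name)
# PORTS: comma-separated allowlist; default is the 22, 80, 443 from the post.
# Prints "proto address port" for each exposed socket not on the allowlist.
unexpected_listeners() {
    awk -v allow="${1:-22,80,443}" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        # TCP: only sockets in state LISTEN. UDP has no LISTEN state, so a
        # bound UDP socket is recognised by its wildcard foreign address.
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        if ($1 ~ /^udp/ && $5 !~ /:[*]$/) next
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)   # drop the trailing ":port"
        sub(/^.*:/, "", port)      # keep what follows the last colon
        if (addr ~ /^127[.]/ || addr == "::1") next   # loopback only
        if (port in ok) next                          # expected service
        print $1, addr, port
    }'
}

# Demo on the sample; on a real host: netstat -antu | unexpected_listeners
sample_netstat | unexpected_listeners
```

Each line printed is a socket to identify and then either justify or shut off, which is the review the reply asks for.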