Are Linux boxes vulnerable to be used by botnets?
Erich Newell
erich.newell at gmail.com
Mon Mar 17 13:40:40 MST 2008
You should be mostly concerned with what is in your startup scripts and
init.d directory. Do a "netstat -antu" and start with those. Look for
anything "LISTEN"ing on a non-loopback interface. Do you know what they all
are and why they are running? If not, then figure out what they are and
eliminate them.
99.9999967% of systems should only be listening on 22, 80 and 443. FTP is
also good for file distribution situations that require no security...but in
these instances I still recommend bit torrent and seeding. It's more
"net-friendly".
On Mon, Mar 17, 2008 at 1:33 PM, Josef Lowder <joe at actionline.com> wrote:
> On Mon, 17 Mar 2008 09:17, Matt Graham wrote (in part)
> > After a long battle with technology, Josef Lowder wrote:
> > > This is all very interesting ... and confusing for my simple mind.
> > > It sounds like most of the replies to my question pertain to
> > > boxes that are used as "servers" and not just "regular users."
> > > Or are we all "servers"?
> >
> > If you're running sshd/apache/smbd/postfix/sendmail/exim/telnetd/
> > anything like that, then you are a server.
>
> As far as I know, I am not running any of those things.
>
> > > How can I determine if one of my computers has had something
> > > like this done?
> >
> > "chkrootkit" is a starting point. tripwire is another
>
> I don't have either of those ... and again it sounds like those
> have something to do with checking things on a server box.
>
> My system seems to have slowed down quite a bit (even when I don't
> have any programs running) and I can't figure out why.
>
> When I run 'top' I can only see the top 50 or so entries on my monitor
> and I don't know how to see what else might be there farther down the
> list.
>
> And when I do 'ps -ef' (see the list below) how can I tell which,
> if any, of those processes could be or should be eliminated ...
> and how to do that?
>
> -------------------------------------
> root 1 0 0 Mar07 ? 00:00:03 init [5]
> root 2 1 0 Mar07 ? 00:00:00 [ksoftirqd/0]
> root 3 1 0 Mar07 ? 00:00:03 [events/0]
> root 4 1 0 Mar07 ? 00:00:00 [khelper]
> root 5 1 0 Mar07 ? 00:00:00 [kthread]
> root 7 5 0 Mar07 ? 00:00:00 [kacpid]
> root 81 5 0 Mar07 ? 00:00:00 [kblockd/0]
> root 113 5 0 Mar07 ? 00:00:00 [pdflush]
> root 114 5 0 Mar07 ? 00:00:01 [pdflush]
> root 116 5 0 Mar07 ? 00:00:00 [aio/0]
> root 115 1 0 Mar07 ? 00:00:09 [kswapd0]
> root 704 1 0 Mar07 ? 00:00:00 [kseriod]
> root 796 1 0 Mar07 ? 00:00:02 [kjournald]
> root 938 1 0 Mar07 ? 00:00:00 udevd -d
> root 1192 1 0 Mar07 ? 00:00:00 [khubd]
> root 1577 1 0 Mar07 ? 00:00:12 [kjournald]
> root 1583 1 0 Mar07 ? 00:00:00 [kjournald]
> root 2359 1 0 Mar07 ? 00:00:40 /sbin/ifplugd -b -i eth0
> rpc 2442 1 0 Mar07 ? 00:00:00 portmap
> root 2466 1 0 Mar07 ? 00:00:00 syslogd -m 0
> root 2483 1 0 Mar07 ? 00:00:00 klogd -2
> root 2515 1 0 Mar07 ? 00:00:00 /usr/sbin/acpid
> root 2551 1 0 Mar07 ? 00:00:00 rpc.statd
> root 2635 1 0 Mar07 ? 00:00:03 cupsd
> root 2780 1 0 Mar07 ? 00:00:00 [kgameportd]
> root 2814 1 0 Mar07 ? 00:00:00 dhclient -1 -q -lf
> /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhc
> xfs 3003 1 0 Mar07 ? 00:00:00 xfs -port -1 -daemon
> -droppriv
> -user xfs
> 71 3018 1 0 Mar07 ? 00:00:00 dbus-daemon-1 --system
> root 3033 1 0 Mar07 ? 00:05:21 hald
> root 3180 1 0 Mar07 ? 00:00:00 /usr/bin/kdm -nodaemon
> root 3189 3180 69 Mar07 tty7 7-01:53:38 /etc/X11/X -deferglyphs
> 16
> :0 -auth /var/run/xauth/A:0-K9voZd
> root 3190 1 0 Mar07 ? 00:01:00 nifd -n
> nobody 3252 1 0 Mar07 ? 00:00:00 mDNSResponder
> daemon 3268 1 0 Mar07 ? 00:00:00 /usr/sbin/atd
> root 3322 1 0 Mar07 ? 00:00:00 xinetd -stayalive -reuse
> -pidfile /var/run/xinetd.pid
> root 3699 1 0 Mar07 ? 00:00:00 /opt/win4lin/bin/vnetd
> clamav 3775 1 0 Mar07 ? 00:00:08 /usr/bin/freshclam
> --config-file=/etc/freshclam.conf --quiet --daemon
> root 3791 1 0 Mar07 ? 00:00:00 crond
> root 3861 1 0 Mar07 ? 00:00:00 /usr/bin/lisa -c
> /etc/lisarc
> root 3900 1 0 Mar07 tty1 00:00:00 /sbin/mingetty tty1
> root 3901 1 0 Mar07 tty2 00:00:00 /sbin/mingetty tty2
> root 3902 1 0 Mar07 tty3 00:00:00 /sbin/mingetty tty3
> root 3903 1 0 Mar07 ? 00:00:00 login -- root
> root 3904 1 0 Mar07 tty5 00:00:00 /sbin/mingetty tty5
> root 3905 1 0 Mar07 tty6 00:00:00 /sbin/mingetty tty6
> joe 4071 1 0 Mar07 ? 00:01:37 /usr/lib/gam_server
> root 7763 3903 0 Mar10 tty4 00:00:00 -bash
> joe 21126 1 0 Mar15 ? 00:00:00 /usr/lib/gconfd-2 13
> root 17244 3180 0 12:24 ? 00:00:00 -:0
> joe 17264 17244 0 12:24 ? 00:00:00 /bin/sh /usr/bin/startkde
> joe 17325 17264 0 12:24 ? 00:00:00 /usr/bin/perl
> /usr/bin/mdkapplet
> joe 17336 17264 0 12:24 ? 00:00:00 /usr/bin/perl
> /usr/bin/net_applet
> joe 17349 1 0 12:24 ? 00:00:00 s2u --daemon=yes
> joe 17370 17264 0 12:24 ? 00:00:00 /bin/sh /usr/bin/startkde
> joe 17371 17370 0 12:24 ? 00:00:00 gnome-volume-manager
> joe 17390 1 0 12:24 ? 00:00:00 kdeinit Running...
> joe 17393 1 0 12:24 ? 00:00:00 dcopserver [kdeinit]
> --nosid
> joe 17395 17390 0 12:24 ? 00:00:00 klauncher [kdeinit]
> joe 17398 1 0 12:24 ? 00:00:00 kded [kdeinit]
> joe 17410 17390 0 12:24 ? 00:00:00 /usr/bin/artsd -F 10 -S
> 4096
> -s 60 -m artsmessage -c drkonqi -l 3 -f
> joe 17412 1 0 12:24 ? 00:00:00 kaccess [kdeinit]
> joe 17413 17264 0 12:24 ? 00:00:00 kwrapper ksmserver
> joe 17415 1 0 12:24 ? 00:00:00 ksmserver [kdeinit]
> joe 17417 17390 0 12:24 ? 00:00:00 kwin [kdeinit] -session
> 1014cd7d2d4000120328531400000141940000_1205781
> joe 17419 1 0 12:24 ? 00:00:00 kdesktop [kdeinit]
> joe 17422 1 0 12:24 ? 00:00:02 kicker [kdeinit]
> joe 17424 17390 0 12:24 ? 00:00:00 xsettings-kde
> joe 17426 1 0 12:24 ? 00:00:00 korgac --miniicon
> korganizer
> joe 17427 1 0 12:24 ? 00:00:00 krandrtray -session
> 1014cd7d2d4000115565379600000042880006_1205781767_
> joe 17429 1 0 12:24 ? 00:00:00 knotify [kdeinit]
> joe 17554 17390 0 12:29 ? 00:00:00 kio_file [kdeinit] file
> /home/joe/tmp/ksocket-joe/klauncherFALPab.slav
> joe 17556 1 0 12:29 ? 00:00:00 kio_uiserver [kdeinit]
> joe 17864 17390 1 12:33 ? 00:00:00 konsole [kdeinit]
> joe 17865 17864 0 12:34 pts/1 00:00:00 /bin/bash
> joe 17910 17865 0 12:34 pts/1 00:00:00 ps -ef
--
"A man is defined by the questions that he asks; and the way he goes about
finding the answers to those questions is the way he goes through life."
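The "netstat -antu" check described above, as an added example that is not part of the original post: a small POSIX shell/awk filter that flags sockets bound to something other than loopback. The netstat sample is constructed, and the column layout assumed is that of Linux net-tools netstat.

```shell
#!/bin/sh
# Added example, not from the original message: list sockets that are
# LISTENing (TCP) or bound (UDP) on a non-loopback address, i.e. the ones a
# remote host could reach. Pipe real output in: netstat -antu | find_exposed_listeners

# Constructed sample of what "netstat -antu" prints on a Linux box.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# Reads netstat output on stdin; prints "proto host port" for each exposed socket.
find_exposed_listeners() {
    awk '
        NR <= 2 { next }                      # skip the two header lines
        {
            proto = $1; local = $4; state = $6
            # The port follows the last ":"; the host is everything before it
            # (IPv6 addresses contain ":" themselves, so split from the right).
            n = split(local, parts, ":")
            port = parts[n]
            host = substr(local, 1, length(local) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next   # loopback only
            if (proto ~ /^tcp/ && state != "LISTEN") next    # UDP has no state
            print proto, host, port
        }'
}

# Runs the filter over the constructed sample so the result can be checked.
exposed_in_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | find_exposed_listeners
}

exposed_in_sample
```

Each line printed is a service to account for, as the message says: know what it is and why it runs, or remove it from the startup scripts. The sample leaves 22, 111 and 80 on TCP and 68 on UDP exposed while the loopback-only CUPS, SMTP and NTP sockets are ignored.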