Are Linux boxes vulnerable to be used by botnets?

Erich Newell erich.newell at gmail.com
Mon Mar 17 13:40:40 MST 2008


You should be mostly concerned with what is in your startup scripts and
init.d directory. Do a "netstat -antu" and start with those. Look for
anything "LISTEN"ing on a non-loopback interface. Do you know what they all
are and why they are running? If not, then figure out what they are and
eliminate them.

99.9999967% of systems should only be listening on 22, 80 and 443. FTP is
also good for file distribution situations that require no security...but in
these instances I still recommend bit torrent and seeding. Its more
"net-friendly".


On Mon, Mar 17, 2008 at 1:33 PM, Josef Lowder <joe at actionline.com> wrote:

> .
> On Mon, 17 Mar 2008 09:17, Matt Graham wrote (in part)
> > After a long battle with technology, Josef Lowder wrote:
> > > This is all very interesting ... and confusing for my simple mind.
> > > It sounds like most of the replies to my question pertain to
> > > boxes that are used as "servers" and not just "regular users."
> > > Or are we all "servers"?
> >
> > If you're running sshd/apache/smbd/postfix/sendmail/exim/telnetd/
> > anything like that, then you are a server.
>
> As far as I know, I am not running any of those things.
>
> > > How can I determine if one of my computers has had something
> > > like this done?
> >
> > "chkrootkit" is a starting point. tripwire is another
>
> I don't have either of those ... and again it sounds like those
> have something to do with checking things on a server box.
>
> My system seems to have slowed down quite a bit (even when I don't
> have any programs running) and I can't figure out why.
>
> When I run 'top' I can only see the top 50 or so entries on my monitor
> and I don't know how to see what else might be there farther down the
> list.
>
> And when I do 'ps -ef' (see the list below) how can I tell which,
> if any, of those processes could be or should be eliminated ...
> and how to do that?
>
> -------------------------------------
> root         1     0  0 Mar07 ?        00:00:03 init [5]
> root         2     1  0 Mar07 ?        00:00:00 [ksoftirqd/0]
> root         3     1  0 Mar07 ?        00:00:03 [events/0]
> root         4     1  0 Mar07 ?        00:00:00 [khelper]
> root         5     1  0 Mar07 ?        00:00:00 [kthread]
> root         7     5  0 Mar07 ?        00:00:00 [kacpid]
> root        81     5  0 Mar07 ?        00:00:00 [kblockd/0]
> root       113     5  0 Mar07 ?        00:00:00 [pdflush]
> root       114     5  0 Mar07 ?        00:00:01 [pdflush]
> root       116     5  0 Mar07 ?        00:00:00 [aio/0]
> root       115     1  0 Mar07 ?        00:00:09 [kswapd0]
> root       704     1  0 Mar07 ?        00:00:00 [kseriod]
> root       796     1  0 Mar07 ?        00:00:02 [kjournald]
> root       938     1  0 Mar07 ?        00:00:00 udevd -d
> root      1192     1  0 Mar07 ?        00:00:00 [khubd]
> root      1577     1  0 Mar07 ?        00:00:12 [kjournald]
> root      1583     1  0 Mar07 ?        00:00:00 [kjournald]
> root      2359     1  0 Mar07 ?        00:00:40 /sbin/ifplugd -b -i eth0
> rpc       2442     1  0 Mar07 ?        00:00:00 portmap
> root      2466     1  0 Mar07 ?        00:00:00 syslogd -m 0
> root      2483     1  0 Mar07 ?        00:00:00 klogd -2
> root      2515     1  0 Mar07 ?        00:00:00 /usr/sbin/acpid
> root      2551     1  0 Mar07 ?        00:00:00 rpc.statd
> root      2635     1  0 Mar07 ?        00:00:03 cupsd
> root      2780     1  0 Mar07 ?        00:00:00 [kgameportd]
> root      2814     1  0 Mar07 ?        00:00:00 dhclient -1 -q -lf
> /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhc
> xfs       3003     1  0 Mar07 ?        00:00:00 xfs -port -1 -daemon
> -droppriv
> -user xfs
> 71        3018     1  0 Mar07 ?        00:00:00 dbus-daemon-1 --system
> root      3033     1  0 Mar07 ?        00:05:21 hald
> root      3180     1  0 Mar07 ?        00:00:00 /usr/bin/kdm -nodaemon
> root      3189  3180 69 Mar07 tty7     7-01:53:38 /etc/X11/X -deferglyphs
> 16
> :0 -auth /var/run/xauth/A:0-K9voZd
> root      3190     1  0 Mar07 ?        00:01:00 nifd -n
> nobody    3252     1  0 Mar07 ?        00:00:00 mDNSResponder
> daemon    3268     1  0 Mar07 ?        00:00:00 /usr/sbin/atd
> root      3322     1  0 Mar07 ?        00:00:00 xinetd -stayalive -reuse
> -pidfile /var/run/xinetd.pid
> root      3699     1  0 Mar07 ?        00:00:00 /opt/win4lin/bin/vnetd
> clamav    3775     1  0 Mar07 ?        00:00:08 /usr/bin/freshclam
> --config-file=/etc/freshclam.conf --quiet --daemon
> root      3791     1  0 Mar07 ?        00:00:00 crond
> root      3861     1  0 Mar07 ?        00:00:00 /usr/bin/lisa -c
> /etc/lisarc
> root      3900     1  0 Mar07 tty1     00:00:00 /sbin/mingetty tty1
> root      3901     1  0 Mar07 tty2     00:00:00 /sbin/mingetty tty2
> root      3902     1  0 Mar07 tty3     00:00:00 /sbin/mingetty tty3
> root      3903     1  0 Mar07 ?        00:00:00 login -- root
> root      3904     1  0 Mar07 tty5     00:00:00 /sbin/mingetty tty5
> root      3905     1  0 Mar07 tty6     00:00:00 /sbin/mingetty tty6
> joe       4071     1  0 Mar07 ?        00:01:37 /usr/lib/gam_server
> root      7763  3903  0 Mar10 tty4     00:00:00 -bash
> joe      21126     1  0 Mar15 ?        00:00:00 /usr/lib/gconfd-2 13
> root     17244  3180  0 12:24 ?        00:00:00 -:0
> joe      17264 17244  0 12:24 ?        00:00:00 /bin/sh /usr/bin/startkde
> joe      17325 17264  0 12:24 ?        00:00:00 /usr/bin/perl
> /usr/bin/mdkapplet
> joe      17336 17264  0 12:24 ?        00:00:00 /usr/bin/perl
> /usr/bin/net_applet
> joe      17349     1  0 12:24 ?        00:00:00 s2u --daemon=yes
> joe      17370 17264  0 12:24 ?        00:00:00 /bin/sh /usr/bin/startkde
> joe      17371 17370  0 12:24 ?        00:00:00 gnome-volume-manager
> joe      17390     1  0 12:24 ?        00:00:00 kdeinit Running...
> joe      17393     1  0 12:24 ?        00:00:00 dcopserver [kdeinit]
> --nosid
> joe      17395 17390  0 12:24 ?        00:00:00 klauncher [kdeinit]
> joe      17398     1  0 12:24 ?        00:00:00 kded [kdeinit]
> joe      17410 17390  0 12:24 ?        00:00:00 /usr/bin/artsd -F 10 -S
> 4096
> -s 60 -m artsmessage -c drkonqi -l 3 -f
> joe      17412     1  0 12:24 ?        00:00:00 kaccess [kdeinit]
> joe      17413 17264  0 12:24 ?        00:00:00 kwrapper ksmserver
> joe      17415     1  0 12:24 ?        00:00:00 ksmserver [kdeinit]
> joe      17417 17390  0 12:24 ?        00:00:00 kwin [kdeinit] -session
> 1014cd7d2d4000120328531400000141940000_1205781
> joe      17419     1  0 12:24 ?        00:00:00 kdesktop [kdeinit]
> joe      17422     1  0 12:24 ?        00:00:02 kicker [kdeinit]
> joe      17424 17390  0 12:24 ?        00:00:00 xsettings-kde
> joe      17426     1  0 12:24 ?        00:00:00 korgac --miniicon
> korganizer
> joe      17427     1  0 12:24 ?        00:00:00 krandrtray -session
> 1014cd7d2d4000115565379600000042880006_1205781767_
> joe      17429     1  0 12:24 ?        00:00:00 knotify [kdeinit]
> joe      17554 17390  0 12:29 ?        00:00:00 kio_file [kdeinit] file
> /home/joe/tmp/ksocket-joe/klauncherFALPab.slav
> joe      17556     1  0 12:29 ?        00:00:00 kio_uiserver [kdeinit]
> joe      17864 17390  1 12:33 ?        00:00:00 konsole [kdeinit]
> joe      17865 17864  0 12:34 pts/1    00:00:00 /bin/bash
> joe      17910 17865  0 12:34 pts/1    00:00:00 ps -ef
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
"A man is defined by the questions that he asks; and the way he goes about
finding the answers to those questions is the way he goes through life."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20080317/efc16ec3/attachment.htm 


More information about the PLUG-discuss mailing list