Are Linux boxes vulnerable to be used by botnets?
Ben
azlobo73 at gmail.com
Tue Mar 18 13:12:24 MST 2008
Bottom line, for client / workstation installs, your run-of-the-mill
standard install with a firewall turned on will suffice, but it's a
good idea to look and see to make sure. As root, run 'lsof -i -n -P'
as well as 'iptables -L -n'. The first cmd lists open ports and the
owning user/process (lists both listening and established, etc. ports,
from servers as well as client processes such as firefox or an IM
client) in a nice and tidy report on screen. The second lists the
firewall state - what it allows and what it denies. Comparing the
output of these two commands is a good start on seeing what's
available to be vulnerable to the outside world.

If you tell us what distribution of Linux you're running, then we can
give you tips on: how to make sure your firewall is on and what it
does or doesn't allow through, how to install/upgrade packages (such
as chkrootkit, assuming your distribution has a package built for it in
its standard repository), and how to disable services not needed to be
running (update-rc.d on Debian and Ubuntu, chkconfig on Red Hat/Fedora,
and yast2 for SuSE - all these also have GUI alternatives for at least
most of these functions).

One final consideration (and not the least important one) is to be
aware that network ports and services are not the only things to worry
about. Just like on Windows, running malicious code even as a
non-privileged user can open your system up to potentially being
owned. Not as likely/easy as in Windows, but that by no means implies
it's impossible (ref: the recent privilege escalation vulnerability in
2.6.17+ kernels). Reverse shells (common on Windows for bypassing
firewalls) are no less possible on Linux/Unix, if a user is tricked
into executing code on the remote client. What an attacker can do
from the inside after that though is somewhat limited, barring
escalation vulnerabilities to exploit to gain root privileges (again,
not 100% impossible, regardless of platform choice).

Erich is right - don't assume you're safe because your platform is not
on top of the hit list. But then again, you're a lot better off than
most, by a long shot :-)
Ben
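As an added example that is not from this thread, the following POSIX shell script does the lsof/iptables comparison Ben describes on constructed sample output: it lists sockets bound on non-loopback addresses and reports whether the INPUT chain admits new connections to each. The sample data and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check what is listening against
# what the firewall admits. Both inputs are constructed samples in the output
# format of 'lsof -i -n -P' and 'iptables -L -n', not real captures.
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4   9876      0t0  TCP *:22 (LISTEN)
cupsd     934 root    4u  IPv4  10234      0t0  TCP 127.0.0.1:631 (LISTEN)
portmap   845 rpc     5u  IPv4   9999      0t0  TCP *:111 (LISTEN)
portmap   845 rpc     6u  IPv4  10000      0t0  UDP *:111
firefox  2210 joe    42u  IPv4  22222      0t0  TCP 192.168.1.5:41234->203.0.113.7:443 (ESTABLISHED)
mDNSResponder 3252 nobody 5u IPv4 11111 0t0 UDP *:5353'
IPTABLES_SAMPLE='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination'

# Sockets that take unsolicited traffic on a non-loopback address: TCP in
# LISTEN state, or UDP with no peer. Prints: proto port user command
exposed_sockets() {
    awk 'NR > 1 && $9 !~ /->/ && ($8 == "UDP" || $10 == "(LISTEN)") {
        addr = $9; sub(/:[0-9]+$/, "", addr); port = $9; sub(/.*:/, "", port)
        if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback only
        printf "%s %s %s %s\n", tolower($8), port, $3, $1 }'
}

# True if the INPUT chain admits new connections to proto/port: an ACCEPT rule
# for that protocol (or "all") with a matching dpt: or no dpt: at all, or an
# ACCEPT policy. A RELATED,ESTABLISHED rule admits no new connections.
firewall_allows() {
    awk -v proto="$1" -v port="$2" '
        /^Chain INPUT/ { inchain = 1; policy = $4; gsub(/[()]/, "", policy); next }
        /^Chain/       { inchain = 0 }
        /state [A-Z,]*ESTABLISHED/ && !/NEW/ { next }
        inchain && $1 == "ACCEPT" && ($2 == proto || $2 == "all") &&
            ($0 !~ /dpt:/ || $0 ~ ("dpt:" port "( |$)")) { found = 1; exit }
        END { exit !(found || policy == "ACCEPT") }'
}

# Join the two views: every exposed socket with the firewall's verdict.
reachable_services() {
    printf '%s\n' "$LSOF_SAMPLE" | exposed_sockets | while read -r proto port user cmd; do
        if printf '%s\n' "$IPTABLES_SAMPLE" | firewall_allows "$proto" "$port"
        then verdict=ALLOWED; else verdict=blocked; fi
        printf '%s/%s %s (%s) %s\n' "$proto" "$port" "$cmd" "$user" "$verdict"
    done
}
reachable_services
```

Note that plain 'iptables -L -n' hides interface matches, so an ACCEPT rule restricted to '-i lo' looks like a blanket accept here; 'iptables -L -n -v' shows the interface column, but its extra columns would need the parser's field numbers adjusted.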
On Mon, Mar 17, 2008 at 1:33 PM, Josef Lowder <joe at actionline.com> wrote:
> On Mon, 17 Mar 2008 09:17, Matt Graham wrote (in part)
>
> > After a long battle with technology, Josef Lowder wrote:
> > > This is all very interesting ... and confusing for my simple mind.
> > > It sounds like most of the replies to my question pertain to
> > > boxes that are used as "servers" and not just "regular users."
> > > Or are we all "servers"?
> >
> > If you're running sshd/apache/smbd/postfix/sendmail/exim/telnetd/
> > anything like that, then you are a server.
>
> As far as I know, I am not running any of those things.
>
>
> > > How can I determine if one of my computers has had something
> > > like this done?
> >
> > "chkrootkit" is a starting point. tripwire is another
>
> I don't have either of those ... and again it sounds like those
> have something to do with checking things on a server box.
>
> My system seems to have slowed down quite a bit (even when I don't
> have any programs running) and I can't figure out why.
>
> When I run 'top' I can only see the top 50 or so entries on my monitor
> and I don't know how to see what else might be there farther down the
> list.
>
> And when I do 'ps -ef' (see the list below) how can I tell which,
> if any, of those processes could be or should be eliminated ...
> and how to do that?
>
> -------------------------------------
> root 1 0 0 Mar07 ? 00:00:03 init [5]
> root 2 1 0 Mar07 ? 00:00:00 [ksoftirqd/0]
> root 3 1 0 Mar07 ? 00:00:03 [events/0]
> root 4 1 0 Mar07 ? 00:00:00 [khelper]
> root 5 1 0 Mar07 ? 00:00:00 [kthread]
> root 7 5 0 Mar07 ? 00:00:00 [kacpid]
> root 81 5 0 Mar07 ? 00:00:00 [kblockd/0]
> root 113 5 0 Mar07 ? 00:00:00 [pdflush]
> root 114 5 0 Mar07 ? 00:00:01 [pdflush]
> root 116 5 0 Mar07 ? 00:00:00 [aio/0]
> root 115 1 0 Mar07 ? 00:00:09 [kswapd0]
> root 704 1 0 Mar07 ? 00:00:00 [kseriod]
> root 796 1 0 Mar07 ? 00:00:02 [kjournald]
> root 938 1 0 Mar07 ? 00:00:00 udevd -d
> root 1192 1 0 Mar07 ? 00:00:00 [khubd]
> root 1577 1 0 Mar07 ? 00:00:12 [kjournald]
> root 1583 1 0 Mar07 ? 00:00:00 [kjournald]
> root 2359 1 0 Mar07 ? 00:00:40 /sbin/ifplugd -b -i eth0
> rpc 2442 1 0 Mar07 ? 00:00:00 portmap
> root 2466 1 0 Mar07 ? 00:00:00 syslogd -m 0
> root 2483 1 0 Mar07 ? 00:00:00 klogd -2
> root 2515 1 0 Mar07 ? 00:00:00 /usr/sbin/acpid
> root 2551 1 0 Mar07 ? 00:00:00 rpc.statd
> root 2635 1 0 Mar07 ? 00:00:03 cupsd
> root 2780 1 0 Mar07 ? 00:00:00 [kgameportd]
> root 2814 1 0 Mar07 ? 00:00:00 dhclient -1 -q -lf /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhc
> xfs 3003 1 0 Mar07 ? 00:00:00 xfs -port -1 -daemon -droppriv -user xfs
> 71 3018 1 0 Mar07 ? 00:00:00 dbus-daemon-1 --system
> root 3033 1 0 Mar07 ? 00:05:21 hald
> root 3180 1 0 Mar07 ? 00:00:00 /usr/bin/kdm -nodaemon
> root 3189 3180 69 Mar07 tty7 7-01:53:38 /etc/X11/X -deferglyphs 16 :0 -auth /var/run/xauth/A:0-K9voZd
> root 3190 1 0 Mar07 ? 00:01:00 nifd -n
> nobody 3252 1 0 Mar07 ? 00:00:00 mDNSResponder
> daemon 3268 1 0 Mar07 ? 00:00:00 /usr/sbin/atd
> root 3322 1 0 Mar07 ? 00:00:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
> root 3699 1 0 Mar07 ? 00:00:00 /opt/win4lin/bin/vnetd
> clamav 3775 1 0 Mar07 ? 00:00:08 /usr/bin/freshclam --config-file=/etc/freshclam.conf --quiet --daemon
> root 3791 1 0 Mar07 ? 00:00:00 crond
> root 3861 1 0 Mar07 ? 00:00:00 /usr/bin/lisa -c /etc/lisarc
> root 3900 1 0 Mar07 tty1 00:00:00 /sbin/mingetty tty1
> root 3901 1 0 Mar07 tty2 00:00:00 /sbin/mingetty tty2
> root 3902 1 0 Mar07 tty3 00:00:00 /sbin/mingetty tty3
> root 3903 1 0 Mar07 ? 00:00:00 login -- root
> root 3904 1 0 Mar07 tty5 00:00:00 /sbin/mingetty tty5
> root 3905 1 0 Mar07 tty6 00:00:00 /sbin/mingetty tty6
> joe 4071 1 0 Mar07 ? 00:01:37 /usr/lib/gam_server
> root 7763 3903 0 Mar10 tty4 00:00:00 -bash
> joe 21126 1 0 Mar15 ? 00:00:00 /usr/lib/gconfd-2 13
> root 17244 3180 0 12:24 ? 00:00:00 -:0
> joe 17264 17244 0 12:24 ? 00:00:00 /bin/sh /usr/bin/startkde
> joe 17325 17264 0 12:24 ? 00:00:00 /usr/bin/perl /usr/bin/mdkapplet
> joe 17336 17264 0 12:24 ? 00:00:00 /usr/bin/perl /usr/bin/net_applet
> joe 17349 1 0 12:24 ? 00:00:00 s2u --daemon=yes
> joe 17370 17264 0 12:24 ? 00:00:00 /bin/sh /usr/bin/startkde
> joe 17371 17370 0 12:24 ? 00:00:00 gnome-volume-manager
> joe 17390 1 0 12:24 ? 00:00:00 kdeinit Running...
> joe 17393 1 0 12:24 ? 00:00:00 dcopserver [kdeinit] --nosid
> joe 17395 17390 0 12:24 ? 00:00:00 klauncher [kdeinit]
> joe 17398 1 0 12:24 ? 00:00:00 kded [kdeinit]
> joe 17410 17390 0 12:24 ? 00:00:00 /usr/bin/artsd -F 10 -S 4096 -s 60 -m artsmessage -c drkonqi -l 3 -f
> joe 17412 1 0 12:24 ? 00:00:00 kaccess [kdeinit]
> joe 17413 17264 0 12:24 ? 00:00:00 kwrapper ksmserver
> joe 17415 1 0 12:24 ? 00:00:00 ksmserver [kdeinit]
> joe 17417 17390 0 12:24 ? 00:00:00 kwin [kdeinit] -session 1014cd7d2d4000120328531400000141940000_1205781
> joe 17419 1 0 12:24 ? 00:00:00 kdesktop [kdeinit]
> joe 17422 1 0 12:24 ? 00:00:02 kicker [kdeinit]
> joe 17424 17390 0 12:24 ? 00:00:00 xsettings-kde
> joe 17426 1 0 12:24 ? 00:00:00 korgac --miniicon korganizer
> joe 17427 1 0 12:24 ? 00:00:00 krandrtray -session 1014cd7d2d4000115565379600000042880006_1205781767_
> joe 17429 1 0 12:24 ? 00:00:00 knotify [kdeinit]
> joe 17554 17390 0 12:29 ? 00:00:00 kio_file [kdeinit] file /home/joe/tmp/ksocket-joe/klauncherFALPab.slav
> joe 17556 1 0 12:29 ? 00:00:00 kio_uiserver [kdeinit]
> joe 17864 17390 1 12:33 ? 00:00:00 konsole [kdeinit]
> joe 17865 17864 0 12:34 pts/1 00:00:00 /bin/bash
> joe 17910 17865 0 12:34 pts/1 00:00:00 ps -ef
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>