Are Linux boxes vulnerable to be used by botnets?

Ben azlobo73 at gmail.com
Tue Mar 18 13:12:24 MST 2008


Bottom line, for client / workstation installs, your run-of-the-mill
standard install with a firewall turned on will suffice, but its a
good idea to look and see to make sure.  as root, run 'lsof -i -n -P'
as well as 'iptables -L -n' .  The first cmd list open ports and the
owning user/process (lists both listening and established, etc ports,
from servers as well as client processes such as firefox or an IM
client) in a nice and tidy report on screen.  The second lists the
firewall state - what is allows and what it denies.  Comparing the
output of these two commands is a good start on seeing what's
available to be vulnerable to the outside world.

If you tell us what distribution of Linux you're running, then we can
give you tips on: how to make sure your firewall is on and what it
does or doesn't allow through, how to install/upgrade packages (such
as chrootkit assuming your distribution has a package built for it in
its standard repository), and how to disable services not needed to be
running (update-rc.d on debian and ubuntu, chkconfig on redhat/fedora,
and yast2 for SuSe - all these also have GUI alternatives for at least
most of these functions).

One final consideration (and not the least important one) is to be
aware that network ports and services are not the only things to worry
about.  Just like on Windows, running malicious code even as a
non-privileged user can open your system up to potentially being
owned.  Not as likely/easy as in Windows, but by no means implies its
impossible (ref: the recent privilege escalation vulnerability in
2.6.17+ kernels).   Reverse shells (common on Windows for bypassing
firewalls) is no less possible on Linux/Unix, if a user is tricked
into executing code on the remote client.  What an attacker can do
from the inside after that though is somewhat limited, baring
escalation vulnerabilities to exploit to gain root privileges (again,
not 100% impossible, regardless of platform choice).

Erich is right - don't assume your safe because your platform is not
on top of the hit list.  But then again, youe're a lot better off than
most, by a long shot :-)

Ben

On Mon, Mar 17, 2008 at 1:33 PM, Josef Lowder <joe at actionline.com> wrote:
> .
>  On Mon, 17 Mar 2008 09:17, Matt Graham wrote (in part)
>
> > After a long battle with technology, Josef Lowder wrote:
>  > > This is all very interesting ... and confusing for my simple mind.
>  > > It sounds like most of the replies to my question pertain to
>  > > boxes that are used as "servers" and not just "regular users."
>  > > Or are we all "servers"?
>  >
>  > If you're running sshd/apache/smbd/postfix/sendmail/exim/telnetd/
>  > anything like that, then you are a server.
>
>  As far as I know, I am not running any of those things.
>
>
>  > > How can I determine if one of my computers has had something
>  > > like this done?
>  >
>  > "chkrootkit" is a starting point. tripwire is another
>
>  I don't have either of those ... and again it sounds like those
>  have something to do with checking things on a server box.
>
>  My system seems to have slowed down quite a bit (even when I don't
>  have any programs running) and I can't figure out why.
>
>  When I run 'top' I can only see the top 50 or so entries on my monitor
>  and I don't know how to see what else might be there farther down the
>  list.
>
>  And when I do 'ps -ef' (see the list below) how can I tell which,
>  if any, of those processes could be or should be eliminated ...
>  and how to do that?
>
>  -------------------------------------
>  root         1     0  0 Mar07 ?        00:00:03 init [5]
>  root         2     1  0 Mar07 ?        00:00:00 [ksoftirqd/0]
>  root         3     1  0 Mar07 ?        00:00:03 [events/0]
>  root         4     1  0 Mar07 ?        00:00:00 [khelper]
>  root         5     1  0 Mar07 ?        00:00:00 [kthread]
>  root         7     5  0 Mar07 ?        00:00:00 [kacpid]
>  root        81     5  0 Mar07 ?        00:00:00 [kblockd/0]
>  root       113     5  0 Mar07 ?        00:00:00 [pdflush]
>  root       114     5  0 Mar07 ?        00:00:01 [pdflush]
>  root       116     5  0 Mar07 ?        00:00:00 [aio/0]
>  root       115     1  0 Mar07 ?        00:00:09 [kswapd0]
>  root       704     1  0 Mar07 ?        00:00:00 [kseriod]
>  root       796     1  0 Mar07 ?        00:00:02 [kjournald]
>  root       938     1  0 Mar07 ?        00:00:00 udevd -d
>  root      1192     1  0 Mar07 ?        00:00:00 [khubd]
>  root      1577     1  0 Mar07 ?        00:00:12 [kjournald]
>  root      1583     1  0 Mar07 ?        00:00:00 [kjournald]
>  root      2359     1  0 Mar07 ?        00:00:40 /sbin/ifplugd -b -i eth0
>  rpc       2442     1  0 Mar07 ?        00:00:00 portmap
>  root      2466     1  0 Mar07 ?        00:00:00 syslogd -m 0
>  root      2483     1  0 Mar07 ?        00:00:00 klogd -2
>  root      2515     1  0 Mar07 ?        00:00:00 /usr/sbin/acpid
>  root      2551     1  0 Mar07 ?        00:00:00 rpc.statd
>  root      2635     1  0 Mar07 ?        00:00:03 cupsd
>  root      2780     1  0 Mar07 ?        00:00:00 [kgameportd]
>  root      2814     1  0 Mar07 ?        00:00:00 dhclient -1 -q -lf
>  /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhc
>  xfs       3003     1  0 Mar07 ?        00:00:00 xfs -port -1 -daemon -droppriv
>  -user xfs
>  71        3018     1  0 Mar07 ?        00:00:00 dbus-daemon-1 --system
>  root      3033     1  0 Mar07 ?        00:05:21 hald
>  root      3180     1  0 Mar07 ?        00:00:00 /usr/bin/kdm -nodaemon
>  root      3189  3180 69 Mar07 tty7     7-01:53:38 /etc/X11/X -deferglyphs 16
>  :0 -auth /var/run/xauth/A:0-K9voZd
>  root      3190     1  0 Mar07 ?        00:01:00 nifd -n
>  nobody    3252     1  0 Mar07 ?        00:00:00 mDNSResponder
>  daemon    3268     1  0 Mar07 ?        00:00:00 /usr/sbin/atd
>  root      3322     1  0 Mar07 ?        00:00:00 xinetd -stayalive -reuse
>  -pidfile /var/run/xinetd.pid
>  root      3699     1  0 Mar07 ?        00:00:00 /opt/win4lin/bin/vnetd
>  clamav    3775     1  0 Mar07 ?        00:00:08 /usr/bin/freshclam
>  --config-file=/etc/freshclam.conf --quiet --daemon
>  root      3791     1  0 Mar07 ?        00:00:00 crond
>  root      3861     1  0 Mar07 ?        00:00:00 /usr/bin/lisa -c /etc/lisarc
>  root      3900     1  0 Mar07 tty1     00:00:00 /sbin/mingetty tty1
>  root      3901     1  0 Mar07 tty2     00:00:00 /sbin/mingetty tty2
>  root      3902     1  0 Mar07 tty3     00:00:00 /sbin/mingetty tty3
>  root      3903     1  0 Mar07 ?        00:00:00 login -- root
>  root      3904     1  0 Mar07 tty5     00:00:00 /sbin/mingetty tty5
>  root      3905     1  0 Mar07 tty6     00:00:00 /sbin/mingetty tty6
>  joe       4071     1  0 Mar07 ?        00:01:37 /usr/lib/gam_server
>  root      7763  3903  0 Mar10 tty4     00:00:00 -bash
>  joe      21126     1  0 Mar15 ?        00:00:00 /usr/lib/gconfd-2 13
>  root     17244  3180  0 12:24 ?        00:00:00 -:0
>  joe      17264 17244  0 12:24 ?        00:00:00 /bin/sh /usr/bin/startkde
>  joe      17325 17264  0 12:24 ?        00:00:00 /usr/bin/perl /usr/bin/mdkapplet
>  joe      17336 17264  0 12:24 ?        00:00:00 /usr/bin/perl /usr/bin/net_applet
>  joe      17349     1  0 12:24 ?        00:00:00 s2u --daemon=yes
>  joe      17370 17264  0 12:24 ?        00:00:00 /bin/sh /usr/bin/startkde
>  joe      17371 17370  0 12:24 ?        00:00:00 gnome-volume-manager
>  joe      17390     1  0 12:24 ?        00:00:00 kdeinit Running...
>  joe      17393     1  0 12:24 ?        00:00:00 dcopserver [kdeinit] --nosid
>  joe      17395 17390  0 12:24 ?        00:00:00 klauncher [kdeinit]
>  joe      17398     1  0 12:24 ?        00:00:00 kded [kdeinit]
>  joe      17410 17390  0 12:24 ?        00:00:00 /usr/bin/artsd -F 10 -S 4096
>  -s 60 -m artsmessage -c drkonqi -l 3 -f
>  joe      17412     1  0 12:24 ?        00:00:00 kaccess [kdeinit]
>  joe      17413 17264  0 12:24 ?        00:00:00 kwrapper ksmserver
>  joe      17415     1  0 12:24 ?        00:00:00 ksmserver [kdeinit]
>  joe      17417 17390  0 12:24 ?        00:00:00 kwin [kdeinit] -session
>  1014cd7d2d4000120328531400000141940000_1205781
>  joe      17419     1  0 12:24 ?        00:00:00 kdesktop [kdeinit]
>  joe      17422     1  0 12:24 ?        00:00:02 kicker [kdeinit]
>  joe      17424 17390  0 12:24 ?        00:00:00 xsettings-kde
>  joe      17426     1  0 12:24 ?        00:00:00 korgac --miniicon korganizer
>  joe      17427     1  0 12:24 ?        00:00:00 krandrtray -session
>  1014cd7d2d4000115565379600000042880006_1205781767_
>  joe      17429     1  0 12:24 ?        00:00:00 knotify [kdeinit]
>  joe      17554 17390  0 12:29 ?        00:00:00 kio_file [kdeinit] file
>  /home/joe/tmp/ksocket-joe/klauncherFALPab.slav
>  joe      17556     1  0 12:29 ?        00:00:00 kio_uiserver [kdeinit]
>  joe      17864 17390  1 12:33 ?        00:00:00 konsole [kdeinit]
>  joe      17865 17864  0 12:34 pts/1    00:00:00 /bin/bash
>  joe      17910 17865  0 12:34 pts/1    00:00:00 ps -ef
>
>
>
>
>  ---------------------------------------------------
>  PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>  To subscribe, unsubscribe, or to change your mail settings:
>  http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>


More information about the PLUG-discuss mailing list