<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
I am not a security expert but would like to give my suggestions.<br>
<br>
On 02/10/2011 06:07 AM, Ramnarayan.K wrote:
<blockquote
cite="mid:AANLkTimSnu=TFNKeERwq=46OTVAcPv1ZpBXAdp929ceT@mail.gmail.com"
type="cite">
<pre wrap="">Hi
Some days back I posted a problem / warnings reported by chkrootkit
A port 4000 came up with this error message
Checking `bindshell'... INFECTED
(PORTS: 4000)
</pre>
</blockquote>
You can check whether some service is listening on port
4000, or list all listening ports:<br>
<br>
<i>netstat -tua</i><br>
<i>t for tcp<br>
u for udp<br>
</i>
<blockquote
cite="mid:AANLkTimSnu=TFNKeERwq=46OTVAcPv1ZpBXAdp929ceT@mail.gmail.com"
type="cite">
<pre wrap="">
I also ran rkhunter
these were the "warnings" I got
[11:03:54] /usr/sbin/unhide [ Warning ]
[11:03:54] Warning: The file '/usr/sbin/unhide' exists on the system,
but it is not present in the rkhunter.dat file.
[11:03:55] /usr/sbin/unhide-linux26 [ Warning ]
[11:03:55] Warning: The file '/usr/sbin/unhide-linux26' exists on the
system, but it is not present in the rkhunter.dat file.
</pre>
</blockquote>
I don't think these 2 are problems to be worried about.<br>
If you have doubts, find the md5sum, install a new virtual OS,
install it there and find the md5sum. I guess there are other ways to check file
integrity, like tripwire.<br>
<blockquote
cite="mid:AANLkTimSnu=TFNKeERwq=46OTVAcPv1ZpBXAdp929ceT@mail.gmail.com"
type="cite">
<pre wrap="">
and the following
[11:06:53] Checking /dev for suspicious file types [ Warning ]
[11:06:53] Warning: Suspicious file types found in /dev:
[11:06:53] /dev/shm/pulse-shm-2140383202: data
[11:06:53] /dev/shm/pulse-shm-3707541799: data
[11:06:53] /dev/shm/pulse-shm-797584089: data
[11:06:54] /dev/shm/pulse-shm-1322839818: data
[11:06:54] /dev/shm/pulse-shm-1033208539: data
[11:06:54] /dev/shm/pulse-shm-2106326488: data
[11:06:54] /dev/shm/pulse-shm-743709925: data
[11:06:54] /dev/shm/pulse-shm-351083088: data
[11:06:54] /dev/shm/pulse-shm-1331942024: data
[11:06:54] /dev/shm/pulse-shm-1912260521: data
[11:06:54] /dev/shm/mono.2443: data
[11:06:54] /dev/shm/mono.2467: data
[11:06:54] /dev/shm/pulse-shm-2905615276: data
[11:06:54] /dev/shm/pulse-shm-1210813197: data
[11:06:54] /dev/shm/pulse-shm-289830629: data
[11:06:54] /dev/shm/pulse-shm-4191095999: data
[11:06:54] Checking for hidden files and directories [ Warning ]
[11:06:54] Warning: Hidden directory found: /etc/.java
[11:06:54] Warning: Hidden directory found: /dev/.udev
[11:06:54] Warning: Hidden directory found: /dev/.initramfs
[11:07:05]
</pre>
</blockquote>
Even I got these warnings; they should not be a problem, I guess. .java
doesn't have any content in it. No comments<br>
<blockquote
cite="mid:AANLkTimSnu=TFNKeERwq=46OTVAcPv1ZpBXAdp929ceT@mail.gmail.com"
type="cite">
<pre wrap="">[11:07:05] Checking application versions...
[11:07:05] Checking version of GnuPG [ Warning ]
[11:07:05] Warning: Application 'gpg', version '1.4.9', is out of
date, and possibly a security risk.
[11:07:06] Checking version of OpenSSL [ Warning ]
[11:07:06] Warning: Application 'openssl', version '0.9.8g', is out of
date, and possibly a security risk.
I don't use opengpg and openssl so I guess that's ok
</pre>
</blockquote>
<b>You should worry about these, definitely.</b> <br>
If opengpg-server is installed, the service will be listening for outside
connections.<br>
<br>
Since openssl is a library, some applications might use it, probably
like firefox (I found it doesn't), openjdk, thunderbird.<br>
Who knows, your favorite application might use openssl.<br>
<blockquote
cite="mid:AANLkTimSnu=TFNKeERwq=46OTVAcPv1ZpBXAdp929ceT@mail.gmail.com"
type="cite">
<pre wrap="">
but what's the trip with the hidden files in .java /.udev and .initramfs ??
</pre>
</blockquote>
My call: just forget about those.<br>
Most importantly, monitor your network connections; there is no
other way one can access your system. Also make sure the network monitoring
tool is not compromised :P<br>
<blockquote
cite="mid:AANLkTimSnu=TFNKeERwq=46OTVAcPv1ZpBXAdp929ceT@mail.gmail.com"
type="cite">
<pre wrap="">
**
one suggestion I got was to deny inbound traffic
how does one do that
in firestarter it only provides options to allow inbound traffic, not deny ??
and from Ubuntu forums (thread
<a class="moz-txt-link-freetext" href="http://ubuntuforums.org/showthread.php?t=1674668">http://ubuntuforums.org/showthread.php?t=1674668</a>) I was suggested
this (
Quote" did you update your firewall rules? (in any case block
everything inbound "sudo ufw deny in from any" , "sudo ufw default
deny")"
how does one do this, because I get an error when applying "sudo ufw
deny in from any" ,
while this works but asks me to update my firewall rules
"sudo ufw default deny"
</pre>
</blockquote>
Your system must have been using old firewall rules, since you are
still on 9.10.<br>
Update them at the least.<br>
<blockquote
cite="mid:AANLkTimSnu=TFNKeERwq=46OTVAcPv1ZpBXAdp929ceT@mail.gmail.com"
type="cite">
<pre wrap="">
**
Am running 9.10; am wondering if older versions are more vulnerable to
being attacked ??
</pre>
</blockquote>
<b>Definitely you have to update to a newer operating system.</b><br>
<blockquote
cite="mid:AANLkTimSnu=TFNKeERwq=46OTVAcPv1ZpBXAdp929ceT@mail.gmail.com"
type="cite">
<pre wrap="">
look forward to responses and advice
ram
</pre>
</blockquote>
<br>
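As an added example (not from this thread or from rkhunter itself), a small Python script that sorts rkhunter warnings like the ones quoted above into the buckets this reply suggests: a file missing from the rkhunter.dat baseline, PulseAudio/Mono segments in /dev/shm and the known hidden directories as low concern, out-of-date applications and anything unlisted as items to act on. The sample log lines are constructed, and the KNOWN_* lists and triage() are assumptions of this example.<br>

```python
import re

# Constructed sample modelled on the rkhunter warnings quoted in the thread (not a real log).
SAMPLE_LOG = """\
[11:03:54] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
[11:06:53] Warning: Suspicious file types found in /dev:
[11:06:53] /dev/shm/pulse-shm-2140383202: data
[11:06:54] /dev/shm/mono.2443: data
[11:06:54] /dev/shm/unexpected-segment: data
[11:06:54] Warning: Hidden directory found: /etc/.java
[11:06:54] Warning: Hidden directory found: /dev/.udev
[11:06:54] Warning: Hidden directory found: /opt/.unlisted
[11:07:05] Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
[11:07:06] Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
"""

# Items the thread concludes are expected on a desktop install (assumed allow-list).
KNOWN_SHM = (re.compile(r"^/dev/shm/pulse-shm-\d+$"), re.compile(r"^/dev/shm/mono\.\d+$"))
KNOWN_HIDDEN = {"/etc/.java", "/dev/.udev", "/dev/.initramfs"}

RE_LINE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(.*)$")
RE_NOT_IN_DAT = re.compile(r"The file '([^']+)' exists on the system, but it is not present in the rkhunter\.dat")
RE_HIDDEN = re.compile(r"Hidden directory found: (\S+)")
RE_OUTDATED = re.compile(r"Application '([^']+)', version '([^']+)', is out of date")
RE_DEV_FILE = re.compile(r"^(/dev/\S+): \w+$")

def triage(log_text):
    """Return one (severity, category, item, action) tuple per rkhunter warning line."""
    findings = []
    for raw in log_text.splitlines():
        m = RE_LINE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if (w := RE_NOT_IN_DAT.search(msg)):
            findings.append(("low", "not-in-baseline", w.group(1),
                             "verify against package checksums, then rebuild rkhunter's file database"))
        elif (w := RE_HIDDEN.search(msg)):
            known = w.group(1) in KNOWN_HIDDEN
            findings.append(("info" if known else "high", "hidden-dir", w.group(1),
                             "known system directory" if known else "inspect contents, owner and mtime"))
        elif (w := RE_OUTDATED.search(msg)):
            findings.append(("high", "outdated", f"{w.group(1)} {w.group(2)}",
                             "update the package, or the whole release if it is end-of-life"))
        elif (w := RE_DEV_FILE.match(msg)):
            known = any(p.match(w.group(1)) for p in KNOWN_SHM)
            findings.append(("info" if known else "high", "dev-shm", w.group(1),
                             "PulseAudio/Mono shared memory" if known else "find the owning process (lsof)"))
    return findings
```

Running triage(SAMPLE_LOG) yields nine findings, of which four are "high": the unlisted /dev/shm entry, the unlisted hidden directory, and the two out-of-date applications.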
</body>
</html>