intrusion detected
Matt Patterson
matt at v8zman.com
Mon Aug 8 21:54:47 UTC 2005
I did indeed mean "the". I type a lot and tend to get lazy when chatting
and writing email.
As for checking your process list, you can use things like "System
Monitor" or just start a terminal and do "ps -A". The best way to figure
out what is supposed to be running on a Hoary system is to take
inventory before the machine is ever connected to the network.
Here is my process list (pretty sure my machine is clean):
mpatterson at mattrp:~ $ ps -A
PID TTY TIME CMD
1 ? 00:00:00 init
2 ? 00:00:00 migration/0
3 ? 00:00:00 ksoftirqd/0
4 ? 00:00:00 migration/1
5 ? 00:00:00 ksoftirqd/1
6 ? 00:00:00 events/0
7 ? 00:00:00 events/1
8 ? 00:00:00 khelper
21 ? 00:00:00 kacpid
84 ? 00:00:01 kblockd/0
85 ? 00:00:01 kblockd/1
119 ? 00:00:03 pdflush
120 ? 00:00:02 pdflush
122 ? 00:00:00 aio/0
123 ? 00:00:00 aio/1
121 ? 00:00:27 kswapd0
710 ? 00:00:00 kseriod
1122 ? 00:00:21 kjournald
1147 ? 00:00:00 udevd
4023 ? 00:00:00 kjournald
4024 ? 00:00:00 kjournald
4852 ? 00:00:00 khubd
6768 ? 00:00:00 portmap
7139 ? 00:00:00 dd
7141 ? 00:00:00 klogd
7155 ? 00:00:01 apcupsd
7162 ? 00:00:00 gdm
7171 ? 00:00:00 gdm
7398 ? 05:46:49 Xorg
7913 ? 00:00:00 dbus-daemon-1
7925 ? 00:03:42 hald
7942 ? 00:00:00 inetd
8140 ? 00:00:00 nfsd
8141 ? 00:00:00 nfsd
8142 ? 00:00:00 nfsd
8143 ? 00:00:00 nfsd
8144 ? 00:00:00 nfsd
8145 ? 00:00:00 nfsd
8146 ? 00:00:00 nfsd
8147 ? 00:00:00 nfsd
8149 ? 00:00:00 lockd
8150 ? 00:00:00 rpciod
8153 ? 00:00:00 rpc.mountd
8215 ? 00:00:00 master
8226 ? 00:00:00 qmgr
8370 ? 00:00:00 nmbd
8372 ? 00:00:00 smbd
8382 ? 00:00:00 smbd
8388 ? 00:00:00 sshd
8403 ? 00:00:00 rpc.statd
8421 ? 00:00:01 ntpd
8448 ? 00:00:00 atd
8459 ? 00:00:00 cron
8532 ? 00:00:00 vmnet-bridge
8542 ? 00:00:00 apache
8558 tty1 00:00:00 getty
8559 tty2 00:00:00 getty
8560 tty3 00:00:00 getty
8561 tty4 00:00:00 getty
8562 tty5 00:00:00 getty
8563 tty6 00:00:00 getty
8664 ? 00:00:00 miniserv.pl
8668 ? 00:00:09 gnome-session
8715 ? 00:00:00 gpg-agent
8718 ? 00:00:00 ssh-agent
8721 ? 00:00:00 dbus-launch
8722 ? 00:00:00 dbus-daemon-1
8724 ? 00:00:02 gconfd-2
8727 ? 00:00:00 gnome-keyring-d
8729 ? 00:02:52 esd
8731 ? 00:00:00 bonobo-activati
8733 ? 00:00:43 gnome-settings-
8736 ? 00:00:10 gam_server
8748 ? 00:02:16 xscreensaver
8773 ? 00:00:17 gnome-smproxy
8775 ? 00:01:32 metacity
8777 ? 00:00:07 gnome-volume-ma
8779 ? 00:00:44 nautilus
8781 ? 00:00:32 gnome-panel
8785 ? 00:02:37 gnome-cups-icon
8789 ? 00:02:24 xmms
8796 ? 00:00:00 gnome-vfs-daemo
8797 ? 00:01:29 ksensors
8806 ? 00:01:44 wnck-applet
8807 ? 00:00:00 kdeinit
8811 ? 00:00:00 dcopserver
8814 ? 00:00:00 mapping-daemon
8815 ? 00:00:00 klauncher
8826 ? 00:00:19 kded
8834 ? 00:00:04 korgac
8841 ? 00:00:10 trashapplet
8848 ? 00:00:15 mixer_applet2
8850 ? 00:00:06 notification-ar
8852 ? 00:00:16 clock-applet
8854 ? 00:00:10 mini_commander_
9141 ? 00:11:17 xemacs
9204 ? 00:01:02 gnome-terminal
9205 ? 00:00:00 gnome-pty-helpe
9206 pts/0 00:00:00 bash
9213 ? 00:00:00 ssh-agent
9358 ? 00:00:00 gksudo
9361 ? 00:00:00 sudo
9362 ? 00:16:58 vmware
9368 ? 07:04:48 vmware-vmx
9369 ? 00:00:00 vmware-vmx
9405 ? 00:18:00 smbd
9512 ? 03:34:04 firefox-bin
10805 pts/1 00:00:00 bash
13615 ? 00:02:12 xemacs
13731 ? 00:00:57 python
24945 ? 00:08:58 gaim
30366 ? 00:00:00 mozilla-thunder
30397 ? 00:00:00 run-mozilla.sh
30402 ? 00:08:12 mozilla-thunder
14303 ? 00:04:25 java_vm
15856 ? 00:00:00 acpid
15906 ? 00:00:00 apache
15907 ? 00:00:00 apache
19961 ? 00:05:08 smbd
3058 ? 00:00:17 cupsd
3496 ? 00:00:00 syslogd
6191 ? 00:00:00 apache
11097 ? 00:00:14 soffice.bin
11652 ? 00:00:00 evolution-data-
11655 ? 00:00:00 evolution-excha
11906 ? 00:00:00 pickup
11916 pts/2 00:00:00 bash
11919 pts/2 00:00:00 ps
Obviously I do a little more than the average joe with my machine. But
things to look at are nfsd, apache, smbd, nmbd, sshd, and ftpd. If you
haven't installed those but they are running anyway, something might be wrong.
You can also do an nmap scan on your machine:
mpatterson at mattrp:~ $ nmap localhost
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-08 17:53 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1652 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
700/tcp open unknown
953/tcp open rndc
2049/tcp open nfs
10000/tcp open snet-sensor-mgmt
Nmap run completed -- 1 IP address (1 host up) scanned in 0.228 seconds
I can account for every port that is open on my machine, so I feel
reasonably safe.
Matt
Peter Garrett wrote:
>On Mon, 08 Aug 2005 20:13:16 +0200
>"J.Markoll" <j.markoll at free.fr> wrote:
>
>>Matt Patterson wrote:
>>
>>>The best tool for checking zombifying is just looking at hte running
>>>processes.
>>
>>Please, what does 'hte' mean here? I looked in 5 or 6 dictionaries
>>online and don't find any logical answer in the context here. It does not
>>mean 'High-temperature electrolysis' for sure?
>
>I think it was meant to be "the" ;-)
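The inventory-then-compare routine Matt describes (snapshot what runs before the box goes on the network, diff later runs against that baseline, and look for daemons such as nfsd, apache, smbd, nmbd, sshd and ftpd that you never installed) as a small POSIX shell helper. This is an added example, not code from the original post or from Ubuntu; the file names, the function names and the WATCHLIST variable are my own assumptions, and the `ps -A` and `nmap` lines it is exercised with are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the process list and
# open-port list before a Hoary box goes on the network, then diff later runs
# against that baseline. File names, function names and WATCHLIST are assumptions.

# Daemons the post singles out: if you never installed them, they should not be running.
WATCHLIST="nfsd apache smbd nmbd sshd ftpd"

# Reduce `ps -A` output (header included) on stdin to a sorted, unique list of command names.
normalize_ps() {
    awk 'NR > 1 { print $NF }' | sort -u
}

# Reduce `nmap localhost` output on stdin to sorted "port/proto service" rows, open ports only.
normalize_nmap() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1, $3 }' | sort -u
}

# Lines present in the current list ($2) that the baseline ($1) did not have.
# Both files must be sorted, which the normalize_* functions guarantee.
new_entries() {
    comm -13 "$1" "$2"
}

# Print every WATCHLIST daemon that appears in a normalized process list ($1).
flag_watchlist() {
    for d in $WATCHLIST; do
        grep -qx "$d" "$1" && echo "$d"
    done
    return 0
}

# Usage: sh inventory.sh snapshot   (run once, before the network cable goes in)
#        sh inventory.sh check      (run later; prints anything new plus watchlist hits)
case "${1:-}" in
    snapshot)
        ps -A | normalize_ps > baseline.procs
        command -v nmap >/dev/null && nmap localhost | normalize_nmap > baseline.ports
        ;;
    check)
        ps -A | normalize_ps > current.procs
        echo "== processes not in baseline =="; new_entries baseline.procs current.procs
        echo "== watchlist daemons running =="; flag_watchlist current.procs
        if [ -f baseline.ports ] && command -v nmap >/dev/null; then
            nmap localhost | normalize_nmap > current.ports
            echo "== ports not in baseline =="; new_entries baseline.ports current.ports
        fi
        ;;
    *)  ;;   # no argument: only define the functions (when sourced or tested)
esac
```

The baseline is only as trustworthy as the machine was when you took it, which is why the snapshot belongs before the first network connection; `ps -A` and a local nmap also cannot see a process that a kernel-level rootkit hides, so a clean diff lowers suspicion rather than proving the box clean.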