intrusion detected
J.Markoll
j.markoll at free.fr
Tue Aug 9 05:47:45 UTC 2005
Matt Patterson wrote:
> I did indeed mean "the". I type a lot and tend to get lazy when chatting
> and writing email.
I searched in too complicated a way. There are plenty of other 'hte running
processes' on forums. (Search key words)
> As for checking your process list, you can use things like "System
> Monitor" or just start a terminal and do "ps -A". The best way to figure
> out what is supposed to be running on a hoary system is to take
> inventory before the machine is ever connected to the network.
> Here is my process list (pretty sure my machine is clean):
> mpatterson at mattrp:~ $ ps -A
> PID TTY TIME CMD
> 1 ? 00:00:00 init
> 2 ? 00:00:00 migration/0
> 3 ? 00:00:00 ksoftirqd/0
> 4 ? 00:00:00 migration/1
> 5 ? 00:00:00 ksoftirqd/1
> 6 ? 00:00:00 events/0
> 7 ? 00:00:00 events/1
> 8 ? 00:00:00 khelper
> 21 ? 00:00:00 kacpid
> 84 ? 00:00:01 kblockd/0
> 85 ? 00:00:01 kblockd/1
> 119 ? 00:00:03 pdflush
> 120 ? 00:00:02 pdflush
> 122 ? 00:00:00 aio/0
> 123 ? 00:00:00 aio/1
> 121 ? 00:00:27 kswapd0
> 710 ? 00:00:00 kseriod
> 1122 ? 00:00:21 kjournald
> 1147 ? 00:00:00 udevd
> 4023 ? 00:00:00 kjournald
> 4024 ? 00:00:00 kjournald
> 4852 ? 00:00:00 khubd
> 6768 ? 00:00:00 portmap
> 7139 ? 00:00:00 dd
> 7141 ? 00:00:00 klogd
> 7155 ? 00:00:01 apcupsd
> 7162 ? 00:00:00 gdm
> 7171 ? 00:00:00 gdm
> 7398 ? 05:46:49 Xorg
> 7913 ? 00:00:00 dbus-daemon-1
> 7925 ? 00:03:42 hald
> 7942 ? 00:00:00 inetd
> 8140 ? 00:00:00 nfsd
> 8141 ? 00:00:00 nfsd
> 8142 ? 00:00:00 nfsd
> 8143 ? 00:00:00 nfsd
> 8144 ? 00:00:00 nfsd
> 8145 ? 00:00:00 nfsd
> 8146 ? 00:00:00 nfsd
> 8147 ? 00:00:00 nfsd
> 8149 ? 00:00:00 lockd
> 8150 ? 00:00:00 rpciod
> 8153 ? 00:00:00 rpc.mountd
> 8215 ? 00:00:00 master
> 8226 ? 00:00:00 qmgr
> 8370 ? 00:00:00 nmbd
> 8372 ? 00:00:00 smbd
> 8382 ? 00:00:00 smbd
> 8388 ? 00:00:00 sshd
> 8403 ? 00:00:00 rpc.statd
> 8421 ? 00:00:01 ntpd
> 8448 ? 00:00:00 atd
> 8459 ? 00:00:00 cron
> 8532 ? 00:00:00 vmnet-bridge
> 8542 ? 00:00:00 apache
> 8558 tty1 00:00:00 getty
> 8559 tty2 00:00:00 getty
> 8560 tty3 00:00:00 getty
> 8561 tty4 00:00:00 getty
> 8562 tty5 00:00:00 getty
> 8563 tty6 00:00:00 getty
> 8664 ? 00:00:00 miniserv.pl
> 8668 ? 00:00:09 gnome-session
> 8715 ? 00:00:00 gpg-agent
> 8718 ? 00:00:00 ssh-agent
> 8721 ? 00:00:00 dbus-launch
> 8722 ? 00:00:00 dbus-daemon-1
> 8724 ? 00:00:02 gconfd-2
> 8727 ? 00:00:00 gnome-keyring-d
> 8729 ? 00:02:52 esd
> 8731 ? 00:00:00 bonobo-activati
> 8733 ? 00:00:43 gnome-settings-
> 8736 ? 00:00:10 gam_server
> 8748 ? 00:02:16 xscreensaver
> 8773 ? 00:00:17 gnome-smproxy
> 8775 ? 00:01:32 metacity
> 8777 ? 00:00:07 gnome-volume-ma
> 8779 ? 00:00:44 nautilus
> 8781 ? 00:00:32 gnome-panel
> 8785 ? 00:02:37 gnome-cups-icon
> 8789 ? 00:02:24 xmms
> 8796 ? 00:00:00 gnome-vfs-daemo
> 8797 ? 00:01:29 ksensors
> 8806 ? 00:01:44 wnck-applet
> 8807 ? 00:00:00 kdeinit
> 8811 ? 00:00:00 dcopserver
> 8814 ? 00:00:00 mapping-daemon
> 8815 ? 00:00:00 klauncher
> 8826 ? 00:00:19 kded
> 8834 ? 00:00:04 korgac
> 8841 ? 00:00:10 trashapplet
> 8848 ? 00:00:15 mixer_applet2
> 8850 ? 00:00:06 notification-ar
> 8852 ? 00:00:16 clock-applet
> 8854 ? 00:00:10 mini_commander_
> 9141 ? 00:11:17 xemacs
> 9204 ? 00:01:02 gnome-terminal
> 9205 ? 00:00:00 gnome-pty-helpe
> 9206 pts/0 00:00:00 bash
> 9213 ? 00:00:00 ssh-agent
> 9358 ? 00:00:00 gksudo
> 9361 ? 00:00:00 sudo
> 9362 ? 00:16:58 vmware
> 9368 ? 07:04:48 vmware-vmx
> 9369 ? 00:00:00 vmware-vmx
> 9405 ? 00:18:00 smbd
> 9512 ? 03:34:04 firefox-bin
> 10805 pts/1 00:00:00 bash
> 13615 ? 00:02:12 xemacs
> 13731 ? 00:00:57 python
> 24945 ? 00:08:58 gaim
> 30366 ? 00:00:00 mozilla-thunder
> 30397 ? 00:00:00 run-mozilla.sh
> 30402 ? 00:08:12 mozilla-thunder
> 14303 ? 00:04:25 java_vm
> 15856 ? 00:00:00 acpid
> 15906 ? 00:00:00 apache
> 15907 ? 00:00:00 apache
> 19961 ? 00:05:08 smbd
> 3058 ? 00:00:17 cupsd
> 3496 ? 00:00:00 syslogd
> 6191 ? 00:00:00 apache
> 11097 ? 00:00:14 soffice.bin
> 11652 ? 00:00:00 evolution-data-
> 11655 ? 00:00:00 evolution-excha
> 11906 ? 00:00:00 pickup
> 11916 pts/2 00:00:00 bash
> 11919 pts/2 00:00:00 ps
> Obviously I do a little more than the average joe with my machine. But
> things to look at are nfsd, apache, smbd, nmbd, sshd, ftpd. If you
> haven't installed those but yet they are running, something might be wrong.
And sshd is the SSH daemon, while ssh-agent is... what can it be?
> You can also do an nmap scan on your machine:
> mpatterson at mattrp:~ $ nmap localhost
>
> Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-08 17:53 EDT
> Interesting ports on localhost.localdomain (127.0.0.1):
> (The 1652 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 111/tcp open rpcbind
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 631/tcp open ipp
> 700/tcp open unknown
> 953/tcp open rndc
> 2049/tcp open nfs
> 10000/tcp open snet-sensor-mgmt
> Nmap run completed -- 1 IP address (1 host up) scanned in 0.228 seconds
> I can account for every port that is open on my machine, so I feel
> reasonably safe.
> Matt
joyce at papillon:~$ nmap localhost
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-09 07:18 CEST
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
631/tcp open ipp
783/tcp open hp-alarm-mgr
Nmap run completed -- 1 IP address (1 host up) scanned in 0.211 seconds
joyce at papillon:~$
Port 25 for outgoing mail, 631 for the printer, 783 maybe the clock I
configured a few days ago to be synchronized with NTP? Or?
I asked one other question, although it seems almost obvious:
is a zombie installed in a machine always a trojan-like program?
Let's go for a 'ps -A'; I installed a few useless applications these
days, to see how it goes :))
joyce at papillon:~$ ps -A
PID TTY TIME CMD
1 ? 00:00:00 init
2 ? 00:00:00 ksoftirqd/0
3 ? 00:00:00 events/0
4 ? 00:00:00 khelper
22 ? 00:00:00 kacpid
108 ? 00:00:00 kblockd/0
146 ? 00:00:00 pdflush
147 ? 00:00:00 pdflush
149 ? 00:00:00 aio/0
148 ? 00:00:00 kswapd0
736 ? 00:00:00 kseriod
1109 ? 00:00:00 kjournald
1138 ? 00:00:00 udevd
2427 ? 00:00:00 kjournald
2428 ? 00:00:00 kjournald
2429 ? 00:00:00 kjournald
4068 ? 00:00:00 ata/0
4093 ? 00:00:00 scsi_eh_0
4094 ? 00:00:00 scsi_eh_1
4257 ? 00:00:00 khubd
6060 ? 00:00:00 dd
6062 ? 00:00:00 klogd
6089 ? 00:00:00 gdm
6099 ? 00:00:00 gdm
6137 ? 00:00:46 Xorg
6410 ? 00:00:00 ptal-mlcd
6415 ? 00:00:00 ptal-printd
6496 ? 00:00:00 spamd
6722 ? 00:00:00 spamd
6723 ? 00:00:00 spamd
6724 ? 00:00:00 spamd
6725 ? 00:00:00 spamd
6805 ? 00:00:00 acpid
6867 ? 00:00:00 dbus-daemon-1
6879 ? 00:00:02 hald
6893 ? 00:00:00 dhcpd
7021 ? 00:00:00 inetd
7078 ? 00:00:00 master
7240 ? 00:00:00 ntpd
7304 ? 00:00:00 ntpd
7306 ? 00:00:00 atd
7317 ? 00:00:00 cron
7359 tty1 00:00:00 getty
7360 tty2 00:00:00 getty
7361 tty3 00:00:00 getty
7362 tty4 00:00:00 getty
7363 tty5 00:00:00 getty
7364 tty6 00:00:00 getty
7457 ? 00:00:00 x-session-manag
7502 ? 00:00:00 ssh-agent
7505 ? 00:00:00 dbus-launch
7506 ? 00:00:00 dbus-daemon-1
7508 ? 00:00:00 gconfd-2
7511 ? 00:00:00 gnome-keyring-d
7513 ? 00:00:00 esd
7515 ? 00:00:00 bonobo-activati
7517 ? 00:00:01 gnome-settings-
7520 ? 00:00:00 gam_server
7528 ? 00:00:00 xscreensaver
7555 ? 00:00:03 metacity
7557 ? 00:00:01 gnome-panel
7559 ? 00:00:01 nautilus
7561 ? 00:00:00 gnome-volume-ma
7563 ? 00:00:02 gnome-cups-icon
7565 ? 00:00:00 update-notifier
7567 ? 00:00:00 evolution-alarm
7575 ? 00:00:02 wnck-applet
7577 ? 00:00:00 trashapplet
7580 ? 00:00:00 gnome-vfs-daemo
7582 ? 00:00:00 evolution-data-
7589 ? 00:00:00 evolution-excha
7596 ? 00:00:00 mapping-daemon
7618 ? 00:00:00 notification-ar
7620 ? 00:00:00 mixer_applet2
7622 ? 00:00:00 clock-applet
7693 ttyS0 00:00:00 pppd
7970 ? 00:00:00 qmgr
8171 ? 00:00:02 cupsd
8286 ? 00:00:00 syslogd
8750 ? 00:00:01 gnome-terminal
8751 ? 00:00:00 gnome-pty-helpe
8752 pts/0 00:00:00 bash
9682 ? 00:00:00 pickup
9881 ? 00:00:00 spamd
9899 ? 00:00:00 mozilla-thunder
9933 ? 00:00:00 run-mozilla.sh
9938 ? 00:00:16 mozilla-thunder
10043 pts/0 00:00:00 ps
joyce at papillon:~$
I find it very difficult to see if some unusual process is running.
Mostly I'm used to seeing them (I use qps, which is lighter than the
system monitor installed); many I don't know what the system uses them
for, several I know I'm using. Maybe I could wonder what application
processes these are:
7970 ? 00:00:00 qmgr
7620 ? 00:00:00 mixer_applet2
Otherwise I'm not going to ask about what this or that process belonging
to the system is. I don't have time to start studying this part of Linux
now, so I won't browse the web at once, and I ignore most of them, in
fact. (getty are the 6 terminals from tty1 to tty6; the rest I can guess
one here and there.)
So, to see if a machine is zombified, until I get an answer, I suppose it's
like a trojan; then you said it makes the system slow and makes
many popups appear.
The struggle anyhow looks the same as for trojans.
Thanks, J.Markoll.
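One way to act on Matt's "take inventory before the machine is connected" advice, as an added example that is not from the thread: the functions below parse `ps -A` and `nmap localhost` output and report what appeared since a saved baseline. The snapshots are constructed in the format shown above, and `unknownd` is a made-up process name standing in for anything unexpected.

```shell
#!/bin/sh
# Added example (not from the thread): diff a fresh `ps -A` and `nmap localhost`
# snapshot against a baseline taken before the machine went on the network.
# The snapshots below are constructed in the format shown in the thread.
LC_ALL=C; export LC_ALL

# Command names (4th column) from `ps -A` output, sorted and de-duplicated.
ps_cmds() {
    awk 'NR > 1 && NF >= 4 { print $4 }' | sort -u
}

# "port/proto service" pairs for open ports from nmap output, sorted.
nmap_ports() {
    awk '$2 == "open" { print $1, $3 }' | sort -u
}

# Constructed baseline (clean install) and current snapshots.
BASE_PS='PID TTY TIME CMD
1 ? 00:00:00 init
7240 ? 00:00:00 ntpd
7317 ? 00:00:00 cron'
CUR_PS="$BASE_PS
8286 ? 00:00:00 syslogd
9410 ? 00:00:00 unknownd"
BASE_NMAP='PORT STATE SERVICE
25/tcp open smtp
631/tcp open ipp'
CUR_NMAP="$BASE_NMAP
783/tcp open hp-alarm-mgr"

# Print processes and open ports present now but absent from the baseline.
# Returns 0 when nothing new appeared, 1 otherwise.
report_changes() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' "$BASE_PS"   | ps_cmds    > "$tmp/base_ps"
    printf '%s\n' "$CUR_PS"    | ps_cmds    > "$tmp/cur_ps"
    printf '%s\n' "$BASE_NMAP" | nmap_ports > "$tmp/base_nmap"
    printf '%s\n' "$CUR_NMAP"  | nmap_ports > "$tmp/cur_nmap"
    # comm -1 -3 keeps only the lines unique to the second (current) file
    new_ps=$(comm -1 -3 "$tmp/base_ps" "$tmp/cur_ps")
    new_ports=$(comm -1 -3 "$tmp/base_nmap" "$tmp/cur_nmap")
    rm -rf "$tmp"
    [ -n "$new_ps" ]    && printf 'new processes:\n%s\n' "$new_ps"
    [ -n "$new_ports" ] && printf 'new open ports:\n%s\n' "$new_ports"
    [ -z "$new_ps$new_ports" ]
}

report_changes || echo "review the new entries above before trusting the machine"
```

For a real machine, save `ps -A` and `nmap localhost` output to files right after installation and feed those files in place of the constructed strings.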