intrusion detected

J.Markoll j.markoll at free.fr
Tue Aug 9 05:47:45 UTC 2005


Matt Patterson wrote:
> I did indeed mean "the". I type a lot and tend to get lazy when chatting 
> and writing email.
My search was too complicated. There are plenty of other 'hte running 
processes' on forums. (Search keywords)

> As for checking your process list, you can use things like "System 
> Monitor" or just start a terminal and do "ps -A". The best way to figure 
> out what is supposed to be running on a Hoary system is to take 
> inventory before the machine is ever connected to the network.

> Here is my process list (pretty sure my machine is clean):

> mpatterson at mattrp:~ $ ps -A
>  PID TTY          TIME CMD
>    1 ?        00:00:00 init
>    2 ?        00:00:00 migration/0
>    3 ?        00:00:00 ksoftirqd/0
>    4 ?        00:00:00 migration/1
>    5 ?        00:00:00 ksoftirqd/1
>    6 ?        00:00:00 events/0
>    7 ?        00:00:00 events/1
>    8 ?        00:00:00 khelper
>   21 ?        00:00:00 kacpid
>   84 ?        00:00:01 kblockd/0
>   85 ?        00:00:01 kblockd/1
>  119 ?        00:00:03 pdflush
>  120 ?        00:00:02 pdflush
>  122 ?        00:00:00 aio/0
>  123 ?        00:00:00 aio/1
>  121 ?        00:00:27 kswapd0
>  710 ?        00:00:00 kseriod
> 1122 ?        00:00:21 kjournald
> 1147 ?        00:00:00 udevd
> 4023 ?        00:00:00 kjournald
> 4024 ?        00:00:00 kjournald
> 4852 ?        00:00:00 khubd
> 6768 ?        00:00:00 portmap
> 7139 ?        00:00:00 dd
> 7141 ?        00:00:00 klogd
> 7155 ?        00:00:01 apcupsd
> 7162 ?        00:00:00 gdm
> 7171 ?        00:00:00 gdm
> 7398 ?        05:46:49 Xorg
> 7913 ?        00:00:00 dbus-daemon-1
> 7925 ?        00:03:42 hald
> 7942 ?        00:00:00 inetd
> 8140 ?        00:00:00 nfsd
> 8141 ?        00:00:00 nfsd
> 8142 ?        00:00:00 nfsd
> 8143 ?        00:00:00 nfsd
> 8144 ?        00:00:00 nfsd
> 8145 ?        00:00:00 nfsd
> 8146 ?        00:00:00 nfsd
> 8147 ?        00:00:00 nfsd
> 8149 ?        00:00:00 lockd
> 8150 ?        00:00:00 rpciod
> 8153 ?        00:00:00 rpc.mountd
> 8215 ?        00:00:00 master
> 8226 ?        00:00:00 qmgr
> 8370 ?        00:00:00 nmbd
> 8372 ?        00:00:00 smbd
> 8382 ?        00:00:00 smbd
> 8388 ?        00:00:00 sshd
> 8403 ?        00:00:00 rpc.statd
> 8421 ?        00:00:01 ntpd
> 8448 ?        00:00:00 atd
> 8459 ?        00:00:00 cron
> 8532 ?        00:00:00 vmnet-bridge
> 8542 ?        00:00:00 apache
> 8558 tty1     00:00:00 getty
> 8559 tty2     00:00:00 getty
> 8560 tty3     00:00:00 getty
> 8561 tty4     00:00:00 getty
> 8562 tty5     00:00:00 getty
> 8563 tty6     00:00:00 getty
> 8664 ?        00:00:00 miniserv.pl
> 8668 ?        00:00:09 gnome-session
> 8715 ?        00:00:00 gpg-agent
> 8718 ?        00:00:00 ssh-agent
> 8721 ?        00:00:00 dbus-launch
> 8722 ?        00:00:00 dbus-daemon-1
> 8724 ?        00:00:02 gconfd-2
> 8727 ?        00:00:00 gnome-keyring-d
> 8729 ?        00:02:52 esd
> 8731 ?        00:00:00 bonobo-activati
> 8733 ?        00:00:43 gnome-settings-
> 8736 ?        00:00:10 gam_server
> 8748 ?        00:02:16 xscreensaver
> 8773 ?        00:00:17 gnome-smproxy
> 8775 ?        00:01:32 metacity
> 8777 ?        00:00:07 gnome-volume-ma
> 8779 ?        00:00:44 nautilus
> 8781 ?        00:00:32 gnome-panel
> 8785 ?        00:02:37 gnome-cups-icon
> 8789 ?        00:02:24 xmms
> 8796 ?        00:00:00 gnome-vfs-daemo
> 8797 ?        00:01:29 ksensors
> 8806 ?        00:01:44 wnck-applet
> 8807 ?        00:00:00 kdeinit
> 8811 ?        00:00:00 dcopserver
> 8814 ?        00:00:00 mapping-daemon
> 8815 ?        00:00:00 klauncher
> 8826 ?        00:00:19 kded
> 8834 ?        00:00:04 korgac
> 8841 ?        00:00:10 trashapplet
> 8848 ?        00:00:15 mixer_applet2
> 8850 ?        00:00:06 notification-ar
> 8852 ?        00:00:16 clock-applet
> 8854 ?        00:00:10 mini_commander_
> 9141 ?        00:11:17 xemacs
> 9204 ?        00:01:02 gnome-terminal
> 9205 ?        00:00:00 gnome-pty-helpe
> 9206 pts/0    00:00:00 bash
> 9213 ?        00:00:00 ssh-agent
> 9358 ?        00:00:00 gksudo
> 9361 ?        00:00:00 sudo
> 9362 ?        00:16:58 vmware
> 9368 ?        07:04:48 vmware-vmx
> 9369 ?        00:00:00 vmware-vmx
> 9405 ?        00:18:00 smbd
> 9512 ?        03:34:04 firefox-bin
> 10805 pts/1    00:00:00 bash
> 13615 ?        00:02:12 xemacs
> 13731 ?        00:00:57 python
> 24945 ?        00:08:58 gaim
> 30366 ?        00:00:00 mozilla-thunder
> 30397 ?        00:00:00 run-mozilla.sh
> 30402 ?        00:08:12 mozilla-thunder
> 14303 ?        00:04:25 java_vm
> 15856 ?        00:00:00 acpid
> 15906 ?        00:00:00 apache
> 15907 ?        00:00:00 apache
> 19961 ?        00:05:08 smbd
> 3058 ?        00:00:17 cupsd
> 3496 ?        00:00:00 syslogd
> 6191 ?        00:00:00 apache
> 11097 ?        00:00:14 soffice.bin
> 11652 ?        00:00:00 evolution-data-
> 11655 ?        00:00:00 evolution-excha
> 11906 ?        00:00:00 pickup
> 11916 pts/2    00:00:00 bash
> 11919 pts/2    00:00:00 ps

> Obviously I do a little more than the average joe with my machine. But 
> things to look at are nfsd, apache, smbd, nmbd, sshd, ftpd. If you 
> haven't installed those but yet they are running, something might be wrong.
And sshd is the SSH daemon, while ssh-agent is? What can it be?

> You can also do an nmap scan on your machine:
> mpatterson at mattrp:~ $ nmap localhost
> 
> Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-08 17:53 
> EDT
> Interesting ports on localhost.localdomain (127.0.0.1):
> (The 1652 ports scanned but not shown below are in state: closed)
> PORT      STATE SERVICE
> 22/tcp    open  ssh
> 25/tcp    open  smtp
> 80/tcp    open  http
> 111/tcp   open  rpcbind
> 139/tcp   open  netbios-ssn
> 445/tcp   open  microsoft-ds
> 631/tcp   open  ipp
> 700/tcp   open  unknown
> 953/tcp   open  rndc
> 2049/tcp  open  nfs
> 10000/tcp open  snet-sensor-mgmt

> Nmap run completed -- 1 IP address (1 host up) scanned in 0.228 seconds

> I can account for every port that is open on my machine, so I feel 
> reasonably safe.
> Matt
joyce at papillon:~$ nmap localhost

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-09 07:18 
CEST
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1660 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
25/tcp  open  smtp
631/tcp open  ipp
783/tcp open  hp-alarm-mgr

Nmap run completed -- 1 IP address (1 host up) scanned in 0.211 seconds
joyce at papillon:~$

Port 25 for outgoing mail, 631 for the printer, 783 maybe the clock I 
configured a few days ago to be synchronized with NTP? Or?

I asked one other question, although it seems almost obvious:
is a zombie installed on a machine always a trojan-like program?

Let's go for a 'ps -A'; I installed a few useless applications these 
days, to see how it goes :))

joyce at papillon:~$ ps -A
   PID TTY          TIME CMD
     1 ?        00:00:00 init
     2 ?        00:00:00 ksoftirqd/0
     3 ?        00:00:00 events/0
     4 ?        00:00:00 khelper
    22 ?        00:00:00 kacpid
   108 ?        00:00:00 kblockd/0
   146 ?        00:00:00 pdflush
   147 ?        00:00:00 pdflush
   149 ?        00:00:00 aio/0
   148 ?        00:00:00 kswapd0
   736 ?        00:00:00 kseriod
  1109 ?        00:00:00 kjournald
  1138 ?        00:00:00 udevd
  2427 ?        00:00:00 kjournald
  2428 ?        00:00:00 kjournald
  2429 ?        00:00:00 kjournald
  4068 ?        00:00:00 ata/0
  4093 ?        00:00:00 scsi_eh_0
  4094 ?        00:00:00 scsi_eh_1
  4257 ?        00:00:00 khubd
  6060 ?        00:00:00 dd
  6062 ?        00:00:00 klogd
  6089 ?        00:00:00 gdm
  6099 ?        00:00:00 gdm
  6137 ?        00:00:46 Xorg
  6410 ?        00:00:00 ptal-mlcd
  6415 ?        00:00:00 ptal-printd
  6496 ?        00:00:00 spamd
  6722 ?        00:00:00 spamd
  6723 ?        00:00:00 spamd
  6724 ?        00:00:00 spamd
  6725 ?        00:00:00 spamd
  6805 ?        00:00:00 acpid
  6867 ?        00:00:00 dbus-daemon-1
  6879 ?        00:00:02 hald
  6893 ?        00:00:00 dhcpd
  7021 ?        00:00:00 inetd
  7078 ?        00:00:00 master
  7240 ?        00:00:00 ntpd
  7304 ?        00:00:00 ntpd
  7306 ?        00:00:00 atd
  7317 ?        00:00:00 cron
  7359 tty1     00:00:00 getty
  7360 tty2     00:00:00 getty
  7361 tty3     00:00:00 getty
  7362 tty4     00:00:00 getty
  7363 tty5     00:00:00 getty
  7364 tty6     00:00:00 getty
  7457 ?        00:00:00 x-session-manag
  7502 ?        00:00:00 ssh-agent
  7505 ?        00:00:00 dbus-launch
  7506 ?        00:00:00 dbus-daemon-1
  7508 ?        00:00:00 gconfd-2
  7511 ?        00:00:00 gnome-keyring-d
  7513 ?        00:00:00 esd
  7515 ?        00:00:00 bonobo-activati
  7517 ?        00:00:01 gnome-settings-
  7520 ?        00:00:00 gam_server
  7528 ?        00:00:00 xscreensaver
  7555 ?        00:00:03 metacity
  7557 ?        00:00:01 gnome-panel
  7559 ?        00:00:01 nautilus
  7561 ?        00:00:00 gnome-volume-ma
  7563 ?        00:00:02 gnome-cups-icon
  7565 ?        00:00:00 update-notifier
  7567 ?        00:00:00 evolution-alarm
  7575 ?        00:00:02 wnck-applet
  7577 ?        00:00:00 trashapplet
  7580 ?        00:00:00 gnome-vfs-daemo
  7582 ?        00:00:00 evolution-data-
  7589 ?        00:00:00 evolution-excha
  7596 ?        00:00:00 mapping-daemon
  7618 ?        00:00:00 notification-ar
  7620 ?        00:00:00 mixer_applet2
  7622 ?        00:00:00 clock-applet
  7693 ttyS0    00:00:00 pppd
  7970 ?        00:00:00 qmgr
  8171 ?        00:00:02 cupsd
  8286 ?        00:00:00 syslogd
  8750 ?        00:00:01 gnome-terminal
  8751 ?        00:00:00 gnome-pty-helpe
  8752 pts/0    00:00:00 bash
  9682 ?        00:00:00 pickup
  9881 ?        00:00:00 spamd
  9899 ?        00:00:00 mozilla-thunder
  9933 ?        00:00:00 run-mozilla.sh
  9938 ?        00:00:16 mozilla-thunder
10043 pts/0    00:00:00 ps
joyce at papillon:~$

I find it very difficult to see if some unusual process is running.
Mostly I'm used to seeing them (I use qps, which is lighter than the 
system monitor installed);
many I don't know what the system uses them for, several I know I'm 
using. Maybe I could wonder what application processes are
  7970 ?        00:00:00 qmgr
  7620 ?        00:00:00 mixer_applet2

otherwise I'm not going to ask what this or that process
belonging to the system is. I don't have time to start studying this part
of Linux now, so I won't browse the web at once, and I ignore most of 
them, in fact. (getty are the 6 terminals from tty1 to tty6; the rest I 
can guess one here and there)

So, to see if a machine is zombied, until I get an answer, I suppose it's 
like a trojan; then you said it makes the system slow and makes 
many popups appear.
The struggle anyhow looks the same as for trojans.
Thanks, J.Markoll.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20050809/10dd602d/attachment.sig>
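The advice in this thread (take an inventory of processes and open ports while the machine is known-good, then account for every difference later) is easy to automate. The script below is an added example and is not code from the thread or from either poster. It parses the classic `ps -A` and `nmap localhost` output formats shown above and diffs a saved baseline against a later snapshot; the two snapshots embedded in it are constructed for the example, shortened from the kind of output in the thread, and the hypothetical "current" snapshot has an extra sshd process and an open port 22 so that the diff has something to report. One caveat a practitioner should keep in mind: `ps -A` truncates long command names to 15 characters (as in `evolution-data-` above), so the comparison is on those truncated names, and a process that renames itself will not be caught by name alone; this is a first check, not a rootkit detector.

```python
"""Diff a known-good inventory of processes and open ports against a later snapshot.

Added example, not from the mailing-list thread. The sample snapshots below are
constructed for this example (shortened from the style of output in the thread).
"""
import re

# `ps -A` data lines: PID, TTY, TIME (h:mm:ss), CMD (possibly truncated to 15 chars).
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+:\d+:\d+)\s+(.+?)\s*$")
# classic nmap port lines: "25/tcp  open  smtp"
NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Constructed baseline taken while the machine was known-good.
BASELINE_PS = """joyce at papillon:~$ ps -A
  PID TTY          TIME CMD
    1 ?        00:00:00 init
    2 ?        00:00:00 ksoftirqd/0
 6062 ?        00:00:00 klogd
 6496 ?        00:00:00 spamd
 7021 ?        00:00:00 inetd
 7240 ?        00:00:00 ntpd
 7317 ?        00:00:00 cron
 8286 ?        00:00:00 syslogd
"""

# Constructed later snapshot: klogd is gone and an sshd the owner never installed appeared.
CURRENT_PS = """  PID TTY          TIME CMD
    1 ?        00:00:00 init
    2 ?        00:00:00 ksoftirqd/0
 6496 ?        00:00:00 spamd
 7021 ?        00:00:00 inetd
 7240 ?        00:00:00 ntpd
 7317 ?        00:00:00 cron
 8286 ?        00:00:00 syslogd
 9120 ?        00:00:00 sshd
"""

# Constructed baseline port list (783/tcp is the default port of SpamAssassin's spamd).
BASELINE_NMAP = """PORT    STATE SERVICE
25/tcp  open  smtp
631/tcp open  ipp
783/tcp open  hp-alarm-mgr
"""

# Constructed later scan: port 22 is now open.
CURRENT_NMAP = """PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
631/tcp open  ipp
783/tcp open  hp-alarm-mgr
"""


def parse_ps(text):
    """Return the set of CMD names from `ps -A` output; header and prompt lines do not match."""
    names = set()
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            names.add(m.group(4))
    return names


def parse_nmap(text):
    """Return {"port/proto": (state, service)} from classic nmap output."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            ports[f"{m.group(1)}/{m.group(2)}"] = (m.group(3), m.group(4))
    return ports


def compare(baseline, current):
    """Return (new, missing): items present now but not in the baseline, and vice versa."""
    return sorted(set(current) - set(baseline)), sorted(set(baseline) - set(current))


def inventory_report(baseline_ps, current_ps, baseline_nmap, current_nmap):
    """Diff both inventories and return a dict the caller can print or alert on."""
    new_procs, missing_procs = compare(parse_ps(baseline_ps), parse_ps(current_ps))
    new_ports, missing_ports = compare(parse_nmap(baseline_nmap), parse_nmap(current_nmap))
    return {
        "new_processes": new_procs,
        "missing_processes": missing_procs,
        "new_ports": new_ports,
        "missing_ports": missing_ports,
    }


if __name__ == "__main__":
    # In real use, read the baseline from a file saved before the machine went online
    # and the current snapshots from `ps -A` and `nmap localhost` run now.
    report = inventory_report(BASELINE_PS, CURRENT_PS, BASELINE_NMAP, CURRENT_NMAP)
    for key, items in report.items():
        print(f"{key}: {', '.join(items) if items else '(none)'}")
```

Every entry in `new_processes` and `new_ports` is something the owner has to account for, exactly as Matt does by hand for his eleven open ports; a blank report means nothing changed by name, not that the machine is clean.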