intrusion detected

MrKnisely mrknisely at mrknisely.is-a-geek.org
Thu Aug 11 02:33:37 UTC 2005


J.Markoll wrote:

> Matt Patterson wrote:
>
>> I did indeed mean "the". I type a lot and tend to get lazy when 
>> chatting and writing email.
>
> I searched in too complicated a way. There are plenty of other 'hte running 
> processes' on forums. (Search keywords)
>
>> As for checking your process list, you can use things like "System 
>> Monitor" or just start a terminal and do "ps -A". The best way to 
>> figure out what is supposed to be running on a hoary system is to 
>> take inventory before the machine is ever connected to the network.
>
>
>> Here is my process list (pretty sure my machine is clean):
>
>
>> mpatterson at mattrp:~ $ ps -A
>>  PID TTY          TIME CMD
>>    1 ?        00:00:00 init
>>    2 ?        00:00:00 migration/0
>>    3 ?        00:00:00 ksoftirqd/0
>>    4 ?        00:00:00 migration/1
>>    5 ?        00:00:00 ksoftirqd/1
>>    6 ?        00:00:00 events/0
>>    7 ?        00:00:00 events/1
>>    8 ?        00:00:00 khelper
>>   21 ?        00:00:00 kacpid
>>   84 ?        00:00:01 kblockd/0
>>   85 ?        00:00:01 kblockd/1
>>  119 ?        00:00:03 pdflush
>>  120 ?        00:00:02 pdflush
>>  122 ?        00:00:00 aio/0
>>  123 ?        00:00:00 aio/1
>>  121 ?        00:00:27 kswapd0
>>  710 ?        00:00:00 kseriod
>> 1122 ?        00:00:21 kjournald
>> 1147 ?        00:00:00 udevd
>> 4023 ?        00:00:00 kjournald
>> 4024 ?        00:00:00 kjournald
>> 4852 ?        00:00:00 khubd
>> 6768 ?        00:00:00 portmap
>> 7139 ?        00:00:00 dd
>> 7141 ?        00:00:00 klogd
>> 7155 ?        00:00:01 apcupsd
>> 7162 ?        00:00:00 gdm
>> 7171 ?        00:00:00 gdm
>> 7398 ?        05:46:49 Xorg
>> 7913 ?        00:00:00 dbus-daemon-1
>> 7925 ?        00:03:42 hald
>> 7942 ?        00:00:00 inetd
>> 8140 ?        00:00:00 nfsd
>> 8141 ?        00:00:00 nfsd
>> 8142 ?        00:00:00 nfsd
>> 8143 ?        00:00:00 nfsd
>> 8144 ?        00:00:00 nfsd
>> 8145 ?        00:00:00 nfsd
>> 8146 ?        00:00:00 nfsd
>> 8147 ?        00:00:00 nfsd
>> 8149 ?        00:00:00 lockd
>> 8150 ?        00:00:00 rpciod
>> 8153 ?        00:00:00 rpc.mountd
>> 8215 ?        00:00:00 master
>> 8226 ?        00:00:00 qmgr
>> 8370 ?        00:00:00 nmbd
>> 8372 ?        00:00:00 smbd
>> 8382 ?        00:00:00 smbd
>> 8388 ?        00:00:00 sshd
>> 8403 ?        00:00:00 rpc.statd
>> 8421 ?        00:00:01 ntpd
>> 8448 ?        00:00:00 atd
>> 8459 ?        00:00:00 cron
>> 8532 ?        00:00:00 vmnet-bridge
>> 8542 ?        00:00:00 apache
>> 8558 tty1     00:00:00 getty
>> 8559 tty2     00:00:00 getty
>> 8560 tty3     00:00:00 getty
>> 8561 tty4     00:00:00 getty
>> 8562 tty5     00:00:00 getty
>> 8563 tty6     00:00:00 getty
>> 8664 ?        00:00:00 miniserv.pl
>> 8668 ?        00:00:09 gnome-session
>> 8715 ?        00:00:00 gpg-agent
>> 8718 ?        00:00:00 ssh-agent
>> 8721 ?        00:00:00 dbus-launch
>> 8722 ?        00:00:00 dbus-daemon-1
>> 8724 ?        00:00:02 gconfd-2
>> 8727 ?        00:00:00 gnome-keyring-d
>> 8729 ?        00:02:52 esd
>> 8731 ?        00:00:00 bonobo-activati
>> 8733 ?        00:00:43 gnome-settings-
>> 8736 ?        00:00:10 gam_server
>> 8748 ?        00:02:16 xscreensaver
>> 8773 ?        00:00:17 gnome-smproxy
>> 8775 ?        00:01:32 metacity
>> 8777 ?        00:00:07 gnome-volume-ma
>> 8779 ?        00:00:44 nautilus
>> 8781 ?        00:00:32 gnome-panel
>> 8785 ?        00:02:37 gnome-cups-icon
>> 8789 ?        00:02:24 xmms
>> 8796 ?        00:00:00 gnome-vfs-daemo
>> 8797 ?        00:01:29 ksensors
>> 8806 ?        00:01:44 wnck-applet
>> 8807 ?        00:00:00 kdeinit
>> 8811 ?        00:00:00 dcopserver
>> 8814 ?        00:00:00 mapping-daemon
>> 8815 ?        00:00:00 klauncher
>> 8826 ?        00:00:19 kded
>> 8834 ?        00:00:04 korgac
>> 8841 ?        00:00:10 trashapplet
>> 8848 ?        00:00:15 mixer_applet2
>> 8850 ?        00:00:06 notification-ar
>> 8852 ?        00:00:16 clock-applet
>> 8854 ?        00:00:10 mini_commander_
>> 9141 ?        00:11:17 xemacs
>> 9204 ?        00:01:02 gnome-terminal
>> 9205 ?        00:00:00 gnome-pty-helpe
>> 9206 pts/0    00:00:00 bash
>> 9213 ?        00:00:00 ssh-agent
>> 9358 ?        00:00:00 gksudo
>> 9361 ?        00:00:00 sudo
>> 9362 ?        00:16:58 vmware
>> 9368 ?        07:04:48 vmware-vmx
>> 9369 ?        00:00:00 vmware-vmx
>> 9405 ?        00:18:00 smbd
>> 9512 ?        03:34:04 firefox-bin
>> 10805 pts/1    00:00:00 bash
>> 13615 ?        00:02:12 xemacs
>> 13731 ?        00:00:57 python
>> 24945 ?        00:08:58 gaim
>> 30366 ?        00:00:00 mozilla-thunder
>> 30397 ?        00:00:00 run-mozilla.sh
>> 30402 ?        00:08:12 mozilla-thunder
>> 14303 ?        00:04:25 java_vm
>> 15856 ?        00:00:00 acpid
>> 15906 ?        00:00:00 apache
>> 15907 ?        00:00:00 apache
>> 19961 ?        00:05:08 smbd
>> 3058 ?        00:00:17 cupsd
>> 3496 ?        00:00:00 syslogd
>> 6191 ?        00:00:00 apache
>> 11097 ?        00:00:14 soffice.bin
>> 11652 ?        00:00:00 evolution-data-
>> 11655 ?        00:00:00 evolution-excha
>> 11906 ?        00:00:00 pickup
>> 11916 pts/2    00:00:00 bash
>> 11919 pts/2    00:00:00 ps
>
>
>> Obviously I do a little more than the average joe with my machine. 
>> But things to look at are nfsd, apache, smbd, nmbd, sshd, ftpd. If 
>> you haven't installed those, yet they are running, something might 
>> be wrong.
>
> And sshd is the SSH daemon, while ssh-agent is? What can it be?
>
>> You can also do an nmap scan on your machine:
>> mpatterson at mattrp:~ $ nmap localhost
>>
>> Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-08 
>> 17:53 EDT
>> Interesting ports on localhost.localdomain (127.0.0.1):
>> (The 1652 ports scanned but not shown below are in state: closed)
>> PORT      STATE SERVICE
>> 22/tcp    open  ssh
>> 25/tcp    open  smtp
>> 80/tcp    open  http
>> 111/tcp   open  rpcbind
>> 139/tcp   open  netbios-ssn
>> 445/tcp   open  microsoft-ds
>> 631/tcp   open  ipp
>> 700/tcp   open  unknown
>> 953/tcp   open  rndc
>> 2049/tcp  open  nfs
>> 10000/tcp open  snet-sensor-mgmt
>
>
>> Nmap run completed -- 1 IP address (1 host up) scanned in 0.228 seconds
>
>
>> I can account for every port that is open on my machine, so I feel 
>> reasonably safe.
>> Matt
>
> joyce at papillon:~$ nmap localhost
>
> Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-09 
> 07:18 CEST
> Interesting ports on localhost.localdomain (127.0.0.1):
> (The 1660 ports scanned but not shown below are in state: closed)
> PORT    STATE SERVICE
> 25/tcp  open  smtp
> 631/tcp open  ipp
> 783/tcp open  hp-alarm-mgr
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 0.211 seconds
> joyce at papillon:~$
>
> Port 25 for outgoing mail, 631 for the printer, 783 maybe the clock I 
> configured a few days ago to be synchronized with NTP? Or?
>
> I asked one other question, although it seems almost obvious:
> is a zombie installed on a machine always a trojan-like program?
>
> Let's go for a 'ps -A'; I installed a few useless applications these 
> days, to see how it goes :))
>
> joyce at papillon:~$ ps -A
>   PID TTY          TIME CMD
>     1 ?        00:00:00 init
>     2 ?        00:00:00 ksoftirqd/0
>     3 ?        00:00:00 events/0
>     4 ?        00:00:00 khelper
>    22 ?        00:00:00 kacpid
>   108 ?        00:00:00 kblockd/0
>   146 ?        00:00:00 pdflush
>   147 ?        00:00:00 pdflush
>   149 ?        00:00:00 aio/0
>   148 ?        00:00:00 kswapd0
>   736 ?        00:00:00 kseriod
>  1109 ?        00:00:00 kjournald
>  1138 ?        00:00:00 udevd
>  2427 ?        00:00:00 kjournald
>  2428 ?        00:00:00 kjournald
>  2429 ?        00:00:00 kjournald
>  4068 ?        00:00:00 ata/0
>  4093 ?        00:00:00 scsi_eh_0
>  4094 ?        00:00:00 scsi_eh_1
>  4257 ?        00:00:00 khubd
>  6060 ?        00:00:00 dd
>  6062 ?        00:00:00 klogd
>  6089 ?        00:00:00 gdm
>  6099 ?        00:00:00 gdm
>  6137 ?        00:00:46 Xorg
>  6410 ?        00:00:00 ptal-mlcd
>  6415 ?        00:00:00 ptal-printd
>  6496 ?        00:00:00 spamd
>  6722 ?        00:00:00 spamd
>  6723 ?        00:00:00 spamd
>  6724 ?        00:00:00 spamd
>  6725 ?        00:00:00 spamd
>  6805 ?        00:00:00 acpid
>  6867 ?        00:00:00 dbus-daemon-1
>  6879 ?        00:00:02 hald
>  6893 ?        00:00:00 dhcpd
>  7021 ?        00:00:00 inetd
>  7078 ?        00:00:00 master
>  7240 ?        00:00:00 ntpd
>  7304 ?        00:00:00 ntpd
>  7306 ?        00:00:00 atd
>  7317 ?        00:00:00 cron
>  7359 tty1     00:00:00 getty
>  7360 tty2     00:00:00 getty
>  7361 tty3     00:00:00 getty
>  7362 tty4     00:00:00 getty
>  7363 tty5     00:00:00 getty
>  7364 tty6     00:00:00 getty
>  7457 ?        00:00:00 x-session-manag
>  7502 ?        00:00:00 ssh-agent
>  7505 ?        00:00:00 dbus-launch
>  7506 ?        00:00:00 dbus-daemon-1
>  7508 ?        00:00:00 gconfd-2
>  7511 ?        00:00:00 gnome-keyring-d
>  7513 ?        00:00:00 esd
>  7515 ?        00:00:00 bonobo-activati
>  7517 ?        00:00:01 gnome-settings-
>  7520 ?        00:00:00 gam_server
>  7528 ?        00:00:00 xscreensaver
>  7555 ?        00:00:03 metacity
>  7557 ?        00:00:01 gnome-panel
>  7559 ?        00:00:01 nautilus
>  7561 ?        00:00:00 gnome-volume-ma
>  7563 ?        00:00:02 gnome-cups-icon
>  7565 ?        00:00:00 update-notifier
>  7567 ?        00:00:00 evolution-alarm
>  7575 ?        00:00:02 wnck-applet
>  7577 ?        00:00:00 trashapplet
>  7580 ?        00:00:00 gnome-vfs-daemo
>  7582 ?        00:00:00 evolution-data-
>  7589 ?        00:00:00 evolution-excha
>  7596 ?        00:00:00 mapping-daemon
>  7618 ?        00:00:00 notification-ar
>  7620 ?        00:00:00 mixer_applet2
>  7622 ?        00:00:00 clock-applet
>  7693 ttyS0    00:00:00 pppd
>  7970 ?        00:00:00 qmgr
>  8171 ?        00:00:02 cupsd
>  8286 ?        00:00:00 syslogd
>  8750 ?        00:00:01 gnome-terminal
>  8751 ?        00:00:00 gnome-pty-helpe
>  8752 pts/0    00:00:00 bash
>  9682 ?        00:00:00 pickup
>  9881 ?        00:00:00 spamd
>  9899 ?        00:00:00 mozilla-thunder
>  9933 ?        00:00:00 run-mozilla.sh
>  9938 ?        00:00:16 mozilla-thunder
> 10043 pts/0    00:00:00 ps
> joyce at papillon:~$
>
> I find it very difficult to see if some unusual process is running.
> Mostly I'm used to seeing them (I use qps, which is lighter than the 
> system monitor installed); many I don't know what the system uses them 
> for, several I know I'm using. Maybe I could wonder what application 
> these processes belong to:
>  7970 ?        00:00:00 qmgr
>  7620 ?        00:00:00 mixer_applet2
>
> Otherwise I'm not going to ask what this or that process belonging to 
> the system is. I don't have time to start studying this part of Linux 
> now, so I won't browse the web at once, and in fact I don't know most 
> of them. (getty are the 6 terminals from tty1 to tty6; the rest I can 
> guess one here and there)
>
> So, to see if a machine is zombied, until I get an answer, I suppose 
> it's like a trojan; then you said it makes the system slow and makes 
> many popups appear.
> The struggle anyhow looks the same as for trojans.
> Thanks, J.Markoll.
>
>
25 is listening... it is your local mailserver waiting for connections 
from your mail client, or from the system itself.  It is NOT for 
outgoing email.  Outgoing email would use a high level port and connect 
into another server on 25.

Mike K.
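The "take inventory before the machine is ever connected" advice from Matt's post is only useful if the inventory can be compared mechanically later; eyeballing a hundred-line `ps -A` listing, as the second post shows, does not scale. The script below is an added example (not code from the thread or from Ubuntu): it saves the sorted set of command names as a baseline and later prints only the names that were not there before. The baseline and "current" listings are constructed sample data; `ps -A -o comm=` is what a real snapshot would use.

```shell
# Added example: diff a saved process-name baseline against a later listing.
# Real use:   snapshot_procs > /root/procs.baseline   (before going online)
# later:      snapshot_procs | new_procs /root/procs.baseline

# One command name per line (the CMD column of `ps -A`), de-duplicated.
# C locale so that sort and comm agree on the ordering across runs.
snapshot_procs() {
    LC_ALL=C ps -A -o comm= | LC_ALL=C sort -u
}

# Names in the current listing (stdin) that are absent from the baseline file ($1).
new_procs() {
    LC_ALL=C sort -u | LC_ALL=C comm -13 "$1" -
}

# Constructed sample: what the box ran before it was connected...
sample_baseline() {
    printf '%s\n' cron gdm init sshd syslogd
}

# ...and a listing taken later, with two daemons the owner never installed.
sample_current() {
    printf '%s\n' init syslogd nfsd cron ftpd gdm sshd nfsd
}

# Run the comparison on the constructed data; prints the unexpected names.
demo() {
    tmp=$(mktemp)
    sample_baseline | LC_ALL=C sort -u > "$tmp"
    sample_current | new_procs "$tmp"
    rm -f "$tmp"
}

demo
```

On the constructed data this prints `ftpd` and `nfsd`. Two caveats a practitioner would add: the baseline must be kept somewhere the machine cannot silently rewrite it (a CD, a print-out, another host), and `ps` itself reads `/proc`, so a kernel or user-space rootkit that hides its entries there also hides them from this comparison; for a box that is really suspect, the listing should be taken after booting from known-good media.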
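Mike's point about port 25 generalises: `nmap localhost` says which ports answer, but not which process owns them or whether they are bound to 127.0.0.1 only or to every interface, and that second question is the one that matters for "can the network reach this". `netstat -tlnp` (run as root so the PID/Program column is filled in) answers both. Below is an added example, not output from either machine in the thread: a constructed `netstat -tlnp` table built to match the daemons visible in the two `ps -A` listings, plus two awk filters over it. Two details worth noting from the constructed table: TCP 783 is the default port of SpamAssassin's `spamd`, which appears in the second listing, whereas `ntpd` speaks UDP 123 and does not show up in a default nmap TCP scan at all; and the 2049 entry has no owner because nfsd is a kernel thread.

```shell
# Added example: map listening TCP ports to their owning process and bind
# address.  The table is constructed to match the thread's process listings;
# it is not real netstat output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7078/master
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      6496/spamd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      8171/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      8388/sshd
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      8664/miniserv.pl
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
EOF
}

# "port owner" for every TCP listener, from netstat -tlnp lines on stdin.
# The port is the last colon-separated field of Local Address, which also
# works for IPv6 forms such as :::22.
listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n], $7 }'
}

# Only the listeners another host could reach: anything not bound to
# loopback (127.x.x.x or ::1).  A daemon that legitimately exists but is
# bound to 0.0.0.0 is still exposed and still needs a reason to be.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 !~ /^127\./ && $4 !~ /^::1:/ { print $4, $7 }'
}

# Live use:  sudo netstat -tlnp | exposed_listeners
sample_netstat | exposed_listeners
```

On the constructed table this prints sshd, miniserv.pl (Webmin) and the kernel nfsd on 0.0.0.0, while the mail server, spamd and cupsd on 127.0.0.1 are omitted. The same bind-address check is why a listening port 25 on loopback is what a local MTA looks like rather than evidence of compromise; a listener you cannot name on 0.0.0.0 is the one to chase.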




