intrusion detected
Matt Patterson
matt at v8zman.com
Sun Aug 21 15:25:45 UTC 2005
Thanks for the reminder. I installed it to do some apache admin, but in
the end decided to just do it all by hand since I had some old config
files lying around. I simply forgot to uninstall it. Gone now!
Matt
MrKnisely wrote:
> Matt Patterson wrote:
>
>> I did indeed mean "the". I type a lot and tend to get lazy when
>> chatting and writing email.
>>
>> As for checking your process list, you can use things like "System
>> Monitor" or just start a terminal and do "ps -A". The best way to
>> figure out what is supposed to be running on a Hoary system is to
>> take inventory before the machine is ever connected to the network.
>>
>>
>> Here is my process list (pretty sure my machine is clean):
>>
>> mpatterson at mattrp:~ $ ps -A
>> PID TTY TIME CMD
>> 1 ? 00:00:00 init
>> 2 ? 00:00:00 migration/0
>> 3 ? 00:00:00 ksoftirqd/0
>> 4 ? 00:00:00 migration/1
>> 5 ? 00:00:00 ksoftirqd/1
>> 6 ? 00:00:00 events/0
>> 7 ? 00:00:00 events/1
>> 8 ? 00:00:00 khelper
>> 21 ? 00:00:00 kacpid
>> 84 ? 00:00:01 kblockd/0
>> 85 ? 00:00:01 kblockd/1
>> 119 ? 00:00:03 pdflush
>> 120 ? 00:00:02 pdflush
>> 122 ? 00:00:00 aio/0
>> 123 ? 00:00:00 aio/1
>> 121 ? 00:00:27 kswapd0
>> 710 ? 00:00:00 kseriod
>> 1122 ? 00:00:21 kjournald
>> 1147 ? 00:00:00 udevd
>> 4023 ? 00:00:00 kjournald
>> 4024 ? 00:00:00 kjournald
>> 4852 ? 00:00:00 khubd
>> 6768 ? 00:00:00 portmap
>> 7139 ? 00:00:00 dd
>> 7141 ? 00:00:00 klogd
>> 7155 ? 00:00:01 apcupsd
>> 7162 ? 00:00:00 gdm
>> 7171 ? 00:00:00 gdm
>> 7398 ? 05:46:49 Xorg
>> 7913 ? 00:00:00 dbus-daemon-1
>> 7925 ? 00:03:42 hald
>> 7942 ? 00:00:00 inetd
>> 8140 ? 00:00:00 nfsd
>> 8141 ? 00:00:00 nfsd
>> 8142 ? 00:00:00 nfsd
>> 8143 ? 00:00:00 nfsd
>> 8144 ? 00:00:00 nfsd
>> 8145 ? 00:00:00 nfsd
>> 8146 ? 00:00:00 nfsd
>> 8147 ? 00:00:00 nfsd
>> 8149 ? 00:00:00 lockd
>> 8150 ? 00:00:00 rpciod
>> 8153 ? 00:00:00 rpc.mountd
>> 8215 ? 00:00:00 master
>> 8226 ? 00:00:00 qmgr
>> 8370 ? 00:00:00 nmbd
>> 8372 ? 00:00:00 smbd
>> 8382 ? 00:00:00 smbd
>> 8388 ? 00:00:00 sshd
>> 8403 ? 00:00:00 rpc.statd
>> 8421 ? 00:00:01 ntpd
>> 8448 ? 00:00:00 atd
>> 8459 ? 00:00:00 cron
>> 8532 ? 00:00:00 vmnet-bridge
>> 8542 ? 00:00:00 apache
>> 8558 tty1 00:00:00 getty
>> 8559 tty2 00:00:00 getty
>> 8560 tty3 00:00:00 getty
>> 8561 tty4 00:00:00 getty
>> 8562 tty5 00:00:00 getty
>> 8563 tty6 00:00:00 getty
>> 8664 ? 00:00:00 miniserv.pl
>> 8668 ? 00:00:09 gnome-session
>> 8715 ? 00:00:00 gpg-agent
>> 8718 ? 00:00:00 ssh-agent
>> 8721 ? 00:00:00 dbus-launch
>> 8722 ? 00:00:00 dbus-daemon-1
>> 8724 ? 00:00:02 gconfd-2
>> 8727 ? 00:00:00 gnome-keyring-d
>> 8729 ? 00:02:52 esd
>> 8731 ? 00:00:00 bonobo-activati
>> 8733 ? 00:00:43 gnome-settings-
>> 8736 ? 00:00:10 gam_server
>> 8748 ? 00:02:16 xscreensaver
>> 8773 ? 00:00:17 gnome-smproxy
>> 8775 ? 00:01:32 metacity
>> 8777 ? 00:00:07 gnome-volume-ma
>> 8779 ? 00:00:44 nautilus
>> 8781 ? 00:00:32 gnome-panel
>> 8785 ? 00:02:37 gnome-cups-icon
>> 8789 ? 00:02:24 xmms
>> 8796 ? 00:00:00 gnome-vfs-daemo
>> 8797 ? 00:01:29 ksensors
>> 8806 ? 00:01:44 wnck-applet
>> 8807 ? 00:00:00 kdeinit
>> 8811 ? 00:00:00 dcopserver
>> 8814 ? 00:00:00 mapping-daemon
>> 8815 ? 00:00:00 klauncher
>> 8826 ? 00:00:19 kded
>> 8834 ? 00:00:04 korgac
>> 8841 ? 00:00:10 trashapplet
>> 8848 ? 00:00:15 mixer_applet2
>> 8850 ? 00:00:06 notification-ar
>> 8852 ? 00:00:16 clock-applet
>> 8854 ? 00:00:10 mini_commander_
>> 9141 ? 00:11:17 xemacs
>> 9204 ? 00:01:02 gnome-terminal
>> 9205 ? 00:00:00 gnome-pty-helpe
>> 9206 pts/0 00:00:00 bash
>> 9213 ? 00:00:00 ssh-agent
>> 9358 ? 00:00:00 gksudo
>> 9361 ? 00:00:00 sudo
>> 9362 ? 00:16:58 vmware
>> 9368 ? 07:04:48 vmware-vmx
>> 9369 ? 00:00:00 vmware-vmx
>> 9405 ? 00:18:00 smbd
>> 9512 ? 03:34:04 firefox-bin
>> 10805 pts/1 00:00:00 bash
>> 13615 ? 00:02:12 xemacs
>> 13731 ? 00:00:57 python
>> 24945 ? 00:08:58 gaim
>> 30366 ? 00:00:00 mozilla-thunder
>> 30397 ? 00:00:00 run-mozilla.sh
>> 30402 ? 00:08:12 mozilla-thunder
>> 14303 ? 00:04:25 java_vm
>> 15856 ? 00:00:00 acpid
>> 15906 ? 00:00:00 apache
>> 15907 ? 00:00:00 apache
>> 19961 ? 00:05:08 smbd
>> 3058 ? 00:00:17 cupsd
>> 3496 ? 00:00:00 syslogd
>> 6191 ? 00:00:00 apache
>> 11097 ? 00:00:14 soffice.bin
>> 11652 ? 00:00:00 evolution-data-
>> 11655 ? 00:00:00 evolution-excha
>> 11906 ? 00:00:00 pickup
>> 11916 pts/2 00:00:00 bash
>> 11919 pts/2 00:00:00 ps
>>
>> Obviously I do a little more than the average Joe with my machine.
>> But things to look at are nfsd, apache, smbd, nmbd, sshd, and ftpd. If
>> you haven't installed those but they are running anyway, something
>> might be wrong.
>>
>>
>>
>> You can also do an nmap scan on your machine:
>>
>> mpatterson at mattrp:~ $ nmap localhost
>>
>> Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-08 17:53 EDT
>> Interesting ports on localhost.localdomain (127.0.0.1):
>> (The 1652 ports scanned but not shown below are in state: closed)
>> PORT STATE SERVICE
>> 22/tcp open ssh
>> 25/tcp open smtp
>> 80/tcp open http
>> 111/tcp open rpcbind
>> 139/tcp open netbios-ssn
>> 445/tcp open microsoft-ds
>> 631/tcp open ipp
>> 700/tcp open unknown
>> 953/tcp open rndc
>> 2049/tcp open nfs
>> 10000/tcp open snet-sensor-mgmt
>>
>> Nmap run completed -- 1 IP address (1 host up) scanned in 0.228 seconds
>>
>> I can account for every port that is open on my machine, so I feel
>> reasonably safe.
>>
>> Matt
>>
>>
>>
>>
>> Peter Garrett wrote:
>>
>>> On Mon, 08 Aug 2005 20:13:16 +0200
>>> "J.Markoll" <j.markoll at free.fr> wrote:
>>>
>>>
>>>
>>>> Matt Patterson wrote:
>>>>
>>>>
>>>>> The best tools for checking zombifying is just looking at hte
>>>>> running processes.
>>>>
>>>>
>>>> Please, what does 'hte' mean here? I looked in 5 or 6
>>>> dictionaries online and didn't find any logical answer in the
>>>> context here. Surely it does not mean 'High-temperature
>>>> electrolysis'?
>>>>
>>>
>>>
>>>
>>> I think it was meant to be "the" ;-)
>>>
>>>
>>>
>>
>>
> Running Webmin I see... what do you manage with webmin?
>
> Mike K.
>
More information about the ubuntu-users mailing list
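The advice in the quoted message (take inventory before the machine is ever connected to the network, then make sure you can account for every process and open port) turned into a repeatable check. This is an added example, not code from the thread, from Ubuntu, or from any of the posters; it assumes a ps that accepts -o comm= and iproute2's ss(8) (on a 2005-era box netstat -tuln gives the same information), and the /var/lib/inventory path, the function names and the demo data are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: record a baseline of running
# process names and listening ports on a clean install, then diff later
# snapshots against it. Anything new has to be explained, exactly as the
# poster does by hand with "ps -A" and "nmap localhost".

LC_ALL=C; export LC_ALL   # fixed collation so sort(1) and comm(1) agree

# Distinct command names of every running process, sorted for comm(1).
snapshot_procs() {
    ps -A -o comm= | sort -u
}

# Listening TCP/UDP sockets as "tcp 22"-style lines. ss prints the local
# address in column 5 ("0.0.0.0:22", "[::]:22", "*:631"); the port is the
# text after the last colon. Assumes iproute2's ss with -H (no header).
snapshot_ports() {
    ss -H -tuln | awk '{ n = split($5, a, ":"); print $1, a[n] }' | sort -u
}

# Lines present in the current snapshot ($2) but absent from the baseline ($1).
# Both inputs must be sorted; the snapshot_* helpers guarantee that.
new_entries() {
    comm -13 "$1" "$2"
}

# Record the baseline once, on a clean install before it goes on the network.
# /var/lib/inventory is an assumed location; any root-owned directory will do.
record_baseline() {
    dir=${1:-/var/lib/inventory}
    mkdir -p "$dir"
    snapshot_procs > "$dir/procs.baseline"
    snapshot_ports > "$dir/ports.baseline"
}

# Compare the live system against the baseline. Prints each unexplained
# process name or listener and returns 1 if there were any.
check_baseline() {
    dir=${1:-/var/lib/inventory}
    tmp=$(mktemp -d) || return 2
    snapshot_procs > "$tmp/procs"
    snapshot_ports > "$tmp/ports"
    procs=$(new_entries "$dir/procs.baseline" "$tmp/procs")
    ports=$(new_entries "$dir/ports.baseline" "$tmp/ports")
    rm -rf "$tmp"
    status=0
    if [ -n "$procs" ]; then
        printf '%s\n' "$procs" | sed 's/^/unexpected process: /'
        status=1
    fi
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports" | sed 's/^/unexpected listener: /'
        status=1
    fi
    return "$status"
}

# Offline demonstration on constructed data (not captured from a real host):
# the baseline holds daemons like the ones the poster could account for; the
# later snapshot has grown an ftpd and a listener on tcp/21.
demo_check() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' apache cron nfsd nmbd smbd sshd | sort > "$tmp/procs.baseline"
    printf '%s\n' 'tcp 22' 'tcp 80' 'tcp 2049' | sort > "$tmp/ports.baseline"
    printf '%s\n' apache cron ftpd nfsd nmbd smbd sshd | sort > "$tmp/procs"
    printf '%s\n' 'tcp 21' 'tcp 22' 'tcp 80' 'tcp 2049' | sort > "$tmp/ports"
    new_entries "$tmp/procs.baseline" "$tmp/procs"   # prints: ftpd
    new_entries "$tmp/ports.baseline" "$tmp/ports"   # prints: tcp 21
    rm -rf "$tmp"
}
```

On a real host run record_baseline as root once, before plugging the machine in, and check_baseline from cron afterwards; a non-zero exit means the process list or the listening ports no longer match what you installed. The comparison is only as good as the baseline, so take it from a known-clean install, and keep the baseline files somewhere an intruder with a user shell cannot rewrite them.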