
Thread: Searching to understand some system modifications

  1. #1
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,645

    Question Searching to understand some system modifications

    I had some problems in the past with people loving very much to go in and out of my machine. So this time when I noted strange behavior, I went through \var\log\messages and found:
    Code:
    Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/sftp-ssh.service.
    Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/ssh.service.
    Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Network interface enumeration completed.
    Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Registering HINFO record with values 'I686'/'LINUX'.
    Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Server startup complete. Host name is linux-2c5j.local. Local service cookie is 974136706.
    Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Service "linux-2c5j" (/etc/avahi/services/ssh.service) successfully established.
    Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Service "SFTP File Transfer on linux-2c5j" (/etc/avahi/services/sftp-ssh.service) successfully established.
    Feb  2 17:10:44 linux-2c5j modem-manager: Loaded plugin Sierra
    Now I did not activate an SFTP server or ssh server on my machine. Are they normally activated? Which program could be the one that activates these services, given a normal install? I also suddenly had the following alterations on the machine: privoxy was deactivated, tor was deactivated.
    The day before, umtsmon was crashing repeatedly. Unlike normally when it crashes (3G cellphone attached), there was no interruption of the Internet connection, as I would have expected.
    Another anomaly was that although I do use a LUKS-encrypted home partition, dm-crypt asks me to input the password to access sda4 in order to access the drive, but if I cancel, I do not have any problem accessing my data (as I would have expected, since I did input the right password at boot). All this leaves me a bit unsatisfied and not really reassured.

    Is there any way to see if somebody goes in and out here?
    Thanks.

    This is an 11.1, 32-bit.

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    14,737

    Default Re: Searching to understand some system modifications

    1) it is probably /var/log/messages and not \var\log\messages you are looking in.

    2) if you want to know if an FTP server is running in your system do
    Code:
    pa -ef | grep ftpd
    and see what it shows.

    3) if you want to know if an SSH server is running do
    Code:
    ps -ef | grep sshd
    and see what it shows.

    4) if you want to know on which ports servers are listening do
    Code:
    netstat -ltp
    and look if ftp and ssh are amongst them.

    You can also go to YaST > System > System services (runlevel) and see what is configured to run. And do not forget to check the xinetd configuration.
    Henk van Velden

  3. #3
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,645

    Default Re: Searching to understand some system modifications

    Code:
    usr@linux-2c5j:~> pa -ef | grep ftpd
    bash: pa: command not found
    user@linux-2c5j:~> pa -ef | grep ftpd
    bash: pa: command not found
    user@linux-2c5j:~> ps -ef | grep ftpd
    user      5590  3866  0 18:02 pts/1    00:00:00 grep ftpd
    user@linux-2c5j:~> ps -ef | grep sshd
    user     5594  3866  0 18:03 pts/1    00:00:00 grep sshd
    user@linux-2c5j:~> netstat -ltp
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 localhost:privoxy       *:*                     LISTEN      -
    tcp        0      0 localhost:ipp           *:*                     LISTEN      -
    tcp        0      0 localhost:9050          *:*                     LISTEN      -
    tcp        0      0 localhost:ipp           *:*                     LISTEN      -
    My settings in runlevel:
    sshd : NO
    xinetd: NO
    cups: YES
    tor: YES*
    Privoxy: YES
    (these 3 I did activate; my printer does actually not print without cups). They were activated before the problem occurred, but I found them deactivated yesterday.
    I do not understand why these servers are active. I have also trouble understanding what is pts/1.

    No ftp server is set up in the runlevels... but apparently it runs.

  4. #4
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    14,737

    Default Re: Searching to understand some system modifications

    Sorry about my typo: it is ps not pa, but you did find that out already.

    It seems that avahi is doing things. When you do not use the zero conf network (and when you have no Windows systems in the LAN that is pretty sure), you can switch off both avahi services in YaST > System > System services (runlevel).

    There is no ftp daemon running because:
    a) there is no process with a name that ends in ftpd (like sftpd)
    b) more important, there is no program listening on port 21 (ftp) or 22 (ssh), thus no ftp client or ssh client can make a connection to your system.

    BTW you have a very clean list of open ports, only four, where one is for privoxy and two for cups (ipp). When you do the same netstat as root, you will see which program listens on the 9050 port. Looks very secure to me.
    Henk van Velden

  5. #5
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,645

    Default Re: Searching to understand some system modifications

    It "should" be very secure, but I have had really several troubles. Besides, this is what I do not understand: avahi IS deactivated. No zeroconf should be active. I also had trouble with the firewall. Automatically start the firewall was deactivated but the firewall was running. The command under root gives:
    Code:
    linux-2c5j:~ # netstat -ltp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 localhost:privoxy       *:*                     LISTEN      3201/privoxy
    tcp        0      0 localhost:ipp           *:*                     LISTEN      3211/cupsd
    tcp        0      0 localhost:9050          *:*                     LISTEN      3206/tor
    tcp        0      0 localhost:ipp           *:*                     LISTEN      3211/cupsd

  6. #6
    Join Date
    Aug 2008
    Location
    Behind the 8 ball
    Posts
    116

    Default Re: Searching to understand some system modifications

    Code:
    user@linux-2c5j:~> ps -ef | grep ftpd
    user      5590  3866  0 18:02 pts/1    00:00:00 grep ftpd
    Your grep statement did not find an FTP process, it found your grep command.

    Try this
    Code:
    ps aux | grep ft[p]
    It should show nothing

  7. #7
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    14,737

    Default Re: Searching to understand some system modifications

    This again looks very good. But I am with you that the logging you show in the first post above is very strange then indeed. Did you check if avahi is running with ps?
    Henk van Velden

  8. #8
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    14,737

    Default Re: Searching to understand some system modifications

    Quote Originally Posted by jthiatt08 View Post
    Code:
    user@linux-2c5j:~> ps -ef | grep ftpd
    user      5590  3866  0 18:02 pts/1    00:00:00 grep ftpd
    Your grep statement did not find an FTP process, it found your grep command.

    Try this
    Code:
    ps aux | grep ft[p]
    It should show nothing
    We do understand that. You can read from our discussion that we concluded already that no ftp and/or ssh daemon is running.
    Henk van Velden

  9. #9
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    13,975
    Blog Entries
    12

    Default Re: Searching to understand some system modifications

    I'm with Henk. If someone does come in, you should find an entry in /var/log/messages. At least one, if the attacker managed to disable log entries. Or, in the compressed bz file containing the old messages entries.

    BTW, @stakanov: you know your 11.1 is past its end of life? If your concern about your security still is as high as I remember, I suggest you upgrade to 11.3 or 11.4; that would at least give you an up-to-date system with the latest security features.
    - Athlon X6 3.6 GHz, 16 GB DDR3, 30 GB SSD, 3 TB of disks, GT540, openSUSE 12.2 x86_64 + KDE 4.10 + GNOME 3
    - ASUS A73SD, Intel + GT610M Optimus, 6 GB, 120 GB SSD, openSUSE Tumbleweed

    Anything that can go wrong.... will teach us

    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht
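The three checks discussed in posts #2, #6 and #9 (is a daemon really running, what is listening and reachable from the network, and did anyone actually log in over ssh) fit in one small script. The block below is an added example, not code posted by anyone in the thread. It reads plain text so it can be run against the output pasted above or against a live machine as root. It assumes the standard OpenSSH "Accepted ... for USER from IP" log line, openSUSE's messages-YYYYMMDD.bz2 rotation (gzip is handled too), and the sample netstat input is constructed: the four loopback lines from post #5 plus one invented `*:ssh 4242/sshd` line showing what an exposed sshd would look like.

```sh
#!/bin/sh
# Added example, not code posted in the thread: three small audit checks.

# 1) Self-safe grep pattern (post #6). "ftpd" becomes "ftp[d]": that regex
#    still matches a real "ftpd" process, but the grep command line itself
#    now contains the literal text "ftp[d]", which the regex does not match,
#    so grep no longer reports itself. (The "pts/1" in the ps output above is
#    only the pseudo-terminal the grep was typed on, nothing more.)
bracket_pattern() {
    name=$1
    head=${name%?}            # all but the last character
    last=${name#"$head"}      # the last character
    printf '%s[%s]\n' "$head" "$last"
}

# Live equivalent of "ps aux | grep ft[p]"; prints nothing when no such
# process exists.
running_procs() {
    ps aux | grep "$(bracket_pattern "$1")"
}

# 2) Listeners reachable from the network (post #2's "netstat -ltp").
#    Run netstat as root so the PID/Program name column is filled in.
#    Sockets bound to localhost, 127.0.0.1 or ::1 are only reachable from the
#    machine itself and are dropped; what remains is what a remote client
#    could actually connect to.
external_listeners() {
    awk '$1 ~ /^(tcp|tcp6|udp|udp6)$/ {
             n = split($4, a, ":")            # "localhost:ipp" -> host "localhost"
             host = (n > 1) ? a[1] : $4
             if (host == "localhost" || host == "ip6-localhost" ||
                 host == "127.0.0.1" || host == "::1") next
             print $4, $NF                    # local address, PID/program
         }'
}

# 3) Successful ssh logins in /var/log/messages and its rotated copies
#    (post #9). Assumes the standard OpenSSH line:
#    "sshd[PID]: Accepted <method> for <user> from <ip> port <n> ssh2".
ssh_logins() {
    dir=${1:-/var/log}
    for f in "$dir"/messages*; do
        [ -f "$f" ] || continue
        case $f in
            *.bz2) bzip2 -dc "$f" ;;
            *.gz)  gzip -dc "$f" ;;
            *)     cat "$f" ;;
        esac
    done | awk '/sshd\[[0-9]+\]: Accepted / {
            user = ip = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            print $1, $2, $3, user, ip       # date, time, user, source address
        }'
}

# Constructed sample input: the root-run netstat output from post #5 plus one
# invented line (4242/sshd) showing an sshd bound to all interfaces.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:privoxy       *:*                     LISTEN      3201/privoxy
tcp        0      0 localhost:ipp           *:*                     LISTEN      3211/cupsd
tcp        0      0 localhost:9050          *:*                     LISTEN      3206/tor
tcp        0      0 localhost:ipp           *:*                     LISTEN      3211/cupsd
tcp        0      0 *:ssh                   *:*                     LISTEN      4242/sshd'

# The four loopback lines are dropped; only "*:ssh 4242/sshd" is printed.
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners
```

On a live box run `running_procs sshd`, `netstat -ltp | external_listeners` as root, and `ssh_logins` (it defaults to /var/log). An empty result from the second command is the real answer to "can anyone connect": a daemon bound only to localhost, like the tor, privoxy and cupsd entries above, is not reachable from the LAN at all.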

  10. #10
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,645

    Default Re: Searching to understand some system modifications

    Code:
    linux-2c5j:~ # ps aux | grep avahi{p]
    root      8251  0.0  0.0   2312   424 pts/1    S+   20:31   0:00 grep avahi{p]
    This is what I get under root. As user account no.
