Searching to understand some system modifications

I had some problems in the past with people loving very much to go in and out of my machine. So this time when I noted strange behavior, I went through \var\log\messages and found:

Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/sftp-ssh.service.
Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/ssh.service.
Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Network interface enumeration completed.
Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Registering HINFO record with values 'I686'/'LINUX'.
Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Server startup complete. Host name is linux-2c5j.local. Local service cookie is 974136706.
Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Service "linux-2c5j" (/etc/avahi/services/ssh.service) successfully established.
Feb  2 17:10:44 linux-2c5j avahi-daemon[3218]: Service "SFTP File Transfer on linux-2c5j" (/etc/avahi/services/sftp-ssh.service) successfully established.
Feb  2 17:10:44 linux-2c5j modem-manager: Loaded plugin Sierra

Now I did not activate an SFTP server or ssh server on my machine. Are they normally activated? Which program could be the one that activates these services, given a normal install? I also suddenly had the following alterations on the machine: privoxy was deactivated, tor was deactivated.
The day before, umtsmon was crashing repeatedly. Unlike normally when it crashes (with the 3G cellphone attached), there was no interruption of the Internet connection, as I would have expected.
Another anomaly was that although I do use a LUKS-encrypted home partition, dm-crypt asks me to input the password for sda4 in order to access the drive, but if I cancel, I have no problem accessing my data (as I would have expected, since I did input the right password at boot). All this leaves me a bit unsatisfied and not really reassured.

Is there any way to see if somebody goes in and out here?
Thanks.

This is an 11.1, 32 bit.

  1. It is probably /var/log/messages and not \var\log\messages you are looking in.

  2. If you want to know if an FTP server is running in your system do

pa -ef | grep ftpd

and see what it shows.

  3. If you want to know if an SSH server is running do

ps -ef | grep sshd

and see what it shows.

  4. If you want to know on which ports servers are listening do

netstat -ltp

and look if ftp and ssh are amongst them.

You can also go to YaST > System > System services (runlevel) and see what is configured to run. And do not forget to check the xinetd configuration.

usr@linux-2c5j:~> pa -ef | grep ftpd
bash: pa: command not found
user@linux-2c5j:~> pa -ef | grep ftpd
bash: pa: command not found
user@linux-2c5j:~> ps -ef | grep ftpd
user      5590  3866  0 18:02 pts/1    00:00:00 grep ftpd
user@linux-2c5j:~> ps -ef | grep sshd
user     5594  3866  0 18:03 pts/1    00:00:00 grep sshd
user@linux-2c5j:~> netstat -ltp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:privoxy       *:*                     LISTEN      -
tcp        0      0 localhost:ipp           *:*                     LISTEN      -
tcp        0      0 localhost:9050          *:*                     LISTEN      -
tcp        0      0 localhost:ipp           *:*                     LISTEN      -

My settings in runlevel:
sshd : NO
xinetd: NO
cups: YES
tor: YES*
Privoxy: YES
(these 3 I did activate; my printer does not print without cups). They were activated before the problem occurred, but I found them deactivated yesterday.
I do not understand why these servers are active. I also have trouble understanding what pts/1 is.

No ftp server is set up in the runlevels… but apparently it runs.

Sorry about my typo: it is ps, not pa, but you found that out already.

It seems that avahi is doing things. When you do not use the zeroconf network (and when you have no Windows systems in the LAN, that is pretty sure), you can switch off both avahi services in YaST > System > System services (runlevel).

There is no ftp daemon running because:
a) there is no process with a name that ends in ftpd (like sftpd)
b) more important, there is no program listening on port 21 (ftp) or 22 (ssh), thus no ftp client or ssh client can make a connection to your system.

BTW you have a very clean list of open ports, only four, where one is for privoxy and two for cups (ipp). When you do the same netstat as root, you will see which program listens on the 9050 port. Looks very secure to me.

It “should” be very secure, but I have really had several troubles. Besides, this is what I do not understand: avahi IS deactivated. No zeroconf should be active. I also had trouble with the firewall. Automatically starting the firewall was deactivated, but the firewall was running. The command under root gives:

linux-2c5j:~ # netstat -ltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:privoxy       *:*                     LISTEN      3201/privoxy
tcp        0      0 localhost:ipp           *:*                     LISTEN      3211/cupsd
tcp        0      0 localhost:9050          *:*                     LISTEN      3206/tor
tcp        0      0 localhost:ipp           *:*                     LISTEN      3211/cupsd


user@linux-2c5j:~> ps -ef | grep ftpd
user      5590  3866  0 18:02 pts/1    00:00:00 grep ftpd

Your grep statement did not find an FTP process, it found your grep command.

Try this


ps aux | grep ft[p]

It should show nothing

This again looks very good. But I am with you that the logging you show in the first post above is very strange then indeed. Did you check if avahi is running with ps?
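As an added example, not code from this thread, here is an offline version of the two checks recommended above (the process table and the listening ports), run over constructed samples copied from the outputs quoted in this thread; it compares the command-name field instead of grepping the whole line, which is why it never reports the grep process itself, the point made about ps -ef | grep ftpd. The sample strings and the function names listeners_on, daemon_pids and audit_service are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the "is a daemon running / is a port
# listening" checks over constructed samples. Feed real "ps aux" and
# "netstat -ltp" output into the functions to use them on a live system.

# Constructed sample: the root netstat -ltp listing quoted in the thread.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:privoxy       *:*                     LISTEN      3201/privoxy
tcp        0      0 localhost:ipp           *:*                     LISTEN      3211/cupsd
tcp        0      0 localhost:9050          *:*                     LISTEN      3206/tor
tcp        0      0 localhost:ipp           *:*                     LISTEN      3211/cupsd'

# Constructed sample process table, including the grep that
# "ps -ef | grep ftpd" matches: its own command line contains "ftpd".
PS_SAMPLE='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      3211  0.0  0.1   9876  2100 ?        Ss   17:10   0:00 /usr/sbin/cupsd
root      3206  0.0  0.1   7654  1800 ?        Ss   17:10   0:00 /usr/sbin/tor
user      5590  0.0  0.0   2312   420 pts/1    S+   18:02   0:00 grep ftpd'

# listeners_on PATTERN: read netstat -ltp output on stdin and print the
# PID/Program of every LISTEN socket whose local port matches PATTERN,
# e.g. "ftp|21" (netstat shows names from /etc/services, so check both).
listeners_on() {
    awk -v want="$1" '$6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)
        if (port ~ ("^(" want ")$")) print $7
    }'
}

# daemon_pids NAME: read ps aux output on stdin and print the PIDs whose
# executable basename is NAME. Comparing only the command field is what
# keeps the grep process (command "grep") out of the result.
daemon_pids() {
    awk -v want="$1" 'NR > 1 {
        cmd = $11; sub(/.*\//, "", cmd); sub(/:$/, "", cmd)  # also "sshd:" forms
        if (cmd == want) print $2
    }'
}

# audit_service NAME PORTS: "absent" when neither a process nor a listener
# exists, otherwise "present" (the thread's two checks combined).
audit_service() {
    pids=$(printf '%s\n' "$PS_SAMPLE" | daemon_pids "$1")
    ports=$(printf '%s\n' "$NETSTAT_SAMPLE" | listeners_on "$2")
    if [ -z "$pids" ] && [ -z "$ports" ]; then echo absent; else echo present; fi
}

audit_service ftpd  'ftp|21'   # absent: no process and nothing on port 21
audit_service sshd  'ssh|22'   # absent: no process and nothing on port 22
audit_service cupsd 'ipp|631'  # present
```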

We do understand that. You can read from our discussion that we already concluded that no ftp and/or ssh daemon is running.

I’m with Henk. If someone does come in, you should find an entry in /var/log/messages. At least one, if the attacker managed to disable log entries. Or, in the compressed bz file containing the old messages entries.

BTW, @stakanov: you know your 11.1 is past its life's end? If your concern about your security is still as high as I remember, I suggest you upgrade to 11.3 or 11.4; that would at least give you an up-to-date system with the latest security features.

linux-2c5j:~ # ps aux | grep avahi{p]
root      8251  0.0  0.0   2312   424 pts/1    S+   20:31   0:00 grep avahi{p]

This is what I get under root. As user account no.

11.4 is on the plan after the last days, as you can imagine. But I will not be able to do it right away when it comes out (due to organizational problems).

You are using a curly brace { and then a bracket ]
You should use an open bracket [ and a closed bracket ]

If that’s too confusing use an inverted match like so


ps aux | grep avahi | grep -v grep

Please repeat this without the silly {p] at the end.
It should give the same under root as under a normal user, looking in the process table is not restricted to root.

And what about YaST > System > Systemservices (runlevel)? Are the two avahi services switched on there? Then switch them off.

LOL, no, it is that at this time of the day on a 12’’ I have a sight problem, so I did not mean to use a curly one, sorry. With the user account I did actually not repeat the error. Maybe I need glasses…or a bigger screen.

ps aux | grep avahi[p]

as root gives nothing (which is good)

PLEASE, I asked you to leave out the {p], not to replace it by [p] or something else!

And why did you not answer my second question about the YaST runlevel config?

linux-2c5j:~ # ps aux | grep avahi
root      8499  0.0  0.0   2312   420 pts/1    S+   21:31   0:00 grep avahi

As for the runlevel, I thought I had answered the question in post nr 3.
Zeroconf is NO

 8518  0.0  0.0   3312   732 pts/1    S+   21:34   0:00 grep avahi

under normal user.

Thanks for the output. It shows that avahi does not run.

My second question was not about the runlevel you use but:

And what about YaST > System > Systemservices (runlevel)? Are the two avahi services switched on there? Then switch them off.

It is just an extra check, it should show both avahi services as off because we just proved that it is not running.

When avahi is off (as we showed now), I do not understand at all why you have avahi messages in the logging.

Yes, I know. This was the reason why I got … surprised.

Understatement :question:

I am closing down for today. Maybe the night brings some insight :wink:

On 2011-02-24 17:36, stakanov wrote:
>
> I had some problems in the past with people loving very much to go in
> and out of my machine. So this time when I noted strange behavior, I
> went through \var\log\messages and found:
>
> Code:
> --------------------
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/sftp-ssh.service.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Loading service file /etc/avahi/services/ssh.service.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Network interface enumeration completed.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Registering HINFO record with values ‘I686’/‘LINUX’.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Server startup complete. Host name is linux-2c5j.local. Local service cookie is 974136706.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Service “linux-2c5j” (/etc/avahi/services/ssh.service) successfully established.
> Feb 2 17:10:44 linux-2c5j avahi-daemon[3218]: Service “SFTP File Transfer on linux-2c5j” (/etc/avahi/services/sftp-ssh.service) successfully established.
> Feb 2 17:10:44 linux-2c5j modem-manager: Loaded plugin Sierra
> --------------------
>
>
> Now I did not activate SFTP server or ssh server on my machine.

The SFTP I think stands for secure ftp, and thus it depends on the sshd
daemon. And obviously, avahi was running at that time; maybe you stopped
those services later. Probably it does not mean that sshd/sftpd are
running, but that avahi awareness of them is enabled.

Run this as root:

for I in avahi-daemon avahi-dnsconfd sshd ; do chkconfig $I ; done

avahi-daemon is a difficult service to remove, the system will insist on
re-enabling/reinstalling it.

> Another anomaly was that although I did use luks encrypted home
> partition, the dm-crypt asks to input the password to access sda4 in
> order to access the drive, but if I cancel, I do not have any problem to
> access my data (as I would have expected, since I did input the right
> password at boot). All this leaves my a bit unsatisfied and not really
> reassured.

I don’t understand this. Could you explain again, please?

Let me see… I think you mean that the system asks for the password to
encrypted sda4, during the boot-up sequence. Later on something asks again
for the password, you cancel, and still you can access sda4.

Is that it? That would be a bug (not dangerous), which will not be solved
as 11.1 is EOL. The bug is that it does not verify that the partition is
already accessible.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)