Your system is running an IPS attack…???

Blocked because of IPS attack

An attack was detected, originating from your system. Please contact the system administrator.

This message was given during a login to a local wifi. I was then denied login several times. I ran chkhunter and it gave me just this line of suspicious output:

! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa 

Which did not really help me. Since I have the feeling that the system behaves oddly, I am now running a scan with ClamAV and will probably reinstall to be sure. This happened after a third person had physical access to the PC by plugging an external USB HDD into my machine. He then stated (and this of course I could not know) that his PC (Windows) has no antivirus (because it always nags him about being full of viruses, what logic!!!) and his HDD was full of exe files he did not know of. I did not pay too much attention, but this IPS warning today rang quite a bit more than a bell. File permissions were on secure, the whole machine was updated and no file was opened. So if I have any problem it must (obligatorily) be an exploit using the USB function. YaST showed malfunctioning thereafter and also, strangely enough, calling yast on a console… opened Firefox. Curious.
Anyway, I wanted to know if I have full paranoia (and there is a known problem with server software stating that you are running IPS attacks) or if this seems to be a real problem.
Posted it here because, since the problem is absolutely exotic on a laptop machine, we do not have a group to host this request.
Logging in on the same network this afternoon does not give the error any more.

On 2010-10-01 14:36, stakanov wrote:
>
>> Blocked because of IPS attack
>>
>>
>> An attack was detected, originating from your system. Please contact
>> the system administrator.
>
> This message was given during a login to a local wifi. I was denied
> then several times to login.

I do not understand that message; and as you mention you had no problem connecting today, it was
probably false.

You should contact the administrator of that system and ask him to specify what attack exactly he
was referring to.

I searched for “IPS attack” on Wikipedia, and found none. IPS stands for “Intrusion-prevention
system”; it is not an attack.

<http://en.wikipedia.org/wiki/Denial-of-service_attack#IPS_based_prevention>
<http://en.wikipedia.org/wiki/Intrusion-prevention_system>

IPS is the system that the server uses to detect attacks from others, but they have to tell you what
attack it was.

While searching for this in Google, I just accidentally went to a page that claimed to be scanning
my system for viruses, and finding them, in C:\ which I don’t have. It is obviously faking it all.
It claims to have found viruses, and triggers download and opening of a “packupdate107_2204.exe”,
which I’m sure is a trojan, but clamav does not detect it. Antivir does (TR/Dropper.Gen).

No problem :-)

> Which did not really help me. Since I have the feeling that the system
> behaves oddly, I do run now a scan with ClamAV and will probably
> reinstall to be sure.

Don’t reinstall.

> This happened after a third person had physical
> access to the PC by plugging an external USB HDD into my machine. He then
> stated (and this of course I could not know) that his PC (Windows) has
> no antivirus (because it always nags him about being full of viruses, what
> logic!!!) and his HDD was full of exe files he did not know of.

Notice that “exes” cannot run on Linux, even if you “open” them.

I have a directory with some viruses. I “open” them with ease of mind, they are innocuous for me.
They don’t “run”.

The only way they can harm you is if you intentionally open them with wine, or load them into a
virtual machine with windows.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

As Carlos has said, it’s probably a lame attempt to dupe an unsuspecting Windows person into installing a trojan onto their machine. What you got doesn’t make sense, because the IPS intercepts bad traffic, attempts to remove the harmful part and reports the details about the attack to the sysadmin. It would not send the offender a message about them sending an IPS attack, but it may trigger the server to send out a flat “site unavailable or unreachable” response.

Rick

A lot of IPS systems report false positives. So, don’t worry.
Also, I am pretty sure that a Windoze machine cannot inject a virus into your machine via a USB stick.

Hello everybody and thanks to all.
I was somewhat worried because the system behaved oddly afterwards. Still, it is true that I do not know of any USB-wise attacks. I will however change to a policy of exchanging files only over the internet with my productive machine. I somehow do not trust the USB port (my machine is still running HAL and I do not know how well maintained it is).

@Carlos: kind of you to remind me; in fact I always state that there is no need for an antivirus (as there are only very few malware implementations around). However, I have to admit to my dismay that I sometimes have to deal with very creepy people trying to give me some “surprise”, to say the least. And they do not have it written on their forehead: “I am one of the bad boys”. So I was worried about something quite “personalized”.

Besides: does anybody know the function of this line?

! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa

chkrootkithunter complained about it and asked that I should look into it. In other words, it did not expect to find that line of code. Apparently it is a root process, running with authorisation, running on TCP? I would just like to understand the procedure that it is running and why. I did not even know that I had configured tty7…

That is for X. It occupies tty7.
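To make that rkhunter line concrete, here is an added example (not from the thread, from rkhunter or from openSUSE) that decodes the quoted Xorg command line and then checks, using ss or netstat when one of them is installed, whether anything actually listens on the X TCP port for that display. It assumes the “! user pid tty command” layout of the line quoted above; the sample line is copied from the thread and the TCP port rule (6000 plus the display number) is the one the X protocol uses.

```shell
#!/bin/sh
# Added example: decode an Xorg process line as printed by rkhunter/chkrootkit
# and verify the "no TCP" claim against the live socket table.
# "-nolisten tcp" means the X server only accepts local (UNIX socket) clients,
# so the line is expected on a desktop and is not, by itself, a sign of compromise.
# The "-auth" file is the per-session MIT-MAGIC-COOKIE file xdm hands to X.

# Sample line, copied from the thread.
SAMPLE_LINE='! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa'

# xorg_tcp_disabled LINE -> 0 if the command line carries "-nolisten tcp", else 1
xorg_tcp_disabled() {
    case " $1 " in
        *" -nolisten tcp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# xorg_display LINE -> prints the display argument (e.g. ":0"), 1 if none found
xorg_display() {
    for tok in $1; do
        case "$tok" in
            :[0-9]*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# x_tcp_port DISPLAY -> prints the TCP port X would use: 6000 + display number
x_tcp_port() {
    n=${1#:}        # drop the leading colon
    n=${n%%.*}      # drop a ".screen" suffix if present
    echo $((6000 + n))
}

# x_port_listening PORT -> 0 if a TCP listener is bound to PORT, 1 if not,
# 2 if neither ss nor netstat is available (live check skipped)
x_port_listening() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p=":$port" '$4 ~ p"$" {found=1} END {exit !found}'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk -v p=":$port" '$4 ~ p"$" {found=1} END {exit !found}'
    else
        return 2
    fi
}

# Report on the sample line, then check the live system.
if xorg_tcp_disabled "$SAMPLE_LINE"; then
    echo "Xorg started with -nolisten tcp: no X TCP listener expected"
else
    echo "Xorg accepts TCP clients (no -nolisten tcp on the command line)"
fi
display=$(xorg_display "$SAMPLE_LINE") || display=":0"
port=$(x_tcp_port "$display")
if x_port_listening "$port"; then
    echo "WARNING: something is listening on tcp/$port for display $display"
else
    echo "nothing listening on tcp/$port (or no ss/netstat available to check)"
fi
```

On a system where the line matches the thread, the live check should report nothing on tcp/6000; a listener there despite `-nolisten tcp` would be worth explaining, since it would not be this X server.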

stakanov wrote:
> Still it is true that I do not know of a usb-wise attacks.

Attacking via removable devices is as old as the hills… back in the
early ’90s the easiest way to get infected was to insert an infected
floppy and bingo, your machine was infected and it would infect
every floppy inserted (that was not write protected)…

and, the latest cyber warfare virus was created to infect via USB, see:

http://www.google.com/search?q=Stuxnet+USB

That it targeted Windows machines is known… but, with some thinking, I
don’t see why it couldn’t be an attack vector for the unsuspecting
Linux user… just package some evil in an RPM, give ’em a USB key and
tell ’em to install the new game/application/etc with YaST… bingo!


DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]
When it comes to chocolate, resistance is futile.

On 2010-10-02 13:06, stakanov wrote:
>
> Hello everybody and thanks to all.
> I was somewhat worried because the system behaved oddly afterwards.
> Still, it is true that I do not know of any USB-wise attacks. I will
> however change to a policy of exchanging files only over the
> internet with my productive machine. I somehow do not trust the USB port
> (my machine is still running HAL and I do not know how well maintained it
> is).

HAL is not a problem. The content on the disk might be. Just make sure that the desktop is set to
mount the device and open it in a file browser, but not to open files by default, and even less to run them.

That’s all.

If the computer behaves oddly, then investigate.

Actually, I would trust more a usb disk than an internet connection. Even if it comes from a
doubtful source.

> @Carlos: kind of you to remind me; in fact I always state that there is
> no need for an antivirus (as there are only very few malware
> implementations around). However, I have to admit to my dismay that I
> sometimes have to deal with very creepy people trying to give me some
> “surprise”, to say the least. And they do not have it written on their
> forehead: “I am one of the bad boys”. So I was worried about something quite
> “personalized”.

Personalized malware can be a real danger. If you are the target of such things… uff :-(

> Besides: does anybody know the function of this line?
>
> Code:
> --------------------
> ! root 3279 tty7 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-3pWgAa
> --------------------
>
>
> chkrootkithunter complained about it and asked I shall look after. With
> other words it did not expect to find that line of code. Apparently it
> is a root process, running with autorisation running on tcp? I would
> just like to understand the procedure that it is running and why. I did
> not even know that I have configured tty7…

I don’t have it. I have the directory, not the file (11.2, GNOME). I think that file could
appear/disappear depending on circumstances.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
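Carlos’s advice (mount it, browse it, don’t open or run anything from it) can be enforced at the mount layer rather than left to desktop settings: a removable filesystem mounted with noexec, nosuid and nodev cannot directly execute binaries, grant setuid privileges or expose device nodes. The following is an added example, not from the thread or from any distribution, that audits mount entries in /proc/mounts format and flags removable mounts missing those options. The sample mount lines are constructed for the example, and the assumption that removable media live under /media, /run/media or /mnt is mine.

```shell
#!/bin/sh
# Added example: audit removable-media mounts for noexec, nosuid and nodev.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

# Constructed sample: a root filesystem, a hardened USB stick and a weak external HDD.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /media/USBDISK vfat rw,nosuid,nodev,noexec,relatime,uid=1000,gid=100 0 0
/dev/sdc1 /run/media/user/EXTHDD ntfs rw,relatime,uid=1000 0 0'

# mount_has_option OPTIONS OPTION -> 0 if OPTION appears in comma-separated OPTIONS
mount_has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_removable_mountpoint MOUNTPOINT -> 0 if it is where removable media get mounted
# (assumption: /media, /run/media and /mnt)
is_removable_mountpoint() {
    case "$1" in
        /media/*|/run/media/*|/mnt/*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_hardening_options OPTIONS -> prints the hardening options not present,
# space separated, in the order noexec nosuid nodev; prints nothing if all are set
missing_hardening_options() {
    missing=""
    for opt in noexec nosuid nodev; do
        mount_has_option "$1" "$opt" || missing="$missing $opt"
    done
    printf '%s\n' "${missing# }"
}

# audit_mounts: reads mount lines from stdin, prints one verdict per removable
# mount, returns 0 if every removable mount is hardened and 1 otherwise
audit_mounts() {
    rc=0
    while read -r dev mp fstype opts rest; do
        [ -n "$mp" ] || continue
        is_removable_mountpoint "$mp" || continue
        missing=$(missing_hardening_options "$opts")
        if [ -n "$missing" ]; then
            echo "WEAK: $dev on $mp ($fstype) missing: $missing"
            rc=1
        else
            echo "OK:   $dev on $mp ($fstype)"
        fi
    done
    return $rc
}

# Run on the constructed sample, then on the live system when /proc/mounts is readable.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || echo "sample: at least one removable mount allows execution"
if [ -r /proc/mounts ]; then
    audit_mounts < /proc/mounts \
        || echo "fix with: mount -o remount,noexec,nosuid,nodev <mountpoint>"
fi
```

On the sample the USB stick passes and the external HDD is reported as missing all three options; the remount command printed at the end is the standard mount(8) invocation for tightening a mounted filesystem in place.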

On 2010-10-02 14:46, DenverD wrote:
> stakanov wrote:

>> Still it is true that I do not know of a usb-wise attacks.
>
> Attacking via removable devices is as old as the hills… back in the
> early ’90s the easiest way to get infected was to insert an infected
> floppy and bingo, your machine was infected and it would infect
> every floppy inserted (that was not write protected)…

Not exactly.

You had to reboot the computer with that floppy inside, and you had to have “boot from floppy”
active in the computer. That applies to the boot sector virus, the first one that appeared. I knew
it quite well, I wrote an antivirus for it :-)

For the other type of virus, you needed to run one of the infected programs on the floppy, something
we soon learned not to do. I cleaned one or two of those with my bare hands, I mean, with a debugger
and hex editors.

Those were simple times :-)

Then some people started making a lot of money writing antiviruses. I’ll never be a successful
business man… :-}

But the basics remain the same: connecting a floppy or a USB hard disk alone is not enough to
contaminate a computer.

> and, the latest cyber warfare virus was created to infect via USB, see:
>
> http://www.google.com/search?q=Stuxnet+USB
>
> that it targeted Windows machines is known…but, with some thinking i
> don’t see why it couldn’t be an attack vector for the unsuspecting
> Linux user…just package some evil in an RPM, give’em a USB key and
> tell’em install the new game/application/etc with YaST…bingo!

That would be a trojan, not a virus >:-)

About stuxnet:

<http://www.dw-world.de/dw/article/0,,6069500,00.html>

] The virus has so far infected computers in Indonesia, India, the United States, Australia,
Britain, Malaysia and Pakistan. The biggest target, however, has been Iran and some believe the
virus was designed to attack Iran’s nuclear facilities.
]
] The malware spreads via infected USB thumb drive memory sticks, exploiting vulnerabilities in the
Microsoft Windows operating system.

I assume windows loads it automatically and runs something on it, automatically as well. Cute.

]
] The super-virus attacks software programs that run on Supervisory Control and Data Acquisition, or
SCADA, systems, a product developed by Siemens and sold around the world, including to Iran. SCADA
is used to manage water supplies, oil rigs, power plants and other industrial facilities.

That’s targeted malware. I don’t think SCADA was designed for security. I worked for a small
business that did control things, and we did not design for security. Our gadgets were not
networked; we used isolated computers. Now everything is networked… and that’s a huge danger.

By the way, the first virus, “la pelotita”, the bouncing ball, was said to have been created as an
antitheft measure, against people who stole a certain game by copying it (pirating).


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

The number one rule for security is: don’t connect it to a network, put it in a locked room and don’t turn it on, and even then you might not be safe.

People trying to exploit Linux boxes go after rooting servers; the payoff is much higher. Most of them don’t even bother with Linux, since Microsoft is just more numerous and easier to exploit and profit from.

Are you safe running Linux on the desktop? Nothing is 100% safe, but you are certainly safer than you would be on a Windows box.