[sf-lug] followup on my "interlopers" posting

Rick Moen rick at linuxmafia.com
Thu Jul 19 00:52:52 PDT 2007


Quoting Alex Kleider (a_kleider at yahoo.com):

> I discovered that "linux" is NOT the kernel and was able to dump my
> interlopers by issuing a kill command for each instance of the linux
> program:
> # kill -9 18509
> # kill -9 9870
> I have sent a polite email to one of the entities suggesting that we
> could cooperate to prevent such a connection in the future.
> I am still completely baffled as to what those connections really
> represented and the mechanism by which they were established.
> Does anyone know what the "linux" process is? 
> Nothing came of issuing 
> # type linux
> Last time I got rid of these guys by rebooting but they started to
> reappear after a few days so I suspect they'll be back again. I can get
> rid of them as they appear now that I've learned about the ability to
> kill the linux process(es) but what I'd really like is to learn what's
> happening and how I can prevent the connection.

I'm afraid I probably did not correctly understand your original posting --
and I'm not at all sure I understand your current one.

What I _thought_ you were saying in your earlier posting was that you
were noticing incoming ssh connections, ones not from you ("others have
established connections").  You added that "the process [...]  that
seems to be making the connection (port) is called linx" (spelling was
much later connected to "linux"), but I had essentially no idea what you
meant by that, so I pretty much ignored it.

As far as I could tell, you were alarmed over someone merely attempting
ssh connections, and thus having transient sockets to your SSH ports
that last only long enough to fail login and get dropped.  It's very
common for people to get panic attacks about such things, especially if
they've just installed a log-analyser like "logcheck".  Automated
attempts to try a list of "joe accounts" on arbitrary IPs are a
many-times-daily occurrence on the Internet, and should not be worried
about.

It now seems more likely that you are talking about something radically
different.  It now seems likely that you were trying to call our
attention to your netstat output, and to local process "linux".

Anyhow, it's your machine:  You should be the top authority on what's
running on it and why.  If that's not the case, then that's your first
problem to fix.  

I note, in passing, that you seemed at the time to be using IRC on an
EasyNews.com host.  I'd make a Silly Wild-Assed Guess (SWAG) that you're 
seeing just the usual sort of return connection to IRC clients for,
e.g., doing an identd check to make sure you're not a bot.

Anyway, "lsof" and "ps" with appropriate options should help you figure
out what's really running on your system and why.  Of course, if your
system _is_ compromised, then you cannot trust those or any other
program -- a standard gotcha of computer security.  See also:
http://linuxgazette.net/issue98/moen.html
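
Added example, not part of Rick's reply or of the sf-lug archive: a small
POSIX shell script that does the "lsof and ps with appropriate options" step
for a given PID, so that a netstat line can be traced back to the program
that really owns it before anyone reaches for kill -9. It assumes a Linux
host with /proc mounted; lsof, ss and netstat are used only where present.
It also explains why "type linux" turned up nothing: type looks up commands
on the shell's PATH, not running processes, and a process name shown by ps
is whatever the program chose to call itself, so the executable behind it
has to be read from /proc/PID/exe.

```shell
#!/bin/sh
# Added example (not from the original post): find out what a PID really is
# before deciding whether to kill it. Assumes Linux with /proc; lsof/ss/netstat
# are optional and skipped if not installed.

# pid_is_running PID -> exit 0 if the process exists, 1 otherwise
pid_is_running() {
    kill -0 "$1" 2>/dev/null
}

# pid_exe PID -> print the real executable path. The name ps shows can be set
# by the program itself, so the /proc link is the trustworthy source (on a host
# that is not compromised). Prints "unknown" if /proc is unavailable.
pid_exe() {
    if [ -r "/proc/$1/exe" ]; then
        readlink "/proc/$1/exe" 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# inspect_pid PID -> summary: owner, parent, elapsed time, command line,
# executable, working directory, and any network sockets the process holds.
inspect_pid() {
    pid=$1
    if ! pid_is_running "$pid"; then
        echo "pid $pid: no such process"
        return 1
    fi
    echo "== process $pid =="
    # ps column names are the POSIX ones, so this works on procps and BSD ps
    ps -o pid=,ppid=,user=,etime=,comm=,args= -p "$pid"
    echo "exe: $(pid_exe "$pid")"
    [ -r "/proc/$pid/cwd" ] && echo "cwd: $(readlink "/proc/$pid/cwd")"
    if command -v lsof >/dev/null 2>&1; then
        echo "-- sockets (lsof) --"
        # -a ANDs the filters: this PID AND internet sockets; -nP skips name lookups
        lsof -nP -a -p "$pid" -i 2>/dev/null || echo "(none, or not permitted)"
    elif command -v ss >/dev/null 2>&1; then
        echo "-- sockets (ss) --"
        ss -tunap 2>/dev/null | grep "pid=$pid," || echo "(none, or not permitted)"
    fi
    return 0
}

# socket_owners -> every TCP/UDP socket with its owning pid/program, which is
# the view that maps each netstat line back to a process (root sees all of them)
socket_owners() {
    if command -v ss >/dev/null 2>&1; then
        ss -tunap
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tunap
    fi
}

# Stand-alone use: inspect every PID given on the command line, e.g.
#   sh inspect_pid.sh 18509 9870
if [ "$#" -gt 0 ]; then
    for p in "$@"; do inspect_pid "$p"; done
fi
```

Run socket_owners as root first to see which PID holds the unexpected
connection, then inspect_pid on that PID. Two things worth checking in the
output: the parent PID (ppid) tells you what started the process, and a
mismatch between the name ps shows and the path in exe means the program is
not what it claims to be. As Rick notes above, all of this is only as
trustworthy as the kernel and binaries answering the questions.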
