[sf-lug] Interlopers/intrusion/linux security (continuation of "interlopers"

Alex Kleider a_kleider at yahoo.com
Fri Jul 20 23:17:38 PDT 2007



> Do I correctly guess that this is a single-user box you're inquiring
> about?  (I'm not sure you said, exactly.) 
Yes indeed, mine is a single-user box
(with a few "users" for whom I've set up accounts just to expand my
familiarity with system administration, but they don't actually use the
machine and they are trusted.)

Yes, I DO KNOW that no AUTHORIZED user was using IRC.

If I had sensitive data on my computer I would shut it down as you
suggest, but unless you strongly advise to the contrary, I'm inclined to
wait and see what happens in the hope of learning more about all of
this. They still haven't come back. By the way, if you look back at the
netstat results you'll see that there were many, 6 or 7, intruders (or
perhaps more accurately stated: "intrusions.")

Again, thank you Rick for the input you've taken the time to provide.
I've been reading a lot about security and am reading about
firewalling/iptables: I plan in the not too distant future to set up my
own firewall, initially for experience on only one (this) machine and
perhaps, if it works out, to replace my Linksys router and use a
dedicated ("hardened") Linux box to protect my home network.

> A pair of classic write-ups:
> http://www.cert.org/tech_tips/root_compromise.html
> http://www.cert.org/tech_tips/intruder_detection_checklist.html

Thanks for these references: I'll check them out.

> What do you do if, after some careful study, you're pretty sure there
> has been no root compromise?  In that case, I suppose you find out which
> local user the dodgy activity is running as, track down whatever that
> user has, or is doing, that makes that possible, and deep-six whatever
> that is.

So far my only clue is the "linux" process as reported by the netstat
output, as I've mentioned, but I'm at a dead end trying to make use of
that information.


> The most common signalling channel for those computer criminals to give
> commands to the zombie hosts is... IRC.

This is worrisome because many of the interlopers have IRC as part of
their ID, so this may be a clue as to what they are doing.

> > identd seems to generate no output.

I thought that you had suggested identd as a method of getting info to
help with fact finding. I must have gotten mixed up with something
else.

> From: Asheesh Laroia <asheesh at asheesh.org>

Thanks, Asheesh, for your interest and willingness to help.

> You're probably not a real target; instead, the
> guy just wants computers for his bot network as Rick described.
> 
> Sorry you got attacked!  Let's see if we can avoid that in the future.

Thanks for this sympathetic response.

> Can you tell me the distribution and release number that you have
> installed, and what services you are running?

I'm running Debian Etch and have been doing updates regularly.
Output of the uname -a command returns
Linux belmont 2.6.18-4-686 #1 SMP ....

> If you don't know what services you run, an easy way to find out is to do
> "nmap localhost" (you may need to install the nmap package from your
> distribution).

I've installed and run nmap and it has given me some interesting
results, some surprises and some things I don't understand.
I'd like to show you the output. Do you know how I can get the output
into this email, which I am writing using Iceweasel under X Window? I can
send the output to a file but I don't know if I can attach a file to a
posting to this system.

Thanks again.


alex at kleider.net
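The step Rick describes above (finding which process and local user the dodgy activity runs as) can be done from the same netstat output Alex has already collected. The script below is an added example for this thread, not code from either poster: it reads `netstat -tunap` lines, flags ESTABLISHED connections whose remote port is in the usual IRC range (6660-6669, 7000), and reports the owning PID/program and, on a live Linux box, the user that PID runs as. The sample netstat lines and the addresses, PIDs and program names in them are constructed for the example, not taken from Alex's box; in real use you pipe `netstat -tunap` (run as root, otherwise the PID/Program column shows only "-") into the function instead of the sample.

```shell
#!/bin/sh
# Constructed sample of `netstat -tunap` output (example data, not a real
# capture). Replace with: netstat -tunap | flag_irc_conns
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.5:45678       203.0.113.9:6667        ESTABLISHED 4321/linux
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.5:53010       198.51.100.7:443        ESTABLISHED 2210/iceweasel
tcp        0      0 192.168.1.5:45679       203.0.113.10:7000       ESTABLISHED 4321/linux'

# flag_irc_conns: read netstat -tunap lines on stdin and print
# "PID/Program remote:port" for every ESTABLISHED TCP connection whose
# remote port is 6660-6669 or 7000 (the common IRC ports). The remote
# port is the text after the last ':' so IPv6 addresses also work.
flag_irc_conns() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        n = split($5, a, ":"); port = a[n] + 0
        if ((port >= 6660 && port <= 6669) || port == 7000) print $7, $5
    }'
}

# suspicious_pids: the distinct PIDs from the flagged lines, one per line.
suspicious_pids() {
    flag_irc_conns | cut -d/ -f1 | sort -u
}

# pid_owner: the user name a PID runs as, taken from ps (Linux /proc must
# exist); prints "unknown" if the process has already exited.
pid_owner() {
    pid=$1
    if [ -d "/proc/$pid" ]; then
        ps -o user= -p "$pid" 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Stand-alone run over the constructed sample: two connections from the
# "linux" process (PID 4321) are flagged; sshd and the browser are not.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_conns
for p in $(printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_pids); do
    echo "pid $p runs as $(pid_owner "$p")"
done
```

Once the PID and its owner are known, `ls -l /proc/<pid>/exe` and `ls -l /proc/<pid>/cwd` show where the binary and its working directory live, which is the "whatever that user has" Rick suggests tracking down; a process named "linux" that is not from any Debian package is exactly the kind of thing that check exposes. If the connections have already closed, as in Alex's case, the same script can be run against saved netstat output, which is a good reason to redirect such output to a file as soon as it is noticed.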





