# Is my machine pwnd?

## runningwithscissors

This morning, I saw the lights on my router blinking like crazy, so I ran a netstat and there were a few connections being established to one particular address. I immediately banned the address, and all the connections died. However, I am not sure if my Linux machine is pwnt or the older one behind the Linux machine that runs Windows.

ps ax shows this.

```
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:00 init [3]
    2 ?        S<     0:00 [kthreadd]
    3 ?        RN     0:00 [ksoftirqd/0]
    4 ?        S<     0:00 [watchdog/0]
    5 ?        S<     0:00 [events/0]
    6 ?        S<     0:00 [khelper]
   66 ?        S<     0:00 [kblockd/0]
   67 ?        S<     0:00 [kacpid]
   68 ?        S<     0:00 [kacpi_notify]
  205 ?        S<     0:00 [ata/0]
  206 ?        S<     0:00 [ata_aux]
  207 ?        S<     0:00 [ksuspend_usbd]
  210 ?        S<     0:00 [khubd]
  212 ?        S<     0:00 [kseriod]
  242 ?        S      0:00 [pdflush]
  243 ?        S      0:00 [pdflush]
  244 ?        S<     0:00 [kswapd0]
  245 ?        S<     0:00 [aio/0]
  246 ?        S<     0:00 [cifsoplockd]
  247 ?        S<     0:00 [cifsdnotifyd]
  248 ?        S<     0:00 [jfsIO]
  249 ?        S<     0:00 [jfsCommit]
  250 ?        S<     0:00 [jfsSync]
  251 ?        S<     0:00 [xfslogd/0]
  252 ?        S<     0:00 [xfsdatad/0]
  253 ?        S<     0:00 [v9fs/0]
  929 ?        S<     0:00 [scsi_eh_0]
  931 ?        S<     0:00 [scsi_eh_1]
  933 ?        S<     0:00 [scsi_eh_2]
  935 ?        S<     0:00 [scsi_eh_3]
  985 ?        S<     0:00 [kpsmoused]
  990 ?        S<     0:00 [kondemand/0]
  999 ?        S<     0:00 [kjournald]
 1090 ?        S<s    0:00 /sbin/udevd --daemon
 2489 ?        S<     0:00 [kjournald]
 2490 ?        S<     0:00 [kjournald]
 2491 ?        S<     0:00 [kjournald]
 2492 ?        S<     0:00 [kjournald]
 3317 ?        Ss     0:00 /usr/sbin/gpm -m /dev/input/mice -t imps2 -l "a-zA-Z0
 4257 ?        Ss     0:00 /usr/sbin/syslog-ng
 5910 ?        Sl     0:00 /usr/sbin/pdnsd -s -t -d -p /var/run/pdnsd.pid
 6040 ?        Ss     0:00 /usr/sbin/sshd
 6161 ?        Ss     0:00 /usr/bin/postmaster -D /var/lib/postgresql/data --sil
 6243 ?        Ss     0:00 postgres: logger process
 6245 ?        Ss     0:00 postgres: writer process
 6246 ?        Ss     0:00 postgres: stats collector process
 6315 ?        Ss     0:00 /usr/sbin/smbd -D
 6319 ?        S      0:00 /usr/sbin/smbd -D
 6325 ?        Ss     0:00 /usr/sbin/nmbd -D
 6400 tty2     Ss     0:00 /bin/login --
 6401 tty3     Ss+    0:00 /sbin/agetty 38400 tty3 linux
 6402 tty4     Ss+    0:00 /sbin/agetty 38400 tty4 linux
 6403 tty5     Ss+    0:00 /sbin/agetty 38400 tty5 linux
 6404 tty6     Ss+    0:00 /sbin/agetty 38400 tty6 linux
 6492 tty1     Ss     0:00 /bin/login --
 6499 tty1     S+     0:00 -bash
 6733 tty1     S      0:00 /bin/sh /usr/bin/startx
 6749 tty1     S      0:00 xinit /home/user/.xinitrc -- -nolisten tcp -br -auth
 6750 tty7     SLs+   0:53 X :0 -nolisten tcp -br -auth /home/xxxx/.serverauth.6
 6754 tty1     S      0:00 /bin/sh /usr/kde/3.5/bin/startkde
 6780 tty1     S      0:00 /usr/bin/dbus-launch --sh-syntax --exit-with-session
 6781 ?        Ss     0:00 /usr/bin/dbus-daemon --fork --print-pid 4 --print-add
 6800 tty1     S      0:00 start_kdeinit --new-startup +kcminit_startup
 6801 ?        Ss     0:00 kdeinit Running...
 6804 ?        S      0:00 dcopserver [kdeinit] --nosid
 6806 ?        S      0:00 klauncher [kdeinit] --new-startup
 6808 ?        S      0:01 kded [kdeinit] --new-startup
 6813 tty1     S      0:00 kwrapper ksmserver
 6815 ?        S      0:00 ksmserver [kdeinit]
 6816 ?        S      0:00 kwin [kdeinit] -session 10c9d6d8740001171188734000001
 6818 ?        S      0:00 kdesktop [kdeinit]
 6820 ?        S      0:00 kicker [kdeinit]
 6822 ?        S      0:00 kio_uiserver [kdeinit]
 6832 ?        S      0:00 kaccess [kdeinit]
 6834 ?        S      0:01 yakuake -session 10c9d6d87400011903112510000006391000
 6835 ?        S      0:03 gkrellm --sm-client-id 10c9d6d87400011896218540000007
 6842 pts/1    Ss     0:00 /bin/bash
 6847 ?        S      0:00 knotify [kdeinit]
 6926 tty2     S      0:00 -bash
 6932 tty2     S+     0:00 /bin/sh /usr/bin/startx -- :1
 6948 tty2     S+     0:00 xinit /home/tiku/.xinitrc -- :1 -auth /home/xxxx/.ser
 6949 tty8     SLs+   0:15 X :1 -auth /home/tiku/.serverauth.6932 -deferglyphs 1
 6953 tty2     S      0:00 /bin/sh /usr/kde/3.5/bin/startkde
 6979 tty2     S      0:00 /usr/bin/dbus-launch --sh-syntax --exit-with-session
 6980 ?        Ss     0:00 /usr/bin/dbus-daemon --fork --print-pid 4 --print-add
 6996 tty2     S      0:00 start_kdeinit --new-startup +kcminit_startup
 6997 ?        Ss     0:00 kdeinit Running...
 7000 ?        S      0:00 dcopserver [kdeinit] --nosid
 7002 ?        S      0:00 klauncher [kdeinit] --new-startup
 7004 ?        S      0:00 kded [kdeinit] --new-startup
 7009 tty2     S      0:00 kwrapper ksmserver
 7011 ?        S      0:00 ksmserver [kdeinit]
 7012 ?        S      0:00 kwin [kdeinit] -session 10c9d6d8740001159287680000001
 7014 ?        S      0:02 kdesktop [kdeinit]
 7016 ?        S      0:00 kicker [kdeinit]
 7018 ?        S      0:00 kio_file [kdeinit] file /tmp/ksocket-tiku/klauncherYX
 7025 ?        S      0:00 kaccess [kdeinit]
 7026 ?        S      0:00 yakuake -session 10c9d6d87400011831891970000006387001
 7027 ?        S      0:04 gkrellm2 --sm-client-id 10c9d6d8740001172644070000002
 7033 pts/3    Ss+    0:00 /bin/bash
 7038 ?        S      0:00 knotify [kdeinit]
 7363 ?        S      0:00 kio_file [kdeinit] file /tmp/ksocket-user/klauncher3L
12054 pts/5    Ss+    0:00 /bin/bash
12167 pts/1    S      0:00 /bin/sh /usr/sbin/pppoe-connect /dev/fd/63
12179 ?        Ss     0:00 /usr/sbin/pppd pty /usr/sbin/pppoe -p /var/run/-pppoe
12180 ?        S      0:00 /usr/sbin/pppoe -p /var/run/-pppoe.pid.pppoe -I eth0
12658 pts/1    S      0:00 su
12663 pts/1    S+     0:00 bash
16643 ?        Ss     0:00 sshd: xxxxx [priv]
16648 ?        S      0:00 sshd: xxxxx@pts/6
16649 pts/6    Ss     0:00 -bash
16670 pts/6    S      0:00 su
16673 pts/6    S      0:00 bash
16839 ?        S      0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
16840 ?        Ss     0:00 /usr/bin/php-cgi
16844 ?        S      0:00 /usr/bin/php-cgi
16845 ?        Ss     0:00 /usr/bin/php-cgi
16848 ?        S      0:00 /usr/bin/php-cgi
16855 ?        Ss     0:00 /usr/bin/php-cgi
16856 ?        S      0:00 /usr/bin/php-cgi
16857 ?        Ss     0:00 /usr/bin/php-cgi
16858 ?        S      0:00 /usr/bin/php-cgi
16902 pts/6    R+     0:00 ps ax
```

Can you spot anything irregular? I am not much of a sysadmin, so... I can't.

----------

## justwantstohelp

All those KDE processes look suspicious.

----------

## Pithlit

He started 2 KDE sessions; that's why there are so many of them.

Other than that there's no way of telling with this little info. Did you start 2 sessions? Did you start lighttpd? Why do you even suspect you're getting "pwned"? etc etc...

----------

## petrjanda

You should have saved a tcpdump before you cut those connections; that way we could identify what kind of traffic was being transferred, whether it was a threat or not.

----------

## bunder

Security related, moved from Off the Wall to Networking & Security.

Have you considered installing rkhunter or chkrootkit? I don't see anything out of the ordinary, but if you're paranoid, it's probably a good start along with tcpdump.

cheers

----------

## runningwithscissors

 *Pithlit wrote:*   

> He started 2 KDE sessions; that's why there are so many of them.

 Yes. But you don't need to pay attention to those.

 *Pithlit wrote:*   

> Other than that there's no way of telling with this little info.

 I understand. But,

 *runningwithscissors wrote:*   

> I am not much of a sysadmin

 A reminder.  :Smile: 

 *Pithlit wrote:*   

> Did you start 2 sessions?

 Yes, I did. Also, I don't know why an attacker would start a KDE session.

 *Pithlit wrote:*   

> Did you start lighttpd?

 Yes. But those weren't connections to the webserver. Also, postgres was started by me and it's not available outside my local network. Only ssh, http and https are, but none of the connections were on ports 22, 80 or 443. Which makes me suspicious that one of my two machines may have been taken over.

I suppose it would be wise for me to invest some time in reading up about iptables' connection tracking.

 *Pithlit wrote:*   

> Why do you even suspect you're getting "pwned"? etc etc...

 Bunch of connections to a foreign address on non-standard ports.

 *petrjanda wrote:*   

> You should have saved a tcpdump before you cut those connections; that way we could identify what kind of traffic was being transferred, whether it was a threat or not.

 Thanks. That's something that didn't occur to me at all. Like I said, not much of a sysadmin.

I'll just try and be more careful in the future.

 *bunder wrote:*   

> Have you considered installing rkhunter or chkrootkit? I don't see anything out of the ordinary, but if you're paranoid, it's probably a good start along with tcpdump.

 Have both installed. rkhunter says everything is okay. Except for eth1 being in promiscuous mode, but that is part of a local bridge. And it didn't occur to me to use tcpdump. I use it regularly while setting up other services on my machine.

EDIT: I realise that the information provided is too little to conclude anything. Thanks for all your help.

----------

## cokey

Well, you have 2 X sessions, which are probably the 2 KDE sessions, and JFS being loaded up by the kernel, so I hope that is your fs.

There is one thing that stands out to me, and that is the two ssh sessions. Either you have started both, or that is someone else starting one and allowing another to be brought in by way of a rootkit and discovering/changing passwords, but without a packet dump you won't know what is being sent.

Be safe and run a packet sniffer for the next couple of days, and if you see anything strange, log the times and post it.

----------

## Hu

If you remember the foreign address or the ports involved, please post those. Also, please show us your iptables rules. You can print them all by running `iptables-save -c`. Consider modifying the rules which banned the suspicious hosts so that you get log records for any future contact. Use `-d suspicious-foreign-host -m limit --limit 5/min -j LOG --log-prefix "FW-LOG-suspicious " --log-ip-options --log-tcp-options` in the chains where you have a DROP rule. Then watch your firewall logs for anything with that prefix.

You might also find net-analyzer/iptstate useful.  It shows both connections originating from the box (like netstat) and connections forwarded through the box.

----------

## runningwithscissors

 *Hu wrote:*   

> If you remember the foreign address or the ports involved, please post those.


The foreign address was: 116.90.184.41

I didn't make a note of the ports involved, sadly. However, they weren't the ports that I've left open to the internet (22, 80 and 443).

 *Hu wrote:*   

> Also, please show us your iptables rules. You can print them all by running `iptables-save -c`.

```
# Generated by iptables-save v1.3.8 on Mon Oct 22 01:32:59 2007
*raw
:PREROUTING ACCEPT [48196461:41061699019]
:OUTPUT ACCEPT [48261228:32541021623]
COMMIT
# Completed on Mon Oct 22 01:32:59 2007
# Generated by iptables-save v1.3.8 on Mon Oct 22 01:32:59 2007
*nat
:PREROUTING ACCEPT [34:6342]
:POSTROUTING ACCEPT [23:4012]
:OUTPUT ACCEPT [75:7195]
[0:0] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 22 01:32:59 2007
# Generated by iptables-save v1.3.8 on Mon Oct 22 01:32:59 2007
*mangle
:PREROUTING ACCEPT [804:580326]
:INPUT ACCEPT [803:580283]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [818:140941]
:POSTROUTING ACCEPT [868:147615]
COMMIT
# Completed on Mon Oct 22 01:32:59 2007
# Generated by iptables-save v1.3.8 on Mon Oct 22 01:32:59 2007
*filter
:INPUT ACCEPT [6:774]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:324]
[0:0] -A INPUT -i eth1 -j ACCEPT
[0:0] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 116.90.184.41 -j DROP
[0:0] -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A FORWARD -d xxx.xxx.xxx.xxx -i br0 -j DROP
[0:0] -A FORWARD -s xxx.xxx.xxx.xxx -i br0 -j ACCEPT
[0:0] -A FORWARD -d xxx.xxx.xxx.xxx -i ppp0 -j ACCEPT
[0:0] -A OUTPUT -d 116.90.184.41 -j DROP
COMMIT
# Completed on Mon Oct 22 01:32:59 2007
```

ppp0 is the internet interface. eth1 is the LAN and br0 is a bridge I've created for any VMs I run to be available through the LAN.

I know that isn't the tightest set of rules you can come up with. For starters, they don't pay much attention to non-TCP traffic. I'll fix them soon.

 *Hu wrote:*   

> Consider modifying the rules which banned the suspicious hosts so that you get log records for any future contact. Use `-d suspicious-foreign-host -m limit --limit 5/min -j LOG --log-prefix "FW-LOG-suspicious " --log-ip-options --log-tcp-options` in the chains where you have a DROP rule. Then watch your firewall logs for anything with that prefix.

 Thanks for the tip. I'll do that.

 *Hu wrote:*   

> You might also find net-analyzer/iptstate useful.  It shows both connections originating from the box (like netstat) and connections forwarded through the box.

 Thanks. I'll give that program a go.
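The two firewall points raised in this thread, Hu's suggestion to put a rate-limited LOG rule in front of each host-specific DROP, and the poster's own remark that the rule set ignores non-TCP traffic, can both be checked mechanically against `iptables-save` output. The script below is an added example written for this page, not code from any of the thread's participants. It parses a constructed filter-table dump modelled on the one posted above (the masked FORWARD rules are left out), reports DROP rules that have no preceding LOG rule for the same host in the same chain, reports chains whose default policy is ACCEPT while their only catch-all DROP rules are restricted to `-p tcp`, and emits a patched rule set with Hu's LOG rule inserted before each unlogged DROP. The prefix string and `5/min` limit are taken from Hu's post; everything else is an assumption of this example.

```python
import re
import shlex

# Constructed sample in iptables-save format, modelled on the filter table posted
# in the thread (FORWARD rules with masked addresses omitted). Not the poster's file.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [6:774]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:324]
[0:0] -A INPUT -i eth1 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 116.90.184.41 -j DROP
[0:0] -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A OUTPUT -d 116.90.184.41 -j DROP
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s")
RULE_RE = re.compile(r"^(?:\[\d+:\d+\]\s+)?-A\s+(\S+)\s+(.*)$")


def parse_rules(text):
    """Return ({chain: policy}, [rule dicts]) for one iptables-save table dump."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # table header, COMMIT, comment lines
        chain, rest = m.groups()
        rule = {"chain": chain, "raw": line, "target": None,
                "proto": None, "src": None, "dst": None}
        toks = shlex.split(rest)  # keeps the quoted --log-prefix value as one token
        flags = {"-j": "target", "-p": "proto", "-s": "src", "-d": "dst"}
        for i, tok in enumerate(toks[:-1]):
            if tok in flags:
                rule[flags[tok]] = toks[i + 1]
        rules.append(rule)
    return policies, rules


def host_key(rule):
    """The (flag, address) a rule singles out, or None for a catch-all rule."""
    if rule["src"]:
        return ("-s", rule["src"])
    if rule["dst"]:
        return ("-d", rule["dst"])
    return None


def drops_without_log(rules):
    """Host-specific DROP rules with no earlier LOG rule for the same host in the same chain."""
    missing, logged = [], set()
    for r in rules:
        key = host_key(r)
        if key is None:
            continue
        if r["target"] == "LOG":
            logged.add((r["chain"], key))
        elif r["target"] == "DROP" and (r["chain"], key) not in logged:
            missing.append(r)
    return missing


def accept_policy_gaps(policies, rules):
    """Chains whose policy is ACCEPT and whose catch-all DROPs only match tcp,
    so udp/icmp packets that no rule matches fall through to ACCEPT."""
    gaps = []
    for chain, policy in policies.items():
        if policy != "ACCEPT":
            continue
        drops = [r for r in rules
                 if r["chain"] == chain and r["target"] == "DROP" and host_key(r) is None]
        if not drops or {r["proto"] for r in drops} <= {"tcp"}:
            gaps.append(chain)
    return gaps


def log_rule_for(rule, prefix="FW-LOG-suspicious "):
    """Hu's rate-limited LOG rule, in the same direction (-s or -d) as the DROP it precedes."""
    flag, host = host_key(rule)
    return (f"-A {rule['chain']} {flag} {host} -m limit --limit 5/min -j LOG "
            f'--log-prefix "{prefix}" --log-ip-options --log-tcp-options')


def insert_log_rules(text):
    """Return the dump with a LOG rule placed directly before each unlogged host DROP."""
    _, rules = parse_rules(text)
    need = {r["raw"]: r for r in drops_without_log(rules)}
    out = []
    for line in text.splitlines():
        s = line.strip()
        if s in need:
            counters = "[0:0] " if s.startswith("[") else ""  # keep iptables-save -c layout
            out.append(counters + log_rule_for(need[s]))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    policies, rules = parse_rules(SAMPLE_RULES)
    for r in drops_without_log(rules):
        print("DROP without LOG:", r["raw"])
    for chain in accept_policy_gaps(policies, rules):
        print(f"{chain}: policy ACCEPT and no protocol-independent DROP")
    print(insert_log_rules(SAMPLE_RULES))
```

Run it on a real dump with `iptables-save -c > rules.txt` and feed the file contents to `parse_rules`; the patched text from `insert_log_rules` is in `iptables-restore` format, so it can be reviewed and loaded the same way the original was saved. The ACCEPT-policy check only reports the gap the poster already named; choosing a DROP policy with explicit ACCEPT rules is the fix, and that is a design decision for the rule author, not something the script makes.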

----------

## Hu

 *runningwithscissors wrote:*   

> I know that isn't the tightest set of rules you can come up with. For starters, they don't pay much attention to non-TCP traffic. I'll fix them soon.


If you want assistance tightening the rules, or if you want a critique after you make your planned changes, feel free to ask.

----------

