On Wed, Apr 23, 2014 at 06:29:53PM -0700, dean germeten wrote:

> Hi Lesley:
>
> Thanks for your reply. Apart from the issues mentioned I'm hobbled by my own
> ignorance about Linux terminal commands or even methodologies. I'm not a
> programmer or even an aspirant, but Linux does demand some technical
> proficiency of the user to make it go.
>
> Well, your point about port scanners is well-taken. RKHunter gave me
> three warnings about an app "PortSentry" that is "using" 3 ports and
> listed them as possible intrusions. PortSentry isn't listed among the
> currently installed or even available apps; it took me a while to find
> it. It is an older program from 2002. I don't have permissions and it
> doesn't want to run from the terminal, telling me to "read the documentation"
> first, not where to find them, and no further instructions. I think I could
> probably just delete the app (if it lets me). The program seems not to be
> installed or detectable by search, and yet it's running, or doing something,
> according to RKHunter.

Hi Dean

Please reply to the list in future, thanks.

Port scanning is not the same as watching traffic cross an interface. Two
different activities. Fortunately Linux machines can be scanned from
themselves to detect what ports are open, and you could use nmap for that.

    apt-cache show nmap

will show you information about the nmap package.

    sudo apt-get install nmap

will install it for you. The 'man' command, short for manual, is useful. Once
you have installed nmap you'll be able to read the manual by typing

    man nmap

at the command line.

PortSentry is a viable package in Ubuntu and is a portscan detector, so it
should detect a portscan and raise an alarm. Try

    sudo apt-cache show portsentry

to see information about the portsentry package. You may have installed
portsentry as a dependency of another package. The command

    aptitude why portsentry

will tell you what depends on portsentry.

> My local internet provider said there are logs of spam coming from
> my IP but I have no such software installed and I don't do email
> campaigns, beyond forwarding a message to a friend now & then.
> Unsure if the above could be related to that or not.

Your ISP says there is spam coming from your machine. I interpret that as
saying there is junk mail being generated from your machine. Given you have
(a) left root login open under sshd and (b) probably not used a secure
password for root or any other user on your system, I would suggest you may
well have a root compromise on your system, which means that a script kiddie
has broached your machine and has put software in place to perform this
unwanted activity.

A recent assessment of a root compromise on someone else's server showed,
amongst other compromises, things like:

  i.   The shell /bin/bash had been overwritten with the hacker's own shell.
  ii.  The sshd binary had been overwritten with the hacker's own version.
  iii. A whole directory of code had been installed in /var/html and was being
       used to do god knows what, but it involved throwing a lot of stuff out
       over the http port, which is virtually impossible to shut down on a
       server.
  iv.  The hacker had set the immutable attribute on key software and changed
       chattr so that it couldn't be altered.

Effectively, the hacker had complete control of the machine and was merely
permitting the people responsible for that machine to continue their business
on it so that he/she could continue to do their work on it.

Your safest bet is still to wipe your machine clean and re-install. There is no
magic bullet to clear this up.

Here are some links on secure passwords:

http://xkcd.com/936/
http://strongpasswordgenerator.com/
https://howsecureismypassword.net/

The sshd config file at /etc/ssh/sshd_config allows root to login because
sometimes that may be required during installation. The proper thing to do is
to set

    PermitRootLogin no

in /etc/ssh/sshd_config immediately after installation.

Best of luck
Lesley

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
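The PermitRootLogin advice at the end of Lesley's reply has one trap worth checking for: sshd uses the first value it finds for a keyword, so appending "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing. The following shell script is an added example, not code from the thread or from the rkhunter project; it reads an sshd_config-style file, reports the effective global PermitRootLogin value, and runs against three constructed sample configs (the file names and contents are made up for the demonstration).

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): report the effective
# global PermitRootLogin setting of an sshd_config file.
#
# sshd takes the FIRST value seen for a keyword, so a "PermitRootLogin no"
# appended at the bottom is ignored if an earlier line already says "yes".
# Directives inside a "Match" block apply only to matching connections, so the
# global scan stops at the first Match line.
#
# Usage: effective_permit_root_login /etc/ssh/sshd_config
# Prints the effective value. With no directive at all it prints "yes", the
# OpenSSH default when this thread was written (newer releases default to
# prohibit-password, so treat the fallback as an assumption for your version).
effective_permit_root_login() {
    file="$1"
    value=$(awk '
        /^[ \t]*#/ { next }                              # skip comment lines
        tolower($1) == "match" { exit }                  # stop at first Match block
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$file")
    if [ -z "$value" ]; then
        echo "yes"
    else
        echo "$value"
    fi
}

# Succeeds (exit 0) only when the effective global setting is "no";
# any other value, including the implicit default, fails (exit 1).
root_login_blocked() {
    case "$(effective_permit_root_login "$1")" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Writes three constructed sample configs into a temp directory and prints
# its path. These are made-up inputs for the demonstration, not real files.
make_samples() {
    dir=$(mktemp -d)
    # Common mistake: "no" appended after an earlier "yes"; the "yes" wins.
    printf 'Port 22\nPermitRootLogin yes\n# PermitRootLogin no\nPermitRootLogin no\n' \
        > "$dir/bad_config"
    # Correct: the first directive says no; the Match block does not change
    # the global answer.
    printf 'Port 22\nPermitRootLogin no\nMatch User backup\n    PermitRootLogin yes\n' \
        > "$dir/good_config"
    # Nothing set at all: falls back to the default.
    printf 'Port 22\n' > "$dir/default_config"
    echo "$dir"
}

# Run as: sh check_root_login.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    for f in bad_config good_config default_config; do
        printf '%s: PermitRootLogin=%s\n' "$f" "$(effective_permit_root_login "$d/$f")"
    done
    rm -rf "$d"
fi
```

On a live host the authoritative check is `sshd -T`, which prints the configuration sshd actually applies after parsing every file and Match block; the script above is useful for auditing a config file before it is deployed, or for spotting the "no after yes" mistake at a glance. For the open-port question earlier in the thread, `nmap localhost` as Lesley suggests, or `ss -tlnp` run as root, lists what is listening and which process owns each socket.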