riseringseeker Posted November 6, 2006 (edited)

I recently have set up an ssh server that I will/am/should be able to access from anywhere in the world (I travel a lot!). I also got a domain name from https://www.dyndns.com/ to be able to follow my dynamic IP. Since I have done so I have seen quite a few attempts to log in from various parts of the world: Pakistan, India, China, Korea. Until yesterday I believed the attempts to be unsuccessful. Looking at the logs yesterday and today though makes me wonder if I need to do something else to keep hackers off my computer. Today's logs are much like yesterday's, with the exception noted at the bottom of the list. Another concern is that this is as far back as I can view - logs prior to 11/05 are not there at all! I don't know if that is because the files were dropped normally as part of keeping them a reasonable size, or if it's something more nefarious.

Clipped from today's logs (I was not on the system at all during this period of time):

Nov 6 04:13:20 localhost logger: Security Warning: There are modifications for port listening on your machine :
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.org:2208 *:* LISTEN 2031/hpiod
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:swat *:* LISTEN 3365/xinetd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:nut *:* LISTEN 2941/upsd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:48071 *:* LISTEN -
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.or:10026 *:* LISTEN 4120/master
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:netbios-ssn *:* LISTEN 3652/smbd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:34444 *:* LISTEN 3481/rpc.statd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:sunrpc *:* LISTEN 3198/portmap
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:x11 *:* LISTEN 3759/X
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:849 *:* LISTEN 3641/rpc.mountd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 192.168.2.2:ssh *:* LISTEN 3530/sshd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:ipp *:* LISTEN 2514/cupsd
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.org:smtp *:* LISTEN 4120/master
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 localhost.homelinux.or:52378 *:* LISTEN 2454/python
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:7741 *:* LISTEN 5559/lisa
Nov 6 04:13:20 localhost logger: - Opened ports : tcp 0 0 *:microsoft-ds *:* LISTEN 3652/smbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:32769 *:* 3401/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:32772 *:* 3481/rpc.statd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 192.168.2.2:netbios-ns *:* 3716/nmbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:netbios-ns *:* 3716/nmbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 192.168.2.2:netbios-dgm *:* 3716/nmbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:netbios-dgm *:* 3716/nmbd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:689 *:* 3481/rpc.statd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:7741 *:* 5559/lisa
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:846 *:* 3641/rpc.mountd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:5353 *:* 3401/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:sunrpc *:* 3198/portmap
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:ipp *:* 2514/cupsd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 192.168.2.2:ntp *:* 3775/ntpd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 localhost.homelinux.org:ntp *:* 3775/ntpd
Nov 6 04:13:20 localhost logger: - Opened ports : udp 0 0 *:ntp *:* 3775/ntpd
Nov 6 04:13:20 localhost logger: - Opened ports : raw 0 0 *:icmp *:* 7 5559/lisa
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.org:2208 *:* LISTEN 2046/hpiod
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:swat *:* LISTEN 3441/xinetd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:nut *:* LISTEN 2981/upsd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:58089 *:* LISTEN 3542/rpc.statd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.or:10026 *:* LISTEN 4099/master
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:33386 *:* LISTEN -
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:netbios-ssn *:* LISTEN 3689/smbd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.or:43918 *:* LISTEN 2490/python
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:sunrpc *:* LISTEN 3268/portmap
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:x11 *:* LISTEN 3743/X
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 192.168.2.2:ssh *:* LISTEN 3605/sshd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:ipp *:* LISTEN 2570/cupsd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 localhost.homelinux.org:smtp *:* LISTEN 4099/master
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:954 *:* LISTEN 3756/rpc.mountd
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:7741 *:* LISTEN 5580/lisa
Nov 6 04:13:20 localhost logger: - Closed ports : tcp 0 0 *:microsoft-ds *:* LISTEN 3689/smbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:32768 *:* 3528/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:32770 *:* 3542/rpc.statd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 192.168.2.2:netbios-ns *:* 3841/nmbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:netbios-ns *:* 3841/nmbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 192.168.2.2:netbios-dgm *:* 3841/nmbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:netbios-dgm *:* 3841/nmbd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:951 *:* 3756/rpc.mountd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:7741 *:* 5580/lisa
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:5353 *:* 3528/avahi-daemon:
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:kerberos-iv *:* 3542/rpc.statd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:sunrpc *:* 3268/portmap
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:ipp *:* 2570/cupsd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 192.168.2.2:ntp *:* 3779/ntpd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 localhost.homelinux.org:ntp *:* 3779/ntpd
Nov 6 04:13:20 localhost logger: - Closed ports : udp 0 0 *:ntp *:* 3779/ntpd
Nov 6 04:13:20 localhost logger: - Closed ports : raw 0 0 *:icmp *:* 7 5580/lisa
Nov 6 04:13:24 localhost logger: Security Warning: World Writable files found :
Nov 6 04:13:24 localhost logger: - /home/karl/Funnies/Greatest_Movie_Line_Ever.wmv
Nov 6 04:13:24 localhost logger: - /home/karl/Funnies/Kosovo music video.wmv
Nov 6 04:13:24 localhost logger: - /tmp/.ICE-unix
Nov 6 04:13:24 localhost logger: - /tmp/.X11-unix
Nov 6 04:13:24 localhost logger: - /tmp/.X11-unix/X0
Nov 6 04:13:24 localhost logger: - /tmp/.font-unix
Nov 6 04:13:24 localhost logger: - /tmp/.font-unix/fs-1
Nov 6 04:13:24 localhost logger: - /var/lib/clamav/clamd.socket
Nov 6 04:13:24 localhost logger: - /var/lib/lock/sane
Nov 6 04:13:24 localhost logger: - /var/lib/texmf
Nov 6 04:13:24 localhost logger: - /var/lib/texmf/ls-R
Nov 6 04:13:24 localhost logger: - /var/run/acpid.socket
Nov 6 04:13:24 localhost logger: - /var/run/avahi-daemon/socket
Nov 6 04:13:24 localhost logger: - /var/run/dbus/system_dbus_socket
Nov 6 04:13:24 localhost logger: - /var/run/xdmctl/dmctl-:0/socket
Nov 6 04:13:24 localhost logger: - /var/run/xdmctl/dmctl/socket
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/dev/log
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/anvil
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/bounce
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus-chroot
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus-deliver
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/cyrus-inet
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/defer
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/discard
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/error
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/lmtp
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/lmtp-filter
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/local
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/maildrop
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/proxymap
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/relay
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/rewrite
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/scache
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/smtp
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/smtp-filter
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/tlsmgr
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/trace
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/uucp
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/verify
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/private/virtual
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/cleanup
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/flush
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/pickup
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/qmgr
Nov 6 04:13:24 localhost logger: - /var/spool/postfix/public/showq
Nov 6 04:13:24 localhost logger: - /var/spool/samba
Nov 6 04:13:24 localhost logger: Security Warning: /etc/shadow check :
Nov 6 04:13:24 localhost logger: - /etc/shadow:30: User "guest" has no password !
Nov 6 04:13:24 localhost logger: Security Warning: These files belonging to packages are modified on the system :
Nov 6 04:13:24 localhost logger: - /boot/message-graphic
Nov 6 04:13:24 localhost logger: - /usr/lib/gconv/gconv-modules.cache
Nov 6 04:13:24 localhost logger: - /usr/lib/nvu-1.0/chrome/overlayinfo/editor/content/overlays.rdf
Nov 6 04:13:24 localhost logger: - /usr/share/X11/icewm/menu
Nov 6 04:13:24 localhost logger: - /usr/share/a2ps/afm/fonts.map
Nov 6 04:13:24 localhost logger: - /usr/share/applications/defaults.list
Nov 6 04:13:24 localhost logger: - /usr/share/applications/gaim.desktop
Nov 6 04:13:24 localhost logger: - /usr/share/doc/HTML/index.html
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/100dpi/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/100dpi/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/75dpi/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/75dpi/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/OTF/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/OTF/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Speedo/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Speedo/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/TTF/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/TTF/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Type1/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/Type1/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/cyrillic/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/cyrillic/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/misc/fonts.dir
Nov 6 04:13:24 localhost logger: - /usr/share/fonts/misc/fonts.scale
Nov 6 04:13:24 localhost logger: - /usr/share/texmf/ls-R
Nov 6 04:13:24 localhost logger: - /var/lib/mandriva/kde-profiles/common/share/config/kdesktoprc
Nov 6 04:13:24 localhost logger: - /var/lib/mandriva/kde-profiles/common/share/config/konquerorrc
Nov 6 04:13:24 localhost logger: Security Warning: These config files belonging to packages are modified on the system :
Nov 6 04:13:24 localhost logger: - /etc/X11/fs/config
Nov 6 04:13:24 localhost logger: - /etc/X11/imwheel/startup.conf
Nov 6 04:13:24 localhost logger: - /etc/cups/cupsd.conf
Nov 6 04:13:24 localhost logger: - /etc/exports
Nov 6 04:13:24 localhost logger: - /etc/firefox.cfg
Nov 6 04:13:24 localhost logger: - /etc/host.conf
Nov 6 04:13:24 localhost logger: - /etc/info-dir
Nov 6 04:13:24 localhost logger: - /etc/inittab
Nov 6 04:13:24 localhost logger: - /etc/kde/kdm/kdmrc
Nov 6 04:13:24 localhost logger: - /etc/kderc
Nov 6 04:13:24 localhost logger: - /etc/login.defs
Nov 6 04:13:24 localhost logger: - /etc/modprobe.conf
Nov 6 04:13:24 localhost logger: - /etc/modprobe.preload
Nov 6 04:13:24 localhost logger: - /etc/mozpluggerrc
Nov 6 04:13:24 localhost logger: - /etc/mtools.conf
Nov 6 04:13:24 localhost logger: - /etc/ntp.conf
Nov 6 04:13:24 localhost logger: - /etc/pam.d/system-auth
Nov 6 04:13:24 localhost logger: - /etc/printcap
Nov 6 04:13:24 localhost logger: - /etc/qtrc
Nov 6 04:13:24 localhost logger: - /etc/rpm/macros
Nov 6 04:13:24 localhost logger: - /etc/samba/smb.conf
Nov 6 04:13:24 localhost logger: - /etc/sane.d/dll.conf
Nov 6 04:13:24 localhost logger: - /etc/shells
Nov 6 04:13:24 localhost logger: - /etc/shorewall/interfaces
Nov 6 04:13:24 localhost logger: - /etc/shorewall/policy
Nov 6 04:13:24 localhost logger: - /etc/shorewall/rules
Nov 6 04:13:24 localhost logger: - /etc/shorewall/start
Nov 6 04:13:24 localhost logger: - /etc/shorewall/stop
Nov 6 04:13:24 localhost logger: - /etc/shorewall/zones
Nov 6 04:13:24 localhost logger: - /etc/ssh/ssh_config
Nov 6 04:13:24 localhost logger: - /etc/ssh/sshd_config
Nov 6 04:13:24 localhost logger: - /etc/sudoers
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/bootsplash
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/firstboot
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/harddrake2/kernel
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/harddrake2/previous_hw
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/msec
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/syslog
Nov 6 04:13:24 localhost logger: - /etc/sysconfig/usb
Nov 6 04:13:24 localhost logger: - /etc/sysctl.conf
Nov 6 04:13:24 localhost logger: - /etc/syslog.conf
Nov 6 04:13:24 localhost logger: - /etc/ups/ups.conf
Nov 6 04:13:24 localhost logger: - /etc/xinetd.d/saned
Nov 6 04:13:24 localhost logger: - /etc/xinetd.d/swat
Nov 6 04:13:24 localhost logger: - /etc/xml/catalog
Nov 6 04:13:24 localhost logger: - /usr/share/sgml/docbook/xmlcatalog
Nov 6 04:13:24 localhost logger: - /var/lib/clamav/daily.cvd
Nov 6 04:13:24 localhost logger: - /var/lib/clamav/main.cvd
Nov 6 04:13:24 localhost logger: Chkrootkit report:
Nov 6 04:13:24 localhost logger: ROOTDIR is `/'
Nov 6 04:13:24 localhost logger: Checking `amd'... not found
Nov 6 04:13:24 localhost logger: Checking `basename'... not infected
Nov 6 04:13:24 localhost logger: Checking `biff'... not found
Nov 6 04:13:24 localhost logger: Checking `chfn'... not infected
Nov 6 04:13:24 localhost logger: Checking `chsh'... not infected
Nov 6 04:13:24 localhost logger: Checking `cron'... not infected
Nov 6 04:13:24 localhost logger: Checking `date'... not infected
Nov 6 04:13:24 localhost logger: Checking `du'... not infected
Nov 6 04:13:24 localhost logger: Checking `dirname'... not infected
Nov 6 04:13:24 localhost logger: Checking `echo'... not infected
Nov 6 04:13:24 localhost logger: Checking `egrep'... not infected
Nov 6 04:13:24 localhost logger: Checking `env'... not infected
Nov 6 04:13:24 localhost logger: Checking `find'... not infected
Nov 6 04:13:24 localhost logger: Checking `fingerd'... not found
Nov 6 04:13:24 localhost logger: Checking `gpm'... not found
Nov 6 04:13:24 localhost logger: Checking `grep'... not infected
Nov 6 04:13:24 localhost logger: Checking `hdparm'... not infected
Nov 6 04:13:24 localhost logger: Checking `su'... not infected
Nov 6 04:13:24 localhost logger: Checking `ifconfig'... not infected
Nov 6 04:13:24 localhost logger: Checking `inetd'... not tested
Nov 6 04:13:24 localhost logger: Checking `inetdconf'... not found
Nov 6 04:13:24 localhost logger: Checking `identd'... not found
Nov 6 04:13:24 localhost logger: Checking `init'... not infected
Nov 6 04:13:24 localhost logger: Checking `killall'... not infected
Nov 6 04:13:24 localhost logger: Checking `ldsopreload'... not infected
Nov 6 04:13:24 localhost logger: Checking `login'... not infected
Nov 6 04:13:24 localhost logger: Checking `ls'... not infected
Nov 6 04:13:24 localhost logger: Checking `lsof'... not infected
Nov 6 04:13:24 localhost logger: Checking `mail'... not infected
Nov 6 04:13:24 localhost logger: Checking `mingetty'... not infected
Nov 6 04:13:24 localhost logger: Checking `netstat'... not infected
Nov 6 04:13:24 localhost logger: Checking `named'... not found
Nov 6 04:13:24 localhost logger: Checking `passwd'... not infected
Nov 6 04:13:24 localhost logger: Checking `pidof'... not infected
Nov 6 04:13:24 localhost logger: Checking `pop2'... not found
Nov 6 04:13:24 localhost logger: Checking `pop3'... not found
Nov 6 04:13:24 localhost logger: Checking `ps'... not infected
Nov 6 04:13:24 localhost logger: Checking `pstree'... not infected
Nov 6 04:13:24 localhost logger: Checking `rpcinfo'... not infected
Nov 6 04:13:24 localhost logger: Checking `rlogind'... not found
Nov 6 04:13:24 localhost logger: Checking `rshd'... not found
Nov 6 04:13:24 localhost logger: Checking `slogin'... not infected
Nov 6 04:13:24 localhost logger: Checking `sendmail'... not infected
Nov 6 04:13:24 localhost logger: Checking `sshd'... not infected
Nov 6 04:13:24 localhost logger: Checking `syslogd'... not infected
Nov 6 04:13:24 localhost logger: Checking `tar'... not infected
Nov 6 04:13:24 localhost logger: Checking `tcpd'... not infected
Nov 6 04:13:24 localhost logger: Checking `tcpdump'... not infected
Nov 6 04:13:24 localhost logger: Checking `top'... not infected
Nov 6 04:13:24 localhost logger: Checking `telnetd'... not found
Nov 6 04:13:24 localhost logger: Checking `timed'... not found
Nov 6 04:13:24 localhost logger: Checking `traceroute'... not infected
Nov 6 04:13:24 localhost logger: Checking `vdir'... not infected
Nov 6 04:13:24 localhost logger: Checking `w'... not infected
Nov 6 04:13:24 localhost logger: Checking `write'... not infected
Nov 6 04:13:24 localhost logger: Checking `aliens'... no suspect files
Nov 6 04:13:24 localhost logger: Searching for sniffer's logs, it may take a while... nothing found
Nov 6 04:13:24 localhost logger: Searching for HiDrootkit's default dir... nothing found
Nov 6 04:13:24 localhost logger: Searching for t0rn's default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for t0rn's v8 defaults... nothing found
Nov 6 04:13:24 localhost logger: Searching for Lion Worm default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for RSHA's default files and dir... nothing found
Nov 6 04:13:24 localhost logger: Searching for RH-Sharpe's default files... nothing found
Nov 6 04:13:24 localhost logger: Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for suspicious files and dirs, it may take a while...
Nov 6 04:13:24 localhost logger: /usr/lib/ooo-2.0/program/.testtoolrc
Nov 6 04:13:24 localhost logger: Searching for LPD Worm files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Ramen Worm files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Maniac files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for RK17 files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Ducoci rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Adore Worm... nothing found
Nov 6 04:13:24 localhost logger: Searching for ShitC Worm... nothing found
Nov 6 04:13:24 localhost logger: Searching for Omega Worm... nothing found
Nov 6 04:13:24 localhost logger: Searching for Sadmind/IIS Worm... nothing found
Nov 6 04:13:24 localhost logger: Searching for MonKit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Showtee... nothing found
Nov 6 04:13:24 localhost logger: Searching for OpticKit... nothing found
Nov 6 04:13:24 localhost logger: Searching for T.R.K... nothing found
Nov 6 04:13:24 localhost logger: Searching for Mithra... nothing found
Nov 6 04:13:24 localhost logger: Searching for OBSD rk v1... nothing found
Nov 6 04:13:24 localhost logger: Searching for LOC rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Romanian rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for HKRK rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Suckit rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Volc rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for Gold2 rootkit... nothing found
Nov 6 04:13:24 localhost logger: Searching for TC2 Worm default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Anonoying rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for ZK rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for ShKit rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for AjaKit rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for zaRwT rootkit default files and dirs... nothing found
Nov 6 04:13:24 localhost logger: Searching for Madalin rootkit default files... nothing found
Nov 6 04:13:24 localhost logger: Searching for Fu rootkit default files... nothing found
Nov 6 04:13:24 localhost logger: Searching for ESRK rootkit default files... nothing found
Nov 6 04:13:24 localhost logger: Searching for rootedoor... nothing found
Nov 6 04:13:24 localhost logger: Searching for anomalies in shell history files... nothing found
Nov 6 04:13:24 localhost logger: Checking `asp'... not infected
Nov 6 04:13:24 localhost logger: Checking `bindshell'... not infected
Nov 6 04:13:24 localhost logger: Checking `lkm'... Checking `rexedcs'... not found
Nov 6 04:13:24 localhost logger: Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Nov 6 04:13:24 localhost logger: Checking `w55808'... not infected
Nov 6 04:13:24 localhost logger: Checking `wted'... chkwtmp: nothing deleted
Nov 6 04:13:24 localhost logger: Checking `scalper'... not infected
Nov 6 04:13:24 localhost logger: Checking `slapper'... not infected
Nov 6 04:13:24 localhost logger: Checking `z2'... chklastlog: nothing deleted
Nov 6 04:13:24 localhost logger: Checking `chkutmp'... The tty of the following user process(es) were not found
Nov 6 04:13:24 localhost logger: in /var/run/utmp !
Nov 6 04:13:24 localhost logger: ! RUID PID TTY CMD
Nov 6 04:13:24 localhost logger: ! root 3759 tty7 /etc/X11/X -br -deferglyphs 16 :0 vt7 -auth /var/run/xauth/A:0-ZgK1i3
Nov 6 04:13:24 localhost logger: chkutmp: nothing deleted

The odd thing about yesterday's logs was numerous entries like this:

Nov 5 04:14:16 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
Nov 5 04:14:19 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
Nov 5 04:14:46 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)
Nov 5 04:14:49 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)
Nov 5 04:15:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.114]: Connection timed out (port 25)
Nov 5 04:15:19 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.114]: Connection timed out (port 25)
Nov 5 04:15:46 localhost postfix/smtp[17094]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)
Nov 5 04:15:49 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)
Nov 5 04:16:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.27]: Connection timed out (port 25)
Nov 5 04:16:16 localhost postfix/smtp[17094]: 213B969C95: to=<riseringseeker@gmail.com>, relay=none, delay=150,

Any ideas anyone?

Edited November 7, 2006 by riseringseeker
ianw1974 Posted November 6, 2006

Your logs should be rotated by a job in /etc/cron.daily called logrotate. This is maybe why you cannot see prior to a certain date. However, you should see examples of the same logfile with .1, .2, .3 at the end and so on. These are normally archives of tar.gz or something.

Those last entries seem to be postfix - your smtp server trying to send emails to your gmail account but failing to connect.

As for sshd, see if it's running with:

netstat -tan

and look for port 22.
riseringseeker (Author) Posted November 6, 2006

> Your logs should be rotated by a job in /etc/cron.daily called logrotate. This is maybe why you cannot see prior to a certain date. However, you should see examples of the same logfile with .1, .2, .3 at the end and so on. These are normally archives of tar.gz or something.

OK, found those, not sure how to set to keep logs viewable in mcc any longer than they are, but at least that is one concern down!

> Those last entries seem to be postfix - your smtp server trying to send emails to your gmail account but failing to connect.

Now that I think of it, I do have it set to send e-mail in the event of evil things happening to my system. I guess I need to change e-mail addresses which it sends to, or figure out how to get that one to work.

> As for sshd, see if it's running with: netstat -tan and look for port 22.

Yes, it's running, output at the moment is:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3493 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48071 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:34444 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:849 0.0.0.0:* LISTEN
tcp 0 0 192.168.2.2:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:52378 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7741 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 192.168.2.2:33644 64.233.163.83:80 ESTABLISHED
tcp 1 0 127.0.0.1:53907 127.0.0.1:631 CLOSE_WAIT
tcp 1 0 127.0.0.1:40544 127.0.0.1:631 CLOSE_WAIT
tcp 1 0 127.0.0.1:40549 127.0.0.1:631 CLOSE_WAIT
tcp 1 0 127.0.0.1:59550 127.0.0.1:631 CLOSE_WAIT
tcp 1 0 127.0.0.1:59545 127.0.0.1:631 CLOSE_WAIT
tcp 0 0 :::6000 :::* LISTEN
tcp 0 0 :::631 :::* LISTEN

My intention is to be able to ssh (from the CLI, or using putty) into my system from wherever, and be able to print from my roaming laptop to the printer at home. Also of course, have the ability to surf the web, print locally and d/l from the desktop. (The machine the logs above are from.)
ianw1974 Posted November 6, 2006

Hmm, your port 22 looks different to mine:

[ian@esprit ~]$ netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 10.1.1.2:48144 72.14.205.83:80 ESTABLISHED

mine is listening on all, yours is listening restricted on your IP address only. Although that shouldn't be a problem. Have you tried using ssh locally and does it work OK? Can you connect without problems?
tyme Posted November 6, 2006

ian: i don't think he has a problem with SSH working, if I read the OP correctly it seems he's concerned about intruders.

To help secure your ssh I would follow these steps. I would check your sshd logs in /var/logs, it will show attempts to access your system via ssh and whether they failed or were successful, just search for successes since it isn't the easiest to parse through.

This has some helpful tips too. Especially about using keys instead of username/password. You can carry your key on a usb drive so wherever you are you have it.

ian: you should specify an IP address in sshd_config, don't use 0.0.0.0 - see my first link for information on it.
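tyme's advice above (search the sshd logs for successes rather than reading every failure) and ianw1974's earlier note that older entries live in the rotated .1, .2 and .gz files are what the following script does together. It is an added example, not code from the thread or from any of the posters: it reads a plain auth log and the gzip-rotated file next to it in oldest-first order, keeps only sshd Accepted/Failed lines, tallies the guessing activity per source address, and flags every successful login that came from an address outside a trusted list, used a password rather than a key, or followed earlier failures from the same address. The sample log lines, the addresses and the trusted list are constructed for the demonstration; only the username karl comes from the poster's own logs.

```python
import gzip
import re
import tempfile
from collections import Counter
from pathlib import Path

# OpenSSH authentication lines that matter for a login triage, for example:
#   Nov  6 03:12:01 localhost sshd[4410]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
#   Nov  6 08:15:22 localhost sshd[4502]: Accepted publickey for karl from 192.168.2.10 port 51122 ssh2
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def read_log_files(paths):
    """Yield lines from plain and gzip-rotated logs; pass the oldest file first so events stay in time order."""
    for path in paths:
        path = Path(path)
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


def parse_sshd_events(lines):
    """Extract Accepted/Failed sshd events as dicts; unrelated lines (pam, session open/close) are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"], "result": m["result"], "method": m["method"],
                "user": m["user"], "src": m["src"], "invalid_user": bool(m["invalid"]),
            })
    return events


def triage(events, trusted_sources):
    """Count guessing activity and flag each successful login that deserves a look.

    Failures are counted as they are seen, so 'earlier failures' means failures that
    precede the success in the log, which is the pattern of a guess that eventually landed.
    """
    failures_by_src = Counter()
    guessed_users = Counter()
    alerts = []
    for e in events:
        if e["result"] == "Failed":
            failures_by_src[e["src"]] += 1
            guessed_users[e["user"]] += 1
            continue
        reasons = []
        if e["src"] not in trusted_sources:
            reasons.append("source not in trusted list")
        if failures_by_src[e["src"]]:
            reasons.append(f"{failures_by_src[e['src']]} earlier failures from this source")
        if e["method"] == "password":
            reasons.append("password login (keys expected)")
        if reasons:
            alerts.append((e["ts"], e["user"], e["src"], reasons))
    return {"failures_by_src": failures_by_src, "guessed_users": guessed_users, "alerts": alerts}


# Constructed sample logs (not from the thread): the rotated file holds the older entries.
OLDER_LOG = """\
Nov  5 02:10:11 localhost sshd[3901]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Nov  5 02:10:14 localhost sshd[3901]: Failed password for invalid user oracle from 203.0.113.5 port 40213 ssh2
Nov  5 02:10:20 localhost sshd[3903]: Failed password for root from 203.0.113.5 port 40214 ssh2
Nov  5 02:11:02 localhost sshd[3905]: Failed password for root from 198.51.100.7 port 3022 ssh2
"""
CURRENT_LOG = """\
Nov  6 08:15:22 localhost sshd[4502]: Accepted publickey for karl from 192.168.2.10 port 51122 ssh2
Nov  6 09:01:00 localhost sshd[4600]: Accepted password for karl from 203.0.113.5 port 40300 ssh2
Nov  6 09:01:01 localhost sshd[4600]: pam_unix(sshd:session): session opened for user karl by (uid=0)
"""
TRUSTED_SOURCES = {"192.168.2.10"}  # constructed: the LAN address the owner's laptop uses


def demo():
    """Write the samples as auth.log.1.gz and auth.log in a temp dir, then triage both together."""
    with tempfile.TemporaryDirectory() as d:
        older = Path(d, "auth.log.1.gz")
        with gzip.open(older, "wt", encoding="utf-8") as fh:
            fh.write(OLDER_LOG)
        current = Path(d, "auth.log")
        current.write_text(CURRENT_LOG, encoding="utf-8")
        events = parse_sshd_events(read_log_files([older, current]))
    report = triage(events, TRUSTED_SOURCES)
    for ts, user, src, reasons in report["alerts"]:
        print(f"ALERT {ts} {user} from {src}: " + "; ".join(reasons))
    return report


if __name__ == "__main__":
    demo()
```

On a real box, replace the temp-dir setup with the rotated files in /var/log listed oldest first (auth.log.2.gz, auth.log.1, auth.log on Debian-style layouts; Mandriva of that era logged sshd to /var/log/auth.log as well). The key-based login from the trusted LAN address produces no alert; the password login from the address that had just been guessing root and admin produces one with all three reasons, which is exactly the line worth finding in a log full of failures.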
riseringseeker (Author) Posted November 6, 2006

> Hmm, your port 22 looks different to mine:
>
> [ian@esprit ~]$ netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
> tcp 0 0 10.1.1.2:48144 72.14.205.83:80 ESTABLISHED
>
> mine is listening on all, yours is listening restricted on your IP address only. Although that shouldn't be a problem. Have you tried using ssh locally and does it work OK? Can you connect without problems?

It works both locally, and over the internet for listed users. Being on the local network I have not been able to log in using the domain name, or the "real" IP address, but a friend who also uses Linux, and for whom I have set up an account, has been able to connect from various places. My concern isn't that it isn't working, but that it is not secure enough to keep the bad guys out.

> ian: i don't think he has a problem with SSH working, if I read the OP correctly it seems he's concerned about intruders.

Correct.

> To help secure your ssh I would follow these steps. I would check your sshd logs in /var/logs, it will show attempts to access your system via ssh and whether they failed or were successful, just search for successes since it isn't the easiest to parse through.

I'll look at the link you provided when I get back from running errands, thanks.

> This has some helpful tips too. Especially about using keys instead of username/password. You can carry your key on a usb drive so wherever you are you have it.

Have an "authorized_keys2" on the laptop, and am not interested in accessing the home computer from elsewhere, though I do have a usb jump drive in case that ever is needed.
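The advice the thread settles on, keys instead of passwords, an explicit ListenAddress and a short list of permitted users, can be checked mechanically. The following is an added example, not code from the thread or from any of the posters: it audits an sshd_config text for those settings and shows a permissive configuration beside a corrected one. Both config texts are constructed (192.168.2.2 is the address the poster's sshd binds to, karl is the account in the poster's logs, alice is a placeholder second user). Defaults assumed for directives missing from the file are those of OpenSSH 4.x, the version contemporary with this thread; parsing follows sshd's own rules that the first occurrence of a directive wins and that nothing after a Match line applies globally.

```python
import re

# Defaults assumed for directives absent from the file: OpenSSH 4.x, the release
# contemporary with this thread (later releases changed PermitRootLogin's default).
ASSUMED_DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
    "allowusers": "",
}


def parse_sshd_config(text):
    """Map lower-cased directive -> value the way sshd reads the file: comments dropped,
    the first occurrence of a directive wins, and directives after a Match line are not
    global. ListenAddress may legitimately repeat, so it is collected into a list."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "listenaddress":
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return (directive, current value, recommended value) for every weak setting found."""
    cfg = parse_sshd_config(text)
    findings = []

    def want(key, expected, ok=None):
        value = cfg.get(key, ASSUMED_DEFAULTS.get(key, ""))
        passed = ok(value) if ok else value.lower() == expected
        if not passed:
            findings.append((key, value or "(unset)", expected))

    want("permitrootlogin", "no")
    want("passwordauthentication", "no")
    # With UsePAM, keyboard-interactive still prompts for a password unless this is off too.
    want("challengeresponseauthentication", "no")
    want("pubkeyauthentication", "yes")
    want("maxauthtries", "3", ok=lambda v: v.isdigit() and int(v) <= 3)
    want("allowusers", "<explicit list of permitted users>", ok=lambda v: bool(v))

    listens = cfg.get("listenaddress", [])
    wildcard = any(a.startswith(("0.0.0.0", "::", "[::]")) for a in listens)
    if not listens or wildcard:
        findings.append(("listenaddress", ", ".join(listens) or "(unset)",
                         "<the one address sshd should serve>"))
    return findings


WEAK_CONFIG = """\
# Constructed sample of a permissive sshd_config (not the poster's file)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
# Constructed hardened counterpart; 'alice' is a placeholder second user
Port 22
Protocol 2
ListenAddress 192.168.2.2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowUsers karl alice
X11Forwarding no
"""


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd_config(text) or 'no findings'}")
```

The ChallengeResponseAuthentication check is the one most often missed: with UsePAM enabled, turning off PasswordAuthentication alone still leaves a password prompt through keyboard-interactive, so a password-guessing run like the one in the poster's logs keeps going. Binding to 192.168.2.2 as the poster already does is fine; it is the wildcard or unset form that the audit flags.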
ianw1974 Posted November 7, 2006

Ah ok, I must have read it as being a problem when I posted yesterday. Sorry :D
riseringseeker (Author) Posted November 7, 2006

> Ah ok, I must have read it as being a problem when I posted yesterday. Sorry :D

Not a problem. I have been told by a source I trust that nothing in the file looked overly suspicious to him, and he probed the ports that were open on my system with nmap, and saw nothing out of the ordinary.

nmap <IP_address>

So I am marking this one solved, though I still need to figure out why my system is unable to send mail to alert me to problems.
ianw1974 Posted November 7, 2006

Maybe port 25 is blocked by your isp. This can happen.
tyme Posted November 7, 2006

> Maybe port 25 is blocked by your isp. This can happen.

mail from your system to your system doesn't leave your system ;) - and if you are sending the e-mail to a different address (not localhost), outbound ports usually aren't blocked by ISPs - especially e-mail, since it's such a common tool. probably opening up a terminal and running the command "mail" as user (or root, depending on your settings) may reveal some information... mandriva usually drops the email in a local mailbox by default, usually either your user or root.
ianw1974 Posted November 7, 2006

Ah, but it is cos he's sending it to google ;)

> Nov 5 04:14:16 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
> Nov 5 04:14:19 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
> Nov 5 04:14:46 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)
> Nov 5 04:14:49 localhost postfix/smtp[18311]: connect to gmail-smtp-in.l.google.com[64.233.167.27]: Connection timed out (port 25)
> Nov 5 04:15:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.114]: Connection timed out (port 25)
> Nov 5 04:15:19 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.114]: Connection timed out (port 25)
> Nov 5 04:15:46 localhost postfix/smtp[17094]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)
> Nov 5 04:15:49 localhost postfix/smtp[18311]: connect to alt1.gmail-smtp-in.l.google.com[66.249.83.27]: Connection timed out (port 25)
> Nov 5 04:16:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.27]: Connection timed out (port 25)
> Nov 5 04:16:16 localhost postfix/smtp[17094]: 213B969C95: to=<riseringseeker@gmail.com>, relay=none, delay=150,

and some isp's don't allow you to run your own smtp server ;) I've found this myself unfortunately.
tyme Posted November 7, 2006

Well that's retarded, because port 25 is necessary to send e-mail, even if you aren't running your own smtp server! Anytime you send e-mail (even from a simple e-mail client), it connects to port 25 of an smtp server somewhere in the world. Otherwise you wouldn't be able to send any e-mail.
ianw1974 Posted November 7, 2006

I know, I've tried running my own smtp server and it wouldn't send out to the internet, and it was configured perfectly fine. Yet, my clients would work using an smtp server out on the internet. My isp obviously somehow knows I'm trying to run my own smtp server, and blocks it, than if I connect to one over the internet - be it my isp's smtp server, or my hosting provider's smtp server. So I don't know exactly how they manage to do it, but they do. I have a feeling it's something that's blocked on my broadband connection to the ISP, whereas anything outside of this connection is OK.
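The disagreement in the last few posts can be settled from the log itself: Postfix reported "Connection timed out", which is what a connect attempt looks like when packets are dropped somewhere on the path (no SYN/ACK and no RST), as opposed to "Connection refused", which means the far host answered and nothing is listening on that port. The following is an added example, not code from the thread or from any of the posters: it pulls the destinations out of Postfix's connect-failure lines (the thread's own format with "(port 25)" at the end, and the later "host[ip]:port:" form), classifies a fresh connect attempt to each as open, refused or timeout, and demonstrates the classifier offline against a throwaway loopback listener. The two Postfix lines embedded below are taken from the thread; the loopback check constructs its own listener.

```python
import re
import socket

# Postfix smtp client connect failures, in the thread's form
#   ... postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
# and in the newer form
#   ... postfix/smtp[1234]: connect to mx.example.net[192.0.2.10]:25: Connection refused
POSTFIX_CONNECT_RE = re.compile(
    r"postfix/smtp\[\d+\]: connect to (?P<host>[\w.-]+)\[(?P<ip>[\d.]+)\](?::(?P<port1>\d+))?: "
    r"(?P<reason>Connection (?:timed out|refused))(?: \(port (?P<port2>\d+)\))?"
)


def parse_postfix_connect_failures(lines):
    """Return one (host, ip, port, reason) tuple per Postfix connect failure, in log order."""
    out = []
    for line in lines:
        m = POSTFIX_CONNECT_RE.search(line)
        if m:
            port = int(m["port1"] or m["port2"] or 25)
            out.append((m["host"], m["ip"], port, m["reason"]))
    return out


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt.

    'open'    : handshake completed, something is listening.
    'refused' : the host answered with RST; reachable, but nothing listens there.
    'timeout' : no answer within `timeout`; a filter on the path (ISP, firewall) is
                dropping the packets. This is what Postfix logged as 'Connection timed out'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:  # DNS failure, no route, etc.
        return f"error:{exc.errno}"
    finally:
        s.close()


def recheck(log_lines, timeout=3.0):
    """Probe every destination the log complained about once and report its current state."""
    results = {}
    for host, ip, port, _reason in parse_postfix_connect_failures(log_lines):
        results.setdefault((host, ip, port), probe_tcp(ip, port, timeout))
    return results


def self_check():
    """Offline demonstration on a throwaway listener: 'open' while it listens, 'refused' once closed.
    Loopback can never yield 'timeout'; that result only appears when packets are dropped on the path."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


# Two lines from the thread's Postfix log plus the queue-id line that follows them.
POSTFIX_LOG = """\
Nov 5 04:14:16 localhost postfix/smtp[17094]: connect to gmail-smtp-in.l.google.com[64.233.167.114]: Connection timed out (port 25)
Nov 5 04:15:16 localhost postfix/smtp[17094]: connect to alt2.gmail-smtp-in.l.google.com[66.249.93.114]: Connection timed out (port 25)
Nov 5 04:16:16 localhost postfix/smtp[17094]: 213B969C95: to=<riseringseeker@gmail.com>, relay=none, delay=150,
"""


if __name__ == "__main__":
    print("loopback check (open, refused):", self_check())
    # Re-probing the MX hosts from the log needs network access; 'timeout' on all of
    # them while other outbound ports work is the signature of an ISP block on 25.
    for (host, ip, port), state in recheck(POSTFIX_LOG.splitlines()).items():
        print(f"{host} [{ip}] port {port}: {state}")
```

If the recheck shows timeout on port 25 from the broadband line but open from elsewhere, the fix is not on the Postfix side at all: route outbound mail through the ISP's or a mail provider's submission service on port 587 with authentication (Postfix's relayhost setting, for example relayhost = [smtp.example.net]:587 with an SASL password map), which is the path the ISP leaves open for ordinary mail clients. That also gives msec's alert mails a working route, which was the poster's remaining problem.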