Linux Question: Could I have become compromised?

Ok, wanted to try Mandriva Spring (via Torrent) so I changed from Wireless to a wired network and forgot to alter the settings in Firestarter accordingly.

The good news is I was running behind a router the whole time and I think it's properly configured.

I ran chkrootkit...showed nothing.

Installed Avast AV and ran it...no detection.

Computer seems fine.

Linux is pretty impregnable out of the box.

The IP tables will have kicked in...right?

Firestarter is only a frontend for IP Tables in any case.

My own view is that it's highly unlikely but I'd like to hear the opinions of people who are more experienced than myself.

BTW, I'm running Gutsy.

 

I didn't want to chance the wireless connection lapsing for a moment as it sometimes does.

 

@Riverrun

How about testing your combined firewalls (iptables and router) in the configuration you used for downloading via the ShieldsUp tests at grc.com? Are all ports stealthed or closed?

To check your router:
(1) shut down iptables via the "stop firewall" command button on the Firestarter GUI
(2) open a terminal window and type this command:

$ sudo iptables -L

The output of the command should look like this with iptables shut down:

Chain INPUT (policy accept)
target prot opt source destination

Chain FORWARD (policy accept)
target prot opt source destination

Chain OUTPUT (policy accept)
target prot opt source destination

(3) Open your browser and run the ShieldsUp tests at grc.com now that iptables is shut down. Are all ports stealthed or closed?
(4) Restart iptables via the "start firewall" command button on the Firestarter GUI

To check your existing iptable rules:
Open a terminal window and type this command:

$ sudo iptables -L

Hopefully they are not the same as when iptables are shut down. If they are, you will need to configure iptables via the Firestarter GUI.

 

Hello,

First, you changed the network ... okay ... what is the difference between your wired and wireless network and firewall rules? Second, where did you do this, home or public spot?

You mentioned a router. Have you ever checked this router, for example on GRC? Are both your wired and wireless network behind router? What distro were you running when "this" happened?

Finally, assuming the worst - no firewall, no router, nothing, just you and the net, why do you still think you should have been compromised?

If your distro is fully patched ... chances are minimal. If your distro has no open ports and vulnerable services, the chances are zero.

Mrk

 

Did all the tests and everything seems OK, thanks for the help

 

1. I'm using Firestarter in Gutsy, fully patched and I forgot to change from eth1 to eth0 in Firestarter (Preferences>Network Settings)

2. This was at home.

3. Had checked the router a few weeks ago at GRC when I first bought it and it was fine then.

Just checked again with both Wired and Wireless and all ports were stealthed.

4. Checked the specific ports I used for the download under the same conditions as I made the download and again all was stealthed.

It looks like all is well.

That's a relief.

Thanks for the help bkt11 and Mrkvonic

 

To sum up:

1. I was using a fully patched distro

2. The Shields-Up test shows that the firewall on the router did its job

Fully patched with no open ports plus Gutsy seems perfectly normal, downloading a Linux torrent at the time, chances of being compromised are infinitesimally small.

I'm ok.

 

Hello,
BTW, Gutsy ships with no open ports. So even if you used no firewall and no router, you were and are in no danger.
Mrk

 

It's good to know that in case I do the same thing again. Gutsy is very secure, I know that because I've been using it since October with zero problems. Still, I've always had the firewall running before this and though I wasn't unduly worried it's great to get this kind of assurance.

 

"BTW, Gutsy ships with no open ports. So even if you used no firewall and no router, you were and are in no danger.

I am using Ubuntu 7.04 and have run both nmap and lsof with the following results:

$ sudo nmap -sT -O localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2008-04-02 11:19 MDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1695 closed ports
PORT STATE SERVICE
25/tcp open smtp
631/tcp open ipp
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17-10.33 (Ubuntu)
Uptime: 0.007 days (since Wed Apr 2 11:09:32 200
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 1.563 seconds

$ sudo lsof -i -n

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
avahi-dae 4465 avahi 13u IPv4 14454 UDP *:mdns
avahi-dae 4465 avahi 14u IPv4 14455 UDP *:32768
dhclient 4553 dhcp 6u IPv4 14864 UDP *:bootpc
hpiod 4625 root 0u IPv4 14898 TCP 127.0.0.1:2208 (LISTEN)
python 4634 hplip 4u IPv4 14948 TCP 127.0.0.1:2207 (LISTEN)
exim4 4778 Debian-exim 3u IPv4 15185 TCP 127.0.0.1:smtp (LISTEN)
cupsd 5428 cupsys 1u IPv4 17151 TCP 127.0.0.1:ipp (LISTEN)

The ipp service is the Internet Printing Protocol and is a Ubuntu default on my PC.

The smtp service is used by exim4 mail transfer agent and is NOT A UBUNTU DEFAULT. It was installed as a dependency of rkhunter to enable reporting of daily scans via mail.

As long as Ubuntu is fully patched (and it is), even though this service is listening, there will be no risk? What if there is a 0-day? Could there a risk in the time it takes for a patch to be made known to the developers, implemented by the developers, made available for download and installed? With regard to smtp/exim4, is there a possiblity that this machine could become a spambot?

Just for the record, on this Ubuntu install I am using iptable rules configured by the lokkit "high security" option. In addition, I have installed and configure tcpd to limit access to services.