Linux Question: Could I have become compromised?

Discussion in 'all things UNIX' started by Riverrun, Apr 1, 2008.

Thread Status:
Not open for further replies.
  1. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    Ok, wanted to try Mandriva Spring (via Torrent) so I changed from Wireless to a wired network and forgot to alter the settings in Firestarter accordingly.

    The good news is I was running behind a router the whole time and I think it's properly configured.

    I ran chkrootkit...showed nothing.

    Installed Avast AV and ran it...no detection.

    Computer seems fine.

    Linux is pretty impregnable out of the box.

    The IP tables will have kicked in...right?

    Firestarter is only a frontend for IP Tables in any case.

    My own view is that it's highly unlikely but I'd like to hear the opinions of people who are more experienced than myself.

    BTW, I'm running Gutsy.
     
  2. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    I didn't want to chance the wireless connection lapsing for a moment as it sometimes does.
     
  3. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    @Riverrun

    How about testing your combined firewalls (iptables and router) in the configuration you used for downloading via the ShieldsUp tests at grc.com? Are all ports stealthed or closed?

    To check your router:
    (1) shut down iptables via the "stop firewall" command button on the Firestarter GUI
    (2) open a terminal window and type this command:

    $ sudo iptables -L

    The output of the command should look like this with iptables shut down:

    Chain INPUT (policy accept)
    target prot opt source destination

    Chain FORWARD (policy accept)
    target prot opt source destination

    Chain OUTPUT (policy accept)
    target prot opt source destination

    (3) Open your browser and run the ShieldsUp tests at grc.com now that iptables is shut down. Are all ports stealthed or closed?
    (4) Restart iptables via the "start firewall" command button on the Firestarter GUI

    To check your existing iptables rules:
    Open a terminal window and type this command:

    $ sudo iptables -L

    Hopefully they are not the same as when iptables is shut down. If they are, you will need to configure iptables via the Firestarter GUI.
     
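The check bktII describes above, turned into something scriptable, as an added example (not code from the thread or from Firestarter): the function reads an `iptables -L` listing on stdin and reports whether the filter table is in the "firewall stopped" state, meaning every built-in chain has policy ACCEPT and no chain carries a rule. The two sample listings are constructed here; the first reproduces the stopped state shown in the post (with the policy in upper case, as iptables actually prints it), the second is an illustrative default-deny ruleset, not Firestarter's own rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from Firestarter: read the
# `iptables -L` listing on stdin and report whether the filter table is in the
# "firewall stopped" state (every chain policy ACCEPT, no rules at all).
# Prints "empty" when nothing is filtering, otherwise "active".
iptables_filter_state() {
    awk '
        BEGIN { rules = 0; nonaccept = 0 }
        # Built-in chain header, e.g. "Chain INPUT (policy ACCEPT)".
        # iptables prints the policy in upper case; the transcript in the thread
        # shows it lower case, so compare case-insensitively.
        /^Chain / && $3 == "(policy" {
            pol = $4; sub(/\)$/, "", pol)
            if (tolower(pol) != "accept") nonaccept++
            next
        }
        /^Chain / { next }              # user-defined chain header: "(N references)"
        /^target +prot/ { next }        # column header line
        /^[ \t]*$/ { next }             # blank separator between chains
        { rules++ }                     # anything left is a rule entry
        END {
            if (rules == 0 && nonaccept == 0) print "empty"
            else print "active"
        }
    '
}

# Convenience wrapper: state of a listing held in a shell string.
listing_state() {
    printf '%s\n' "$1" | iptables_filter_state
}

# Constructed sample: what `iptables -L` prints with the firewall stopped.
STOPPED_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: a minimal default-deny ruleset of the kind a firewall
# frontend loads (illustrative rules, not Firestarter's actual ruleset).
ACTIVE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Live use on the machine itself (needs root):
#   sudo iptables -L | iptables_filter_state
echo "stopped sample: $(listing_state "$STOPPED_LISTING")"
echo "active sample:  $(listing_state "$ACTIVE_LISTING")"
```

A chain whose policy is DROP but which has no rules still counts as "active", since the default policy alone is filtering traffic; only the all-ACCEPT, no-rules state is reported as "empty".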
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    First, you changed the network ... okay ... what is the difference between your wired and wireless network and firewall rules? Second, where did you do this, at home or at a public spot?

    You mentioned a router. Have you ever checked this router, for example on GRC? Are both your wired and wireless networks behind the router? What distro were you running when "this" happened?

    Finally, assuming the worst - no firewall, no router, nothing, just you and the net, why do you still think you should have been compromised?

    If your distro is fully patched ... chances are minimal. If your distro has no open ports and vulnerable services, the chances are zero.

    Mrk
     
  5. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    Did all the tests and everything seems OK, thanks for the help
     
  6. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~

    1. I'm using Firestarter in Gutsy, fully patched and I forgot to change from eth1 to eth0 in Firestarter (Preferences>Network Settings)

    2. This was at home.

    3. Had checked the router a few weeks ago at GRC when I first bought it and it was fine then.

    Just checked again with both Wired and Wireless and all ports were stealthed.

    4. Checked the specific ports I used for the download under the same conditions as I made the download and again all was stealthed.

    It looks like all is well.

    That's a relief.

    Thanks for the help bktII and Mrkvonic
     
  7. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    To sum up:

    1. I was using a fully patched distro

    2. The Shields-Up test shows that the firewall on the router did its job

    Fully patched with no open ports, plus Gutsy seems perfectly normal and I was downloading a Linux torrent at the time; the chances of being compromised are infinitesimally small.

    I'm ok.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    BTW, Gutsy ships with no open ports. So even if you used no firewall and no router, you were and are in no danger.
    Mrk
     
  9. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~

    It's good to know that in case I do the same thing again. Gutsy is very secure; I know that because I've been using it since October with zero problems. Still, I've always had the firewall running before this and, though I wasn't unduly worried, it's great to get this kind of assurance.
     
  10. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    "BTW, Gutsy ships with no open ports. So even if you used no firewall and no router, you were and are in no danger."

    I am using Ubuntu 7.04 and have run both nmap and lsof with the following results:

    $ sudo nmap -sT -O localhost

    Starting Nmap 4.20 ( http://insecure.org ) at 2008-04-02 11:19 MDT
    Interesting ports on localhost (127.0.0.1):
    Not shown: 1695 closed ports
    PORT STATE SERVICE
    25/tcp open smtp
    631/tcp open ipp
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.17-10.33 (Ubuntu)
    Uptime: 0.007 days (since Wed Apr 2 11:09:32 2008)
    Network Distance: 0 hops

    OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
    Nmap finished: 1 IP address (1 host up) scanned in 1.563 seconds

    $ sudo lsof -i -n

    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    avahi-dae 4465 avahi 13u IPv4 14454 UDP *:mdns
    avahi-dae 4465 avahi 14u IPv4 14455 UDP *:32768
    dhclient 4553 dhcp 6u IPv4 14864 UDP *:bootpc
    hpiod 4625 root 0u IPv4 14898 TCP 127.0.0.1:2208 (LISTEN)
    python 4634 hplip 4u IPv4 14948 TCP 127.0.0.1:2207 (LISTEN)
    exim4 4778 Debian-exim 3u IPv4 15185 TCP 127.0.0.1:smtp (LISTEN)
    cupsd 5428 cupsys 1u IPv4 17151 TCP 127.0.0.1:ipp (LISTEN)

    The ipp service is the Internet Printing Protocol and is an Ubuntu default on my PC.

    The smtp service is used by exim4 mail transfer agent and is NOT A UBUNTU DEFAULT. It was installed as a dependency of rkhunter to enable reporting of daily scans via mail.

    As long as Ubuntu is fully patched (and it is), even though this service is listening, will there be no risk? What if there is a 0-day? Could there be a risk in the time it takes for a patch to be made known to the developers, implemented by the developers, made available for download and installed? With regard to smtp/exim4, is there a possibility that this machine could become a spambot?

    Just for the record, on this Ubuntu install I am using iptables rules configured by the lokkit "high security" option. In addition, I have installed and configured tcpd to limit access to services.
     
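The distinction bktII's listing brings out, but does not spell out, is which of those sockets are actually reachable from the network: the TCP listeners are all bound to 127.0.0.1 and so are invisible to the LAN, while the avahi and dhclient UDP sockets are bound to every interface (`*`). The following is an added example, not code from the thread: it reads `lsof -i -n` output on stdin and prints only the sockets that are not loopback-bound. The sample input is the lsof listing from the post above, reproduced as posted.

```shell
#!/bin/sh
# Added example, not code from the thread: read `lsof -i -n` output on stdin
# and print only the sockets reachable from the network, i.e. listening TCP
# sockets and bound UDP sockets whose local address is not loopback.
# Output format: "<command> <proto> <local address>", one socket per line.
lsof_exposed_listeners() {
    awk '
        $1 == "COMMAND" { next }                     # column header
        {
            # NAME occupies the last fields: "TCP host:port (LISTEN)" or "UDP host:port".
            if ($NF == "(LISTEN)")     { proto = $(NF-2); addr = $(NF-1) }
            else if ($(NF-1) == "UDP") { proto = "UDP";   addr = $NF }
            else next                                # established/closing TCP etc.
            if (addr ~ /->/) next                    # connected UDP socket, not a listener
            host = addr; sub(/:[^:]*$/, "", host)    # drop the trailing ":port"
            if (host == "127.0.0.1" || host == "localhost" || host == "[::1]") next
            printf "%s %s %s\n", $1, proto, addr
        }
    '
}

# Number of network-reachable sockets in the listing on stdin.
lsof_exposed_count() {
    lsof_exposed_listeners | awk 'END { print NR }'
}

# Sample input: the `sudo lsof -i -n` listing posted in the thread, as posted.
LSOF_SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
avahi-dae 4465 avahi 13u IPv4 14454 UDP *:mdns
avahi-dae 4465 avahi 14u IPv4 14455 UDP *:32768
dhclient 4553 dhcp 6u IPv4 14864 UDP *:bootpc
hpiod 4625 root 0u IPv4 14898 TCP 127.0.0.1:2208 (LISTEN)
python 4634 hplip 4u IPv4 14948 TCP 127.0.0.1:2207 (LISTEN)
exim4 4778 Debian-exim 3u IPv4 15185 TCP 127.0.0.1:smtp (LISTEN)
cupsd 5428 cupsys 1u IPv4 17151 TCP 127.0.0.1:ipp (LISTEN)'

# Live use on the machine itself (needs root):
#   sudo lsof -i -n | lsof_exposed_listeners
echo "Network-reachable sockets in the posted listing:"
printf '%s\n' "$LSOF_SAMPLE" | lsof_exposed_listeners
echo "count: $(printf '%s\n' "$LSOF_SAMPLE" | lsof_exposed_count)"
```

On the posted listing this prints the three UDP sockets (mdns, 32768, bootpc) and nothing for exim4, cupsd, hpiod or hplip, which matches the nmap result of only loopback-facing TCP ports. That is also why the exim4 question in the post is less alarming than it looks: an MTA listening only on 127.0.0.1 cannot be reached by a remote spammer, though it is still worth confirming with a scan from another host on the LAN rather than from localhost.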