
#1 2008-06-29 21:38:39

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

I Think My Box Has Been CRACKED!!!

I hope I am wrong but I think I am right :mad:

The Shields Up web site tells me that these ports are open:

111 sunrpc (Sun Remote Procedure Call)

769

After I first installed I went there and none were open...
I have not installed any services or anything other than ktorrent, tor, privoxy???

rkhunter tells me the following:

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text execut$

Warning: The syslog daemon is running, but no configuration file can be found.

Warning: Hidden file found: /usr/man/man8/.isdnctrl_conf.8.gz: gzip compressed data, was ".isdnctrl_conf.8", from Unix, last mod$

And, not now but the last time I ran "ls" in /etc, the things dealing with group, user, syslog and sudoers were in RED boxes.

What do you think? Should I panic and reinstall?
Or are ports 111 and 769 no problem, probably opened by some program, and should I just close them and not worry about them?

I'll read up on how to make a backup before I reinstall so I have a backup after I set my system up...


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec


#2 2008-06-29 22:07:15

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: I Think My Box Has Been CRACKED!!!

Now when I turn on firestarter it waits forever to load ubuntuforums.org or the Arch Linux forums or gmail... I have to turn it off and then the pages load with no problem?



#3 2008-06-29 22:49:44

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: I Think My Box Has Been CRACKED!!!

I wouldn't always trust what rkhunter says, but I think it would be in your best interests to close those ports.

Check your firestarter settings and fiddle around. You must have a setting or checkbox blocking something you don't want blocked.


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#4 2008-06-29 23:06:04

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: I Think My Box Has Been CRACKED!!!

dyscoria wrote:

I wouldn't always trust what rkhunter says, but I think it would be in your best interests to close those ports.

Check your firestarter settings and fiddle around. You must have a setting or checkbox blocking something you don't want blocked.

Thank you for the fresh air :)

I ran pacman -R firestarter and pacman -S guarddog, and now things are working as they should with ports 111 and 769 closed. I thought the things changed to scripts were no big deal because I looked at the scripts and they seemed like they were no big deal, i.e. they had GNU licenses.



#5 2008-06-29 23:14:53

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: I Think My Box Has Been CRACKED!!!

Why do "sudo" and "sudoedit" in /usr/bin keep showing up in red? I'll look it up, but my guess is that it changes every time I use the sudo command???

Last edited by hunterthomson (2008-06-30 00:29:19)



#6 2008-06-30 01:44:31

Redroar
Member
Registered: 2008-03-17
Posts: 200

Re: I Think My Box Has Been CRACKED!!!

Red = setuid root. Absolutely nothing to worry about for sudo and sudoedit.


Stop looking at my signature. It betrays your nature.


#7 2008-06-30 03:30:22

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: I Think My Box Has Been CRACKED!!!

Redroar wrote:

Red = setuid root. Absolutely nothing to worry about for sudo and sudoedit.

OK, so the colors are showing ownership... Thank you.

I have now wasted 2 hrs trying to set up guarddog... I hate that program! I set up everything the way it should be, but ktorrent and tor were still not working, so I ran pacman -R guarddog; pacman -S firestarter, and now I have put firestarter in my daemons array. Restarted, and all is well according to https://www.grc.com/x/ne.dll?bh0bkyd2 .

Last edited by hunterthomson (2008-06-30 03:35:47)



#8 2008-06-30 08:58:26

wuischke
Member
From: Suisse Romande
Registered: 2007-01-06
Posts: 630

Re: I Think My Box Has Been CRACKED!!!

What daemons do you have running? 111 is used by portmapper (for instance NFS needs this, iirc), but I don't think 769 is the standard port for anything.

Also try lsof -i to find out which program is listening on these ports.

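
Added example (editor's, not code from the thread): lsof -i and netstat both get their answer from /proc/net/tcp and the socket:[inode] links under /proc/<pid>/fd. The script below reads those directly, with no external binary involved, which matters here because rkhunter has just reported that several system commands were replaced; if you do not trust the tools on the box, read the kernel's own view. The /proc/net/tcp sample at the bottom is constructed (a listener on 111, one on 769 bound to localhost, one established connection) and its inode numbers are made up, so against a real /proc they resolve to no process. Caveat: a kernel-level rootkit can hide sockets from /proc as well, so a clean result is necessary, not sufficient; conversely, a listener that shows up here but not in netstat output is a strong sign that netstat was tampered with.

```python
"""Resolve listening TCP ports to their owning processes by reading /proc directly.

Added example, not from the thread. Runs on any OS against the constructed
sample; resolving inodes to PIDs only works on a live Linux box, and only for
processes whose /proc/<pid>/fd you are allowed to read (root sees all).
"""
import os
import re
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp (IPv4) into (ip, port, state, inode) tuples."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel prints the IPv4 address as little-endian hex and the port as big-endian hex.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        rows.append((ip, int(port_hex, 16), fields[3], int(fields[9])))
    return rows


def listening_ports(text):
    """Map each listening TCP port to its socket inode."""
    return {port: inode for _ip, port, state, inode in parse_proc_net_tcp(text) if state == LISTEN}


def socket_owners(inodes, proc="/proc"):
    """Scan /proc/<pid>/fd for socket:[inode] links; return {inode: (pid, comm)}."""
    wanted = set(inodes)
    owners = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:  # not Linux, or /proc not mounted
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not enough privilege to look inside
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = SOCKET_LINK.match(target)
            if m and int(m.group(1)) in wanted:
                try:
                    with open(os.path.join(proc, pid, "comm")) as fh:
                        comm = fh.read().strip()
                except OSError:
                    comm = "?"
                owners[int(m.group(1))] = (int(pid), comm)
    return owners


def report(tcp_text, proc="/proc"):
    """Return {port: (pid, comm) or None} for every listening port in tcp_text."""
    ports = listening_ports(tcp_text)
    owners = socket_owners(ports.values(), proc)
    return {port: owners.get(inode) for port, inode in ports.items()}


# Constructed sample in /proc/net/tcp format (inode numbers are made up).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0301 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:006F 01 00000000:00000000 00:00000000 00000000  1000        0 12003 1 0000000000000000 20 4 0 10 -1
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            live = report(fh.read())
    except OSError:
        live = report(SAMPLE)  # not on Linux: fall back to the constructed sample
    for port, owner in sorted(live.items()):
        print(f"port {port}: {owner or 'owner not found (hidden, or not enough privilege)'}")
```

Run it as root to see every owner; as an ordinary user, ports owned by root daemons come back as "owner not found", which is a privilege limit, not a hidden socket. Compare the port list it prints with what netstat -lnt shows on the same box; they should be identical.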

#9 2008-06-30 09:07:55

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: I Think My Box Has Been CRACKED!!!

hunterthomson wrote:
Redroar wrote:

Red = setuid root. Absolutely nothing to worry about for sudo and sudoedit.

OK, so the colors are showing ownership... Thank you.

I have now wasted 2 hrs trying to set up guarddog... I hate that program! I set up everything the way it should be, but ktorrent and tor were still not working, so I ran pacman -R guarddog; pacman -S firestarter, and now I have put firestarter in my daemons array. Restarted, and all is well according to https://www.grc.com/x/ne.dll?bh0bkyd2 .

A guide on setting up iptables manually; I think that's far easier than any front-end. You might want to try it.


#10 2008-06-30 14:18:06

pelle.k
Member
From: Åre, Sweden (EU)
Registered: 2006-04-30
Posts: 667

Re: I Think My Box Has Been CRACKED!!!

All (most?) GUI iptables frontends pretty much suck. I prefer shorewall or fireHOL. Easy peasy iptables configuration.


"Your beliefs can be like fences that surround you.
You must first see them or you will not even realize that you are not free, simply because you will not see beyond the fences.
They will represent the boundaries of your experience."

SETH / Jane Roberts


#11 2008-06-30 15:20:58

sniffles
Member
Registered: 2008-01-23
Posts: 275

Re: I Think My Box Has Been CRACKED!!!

pelle.k wrote:

All (most?) GUI iptables frontends pretty much suck. I prefer shorewall or fireHOL. Easy peasy iptables configuration.

All (most?) iptables frontends pretty much suck.


#12 2008-06-30 18:03:28

broch
Banned
From: L.A. California
Registered: 2006-11-13
Posts: 975

Re: I Think My Box Has Been CRACKED!!!

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

rkhunter issue (Arch modified)

Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable

rkhunter issue (Arch modified)

Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text execut$

rkhunter issue (Arch modified)

Warning: The syslog daemon is running, but no configuration file can be found.

It is up to you: either configure syslog, or ignore the error.

Warning: Hidden file found: /usr/man/man8/.isdnctrl_conf.8.gz: gzip compressed data, was ".isdnctrl_conf.8", from Unix, last mod$

Don't know, but it does not look dangerous.

Remember that you will have to update the rkhunter hash DB after any of the scanned files is updated by pacman, otherwise you will see plenty of red-marked files with hash issues.

To update the rkhunter hashes, run
rkhunter --hashupd

Obviously this makes sense only if your system has just been updated and you are sure that the files downloaded/installed are safe.

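
Added example (editor's; not rkhunter's code and not broch's): a minimal file-property baseline in Python that does what broch describes. For each path it records the file type (ELF binary versus "#!" script) and a SHA-256, and a later check reports anything that differs. The demo builds a fake ELF "ldd" and a script "whatis" in a temporary directory, then swaps the ELF for a wrapper script, and returns three results: the clean check, the check after the swap (caught by the type change before the hash is even compared, which is the kind of finding behind the "replaced by a script" warnings above), and the check after the baseline is re-taken over the swapped file. That last result is exactly broch's caveat: re-baselining blesses whatever is on disk at that moment, so do it only right after an update you trust. For the record, glibc's real ldd is a shell script, so rkhunter flagging /usr/bin/ldd as a script is expected on any glibc system.

```python
"""Minimal rkhunter-style file-property baseline: type + SHA-256 per path.

Added example, not rkhunter's code. The demo() scenario is constructed in a
temporary directory; nothing on the real system is touched.
"""
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def file_kind(path):
    """'elf', 'script' or 'other', decided from the first bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_create(paths):
    """Snapshot kind + hash for each path. Only ever take this from a state you trust."""
    return {p: {"kind": file_kind(p), "sha256": sha256_of(p)} for p in paths}


def baseline_check(baseline):
    """Compare the files on disk with the baseline; return a list of warning strings."""
    warnings = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            warnings.append(f"{path}: missing")
            continue
        kind = file_kind(path)
        if kind != rec["kind"]:
            # Type check first: a binary turning into a script is suspicious regardless of hash.
            warnings.append(f"{path}: was {rec['kind']}, is now {kind} (replaced by a script?)")
        elif sha256_of(path) != rec["sha256"]:
            warnings.append(f"{path}: hash changed (package update, or tampering?)")
    return warnings


def demo():
    """Constructed scenario: a fake ELF 'ldd' is swapped for a wrapper script.

    Returns (clean, after_swap, after_rebaseline): the warnings from each check.
    """
    with tempfile.TemporaryDirectory() as d:
        ldd = os.path.join(d, "ldd")
        whatis = os.path.join(d, "whatis")
        with open(ldd, "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01 fake binary body")
        with open(whatis, "w") as fh:
            fh.write('#!/bin/sh\nexec man -f "$@"\n')
        base = baseline_create([ldd, whatis])
        clean = baseline_check(base)  # nothing has changed yet
        with open(ldd, "w") as fh:  # the binary is replaced by a script
            fh.write('#!/bin/bash\nexec /usr/bin/real-ldd "$@"\n')
        after_swap = baseline_check(base)
        # Re-baselining now (as one would after a package update) accepts the swapped file:
        # the check goes quiet again, which is why the baseline must come from a trusted state.
        base = baseline_create([ldd, whatis])
        after_rebaseline = baseline_check(base)
        return clean, after_swap, after_rebaseline


if __name__ == "__main__":
    for label, warns in zip(("clean", "after swap", "after re-baseline"), demo()):
        print(f"{label}: {warns or 'no warnings'}")
```

To use this on a real box, feed baseline_create the setuid and PATH binaries you care about and keep the resulting dictionary somewhere the box cannot write to (removable media, or another host); a baseline stored on the same disk is only as good as the attacker's interest in editing it.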

#13 2008-06-30 18:36:14

pelle.k
Member
From: Åre, Sweden (EU)
Registered: 2006-04-30
Posts: 667

Re: I Think My Box Has Been CRACKED!!!

All (most?) iptables frontends pretty much suck.

Blasphemy!
OK, shorewall isn't at the top of my list but it gets the job done. fireHOL, on the other hand, is a really nifty application. But each to his own.


#14 2008-07-01 05:46:51

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: I Think My Box Has Been CRACKED!!!

Hey, thanks all :)

The ubuntuforums are still faster but not very good info... I guess they are tired of answering the same questions, so now most people there just don't bother to read or think about what was written... I must have told 15~20 people how to install a driver with ndiswrapper... and I have an Intel wireless card.

Anyway, I like the command to see what services are running on the ports. That should come in handy. I plan on just running iptables from the shell now. F the bull GUIs... I do everything from the shell now. I even wrote a bash script to adjust the speaker volumes for me and put it in the rc.d/daemons array. Now I don't have to install a whole KDE package for the kmixer GUI.

Speaking of that... I am having a hell of a time getting moblock OR iplist working on my 64-bit Arch. I was thinking about writing a Perl script to download IP blacklists / put them in one file / cut out the IP ranges / compare today's list with yesterday's list of IPs and drop the matching ones / then run the standard iptables command to block each IP range.

Why is there not a program that does this anyway???? Why do they all use a new netfilter_queue module???? Would it really slow down my kernel to block 54,000 IP ranges through standard iptables rules???

Last edited by hunterthomson (2008-07-01 05:49:14)


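
Added example (editor's; not the iplist or moblock code and not the poster's Perl script): the list handling described in the post above, done in Python, with one assumption made plain: the target is an ipset set of type hash:net matched by a single iptables rule, not one iptables rule per range. iptables evaluates a chain top to bottom, so 54,000 separate DROP rules cost up to 54,000 comparisons per packet, which is why moblock and iplist pull packets out to userspace through netfilter_queue; ipset keeps the lookup in the kernel as a single hash match. The script parses the PeerGuardian p2p format ("name:first-last", one range per line), converts each range to the fewest CIDR blocks, merges overlaps, diffs today's list against yesterday's, and emits the text ipset restore expects. The sample list is constructed for the example and is not a real blocklist.

```python
"""Convert a p2p-format IP blocklist to merged CIDR networks and an ipset restore script.

Added example, not project code. SAMPLE is constructed; the only external
assumption is that an ipset of type hash:net will hold the result.
"""
import ipaddress
import re

P2P_LINE = re.compile(r"^(?P<name>.*):(?P<start>[\d.]+)-(?P<end>[\d.]+)$")


def parse_p2p(text):
    """Yield (name, first, last) for each 'name:a.b.c.d-e.f.g.h' line; skip blanks, comments, junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = P2P_LINE.match(line)
        if not m:
            continue  # a malformed line should not abort the whole list
        yield (m.group("name"),
               ipaddress.IPv4Address(m.group("start")),
               ipaddress.IPv4Address(m.group("end")))


def ranges_to_networks(text):
    """Minimal sorted list of CIDR networks covering every range, overlaps merged."""
    nets = []
    for _name, first, last in parse_p2p(text):
        if last < first:
            first, last = last, first  # tolerate a reversed range rather than drop it
        nets.extend(ipaddress.summarize_address_range(first, last))
    return sorted(ipaddress.collapse_addresses(nets))


def diff_sets(old_nets, new_nets):
    """(to_add, to_delete) when moving from yesterday's networks to today's."""
    old, new = set(old_nets), set(new_nets)
    return sorted(new - old), sorted(old - new)


def ipset_restore_script(setname, nets):
    """Text for `ipset restore`: one create line, then one add line per network."""
    maxelem = max(65536, 2 * len(nets))
    lines = [f"create {setname} hash:net family inet hashsize 65536 maxelem {maxelem}"]
    lines += [f"add {setname} {n}" for n in nets]
    return "\n".join(lines) + "\n"


# Constructed sample, not a real blocklist. Two adjacent /24s merge into a /23,
# one range sits inside them, one is an odd-sized range, one is written backwards.
SAMPLE = """\
# constructed p2p-format sample
Example range one:10.0.0.0-10.0.0.255
Example range two:10.0.1.0-10.0.1.255
Overlaps one:10.0.0.128-10.0.0.200
Odd range:192.168.5.3-192.168.5.9
Reversed:172.16.0.255-172.16.0.0
"""

if __name__ == "__main__":
    nets = ranges_to_networks(SAMPLE)
    print(ipset_restore_script("blocklist", nets), end="")
```

Load the output with ipset -exist restore < blocklist.ipset, then one rule in each direction: iptables -I INPUT -m set --match-set blocklist src -j DROP and iptables -I OUTPUT -m set --match-set blocklist dst -j DROP. On the next day's run, diff_sets against yesterday's networks gives the entries for ipset add and ipset del, so the live set is updated in place without ever being flushed.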

#15 2008-07-01 07:42:30

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: I Think My Box Has Been CRACKED!!!

OK,

I never found out what was running on 769 or 111, but now I have removed firestarter (pacman -R) and set up iptables :D

For the most part I just followed the wiki... I'll dive more into it when I have more time. But now I don't have any ports open and my passwords are 22 characters long, like asDF-234-><?". So now the biggest threat at this point is Flash / Java / ARP poisoning / redirects / cross-site scripting / ...

Just for the fun of it I want to build a kernel with "grsecurity". That looks really cool. Way better than SE. It really does stuff other than being a pain in the ***. Oh, and I have also made a backup of my root, boot, and home partitions.

Last edited by hunterthomson (2008-07-01 07:43:00)



#16 2008-07-01 15:08:08

pelle.k
Member
From: Åre, Sweden (EU)
Registered: 2006-04-30
Posts: 667

Re: I Think My Box Has Been CRACKED!!!

I am having a hell of a time getting moblock OR iplist working on my 64-bit Arch

iplist from AUR is incomplete, and not updated for quite some time.
You have to use the iplist source modified for GCC 4.3 instead of what's in the old PKGBUILD.
Try this:

pkgname=iplist
pkgver=0.19
pkgrel=1
pkgdesc=" iplist is a list based packet handler which uses the netfilter netlink-queue library (kernel 2.6.14 or later)"
arch=('i686')
url="http://sourceforge.net/projects/iplist/"
license=('GPL')
depends=('libnetfilter_queue' 'gcc' 'libnfnetlink' 'zlib')
source=(iplist-0.19gcc43.tar.gz)
#md5sums=('4354594923444c7ef8f810cd343d34bc')

options=('docs')

build() {
  mkdir -p ${pkgdir}/usr/sbin
  mkdir -p ${pkgdir}/usr/share/java
  mkdir -p ${pkgdir}/etc
  mkdir -p ${pkgdir}/usr/share/applications


  mkdir -p ${pkgdir}/var/cache/iplist
  install -Dm 664 ${srcdir}/$pkgname-$pkgver/README.lists ${pkgdir}/usr/share/doc/iplist/README.lists

  cd ${srcdir}/$pkgname-$pkgver
  make || return 1
  make DESTDIR="${pkgdir}" install
}

#17 2008-07-02 05:25:49

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: I Think My Box Has Been CRACKED!!!

pelle.k wrote:

I am having a hell of a time getting moblock OR iplist working on my 64-bit Arch

iplist from AUR is incomplete, and not updated for quite some time.
You have to use the iplist source modified for GCC 4.3 instead of what's in the old PKGBUILD.
Try this:

(PKGBUILD quoted from the post above, unchanged)

Could I just change the arch line like this?

arch=("i686" "x86_64")

????



#18 2008-07-02 17:51:33

pelle.k
Member
From: Åre, Sweden (EU)
Registered: 2006-04-30
Posts: 667

Re: I Think My Box Has Been CRACKED!!!

Sure you can. Also I noticed the source=() field is incomplete:

source=('http://downloads.sourceforge.net/iplist/iplist-0.19gcc43.tar.gz')

Don't forget, you have to do the PKGBUILDs for netfilter and nfnetlink first, as well.

Last edited by pelle.k (2008-07-02 17:54:24)


#19 2008-07-27 21:11:40

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: I Think My Box Has Been CRACKED!!!

HEY

I just now did that and it worked!!! Thank you. You should update the AUR with your PKGBUILD.

Last edited by hunterthomson (2008-07-28 01:26:38)

