Hello,
There are two computers. Computer A uses openSUSE and is usually used for common tasks (no risk at all). Suddenly, one day some "bookmarks" in Mozilla Firefox were modified, but not by the legitimate users. The firewall rules put eth0 (the only interface) in the External zone, and the router is connected directly to the DSL line (no other computers in the LAN). So there are only legitimate users on one computer; they know how to change bookmarks, and they are pretty sure they didn't modify them.
I also extract here the iptables -L rules.
userA@computerA:~> sudo /usr/sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate RELATED
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain forward_ext (0 references)
target prot opt source destination
Chain input_ext (1 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcpflags: FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP all -- anywhere anywhere
Chain reject_func (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
It is not possible that the modification of the Firefox bookmarks was done by us, and it is not so easy to do by error, because the bookmarks were modified specifically in a tree of folders, deleting two URL markers and adding two others.
I know from the language and the context of the new URL that the "intruder" is of my nationality.
The problem is that the legitimate users of the computer just deleted both fake URLs and added the original ones. After that, they just continued using the computer normally. That day, none of those URL webpages were under attack (like DNS or something like that, and maybe the auto-refresh, I don't know if it exists, of Firefox just updated both of them at the moment of the attack on the webpages). Also, they didn't say anything about a possible attack in the days after that. And because it is in the bookmarks of Firefox (something that is locally stored) I thought it was a direct and specific attack on computer A and its users.
Question A: Was my supposition correct? Or is there still any possibility of it being a general attack? I dismiss any possibility of a popular worm/virus because the modification of the markers was really specific and in a national context.
Question B: What is the best procedure to analyze the source of the attack and how to protect against it? How to know what things have been modified? I think it is weird that the intruder shows himself by modifying something in the system (like markers in Firefox), so he/she wants to be known, like a threat.
I have installed and started the ClamAV antivirus. I can show so far that there are:
Windows and Data NTFS partitions (Windows not really used, Data used from Linux):
- hundreds of Heuristics.Encrypted.ZIP (or PDF, RAR), Heuristics.Broken.Executable
- file .htm with Exploit.HTML.MHTRedir.4n
- file .pdf with Exploit.PDF-1745
- file .rar with Trojan.W32.HotKeysHook.A
- 5 files .js with Worm.JS.Redlof.A
Linux (normally used):
- /boot/vmlinux-3.1.10-1.16-desktop.gz Heuristics.Broken.Executable
- /home/userA/Applications/jDownloaders/JDownlaoder/libs/jna.jar Heuristics.Broken.Executable
- /home/userA/.jd/libs/jna.jar Heuristics.Broken.Executable
- /home/userA/.thunderbird/ct5dfrhd.default/training.dat Heuristics.Broken.Executable
- /lib/firmware/vxge/X3fw.ncf Heuristics.Encrypted.Zip
- /lib/firmware/vxge/X3fw-pxe.ncf Heuristics.Encrypted.Zip
At the time the detection was notified, Windows hadn't been used in the days before. Therefore, Linux was the O.S. at the time of the intrusion. So it is really difficult (or pretty sure not the case) that the files with the Exploits, Trojan and Worm were executed in the days before, because they are really weird files, maybe used some months or years ago, not in the last weeks, and for sure not from Linux.
Now I have access to the main computer A, where the "intrusion" was done two and a half weeks ago, but I really don't know what to do and how to proceed. At least I have installed ClamAV and I have shown the results above.
The problem is that I came with computer B with Arch Linux, and I needed internet to start checking how to deal with all this. The problem is that after activating eth0 and running the DHCP client to get the IP, I got the connection, and just after that I saw really weird behaviour. Suddenly, the computer froze a little, well, not really froze, but was slow for some moments, and when I checked in the terminal what happened, my prompt was modified.
Before it was:
ussr@localhost
now:
ussr@unknown002454062846
That set off my alarms, so I quickly disconnected the ethernet. Because I don't know how to proceed, and I'm really scared of the situation, I just post the "captures" below.
iptables of computer B (I followed the Arch Linux Simple Stateful Firewall... I think I got it correctly)
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
icmp -- anywhere anywhere icmp echo-request recent: SET name: ping_limiter side: source mask: 255.255.255.255
DROP icmp -- anywhere anywhere icmp echo-request recent: UPDATE seconds: 4 hit_count: 6 name: ping_limiter side: source mask: 255.255.255.255
ACCEPT icmp -- anywhere anywhere icmp echo-request
REJECT tcp -- anywhere anywhere recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
REJECT udp -- anywhere anywhere recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain TCP (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain UDP (1 references)
target prot opt source destination
REJECT udp -- anywhere anywhere recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere udp dpt:domain
ls /var/log
[ussr@unknown002454062846 log]$ ls
auth.log btmp crond.log.3 daemon.log.3 errors.log.3 everything.log.4 kernel.log messages.log pacman.log syslog.log.3 user.log.4
auth.log.1 btmp.1 crond.log.4 daemon.log.4 errors.log.4 faillog kernel.log.1 messages.log.1 pm-powersave.log syslog.log.4 wtmp
auth.log.2 ConsoleKit cups dmesg.log everything.log httpd kernel.log.2 messages.log.2 speech-dispatcher user.log wtmp.1
auth.log.3 crond.log daemon.log errors.log everything.log.1 journal kernel.log.3 messages.log.3 syslog.log user.log.1 Xorg.0.log
auth.log.4 crond.log.1 daemon.log.1 errors.log.1 everything.log.2 kdm.log kernel.log.4 messages.log.4 syslog.log.1 user.log.2 Xorg.0.log.old
boot crond.log.2 daemon.log.2 errors.log.2 everything.log.3 kdm.log.1 lastlog old syslog.log.2 user.log.3 Xorg.1.log
sudo cat /var/log/auth.log
Mar 12 21:47:06 localhost polkitd[463]: Registered Authentication Agent for unix-session:1 (system bus name :1.19 [/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 12 21:56:16 localhost sudo: ussr : TTY=pts/2 ; PWD=/home/ussr ; USER=root ; COMMAND=/sbin/ifconfig eth0 up
Mar 12 21:56:16 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 21:56:16 localhost sudo: pam_unix(sudo:session): session closed for user root
Mar 12 21:58:03 localhost sudo: ussr : TTY=pts/2 ; PWD=/home/ussr ; USER=root ; COMMAND=/usr/sbin/dhcpcd
Mar 12 21:58:03 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 21:58:10 localhost sudo: pam_unix(sudo:session): session closed for user root
Mar 12 22:01:01 localhost crond[1185]: pam_unix(crond:session): session opened for user root by (uid=0)
Mar 12 22:01:01 localhost CROND[1185]: pam_unix(crond:session): session closed for user root
Mar 12 22:01:19 localhost systemd-logind[341]: New session 3 of user ussr.
Mar 12 22:01:16 localhost polkitd[463]: Unregistered Authentication Agent for unix-session:1 (system bus name :1.19, object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 12 22:01:17 localhost kdm: :0[371]: pam_unix(kde:session): session closed for user ussr
Mar 12 22:01:19 localhost kdm: :0[1252]: pam_unix(kde:session): session opened for user ussr by (uid=0)
Mar 12 22:01:31 localhost polkitd[463]: Registered Authentication Agent for unix-session:3 (system bus name :1.45 [/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 12 22:02:41 localhost sudo: ussr : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/cat auth.log
Mar 12 22:02:41 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 22:02:41 localhost sudo: pam_unix(sudo:session): session closed for user root
Mar 12 22:05:08 localhost sudo: ussr : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/cat crond.log
Mar 12 22:05:08 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 22:05:09 localhost sudo: pam_unix(sudo:session): session closed for user root
Mar 12 22:06:08 localhost sudo: ussr : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/cat messages.log
Mar 12 22:06:08 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 22:06:09 localhost sudo: pam_unix(sudo:session): session closed for user root
sudo cat /var/log/crond.log
Mar 12 21:19:12 localhost crond[343]: (CRON) INFO (Syslog will be used instead of sendmail.)
Mar 12 21:19:12 localhost crond[343]: (CRON) INFO (running with inotify support)
Mar 12 21:46:15 localhost crond[339]: (CRON) INFO (Syslog will be used instead of sendmail.)
Mar 12 21:46:15 localhost crond[339]: (CRON) INFO (running with inotify support)
Mar 12 22:01:01 localhost CROND[1186]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 22:01:01 localhost anacron[1192]: Anacron started on 2013-03-12
Mar 12 22:01:01 localhost anacron[1192]: Normal exit (0 jobs run)
Mar 12 23:01:01 localhost CROND[1847]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 23:01:01 localhost anacron[1853]: Anacron started on 2013-03-12
Mar 12 23:01:01 localhost anacron[1853]: Normal exit (0 jobs run)
sudo cat /var/log/everything.log [more info maybe]
Mar 12 21:46:46 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 21:46:46 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:46 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:46:55 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:43 localhost kernel: [ 282.346749] usb 4-1: USB disconnect, device number 2
Mar 12 21:50:44 localhost kernel: [ 283.346743] usb 1-1: USB disconnect, device number 2
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost kernel: [ 284.773394] Monitor-Mwait will be used to enter C-3 state
Mar 12 21:50:46 localhost kernel: [ 285.600790] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=600
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:51:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:03 localhost kernel: [ 361.720026] usb 4-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:52:03 localhost kernel: [ 362.021197] input: USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb4/4-1/4-1:1.0/input/input15
Mar 12 21:52:03 localhost kernel: [ 362.021535] hid-generic 0003:05AF:0802.0004: input,hidraw0: USB HID v1.10 Keyboard [ USB Keyboard] on usb-0000:00:1d.0-1/input0
Mar 12 21:52:03 localhost kernel: [ 362.113907] input: USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb4/4-1/4-1:1.1/input/input16
Mar 12 21:52:03 localhost kernel: [ 362.114113] hid-generic 0003:05AF:0802.0005: input,hidraw1: USB HID v1.10 Device [ USB Keyboard] on usb-0000:00:1d.0-1/input1
Mar 12 21:52:03 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:03 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:04 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:52:04 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:04 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost kernel: [ 455.631890] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=0
Mar 12 21:54:15 localhost kernel: [ 494.630014] usb 1-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:54:16 localhost kernel: [ 494.819169] input: Logitech USB Optical Mouse as /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1:1.0/input/input17
Mar 12 21:54:16 localhost kernel: [ 494.819483] hid-generic 0003:046D:C05B.0006: input,hidraw2: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:1a.0-1/input0
Mar 12 21:56:16 localhost kernel: [ 615.359568] sky2 0000:06:00.0 eth0: enabling interface
Mar 12 21:56:16 localhost kernel: [ 615.359925] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Mar 12 21:56:18 localhost kernel: [ 617.200722] sky2 0000:06:00.0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:56:18 localhost kernel: [ 617.200761] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Mar 12 21:57:01 localhost kernel: [ 659.837395] sky2 0000:06:00.0 eth0: Link is down
Mar 12 21:57:03 localhost kernel: [ 662.485483] sky2 0000:06:00.0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:58:03 localhost dhcpcd[1072]: version 5.6.4 starting
Mar 12 21:58:03 localhost kernel: [ 722.424132] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: broadcasting for a lease
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier acquired
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier lost
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: offered 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: acknowledged 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: checking for 192.168.1.35
Mar 12 21:58:07 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:10 localhost dhcpcd[1072]: eth0: leased 192.168.1.35 for 43200 seconds
Mar 12 21:58:10 localhost dhcpcd[1072]: forked to background, child pid 1119
Mar 12 21:58:11 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: no IPv6 Routers available
Mar 12 21:59:33 localhost kernel: [ 812.425190] konsole[1156]: segfault at 84 ip b73128d4 sp bf9e00c0 error 4 in libkdeui.so.5.10.0[b6fcb000+42b000]
Mar 12 21:59:33 localhost systemd-coredump[1158]: Process 1156 (konsole) dumped core.
Mar 12 21:59:47 localhost kernel: [ 826.338582] konsole[1164]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 21:59:48 localhost systemd-coredump[1165]: Process 1164 (konsole) dumped core.
Mar 12 22:00:32 localhost kernel: [ 870.727165] konsole[1174]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 22:00:32 localhost systemd-coredump[1175]: Process 1174 (konsole) dumped core.
Mar 12 22:01:01 localhost systemd[1]: Starting Cleanup of Temporary Directories...
Mar 12 22:01:01 localhost CROND[1186]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 22:01:01 localhost anacron[1192]: Anacron started on 2013-03-12
Mar 12 22:01:01 localhost anacron[1192]: Normal exit (0 jobs run)
Mar 12 22:01:01 localhost systemd[1]: Started Cleanup of Temporary Directories.
Mar 12 22:01:04 localhost kernel: [ 902.743018] konsole[1196]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 22:01:04 localhost systemd-coredump[1197]: Process 1196 (konsole) dumped core.
Mar 12 22:01:21 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:21 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 22:01:21 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:22 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:22 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:46 localhost dhcpcd[1119]: eth0: carrier lost
Mar 12 22:01:46 localhost kernel: [ 945.353892] sky2 0000:06:00.0 eth0: Link is down
ps aux
[ussr@unknown002454062846 ~]$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 5040 2772 ? Ss 21:46 0:00 /bin/systemd
root 2 0.0 0.0 0 0 ? S 21:46 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 21:46 0:01 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 21:46 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S< 21:46 0:00 [kworker/u:0H]
root 8 0.0 0.0 0 0 ? S 21:46 0:00 [migration/0]
root 9 0.0 0.0 0 0 ? S 21:46 0:01 [rcu_preempt]
root 10 0.0 0.0 0 0 ? S 21:46 0:00 [rcu_bh]
root 11 0.0 0.0 0 0 ? S 21:46 0:00 [rcu_sched]
root 12 0.0 0.0 0 0 ? S 21:46 0:00 [watchdog/0]
root 13 0.0 0.0 0 0 ? S 21:46 0:00 [watchdog/1]
root 14 0.0 0.0 0 0 ? S 21:46 0:01 [ksoftirqd/1]
root 15 0.0 0.0 0 0 ? S 21:46 0:00 [migration/1]
root 17 0.0 0.0 0 0 ? S< 21:46 0:00 [kworker/1:0H]
root 18 0.0 0.0 0 0 ? S< 21:46 0:00 [cpuset]
root 19 0.0 0.0 0 0 ? S< 21:46 0:00 [khelper]
root 20 0.0 0.0 0 0 ? S 21:46 0:00 [kdevtmpfs]
root 21 0.0 0.0 0 0 ? S< 21:46 0:00 [netns]
root 22 0.0 0.0 0 0 ? S 21:46 0:00 [bdi-default]
root 23 0.0 0.0 0 0 ? S< 21:46 0:00 [kblockd]
root 26 0.0 0.0 0 0 ? S 21:46 0:00 [khungtaskd]
root 27 0.0 0.0 0 0 ? S 21:46 0:00 [kswapd0]
root 28 0.0 0.0 0 0 ? SN 21:46 0:00 [ksmd]
root 29 0.0 0.0 0 0 ? SN 21:46 0:00 [khugepaged]
root 30 0.0 0.0 0 0 ? S 21:46 0:00 [fsnotify_mark]
root 31 0.0 0.0 0 0 ? S< 21:46 0:00 [crypto]
root 35 0.0 0.0 0 0 ? S< 21:46 0:00 [kthrotld]
root 37 0.0 0.0 0 0 ? S< 21:46 0:00 [deferwq]
root 82 0.0 0.0 0 0 ? S 21:46 0:00 [khubd]
root 83 0.0 0.0 0 0 ? S< 21:46 0:00 [ata_sff]
root 84 0.0 0.0 0 0 ? S 21:46 0:00 [scsi_eh_0]
root 85 0.0 0.0 0 0 ? S 21:46 0:00 [scsi_eh_1]
root 86 0.0 0.0 0 0 ? S 21:46 0:00 [scsi_eh_2]
root 87 0.0 0.0 0 0 ? S 21:46 0:00 [scsi_eh_3]
root 88 0.0 0.0 0 0 ? S 21:46 0:00 [scsi_eh_4]
root 89 0.0 0.0 0 0 ? S 21:46 0:00 [scsi_eh_5]
root 92 0.0 0.0 0 0 ? S 21:46 0:00 [kworker/u:4]
root 97 0.0 0.0 0 0 ? S< 21:46 0:00 [kworker/1:1H]
root 98 0.0 0.0 0 0 ? S< 21:46 0:00 [kworker/0:1H]
root 106 0.0 0.0 0 0 ? S 21:46 0:00 [jbd2/sda5-8]
root 107 0.0 0.0 0 0 ? S< 21:46 0:00 [ext4-dio-unwrit]
root 124 0.0 0.0 11032 1904 ? Ss 21:46 0:00 /usr/lib/systemd/systemd-udevd
root 134 0.9 0.8 118768 26528 ? Ss 21:46 1:04 /usr/lib/systemd/systemd-journald
root 145 0.0 0.0 0 0 ? S< 21:46 0:00 [iprt]
root 229 0.0 0.0 0 0 ? S< 21:46 0:00 [led_workqueue]
root 230 0.0 0.0 0 0 ? S< 21:46 0:00 [kpsmoused]
root 240 0.0 0.0 0 0 ? S< 21:46 0:00 [cfg80211]
root 242 0.0 0.0 0 0 ? S< 21:46 0:00 [ttm_swap]
root 304 0.0 0.0 0 0 ? S< 21:46 0:00 [hd-audio0]
root 327 0.0 0.0 0 0 ? S< 21:46 0:00 [hd-audio1]
root 331 0.0 0.0 4924 996 ? Ss 21:46 0:00 /usr/bin/mount.ntfs-3g /dev/sda4 /media/Datos -o rw,relatime
root 337 0.0 0.1 7608 3252 ? Ss 21:46 0:00 /usr/sbin/syslog-ng -F
root 339 0.0 0.0 4800 1280 ? Ss 21:46 0:00 /usr/sbin/crond -n
dbus 340 0.0 0.0 3384 1800 ? Ss 21:46 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 341 0.0 0.0 3336 1568 ? Ss 21:46 0:00 /usr/lib/systemd/systemd-logind
root 347 0.0 0.0 3812 744 tty1 Ss+ 21:46 0:00 /sbin/agetty --noclear tty1 38400 linux
root 348 0.0 0.0 3968 1040 ? Ss 21:46 0:00 /usr/bin/kdm -nodaemon
root 455 0.0 0.2 29692 8296 ? Ssl 21:46 0:01 /usr/lib/upower/upowerd
polkitd 463 0.0 0.3 61912 11272 ? Ssl 21:46 0:00 /usr/lib/polkit-1/polkitd --no-debug
root 500 0.0 0.1 43028 4060 ? Ssl 21:46 0:01 /usr/lib/udisks2/udisksd --no-debug
root 1119 0.0 0.0 2420 348 ? Ss 21:58 0:00 dhcpcd
root 1248 0.4 1.1 86772 34320 tty7 Ssl+ 22:01 0:27 /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-WnL9Aa
root 1252 0.0 0.0 5468 2316 ? S 22:01 0:00 -:0
ussr 1267 0.0 0.0 5196 1624 ? Ss 22:01 0:00 /bin/sh /usr/bin/startkde
ussr 1278 0.0 0.0 3624 592 ? S 22:01 0:00 /usr/bin/dbus-launch --sh-syntax --exit-with-session
ussr 1279 0.0 0.0 4300 1848 ? Ss 22:01 0:01 /usr/bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
ussr 1305 0.0 0.0 4736 384 ? Ss 22:01 0:00 /usr/bin/gpg-agent -s --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file
ussr 1308 0.0 0.0 4216 424 ? Ss 22:01 0:00 /usr/bin/ssh-agent -s
root 1323 0.0 0.0 2032 56 ? S 22:01 0:00 /usr/lib/kde4/libexec/start_kdeinit +kcminit_startup
ussr 1324 0.0 0.5 129264 16476 ? Ss 22:01 0:00 kdeinit4: kdeinit4 Running...
ussr 1325 0.0 0.3 131292 11184 ? S 22:01 0:00 kdeinit4: klauncher [kdeinit] --fd=9
ussr 1327 0.0 1.0 215392 30976 ? Sl 22:01 0:01 kdeinit4: kded4 [kdeinit]
ussr 1334 0.0 0.6 146508 18616 ? S 22:01 0:00 kdeinit4: kglobalaccel [kdeinit]
ussr 1338 0.0 0.5 162384 17088 ? Sl 22:01 0:00 /usr/bin/kactivitymanagerd
ussr 1346 0.0 0.0 2168 284 ? S 22:01 0:00 kwrapper4 ksmserver
ussr 1347 0.0 0.6 155184 18500 ? Sl 22:01 0:00 kdeinit4: ksmserver [kdeinit]
ussr 1353 0.3 2.7 481808 83556 ? Sl 22:01 0:19 kwin -session 1014cd7d2d4000134981367400000006900000_1363122074_66050
ussr 1363 0.0 0.8 148664 26072 ? Sl 22:01 0:00 /usr/bin/knotify4
ussr 1367 0.4 4.5 466704 139528 ? Sl 22:01 0:27 kdeinit4: plasma-desktop [kdeinit]
ussr 1373 0.0 0.4 86180 15092 ? S 22:01 0:00 /usr/bin/kuiserver
ussr 1379 0.0 0.1 45584 5780 ? Sl 22:01 0:00 /usr/bin/akonadi_control
ussr 1381 0.0 0.3 204676 10096 ? Sl 22:01 0:00 akonadiserver
ussr 1384 0.0 1.2 241804 38312 ? Sl 22:01 0:01 /usr/bin/mysqld --defaults-file=/home/ussr/.local/share/akonadi/mysql.conf --datadir=/home/ussr/.local/
ussr 1418 0.0 0.5 85804 16604 ? Sl 22:01 0:00 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resource_0
ussr 1419 0.0 0.9 158040 29748 ? S 22:01 0:00 /usr/bin/akonadi_archivemail_agent --identifier akonadi_archivemail_agent
ussr 1420 0.0 0.5 86000 16680 ? Sl 22:01 0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_0
ussr 1421 0.0 0.5 85940 16876 ? Sl 22:01 0:00 /usr/bin/akonadi_agent_launcher akonadi_maildir_resource akonadi_maildir_resource_0
ussr 1422 0.0 0.6 94976 19712 ? S 22:01 0:00 /usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
ussr 1423 0.0 0.9 158060 30048 ? S 22:01 0:00 /usr/bin/akonadi_mailfilter_agent --identifier akonadi_mailfilter_agent
ussr 1424 0.0 0.6 99780 18892 ? Sl 22:01 0:00 /usr/bin/akonadi_nepomuk_feeder --identifier akonadi_nepomuk_feeder
ussr 1446 0.0 0.3 129528 9488 ? S 22:01 0:00 kdeinit4: kio_http_cache_cleaner [kdeinit]
ussr 1456 0.0 0.3 73352 9880 ? Sl 22:01 0:00 /usr/bin/nepomukserver
ussr 1461 0.2 2.3 231052 71768 ? SNl 22:01 0:12 /usr/bin/nepomukservicestub nepomukstorage
ussr 1471 0.6 1.4 57668 44308 ? SNl 22:01 0:35 /usr/bin/virtuoso-t +foreground +configfile /tmp/virtuoso_ZT1461.ini +wait
ussr 1481 0.0 1.2 272872 37436 ? Sl 22:01 0:00 kdeinit4: krunner [kdeinit]
ussr 1484 0.0 0.7 241356 24124 ? Sl 22:01 0:00 kdeinit4: kmix [kdeinit] -session 1014cd7d2d400013498136850000
ussr 1488 0.0 0.4 87280 14960 ? S 22:01 0:00 /usr/bin/nepomukcontroller -session 1014cd7d2d4000134981368500000006900010_1363122074_36315
ussr 1490 0.0 0.7 111408 23264 ? Sl 22:01 0:04 yakuake -session 1014cd7d2d4000135280595900000005570044_1363122074_36424
ussr 1495 0.0 0.0 5360 2060 pts/0 Ss+ 22:01 0:00 /bin/bash
ussr 1503 0.0 0.5 97452 16812 ? Sl 22:01 0:00 /usr/lib/kde4/libexec/polkit-kde-authentication-agent-1
ussr 1504 0.0 0.5 105388 17392 ? S 22:01 0:00 /usr/bin/korgac --icon korgac
ussr 1516 0.0 0.5 145452 17504 ? S 22:01 0:00 kdeinit4: klipper [kdeinit]
ussr 1561 0.2 0.9 164820 27976 ? Rl 22:01 0:12 kdeinit4: konsole [kdeinit]
ussr 1563 0.0 0.0 5356 2112 pts/2 Ss 22:01 0:00 /bin/bash
ussr 1565 0.0 0.6 109208 19384 ? SNl 22:01 0:00 /usr/bin/nepomukservicestub nepomukfilewatch
ussr 1569 0.1 1.2 123320 37384 ? SNl 22:01 0:08 /usr/bin/nepomukservicestub nepomukfileindexer
root 1825 0.0 0.0 0 0 ? S 22:06 0:01 [kworker/1:1]
root 1837 0.0 0.0 0 0 ? S 22:21 0:00 [flush-8:0]
root 1859 0.0 0.0 0 0 ? S 23:10 0:00 [kworker/0:1]
root 1872 0.0 0.0 0 0 ? S 23:10 0:00 [scsi_eh_6]
root 1873 0.0 0.0 0 0 ? S 23:10 0:00 [usb-storage]
root 1876 0.0 0.0 0 0 ? S 23:10 0:00 [kworker/1:0]
root 1877 0.0 0.0 0 0 ? S 23:10 0:00 [kworker/u:0]
ussr 1919 0.0 0.0 35080 2892 ? Sl 23:11 0:00 /usr/lib/at-spi2-core/at-spi-bus-launcher
ussr 1974 0.0 0.0 3020 1356 ? S 23:12 0:00 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
ussr 1977 0.0 0.1 17320 3152 ? Sl 23:12 0:00 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
ussr 1980 0.0 0.0 8084 1968 ? S 23:12 0:00 /usr/lib/GConf/gconfd-2
root 2036 0.0 0.0 0 0 ? S 23:21 0:00 [kworker/0:0]
root 2044 0.0 0.0 0 0 ? S 23:31 0:00 [kworker/0:2]
root 2047 0.0 0.0 0 0 ? S 23:34 0:00 [flush-8:16]
ussr 2079 0.0 0.0 4676 1208 pts/2 R+ 23:36 0:00 ps aux
I have checked .bashrc and the prompt is still:
PS1='[\u@\h \W]\$ '
And \h means hostname... And if I check /etc/hosts:
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
So, something is wrong.
I don't know how to proceed, neither on computer A nor on computer B.
Question C: Is it possible to have any mechanism to know every file that is modified, added or deleted on the whole system? Something like a log, but for every file? I think it is the only way to know what is going on.
Any help? Please, I'm so lost in this area.
Computer A: This is not an Arch machine, so please do not dwell on it in these forums. What services are you running? sshd, telnet? ftp? Are the login attempts in the logs legitimate, or were they at a time when you were not attempting to log in?
Is your router wireless? Is it locked down? It could provide a way around the firewall in the router. Are you forwarding ports on the router? Which ones, and where to?
Are you certain that malware running in the browser did not change things? No chance that your users were phished? Java exploits?
Computer B: That really looks like it is just a host name configuration problem.
Question C: Tripwire
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
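Tripwire, suggested above for Question C, works by hashing every file and comparing later scans against a stored baseline. The following is an added example of that idea, written for this thread; it is not Tripwire's code and not from any poster, and every path and function name in it is hypothetical. It builds a baseline of SHA-256, size and mode for a directory tree, then reports what was added, deleted or modified on a later scan (the demo constructs a throw-away tree and changes it to show all three cases).

```python
"""File-integrity baseline and diff, in the spirit of Tripwire/AIDE.

Added example for "Question C" in the thread; not Tripwire's code and not from
any poster. All names and paths here are hypothetical."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record content hash, size and mode for every regular file under root.

    Symlinks are recorded by target rather than followed, so a re-pointed link
    shows up as a modification. Paths are stored relative to root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                baseline[rel] = {"type": "symlink", "target": os.readlink(full)}
            elif stat.S_ISREG(st.st_mode):
                baseline[rel] = {
                    "type": "file",
                    "sha256": sha256_of(full),
                    "size": st.st_size,
                    "mode": stat.S_IMODE(st.st_mode),
                }
    return baseline


def compare(old, new):
    """Return the added, deleted and modified paths between two baselines."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "deleted": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a small tree, change it, report the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "etc/motd", "welcome\n")
        _write(root, "bookmarks.html", "<a href='https://example.org'>old</a>\n")
        db = os.path.join(store, "baseline.json")  # keep this off the monitored box
        save_baseline(build_baseline(root), db)

        _write(root, "bookmarks.html", "<a href='https://example.org'>changed</a>\n")  # content change
        os.chmod(os.path.join(root, "etc/hosts"), 0o755)   # mode-only change
        _write(root, "etc/rc.local", "#!/bin/sh\n")        # new file
        os.remove(os.path.join(root, "etc/motd"))          # removed file
        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats a practitioner would want: the baseline only has value if the host being checked cannot rewrite it (store it read-only or off the machine; Tripwire signs its database for the same reason), and a scan-and-compare tool only sees changes between runs, so for a per-event record of every file touched, which is what Question C literally asks for, inotify or the kernel audit subsystem (auditd) is the closer fit, with a hash baseline as the tamper check on top.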
So, firefox bookmarks have been added, and your DHCP needs more setup.
It would have to be a pretty stupid hacker, to change your hostname and bring such attention. Far more likely to be your mis-configuration.
Java, and Flash, are being heavily exploited - they might be responsible for the bookmarks, if it's not user error. But that's within firefox, so no evidence of breaking firefox's sandbox, or Linux security.
Some tips for the future:
1. Don't show us "iptables -L" - "iptables-save" is easier to read.
2. Install e.g. AppArmor (which is what I use and recommend). I had a good laugh at acroread creating a user file, which had its attempted write blocked, showing in my log:
apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox/firefox" name="/home/myusername/C:\nppdf32Log\debuglog.txt"
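The AppArmor line quoted above is the kind of record a defender wants to triage in bulk: which confined program was refused what, and how often. The following is an added example written for this thread (not the poster's code and not part of AppArmor) that parses the key="value" fields of such messages and summarises the DENIED events per profile. The first sample line copies the denial quoted above with a constructed syslog prefix; the other sample lines are constructed for illustration. The field names used (apparmor, operation, profile, name, comm, denied_mask) are the ones AppArmor audit messages carry.

```python
"""Triage of AppArmor audit messages: added example, not from any poster.

Parses key="value" fields out of kernel audit lines and reports the DENIED
events per profile. Sample lines are constructed except where noted."""
import re
from collections import Counter

SAMPLE_LOG = [
    # The denial quoted in the post above (syslog prefix and pid constructed).
    r'Mar 13 09:12:01 host kernel: [1234.5678] type=1400 audit(1363165921.123:45): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox/firefox" name="/home/myusername/C:\nppdf32Log\debuglog.txt" pid=8569 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    # Constructed: a profile load is a STATUS message, not a denial.
    r'Mar 13 09:12:05 host kernel: [1238.0001] type=1400 audit(1363165925.001:46): apparmor="STATUS" operation="profile_load" name="/usr/sbin/cupsd" pid=900 comm="apparmor_parser"',
    # Constructed: a second denial under the same profile.
    r'Mar 13 09:13:40 host kernel: [1333.4242] type=1400 audit(1363166020.424:47): apparmor="DENIED" operation="exec" parent=8569 profile="/usr/lib/firefox/firefox" name="/usr/bin/vlc" pid=10200 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    # Constructed: unrelated syslog noise the parser must ignore.
    "Mar 13 09:15:01 host cron[3923]: (root) CMD (run-parts /etc/cron.hourly)",
]

# key=value pairs; a value is either double-quoted (it may contain spaces or
# backslashes, as the Windows-style path above shows) or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the fields of an AppArmor message as a dict, or None for other lines."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    if "apparmor" not in fields:
        return None
    return fields


def denials(lines):
    """List every DENIED event with the fields a reviewer looks at first."""
    out = []
    for line in lines:
        fields = parse_line(line)
        if fields and fields.get("apparmor") == "DENIED":
            out.append({
                "profile": fields.get("profile"),
                "operation": fields.get("operation"),
                "name": fields.get("name"),
                "comm": fields.get("comm"),
                "denied_mask": fields.get("denied_mask"),
            })
    return out


def denials_per_profile(lines):
    """Count denials per confined profile; a sudden spike for one profile is worth a look."""
    return Counter(event["profile"] for event in denials(lines))


if __name__ == "__main__":
    for event in denials(SAMPLE_LOG):
        print(f'{event["profile"]}: {event["operation"]} ({event["denied_mask"]}) on {event["name"]}')
    print(dict(denials_per_profile(SAMPLE_LOG)))
```

On a real system the input would be the lines from /var/log/audit/audit.log or the kernel ring buffer rather than the embedded sample; the parser deliberately keeps unknown fields so that extra keys in newer AppArmor versions do not break it.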
Ok, thank you for the answers.
Because I don't know which computer you are asking about regarding the services, I'll write for both.
Computer A
uname -r
3.1.10-1.16-desktop
Processes (ps -Al)
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 5408 2536 ? Ss Mar12 0:02 /sbin/init showopts
root 2 0.0 0.0 0 0 ? S Mar12 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S Mar12 0:00 [ksoftirqd/0]
root 6 0.0 0.0 0 0 ? S Mar12 0:00 [migration/0]
root 7 0.0 0.0 0 0 ? SN Mar12 0:16 [rcuc0]
root 8 0.0 0.0 0 0 ? S Mar12 0:00 [rcun0]
root 9 0.0 0.0 0 0 ? S Mar12 0:00 [rcub0]
root 10 0.0 0.0 0 0 ? S Mar12 0:00 [rcun1]
root 11 0.0 0.0 0 0 ? S Mar12 0:00 [rcub1]
root 12 0.0 0.0 0 0 ? S Mar12 0:00 [watchdog/0]
root 13 0.0 0.0 0 0 ? S Mar12 0:00 [migration/1]
root 15 0.0 0.0 0 0 ? SN Mar12 0:14 [rcuc1]
root 16 0.0 0.0 0 0 ? S Mar12 0:00 [ksoftirqd/1]
root 18 0.0 0.0 0 0 ? S Mar12 0:00 [watchdog/1]
root 19 0.0 0.0 0 0 ? S Mar12 0:00 [migration/2]
root 21 0.0 0.0 0 0 ? SN Mar12 0:12 [rcuc2]
root 22 0.0 0.0 0 0 ? S Mar12 0:00 [ksoftirqd/2]
root 23 0.0 0.0 0 0 ? S Mar12 0:00 [watchdog/2]
root 24 0.0 0.0 0 0 ? S Mar12 0:00 [migration/3]
root 26 0.0 0.0 0 0 ? SN Mar12 0:09 [rcuc3]
root 27 0.0 0.0 0 0 ? S Mar12 0:04 [ksoftirqd/3]
root 28 0.0 0.0 0 0 ? S Mar12 0:00 [watchdog/3]
root 29 0.0 0.0 0 0 ? S< Mar12 0:00 [cpuset]
root 30 0.0 0.0 0 0 ? S< Mar12 0:00 [khelper]
root 31 0.0 0.0 0 0 ? S Mar12 0:00 [kdevtmpfs]
root 32 0.0 0.0 0 0 ? S< Mar12 0:00 [netns]
root 33 0.0 0.0 0 0 ? S Mar12 0:00 [sync_supers]
root 34 0.0 0.0 0 0 ? S Mar12 0:00 [bdi-default]
root 35 0.0 0.0 0 0 ? S< Mar12 0:00 [kintegrityd]
root 36 0.0 0.0 0 0 ? S< Mar12 0:00 [kblockd]
root 37 0.0 0.0 0 0 ? S< Mar12 0:00 [ata_sff]
root 38 0.0 0.0 0 0 ? S Mar12 0:00 [khubd]
root 39 0.0 0.0 0 0 ? S< Mar12 0:00 [md]
root 41 0.0 0.0 0 0 ? S Mar12 0:00 [khungtaskd]
root 42 0.3 0.0 0 0 ? S Mar12 3:02 [kswapd0]
root 43 0.0 0.0 0 0 ? SN Mar12 0:00 [ksmd]
root 44 0.0 0.0 0 0 ? SN Mar12 0:02 [khugepaged]
root 45 0.0 0.0 0 0 ? S Mar12 0:00 [fsnotify_mark]
root 46 0.0 0.0 0 0 ? S< Mar12 0:00 [crypto]
root 50 0.0 0.0 0 0 ? S< Mar12 0:00 [kthrotld]
root 85 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_0]
root 86 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_1]
root 87 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_2]
root 88 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_3]
root 92 0.0 0.0 0 0 ? S Mar12 0:00 [kworker/u:3]
root 101 0.0 0.0 0 0 ? S< Mar12 0:00 [kpsmoused]
root 103 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_4]
root 104 0.0 0.0 0 0 ? S Mar12 0:03 [usb-storage]
root 106 0.0 0.0 0 0 ? S Mar12 0:00 [kworker/u:5]
root 141 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_5]
root 142 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_6]
root 143 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_7]
root 144 0.0 0.0 0 0 ? S Mar12 0:20 [usb-storage]
root 148 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_8]
root 149 0.0 0.0 0 0 ? S Mar12 0:00 [scsi_eh_9]
root 217 0.0 0.0 0 0 ? S< Mar12 0:00 [ttm_swap]
root 432 0.0 0.0 0 0 ? S Mar12 0:01 [jbd2/sda5-8]
root 433 0.0 0.0 0 0 ? S< Mar12 0:00 [ext4-dio-unwrit]
root 471 0.0 0.0 3236 348 ? Ss Mar12 0:00 /sbin/udevd
root 494 0.0 0.0 0 0 ? S Mar12 0:00 [kauditd]
root 495 0.0 0.0 2284 364 ? Ss Mar12 0:00 /lib/systemd/systemd-stdout-syslog-bridge
root 643 0.0 0.0 3148 256 ? S Mar12 0:00 /sbin/udevd
root 644 0.0 0.0 3148 244 ? S Mar12 0:00 /sbin/udevd
root 749 0.0 0.0 0 0 ? S< Mar12 0:00 [firewire]
root 782 0.0 0.0 0 0 ? S< Mar12 0:00 [hd-audio1]
root 824 0.0 0.0 0 0 ? S< Mar12 0:00 [hd-audio2]
root 881 0.8 0.0 12720 1580 ? Ss Mar12 7:49 /sbin/mount.ntfs-3g /dev/sdc1 /windows/datos -o rw,locale=es_ES.UTF-8
root 897 1.5 0.0 10540 2064 ? Ss Mar12 13:31 /sbin/mount.ntfs-3g /dev/sda3 /windows/othe -o rw,noexec,nosuid,nodev,users,gid=10
root 898 0.7 0.0 9780 1088 ? Ss Mar12 6:36 /sbin/mount.ntfs-3g /dev/sda4 /windows/caviarblue -o rw,locale=es_ES.UTF-8
root 903 0.0 0.0 0 0 ? S Mar12 0:12 [jbd2/sda6-8]
root 904 0.0 0.0 0 0 ? S< Mar12 0:00 [ext4-dio-unwrit]
root 963 0.0 0.0 3140 840 ? Ss Mar12 0:00 /lib/systemd/systemd-logind
root 988 0.0 0.0 40136 232 ? Sl Mar12 0:00 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
root 994 0.0 0.0 1920 276 ? Ss Mar12 0:00 /sbin/acpid
avahi 1010 0.0 0.0 2940 676 ? Ss Mar12 0:00 avahi-daemon: running [linux-7sgr.local]
root 1021 0.0 0.0 1908 248 ? Ss Mar12 0:00 /usr/sbin/nscd
102 1043 0.0 0.0 3540 1308 ? Ss Mar12 0:12 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
root 1058 0.0 0.0 6288 184 ? Ss Mar12 0:03 /sbin/haveged -w 1024 -v 1
root 1199 0.0 0.0 7888 780 ? Ss Mar12 0:00 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
root 1312 0.0 0.0 4124 308 ? Ss Mar12 0:00 /usr/bin/kdm
root 1427 5.6 1.1 65368 42660 tty7 Ss+ Mar12 50:26 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-Fx
root 1489 0.0 0.0 1908 268 tty1 Ss+ Mar12 0:00 /sbin/agetty tty1 38400
root 1703 0.0 0.0 5164 420 ? S Mar12 0:00 -:0
root 1727 0.0 0.0 33660 992 ? Ssl Mar12 0:00 /usr/sbin/console-kit-daemon --no-daemon
root 1801 0.0 0.0 25224 2300 ? Sl Mar12 0:01 /usr/lib/polkit-1/polkitd --no-debug
userA 1825 0.0 0.0 4624 292 ? Ss Mar12 0:00 /bin/sh /usr/bin/startkde
root 1992 0.0 0.0 5248 492 ? S Mar12 0:00 /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhcli
userA 1995 0.0 0.0 5464 1112 ? Ss Mar12 0:01 /usr/bin/gpg-agent --sh --daemon --write-env-file /home/userA/.gnupg/agent.info /et
userA 2115 0.0 0.0 3332 268 ? S Mar12 0:00 dbus-launch --sh-syntax --exit-with-session
userA 2116 0.0 0.0 4736 1612 ? Ss Mar12 0:02 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root 2123 0.0 0.0 1752 112 ? S Mar12 0:00 /usr/lib/kde4/libexec/start_kdeinit +kcminit_startup
userA 2133 0.0 0.0 92820 1976 ? Ss Mar12 0:00 kdeinit4: kdeinit4 Running...
userA 2143 0.0 0.0 96676 3636 ? S Mar12 0:00 kdeinit4: klauncher [kdeinit] --fd=9
userA 2213 0.0 0.1 216804 6720 ? Sl Mar12 0:06 kdeinit4: kded4 [kdeinit]
root 2533 0.0 0.0 2100 432 ? Ss Mar12 0:00 /sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook
userA 2553 0.0 0.0 111996 3512 ? S Mar12 0:01 kdeinit4: kglobalaccel [kdeinit]
root 2576 0.0 0.0 28016 1060 ? Sl Mar12 0:00 /usr/lib/upower/upowerd
userA 2601 0.0 0.0 1888 0 ? S Mar12 0:00 kwrapper4 ksmserver
userA 2605 0.0 0.0 119976 3448 ? Sl Mar12 0:01 kdeinit4: ksmserver [kdeinit]
root 2624 0.0 0.0 24100 1788 ? Sl Mar12 0:11 /usr/lib/udisks/udisks-daemon
root 2625 0.0 0.0 6308 160 ? S Mar12 0:00 udisks-daemon: not polling any devices
userA 2654 1.4 8.8 585524 339936 ? Sl Mar12 12:35 kwin -session 1014b108a5e8000134377289300000096170000_1363115313_870095
userA 2727 0.0 0.0 61432 2768 ? S Mar12 0:01 /usr/bin/kactivitymanagerd
userA 2804 0.0 0.1 266168 4040 ? Sl Mar12 0:02 /usr/bin/knotify4
userA 2836 0.2 0.7 350760 28952 ? Sl Mar12 2:09 kdeinit4: plasma-desktop [kdeinit]
userA 2978 0.0 0.0 61184 2696 ? S Mar12 0:01 /usr/bin/kuiserver
userA 3048 0.0 0.0 110224 2292 ? S Mar12 0:03 kdeinit4: kaccess [kdeinit]
userA 3055 0.0 0.0 104028 1480 ? Sl Mar12 0:00 kdeinit4: nepomukserver [kdeinit]
userA 3058 0.2 0.9 315204 35676 ? Sl Mar12 2:27 kdeinit4: krunner [kdeinit]
userA 3064 0.0 0.4 264532 15884 ? SNl Mar12 0:01 /usr/bin/nepomukservicestub nepomukstorage
userA 3080 0.0 0.3 49512 12752 ? SNl Mar12 0:10 /usr/bin/virtuoso-t +foreground +configfile /tmp/virtuoso_Ti3064.ini +wait
userA 3119 0.0 0.0 20364 1740 ? Sl Mar12 0:01 /usr/bin/akonadi_control
userA 3123 0.0 0.0 248556 1212 ? Sl Mar12 0:03 akonadiserver
userA 3130 0.0 0.2 253544 8312 ? Sl Mar12 0:19 /usr/sbin/mysqld --defaults-file=/home/userA/.local/share/akonadi//mysql.conf --dat
userA 3228 0.0 0.0 60248 2340 ? S Mar12 0:01 /usr/bin/nepomukcontroller -session 1014b108a5e8000134377292700000096170011_136311
userA 3231 0.0 0.2 272104 9184 ? Sl Mar12 0:02 kdeinit4: kmix [kdeinit] -session 1014b108a5e80001346397487000
userA 3241 0.0 0.1 115340 4092 ? S Mar12 0:01 /usr/bin/kget -session 1014b108a5e8000135447427400000059430038_1363115313_756240
userA 3274 0.0 0.0 67384 2356 ? SN Mar12 0:00 /usr/bin/nepomukservicestub nepomukbackupsync
userA 3275 0.0 0.0 120176 2140 ? SN Mar12 0:00 /usr/bin/nepomukservicestub digikamnepomukservice
userA 3276 0.0 0.1 90360 3996 ? SNl Mar12 0:02 /usr/bin/nepomukservicestub nepomukfilewatch
userA 3280 0.0 0.1 80288 5564 ? SN Mar12 0:00 /usr/bin/nepomukservicestub nepomukqueryservice
userA 3293 0.0 0.1 230116 6096 ? Sl Mar12 0:42 /usr/bin/pulseaudio --start --log-target=syslog
rtkit 3295 0.0 0.0 20824 364 ? SNl Mar12 0:01 /usr/lib/rtkit/rtkit-daemon
userA 3325 0.0 0.0 60340 2424 ? Sl Mar12 0:01 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resourc
userA 3326 0.0 0.0 60336 2536 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resourc
userA 3327 0.0 0.0 59940 2528 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3328 0.0 0.0 59996 2372 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3329 0.0 0.0 59996 2556 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3330 0.0 0.0 59976 2360 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3331 0.0 0.0 59940 2332 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3340 0.0 0.0 59976 2396 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3342 0.0 0.0 59976 2360 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3343 0.0 0.0 60000 2380 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3344 0.0 0.0 59940 2540 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3345 0.0 0.0 59940 2516 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA 3346 0.0 0.0 60588 2484 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_0
userA 3348 0.0 0.0 60600 2508 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_1
userA 3349 0.0 0.0 60604 2492 ? Sl Mar12 0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_2
userA 3354 0.0 0.0 60344 2472 ? Sl Mar12 0:01 /usr/bin/akonadi_agent_launcher akonadi_maildir_resource akonadi_maildir_resource_
userA 3357 0.0 0.0 69112 2848 ? S Mar12 0:01 /usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
userA 3366 0.0 0.0 64084 2884 ? S Mar12 0:01 /usr/bin/akonadi_nepomuk_calendar_feeder --identifier akonadi_nepomuk_calendar_fee
userA 3367 0.0 0.0 63388 2708 ? S Mar12 0:01 /usr/bin/akonadi_nepomuk_contact_feeder --identifier akonadi_nepomuk_contact_feede
userA 3368 0.0 0.0 107516 3424 ? S Mar12 0:01 /usr/bin/akonadi_nepomuk_email_feeder --identifier akonadi_nepomuk_email_feeder
userA 3471 0.0 0.0 70708 2140 ? Sl Mar12 0:00 /usr/lib/kde4/libexec/polkit-kde-authentication-agent-1
userA 3512 0.0 0.0 7536 752 ? S Mar12 0:00 /usr/lib/gvfs/gvfsd
userA 3516 0.0 0.0 34272 204 ? Ssl Mar12 0:00 /usr/lib/gvfs//gvfs-fuse-daemon /home/userA/.gvfs
root 3923 0.0 0.0 4668 408 ? Ss Mar12 0:00 /usr/sbin/cron -n
userA 4848 0.0 0.0 8032 1068 ? S Mar12 0:00 /usr/lib/GConf/2/gconfd-2
root 5490 0.0 0.0 0 0 ? S Mar12 0:08 [kworker/1:2]
root 6174 0.0 0.0 0 0 ? S 02:12 0:03 [kworker/2:3]
root 6331 0.0 0.0 0 0 ? S 03:30 0:00 [flush-8:0]
userA 8569 1.8 5.6 766616 217576 ? Sl 08:43 1:33 /usr/lib/firefox/firefox
userA 8601 0.0 0.4 64256 17276 ? S 08:43 0:00 /usr/lib/mozilla/kmozillahelper
userA 8693 9.0 0.5 127856 21652 ? Rl 08:50 6:58 kdeinit4: konsole [kdeinit]
userA 8701 0.0 0.0 5432 2436 pts/1 Ss 08:50 0:00 /bin/bash
root 8751 0.0 0.0 7968 2352 pts/1 S+ 08:54 0:00 sudo clamscan -r -l logclamav.log / --exclude-dir=/media/
root 8753 69.3 3.0 129096 117808 pts/1 R+ 08:54 50:19 clamscan -r -l logclamav.log / --exclude-dir=/media/
root 8823 0.0 0.0 0 0 ? S 09:17 0:01 [kworker/2:2]
root 8830 0.1 0.0 0 0 ? S 09:26 0:03 [kworker/3:0]
root 8852 0.5 0.0 0 0 ? S 09:34 0:10 [kworker/0:0]
root 8858 0.0 0.0 0 0 ? S 09:40 0:01 [kworker/2:0]
userA 8945 0.0 0.0 5432 2432 pts/2 Ss 09:51 0:00 /bin/bash
root 9174 0.1 0.0 0 0 ? S 09:53 0:01 [kworker/1:0]
root 9177 0.5 0.0 0 0 ? S 09:55 0:03 [kworker/0:3]
userA 9178 1.7 0.9 166588 36800 ? Sl 09:55 0:12 kdeinit4: kwrite [kdeinit]
root 9192 0.0 0.0 0 0 ? S 09:57 0:00 [kworker/3:1]
root 9227 0.0 0.0 0 0 ? S 10:00 0:00 [kworker/0:2]
root 9239 0.0 0.0 0 0 ? S 10:00 0:00 [flush-8:32]
userA 9280 0.3 0.0 5768 1700 ? SL 10:01 0:01 scdaemon --multi-server
userA 9301 8.3 1.0 205940 39936 ? Sl 10:01 0:31 /usr/bin/vlc /windows/datos/Música/Caro emerald - Deleted scenes from the cutting
root 9594 0.1 0.0 0 0 ? S 10:02 0:00 [kworker/3:2]
root 9947 0.0 0.0 0 0 ? S 10:05 0:00 [kworker/2:1]
userA 9987 0.0 0.1 102804 6520 ? Sl 10:05 0:00 kdeinit4: kio_trash [kdeinit] trash local:/tmp/ksocket-userA/kl
userA 9988 0.0 0.1 93424 5280 ? S 10:05 0:00 kdeinit4: kio_file [kdeinit] file local:/tmp/ksocket-userA/klau
userA 9997 0.0 0.1 93420 5280 ? S 10:05 0:00 kdeinit4: kio_file [kdeinit] file local:/tmp/ksocket-userA/klau
userA 9998 0.1 0.3 112416 14036 ? S 10:05 0:00 kdeinit4: kio_thumbnail [kdeinit] thumbnail local:/tmp/ksocket
root 10034 0.0 0.0 0 0 ? S 10:05 0:00 [kworker/0:1]
userA 10128 1.5 0.6 143964 23404 ? Sl 10:05 0:01 /usr/lib/firefox/plugin-container /usr/lib/browser-plugins/libflashplayer.so -greo
userA 10385 0.0 0.0 0 0 ? Z 10:07 0:00 [scdaemon] <defunct>
userA 10387 0.0 0.0 2620 864 pts/2 R+ 10:07 0:00 ps aux
I don't see any process above related to ftp, telnet, sshd (inactive below), etc. But above and below we can see dhcp6/dhcpcd/dhclient6 active.
Services (sudo /sbin/service --status-all)
redirecting to systemctl
SuSEfirewall2_init.service - LSB: SuSEfirewall2 phase 1
Loaded: loaded (/etc/init.d/SuSEfirewall2_init)
Active: active (exited) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 938 ExecStart=/etc/init.d/SuSEfirewall2_init start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/SuSEfirewall2_init.service
Checking the status of SuSEfirewall2 running
redirecting to systemctl
acpid.service - ACPI Event Daemon
Loaded: loaded (/lib/systemd/system/acpid.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 993 ExecStart=/sbin/acpid (code=exited, status=0/SUCCESS)
Main PID: 994 (acpid)
CGroup: name=systemd:/system/acpid.service
└ 994 /sbin/acpid
redirecting to systemctl
alsa-restore.service - Restore Sound Card State
Loaded: loaded (/lib/systemd/system/alsa-restore.service; static)
Active: inactive (dead) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
Process: 909 ExecStart=/usr/sbin/alsactl restore (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/alsa-restore.service
redirecting to systemctl
atd.service - LSB: Start AT batch job daemon
Loaded: loaded (/etc/init.d/atd)
Active: inactive (dead)
CGroup: name=systemd:/system/atd.service
redirecting to systemctl
autofs.service - LSB: automatic mounting of filesystems
Loaded: loaded (/etc/init.d/autofs)
Active: inactive (dead)
CGroup: name=systemd:/system/autofs.service
redirecting to systemctl
avahi-daemon.service - Avahi mDNS/DNS-SD Stack
Loaded: loaded (/lib/systemd/system/avahi-daemon.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Main PID: 1010 (avahi-daemon)
Status: "Server startup complete. Host name is linux-7sgr.local. Local service cookie is 198690539."
CGroup: name=systemd:/system/avahi-daemon.service
└ 1010 avahi-daemon: running [linux-7sgr.local]
redirecting to systemctl
avahi-dnsconfd.service - Avahi DNS Configuration Daemon
Loaded: loaded (/lib/systemd/system/avahi-dnsconfd.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/avahi-dnsconfd.service
redirecting to systemctl
bluez-coldplug.service - LSB: handles udev coldplug of bluetooth dongles
Loaded: loaded (/etc/init.d/bluez-coldplug)
Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Process: 3920 ExecStart=/etc/init.d/bluez-coldplug start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/bluez-coldplug.service
redirecting to systemctl
cgroup.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
systemd-tmpfiles-setup.service - Recreate Volatile Files and Directories
Loaded: loaded (/lib/systemd/system/systemd-tmpfiles-setup.service; static)
Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
Process: 906 ExecStart=/bin/systemd-tmpfiles --create --remove (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/systemd-tmpfiles-setup.service
redirecting to systemctl
clock.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
crypto.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
crypto-early.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
cycle.service - LSB: Set default boot entry if called
Loaded: loaded (/etc/init.d/boot.cycle)
Active: active (exited) since Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
Process: 470 ExecStart=/etc/init.d/boot.cycle start (code=exited, status=6/NOTCONFIGURED)
CGroup: name=systemd:/system/cycle.service
redirecting to systemctl
device-mapper.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
dmraid.service - LSB: start dmraid
Loaded: loaded (/etc/init.d/boot.dmraid)
Active: inactive (dead)
CGroup: name=systemd:/system/dmraid.service
redirecting to systemctl
klog.service - Early Kernel Boot Messages
Loaded: loaded (/lib/systemd/system/klog.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/klog.service
redirecting to systemctl
ldconfig.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
loadmodules.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
localfs.service - Shadow /etc/init.d/boot.localfs
Loaded: loaded (/lib/systemd/system/localfs.service; static)
Active: inactive (dead)
CGroup: name=systemd:/system/localfs.service
redirecting to systemctl
localnet.service - LSB: setup hostname and yp
Loaded: loaded (/etc/init.d/boot.localnet)
Active: active (exited) since Tue, 12 Mar 2013 19:09:20 +0000; 14h ago
Process: 503 ExecStart=/etc/init.d/boot.localnet start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/localnet.service
redirecting to systemctl
lvm.service - LSB: start logical volumes
Loaded: loaded (/etc/init.d/boot.lvm)
Active: inactive (dead)
CGroup: name=systemd:/system/lvm.service
redirecting to systemctl
lvm_monitor.service - LSB: start monitoring of LVM VGs now filesystems are mounted rw
Loaded: loaded (/etc/init.d/boot.lvm_monitor)
Active: inactive (dead)
CGroup: name=systemd:/system/lvm_monitor.service
redirecting to systemctl
md.service - LSB: Multiple Device RAID
Loaded: loaded (/etc/init.d/boot.md)
Active: inactive (dead)
CGroup: name=systemd:/system/md.service
redirecting to systemctl
multipath.service - LSB: Create multipath device targets
Loaded: loaded (/etc/init.d/boot.multipath)
Active: inactive (dead)
CGroup: name=systemd:/system/multipath.service
redirecting to systemctl
fsck-root.service - File System Check on Root Device
Loaded: loaded (/lib/systemd/system/fsck-root.service; static)
Active: inactive (dead)
start condition failed at Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
CGroup: name=systemd:/system/fsck-root.service
redirecting to systemctl
swap.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
systemd-sysctl.service - Apply Kernel Variables
Loaded: loaded (/lib/systemd/system/systemd-sysctl.service; static)
Active: active (exited) since Tue, 12 Mar 2013 19:09:20 +0000; 14h ago
Process: 528 ExecStart=/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/systemd-sysctl.service
redirecting to systemctl
udev.service - udev Kernel Device Manager
Loaded: loaded (/lib/systemd/system/udev.service; static)
Active: active (running) since Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
Main PID: 471 (udevd)
CGroup: name=systemd:/system/udev.service
├ 471 /sbin/udevd
├ 643 /sbin/udevd
└ 644 /sbin/udevd
redirecting to systemctl
cifs.service - LSB: Import remote SMB/ CIFS (MS Windows) file systems
Loaded: loaded (/etc/init.d/cifs)
Active: inactive (dead)
CGroup: name=systemd:/system/cifs.service
redirecting to systemctl
clamav-milter.service - LSB: milter compatible mail scanner
Loaded: loaded (/etc/init.d/clamav-milter)
Active: inactive (dead)
CGroup: name=systemd:/system/clamav-milter.service
redirecting to systemctl
clamd.service - LSB: virus scanner daemon
Loaded: loaded (/etc/init.d/clamd)
Active: inactive (dead)
CGroup: name=systemd:/system/clamd.service
redirecting to systemctl
cpufreq.service - LSB: CPUFreq modules loader
Loaded: loaded (/etc/init.d/cpufreq)
Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
Process: 916 ExecStart=/etc/init.d/cpufreq start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/cpufreq.service
redirecting to systemctl
cron.service - Command Scheduler
Loaded: loaded (/lib/systemd/system/cron.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Main PID: 3923 (cron)
CGroup: name=systemd:/system/cron.service
└ 3923 /usr/sbin/cron -n
redirecting to systemctl
cups.service - LSB: CUPS printer daemon
Loaded: loaded (/etc/init.d/cups)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 1062 ExecStart=/etc/init.d/cups start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/cups.service
└ 1199 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
redirecting to systemctl
dbus.service - D-Bus System Message Bus
Loaded: loaded (/lib/systemd/system/dbus.service; static)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 1024 ExecStartPre=/bin/rm -f /var/run/dbus/pid (code=exited, status=0/SUCCESS)
Process: 1003 ExecStartPre=/bin/dbus-uuidgen --ensure (code=exited, status=0/SUCCESS)
Main PID: 1043 (dbus-daemon)
CGroup: name=systemd:/system/dbus.service
├ 1043 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
├ 1801 /usr/lib/polkit-1/polkitd --no-debug
├ 2576 /usr/lib/upower/upowerd
├ 2624 /usr/lib/udisks/udisks-daemon
├ 2625 udisks-daemon: not polling any devices
└ 3295 /usr/lib/rtkit/rtkit-daemon
redirecting to systemctl
dnsmasq.service - LSB: Starts internet name service masq caching server (DNS)
Loaded: loaded (/etc/init.d/dnsmasq)
Active: inactive (dead)
CGroup: name=systemd:/system/dnsmasq.service
Checking for service syslog: running
redirecting to systemctl
freshclam.service - LSB: virus scanner daemon
Loaded: loaded (/etc/init.d/freshclam)
Active: inactive (dead)
CGroup: name=systemd:/system/freshclam.service
Neither the variables MOUSEDEVICE and MOUSETYPE nor the variable GPM_PARAM
is set in /etc/sysconfig/mouse
Run 'yast mouse' to set up gpm
redirecting to systemctl
haveged.service - Haveged Entropy Gathering Daemon
Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 995 ExecStart=/sbin/haveged -w 1024 -v 1 (code=exited, status=0/SUCCESS)
Main PID: 1058 (haveged)
CGroup: name=systemd:/system/haveged.service
└ 1058 /sbin/haveged -w 1024 -v 1
redirecting to systemctl
joystick.service - LSB: Set up analog joysticks
Loaded: loaded (/etc/init.d/joystick)
Active: inactive (dead)
CGroup: name=systemd:/system/joystick.service
redirecting to systemctl
kbd.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
kexec.service - Reboot via kexec
Loaded: loaded (/lib/systemd/system/kexec.service; static)
Active: inactive (dead)
CGroup: name=systemd:/system/kexec.service
redirecting to systemctl
ksysguardd.service - LSB: KDE ksysguard daemon
Loaded: loaded (/etc/init.d/ksysguardd)
Active: inactive (dead)
CGroup: name=systemd:/system/ksysguardd.service
redirecting to systemctl
lirc.service - LSB: lirc daemon
Loaded: loaded (/etc/init.d/lirc)
Active: inactive (dead)
CGroup: name=systemd:/system/lirc.service
redirecting to systemctl
mdadmd.service - LSB: mdadmd daemon monitoring MD devices
Loaded: loaded (/etc/init.d/mdadmd)
Active: inactive (dead)
CGroup: name=systemd:/system/mdadmd.service
redirecting to systemctl
microcode.ctl.service - LSB: CPU microcode updater
Loaded: loaded (/etc/init.d/microcode.ctl)
Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
Process: 914 ExecStart=/etc/init.d/microcode.ctl start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/microcode.ctl.service
redirecting to systemctl
multipathd.service - LSB: Starts multipath daemon
Loaded: loaded (/etc/init.d/multipathd)
Active: inactive (dead)
CGroup: name=systemd:/system/multipathd.service
redirecting to systemctl
mysql.service - LSB: Start the MySQL database server
Loaded: loaded (/etc/init.d/mysql)
Active: inactive (dead)
CGroup: name=systemd:/system/mysql.service
redirecting to systemctl
network.service - LSB: Configure the localfs depending network interfaces
Loaded: loaded (/etc/init.d/network)
Active: active (running) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Process: 1061 ExecStart=/etc/init.d/network start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/network.service
├ 1992 /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhclient6.eth0.lease -pf /var/run/dhclie...
└ 2533 /sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h linux-7sgr eth0
redirecting to systemctl
network-remotefs.service - LSB: Configure the remote-fs depending network interfaces
Loaded: loaded (/etc/init.d/network-remotefs)
Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Process: 3935 ExecStart=/etc/init.d/network-remotefs start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/network-remotefs.service
redirecting to systemctl
nfs.service - LSB: NFS client services
Loaded: loaded (/etc/init.d/nfs)
Active: inactive (dead)
CGroup: name=systemd:/system/nfs.service
redirecting to systemctl
nmb.service - LSB: Samba NetBIOS naming service over IP
Loaded: loaded (/etc/init.d/nmb)
Active: inactive (dead)
CGroup: name=systemd:/system/nmb.service
redirecting to systemctl
nscd.service - LSB: Start Name Service Cache Daemon
Loaded: loaded (/etc/init.d/nscd)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 1008 ExecStart=/etc/init.d/nscd start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/nscd.service
└ 1021 /usr/sbin/nscd
redirecting to systemctl
ntp.service - LSB: Network time protocol daemon (ntpd)
Loaded: loaded (/etc/init.d/ntp)
Active: inactive (dead)
CGroup: name=systemd:/system/ntp.service
redirecting to systemctl
openvpn.service - LSB: OpenVPN tunnel
Loaded: loaded (/etc/init.d/openvpn)
Active: inactive (dead)
CGroup: name=systemd:/system/openvpn.service
redirecting to systemctl
pm-profiler.service - LSB: Script infrastructure to enable/disable certain power management functions
Loaded: loaded (/etc/init.d/pm-profiler)
Active: inactive (dead)
CGroup: name=systemd:/system/pm-profiler.service
redirecting to systemctl
Failed to issue method call: Unknown unit
redirecting to systemctl
powerd.service - LSB: Start the UPS monitoring daemon
Loaded: loaded (/etc/init.d/powerd)
Active: inactive (dead)
CGroup: name=systemd:/system/powerd.service
redirecting to systemctl
systemd-random-seed-load.service - Load Random Seed
Loaded: loaded (/lib/systemd/system/systemd-random-seed-load.service; static)
Active: inactive (dead) since Tue, 12 Mar 2013 19:09:22 +0000; 14h ago
Process: 533 ExecStart=/lib/systemd/systemd-random-seed load (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/systemd-random-seed-load.service
redirecting to systemctl
raw.service - LSB: raw devices
Loaded: loaded (/etc/init.d/raw)
Active: inactive (dead)
CGroup: name=systemd:/system/raw.service
redirecting to systemctl
rpcbind.service - LSB: TI-RPC program number mapper
Loaded: loaded (/etc/init.d/rpcbind)
Active: inactive (dead)
CGroup: name=systemd:/system/rpcbind.service
redirecting to systemctl
rpmconfigcheck.service - LSB: rpm config file scan
Loaded: loaded (/etc/init.d/rpmconfigcheck)
Active: inactive (dead)
CGroup: name=systemd:/system/rpmconfigcheck.service
redirecting to systemctl
rsyncd.service - LSB: Start the rsync server daemon
Loaded: loaded (/etc/init.d/rsyncd)
Active: inactive (dead)
CGroup: name=systemd:/system/rsyncd.service
redirecting to systemctl
setserial.service - LSB: Initializes the serial ports
Loaded: loaded (/etc/init.d/setserial)
Active: inactive (dead)
CGroup: name=systemd:/system/setserial.service
/usr/sbin/FOO not installed
redirecting to systemctl
smartd.service - Self Monitoring and Reporting Technology (SMART) Daemon
Loaded: loaded (/lib/systemd/system/smartd.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/smartd.service
redirecting to systemctl
smb.service - LSB: Samba SMB/CIFS file and print server
Loaded: loaded (/etc/init.d/smb)
Active: inactive (dead)
CGroup: name=systemd:/system/smb.service
redirecting to systemctl
smolt.service - LSB: Enables automated checkins with smolt
Loaded: loaded (/etc/init.d/smolt)
Active: inactive (dead)
CGroup: name=systemd:/system/smolt.service
redirecting to systemctl
splash.service - LSB: Splash screen setup
Loaded: loaded (/etc/init.d/splash)
Active: active (exited) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 971 ExecStart=/etc/init.d/splash start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/splash.service
redirecting to systemctl
splash_early.service - LSB: kills animation after network start
Loaded: loaded (/etc/init.d/splash_early)
Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Process: 3921 ExecStart=/etc/init.d/splash_early start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/splash_early.service
redirecting to systemctl
sshd.service - LSB: Start the sshd daemon
Loaded: loaded (/etc/init.d/sshd)
Active: inactive (dead)
CGroup: name=systemd:/system/sshd.service
redirecting to systemctl
syslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/syslog.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 984 ExecStart=/sbin/rsyslogd -c 5 -f /etc/rsyslog.conf (code=exited, status=0/SUCCESS)
Process: 982 ExecStartPre=/var/run/rsyslog/addsockets (code=exited, status=0/SUCCESS)
Process: 923 ExecStartPre=/bin/systemctl stop systemd-kmsg-syslogd.service (code=exited, status=0/SUCCESS)
Main PID: 988 (rsyslogd)
CGroup: name=systemd:/system/syslog.service
└ 988 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
redirecting to systemctl
xdm.service - LSB: X Display Manager
Loaded: loaded (/etc/init.d/xdm)
Active: active (running) since Tue, 12 Mar 2013 19:09:31 +0000; 14h ago
Process: 1068 ExecStart=/etc/init.d/xdm start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/xdm.service
├ 1312 /usr/bin/kdm
└ 1427 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-FxZ3mb
redirecting to systemctl
xfs.service - LSB: X Font Server
Loaded: loaded (/etc/init.d/xfs)
Active: inactive (dead)
CGroup: name=systemd:/system/xfs.service
redirecting to systemctl
xinetd.service - LSB: Starts the xinet daemon. Be aware that xinetd doesn't start if no service is configured to run under it. To enable xinetd services go to YaST Network Services (xinetd) section.
Loaded: loaded (/etc/init.d/xinetd)
Active: inactive (dead)
CGroup: name=systemd:/system/xinetd.service
redirecting to systemctl
ypbind.service - LSB: Start ypbind (necessary for a NIS client)
Loaded: loaded (/etc/init.d/ypbind)
Active: inactive (dead)
CGroup: name=systemd:/system/ypbind.service
Mozilla Firefox 14.0.1
Plugins:
- IcedTea-Web Plugin (using IcedTea-Web 1.2 (suse-3.1-i386)) - to execute Java Applets
- PackageKit - for installing Applications (new) - First time I see this plugin, but it has probably always been in openSUSE's Firefox.
- Shockwave Flash 11.2 r202
- Silverlight Plug-In 4.0.51204.0
Addons:
- Adblock Plus
- All-in-One Sidebar
- Blank Your Monitor + Easy Reading
- DownloadHelper
- Novell Moonlight
- openSUSE Firefox extensions
- Personas
- Wiktionary and Google Translate
I don't understand the question 'Are the log in attempts in the logs legitimate, or were they at a time when you were not attempting to login?', but I will try to answer something related:
ComputerA is usually connected (nearly 24/7), and between normal use (no attack identified) and the notification of the modification of the bookmarks (possible attack performed) there was one day in between. They didn't need to log in again, because the computer was switched on with only the screen blacked out.
Router
The router can also be used wirelessly, but that is deactivated. The only wire connected directly to the router goes to computerA. There is no way for it to be tapped. It is impossible for there to be other users (intruders) on the same LAN.
Only two possibilities:
- tap the wire at some point between our house and the DSLAM (the telco's), the wires of the neighbourhood.
- attack from outside
The router has an easy password to access it, but I think one first has to be in the LAN to be able to connect, doesn't it?
For sure, none of the legitimate users access the router.
I have to say, I trust the legitimate users 120%.
I have changed the physical addresses to show them here.
ARP Table
IP address Physical Address Interface Static
192.168.1.33 sf:sf:sf:sf:sf:sf eth0 no
Routing Table
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 0.0.0.0 ppp-0 1
IP Filter Configuration
IP Filtering: Disabled
Port Forwarding Configuration
Name Protocol External Port Internal IP Internal Port
ppp-0
eMULE TCP 37000 192.168.1.33 37000
eMULE UDP 8000 192.168.1.33 8000
Virtual Server Configuration
DMZ Host
Interface DMZ Host
ppp-0 N/A
ppp-1 N/A
MAC Filtering
Disabled
Quality of Service Configuration
Traffic Name Priority VLAN ID Min-Max IP TOS 802.1p [Source IP] AddressNetmask Start Port End Port [Destination IP] AddressNetmask Start Port End Port
Profile Name: voip
Rule: voip 7 -1--1 Normal Service -1 0.0.0.0 0.0.0.0 0 65535 81.47.224.0 255.255.252.0 0 65535
NMAP in Computer A
sudo nmap -v -sT 192.168.1.0/24
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2013-03-13 10:43 WET
Initiating ARP Ping Scan at 10:43
Scanning 33 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 0.65s elapsed (33 total hosts)
Initiating Parallel DNS resolution of 33 hosts. at 10:43
Completed Parallel DNS resolution of 33 hosts. at 10:43, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:43
Completed Parallel DNS resolution of 1 host. at 10:43, 0.06s elapsed
Initiating Connect Scan at 10:43
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 21/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 8008/tcp on 192.168.1.1
Discovered open port 2800/tcp on 192.168.1.1
Completed Connect Scan at 10:43, 1.11s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.58s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
53/tcp open domain
80/tcp open http
2800/tcp open acc-raid
8008/tcp open http
MAC Address: sf:sf:sf:sf:sf:sf (sfsfsfs.)
Initiating ARP Ping Scan at 10:43
Scanning 222 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 9.24s elapsed (222 total hosts)
Initiating Connect Scan at 10:43
Scanning 192.168.1.33 [1000 ports]
Completed Connect Scan at 10:43, 0.01s elapsed (1000 total ports)
Nmap scan report for 192.168.1.33
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.1.33 are closed
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (2 hosts up) scanned in 11.26 seconds
Raw packets sent: 509 (14.252KB) | Rcvd: 1 (28B)
sudo nmap -sT -O localhost
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2013-03-13 10:47 WET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000071s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
631/tcp open ipp
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(
....)
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.63 seconds
'Are you certain that malware running in the browser did not change things?'
- I don't know how to detect if I have malware in my browser, but I don't see anything like weird addons, advertisements, ...
'No chance that your users were phished?'
- No idea how to know if they were phished, or how to tell by looking at the computer.
'Java exploits?'
- The same. No idea how to know. I posted the version of IcedTea used to run Java applets. I think they are not used to executing Java applets on the Web; they usually use it for e-mail + digital newspapers.
I see in port forwarding two ports for eMule (really weird... several years without using that program), but then nmap doesn't detect those ports as open. Why?
Computer B - The next results are without internet connection. (If I connect ethernet I will need other services like iptables, dhcpcd, ... that are not listed now)
Executed without internet connection:
systemctl list-units --full | grep active
proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Executable File Formats File System Automount Point
sys-devices-pci0000:00-0000:00:01.0-0000:01:00.1-sound-card1.device loaded active plugged /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.1/sound/card1
sys-devices-pci0000:00-0000:00:1b.0-sound-card0.device loaded active plugged /sys/devices/pci0000:00/0000:00:1b.0/sound/card0
sys-devices-pci0000:00-0000:00:1c.0-0000:02:00.0-net-wlan0.device loaded active plugged /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/net/wlan0
sys-devices-pci0000:00-0000:00:1c.3-0000:06:00.0-net-eth0.device loaded active plugged /sys/devices/pci0000:00/0000:00:1c.3/0000:06:00.0/net/eth0
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda3.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda4.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda5.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda6.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda.device loaded active plugged ST9500325AS
sys-devices-platform-serial8250-tty-ttyS0.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS0
sys-devices-platform-serial8250-tty-ttyS1.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS1
sys-devices-platform-serial8250-tty-ttyS2.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS2
sys-devices-platform-serial8250-tty-ttyS3.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS3
sys-module-configfs.device loaded active plugged /sys/module/configfs
sys-module-fuse.device loaded active plugged /sys/module/fuse
sys-subsystem-net-devices-eth0.device loaded active plugged /sys/subsystem/net/devices/eth0
sys-subsystem-net-devices-wlan0.device loaded active plugged /sys/subsystem/net/devices/wlan0
-.mount loaded active mounted /
dev-hugepages.mount loaded active mounted Huge Pages File System
dev-mqueue.mount loaded active mounted POSIX Message Queue File System
media-Datos.mount loaded active mounted /media/Datos
sys-fs-fuse-connections.mount loaded active mounted FUSE Control File System
sys-kernel-config.mount loaded active mounted Configuration File System
sys-kernel-debug.mount loaded active mounted Debug File System
tmp.mount loaded active mounted /tmp
systemd-ask-password-console.path loaded active waiting Dispatch Password Requests to Console Directory Watch
systemd-ask-password-wall.path loaded active waiting Forward Password Requests to Wall Directory Watch
cronie.service loaded active running Periodic Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
iptables.service loaded active exited Packet Filtering Framework
kdm.service loaded active running K Display Manager
lm_sensors.service loaded active exited Initialize hardware monitoring sensors
polkit.service loaded active running Authorization Manager
rc-local.service loaded active exited /etc/rc.local Compatibility
syslog-ng.service loaded active running System Logger Daemon
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-modules-load.service loaded active exited Load Kernel Modules
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-tmpfiles-setup.service loaded active exited Recreate Volatile Files and Directories
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
udisks2.service loaded active running Disk Manager
upower.service loaded active running Daemon for power management
dbus.socket loaded active running D-Bus System Message Bus Socket
dmeventd.socket loaded active listening Device-mapper event daemon FIFOs
lvmetad.socket loaded active listening LVM2 metadata daemon socket
syslog.socket loaded active running Syslog Socket
systemd-initctl.socket loaded active listening /dev/initctl Compatibility Named Pipe
systemd-journald.socket loaded active running Journal Socket
systemd-shutdownd.socket loaded active listening Delayed Shutdown Socket
systemd-udevd-control.socket loaded active listening udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
dev-sda6.swap loaded active active /dev/sda6
arch-daemons.target loaded active active Arch Daemons
basic.target loaded active active Basic System
cryptsetup.target loaded active active Encrypted Volumes
getty.target loaded active active Login Prompts
graphical.target loaded active active Graphical Interface
local-fs-pre.target loaded active active Local File Systems (Pre)
local-fs.target loaded active active Local File Systems
multi-user.target loaded active active Multi-User
remote-fs.target loaded active active Remote File Systems
sockets.target loaded active active Sockets
sound.target loaded active active Sound Card
swap.target loaded active active Swap
sysinit.target loaded active active System Initialization
syslog.target loaded active active Syslog
systemd-tmpfiles-clean.timer loaded active waiting Daily Cleanup of Temporary Directories
76 loaded units listed. Pass --all to see loaded but inactive units, too.
sudo nmap -v -sT localhost
Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-13 13:01 CET
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating Connect Scan at 13:01
Scanning localhost (127.0.0.1) [1000 ports]
Completed Connect Scan at 13:01, 0.03s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00058s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
All 1000 scanned ports on localhost (127.0.0.1) are closed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
[Connecting to the LAN and therefore to Internet]
If I try to connect to the internet now, it doesn't work. I can do sudo ifconfig eth0 up, but sudo dhcpcd eth0 doesn't work.
It says: eth0 sending IPv6 Router Solicitation.... finally no IPv6 Routers available. Timed out. I know that it has to be IPv4, but yesterday it worked, today not.
If I try to ping 192.168.1.1 it says: network is unreachable.
I have to edit /etc/dhcpcd.conf manually and modify these lines:
#noipv4ll
noipv6rs
Also, modify /etc/hosts and comment out the ::1 line
But as I said, I didn't modify them the other way round, and yesterday (the first time I connected computerB to computerA's LAN) dhcpcd for IPv4 worked correctly.
As I see, still no network connection... at least dhcpcd has assigned me an IP, etc., but it is not the normal one in the 192.168.1.x range (like the router 192.168.1.1 and the other PC 192.168.1.33)
but 169.254.67.213, netmask 255.255.0.0 and broadcast 169.254.255.255
Something weird... and of course, the network is still unreachable if I try to ping Google or the router.
I have to reset the router manually to be able to work properly from computerB.
Abnormal behaviour
The point is that after I connect to the Internet (ping works) the computer gets slow, emacs doesn't work, and if I try to open another terminal it says KDEInit could not launch '/usr/bin/konsole'
So, something goes wrong.
uname -r
3.7.9-2-ARCH
NMAP from ComputerA to ComputerB
Initiating Connect Scan at 13:51
Scanning 192.168.1.34 [1000 ports]
Completed Connect Scan at 13:52, 50.80s elapsed (1000 total ports)
Nmap scan report for 192.168.1.34
Host is up (0.98s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp closed http
MAC Address: xf:xf:xf:xf:xf:xf (xfxfxf.)
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (3 hosts up) scanned in 62.24 seconds
Raw packets sent: 508 (14.224KB) | Rcvd: 2 (56B)
ps aux in computerB
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
4 S 0 1 0 0 80 0 - 1261 epoll_ ? 00:00:00 systemd
1 S 0 2 0 0 80 0 - 0 kthrea ? 00:00:00 kthreadd
1 S 0 3 2 0 80 0 - 0 smpboo ? 00:00:00 ksoftirqd/0
1 S 0 5 2 0 60 -20 - 0 worker ? 00:00:00 kworker/0:0H
1 S 0 7 2 0 60 -20 - 0 worker ? 00:00:00 kworker/u:0H
1 S 0 8 2 0 -40 - - 0 cpu_st ? 00:00:00 migration/0
1 S 0 9 2 0 80 0 - 0 rcu_gp ? 00:00:00 rcu_preempt
1 S 0 10 2 0 80 0 - 0 rcu_gp ? 00:00:00 rcu_bh
1 S 0 11 2 0 80 0 - 0 rcu_gp ? 00:00:00 rcu_sched
5 S 0 12 2 0 -40 - - 0 smpboo ? 00:00:00 watchdog/0
5 S 0 13 2 0 -40 - - 0 smpboo ? 00:00:00 watchdog/1
1 S 0 14 2 0 80 0 - 0 smpboo ? 00:00:00 ksoftirqd/1
1 S 0 15 2 0 -40 - - 0 cpu_st ? 00:00:00 migration/1
1 S 0 17 2 0 60 -20 - 0 worker ? 00:00:00 kworker/1:0H
1 S 0 18 2 0 60 -20 - 0 rescue ? 00:00:00 cpuset
1 S 0 19 2 0 60 -20 - 0 rescue ? 00:00:00 khelper
5 S 0 20 2 0 80 0 - 0 devtmp ? 00:00:00 kdevtmpfs
1 S 0 21 2 0 60 -20 - 0 rescue ? 00:00:00 netns
1 S 0 22 2 0 80 0 - 0 bdi_fo ? 00:00:00 bdi-default
1 S 0 23 2 0 60 -20 - 0 rescue ? 00:00:00 kblockd
1 S 0 26 2 0 80 0 - 0 watchd ? 00:00:00 khungtaskd
1 S 0 27 2 0 80 0 - 0 kswapd ? 00:00:00 kswapd0
1 S 0 28 2 0 85 5 - 0 ksm_sc ? 00:00:00 ksmd
1 S 0 29 2 0 99 19 - 0 khugep ? 00:00:00 khugepaged
1 S 0 30 2 0 80 0 - 0 fsnoti ? 00:00:00 fsnotify_mark
1 S 0 31 2 0 60 -20 - 0 rescue ? 00:00:00 crypto
1 S 0 35 2 0 60 -20 - 0 rescue ? 00:00:00 kthrotld
1 S 0 36 2 0 80 0 - 0 worker ? 00:00:00 kworker/1:2
1 S 0 37 2 0 60 -20 - 0 rescue ? 00:00:00 deferwq
1 S 0 78 2 0 80 0 - 0 hub_th ? 00:00:00 khubd
1 S 0 79 2 0 60 -20 - 0 rescue ? 00:00:00 ata_sff
1 S 0 80 2 0 80 0 - 0 scsi_e ? 00:00:00 scsi_eh_0
1 S 0 81 2 0 80 0 - 0 scsi_e ? 00:00:00 scsi_eh_1
1 S 0 82 2 0 80 0 - 0 scsi_e ? 00:00:00 scsi_eh_2
1 S 0 83 2 0 80 0 - 0 scsi_e ? 00:00:00 scsi_eh_3
1 S 0 84 2 0 80 0 - 0 scsi_e ? 00:00:00 scsi_eh_4
1 S 0 85 2 0 80 0 - 0 scsi_e ? 00:00:00 scsi_eh_5
1 S 0 88 2 0 80 0 - 0 worker ? 00:00:00 kworker/u:4
1 S 0 89 2 0 80 0 - 0 worker ? 00:00:00 kworker/u:5
1 S 0 92 2 0 80 0 - 0 scsi_e ? 00:00:00 scsi_eh_6
1 S 0 93 2 0 80 0 - 0 usb_st ? 00:00:00 usb-storage
1 S 0 96 2 0 60 -20 - 0 worker ? 00:00:00 kworker/1:1H
1 S 0 97 2 0 60 -20 - 0 worker ? 00:00:00 kworker/0:1H
1 S 0 98 2 0 80 0 - 0 worker ? 00:00:00 kworker/0:2
1 S 0 106 2 0 80 0 - 0 kjourn ? 00:00:00 jbd2/sda5-8
1 S 0 107 2 0 60 -20 - 0 rescue ? 00:00:00 ext4-dio-unwrit
4 S 0 124 1 0 80 0 - 2752 epoll_ ? 00:00:00 systemd-udevd
4 S 0 129 1 9 80 0 - 69899 epoll_ ? 00:02:51 systemd-journal
1 S 0 136 2 0 60 -20 - 0 rescue ? 00:00:00 iprt
1 S 0 217 2 0 60 -20 - 0 rescue ? 00:00:00 kpsmoused
1 S 0 220 2 0 80 0 - 0 bdi_wr ? 00:00:00 flush-8:0
1 S 0 238 2 0 60 -20 - 0 rescue ? 00:00:00 led_workqueue
1 S 0 239 2 0 60 -20 - 0 rescue ? 00:00:00 cfg80211
1 S 0 270 2 0 60 -20 - 0 rescue ? 00:00:00 ttm_swap
1 S 0 272 2 0 60 -20 - 0 rescue ? 00:00:00 hd-audio0
1 S 0 341 2 0 60 -20 - 0 rescue ? 00:00:00 hd-audio1
5 S 0 345 1 0 80 0 - 1231 fuse_d ? 00:00:00 mount.ntfs-3g
4 S 0 350 1 0 80 0 - 1902 epoll_ ? 00:00:00 syslog-ng
4 S 0 354 1 0 80 0 - 1202 hrtime ? 00:00:00 crond
4 S 81 355 1 0 80 0 - 834 epoll_ ? 00:00:00 dbus-daemon
4 S 0 356 1 0 80 0 - 834 epoll_ ? 00:00:00 systemd-logind
4 S 0 363 1 0 80 0 - 953 n_tty_ tty1 00:00:00 agetty
4 S 0 364 1 0 80 0 - 992 poll_s ? 00:00:00 kdm
4 S 0 391 364 0 80 0 - 20112 poll_s tty7 00:00:12 X
5 S 0 400 364 0 80 0 - 1367 sigsus ? 00:00:00 kdm
4 S 1000 412 400 0 80 0 - 1299 wait ? 00:00:00 startkde
1 S 1000 423 1 0 80 0 - 906 poll_s ? 00:00:00 dbus-launch
1 S 1000 424 1 0 80 0 - 1027 epoll_ ? 00:00:00 dbus-daemon
1 S 1000 450 1 0 80 0 - 1184 poll_s ? 00:00:00 gpg-agent
1 S 1000 453 1 0 80 0 - 1054 poll_s ? 00:00:00 ssh-agent
5 S 0 468 1 0 80 0 - 508 pipe_w ? 00:00:00 start_kdeinit
1 S 1000 469 1 0 80 0 - 32316 poll_s ? 00:00:00 kdeinit4
1 S 1000 470 469 0 80 0 - 32821 poll_s ? 00:00:00 klauncher
1 S 1000 472 1 0 80 0 - 53818 poll_s ? 00:00:01 kded4
1 S 1000 479 1 0 80 0 - 36628 poll_s ? 00:00:00 kglobalaccel
1 S 1000 483 1 0 80 0 - 36498 poll_s ? 00:00:00 kactivitymanage
0 S 0 484 1 0 80 0 - 7424 poll_s ? 00:00:00 upowerd
0 S 1000 485 412 0 80 0 - 542 unix_s ? 00:00:00 kwrapper4
1 S 1000 486 469 0 80 0 - 38796 poll_s ? 00:00:00 ksmserver
4 S 102 492 1 0 80 0 - 15479 poll_s ? 00:00:00 polkitd
0 S 0 528 1 0 80 0 - 10763 poll_s ? 00:00:00 udisksd
0 S 1000 550 486 0 80 0 - 117798 poll_s ? 00:00:11 kwin
1 S 1000 579 1 0 80 0 - 37489 poll_s ? 00:00:02 knotify4
1 S 1000 583 1 0 80 0 - 117596 poll_s ? 00:00:10 plasma-desktop
1 S 1000 589 1 0 80 0 - 21540 poll_s ? 00:00:00 kuiserver
0 S 1000 598 1 0 80 0 - 11396 poll_s ? 00:00:00 akonadi_control
0 S 1000 600 598 0 80 0 - 51206 poll_s ? 00:00:00 akonadiserver
0 S 1000 603 600 0 80 0 - 62394 poll_s ? 00:00:00 mysqld
1 S 1000 636 1 0 80 0 - 77142 poll_s ? 00:00:01 krunner
1 S 1000 638 469 0 80 0 - 35216 poll_s ? 00:00:00 nepomukserver
0 S 1000 642 638 0 99 19 - 40628 poll_s ? 00:00:06 nepomukservices
1 S 1000 645 1 0 80 0 - 60325 poll_s ? 00:00:00 kmix
1 S 1000 647 1 0 80 0 - 21835 poll_s ? 00:00:00 nepomukcontroll
1 S 1000 650 1 0 80 0 - 27785 poll_s ? 00:00:02 yakuake
0 S 1000 662 598 0 80 0 - 21476 poll_s ? 00:00:00 akonadi_agent_l
0 S 1000 663 598 0 80 0 - 39524 poll_s ? 00:00:00 akonadi_archive
0 S 1000 666 598 0 80 0 - 21526 poll_s ? 00:00:00 akonadi_agent_l
0 S 1000 667 598 0 80 0 - 21475 poll_s ? 00:00:00 akonadi_agent_l
0 S 1000 668 598 0 80 0 - 23760 poll_s ? 00:00:00 akonadi_maildis
0 S 1000 669 598 0 80 0 - 39525 poll_s ? 00:00:00 akonadi_mailfil
1 S 1000 671 1 0 80 0 - 24361 poll_s ? 00:00:00 polkit-kde-auth
0 S 1000 672 598 0 80 0 - 24962 poll_s ? 00:00:00 akonadi_nepomuk
0 S 1000 679 650 0 80 0 - 1312 wait pts/1 00:00:00 bash
1 S 1000 692 1 0 80 0 - 26347 poll_s ? 00:00:00 korgac
1 S 1000 711 1 0 80 0 - 36400 poll_s ? 00:00:00 klipper
0 S 1000 768 642 1 99 19 - 13394 futex_ ? 00:00:30 virtuoso-t
0 S 1000 779 638 0 99 19 - 27301 poll_s ? 00:00:00 nepomukservices
0 S 1000 780 638 0 99 19 - 30844 poll_s ? 00:00:11 nepomukservices
1 S 0 884 2 0 80 0 - 0 worker ? 00:00:00 kworker/1:0
5 S 0 992 1 0 80 0 - 605 poll_s ? 00:00:00 dhcpcd
1 S 0 1019 2 0 80 0 - 0 worker ? 00:00:00 kworker/0:1
1 S 0 1150 2 0 80 0 - 0 worker ? 00:00:00 kworker/0:0
4 S 0 1173 679 0 80 0 - 1267 poll_s pts/1 00:00:00 sudo
4 R 0 1174 1173 0 80 0 - 1156 - pts/1 00:00:00 ps
About Question B: Today I have switched ComputerB on again and now it is normal with the "@localhost", but for me yesterday's behaviour was weird... it has never happened to me before. I would like to know why it happened.
Thank you for the Tripwire suggestion, I will have a look.
[More info related to network]
Both computers use:
- everyday Mozilla Firefox and Thunderbird
- often KTorrent, KGet and Skype
- seldom DropBox
[Answering Brebs]
Yes, Firefox bookmarks have been modified (two deleted, two added) in a specific folder of one of the users.
I know that the first rule of an intruder is: don't alert the legitimate users when you go inside. But in this case it can be "seen" as a threat.
I'm pretty sure (100%) the users didn't modify that. And if it is some weird/erroneous manipulation of the Firefox user interface, it is not so easy. At least "Bookmarks - Toolbar - FolderX - Right Button - Delete" twice, and then add another two.
One or two clicks in a random way could provoke something, but not so many things, movements.
How can I know if the "Firefox sandbox" was broken?
I have never tested an exploit, so I don't know the potential of its use.
I will have a look at AppArmor in the next hours.
Thanks to you both!
Offline
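The post above asks how to tell what happened to the bookmarks. One concrete check, as an added example that is not part of the thread: Firefox keeps bookmarks in the profile's places.sqlite, and every item carries dateAdded and lastModified timestamps (PRTime, microseconds since the Unix epoch), so the change can be dated and the unknown items listed. The script assumes the Firefox 14 moz_bookmarks/moz_places schema and runs against a constructed sample database; the profile path, the folder name and the bookmark names and URLs are illustrative. Firefox holds the database open while running, so the script copies it before querying.

```python
"""Date and list recent Firefox bookmark changes from places.sqlite.

Added example, not from the thread. Assumes the Firefox 14 schema:
moz_bookmarks(type, fk -> moz_places.id, parent, title, dateAdded,
lastModified), timestamps in microseconds since the Unix epoch (PRTime).
"""
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone

TYPE_BOOKMARK, TYPE_FOLDER = 1, 2      # moz_bookmarks.type values


def prtime(dt):
    """timezone-aware datetime -> PRTime microseconds."""
    return int(dt.timestamp() * 1_000_000)


def from_prtime(us):
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def snapshot(places_sqlite):
    """Copy places.sqlite (and its -wal/-shm journal files, if present) so a
    running Firefox's lock and in-flight writes do not get in the way.
    Returns the path of the copy."""
    workdir = tempfile.mkdtemp(prefix="places-")
    copy = os.path.join(workdir, "places.sqlite")
    shutil.copy2(places_sqlite, copy)
    for suffix in ("-wal", "-shm"):
        if os.path.exists(places_sqlite + suffix):
            shutil.copy2(places_sqlite + suffix, copy + suffix)
    return copy


def changes_since(db_path, since):
    """Bookmarks and folders added or modified at or after `since`, oldest
    first. Firefox bumps a folder's lastModified when a child is added or
    removed, so a folder listed here whose listed children do not account for
    the change is the trace a deleted bookmark leaves behind."""
    cutoff = prtime(since)
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            """SELECT b.id, b.type, b.title, p.url, b.dateAdded, b.lastModified,
                      parent.title
                 FROM moz_bookmarks b
                 LEFT JOIN moz_places p ON p.id = b.fk
                 LEFT JOIN moz_bookmarks parent ON parent.id = b.parent
                WHERE b.lastModified >= ? OR b.dateAdded >= ?
                ORDER BY b.lastModified, b.id""",
            (cutoff, cutoff)).fetchall()
    finally:
        con.close()
    return [{"id": r[0],
             "kind": "folder" if r[1] == TYPE_FOLDER else "bookmark",
             "title": r[2], "url": r[3],
             "added": from_prtime(r[4]), "modified": from_prtime(r[5]),
             "parent": r[6]} for r in rows]


def build_sample_db(path):
    """Constructed sample: the subset of the schema the query needs, with a
    toolbar folder 'FolderX' holding one old bookmark and two that appeared on
    2013-03-12 (illustrative names and URLs)."""
    old = prtime(datetime(2012, 6, 1, tzinfo=timezone.utc))
    hit = prtime(datetime(2013, 3, 12, 3, 14, tzinfo=timezone.utc))
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR,
                                 title LONGVARCHAR);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER,
            fk INTEGER, parent INTEGER, position INTEGER, title LONGVARCHAR,
            dateAdded INTEGER, lastModified INTEGER);""")
    con.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        (1, "https://www.example.org/news", "News"),
        (2, "http://example.net/login", "Login"),
        (3, "http://example.com/update", "Update")])
    con.executemany("INSERT INTO moz_bookmarks VALUES (?,?,?,?,?,?,?,?)", [
        (1, TYPE_FOLDER, None, 0, 0, "Bookmarks Toolbar", old, old),
        (2, TYPE_FOLDER, None, 1, 0, "FolderX", old, hit),  # bumped by the change
        (3, TYPE_BOOKMARK, 1, 2, 0, "Daily paper", old, old),
        (4, TYPE_BOOKMARK, 2, 2, 1, "Bank", hit, hit),
        (5, TYPE_BOOKMARK, 3, 2, 2, "Flash update", hit, hit)])
    con.commit()
    con.close()


def sample_changes(since=datetime(2013, 3, 11, tzinfo=timezone.utc)):
    """Build the constructed database and query it; returns the change list."""
    workdir = tempfile.mkdtemp(prefix="places-sample-")
    sample = os.path.join(workdir, "places.sqlite")
    build_sample_db(sample)
    return changes_since(snapshot(sample), since)


if __name__ == "__main__":
    # Real use: changes_since(snapshot(os.path.expanduser(
    #     "~/.mozilla/firefox/<profile>/places.sqlite")), since)
    for r in sample_changes():
        print(f"{r['modified']:%Y-%m-%d %H:%M:%S} {r['kind']:8} "
              f"{r['parent'] or '-'}/{r['title']}  {r['url'] or ''}")
```

Read the output against the system's own clock: the timestamps are set by Firefox on the machine where the change was made, so a modification time that falls while the users say nobody was at the keyboard (the screen-blanked day described above) is the fact to correlate with the system logs for that hour. Deleted bookmarks leave no row of their own; the folder's bumped lastModified is the only trace, which is why the query includes folders.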
Ya, OpenSUSE... configure AppArmor to your liking
As for "how do I know when I have been attacked, what they did, ...": you need to plan ahead of time to be able to do this stuff. Look into OSSEC, AIDE, Tripwire. Some "Security Solutions" you should look into are AlienVault and Security-Onion.
Personally, I'd say go OSSEC on all computers and AlienVault for the whole network. On Linux boxes harden the kernel with grsecurity/PaX.
As of right now for all computers that you think "may" have been compromised assume they are; backup + fresh install.
Last edited by hunterthomson (2013-03-14 05:02:03)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline
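What "plan ahead of time" means in practice, as an added example that is not from the post above or from OSSEC, AIDE or Tripwire: those tools record a hash and the metadata of every file under directories such as /boot, /bin and /sbin while the system is known-good, then report anything added, removed or altered later. The script below does that with a SHA-256 baseline saved as JSON. The directory tree it runs on is constructed in a temporary directory and the tampering is simulated; the path names are illustrative.

```python
"""Minimal file-integrity baseline and comparison (AIDE/Tripwire/OSSEC
syscheck style). Added example, not from the thread or from those tools."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Hash plus the metadata an intruder typically disturbs: mode (setuid
    bits), owner, size, mtime, and link target for symlinks."""
    st = os.lstat(path)
    rec = {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def baseline(roots):
    """Walk each root (not following symlinked directories) and record every
    file; unreadable entries are kept with the error so they still show up."""
    db = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                try:
                    db[path] = file_record(path)
                except OSError as exc:
                    db[path] = {"error": str(exc)}
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Added/removed paths and, for common paths, each attribute that
    differs as (old, new)."""
    changed = {}
    for path in sorted(set(old) & set(new)):
        keys = set(old[path]) | set(new[path])
        diff = {k: (old[path].get(k), new[path].get(k))
                for k in sorted(keys) if old[path].get(k) != new[path].get(k)}
        if diff:
            changed[path] = diff
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


def demo():
    """Constructed tree: take a baseline, save/reload it, then simulate an
    intrusion (trojaned binary of the same size, dropped hidden file, setuid
    bit added) and return what compare() reports."""
    top = tempfile.mkdtemp(prefix="fim-")
    bin_dir = os.path.join(top, "bin")
    os.mkdir(bin_dir)
    ls, su = os.path.join(bin_dir, "ls"), os.path.join(bin_dir, "su")
    with open(ls, "wb") as f:
        f.write(b"\x7fELF original ls")
    with open(su, "wb") as f:
        f.write(b"\x7fELF original su")
    os.chmod(ls, 0o755)
    os.chmod(su, 0o755)
    save_baseline(baseline([bin_dir]), os.path.join(top, "baseline.json"))
    # --- simulated tampering ---
    with open(ls, "wb") as f:
        f.write(b"\x7fELF trojaned ls")          # content change, same size
    with open(os.path.join(bin_dir, ".cache"), "wb") as f:
        f.write(b"dropper")                      # new hidden file
    os.chmod(su, 0o4755)                         # setuid bit added
    before = load_baseline(os.path.join(top, "baseline.json"))
    return compare(before, baseline([bin_dir]))


if __name__ == "__main__":
    # Real use: save_baseline(baseline(["/boot", "/bin", "/sbin"]), "base.json")
    # and later compare(load_baseline("base.json"), baseline([...])).
    print(json.dumps(demo(), indent=1))
```

Two points the demo is built to make: the trojaned binary has the same size as the original, so only the hash catches it, and an mtime can be reset with touch, so the hash and the mode/owner fields are the ones to trust. The baseline itself must live somewhere the monitored host cannot rewrite (read-only media, or another machine, which is the point of the agent/server split mentioned later in the thread), otherwise an intruder simply regenerates it after the changes.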
"may" have been compromised assume they are
And then be hacked again, because it happened by magic. This is scaremongering to my mind - two surprising firefox bookmarks do not make a compromised system.
Offline
Well it's the first thing I'd do if I hacked into someone else's system: I change their firefox bookmarks ... but only a couple of them.
It's so very evil just because it makes them unsure about whether they've really been hacked. It makes them second guess their own suspicions. It makes them wonder if they're crazy.
Or maybe not.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
Offline
hunterthomson wrote:"may" have been compromised assume they are
And then be hacked again, because it happened by magic. This is scaremongering to my mind - two surprising firefox bookmarks do not make a compromised system.
Well, I was assuming that when they did the fresh install they would setup the systems and services needed to harden their systems and track intrusions.
Sure, assuming the bookmarks were in fact changed, it is very likely only Firefox was molested and not the whole system. However, if you don't have any logs you can trust... assume the systems are compromised and reinstall.
It sounded like they are not some home computers, but computers being used in a business. Don't take the risk of assuming nothing is compromised based only on hope. Do your job and protect the network.
Last edited by hunterthomson (2013-03-15 04:01:46)
Offline
It would be like a burglar stealing nothing but just rearranging your furniture. You still make sure the grates on the windows and the door lock work correctly, or even change the key.
--------------------------------------
alcoves wonder creates the wonder unto the ages; never lose that.
Offline
Well, I am sure we all know the attack could go down something like this:
Find a small drive-by exploit to change bookmarks in Firefox.
Use this attack to change the bookmarks in people's Firefox to redirect them to a website that hosts up-to-date exploits for Win, Mac, Linux.
This exploit then downloads a virus or rootkit.
Now the attacker owns your box and steals all your site/vpn/ssh/ftp logins, SSNs, credit card numbers, infects other computers on the LAN, and makes it part of a botnet.
Last edited by hunterthomson (2013-03-15 12:29:44)
Offline
Thank you very much to everyone.
I am reading about AppArmor. I see that it started in openSUSE with this, but I see that it is possible to use it in ArchLinux (AUR, ..).
Are they complementary? Or is it better to use only OSSEC? Because if I don't understand you wrongly, the best would be: OSSEC + grsecurity/PaX + AlienVault.
I don't know if the users of the computers (random people) would find it difficult to work with the computer if I put all these systems in.
I don't know about security, but I can imagine that everything is possible, like you say, through "java/bookmarks, ... exploits in Firefox and then going up in the Linux system with a rootkit".
Thank you again
Offline
Yes, you can use OSSEC with AppArmor. OSSEC is a cross-platform (Windows and Linux), Open Source, very well respected Host Based Intrusion Detection System (HIDS). With it you can have it monitor syslog logs and send alerts when it recognizes log entries that match regular expressions you configure. (I don't know about systemd's journal, however you can use syslog alongside systemd's journal.) OSSEC can also maintain a list of hashes of all the files in whatever directories you configure it to, such as /boot /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ... OSSEC has two parts, an Agent and a Server. This way you can keep all these logs on the Server.
AppArmor basically defines a list of files and directories that an executable or user or group has permission to access, and what those permissions are. The basic example is that if you define an AppArmor policy for an NTP daemon (which runs as root), if that NTP daemon gets exploited the attacker would basically only be able to change the time, instead of having full root access to the computer.
grsecurity & PaX prevent the computer from being exploited in the first place. A Linux system hardened with grsecurity & PaX is the most secure mainstream OS in the world. More secure than OpenBSD, more secure than NetBSD. However, on a desktop you need to make some security exceptions for desktop applications to function. So, on a desktop you also need to set up RBAC (which is what inspired AppArmor) to make up for them. On a server you don't need to make any exceptions. All common Linux server software like Apache, Postfix, Dovecot, and so on will run on a fully hardened system with all grsecurity hardening settings turned on. >> NOTE: not all grsecurity settings make the system more secure. Some enable backwards compatibility that makes it weaker. << The config that ships with the AUR packages only needs a few things changed. On a desktop you only need to disable grsecurity sysctl support. On a server you can enable CONFIG_GRKERNSEC_IO and CONFIG_PAX_SIZE_OVERFLOW and also disable sysctl support.... I keep asking the maintainer to have grsecurity sysctl support disabled in the default config, but he really does not want to for some reason. Upstream even says it should be disabled on a production system. If it is enabled, all someone needs to do is get root access and then they can disable all the security settings and gain kernel access.
AlienVault is a Debian-based all-in-one "Security Appliance". It will take you a good month to really figure it all out. But it is a fully baked solution. It can be your OSSEC Server. It also has Snort with a load of good rules to alert on. It basically has every Open Source security monitoring software ever invented integrated into it.
All of these solutions will take you a good amount of time to learn. I'd say learn them for a while on test computers and/or VMs, then when you are comfortable reinstall the OS on all desktops and servers in a really secure way.... maybe migrate the servers first, then when the dust settles migrate the desktops.
Last edited by hunterthomson (2013-04-01 13:09:00)
Offline
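The log-monitoring half of what the post above describes, reduced to its core as an added example that is not from the post or from OSSEC: each syslog line is matched against numbered rules that carry a severity level, and a frequency rule raises a higher-level alert when the same source trips a rule repeatedly inside a time window. The rule ids follow OSSEC's numbering style, but the regexes, thresholds and the sample syslog lines (hostname computerA, documentation IP ranges) are constructed for this example; the year is passed in explicitly because traditional syslog timestamps carry none.

```python
"""Rule-based syslog alerting with a frequency (burst) rule, OSSEC-style.
Added example; rules, thresholds and sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# (rule id, level, pattern, description); ids mimic OSSEC's numbering
RULES = [
    (5716, 5, re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                         r"(?P<user>\S+) from (?P<src>\S+)"),
     "sshd: authentication failed"),
    (5501, 3, re.compile(r"pam_unix\((?P<svc>[^)]+)\): session opened for user "
                         r"(?P<user>\S+)"),
     "PAM: login session opened"),
    (1002, 6, re.compile(r"kernel: .*\bIN=(?P<iface>\S*) OUT=\S* .*SRC=(?P<src>\S+) "
                         r".*DPT=(?P<dpt>\d+)"),
     "firewall: packet logged by iptables LOG target"),
]
# Frequency rule: `count` hits of `base` from one source within `seconds`
BURST = {"base": 5716, "count": 5, "seconds": 120, "rule": 5720, "level": 10,
         "desc": "sshd: brute-force attempt"}


def parse(line, year):
    """Split a traditional syslog line; returns (timestamp, host, message)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["host"], m["msg"]


class Monitor:
    def __init__(self, rules=RULES, burst=BURST):
        self.rules, self.burst = rules, burst
        self.windows = defaultdict(deque)     # (host, src) -> recent hit times

    def feed(self, line, year):
        """Return the alerts one log line raises (possibly none)."""
        alerts = []
        parsed = parse(line, year)
        if parsed is None:
            return alerts
        ts, host, msg = parsed
        for rid, level, rx, desc in self.rules:
            m = rx.search(msg)
            if not m:
                continue
            fields = m.groupdict()
            alerts.append({"rule": rid, "level": level, "host": host, "ts": ts,
                           "desc": desc, **fields})
            if rid == self.burst["base"] and fields.get("src"):
                alerts.extend(self._check_burst(host, fields["src"], ts))
        return alerts

    def _check_burst(self, host, src, ts):
        """Sliding window per (host, source); one alert per burst."""
        window = self.windows[(host, src)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.burst["seconds"]:
            window.popleft()
        if len(window) < self.burst["count"]:
            return []
        hits = len(window)
        window.clear()
        return [{"rule": self.burst["rule"], "level": self.burst["level"],
                 "host": host, "ts": ts, "src": src,
                 "desc": f"{self.burst['desc']}: {hits} failures from {src} "
                         f"within {self.burst['seconds']}s"}]


def run(log_text, year):
    """Feed every line of a log through one Monitor and collect the alerts."""
    mon = Monitor()
    return [a for line in log_text.splitlines() for a in mon.feed(line, year)]


# Constructed sample (documentation address ranges, illustrative hostname)
SAMPLE_LOG = """\
Mar 13 10:43:01 computerA sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 13 10:43:03 computerA sshd[2213]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 13 10:43:04 computerA sshd[2215]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 13 10:43:06 computerA sshd[2217]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 13 10:43:08 computerA sshd[2219]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 13 10:45:00 computerA kernel: [1234.5] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.33 LEN=40 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024
Mar 13 19:09:30 computerA su[3001]: pam_unix(su:session): session opened for user root by userA(uid=1000)
Mar 13 19:10:00 computerA cron[354]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for a in run(SAMPLE_LOG, 2013):
        print(f"{a['ts']:%b %d %H:%M:%S} level={a['level']:2} "
              f"rule={a['rule']} {a['desc']}")
```

The five sshd failures each raise a level-5 alert on their own; the fifth one, arriving seven seconds after the first, also trips the level-10 frequency rule, which is the kind of event a real deployment would page on. Lines that match no rule (the cron entry) are dropped silently, so the rule set, not the log volume, decides what you see. The same caveat as with the file baseline applies: the alerts are only trustworthy if they leave the host before an intruder can edit the log.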
Really, thank you for those explanations... really good!!
Now it is like Chinese, but eventually it will be like an understandable language.
My plan is to use it for desktops (not servers), although maybe one or two desktops run an sshd server, but not more.
I read about AlienVault, and OSSIM appears, with lots of applications like Snort. I understand that AlienVault is the company/group of developers, and OSSIM the product. As I see on its Web, there are lots of "products". I think it is too hard for now. When you say "Debian-based" I understand some sort of distribution. But when you said in a previous post "for the whole network" I understood another thing.
Ok, so far, I am going to try to use AppArmor + OSSEC. And in a while grsecurity+PaX (maybe in some months).
I think I will need a lot of time to understand/use them, because I am really busy with other things.
The only thing that confused me is "client and server side", when I am going to use it in desktop systems. I understand I will need to combine it with other systems (maybe where the "hashes" of the files are kept to compare against changes).
I will "research" from this point.
Really thank you for this info!
That sounds like a good plan to me. Yeah, it will take time. No one would expect you to learn it all in a week.
Oh... yeah, that is correct. The product name is OSSIM. Silly me. Well, think of it as a "Network Appliance". It is Debian-based, but don't try and mess with it on that level. Only use their scripts and web configuration, otherwise it will get all kinds of messed up.
The reason I said "for the whole network" is because you can use NetFlow and J-Flow (Juniper's NetFlow) on all your managed switches and routers to send all kinds of statistics about network traffic to OSSIM. You can also have Linux send NetFlow data to OSSIM. All your routers, switches, servers, and desktops can send their logs to OSSIM to be stored and signed with a GPG key to verify integrity. OSSIM will also monitor the logs and alert on events..... So, I just meant that every device on your whole network can be monitored by OSSIM.
Yeah, OSSEC can have an agent on the desktops and be controlled by a central computer running the server component (I may have those names backwards, agent/server). This way even if the desktop gets owned the server is not, so it will still report the security breach. If you run the agent and server both on the same computer, then an attacker can just turn it off or modify the program to not report anything.
I also just want to clarify that... grsecurity + PaX gives you the tools you need to have the most secure OS.... but right out of the box it does basically still make Linux the most secure OS.
There are things that you can configure to make it super secure.
Example: it gives you TPE "Trusted Path Execution" and makes it impossible for even the root user to re-mount a file system read-write after it has been mounted read-only. The only way to make it read-write again is to boot into a stock kernel... or into a live CD and edit the fstab so they are not read-only.
So... you could mount everything read-only except /tmp, /var and /home. Then TPE will prevent anything from being executed from these directories. That way the only places on the disk that you can execute code from are on file systems that are read-only.... basically making privilege escalation attacks super crazy hard, and modifying any program impossible, without first owning the kernel, which itself is super crazy hard to own with all the other security measures put in place.
Last edited by hunterthomson (2013-04-03 13:44:15)
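The mount layout in the post above (everything read-only except /tmp, /var and /home, with TPE covering the writable directories) can be checked mechanically before rebooting into it. The script below is an added example, not code from the thread or from grsecurity: it reads an fstab, requires `ro` on every file system outside the writable set, and, as an added assumption beyond the post, requires `noexec,nosuid,nodev` on the writable ones so the mount itself refuses to run code there in addition to TPE. The fstab it checks is a constructed sample, not a real machine's.

```shell
#!/bin/sh
# Added example, not from the original thread: check an fstab against the
# layout described above. Everything outside WRITABLE must be mounted ro;
# the writable mounts must carry noexec/nosuid/nodev (an assumption added
# here, complementing TPE rather than relying on it alone).

WRITABLE="/tmp /var /home"

# in_set NEEDLE "a b c" -> succeeds if NEEDLE is one of the words
in_set() {
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# has_opt OPTS NAME -> succeeds if NAME is one of the comma-separated OPTS
has_opt() {
    case ",$1," in *",$2,"*) return 0;; esac
    return 1
}

# fstab_violations FILE -> prints one line per entry that breaks the policy
fstab_violations() {
    # Drop comments and blank lines; fields: device mountpoint type options dump pass
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r dev mnt type opts dump pass; do
        # Pseudo file systems and swap carry no executable files of their own.
        case "$type" in swap|proc|sysfs|devpts|devtmpfs) continue;; esac
        if in_set "$mnt" "$WRITABLE"; then
            for need in noexec nosuid nodev; do
                has_opt "$opts" "$need" || echo "$mnt: writable mount lacks $need"
            done
        else
            has_opt "$opts" ro || echo "$mnt: should be mounted ro"
        fi
    done
}

# check_fstab FILE -> prints the violations and returns their count (0 = clean)
check_fstab() {
    out=$(fstab_violations "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return "$(printf '%s\n' "$out" | grep -c '')"
}

# Constructed sample fstab (placeholder UUIDs, not a real machine's table).
# /boot is left at "defaults" and /tmp lacks noexec, so two findings are expected.
sample_fstab=$(mktemp)
cat > "$sample_fstab" <<'EOF'
UUID=root-uuid   /      ext4   ro,relatime                       0 1
UUID=boot-uuid   /boot  ext4   defaults                          0 2
UUID=usr-uuid    /usr   ext4   ro,relatime                       0 2
UUID=var-uuid    /var   ext4   rw,relatime,nosuid,nodev,noexec   0 2
UUID=home-uuid   /home  ext4   rw,relatime,nosuid,nodev,noexec   0 2
tmpfs            /tmp   tmpfs  rw,nosuid,nodev                   0 0
UUID=swap-uuid   none   swap   defaults                          0 0
EOF

check_fstab "$sample_fstab"
```

Point it at `/etc/fstab` with `check_fstab /etc/fstab` before committing to the layout. Two caveats a practitioner will hit: a read-only /usr and / mean package updates need a planned remount (and, with the grsecurity behaviour the post describes, a reboot), and some package managers execute maintainer scripts from /tmp or /var, so test an update cycle with the policy in place rather than discovering the breakage on the first upgrade.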