You are not logged in.

#1 2013-03-12 22:50:30

Zzipo
Member
From: North Spain
Registered: 2013-01-07
Posts: 48

Afraid of system being compromised - newbie in "security"

Hello,

PART 1:

There are two computers. Computer A uses openSuse and it is usually used for common tasks (not risk at all), suddenly, one day some "bookmarks" from Mozilla Firefox were modified but not by the legitimate users. The firewall rules were for the Eth0 (unique interface) in External zone, and the router is connected directly to the DSL line (no other computers in LAN). So, only legitimate users on one computer, they know how to change bookmarks, and they are pretty sure they didn't modified them.

I extract also here the iptables -L rules.

userA@computerA:~> sudo /usr/sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
input_ext  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain forward_ext (0 references)
target     prot opt source               destination         

Chain input_ext (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench                                                                   
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request                                                                    
DROP       all  --  anywhere             anywhere             PKTTYPE = multicast                                                                  
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast                                                                  
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcpflags: FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "                                                                                                         
LOG        icmp --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "                                                                                                                                       
LOG        udp  --  anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "                                                                                                                           
DROP       all  --  anywhere             anywhere                                                                                                  
                                                                                                                                                   
Chain reject_func (0 references)                                                                                                                   
target     prot opt source               destination                                                                                               
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

The modification in the bookmarks of Firefox is not possible to be done by us, is not so easy to do it by error, because the bookmarks where modified specifically in a tree of folders, deleting two URL markers and adding other two.
I know by the language and the context of the new URL that the "intruder" is from my nationality.

The problem is that the legitimate users of the computer just delete both fake URL and add the original ones. After that, they just continue using normally the computer. That day, none of that URL webpages where under attack (like DNS or sth like that and that maybe the auto-refresh  - i don't know if it exists - of Firefox just updated both of them in the moment of the attack of the webpages). Also, they didn't say anything about a possible attack days after that. And because is in the bookmarks of Firefox (something that is locally stored) I thought was a direct and specified attack to the computer A and its users.

Question A: Was my supposition correct? Or there is still any possibility to be a general attack? I dismiss any possibility of popular worm/virus because the modification of the markers were really specific and on national context.

Question B: What is the best procedure to analyze the source of the attack and how to protect against it? How to know what things have been modified? I think it is weird that the intruder shows himself modified something in the system (like markers in Firefox), so, he/she wants to be known, like a threat.

I have installed and started the Clamav antivirus. I can show so far that there are:

Windows and Data NTFS partitions (Windows not really used, Data used from Linux): 
      - hundreds of [b]Heuristics.Encrypted.ZIP[/b] (or PDF, RAR), [b]Heuristics.Broken.Executable[/b]   
      - file .htm with [b]Exploit.HTML.MHTRedir.4n[/b]
      - file .pdf with [b]Exploit.PDF-1745[/b]
      - file .rar with [b]Trojan.W32.HotKeysHook.A[/b]
      - 5 files .js with [b]Worm.JS.Redlof.A[/b]

Linux (normally used):
      - /boot/vmlinux-3.1.10-1.16-desktop.gz                                              Heuristics.Broken.Executable
      - /home/userA/Applications/jDownloaders/JDownlaoder/libs/jna.jar     Heuristics.Broken.Executable
      - /home/userA/.jd/libs/jna.jar                                                               Heuristics.Broken.Executable
      - /home/userA/.thunderbird/ct5dfrhd.default/training.dat                   Heuristics.Broken.Executable
      - /lib/firmware/vxge/X3fw.ncf                                                                Heuristics.Encrypted.Zip
      - /lib/firmware/vxge/X3fw-pxe.ncf                                                         Heuristics.Encrypted.Zip

In the time the detection was notified, Windows wasn't used in the days before. Therefore, Linux was the O.S. in the time of the intrusion. So, the files with Exploits, Trojan and Worm is really difficult (or pretty sure) to be executed the days before, because are really weird files and maybe used some months or years ago, not the last weeks, and for sure not from linux.


PART 2:

Now I have access to the main computerA, were the "intrusion" was done 2 weeks and half ago, but I really don't know what to do and how to proceed. At least I have installed clamav and I have shown the results above.

The problem is that I come with the computerB with ArchLinux, and I needed internet to start checking how to perform with all this. The problem is that after activate eth0 and send dhcp client to get the IP, I get the connection and just after that I saw a really weird behaviour. Suddenly, the computer got a little freeze, well, not really freeze, but slow for some moments, and when I check in terminal what happend, my prompt was modified.
Before was:
ussr@localhost
now:
ussr@unknown002454062846

That put my alarms on, so I quickly disconnect ethernet. Because I don't know how to proceed, and really scared of the situation, I just post the below "captures".

iptables of computerB ( I followed the Arch Linux Simple Stateful Firewall.... I think I got it correctly )

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request ctstate NEW
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
           icmp --  anywhere             anywhere             icmp echo-request recent: SET name: ping_limiter side: source mask: 255.255.255.255
DROP       icmp --  anywhere             anywhere             icmp echo-request recent: UPDATE seconds: 4 hit_count: 6 name: ping_limiter side: source mask: 255.255.255.255
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
REJECT     tcp  --  anywhere             anywhere             recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain TCP (1 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain UDP (1 references)
target     prot opt source               destination         
REJECT     udp  --  anywhere             anywhere             recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

ls /var/log

[ussr@unknown002454062846 log]$ ls
auth.log    btmp         crond.log.3   daemon.log.3  errors.log.3      everything.log.4  kernel.log    messages.log    pacman.log         syslog.log.3  user.log.4
auth.log.1  btmp.1       crond.log.4   daemon.log.4  errors.log.4      faillog           kernel.log.1  messages.log.1  pm-powersave.log   syslog.log.4  wtmp
auth.log.2  ConsoleKit   cups          dmesg.log     everything.log    httpd             kernel.log.2  messages.log.2  speech-dispatcher  user.log      wtmp.1
auth.log.3  crond.log    daemon.log    errors.log    everything.log.1  journal           kernel.log.3  messages.log.3  syslog.log         user.log.1    Xorg.0.log
auth.log.4  crond.log.1  daemon.log.1  errors.log.1  everything.log.2  kdm.log           kernel.log.4  messages.log.4  syslog.log.1       user.log.2    Xorg.0.log.old
boot        crond.log.2  daemon.log.2  errors.log.2  everything.log.3  kdm.log.1         lastlog       old             syslog.log.2       user.log.3    Xorg.1.log

sudo cat /var/log/auth.log

Mar 12 21:47:06 localhost polkitd[463]: Registered Authentication Agent for unix-session:1 (system bus name :1.19 [/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 12 21:56:16 localhost sudo:     ussr : TTY=pts/2 ; PWD=/home/ussr ; USER=root ; COMMAND=/sbin/ifconfig eth0 up
Mar 12 21:56:16 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 21:56:16 localhost sudo: pam_unix(sudo:session): session closed for user root
Mar 12 21:58:03 localhost sudo:     ussr : TTY=pts/2 ; PWD=/home/ussr ; USER=root ; COMMAND=/usr/sbin/dhcpcd
Mar 12 21:58:03 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 21:58:10 localhost sudo: pam_unix(sudo:session): session closed for user root
Mar 12 22:01:01 localhost crond[1185]: pam_unix(crond:session): session opened for user root by (uid=0)
Mar 12 22:01:01 localhost CROND[1185]: pam_unix(crond:session): session closed for user root
Mar 12 22:01:19 localhost systemd-logind[341]: New session 3 of user ussr.
Mar 12 22:01:16 localhost polkitd[463]: Unregistered Authentication Agent for unix-session:1 (system bus name :1.19, object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 12 22:01:17 localhost kdm: :0[371]: pam_unix(kde:session): session closed for user ussr
Mar 12 22:01:19 localhost kdm: :0[1252]: pam_unix(kde:session): session opened for user ussr by (uid=0)
Mar 12 22:01:31 localhost polkitd[463]: Registered Authentication Agent for unix-session:3 (system bus name :1.45 [/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 12 22:02:41 localhost sudo:     ussr : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/cat auth.log
Mar 12 22:02:41 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 22:02:41 localhost sudo: pam_unix(sudo:session): session closed for user root
Mar 12 22:05:08 localhost sudo:     ussr : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/cat crond.log
Mar 12 22:05:08 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 22:05:09 localhost sudo: pam_unix(sudo:session): session closed for user root
Mar 12 22:06:08 localhost sudo:     ussr : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/cat messages.log
Mar 12 22:06:08 localhost sudo: pam_unix(sudo:session): session opened for user root by ussr(uid=0)
Mar 12 22:06:09 localhost sudo: pam_unix(sudo:session): session closed for user root

sudo cat /var/log/crond.log

Mar 12 21:19:12 localhost crond[343]: (CRON) INFO (Syslog will be used instead of sendmail.)
Mar 12 21:19:12 localhost crond[343]: (CRON) INFO (running with inotify support)
Mar 12 21:46:15 localhost crond[339]: (CRON) INFO (Syslog will be used instead of sendmail.)
Mar 12 21:46:15 localhost crond[339]: (CRON) INFO (running with inotify support)
Mar 12 22:01:01 localhost CROND[1186]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 22:01:01 localhost anacron[1192]: Anacron started on 2013-03-12
Mar 12 22:01:01 localhost anacron[1192]: Normal exit (0 jobs run)
Mar 12 23:01:01 localhost CROND[1847]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 23:01:01 localhost anacron[1853]: Anacron started on 2013-03-12
Mar 12 23:01:01 localhost anacron[1853]: Normal exit (0 jobs run)

sudo cat /var/log/everything.log [more info maybe]

Mar 12 21:46:46 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 21:46:46 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:46 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:46:55 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:43 localhost kernel: [  282.346749] usb 4-1: USB disconnect, device number 2
Mar 12 21:50:44 localhost kernel: [  283.346743] usb 1-1: USB disconnect, device number 2
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost kernel: [  284.773394] Monitor-Mwait will be used to enter C-3 state
Mar 12 21:50:46 localhost kernel: [  285.600790] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=600
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:51:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:03 localhost kernel: [  361.720026] usb 4-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:52:03 localhost kernel: [  362.021197] input:   USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb4/4-1/4-1:1.0/input/input15
Mar 12 21:52:03 localhost kernel: [  362.021535] hid-generic 0003:05AF:0802.0004: input,hidraw0: USB HID v1.10 Keyboard [  USB Keyboard] on usb-0000:00:1d.0-1/input0
Mar 12 21:52:03 localhost kernel: [  362.113907] input:   USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb4/4-1/4-1:1.1/input/input16
Mar 12 21:52:03 localhost kernel: [  362.114113] hid-generic 0003:05AF:0802.0005: input,hidraw1: USB HID v1.10 Device [  USB Keyboard] on usb-0000:00:1d.0-1/input1
Mar 12 21:52:03 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:03 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:04 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:52:04 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:04 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost kernel: [  455.631890] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=0
Mar 12 21:54:15 localhost kernel: [  494.630014] usb 1-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:54:16 localhost kernel: [  494.819169] input: Logitech USB Optical Mouse as /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1:1.0/input/input17
Mar 12 21:54:16 localhost kernel: [  494.819483] hid-generic 0003:046D:C05B.0006: input,hidraw2: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:1a.0-1/input0
Mar 12 21:56:16 localhost kernel: [  615.359568] sky2 0000:06:00.0 eth0: enabling interface
Mar 12 21:56:16 localhost kernel: [  615.359925] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Mar 12 21:56:18 localhost kernel: [  617.200722] sky2 0000:06:00.0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:56:18 localhost kernel: [  617.200761] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Mar 12 21:57:01 localhost kernel: [  659.837395] sky2 0000:06:00.0 eth0: Link is down
Mar 12 21:57:03 localhost kernel: [  662.485483] sky2 0000:06:00.0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:58:03 localhost dhcpcd[1072]: version 5.6.4 starting
Mar 12 21:58:03 localhost kernel: [  722.424132] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: broadcasting for a lease
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier acquired
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier lost
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: offered 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: acknowledged 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: checking for 192.168.1.35
Mar 12 21:58:07 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:10 localhost dhcpcd[1072]: eth0: leased 192.168.1.35 for 43200 seconds
Mar 12 21:58:10 localhost dhcpcd[1072]: forked to background, child pid 1119
Mar 12 21:58:11 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: no IPv6 Routers available
Mar 12 21:59:33 localhost kernel: [  812.425190] konsole[1156]: segfault at 84 ip b73128d4 sp bf9e00c0 error 4 in libkdeui.so.5.10.0[b6fcb000+42b000]
Mar 12 21:59:33 localhost systemd-coredump[1158]: Process 1156 (konsole) dumped core.
Mar 12 21:59:47 localhost kernel: [  826.338582] konsole[1164]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 21:59:48 localhost systemd-coredump[1165]: Process 1164 (konsole) dumped core.
Mar 12 22:00:32 localhost kernel: [  870.727165] konsole[1174]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 22:00:32 localhost systemd-coredump[1175]: Process 1174 (konsole) dumped core.
Mar 12 22:01:01 localhost systemd[1]: Starting Cleanup of Temporary Directories...
Mar 12 22:01:01 localhost CROND[1186]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 22:01:01 localhost anacron[1192]: Anacron started on 2013-03-12
Mar 12 22:01:01 localhost anacron[1192]: Normal exit (0 jobs run)
Mar 12 22:01:01 localhost systemd[1]: Started Cleanup of Temporary Directories.
Mar 12 22:01:04 localhost kernel: [  902.743018] konsole[1196]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 22:01:04 localhost systemd-coredump[1197]: Process 1196 (konsole) dumped core.
Mar 12 22:01:21 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:21 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 22:01:21 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:22 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:22 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:46 localhost dhcpcd[1119]: eth0: carrier lost
Mar 12 22:01:46 localhost kernel: [  945.353892] sky2 0000:06:00.0 eth0: Link is down

ps aux

[ussr@unknown002454062846 ~]$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND                                                                                                
root         1  0.0  0.0   5040  2772 ?        Ss   21:46   0:00 /bin/systemd                                                                                           
root         2  0.0  0.0      0     0 ?        S    21:46   0:00 [kthreadd]                                                                                             
root         3  0.0  0.0      0     0 ?        S    21:46   0:01 [ksoftirqd/0]                                                                                          
root         5  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/0:0H]                                                                                         
root         7  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/u:0H]                                                                                         
root         8  0.0  0.0      0     0 ?        S    21:46   0:00 [migration/0]                                                                                          
root         9  0.0  0.0      0     0 ?        S    21:46   0:01 [rcu_preempt]                                                                                          
root        10  0.0  0.0      0     0 ?        S    21:46   0:00 [rcu_bh]                                                                                               
root        11  0.0  0.0      0     0 ?        S    21:46   0:00 [rcu_sched]                                                                                            
root        12  0.0  0.0      0     0 ?        S    21:46   0:00 [watchdog/0]                                                                                           
root        13  0.0  0.0      0     0 ?        S    21:46   0:00 [watchdog/1]                                                                                           
root        14  0.0  0.0      0     0 ?        S    21:46   0:01 [ksoftirqd/1]                                                                                          
root        15  0.0  0.0      0     0 ?        S    21:46   0:00 [migration/1]                                                                                          
root        17  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/1:0H]                                                                                         
root        18  0.0  0.0      0     0 ?        S<   21:46   0:00 [cpuset]                                                                                               
root        19  0.0  0.0      0     0 ?        S<   21:46   0:00 [khelper]                                                                                              
root        20  0.0  0.0      0     0 ?        S    21:46   0:00 [kdevtmpfs]
root        21  0.0  0.0      0     0 ?        S<   21:46   0:00 [netns]
root        22  0.0  0.0      0     0 ?        S    21:46   0:00 [bdi-default]
root        23  0.0  0.0      0     0 ?        S<   21:46   0:00 [kblockd]
root        26  0.0  0.0      0     0 ?        S    21:46   0:00 [khungtaskd]
root        27  0.0  0.0      0     0 ?        S    21:46   0:00 [kswapd0]
root        28  0.0  0.0      0     0 ?        SN   21:46   0:00 [ksmd]
root        29  0.0  0.0      0     0 ?        SN   21:46   0:00 [khugepaged]
root        30  0.0  0.0      0     0 ?        S    21:46   0:00 [fsnotify_mark]
root        31  0.0  0.0      0     0 ?        S<   21:46   0:00 [crypto]
root        35  0.0  0.0      0     0 ?        S<   21:46   0:00 [kthrotld]
root        37  0.0  0.0      0     0 ?        S<   21:46   0:00 [deferwq]
root        82  0.0  0.0      0     0 ?        S    21:46   0:00 [khubd]
root        83  0.0  0.0      0     0 ?        S<   21:46   0:00 [ata_sff]
root        84  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_0]
root        85  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_1]
root        86  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_2]
root        87  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_3]
root        88  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_4]
root        89  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_5]
root        92  0.0  0.0      0     0 ?        S    21:46   0:00 [kworker/u:4]
root        97  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/1:1H]
root        98  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/0:1H]
root       106  0.0  0.0      0     0 ?        S    21:46   0:00 [jbd2/sda5-8]
root       107  0.0  0.0      0     0 ?        S<   21:46   0:00 [ext4-dio-unwrit]
root       124  0.0  0.0  11032  1904 ?        Ss   21:46   0:00 /usr/lib/systemd/systemd-udevd
root       134  0.9  0.8 118768 26528 ?        Ss   21:46   1:04 /usr/lib/systemd/systemd-journald
root       145  0.0  0.0      0     0 ?        S<   21:46   0:00 [iprt]
root       229  0.0  0.0      0     0 ?        S<   21:46   0:00 [led_workqueue]
root       230  0.0  0.0      0     0 ?        S<   21:46   0:00 [kpsmoused]
root       240  0.0  0.0      0     0 ?        S<   21:46   0:00 [cfg80211]
root       242  0.0  0.0      0     0 ?        S<   21:46   0:00 [ttm_swap]
root       304  0.0  0.0      0     0 ?        S<   21:46   0:00 [hd-audio0]
root       327  0.0  0.0      0     0 ?        S<   21:46   0:00 [hd-audio1]
root       331  0.0  0.0   4924   996 ?        Ss   21:46   0:00 /usr/bin/mount.ntfs-3g /dev/sda4 /media/Datos -o rw,relatime
root       337  0.0  0.1   7608  3252 ?        Ss   21:46   0:00 /usr/sbin/syslog-ng -F
root       339  0.0  0.0   4800  1280 ?        Ss   21:46   0:00 /usr/sbin/crond -n
dbus       340  0.0  0.0   3384  1800 ?        Ss   21:46   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root       341  0.0  0.0   3336  1568 ?        Ss   21:46   0:00 /usr/lib/systemd/systemd-logind
root       347  0.0  0.0   3812   744 tty1     Ss+  21:46   0:00 /sbin/agetty --noclear tty1 38400 linux
root       348  0.0  0.0   3968  1040 ?        Ss   21:46   0:00 /usr/bin/kdm -nodaemon
root       455  0.0  0.2  29692  8296 ?        Ssl  21:46   0:01 /usr/lib/upower/upowerd
polkitd    463  0.0  0.3  61912 11272 ?        Ssl  21:46   0:00 /usr/lib/polkit-1/polkitd --no-debug
root       500  0.0  0.1  43028  4060 ?        Ssl  21:46   0:01 /usr/lib/udisks2/udisksd --no-debug
root      1119  0.0  0.0   2420   348 ?        Ss   21:58   0:00 dhcpcd
root      1248  0.4  1.1  86772 34320 tty7     Ssl+ 22:01   0:27 /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-WnL9Aa
root      1252  0.0  0.0   5468  2316 ?        S    22:01   0:00 -:0                   
ussr      1267  0.0  0.0   5196  1624 ?        Ss   22:01   0:00 /bin/sh /usr/bin/startkde
ussr      1278  0.0  0.0   3624   592 ?        S    22:01   0:00 /usr/bin/dbus-launch --sh-syntax --exit-with-session
ussr      1279  0.0  0.0   4300  1848 ?        Ss   22:01   0:01 /usr/bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
ussr      1305  0.0  0.0   4736   384 ?        Ss   22:01   0:00 /usr/bin/gpg-agent -s --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file
ussr      1308  0.0  0.0   4216   424 ?        Ss   22:01   0:00 /usr/bin/ssh-agent -s
root      1323  0.0  0.0   2032    56 ?        S    22:01   0:00 /usr/lib/kde4/libexec/start_kdeinit +kcminit_startup
ussr      1324  0.0  0.5 129264 16476 ?        Ss   22:01   0:00 kdeinit4: kdeinit4 Running...                  
ussr      1325  0.0  0.3 131292 11184 ?        S    22:01   0:00 kdeinit4: klauncher [kdeinit] --fd=9           
ussr      1327  0.0  1.0 215392 30976 ?        Sl   22:01   0:01 kdeinit4: kded4 [kdeinit]                      
ussr      1334  0.0  0.6 146508 18616 ?        S    22:01   0:00 kdeinit4: kglobalaccel [kdeinit]               
ussr      1338  0.0  0.5 162384 17088 ?        Sl   22:01   0:00 /usr/bin/kactivitymanagerd
ussr      1346  0.0  0.0   2168   284 ?        S    22:01   0:00 kwrapper4 ksmserver
ussr      1347  0.0  0.6 155184 18500 ?        Sl   22:01   0:00 kdeinit4: ksmserver [kdeinit]                  
ussr      1353  0.3  2.7 481808 83556 ?        Sl   22:01   0:19 kwin -session 1014cd7d2d4000134981367400000006900000_1363122074_66050
ussr      1363  0.0  0.8 148664 26072 ?        Sl   22:01   0:00 /usr/bin/knotify4
ussr      1367  0.4  4.5 466704 139528 ?       Sl   22:01   0:27 kdeinit4: plasma-desktop [kdeinit]             
ussr      1373  0.0  0.4  86180 15092 ?        S    22:01   0:00 /usr/bin/kuiserver
ussr      1379  0.0  0.1  45584  5780 ?        Sl   22:01   0:00 /usr/bin/akonadi_control
ussr      1381  0.0  0.3 204676 10096 ?        Sl   22:01   0:00 akonadiserver
ussr      1384  0.0  1.2 241804 38312 ?        Sl   22:01   0:01 /usr/bin/mysqld --defaults-file=/home/ussr/.local/share/akonadi/mysql.conf --datadir=/home/ussr/.local/
ussr      1418  0.0  0.5  85804 16604 ?        Sl   22:01   0:00 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resource_0
ussr      1419  0.0  0.9 158040 29748 ?        S    22:01   0:00 /usr/bin/akonadi_archivemail_agent --identifier akonadi_archivemail_agent
ussr      1420  0.0  0.5  86000 16680 ?        Sl   22:01   0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_0
ussr      1421  0.0  0.5  85940 16876 ?        Sl   22:01   0:00 /usr/bin/akonadi_agent_launcher akonadi_maildir_resource akonadi_maildir_resource_0
ussr      1422  0.0  0.6  94976 19712 ?        S    22:01   0:00 /usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
ussr      1423  0.0  0.9 158060 30048 ?        S    22:01   0:00 /usr/bin/akonadi_mailfilter_agent --identifier akonadi_mailfilter_agent
ussr      1424  0.0  0.6  99780 18892 ?        Sl   22:01   0:00 /usr/bin/akonadi_nepomuk_feeder --identifier akonadi_nepomuk_feeder
ussr      1446  0.0  0.3 129528  9488 ?        S    22:01   0:00 kdeinit4: kio_http_cache_cleaner [kdeinit]     
ussr      1456  0.0  0.3  73352  9880 ?        Sl   22:01   0:00 /usr/bin/nepomukserver
ussr      1461  0.2  2.3 231052 71768 ?        SNl  22:01   0:12 /usr/bin/nepomukservicestub nepomukstorage
ussr      1471  0.6  1.4  57668 44308 ?        SNl  22:01   0:35 /usr/bin/virtuoso-t +foreground +configfile /tmp/virtuoso_ZT1461.ini +wait
ussr      1481  0.0  1.2 272872 37436 ?        Sl   22:01   0:00 kdeinit4: krunner [kdeinit]                    
ussr      1484  0.0  0.7 241356 24124 ?        Sl   22:01   0:00 kdeinit4: kmix [kdeinit] -session 1014cd7d2d400013498136850000
ussr      1488  0.0  0.4  87280 14960 ?        S    22:01   0:00 /usr/bin/nepomukcontroller -session 1014cd7d2d4000134981368500000006900010_1363122074_36315
ussr      1490  0.0  0.7 111408 23264 ?        Sl   22:01   0:04 yakuake -session 1014cd7d2d4000135280595900000005570044_1363122074_36424
ussr      1495  0.0  0.0   5360  2060 pts/0    Ss+  22:01   0:00 /bin/bash
ussr      1503  0.0  0.5  97452 16812 ?        Sl   22:01   0:00 /usr/lib/kde4/libexec/polkit-kde-authentication-agent-1
ussr      1504  0.0  0.5 105388 17392 ?        S    22:01   0:00 /usr/bin/korgac --icon korgac
ussr      1516  0.0  0.5 145452 17504 ?        S    22:01   0:00 kdeinit4: klipper [kdeinit]                    
ussr      1561  0.2  0.9 164820 27976 ?        Rl   22:01   0:12 kdeinit4: konsole [kdeinit]                    
ussr      1563  0.0  0.0   5356  2112 pts/2    Ss   22:01   0:00 /bin/bash
ussr      1565  0.0  0.6 109208 19384 ?        SNl  22:01   0:00 /usr/bin/nepomukservicestub nepomukfilewatch
ussr      1569  0.1  1.2 123320 37384 ?        SNl  22:01   0:08 /usr/bin/nepomukservicestub nepomukfileindexer
root      1825  0.0  0.0      0     0 ?        S    22:06   0:01 [kworker/1:1]
root      1837  0.0  0.0      0     0 ?        S    22:21   0:00 [flush-8:0]
root      1859  0.0  0.0      0     0 ?        S    23:10   0:00 [kworker/0:1]
root      1872  0.0  0.0      0     0 ?        S    23:10   0:00 [scsi_eh_6]
root      1873  0.0  0.0      0     0 ?        S    23:10   0:00 [usb-storage]
root      1876  0.0  0.0      0     0 ?        S    23:10   0:00 [kworker/1:0]
root      1877  0.0  0.0      0     0 ?        S    23:10   0:00 [kworker/u:0]
ussr      1919  0.0  0.0  35080  2892 ?        Sl   23:11   0:00 /usr/lib/at-spi2-core/at-spi-bus-launcher
ussr      1974  0.0  0.0   3020  1356 ?        S    23:12   0:00 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
ussr      1977  0.0  0.1  17320  3152 ?        Sl   23:12   0:00 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
ussr      1980  0.0  0.0   8084  1968 ?        S    23:12   0:00 /usr/lib/GConf/gconfd-2
root      2036  0.0  0.0      0     0 ?        S    23:21   0:00 [kworker/0:0]
root      2044  0.0  0.0      0     0 ?        S    23:31   0:00 [kworker/0:2]
root      2047  0.0  0.0      0     0 ?        S    23:34   0:00 [flush-8:16]
ussr      2079  0.0  0.0   4676  1208 pts/2    R+   23:36   0:00 ps aux

I have checked in .bashrc and the prompt is still:
PS1='[\u@\h \W]\$ '
And \h means hostname... And if I check in /etc/hosts:
127.0.0.1   localhost.localdomain   localhost
::1   localhost.localdomain   localhost

So, something is wrong..

I don't know how to proceed, nor in the computer A, neither in the computer B.

Question C: Is possible to have any mechanism to know every file that is modified, add or delete on the whole system? Something like the log but for every file? I think is the only way to know what is going on.

Any help? Please, I'm so lost in this area..

Offline

#2 2013-03-12 23:19:19

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 12,254

Re: Afraid of system being compromised - newbie in "security"

Computer A:  This is not an Arch machine, so please do not dwell on it in these forums.  What services are you running?  sshd, telnet? ftp?  Are the log in attempts in the logs legitimate, or were they at a time when you were not attempting to login?

Is your router wireless?  Is it locked down?  It could provide a way around the firewall in the router.  Are you forwarding ports on the router?  Which ones, and where to?

Are you certain that malware running in the browser did not change things?  No chance that your users were phished? Java exploits?

Computer B:  That really looks like it is just a host name configuration problem.

Quaestion C: Tripwire


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Like you, I have no idea what you are doing, but I am pretty sure it is wrong...Jasonwryan
----
How to Ask Questions the Smart Way

Offline

#3 2013-03-13 09:49:19

brebs
Member
Registered: 2007-04-03
Posts: 3,401

Re: Afraid of system being compromised - newbie in "security"

So, firefox bookmarks have been added, and your DHCP needs more setup.

It would have to be a pretty stupid hacker, to change your hostname and bring such attention. Far more likely to be your mis-configuration.

Java, and Flash, are being heavily exploited - they might be responsible for the bookmarks, if it's not user error. But that's within firefox, so no evidence of breaking firefox's sandbox, or Linux security.

Some tips for the future:

1. Don't show us "iptables -L" - "iptables-save" is easier to read.

2. Install e.g. AppArmor (which is what I use and recommend). I had a good laugh at acroread creating a user file, which had its attempted write blocked, showing in my log:

apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox/firefox" name="/home/myusername/C:\nppdf32Log\debuglog.txt"

Offline

#4 2013-03-13 16:55:16

Zzipo
Member
From: North Spain
Registered: 2013-01-07
Posts: 48

Re: Afraid of system being compromised - newbie in "security"

Ok, thank you for the answers.

Because I don't know about which computer you ask about the services, I write for both.

Computer A

uname -r
3.1.10-1.16-desktop


Processes (ps -Al)

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   5408  2536 ?        Ss   Mar12   0:02 /sbin/init showopts
root         2  0.0  0.0      0     0 ?        S    Mar12   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    Mar12   0:00 [ksoftirqd/0]
root         6  0.0  0.0      0     0 ?        S    Mar12   0:00 [migration/0]
root         7  0.0  0.0      0     0 ?        SN   Mar12   0:16 [rcuc0]
root         8  0.0  0.0      0     0 ?        S    Mar12   0:00 [rcun0]
root         9  0.0  0.0      0     0 ?        S    Mar12   0:00 [rcub0]
root        10  0.0  0.0      0     0 ?        S    Mar12   0:00 [rcun1]
root        11  0.0  0.0      0     0 ?        S    Mar12   0:00 [rcub1]
root        12  0.0  0.0      0     0 ?        S    Mar12   0:00 [watchdog/0]
root        13  0.0  0.0      0     0 ?        S    Mar12   0:00 [migration/1]
root        15  0.0  0.0      0     0 ?        SN   Mar12   0:14 [rcuc1]
root        16  0.0  0.0      0     0 ?        S    Mar12   0:00 [ksoftirqd/1]
root        18  0.0  0.0      0     0 ?        S    Mar12   0:00 [watchdog/1]
root        19  0.0  0.0      0     0 ?        S    Mar12   0:00 [migration/2]
root        21  0.0  0.0      0     0 ?        SN   Mar12   0:12 [rcuc2]
root        22  0.0  0.0      0     0 ?        S    Mar12   0:00 [ksoftirqd/2]
root        23  0.0  0.0      0     0 ?        S    Mar12   0:00 [watchdog/2]
root        24  0.0  0.0      0     0 ?        S    Mar12   0:00 [migration/3]
root        26  0.0  0.0      0     0 ?        SN   Mar12   0:09 [rcuc3]
root        27  0.0  0.0      0     0 ?        S    Mar12   0:04 [ksoftirqd/3]
root        28  0.0  0.0      0     0 ?        S    Mar12   0:00 [watchdog/3]
root        29  0.0  0.0      0     0 ?        S<   Mar12   0:00 [cpuset]
root        30  0.0  0.0      0     0 ?        S<   Mar12   0:00 [khelper]
root        31  0.0  0.0      0     0 ?        S    Mar12   0:00 [kdevtmpfs]
root        32  0.0  0.0      0     0 ?        S<   Mar12   0:00 [netns]
root        33  0.0  0.0      0     0 ?        S    Mar12   0:00 [sync_supers]
root        34  0.0  0.0      0     0 ?        S    Mar12   0:00 [bdi-default]
root        35  0.0  0.0      0     0 ?        S<   Mar12   0:00 [kintegrityd]
root        36  0.0  0.0      0     0 ?        S<   Mar12   0:00 [kblockd]
root        37  0.0  0.0      0     0 ?        S<   Mar12   0:00 [ata_sff]
root        38  0.0  0.0      0     0 ?        S    Mar12   0:00 [khubd]
root        39  0.0  0.0      0     0 ?        S<   Mar12   0:00 [md]
root        41  0.0  0.0      0     0 ?        S    Mar12   0:00 [khungtaskd]
root        42  0.3  0.0      0     0 ?        S    Mar12   3:02 [kswapd0]
root        43  0.0  0.0      0     0 ?        SN   Mar12   0:00 [ksmd]
root        44  0.0  0.0      0     0 ?        SN   Mar12   0:02 [khugepaged]
root        45  0.0  0.0      0     0 ?        S    Mar12   0:00 [fsnotify_mark]
root        46  0.0  0.0      0     0 ?        S<   Mar12   0:00 [crypto]
root        50  0.0  0.0      0     0 ?        S<   Mar12   0:00 [kthrotld]
root        85  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_0]
root        86  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_1]
root        87  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_2]
root        88  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_3]
root        92  0.0  0.0      0     0 ?        S    Mar12   0:00 [kworker/u:3]
root       101  0.0  0.0      0     0 ?        S<   Mar12   0:00 [kpsmoused]
root       103  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_4]
root       104  0.0  0.0      0     0 ?        S    Mar12   0:03 [usb-storage]
root       106  0.0  0.0      0     0 ?        S    Mar12   0:00 [kworker/u:5]
root       141  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_5]
root       142  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_6]
root       143  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_7]
root       144  0.0  0.0      0     0 ?        S    Mar12   0:20 [usb-storage]
root       148  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_8]
root       149  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_9]
root       217  0.0  0.0      0     0 ?        S<   Mar12   0:00 [ttm_swap]
root       432  0.0  0.0      0     0 ?        S    Mar12   0:01 [jbd2/sda5-8]
root       433  0.0  0.0      0     0 ?        S<   Mar12   0:00 [ext4-dio-unwrit]
root       471  0.0  0.0   3236   348 ?        Ss   Mar12   0:00 /sbin/udevd
root       494  0.0  0.0      0     0 ?        S    Mar12   0:00 [kauditd]
root       495  0.0  0.0   2284   364 ?        Ss   Mar12   0:00 /lib/systemd/systemd-stdout-syslog-bridge
root       643  0.0  0.0   3148   256 ?        S    Mar12   0:00 /sbin/udevd
root       644  0.0  0.0   3148   244 ?        S    Mar12   0:00 /sbin/udevd
root       749  0.0  0.0      0     0 ?        S<   Mar12   0:00 [firewire]
root       782  0.0  0.0      0     0 ?        S<   Mar12   0:00 [hd-audio1]
root       824  0.0  0.0      0     0 ?        S<   Mar12   0:00 [hd-audio2]
root       881  0.8  0.0  12720  1580 ?        Ss   Mar12   7:49 /sbin/mount.ntfs-3g /dev/sdc1 /windows/datos -o rw,locale=es_ES.UTF-8
root       897  1.5  0.0  10540  2064 ?        Ss   Mar12  13:31 /sbin/mount.ntfs-3g /dev/sda3 /windows/othe -o rw,noexec,nosuid,nodev,users,gid=10
root       898  0.7  0.0   9780  1088 ?        Ss   Mar12   6:36 /sbin/mount.ntfs-3g /dev/sda4 /windows/caviarblue -o rw,locale=es_ES.UTF-8
root       903  0.0  0.0      0     0 ?        S    Mar12   0:12 [jbd2/sda6-8]
root       904  0.0  0.0      0     0 ?        S<   Mar12   0:00 [ext4-dio-unwrit]
root       963  0.0  0.0   3140   840 ?        Ss   Mar12   0:00 /lib/systemd/systemd-logind
root       988  0.0  0.0  40136   232 ?        Sl   Mar12   0:00 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
root       994  0.0  0.0   1920   276 ?        Ss   Mar12   0:00 /sbin/acpid
avahi     1010  0.0  0.0   2940   676 ?        Ss   Mar12   0:00 avahi-daemon: running [linux-7sgr.local]
root      1021  0.0  0.0   1908   248 ?        Ss   Mar12   0:00 /usr/sbin/nscd
102       1043  0.0  0.0   3540  1308 ?        Ss   Mar12   0:12 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
root      1058  0.0  0.0   6288   184 ?        Ss   Mar12   0:03 /sbin/haveged -w 1024 -v 1
root      1199  0.0  0.0   7888   780 ?        Ss   Mar12   0:00 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
root      1312  0.0  0.0   4124   308 ?        Ss   Mar12   0:00 /usr/bin/kdm
root      1427  5.6  1.1  65368 42660 tty7     Ss+  Mar12  50:26 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-Fx
root      1489  0.0  0.0   1908   268 tty1     Ss+  Mar12   0:00 /sbin/agetty tty1 38400
root      1703  0.0  0.0   5164   420 ?        S    Mar12   0:00 -:0         
root      1727  0.0  0.0  33660   992 ?        Ssl  Mar12   0:00 /usr/sbin/console-kit-daemon --no-daemon
root      1801  0.0  0.0  25224  2300 ?        Sl   Mar12   0:01 /usr/lib/polkit-1/polkitd --no-debug
userA      1825  0.0  0.0   4624   292 ?        Ss   Mar12   0:00 /bin/sh /usr/bin/startkde
root      1992  0.0  0.0   5248   492 ?        S    Mar12   0:00 /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhcli
userA      1995  0.0  0.0   5464  1112 ?        Ss   Mar12   0:01 /usr/bin/gpg-agent --sh --daemon --write-env-file /home/userA/.gnupg/agent.info /et
userA      2115  0.0  0.0   3332   268 ?        S    Mar12   0:00 dbus-launch --sh-syntax --exit-with-session
userA      2116  0.0  0.0   4736  1612 ?        Ss   Mar12   0:02 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root      2123  0.0  0.0   1752   112 ?        S    Mar12   0:00 /usr/lib/kde4/libexec/start_kdeinit +kcminit_startup
userA      2133  0.0  0.0  92820  1976 ?        Ss   Mar12   0:00 kdeinit4: kdeinit4 Running...                  
userA      2143  0.0  0.0  96676  3636 ?        S    Mar12   0:00 kdeinit4: klauncher [kdeinit] --fd=9           
userA      2213  0.0  0.1 216804  6720 ?        Sl   Mar12   0:06 kdeinit4: kded4 [kdeinit]                      
root      2533  0.0  0.0   2100   432 ?        Ss   Mar12   0:00 /sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook
userA      2553  0.0  0.0 111996  3512 ?        S    Mar12   0:01 kdeinit4: kglobalaccel [kdeinit]               
root      2576  0.0  0.0  28016  1060 ?        Sl   Mar12   0:00 /usr/lib/upower/upowerd
userA      2601  0.0  0.0   1888     0 ?        S    Mar12   0:00 kwrapper4 ksmserver
userA      2605  0.0  0.0 119976  3448 ?        Sl   Mar12   0:01 kdeinit4: ksmserver [kdeinit]                  
root      2624  0.0  0.0  24100  1788 ?        Sl   Mar12   0:11 /usr/lib/udisks/udisks-daemon
root      2625  0.0  0.0   6308   160 ?        S    Mar12   0:00 udisks-daemon: not polling any devices
userA      2654  1.4  8.8 585524 339936 ?       Sl   Mar12  12:35 kwin -session 1014b108a5e8000134377289300000096170000_1363115313_870095
userA      2727  0.0  0.0  61432  2768 ?        S    Mar12   0:01 /usr/bin/kactivitymanagerd
userA      2804  0.0  0.1 266168  4040 ?        Sl   Mar12   0:02 /usr/bin/knotify4
userA      2836  0.2  0.7 350760 28952 ?        Sl   Mar12   2:09 kdeinit4: plasma-desktop [kdeinit]             
userA      2978  0.0  0.0  61184  2696 ?        S    Mar12   0:01 /usr/bin/kuiserver
userA      3048  0.0  0.0 110224  2292 ?        S    Mar12   0:03 kdeinit4: kaccess [kdeinit]                    
userA      3055  0.0  0.0 104028  1480 ?        Sl   Mar12   0:00 kdeinit4: nepomukserver [kdeinit]              
userA      3058  0.2  0.9 315204 35676 ?        Sl   Mar12   2:27 kdeinit4: krunner [kdeinit]                    
userA      3064  0.0  0.4 264532 15884 ?        SNl  Mar12   0:01 /usr/bin/nepomukservicestub nepomukstorage
userA      3080  0.0  0.3  49512 12752 ?        SNl  Mar12   0:10 /usr/bin/virtuoso-t +foreground +configfile /tmp/virtuoso_Ti3064.ini +wait
userA      3119  0.0  0.0  20364  1740 ?        Sl   Mar12   0:01 /usr/bin/akonadi_control
userA      3123  0.0  0.0 248556  1212 ?        Sl   Mar12   0:03 akonadiserver
userA      3130  0.0  0.2 253544  8312 ?        Sl   Mar12   0:19 /usr/sbin/mysqld --defaults-file=/home/userA/.local/share/akonadi//mysql.conf --dat
userA      3228  0.0  0.0  60248  2340 ?        S    Mar12   0:01 /usr/bin/nepomukcontroller -session 1014b108a5e8000134377292700000096170011_136311
userA      3231  0.0  0.2 272104  9184 ?        Sl   Mar12   0:02 kdeinit4: kmix [kdeinit] -session 1014b108a5e80001346397487000
userA      3241  0.0  0.1 115340  4092 ?        S    Mar12   0:01 /usr/bin/kget -session 1014b108a5e8000135447427400000059430038_1363115313_756240
userA      3274  0.0  0.0  67384  2356 ?        SN   Mar12   0:00 /usr/bin/nepomukservicestub nepomukbackupsync
userA      3275  0.0  0.0 120176  2140 ?        SN   Mar12   0:00 /usr/bin/nepomukservicestub digikamnepomukservice
userA      3276  0.0  0.1  90360  3996 ?        SNl  Mar12   0:02 /usr/bin/nepomukservicestub nepomukfilewatch
userA      3280  0.0  0.1  80288  5564 ?        SN   Mar12   0:00 /usr/bin/nepomukservicestub nepomukqueryservice
userA      3293  0.0  0.1 230116  6096 ?        Sl   Mar12   0:42 /usr/bin/pulseaudio --start --log-target=syslog
rtkit     3295  0.0  0.0  20824   364 ?        SNl  Mar12   0:01 /usr/lib/rtkit/rtkit-daemon
userA      3325  0.0  0.0  60340  2424 ?        Sl   Mar12   0:01 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resourc
userA      3326  0.0  0.0  60336  2536 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resourc
userA      3327  0.0  0.0  59940  2528 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3328  0.0  0.0  59996  2372 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3329  0.0  0.0  59996  2556 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3330  0.0  0.0  59976  2360 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3331  0.0  0.0  59940  2332 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3340  0.0  0.0  59976  2396 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3342  0.0  0.0  59976  2360 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3343  0.0  0.0  60000  2380 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3344  0.0  0.0  59940  2540 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3345  0.0  0.0  59940  2516 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3346  0.0  0.0  60588  2484 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_0
userA      3348  0.0  0.0  60600  2508 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_1
userA      3349  0.0  0.0  60604  2492 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_2
userA      3354  0.0  0.0  60344  2472 ?        Sl   Mar12   0:01 /usr/bin/akonadi_agent_launcher akonadi_maildir_resource akonadi_maildir_resource_
userA      3357  0.0  0.0  69112  2848 ?        S    Mar12   0:01 /usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
userA      3366  0.0  0.0  64084  2884 ?        S    Mar12   0:01 /usr/bin/akonadi_nepomuk_calendar_feeder --identifier akonadi_nepomuk_calendar_fee
userA      3367  0.0  0.0  63388  2708 ?        S    Mar12   0:01 /usr/bin/akonadi_nepomuk_contact_feeder --identifier akonadi_nepomuk_contact_feede
userA      3368  0.0  0.0 107516  3424 ?        S    Mar12   0:01 /usr/bin/akonadi_nepomuk_email_feeder --identifier akonadi_nepomuk_email_feeder
userA      3471  0.0  0.0  70708  2140 ?        Sl   Mar12   0:00 /usr/lib/kde4/libexec/polkit-kde-authentication-agent-1
userA      3512  0.0  0.0   7536   752 ?        S    Mar12   0:00 /usr/lib/gvfs/gvfsd
userA      3516  0.0  0.0  34272   204 ?        Ssl  Mar12   0:00 /usr/lib/gvfs//gvfs-fuse-daemon /home/userA/.gvfs
root      3923  0.0  0.0   4668   408 ?        Ss   Mar12   0:00 /usr/sbin/cron -n
userA      4848  0.0  0.0   8032  1068 ?        S    Mar12   0:00 /usr/lib/GConf/2/gconfd-2
root      5490  0.0  0.0      0     0 ?        S    Mar12   0:08 [kworker/1:2]
root      6174  0.0  0.0      0     0 ?        S    02:12   0:03 [kworker/2:3]
root      6331  0.0  0.0      0     0 ?        S    03:30   0:00 [flush-8:0]
userA      8569  1.8  5.6 766616 217576 ?       Sl   08:43   1:33 /usr/lib/firefox/firefox
userA      8601  0.0  0.4  64256 17276 ?        S    08:43   0:00 /usr/lib/mozilla/kmozillahelper
userA      8693  9.0  0.5 127856 21652 ?        Rl   08:50   6:58 kdeinit4: konsole [kdeinit]                    
userA      8701  0.0  0.0   5432  2436 pts/1    Ss   08:50   0:00 /bin/bash
root      8751  0.0  0.0   7968  2352 pts/1    S+   08:54   0:00 sudo clamscan -r -l logclamav.log / --exclude-dir=/media/
root      8753 69.3  3.0 129096 117808 pts/1   R+   08:54  50:19 clamscan -r -l logclamav.log / --exclude-dir=/media/
root      8823  0.0  0.0      0     0 ?        S    09:17   0:01 [kworker/2:2]
root      8830  0.1  0.0      0     0 ?        S    09:26   0:03 [kworker/3:0]
root      8852  0.5  0.0      0     0 ?        S    09:34   0:10 [kworker/0:0]
root      8858  0.0  0.0      0     0 ?        S    09:40   0:01 [kworker/2:0]
userA      8945  0.0  0.0   5432  2432 pts/2    Ss   09:51   0:00 /bin/bash
root      9174  0.1  0.0      0     0 ?        S    09:53   0:01 [kworker/1:0]
root      9177  0.5  0.0      0     0 ?        S    09:55   0:03 [kworker/0:3]
userA      9178  1.7  0.9 166588 36800 ?        Sl   09:55   0:12 kdeinit4: kwrite [kdeinit]                     
root      9192  0.0  0.0      0     0 ?        S    09:57   0:00 [kworker/3:1]
root      9227  0.0  0.0      0     0 ?        S    10:00   0:00 [kworker/0:2]
root      9239  0.0  0.0      0     0 ?        S    10:00   0:00 [flush-8:32]
userA      9280  0.3  0.0   5768  1700 ?        SL   10:01   0:01 scdaemon --multi-server
userA      9301  8.3  1.0 205940 39936 ?        Sl   10:01   0:31 /usr/bin/vlc /windows/datos/Música/Caro emerald - Deleted scenes from the cutting 
root      9594  0.1  0.0      0     0 ?        S    10:02   0:00 [kworker/3:2]
root      9947  0.0  0.0      0     0 ?        S    10:05   0:00 [kworker/2:1]
userA      9987  0.0  0.1 102804  6520 ?        Sl   10:05   0:00 kdeinit4: kio_trash [kdeinit] trash local:/tmp/ksocket-userA/kl
userA      9988  0.0  0.1  93424  5280 ?        S    10:05   0:00 kdeinit4: kio_file [kdeinit] file local:/tmp/ksocket-userA/klau
userA      9997  0.0  0.1  93420  5280 ?        S    10:05   0:00 kdeinit4: kio_file [kdeinit] file local:/tmp/ksocket-userA/klau
userA      9998  0.1  0.3 112416 14036 ?        S    10:05   0:00 kdeinit4: kio_thumbnail [kdeinit] thumbnail local:/tmp/ksocket
root     10034  0.0  0.0      0     0 ?        S    10:05   0:00 [kworker/0:1]
userA     10128  1.5  0.6 143964 23404 ?        Sl   10:05   0:01 /usr/lib/firefox/plugin-container /usr/lib/browser-plugins/libflashplayer.so -greo
userA     10385  0.0  0.0      0     0 ?        Z    10:07   0:00 [scdaemon] <defunct>
userA     10387  0.0  0.0   2620   864 pts/2    R+   10:07   0:00 ps aux

I don't see above any process related with ftp, telnet, sshd (inactive below), etc. But above and below we can see dhcp6/dhcpcd/dhclient6 active.

Services (sudo /sbin/service --status-all)

redirecting to systemctl
SuSEfirewall2_init.service - LSB: SuSEfirewall2 phase 1
          Loaded: loaded (/etc/init.d/SuSEfirewall2_init)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 938 ExecStart=/etc/init.d/SuSEfirewall2_init start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/SuSEfirewall2_init.service
Checking the status of SuSEfirewall2                                                                                                    running
redirecting to systemctl
acpid.service - ACPI Event Daemon
          Loaded: loaded (/lib/systemd/system/acpid.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 993 ExecStart=/sbin/acpid (code=exited, status=0/SUCCESS)
        Main PID: 994 (acpid)
          CGroup: name=systemd:/system/acpid.service
                  └ 994 /sbin/acpid
redirecting to systemctl
alsa-restore.service - Restore Sound Card State
          Loaded: loaded (/lib/systemd/system/alsa-restore.service; static)
          Active: inactive (dead) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
         Process: 909 ExecStart=/usr/sbin/alsactl restore (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/alsa-restore.service
redirecting to systemctl
atd.service - LSB: Start AT batch job daemon
          Loaded: loaded (/etc/init.d/atd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/atd.service
redirecting to systemctl
autofs.service - LSB: automatic mounting of filesystems
          Loaded: loaded (/etc/init.d/autofs)
          Active: inactive (dead)
          CGroup: name=systemd:/system/autofs.service
redirecting to systemctl
avahi-daemon.service - Avahi mDNS/DNS-SD Stack
          Loaded: loaded (/lib/systemd/system/avahi-daemon.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
        Main PID: 1010 (avahi-daemon)
          Status: "Server startup complete. Host name is linux-7sgr.local. Local service cookie is 198690539."
          CGroup: name=systemd:/system/avahi-daemon.service
                  └ 1010 avahi-daemon: running [linux-7sgr.local]
redirecting to systemctl
avahi-dnsconfd.service - Avahi DNS Configuration Daemon
          Loaded: loaded (/lib/systemd/system/avahi-dnsconfd.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/avahi-dnsconfd.service
redirecting to systemctl
bluez-coldplug.service - LSB: handles udev coldplug of bluetooth dongles
          Loaded: loaded (/etc/init.d/bluez-coldplug)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
         Process: 3920 ExecStart=/etc/init.d/bluez-coldplug start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/bluez-coldplug.service
redirecting to systemctl
cgroup.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
systemd-tmpfiles-setup.service - Recreate Volatile Files and Directories
          Loaded: loaded (/lib/systemd/system/systemd-tmpfiles-setup.service; static)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
         Process: 906 ExecStart=/bin/systemd-tmpfiles --create --remove (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/systemd-tmpfiles-setup.service
redirecting to systemctl
clock.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
crypto.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
crypto-early.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
cycle.service - LSB: Set default boot entry if called
          Loaded: loaded (/etc/init.d/boot.cycle)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
         Process: 470 ExecStart=/etc/init.d/boot.cycle start (code=exited, status=6/NOTCONFIGURED)
          CGroup: name=systemd:/system/cycle.service
redirecting to systemctl
device-mapper.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)

Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
dmraid.service - LSB: start dmraid
          Loaded: loaded (/etc/init.d/boot.dmraid)
          Active: inactive (dead)
          CGroup: name=systemd:/system/dmraid.service
redirecting to systemctl
klog.service - Early Kernel Boot Messages
          Loaded: loaded (/lib/systemd/system/klog.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/klog.service
redirecting to systemctl
ldconfig.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
loadmodules.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)

Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
localfs.service - Shadow /etc/init.d/boot.localfs
          Loaded: loaded (/lib/systemd/system/localfs.service; static)
          Active: inactive (dead)
          CGroup: name=systemd:/system/localfs.service
redirecting to systemctl
localnet.service - LSB: setup hostname and yp
          Loaded: loaded (/etc/init.d/boot.localnet)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:20 +0000; 14h ago
         Process: 503 ExecStart=/etc/init.d/boot.localnet start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/localnet.service
redirecting to systemctl
lvm.service - LSB: start logical volumes
          Loaded: loaded (/etc/init.d/boot.lvm)
          Active: inactive (dead)
          CGroup: name=systemd:/system/lvm.service
redirecting to systemctl
lvm_monitor.service - LSB: start monitoring of LVM VGs now filesystems are mounted rw
          Loaded: loaded (/etc/init.d/boot.lvm_monitor)
          Active: inactive (dead)
          CGroup: name=systemd:/system/lvm_monitor.service
redirecting to systemctl
md.service - LSB: Multiple Device RAID
          Loaded: loaded (/etc/init.d/boot.md)
          Active: inactive (dead)
          CGroup: name=systemd:/system/md.service
redirecting to systemctl
multipath.service - LSB: Create multipath device targets
          Loaded: loaded (/etc/init.d/boot.multipath)
          Active: inactive (dead)
          CGroup: name=systemd:/system/multipath.service
redirecting to systemctl
fsck-root.service - File System Check on Root Device
          Loaded: loaded (/lib/systemd/system/fsck-root.service; static)
          Active: inactive (dead)
                  start condition failed at Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
          CGroup: name=systemd:/system/fsck-root.service
redirecting to systemctl
swap.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
systemd-sysctl.service - Apply Kernel Variables
          Loaded: loaded (/lib/systemd/system/systemd-sysctl.service; static)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:20 +0000; 14h ago
         Process: 528 ExecStart=/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/systemd-sysctl.service
redirecting to systemctl
udev.service - udev Kernel Device Manager
          Loaded: loaded (/lib/systemd/system/udev.service; static)
          Active: active (running) since Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
        Main PID: 471 (udevd)
          CGroup: name=systemd:/system/udev.service
                  ├ 471 /sbin/udevd
                  ├ 643 /sbin/udevd
                  └ 644 /sbin/udevd
redirecting to systemctl
cifs.service - LSB: Import remote SMB/ CIFS (MS Windows) file systems
          Loaded: loaded (/etc/init.d/cifs)
          Active: inactive (dead)
          CGroup: name=systemd:/system/cifs.service
redirecting to systemctl
clamav-milter.service - LSB: milter compatible mail scanner
          Loaded: loaded (/etc/init.d/clamav-milter)
          Active: inactive (dead)
          CGroup: name=systemd:/system/clamav-milter.service
redirecting to systemctl
clamd.service - LSB: virus scanner daemon
          Loaded: loaded (/etc/init.d/clamd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/clamd.service
redirecting to systemctl
cpufreq.service - LSB: CPUFreq modules loader
          Loaded: loaded (/etc/init.d/cpufreq)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
         Process: 916 ExecStart=/etc/init.d/cpufreq start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/cpufreq.service
redirecting to systemctl
cron.service - Command Scheduler
          Loaded: loaded (/lib/systemd/system/cron.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
        Main PID: 3923 (cron)
          CGroup: name=systemd:/system/cron.service
                  └ 3923 /usr/sbin/cron -n
redirecting to systemctl
cups.service - LSB: CUPS printer daemon
          Loaded: loaded (/etc/init.d/cups)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 1062 ExecStart=/etc/init.d/cups start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/cups.service
                  └ 1199 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
redirecting to systemctl
dbus.service - D-Bus System Message Bus
          Loaded: loaded (/lib/systemd/system/dbus.service; static)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 1024 ExecStartPre=/bin/rm -f /var/run/dbus/pid (code=exited, status=0/SUCCESS)
         Process: 1003 ExecStartPre=/bin/dbus-uuidgen --ensure (code=exited, status=0/SUCCESS)
        Main PID: 1043 (dbus-daemon)
          CGroup: name=systemd:/system/dbus.service
                  ├ 1043 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
                  ├ 1801 /usr/lib/polkit-1/polkitd --no-debug
                  ├ 2576 /usr/lib/upower/upowerd
                  ├ 2624 /usr/lib/udisks/udisks-daemon
                  ├ 2625 udisks-daemon: not polling any devices
                  └ 3295 /usr/lib/rtkit/rtkit-daemon
redirecting to systemctl
dnsmasq.service - LSB: Starts internet name service masq caching server (DNS)
          Loaded: loaded (/etc/init.d/dnsmasq)
          Active: inactive (dead)
          CGroup: name=systemd:/system/dnsmasq.service
Checking for service syslog:                                                                                                            running
redirecting to systemctl
freshclam.service - LSB: virus scanner daemon
          Loaded: loaded (/etc/init.d/freshclam)
          Active: inactive (dead)
          CGroup: name=systemd:/system/freshclam.service
Neither the variables MOUSEDEVICE and MOUSETYPE nor the variable GPM_PARAM
is set in /etc/sysconfig/mouse
Run 'yast mouse' to set up gpm
redirecting to systemctl
haveged.service - Haveged Entropy Gathering Daemon
          Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 995 ExecStart=/sbin/haveged -w 1024 -v 1 (code=exited, status=0/SUCCESS)
        Main PID: 1058 (haveged)
          CGroup: name=systemd:/system/haveged.service
                  └ 1058 /sbin/haveged -w 1024 -v 1
redirecting to systemctl
joystick.service - LSB: Set up analog joysticks
          Loaded: loaded (/etc/init.d/joystick)
          Active: inactive (dead)
          CGroup: name=systemd:/system/joystick.service
redirecting to systemctl
kbd.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)

Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
kexec.service - Reboot via kexec
          Loaded: loaded (/lib/systemd/system/kexec.service; static)
          Active: inactive (dead)
          CGroup: name=systemd:/system/kexec.service
redirecting to systemctl
ksysguardd.service - LSB: KDE ksysguard daemon
          Loaded: loaded (/etc/init.d/ksysguardd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ksysguardd.service
redirecting to systemctl
lirc.service - LSB: lirc daemon
          Loaded: loaded (/etc/init.d/lirc)
          Active: inactive (dead)
          CGroup: name=systemd:/system/lirc.service
redirecting to systemctl
mdadmd.service - LSB: mdadmd daemon monitoring MD devices
          Loaded: loaded (/etc/init.d/mdadmd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/mdadmd.service
redirecting to systemctl
microcode.ctl.service - LSB: CPU microcode updater
          Loaded: loaded (/etc/init.d/microcode.ctl)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
         Process: 914 ExecStart=/etc/init.d/microcode.ctl start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/microcode.ctl.service
redirecting to systemctl
multipathd.service - LSB: Starts multipath daemon
          Loaded: loaded (/etc/init.d/multipathd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/multipathd.service
redirecting to systemctl
mysql.service - LSB: Start the MySQL database server
          Loaded: loaded (/etc/init.d/mysql)
          Active: inactive (dead)
          CGroup: name=systemd:/system/mysql.service
redirecting to systemctl
network.service - LSB: Configure the localfs depending network interfaces
          Loaded: loaded (/etc/init.d/network)
          Active: active (running) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
         Process: 1061 ExecStart=/etc/init.d/network start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/network.service
                  ├ 1992 /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhclient6.eth0.lease -pf /var/run/dhclie...
                  └ 2533 /sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h linux-7sgr eth0
redirecting to systemctl
network-remotefs.service - LSB: Configure the remote-fs depending network interfaces
          Loaded: loaded (/etc/init.d/network-remotefs)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
         Process: 3935 ExecStart=/etc/init.d/network-remotefs start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/network-remotefs.service
redirecting to systemctl
nfs.service - LSB: NFS client services
          Loaded: loaded (/etc/init.d/nfs)
          Active: inactive (dead)
          CGroup: name=systemd:/system/nfs.service
redirecting to systemctl
nmb.service - LSB: Samba NetBIOS naming service over IP
          Loaded: loaded (/etc/init.d/nmb)
          Active: inactive (dead)
          CGroup: name=systemd:/system/nmb.service
redirecting to systemctl
nscd.service - LSB: Start Name Service Cache Daemon
          Loaded: loaded (/etc/init.d/nscd)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 1008 ExecStart=/etc/init.d/nscd start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/nscd.service
                  └ 1021 /usr/sbin/nscd
redirecting to systemctl
ntp.service - LSB: Network time protocol daemon (ntpd)
          Loaded: loaded (/etc/init.d/ntp)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ntp.service
redirecting to systemctl
openvpn.service - LSB: OpenVPN tunnel
          Loaded: loaded (/etc/init.d/openvpn)
          Active: inactive (dead)
          CGroup: name=systemd:/system/openvpn.service
redirecting to systemctl
pm-profiler.service - LSB: Script infrastructure to enable/disable certain power management functions
          Loaded: loaded (/etc/init.d/pm-profiler)
          Active: inactive (dead)
          CGroup: name=systemd:/system/pm-profiler.service
redirecting to systemctl
Failed to issue method call: Unknown unit
redirecting to systemctl
powerd.service - LSB: Start the UPS monitoring daemon
          Loaded: loaded (/etc/init.d/powerd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/powerd.service
redirecting to systemctl
systemd-random-seed-load.service - Load Random Seed
          Loaded: loaded (/lib/systemd/system/systemd-random-seed-load.service; static)
          Active: inactive (dead) since Tue, 12 Mar 2013 19:09:22 +0000; 14h ago
         Process: 533 ExecStart=/lib/systemd/systemd-random-seed load (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/systemd-random-seed-load.service
redirecting to systemctl
raw.service - LSB: raw devices
          Loaded: loaded (/etc/init.d/raw)
          Active: inactive (dead)
          CGroup: name=systemd:/system/raw.service
redirecting to systemctl
rpcbind.service - LSB: TI-RPC program number mapper
          Loaded: loaded (/etc/init.d/rpcbind)
          Active: inactive (dead)
          CGroup: name=systemd:/system/rpcbind.service
redirecting to systemctl
rpmconfigcheck.service - LSB: rpm config file scan
          Loaded: loaded (/etc/init.d/rpmconfigcheck)
          Active: inactive (dead)
          CGroup: name=systemd:/system/rpmconfigcheck.service
redirecting to systemctl
rsyncd.service - LSB: Start the rsync server daemon
          Loaded: loaded (/etc/init.d/rsyncd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/rsyncd.service
redirecting to systemctl
setserial.service - LSB: Initializes the serial ports
          Loaded: loaded (/etc/init.d/setserial)
          Active: inactive (dead)
          CGroup: name=systemd:/system/setserial.service
/usr/sbin/FOO not installed
redirecting to systemctl
smartd.service - Self Monitoring and Reporting Technology (SMART) Daemon
          Loaded: loaded (/lib/systemd/system/smartd.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/smartd.service
redirecting to systemctl
smb.service - LSB: Samba SMB/CIFS file and print server
          Loaded: loaded (/etc/init.d/smb)
          Active: inactive (dead)
          CGroup: name=systemd:/system/smb.service
redirecting to systemctl
smolt.service - LSB: Enables automated checkins with smolt
          Loaded: loaded (/etc/init.d/smolt)
          Active: inactive (dead)
          CGroup: name=systemd:/system/smolt.service
redirecting to systemctl
splash.service - LSB: Splash screen setup
          Loaded: loaded (/etc/init.d/splash)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 971 ExecStart=/etc/init.d/splash start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/splash.service
redirecting to systemctl
splash_early.service - LSB: kills animation after network start
          Loaded: loaded (/etc/init.d/splash_early)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
         Process: 3921 ExecStart=/etc/init.d/splash_early start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/splash_early.service
redirecting to systemctl
sshd.service - LSB: Start the sshd daemon
          Loaded: loaded (/etc/init.d/sshd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/sshd.service
redirecting to systemctl
syslog.service - System Logging Service
          Loaded: loaded (/lib/systemd/system/syslog.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 984 ExecStart=/sbin/rsyslogd -c 5 -f /etc/rsyslog.conf (code=exited, status=0/SUCCESS)
         Process: 982 ExecStartPre=/var/run/rsyslog/addsockets (code=exited, status=0/SUCCESS)
         Process: 923 ExecStartPre=/bin/systemctl stop systemd-kmsg-syslogd.service (code=exited, status=0/SUCCESS)
        Main PID: 988 (rsyslogd)
          CGroup: name=systemd:/system/syslog.service
                  └ 988 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
redirecting to systemctl
xdm.service - LSB: X Display Manager
          Loaded: loaded (/etc/init.d/xdm)
          Active: active (running) since Tue, 12 Mar 2013 19:09:31 +0000; 14h ago
         Process: 1068 ExecStart=/etc/init.d/xdm start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/xdm.service
                  ├ 1312 /usr/bin/kdm
                  └ 1427 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-FxZ3mb
redirecting to systemctl
xfs.service - LSB: X Font Server
          Loaded: loaded (/etc/init.d/xfs)
          Active: inactive (dead)
          CGroup: name=systemd:/system/xfs.service
redirecting to systemctl
xinetd.service - LSB: Starts the xinet daemon. Be aware that xinetd doesn't start if no service is configured to run under it. To enable xinetd services go to YaST Network Services (xinetd) section.
          Loaded: loaded (/etc/init.d/xinetd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/xinetd.service
redirecting to systemctl
ypbind.service - LSB: Start ypbind (necessary for a NIS client)
          Loaded: loaded (/etc/init.d/ypbind)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ypbind.service

Mozilla Firefox 14.0.1

Plugins:
  - IcedTea-Web Plugin (using IcedTea-Web 1.2 (suse-3.1-i386)) - to execute Java Applets
  - PackageKit - for installing Applications (new) - First time I see this plugin, but probably always have been here in the Firefox of Opensuse.
  - Shockwave Flash 11.2 r202
  - Silverlight Plug-In 4.0.51204.0

Addons:
  - Adblock Plus
  - All-in-One Sidebar
  - Blank Your Monitor + Easy Reading
  - DownloadHelper
  - Novell Moonlight
  - openSUSE Firefox extensions
  - Personas
  - Wiktionary and Google Translate

I don't understand the question 'Are the log in attempts in the logs legitimate, or were they at a time when you were not attempting to login?', but I will try to answer something related:
The computerA is usually connected (nearly 24/7) and between the normal using (not attack identified) and the notification of modification of the bookmarks (possible attack performed) it was 1 day in between. They didn't need to log in again, because the computer was switched on and only with the screen blacked out.

Router
The router has the possibility to be used by wireless, but is deactivated. The only wires connected directly to the router goes to the computerA. There is no way to be tapped. Impossible to be other users (intruders) from the same LAN.
Only two possibilities:
- tap the wire in some point from our house to the DSLAM (telco's), the wires of the neighborhood.
- attack from outside

Router has a easy password to access, but I think first it has to be in the LAN to can connect, isn't it?
For sure none of the legitimate users access the router.
I have to say, I trust in the legitimate users 120%.

I have changed the physical address to show it here.

ARP Table
IP address 	Physical Address 	Interface 	Static 	 
192.168.1.33	sf:sf:sf:sf:sf:sf	eth0		no


Routing Table
Destination 	Netmask 	Gateway 	Interface 	Metric 	 
0.0.0.0 	0.0.0.0 	0.0.0.0 	ppp-0 	1


IP Filter Configuration
IP Filtering: Disabled


Port Forwarding Configuration
Name 	Protocol 	External Port 	Internal IP 	Internal Port 			 		 
ppp-0 	 
eMULE 	TCP 		37000 		192.168.1.33 	37000		 
eMULE 	UDP 		8000 		192.168.1.33 	8000 


Vitual Server Configuration
DMZ Host
Interface 	DMZ Host 		 
ppp-0 		N/A 		 
ppp-1 		N/A 		 


MAC Filtering
Disabled


Quality of Service Configuration
Traffic Name 	Priority 	VLAN ID Min-Max 	IP TOS 		802.1p 	[Source IP] AddressNetmask 	Start Port	End Port 	[Destination IP] AddressNetmask 	Start Port	End Port 	 
Profile Name: voip 	 
Rule: voip 	7 		-1--1 			Normal Service 	-1 	0.0.0.0		0.0.0.0 	0		65535 		81.47.224.0	255.255.252.0 		0		65535

NMAP in Computer A
sudo nmap -v -sT 192.168.1.0/24

Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2013-03-13 10:43 WET
Initiating ARP Ping Scan at 10:43
Scanning 33 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 0.65s elapsed (33 total hosts)
Initiating Parallel DNS resolution of 33 hosts. at 10:43
Completed Parallel DNS resolution of 33 hosts. at 10:43, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:43
Completed Parallel DNS resolution of 1 host. at 10:43, 0.06s elapsed
Initiating Connect Scan at 10:43
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 21/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 8008/tcp on 192.168.1.1
Discovered open port 2800/tcp on 192.168.1.1
Completed Connect Scan at 10:43, 1.11s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.58s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
2800/tcp open  acc-raid
8008/tcp open  http
MAC Address: sf:sf:sf:sf:sf:sf (sfsfsfs.)

Initiating ARP Ping Scan at 10:43
Scanning 222 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 9.24s elapsed (222 total hosts)
Initiating Connect Scan at 10:43
Scanning 192.168.1.33 [1000 ports]
Completed Connect Scan at 10:43, 0.01s elapsed (1000 total ports)
Nmap scan report for 192.168.1.33
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.1.33 are closed

Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (2 hosts up) scanned in 11.26 seconds
           Raw packets sent: 509 (14.252KB) | Rcvd: 1 (28B)

sudo nmap -sT -O localhost

Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2013-03-13 10:47 WET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000071s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(
....)

Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.63 seconds

'Are you certain that malware running in the browser did not change things?'
- I don't know how to detect if I have malware in my browser, but I don't see anything like weird addons, advertisement,..
'No chance that your users were phished?'
- No idea how to know if they were phished, and how to know know looking the computer.
'Java exploits?'
- The same. No idea how to know. I posted the version of icedtea to run java applets. I think they are not used to execute java applets on the Web, they usually use it for e-mail + digital newspapers.


I see in port forwarding two ports for emule (really weird... several years without using that program), but then nmap doesn't detect open that ports. Why?

Computer B - The next results is without internet connection. (If I connect ethernet I will need other services like iptables, dhcpcd,... that are not listed now)

Executed without internet connection:
systemctl list-units --full | grep active

proc-sys-fs-binfmt_misc.automount                                                        loaded active waiting   Arbitrary Executable File Formats File System Automount Point
sys-devices-pci0000:00-0000:00:01.0-0000:01:00.1-sound-card1.device                      loaded active plugged   /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.1/sound/card1
sys-devices-pci0000:00-0000:00:1b.0-sound-card0.device                                   loaded active plugged   /sys/devices/pci0000:00/0000:00:1b.0/sound/card0
sys-devices-pci0000:00-0000:00:1c.0-0000:02:00.0-net-wlan0.device                        loaded active plugged   /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/net/wlan0
sys-devices-pci0000:00-0000:00:1c.3-0000:06:00.0-net-eth0.device                         loaded active plugged   /sys/devices/pci0000:00/0000:00:1c.3/0000:06:00.0/net/eth0
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda3.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda4.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda5.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda6.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda.device      loaded active plugged   ST9500325AS
sys-devices-platform-serial8250-tty-ttyS0.device                                         loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS0
sys-devices-platform-serial8250-tty-ttyS1.device                                         loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS1
sys-devices-platform-serial8250-tty-ttyS2.device                                         loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS2
sys-devices-platform-serial8250-tty-ttyS3.device                                         loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS3
sys-module-configfs.device                                                               loaded active plugged   /sys/module/configfs
sys-module-fuse.device                                                                   loaded active plugged   /sys/module/fuse
sys-subsystem-net-devices-eth0.device                                                    loaded active plugged   /sys/subsystem/net/devices/eth0
sys-subsystem-net-devices-wlan0.device                                                   loaded active plugged   /sys/subsystem/net/devices/wlan0
-.mount                                                                                  loaded active mounted   /
dev-hugepages.mount                                                                      loaded active mounted   Huge Pages File System
dev-mqueue.mount                                                                         loaded active mounted   POSIX Message Queue File System
media-Datos.mount                                                                        loaded active mounted   /media/Datos
sys-fs-fuse-connections.mount                                                            loaded active mounted   FUSE Control File System
sys-kernel-config.mount                                                                  loaded active mounted   Configuration File System
sys-kernel-debug.mount                                                                   loaded active mounted   Debug File System
tmp.mount                                                                                loaded active mounted   /tmp
systemd-ask-password-console.path                                                        loaded active waiting   Dispatch Password Requests to Console Directory Watch
systemd-ask-password-wall.path                                                           loaded active waiting   Forward Password Requests to Wall Directory Watch
cronie.service                                                                           loaded active running   Periodic Command Scheduler
dbus.service                                                                             loaded active running   D-Bus System Message Bus
getty@tty1.service                                                                       loaded active running   Getty on tty1
iptables.service                                                                         loaded active exited    Packet Filtering Framework
kdm.service                                                                              loaded active running   K Display Manager
lm_sensors.service                                                                       loaded active exited    Initialize hardware monitoring sensors
polkit.service                                                                           loaded active running   Authorization Manager
rc-local.service                                                                         loaded active exited    /etc/rc.local Compatibility
syslog-ng.service                                                                        loaded active running   System Logger Daemon
systemd-journald.service                                                                 loaded active running   Journal Service
systemd-logind.service                                                                   loaded active running   Login Service
systemd-modules-load.service                                                             loaded active exited    Load Kernel Modules
systemd-remount-fs.service                                                               loaded active exited    Remount Root and Kernel File Systems
systemd-sysctl.service                                                                   loaded active exited    Apply Kernel Variables
systemd-tmpfiles-setup.service                                                           loaded active exited    Recreate Volatile Files and Directories
systemd-udev-trigger.service                                                             loaded active exited    udev Coldplug all Devices
systemd-udevd.service                                                                    loaded active running   udev Kernel Device Manager
systemd-user-sessions.service                                                            loaded active exited    Permit User Sessions
systemd-vconsole-setup.service                                                           loaded active exited    Setup Virtual Console
udisks2.service                                                                          loaded active running   Disk Manager
upower.service                                                                           loaded active running   Daemon for power management
dbus.socket                                                                              loaded active running   D-Bus System Message Bus Socket
dmeventd.socket                                                                          loaded active listening Device-mapper event daemon FIFOs
lvmetad.socket                                                                           loaded active listening LVM2 metadata daemon socket
syslog.socket                                                                            loaded active running   Syslog Socket
systemd-initctl.socket                                                                   loaded active listening /dev/initctl Compatibility Named Pipe
systemd-journald.socket                                                                  loaded active running   Journal Socket
systemd-shutdownd.socket                                                                 loaded active listening Delayed Shutdown Socket
systemd-udevd-control.socket                                                             loaded active listening udev Control Socket
systemd-udevd-kernel.socket                                                              loaded active running   udev Kernel Socket
dev-sda6.swap                                                                            loaded active active    /dev/sda6
arch-daemons.target                                                                      loaded active active    Arch Daemons
basic.target                                                                             loaded active active    Basic System
cryptsetup.target                                                                        loaded active active    Encrypted Volumes
getty.target                                                                             loaded active active    Login Prompts
graphical.target                                                                         loaded active active    Graphical Interface
local-fs-pre.target                                                                      loaded active active    Local File Systems (Pre)
local-fs.target                                                                          loaded active active    Local File Systems
multi-user.target                                                                        loaded active active    Multi-User
remote-fs.target                                                                         loaded active active    Remote File Systems
sockets.target                                                                           loaded active active    Sockets
sound.target                                                                             loaded active active    Sound Card
swap.target                                                                              loaded active active    Swap
sysinit.target                                                                           loaded active active    System Initialization
syslog.target                                                                            loaded active active    Syslog
systemd-tmpfiles-clean.timer                                                             loaded active waiting   Daily Cleanup of Temporary Directories
76 loaded units listed. Pass --all to see loaded but inactive units, too.

sudo nmap -v -sT localhost

Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-13 13:01 CET
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating Connect Scan at 13:01
Scanning localhost (127.0.0.1) [1000 ports]
Completed Connect Scan at 13:01, 0.03s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00058s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
All 1000 scanned ports on localhost (127.0.0.1) are closed

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

[Connecting to the LAN and therefore to Internet]
If I try to connect to internet now, it doesn't work. I can do sudo ifconfig eth0 up, but sudo dhcpcd eth0 doesn't work.
It says: eth0 sending IPv6 Router Solicitation.... finally no IPv6 Routers available. Timed out.    I know that it has to be IPv4, but yesterday it worked, today not.
If I try to do ping 192.168.1.1 it says: network is unreachable.
I have to edit /etc/dhcpcd.conf manually and modify this lines:
#noipv4ll
noipv6rs

Also, modify the /etc/hosts and comment ::1 line
But as I said, i didn't modified them to the inverse, and yesterday (first time I connect computerB to the LAN of computerA it worked correctly the dhcpcd for ipv4)

As I see, still not network connection... at least dhcpcd has assigned me an ip, etc, but it is not the normal in range 192.168.1.x (as the router 192.168.1.1 and the other pc 192.168.1.33)
but 169.254.67.213, netmask 255.255.0.0 and broadcast 169.254.255.255
Something weird... and of course, still network is unreachable if I try to do ping to google or the router.
I have to reset manually the router to can work properly from the computerB.

Anormal behaviour
The point is after I connect to the Internet (ping that works) the computer get slowly, emacs doesn't work, if I try to open another terminal it says KDEInit could not launch '/usr/bin/konsole'
So, something goes wrong.



uname -r
3.7.9-2-ARCH

NMAP from ComputerA to ComputerB

Initiating Connect Scan at 13:51
Scanning 192.168.1.34 [1000 ports]
Completed Connect Scan at 13:52, 50.80s elapsed (1000 total ports)
Nmap scan report for 192.168.1.34
Host is up (0.98s latency).
Not shown: 999 filtered ports
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: xf:xf:xf:xf:xf:xf (xfxfxf.)

Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (3 hosts up) scanned in 62.24 seconds
           Raw packets sent: 508 (14.224KB) | Rcvd: 2 (56B)

ps aux in computerB

F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
4 S     0     1     0  0  80   0 -  1261 epoll_ ?        00:00:00 systemd
1 S     0     2     0  0  80   0 -     0 kthrea ?        00:00:00 kthreadd
1 S     0     3     2  0  80   0 -     0 smpboo ?        00:00:00 ksoftirqd/0
1 S     0     5     2  0  60 -20 -     0 worker ?        00:00:00 kworker/0:0H
1 S     0     7     2  0  60 -20 -     0 worker ?        00:00:00 kworker/u:0H
1 S     0     8     2  0 -40   - -     0 cpu_st ?        00:00:00 migration/0
1 S     0     9     2  0  80   0 -     0 rcu_gp ?        00:00:00 rcu_preempt
1 S     0    10     2  0  80   0 -     0 rcu_gp ?        00:00:00 rcu_bh
1 S     0    11     2  0  80   0 -     0 rcu_gp ?        00:00:00 rcu_sched
5 S     0    12     2  0 -40   - -     0 smpboo ?        00:00:00 watchdog/0
5 S     0    13     2  0 -40   - -     0 smpboo ?        00:00:00 watchdog/1
1 S     0    14     2  0  80   0 -     0 smpboo ?        00:00:00 ksoftirqd/1
1 S     0    15     2  0 -40   - -     0 cpu_st ?        00:00:00 migration/1
1 S     0    17     2  0  60 -20 -     0 worker ?        00:00:00 kworker/1:0H
1 S     0    18     2  0  60 -20 -     0 rescue ?        00:00:00 cpuset
1 S     0    19     2  0  60 -20 -     0 rescue ?        00:00:00 khelper
5 S     0    20     2  0  80   0 -     0 devtmp ?        00:00:00 kdevtmpfs
1 S     0    21     2  0  60 -20 -     0 rescue ?        00:00:00 netns
1 S     0    22     2  0  80   0 -     0 bdi_fo ?        00:00:00 bdi-default
1 S     0    23     2  0  60 -20 -     0 rescue ?        00:00:00 kblockd
1 S     0    26     2  0  80   0 -     0 watchd ?        00:00:00 khungtaskd
1 S     0    27     2  0  80   0 -     0 kswapd ?        00:00:00 kswapd0
1 S     0    28     2  0  85   5 -     0 ksm_sc ?        00:00:00 ksmd
1 S     0    29     2  0  99  19 -     0 khugep ?        00:00:00 khugepaged
1 S     0    30     2  0  80   0 -     0 fsnoti ?        00:00:00 fsnotify_mark
1 S     0    31     2  0  60 -20 -     0 rescue ?        00:00:00 crypto
1 S     0    35     2  0  60 -20 -     0 rescue ?        00:00:00 kthrotld
1 S     0    36     2  0  80   0 -     0 worker ?        00:00:00 kworker/1:2
1 S     0    37     2  0  60 -20 -     0 rescue ?        00:00:00 deferwq
1 S     0    78     2  0  80   0 -     0 hub_th ?        00:00:00 khubd
1 S     0    79     2  0  60 -20 -     0 rescue ?        00:00:00 ata_sff
1 S     0    80     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_0
1 S     0    81     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_1
1 S     0    82     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_2
1 S     0    83     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_3
1 S     0    84     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_4
1 S     0    85     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_5
1 S     0    88     2  0  80   0 -     0 worker ?        00:00:00 kworker/u:4
1 S     0    89     2  0  80   0 -     0 worker ?        00:00:00 kworker/u:5
1 S     0    92     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_6
1 S     0    93     2  0  80   0 -     0 usb_st ?        00:00:00 usb-storage
1 S     0    96     2  0  60 -20 -     0 worker ?        00:00:00 kworker/1:1H
1 S     0    97     2  0  60 -20 -     0 worker ?        00:00:00 kworker/0:1H
1 S     0    98     2  0  80   0 -     0 worker ?        00:00:00 kworker/0:2
1 S     0   106     2  0  80   0 -     0 kjourn ?        00:00:00 jbd2/sda5-8
1 S     0   107     2  0  60 -20 -     0 rescue ?        00:00:00 ext4-dio-unwrit
4 S     0   124     1  0  80   0 -  2752 epoll_ ?        00:00:00 systemd-udevd
4 S     0   129     1  9  80   0 - 69899 epoll_ ?        00:02:51 systemd-journal
1 S     0   136     2  0  60 -20 -     0 rescue ?        00:00:00 iprt
1 S     0   217     2  0  60 -20 -     0 rescue ?        00:00:00 kpsmoused
1 S     0   220     2  0  80   0 -     0 bdi_wr ?        00:00:00 flush-8:0
1 S     0   238     2  0  60 -20 -     0 rescue ?        00:00:00 led_workqueue
1 S     0   239     2  0  60 -20 -     0 rescue ?        00:00:00 cfg80211
1 S     0   270     2  0  60 -20 -     0 rescue ?        00:00:00 ttm_swap
1 S     0   272     2  0  60 -20 -     0 rescue ?        00:00:00 hd-audio0
1 S     0   341     2  0  60 -20 -     0 rescue ?        00:00:00 hd-audio1
5 S     0   345     1  0  80   0 -  1231 fuse_d ?        00:00:00 mount.ntfs-3g
4 S     0   350     1  0  80   0 -  1902 epoll_ ?        00:00:00 syslog-ng
4 S     0   354     1  0  80   0 -  1202 hrtime ?        00:00:00 crond
4 S    81   355     1  0  80   0 -   834 epoll_ ?        00:00:00 dbus-daemon
4 S     0   356     1  0  80   0 -   834 epoll_ ?        00:00:00 systemd-logind
4 S     0   363     1  0  80   0 -   953 n_tty_ tty1     00:00:00 agetty
4 S     0   364     1  0  80   0 -   992 poll_s ?        00:00:00 kdm
4 S     0   391   364  0  80   0 - 20112 poll_s tty7     00:00:12 X
5 S     0   400   364  0  80   0 -  1367 sigsus ?        00:00:00 kdm
4 S  1000   412   400  0  80   0 -  1299 wait   ?        00:00:00 startkde
1 S  1000   423     1  0  80   0 -   906 poll_s ?        00:00:00 dbus-launch
1 S  1000   424     1  0  80   0 -  1027 epoll_ ?        00:00:00 dbus-daemon
1 S  1000   450     1  0  80   0 -  1184 poll_s ?        00:00:00 gpg-agent
1 S  1000   453     1  0  80   0 -  1054 poll_s ?        00:00:00 ssh-agent
5 S     0   468     1  0  80   0 -   508 pipe_w ?        00:00:00 start_kdeinit
1 S  1000   469     1  0  80   0 - 32316 poll_s ?        00:00:00 kdeinit4
1 S  1000   470   469  0  80   0 - 32821 poll_s ?        00:00:00 klauncher
1 S  1000   472     1  0  80   0 - 53818 poll_s ?        00:00:01 kded4
1 S  1000   479     1  0  80   0 - 36628 poll_s ?        00:00:00 kglobalaccel
1 S  1000   483     1  0  80   0 - 36498 poll_s ?        00:00:00 kactivitymanage
0 S     0   484     1  0  80   0 -  7424 poll_s ?        00:00:00 upowerd
0 S  1000   485   412  0  80   0 -   542 unix_s ?        00:00:00 kwrapper4
1 S  1000   486   469  0  80   0 - 38796 poll_s ?        00:00:00 ksmserver
4 S   102   492     1  0  80   0 - 15479 poll_s ?        00:00:00 polkitd
0 S     0   528     1  0  80   0 - 10763 poll_s ?        00:00:00 udisksd
0 S  1000   550   486  0  80   0 - 117798 poll_s ?       00:00:11 kwin
1 S  1000   579     1  0  80   0 - 37489 poll_s ?        00:00:02 knotify4
1 S  1000   583     1  0  80   0 - 117596 poll_s ?       00:00:10 plasma-desktop
1 S  1000   589     1  0  80   0 - 21540 poll_s ?        00:00:00 kuiserver
0 S  1000   598     1  0  80   0 - 11396 poll_s ?        00:00:00 akonadi_control
0 S  1000   600   598  0  80   0 - 51206 poll_s ?        00:00:00 akonadiserver
0 S  1000   603   600  0  80   0 - 62394 poll_s ?        00:00:00 mysqld
1 S  1000   636     1  0  80   0 - 77142 poll_s ?        00:00:01 krunner
1 S  1000   638   469  0  80   0 - 35216 poll_s ?        00:00:00 nepomukserver
0 S  1000   642   638  0  99  19 - 40628 poll_s ?        00:00:06 nepomukservices
1 S  1000   645     1  0  80   0 - 60325 poll_s ?        00:00:00 kmix
1 S  1000   647     1  0  80   0 - 21835 poll_s ?        00:00:00 nepomukcontroll
1 S  1000   650     1  0  80   0 - 27785 poll_s ?        00:00:02 yakuake
0 S  1000   662   598  0  80   0 - 21476 poll_s ?        00:00:00 akonadi_agent_l
0 S  1000   663   598  0  80   0 - 39524 poll_s ?        00:00:00 akonadi_archive
0 S  1000   666   598  0  80   0 - 21526 poll_s ?        00:00:00 akonadi_agent_l
0 S  1000   667   598  0  80   0 - 21475 poll_s ?        00:00:00 akonadi_agent_l
0 S  1000   668   598  0  80   0 - 23760 poll_s ?        00:00:00 akonadi_maildis
0 S  1000   669   598  0  80   0 - 39525 poll_s ?        00:00:00 akonadi_mailfil
1 S  1000   671     1  0  80   0 - 24361 poll_s ?        00:00:00 polkit-kde-auth
0 S  1000   672   598  0  80   0 - 24962 poll_s ?        00:00:00 akonadi_nepomuk
0 S  1000   679   650  0  80   0 -  1312 wait   pts/1    00:00:00 bash
1 S  1000   692     1  0  80   0 - 26347 poll_s ?        00:00:00 korgac
1 S  1000   711     1  0  80   0 - 36400 poll_s ?        00:00:00 klipper
0 S  1000   768   642  1  99  19 - 13394 futex_ ?        00:00:30 virtuoso-t
0 S  1000   779   638  0  99  19 - 27301 poll_s ?        00:00:00 nepomukservices
0 S  1000   780   638  0  99  19 - 30844 poll_s ?        00:00:11 nepomukservices
1 S     0   884     2  0  80   0 -     0 worker ?        00:00:00 kworker/1:0
5 S     0   992     1  0  80   0 -   605 poll_s ?        00:00:00 dhcpcd
1 S     0  1019     2  0  80   0 -     0 worker ?        00:00:00 kworker/0:1
1 S     0  1150     2  0  80   0 -     0 worker ?        00:00:00 kworker/0:0
4 S     0  1173   679  0  80   0 -  1267 poll_s pts/1    00:00:00 sudo
4 R     0  1174  1173  0  80   0 -  1156 -      pts/1    00:00:00 ps

About Question B: Today I have switch on again the ComputerB and now is normal with the "@localhost", but for me was weird the yesterday behaviour.. never happen to me before. I would like to know why it happened.

Thank you for the tripwire, I will have a look.

[More info related to network]
Both computers use:
- everyday Mozilla Firefox and Thunderbird
- often KTorrent, KGet and Skype
- seldom DropBox


[Answering Brebs]
Yes, firefox bookmarks have been modified (two deleted, two added) in a specific folder of one of the users.

I know that is the first rule of a intruder: don't alert legitimate users when you go inside. But in this case it can be "seen" as a threat.

I'm pretty sure (100%) the users didn't modify that. And if is in some weird/error manipulation of the user interface of Firefox, is not so easy. At least "Bookmarks - Toolbar - FolderX - Right Button - Delete" twice times, and then add another two.
One or two clicks in a random way, could provoque something, but no so many things, movements.

How can I know if the "Firefox sandbox" was broken?
I have never tested an exploit, so I don't know what is the potential of its use.

I will have a look to AppArmor in the next hours.

Thanks for you both!

Offline

#5 2013-03-14 04:51:47

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Afraid of system being compromised - newbie in "security"

Ya, OpenSUSE... configure AppArmor to your liking

As for, "how do I know when I have been attacked, what they did, ...." You need to plan ahead of time to be able to do this stuff. Look into OSSEC, AIDE, TripWire. Some "Security Solution" you should look into are Alien Vault and Security-Onion

Personally, I'd say go OSSEC on all computers and AlienVault for the whole network. On Linux boxes hardened the kernel with grsecurity/PaX.

As of right now for all computers that you think "may" have been compromised assume they are; backup + fresh install.

Last edited by hunterthomson (2013-03-14 05:02:03)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#6 2013-03-14 10:10:35

brebs
Member
Registered: 2007-04-03
Posts: 3,401

Re: Afraid of system being compromised - newbie in "security"

hunterthomson wrote:

"may" have been compromised assume they are

And then be hacked again, because it happened by magic. This is scaremongering to my mind - two surprising firefox bookmarks do not make a compromised system.

Offline

#7 2013-03-14 10:17:10

Trilby
Forum Moderator
From: Massachusetts, USA
Registered: 2011-11-29
Posts: 13,376
Website

Re: Afraid of system being compromised - newbie in "security"

Well it's the first thing I'd do if I hacked into someone else's system: I change their firefox bookmarks ... but only a couple of them.

It's so very evil just because it makes them unsure about whether they've really been hacked.  It makes them second guess their own suspicions.  It makes them wonder if they're crazy.

Or maybe not.


InterrobangSlider
• How's my coding? See this page.
• How's my moderating? Feel free to email any concerns, complaints, or objections.

Offline

#8 2013-03-15 03:58:32

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Afraid of system being compromised - newbie in "security"

brebs wrote:
hunterthomson wrote:

"may" have been compromised assume they are

And then be hacked again, because it happened by magic. This is scaremongering to my mind - two surprising firefox bookmarks do not make a compromised system.

Well, I was assuming that when they did the fresh install they would setup the systems and services needed to harden their systems and track intrusions.

Sure, amusing the book marks were in fact changed, it is very likely only Firefox was molested and not the whole system. However, if you don't have any logs you can trust... assume the systems are compromised and reinstall.

It sounded like they are not some home computers, but computers being used in a business. Don't take the risk of assuming nothing is compromised based only on hope. Do your job and protect the network.

Last edited by hunterthomson (2013-03-15 04:01:46)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#9 2013-03-15 06:04:14

dag
Member
From: US
Registered: 2013-01-20
Posts: 216

Re: Afraid of system being compromised - newbie in "security"

it would like a burgler steeling nothing but just rearange your furniture. you still make sure the grates on window and the door lock work correctly or even change the key.


--------------------------------------
alcoves wonder creates the wonder unto the ages; never lose that.

Offline

#10 2013-03-15 07:18:55

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Afraid of system being compromised - newbie in "security"

Well, I am sure we all know the attack could go down something like this.

Find a small drive-by exploit to change bookmarks in Firefox

Use this attack to change the bookmarks on peoples Firefox to redirect them to a website that hosts up-to-date exploits for the Win, Mac, Linux.

This exploit then downloads a virus or rootkit.

Now the attacker owns your box and steals all your site/vpn/ssh/ftp logins, SSN's, credit card numbers, infect other computers on the LAN, and make it a part of a botnet.

Last edited by hunterthomson (2013-03-15 12:29:44)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#11 2013-03-31 09:28:12

Zzipo
Member
From: North Spain
Registered: 2013-01-07
Posts: 48

Re: Afraid of system being compromised - newbie in "security"

hunterthomson wrote:

Ya, OpenSUSE... configure AppArmor to your liking

As for, "how do I know when I have been attacked, what they did, ...." You need to plan ahead of time to be able to do this stuff. Look into OSSEC, AIDE, TripWire. Some "Security Solution" you should look into are Alien Vault and Security-Onion

Personally, I'd say go OSSEC on all computers and AlienVault for the whole network. On Linux boxes hardened the kernel with grsecurity/PaX.

As of right now for all computers that you think "may" have been compromised assume they are; backup + fresh install.

Thank you very much to everyone.

I am reading about AppArmor. I see that it started in OpenSUSE with this, but I see that it is possible to use in ArchLinux (AUR,..).

Are complementary? Or it is better to use only OSSEC?. Because If I don't understand you wrongly, the best would be: OSSEC + grsecurity/PaX + AlienVault.

I don't know if the users of the computer (random people) would find difficult to work with the computer if I put all these systems.

I don't know about security, but I can imagine that everything is possible, like you say through "java/bookmarks,... exploits in Firefox and then going up in the linux system with rootkit".

Thank you again

Offline

#12 2013-04-01 12:59:50

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Afraid of system being compromised - newbie in "security"

Yes, you can use OSSEC with AppArmor. OSSEC is a cross-platform (Windows and Linux) Open Source very well respected Host Based Intrusion Detection System (HIDS). With it you can have it monitor syslog log's and send alerts when it recognizes log entries that match regular expressions you configure. (I don't know about journal systemd, however you can use syslog alongside systemd's journal) OSSEC can also maintain a list of hashes of all the files in whatever directories you configure it to, such as /boot /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin   ...  OSSEC has two parts, and Agent and a Server. This way you can keep all these logs on the Server.

AppArmor basically will define a list of files and directories that an executable or user or group has permissions to access and what those permissions are. The basic example is that if you define a AppArmor policy for an NTP daemon (which runs as root) if that NTP daemon gets exploited the attacker would basically only be able to change the time, in stead of having full Root access to the computer.

grsecurity & PAX prevent the computer from being exploited in the first place. A Linux system hardened with grsecurity & pax is the most secure main stream OS in the world. More secure then OpenBSD, more secure the NetBSD. However, on a desktop you need to make some security exceptions for desktop applications to function. So, on a desktop you also need to setup RBAC (which is what inspired AppArmor) to make up for them. On a server you don't need to make any exceptions. All common Linux server software like Apache, Postfix, Dovecot, and so on will run on a fully hardened system with all grsecurity hardening settings turned on. >> NOTE: not all grsecurity settings make the system more secure. Some enable backwords compatablity that makes it weaker. << The config that ships with the AUR packages only needs a few things changed. On a Desktop you only need to disable grsecurity sysctl support. On a server you can enable the CONFIG_GRKERNSEC_IO and CONFIG_PAX_SIZE_OVERFLOW also disable sysctl support.... I keep asking the maintainer to have grsecruity sysctl support disabled in the default config, but he really dose not want to for some reason. Up-steam even says it should be disabled on a production system. If it is enabled, all someone needs to do is get Root access and then they can disable all the security settings and gain Kernel access.

AlienVault is a Debian based all-in-one "Security Appliance". It will take you a good month to really figure it all out. But it is a fully baked solution. It can be your OSSEC Server. It also has Snort with a load of good rules to alert on. It basically has every Open Source security monitoring software ever invented integrated into it.

All of these solutions will take you a good amount of time to learn. I'd say learn them for a while on test computers and/or VM's then when you are comfortable reinstall the OS on all desktops and servers in a really secure way.... maybe migrate the servers first then when the dust settles migrate the desktops.

Last edited by hunterthomson (2013-04-01 13:09:00)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#13 2013-04-02 18:54:25

Zzipo
Member
From: North Spain
Registered: 2013-01-07
Posts: 48

Re: Afraid of system being compromised - newbie in "security"

Really, thank you for those explanations... really good!! wink

Now It is like Chinese, but eventually, it will be like an understandable language.

My plan is to use for desktops (not servers), although maybe one or two desktops run sshd server, but not more.

I read about AlienVault, and it appears OSSIM, with lots of applications like Snort. I understand that AlienVault is the company/group of developers, and OSSIM the product. As I see in its Web, there are lot of "products". I think it is too hard for now. When you say "Debian-based" I understand some sort of distribution. But when you said in previous post "for the whole network" I understood another thing.

Ok, so far, I am going to try to use AppArmor + OSSEC. And in a while grsecurity+PaX (maybe some months).

I think I will need lot of time to understand/use, because I am really busy in other things.

The only thing that confused me is "client and server side", when I am going to use it in desktop systems. I understand I will need to do it combined with other systems (maybe where the "hashes" of the files to compare against changes).

I will "research" from this point.

Really thank you for this info!

Offline

#14 2013-04-03 13:43:09

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Afraid of system being compromised - newbie in "security"

That sound like a good plan to me. Ya, it will take time. No one would expect you to learn it all in a week tongue

Owe... ya, that is correct. The product name is OSSIM. Silly me. Well, think of it as a "Network Appliance". It is Debian based but don't try and mess with it on that level. Only use their scripts and web-configuration otherwise it will get all kinds of messed up.

The reason I said "for the whole network" is because you can use Netflow and JFlow (Juniper's netflow) on all your managed switches and routers to send all kinds of statistics about network traffic to OSSIM. You can also have Linux send Netflow data to OSSIM. All your routers, switches, server, and desktops can send their logs to OSSIM to be stored and signed with a GPG key to verify integrity. OSSIM will also monitor the logs and alert on events..... So, I just meant that every device on your whole network can be monitored by OSSIM.

Ya, OSSEC can have an Agent on the desktops and be controlled by a central computer running the server component (I may have those names backwards Agent/Server). This way even if the desktop gets owned the server is not so it will still report the security breach. If you run the Agent and Server both on the same computer then an attacker can just turn it off or modify the program to not report anything.

I also just want to clarify that... grsecurity + PAX gives you the tools you need to have the most secure OS.... but right out of the box it dose basically still make Linux the most secure OS tongue

There are thing that you can configure to make it super secure.

Example: It give you TPE "Trusted Path Execution" and makes it impossible for even the Root user to re-mount a file-system Read-Write after it has been mounted Read-Only. The only way to make it Read-Wirte again is to boot into a stock kernel ... or into a live CD and edit the fstab so they are not read only.

So... you could mount everything Read-Only except /tmp /var and /home . Then TPE will prevent anything from being executed from these directories. That way the only places on the disk that you can execute code from are on file-system that are Read-Only.... basically making Privilege Escalation Attacks super crazy hard, and modifying any program impossible, without first owning the Kernel which it self is super crazy hard to own with all the other security measures put in place.

Last edited by hunterthomson (2013-04-03 13:44:15)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

Board footer

Powered by FluxBB