Security :: Connection Between Traffic Control Rules & Chkrootkit Threat Notifications?

Sep 25, 2010

Two days ago we started to receive the following message:

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/lib/init/rw/.mdadm /lib/init/rw/.ramfs
/lib/init/rw/.mdadm
INFECTED (PORTS: 4369)
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

At about the same time (a day before that) we had set up new rules for the queueing disciplines using 'tc' on our Debian lenny box (these rules are for some of the experiments we are carrying out). I have run chkrootkit manually and this message (as above) keeps appearing, while the rkhunter tool does not complain about these items. Could there be a connection between setting up the new qdiscs and the chkrootkit "INFECTED" messages?

Ubuntu Security :: Emerging Threat Rules & Snortsam?

May 30, 2010

When I upgraded to 10.4LT I agreed to something that stopped snort; after days I decided to just re-do it with the new snort version. I used bodhi.zazen's MySql instruction version (which is what I used in the past). Everything went pretty well except for figuring out that I needed to delete all the lib_sfdynamic_preprocessor_example?? files (I also deleted all the lib_sfdynamic_example?? files too, just to be safe). I used my original Oinkmaster with updated rules version and downloaded the emerging threats too (as I had in the past), and snort won't run with some of the emerging threat rules because it's looking for snortsam (fwsam). I read up and snortsam looks like a good idea (if I'm wrong, somebody just let me know).

if this seems dumb, but I really don't understand: the snortsam directions are HORRIBLE, the snortsam src looks like a Windows file when unpacked, with all the .dll files (but they say it's for all OSes); it builds, but you need to copy the binary to /usr/local/bin (what in Ubuntu would be a binary?).

The snortsam-patch-2.8.tar.gz won't unpack, and the Snort 2.8.6 patch is a file, not a package (I have no clue where to put it or what to call it if I got the 2.8.tar.gz to unpack so I could build it).

Security :: How To Write Iptables Rules To Control Drop All Connection

Feb 23, 2010

I have set up my Linux Fedora server and I want to restrict access to my server. Basically I control it using iptables. I'm not sure how to write iptables rules to drop all connections to port 8080 and allow only certain IPs to access the instance on port 8080, for example ip=10.254.14.16, 192.168.1.10.

Security :: Opensuse Susefirewall 2 And My Own Rules - Block Outgoing Traffic Except Some Apps

May 1, 2010

I have trouble with opensuse susefirewall 2 and my own rules. Since I have installed a suspicious download manager, I detect outgoing traffic in the monitor and I want to block outgoing traffic except for some apps like firefox, jinchess ...

1) I had to modify FW_CUSTOMRULES="" to FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" in /etc/sysconfig/SuSefirewall2

2) I had to add my own rules in /etc/sysconfig/scripts/SuSEfirewall2-custom in the appropriate hook

3) I don't know if the rules are good.. They seem to work because, for example, jinchess can't access its server with the DROP rule until I add the ACCEPT rule, BUT in fact the download manager still accesses the internet, and amarok too when it searches for song lyrics! I have discovered it's because the other apps use port 80.

I give here the file /etc/sysconfig/scripts/SuSEfirewall2-custom

How to make firefox use another specified port? I wanted to use privoxy with tor but it doesn't work.. Is there an input/output controller on Linux (something like zonealarm on XP)? The trouble is that all outgoing traffic is permitted by default!

Networking :: Verizon Broadband: Security Threat

Dec 14, 2008

Either Verizon has been hacked or they have installed something that should be a security concern. I have found the following Javascript "injected" into most webpages. I know it is added via a Verizon (wireless broadband) connection because a) it does not happen when I use Embarq DSL, and b) it happens to webpages that I have created (and I certainly did not add the Javascript!). So, here it is:

Well, that's my story. My concern is that I was able to view some private information (via a backend login) using the modified link, example: http:// 62.0.5.133/www.somedomain.comm/login/myaccount.php!! (this displayed private info!) I have since installed Privoxy to remove the offending Javascript before it gets actuated by my browser.

Security :: Snort And MS Threat Protection Manager?

Feb 24, 2011

I work in a relatively small organisation of about 30 people (but with a complex network) and we've been looking to move our firewall to Microsoft's Threat Protection Manager on a mostly Windows network. I've been thinking we should have an IDS/IPS inside the firewall and I've been thinking about Snort in NIDS mode but have some basic questions:

1. Can anyone recommend a good web GUI for Snort?

2. Is it advisable to run both on the same machine? (Both from a POV of security and resources.)

3. Would Snort add any real benefit to using TPM?

Ubuntu Security :: Best Way To Use Chkrootkit Or Rkhunter

Apr 14, 2010

What is the best method for checking for rootkits? I have heard that it is best not to install and run these programs on the distro itself. Would it be possible to install them on another distro/partition and then use them to check for rootkits on my main partition/distro (Ubuntu)?

Ubuntu Security :: Chkrootkit Log, Compromised Box?

Mar 28, 2011

Looks like my firefox has been compromised and I have a packet sniffer. Not sure what to do. Should I just delete the suspicious files? Here's the chkrootkit log:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected

[code]....

Security :: Chkrootkit Versus Rootkit Hunter

Jun 8, 2010

I am going through the motions of testing the chkrootkit and rootkit hunter applications on one of our servers. I wanted to get feedback from those who know both as to which of the two is better at 'sniffing' out rootkits. Alternatively, can both be installed without interfering with each other?

Security :: Localhost Scans With Rkhunter And Chkrootkit?

Feb 16, 2011

Let's say you have a host with some kind of locally installed rootkit detector/scanner.

If someone managed to get root access to that box, wouldn't the first thing to do, before installing a rootkit, be to remove any kind of rootkit detector?

Ubuntu Security :: Ran A Chkrootkit Scan And Found - Suspicious Files And Directories ?

Aug 1, 2010

I ran a chkrootkit scan and found this: The following suspicious files and directories were found: /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.8/.autoreg /usr/lib/firefox 3.6.8/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo

How do I get rid of these suspicious files?

Networking :: Using Ip Tables And Rules, Will Be Able To Make All Three Of These Able To Handle Traffic?

Mar 22, 2011

I have a machine with 3 internet-facing NICs, all of which have static IPs. The IPs are all in the same subnet and use the same default gateway. Using ip tables and rules, will I be able to make all three of these able to handle traffic? I have the following configured, but it doesn't appear to work:

# ip rule
0:from all lookup local
500:from 72.43.220.146/29 lookup 1

[code].....

Ubuntu Security :: Snort Not Starting - ERROR: "/etc/snort/rules/exploit.rules(264) => 'fast_pattern' Does Not Take An Argument"

May 12, 2011

I need assistance with my Snort installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a fatal error:

ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting..

Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T

Running in Test mode

[Code]...

Ubuntu Security :: Rkhunter/ Chkrootkit And Exim4 - Installing Progs On Lucid It Comes With Exim4?

May 7, 2010

When installing these progs on Lucid it comes with exim4; I noticed this in the terminal output. What has exim4 to do with rkhunter and/or chkrootkit?

Networking :: Traffic Control ?

Oct 19, 2010

How are packets treated that do not match any of the filters?

General :: Internet Connection Sharing - All Traffic From The Ethernet Connection Out Through The Wireless

Jun 25, 2010

I would like to have all traffic from the ethernet connection go out through the wireless (basically using the box as a router), however I am having some trouble doing this.

I have done this before on Windows, however I am having some trouble doing this on Linux. I have tried using Squid Proxy, however I am having some trouble configuring/using it.

I am using Yellow Dog Linux, however I am willing to change to any other distro as long as it is compatible with the PS3 (as this is what I'm using Linux on).

Software :: Installing Tcng For Traffic Control

Mar 21, 2011

tcng for Linux traffic control. I have done all the steps necessary, including compiling a QoS-ready kernel, and I am still receiving the same error while trying to ./configure

[Code]...

I definitely have bison installed, and I've also tried other packages involving YACC:

root@mikeypc:/usr/src/tcng# which yacc
/usr/bin/yacc

which then leads to bison.

Fedora Networking :: Advance Routing And Traffic Control

Feb 23, 2010

I'm currently reading through the Linux Advanced Routing and Traffic Control HOWTO from lartc.org, and I'm wondering whether anyone knows of a file where I could keep qos rules persistent across a reboot, similar to /etc/sysconfig/iptables for netfilter. Should I just write my own script, or does something already exist?
By the way, iproute-2.6.29-4.fc12.i686.

Ubuntu Networking :: Control Internet Traffic Without Router?

Jul 27, 2010

I have a desktop, a laptop, & a wireless router. The router, unfortunately, doesn't support dd-wrt, tomato, etc firmware, but I would still like to prioritize voip/web browsing over bulk Internet traffic. I hope I can offload the router's missing QoS to my desktop.

Is it possible to have the laptop's connection go from the wall to the router to the desktop, where the desktop could perform the QoS of tomato, then continue on to the laptop? I'm a bit of a noob to networking (subnets?) but do well enough following good instructions.

As for the program that would do the QoS... Don't some Linux machines basically work as super-powered routers for businesses? So there must be some package, but I couldn't find one. The closest I got was wondershaper, but it only shapes traffic for the computer on which it's installed; it might form part of the solution but falls short on its own. Other devices should be able to access the Internet normally if the desktop is turned off, and it should work with other devices like a (jailbroken) iPod Touch.

Software :: Control Traffic Forward To Squid Server?

May 5, 2010

The network in my company uses a Squid Proxy server to browse the internet. The browser is IE or Firefox, and the OS is Windows XP. The company needs to use a new software for work, but the software doesn't have a function to configure a Proxy server to connect to a server outside. I don't want to NAT the port on the router because I cannot control the traffic. Is there any software like a Proxy Client ... installed on Windows XP? My idea is that the software would be like ISA server - ISA client.

Debian :: Update Notifications For Security Patches On Jessie

May 15, 2015

Is there any way to get update notifications for security patches on Debian jessie? I was using update-manager and update-notifier on wheezy and that worked well. Update-notifier on jessie doesn't seem like it's working...

Ubuntu Security :: Can Ossec Be Run From With Less Notifications To Mail Only Intrusions

Mar 7, 2010

Can ossec be run from Ubuntu with fewer notifications, to mail only intrusions? I really don't wish to be notified of every single thing that goes on in my system. I only want to be notified of intrusions and anything else that would be of serious concern. Can anyone tell me what setting I can use to achieve the goal in mind?

Fedora :: Disable Notifications Bubble / Notifications Bubbles Appear Right And Top Of Screen?

Jan 18, 2010

I have those notification bubbles that appear at the top right of my screen.

Besides being RIDICULOUSLY big, I don't need them.

I don't know if it is the same, but they look like this:

NOTE THIS PICTURE IS JUST AN EXAMPLE I FOUND ON THE INTERNETS - I WANT TO DISABLE ALL NOTIFICATIONS

Ubuntu :: Mikrotik - Control Access To Bind Mac Address With Ip Address And Control The Bandwidth For Individual Connection

Feb 14, 2011

I have a Xeon machine with Ubuntu. The machine specification is 3GB RAM, 3 SCSI hard drives each 73GB; it has two ethernet cards, one ethernet card is connected to the ADSL modem and the second is connected to the LAN. Now what mikrotik is doing for me is controlling access to bind MAC address with IP address and controlling the bandwidth for individual connections.

Ubuntu :: Change Settings On The Notifications That Show On The Screen When A Wireless Connection Is Established?

Sep 3, 2010

I've been wondering about how I can change settings on the notifications that show on the screen when a wireless connection is established, when I get new mail, etc. They look a lot like growl notifications from OSX, but clicking on them doesn't show me anything. If someone could explain a little about what they are/do.

Server :: PPTP Traffic - Gre Traffic Is Being Generated During The Browsing / Reduce Traffic

Sep 27, 2009

Recently I noticed that when I'm connected to a VPN server (pptpd) and I'm using it as a default gateway, my download and upload speed decreases to almost half of the usual speed. I made a test using iptables in order to count how many GRE packets are generated (apart from the real traffic itself) in this way:

Code:
iptables -I INPUT -p gre -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT

iptables -I FORWARD -s 172.16.10.101 -j ACCEPT
iptables -I FORWARD -d 172.16.10.101 -j ACCEPT
The first 2 rules match all GRE packets between the pptpd server and client, and the next rules match the traffic between the server and the client.

When I reset the counters to zero and begin to generate traffic (browsing, downloading etc.) I see that the GRE packets are even more than those in the FORWARD chain.

So, my question is, first of all, is my test correct, and is it true that so much GRE traffic is being generated during browsing (it becomes clear that the traffic is double what it would be if pptpd weren't used as a gateway), and if yes, can that traffic be reduced?

Ubuntu Security :: .encryptfs Folder Is Taking Up So Much Space - Getting Notifications Every Time Log In

May 20, 2011

When I reinstalled Ubuntu I chose to encrypt my home folder (something that I've never done before), but now that I know it doesn't really make a difference I'd like to decrypt it, because the .encryptfs folder is taking up so much space I'm getting notifications every time I log in.

Ubuntu Multimedia :: PulseAudio Volume Control - Connection Failed:Connection Refused

Jul 4, 2010

I tried to finally set up surround sound on my Ubuntu 10.04 machine and I was successful in doing so after a while of changing settings and tinkering. After doing so, though, I was later in the day not able to get into the Pulseaudio Volume Control; therefore, everything is stuck where it is and I can't change anything. When I try to open Pulseaudio Volume Control I get the error message, Connection failed, Connection refused. My programs still play sound and I can control the sound of the programs through the programs, but I can't control the sound of the surround sound now, and my main sound bar only affects my stereo speakers, not the surround ones.

I believe this may have happened after the random disk check on restart, but I can't 100% confirm that and I'm not even sure if they are related. I still have sound, but I have no way to control the volume of my entire system at once. I did some looking around online and saw that others are having or had the same issue, and it was across different versions of Linux also. somehow reset everything so I can access PAVC and start over. I also tried steps listed in another thread here on the same topic, but they weren't working and it also seemed to be for older Ubuntu versions.

[Code]....

Ubuntu Security :: What Is Best General Ufw Rules

Jun 9, 2010

I googled this question, no relevant results. I don't use samba, ssh, or any P2P file sharing. Is UDP necessary for general web browsing/file downloading? What would be the best general ufw rules to set for the above conditions and a varying IP address? I know how to use the full ufw syntax on the command line.

Security :: Rules Be Quite Fine From The FC-Repo?

Dec 21, 2010

On a fresh Fedora 2.6.35.9-64.fc14.x86_64 installation I have a little trouble with chrony. I love that tool for synchronizing my clock. SELinux complains that /usr/sbin/chronyd wants to read/write to chronyd.pid. Further, I find entries in /var/log/messages that /var/lib/chrony/drift could not be opened. As I'm completely new to SELinux, I'd like to get some help setting the security rules. PS: Should the rules be quite fine from the FC-Repo?
