How to detect invasions?

I.M.Walberg imw at tiac.net
Fri Aug 29 20:25:19 EDT 2003


I had RedHat 7.3 installed about a year ago.  I set up the firewall with
medium security.  Recently, I've noticed that my rp3 shows send and
receive activity even when I'm not doing anything.  I rebooted to check
this out and it shows activity even when the only programs I'm running are
xterms and rp3 (connected obviously).

Naturally, this concerns me because I never noticed this before (too
obtuse maybe?) and know that it definitely didn't happen under my previous
RedHat installation (6.x).  The rp3 display shows anywhere from 0 - 84 B,
with 38 B being common.  The activity continues the entire time I'm
connected.  Since I have a dialup connection, unfortunately, I didn't have
the foresight to set up tripwire.  I do take standard precautions like
only downloading software from trusted sites and not opening email
attachments.

Can anyone help me figure out what this activity is and what is generating
it?  I've taken a quick look at netstat and it shows IP and ICMP activity,
but I am not really sure what to look for.  Also, if anyone could send me
a list (or where I could find a list) of the standard set of processes
which run automatically on reboot (this is a RedHat 7.3 standard
workstation minimum install w/Gnome), I could check for suspicious
processes.

I'm pretty computer savvy in general, but rather a novice at system
security.  I've tried to RTFM but without a little direction I'm in over
my head.  Any advice would be appreciated.

Ilane
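As an added example (not part of the original post or thread), the following POSIX shell script does the kind of check the post is reaching for with netstat: it reduces `netstat -tulpn` output (net-tools netstat; the PID/Program column is only filled in when run as root) to a short list of listening sockets and diffs that list against a baseline saved while the machine was trusted. Both netstat listings in the script are constructed for the demonstration, including the `1204/unknown` listener on port 4444.

```shell
#!/bin/sh
# Added example, not part of the original post: reduce `netstat -tulpn` output
# to a short list of listening sockets and diff it against a known-good baseline,
# so a listener that was not there before shows up by port and program name.
# Both netstat listings below are constructed for the demonstration; the
# PID/Program column only appears when netstat runs as root.

# Constructed baseline taken on a day the box is believed clean.
BASELINE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      811/sendmail
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      643/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           590/ntpd
EOF
)

# Constructed later snapshot with one listener that is not in the baseline.
CURRENT_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      811/sendmail
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      643/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1204/unknown
udp        0      0 0.0.0.0:123             0.0.0.0:*                           590/ntpd
EOF
)

# Read netstat -tulpn output on stdin; print sorted "proto local-address program"
# lines. TCP rows have a State column (LISTEN) before PID/Program; UDP rows do
# not, so the program field is $6 for udp and $7 for tcp. Header lines fall
# through because their first field is neither tcp nor udp.
extract_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4, $7 }
        $1 ~ /^udp/                   { print $1, $4, $6 }
    ' | sort
}

# Print the lines of $2 (current listeners) that do not occur in $1 (baseline).
# Uses awk's two-file idiom instead of comm so it stays POSIX sh.
new_listeners() {
    base_file=$(mktemp) || return 1
    cur_file=$(mktemp) || { rm -f "$base_file"; return 1; }
    printf '%s\n' "$1" > "$base_file"
    printf '%s\n' "$2" > "$cur_file"
    awk 'NR == FNR { seen[$0] = 1; next } !($0 in seen)' "$base_file" "$cur_file"
    rm -f "$base_file" "$cur_file"
}

# Compare the two constructed listings. Prints one "NEW LISTENER:" line per
# socket absent from the baseline and returns 1 if any were found, 0 otherwise.
check_listeners() {
    base=$(printf '%s\n' "$BASELINE_NETSTAT" | extract_listeners)
    cur=$(printf '%s\n' "$CURRENT_NETSTAT" | extract_listeners)
    found=$(new_listeners "$base" "$cur")
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/NEW LISTENER: /'
        return 1
    fi
    echo "no listeners beyond the baseline"
    return 0
}

# On a live box, replace the constructed strings with real output:
#   netstat -tulpn > /root/netstat.baseline      # once, while the system is trusted
#   netstat -tulpn | extract_listeners           # later, for comparison
if ! check_listeners; then
    echo "review the new listener(s) above against the baseline" >&2
fi
```

For the boot-time service list the post asks about, Red Hat's `chkconfig --list` shows which services are enabled per runlevel, and `ps -ef` gives the running processes to compare against it. Small periodic byte counts on a PPP link can also come from the link itself (pppd's LCP echo requests, for example), so a listener diff like this rules out an unexpected listening process rather than accounting for every byte on the counter.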