How to detect invasions?

[dgavin at davegavin.com (Dave Gavin)]

 Ilane,

   Check to see if you have either tcpdump or ethereal on your system.
 "rpm -q ethereal tcpdump" should give you the version installed. If you don't
have either one, go get them from rpmfind or from redhat's site and install
them. Run "tcpdump -i ppp0" to watch the packets flowing in and out over the
dialup. ethereal is a graphic front end to tcpdump and if you're running X,
it'll be a lot easier to use - just select Capture -> Start and select the ppp0
interface.

 You may find that it's rhnd checking in with redhat for updates, dns, ntpd
checking the time, or some other task that may or may not be appropriate for a
dial-up - then you can shut the daemons off if you want.

 You may also find that it's some morons doing portscans or web attacks on your
address - it's amazing how many systems are out there trying to spread virii. I
get a couple of thousand hits on my firewall each day with a fairly static IP
address and I used to see quite a bit of incoming nonsense on my dialup before I
got a cable modem. If you have a spare system, you might consider setting up a
firewall system using ipcop, smoothwall or one of the other open source
firewalls out there. A stand-alone dedicated firewall box is a lot easier to
maintain than a workstation with some iptables rules added.

 my $.02

 Dave



On Fri, 29 Aug 2003 20:25:19 -0400 (EDT)
"I.M.Walberg" <imw at tiac.net> wrote:

> I had RedHat 7.3 installed about a year ago.  I set up the firewall with
> medium security.  Recently, I've noticed that my rp3 shows send and
> receive activity even when I'm not doing anything.  I rebooted to check
> this out and it shows activity even when the only programs I'm running are
> xterms and rp3 (connected obviously).  
> 
> Naturally, this concerns me because I never noticed this before (too
> obtuse maybe?) and know that it definitely didn't happen under my previous
> RedHat installation (6.x).  The rp3 display shows anywhere from 0 - 84 B,
> with 38 B being common.  The activity continues the entire time I'm
> connected.  Since I have a dialup connection, unfortunately, I didn't have
> the foresight to set up tripwire.  I do take standard precautions like
> only downloading software from trusted sites and not opening email
> attachments.
> 
> Can anyone help me figure out what this activity is and what is generating
> it?  I've taken a quick look at netstat and it shows IP and Icmp activity,
> but I am not really sure what to look for.  Also, if anyone could send me
> a list (or where I could find a list) of the standard set of processes
> which run automatically on reboot (this is a RedHat 7.3 standard
> workstation minimum install w/Gnome), I could check for suspicious
> processes.
> 
> I'm pretty computer savvy in general, but rather a novice at system
> security.  I've tried to RTFM but without a little direction I'm in over 
> my head.  Any advice would be appreciated.
> 
> Ilane
> 
> 
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss


--
Being shot out of a cannon will always be better than being squeezed
out of a tube.  That is why God made fast motorcycles, Bubba....
                    "Song of the Sausage Creature" Hunter S. Tompson