Connessione sospetta. Che roba è???

[frakka]

Stasera per caso dò uno sguardo al log del firewall (firestarter su ubuntu 6.10) e trovo una connessione attiva che non avevo mai notato prima.

Che roba è???
Nell'ordine da sx verso dx l'host sorgente, la destinazione (il mio pc) la porta e il nome del servizio ("Fido").

[Cybertech]

Stasera per caso dò uno sguardo al log del firewall (firestarter su ubuntu 6.10) e trovo una connessione attiva che non avevo mai notato prima.

Che roba è???
Nell'ordine da sx verso dx l'host sorgente, la destinazione (il mio pc) la porta e il nome del servizio ("Fido").

Potrebbe essere un exploit.... come riportato da packet storm....
http://packetstormsecurity.org/0010-exploits/

/// File Name: easy-adv-exploit.pl
Description: Easy Advertiser v. 2.04 Remote Exploit. The stats.cgi script used in Easy Advertiser has an insecure open() that allows this exploit to bind a shell to port 60179 running with user priviledges that the webserver is run as. Netcat is needed locally to use this.
Author: teleh0r[at]doglover.com and anno.
Homepage: http://teleh0r.cjb.net

/// File Name: formnow-exploit.pl
Description: FormNow CGI script v1.0 remote exploit - Takes advantage of an insecure sendmail call to bind a shell to tcp port 60179.
Author: Telehor
Homepage: http://teleh0r.cjb.net

tempo fa mi sono imbattuto nello stesso problema avendo un firewall linux.. (IPCOP), ho chiuso la porta in questione e non ho avuto malfunzionamenti strani,

Ciao

[frakka]

Ma il fatto che avesse una connessione aperta con il mio pc è preoccupante?? E soprattutto come ripulisco il pc?
Ieri sera ho lanciato una scansione di tutto il filesystem con clamAV ma non ha trovato alcun file infetto. Però probabilmente non si tratta i un virus, giusto?

Scusate l'ignoranza...

[lubu]

guarda frakka, molto probabilente è un qualcuno ke passando dalla porta di ingresso aveva solo intenzione di darti una sbirciatina al pc ed al limite appoggiarsi a te x qualke operazione nn proprio lecita..quando fanno ste cose non le infdividui mai con l'antivirus, qualke piccolap probabilita in piu la hai con un antispy dato ke di questo in genere si tratta, se lo hai sgamato con firewall (e mi sembra strano ke il firewall nn ti abbia avvertito) kiudilo, semplicemente lo "banni" dal tuo pc kiudendo la porta e il log di entrata..cosi funziona con windows e sygate..spero sia cosi anke con linux

[frakka]

Lo avevo immaginato ma non conosco antispyware o antimalvare per Linux. E onestamente non ne ho mai sentito parlare.

Per quanto riguarda la chiusura della porta immaginavo di dover operare in questo modo ma devo studiarmi il manuale di firestarter. Tnx!

[betaxp86]

fai una ricerca degli eseguibili con nome Fido, fai un ps -aux |grep Fido lanciato da root e guarda se ti appare tra i processi prova anche con netstat |grep Fido per individuare se c'è qualche connessione attiva, e infini netstat |grep TCP per vedere tutte le connessioni e porte attive in quel momento.

[frakka]

Mi sembra tutto a posto. Ti posto gli output. Se puoi darci una letta mi dai la conferma.

ps aux |grep Fido

matteo 9012 0.0 0.0 2860 776 pts/0 S+ 15:53 0:00 grep Fido

netstat |grep Fido

-nessun output -

netstat

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.0.3:4664 host252-43-dynamic:4204 TIME_WAIT
tcp 0 6440 192.168.0.3:37222 dsl-189-130-89-250:4662 ESTABLISHED
tcp 0 30 192.168.0.3:56492 62.241.53.16:4242 ESTABLISHED
tcp 0 0 192.168.0.3:4664 host57-74-dynamic:54770 ESTABLISHED
tcp 0 0 192.168.0.3:4664 125.143.43.188:2533 ESTABLISHED
tcp 0 0 192.168.0.3:37702 d83-184-65-172.cu:30505 TIME_WAIT
tcp 0 0 192.168.0.3:60281 88-149-211-118.f5.:4662 ESTABLISHED
tcp 0 0 192.168.0.3:37937 host45-124.pool824:4881 TIME_WAIT
tcp 0 2600 192.168.0.3:44265 151.23.186.251:4662 ESTABLISHED
tcp 0 0 192.168.0.3:34084 host191-42-dynamic:4662 ESTABLISHED
tcp 0 0 192.168.0.3:37677 host-84-222-137-3:61394 TIME_WAIT
tcp 0 0 192.168.0.3:55963 host133-208-dynam:38025 TIME_WAIT
tcp 0 0 192.168.0.3:60163 host235-56-dynamic:4662 TIME_WAIT
tcp 0 0 192.168.0.3:33125 host141-44-dynamic:4662 ESTABLISHED
tcp 0 980 192.168.0.3:55848 host155-64.pool825:4699 ESTABLISHED
tcp 0 0 192.168.0.3:48011 151.75.129.208:4089 ESTABLISHED
tcp 0 0 192.168.0.3:37892 host18-241-dynamic:4662 TIME_WAIT
tcp 0 0 192.168.0.3:46069 host158-116-dynami:8435 TIME_WAIT
tcp 1 0 192.168.0.3:59742 www.worldcommunit:https CLOSE_WAIT
tcp 1 0 192.168.0.3:59743 www.worldcommunit:https CLOSE_WAIT
tcp 0 0 192.168.0.3:53606 host54-28-dynamic:63856 TIME_WAIT
tcp 0 0 192.168.0.3:49226 host156-226-dynami:4662 ESTABLISHED
tcp 0 0 192.168.0.3:38427 host55-25-dynamic.:4662 TIME_WAIT
tcp 0 0 192.168.0.3:50036 host253.200-117-3:43762 ESTABLISHED
tcp 0 0 192.168.0.3:50721 host151-137-dynami:4662 ESTABLISHED
tcp 0 0 192.168.0.3:32866 host134-198-dynami:4662 TIME_WAIT
tcp 0 0 192.168.0.3:48509 host87-143-dynami:50090 TIME_WAIT
tcp 0 0 192.168.0.3:56644 host149-165-dynami:4662 ESTABLISHED
tcp 0 0 192.168.0.3:39471 STATIC.62-123-184:34572 TIME_WAIT
tcp 0 0 192.168.0.3:40556 host171-45-dynamic:4662 TIME_WAIT
tcp 0 0 192.168.0.3:46638 151.43.55.171:4612 TIME_WAIT
tcp 0 0 192.168.0.3:47245 popmail.inwind.it:imap2 ESTABLISHED
tcp 0 0 192.168.0.3:47229 popmail.inwind.it:imap2 ESTABLISHED
tcp 0 0 192.168.0.3:54311 da-in-f99.google.co:www TIME_WAIT
tcp 0 0 192.168.0.3:34715 host176-92.pool825:4662 TIME_WAIT
tcp 0 0 192.168.0.3:58370 popmail.inwind.it:imap2 ESTABLISHED
tcp 0 0 192.168.0.3:38006 ppp-82-84-230-226.:9346 TIME_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 4808 @/com/ubuntu/upstart
unix 2 [ ] DGRAM 4926 @/org/kernel/udev/udevd
unix 7 [ ] DGRAM 9081 /dev/log
unix 3 [ ] STREAM CONNECTED 27303
unix 3 [ ] STREAM CONNECTED 27302
unix 3 [ ] STREAM CONNECTED 27300 /tmp/orbit-matteo/linc-22c2-0-19f7dca17c058
unix 3 [ ] STREAM CONNECTED 27299
unix 3 [ ] STREAM CONNECTED 27298 /tmp/orbit-matteo/linc-1136-0-2586d4bc19a5
unix 3 [ ] STREAM CONNECTED 27297
unix 3 [ ] STREAM CONNECTED 27296 /tmp/orbit-matteo/linc-22c2-0-19f7dca17c058
unix 3 [ ] STREAM CONNECTED 27295
unix 3 [ ] STREAM CONNECTED 27292 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 27291
unix 3 [ ] STREAM CONNECTED 27289 /tmp/.ICE-unix/4333
unix 3 [ ] STREAM CONNECTED 27288
unix 3 [ ] STREAM CONNECTED 27284 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 27283
unix 3 [ ] STREAM CONNECTED 12271 /tmp/.esd-0/socket
unix 3 [ ] STREAM CONNECTED 12270
unix 2 [ ] STREAM 12263
unix 3 [ ] STREAM CONNECTED 12255 /tmp/orbit-root/linc-120b-0-1ef2a85db87cc
unix 3 [ ] STREAM CONNECTED 12254
unix 3 [ ] STREAM CONNECTED 12253 /tmp/orbit-root/linc-120d-0-27bd9f3aaf21f
unix 3 [ ] STREAM CONNECTED 12242
unix 2 [ ] DGRAM 12232
unix 3 [ ] STREAM CONNECTED 12219 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 12218
unix 3 [ ] STREAM CONNECTED 12200 /tmp/orbit-matteo/linc-120a-0-1187db25dfcfe
unix 3 [ ] STREAM CONNECTED 12199
unix 3 [ ] STREAM CONNECTED 12196 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 12195
unix 63 [ ] STREAM CONNECTED 12191 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 12190
unix 3 [ ] STREAM CONNECTED 11728 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 11727
unix 3 [ ] STREAM CONNECTED 10655 /tmp/orbit-matteo/linc-11b7-0-1df67dbd276b6
unix 3 [ ] STREAM CONNECTED 10654
unix 3 [ ] STREAM CONNECTED 10651 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 10650
unix 3 [ ] STREAM CONNECTED 10639 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 10638
unix 3 [ ] STREAM CONNECTED 10346 @/tmp/dbus-rB0nEPRZOk
unix 3 [ ] STREAM CONNECTED 10345
unix 3 [ ] STREAM CONNECTED 10344 /tmp/orbit-matteo/linc-11ac-0-76aa785aa4bb8
unix 3 [ ] STREAM CONNECTED 10343
unix 3 [ ] STREAM CONNECTED 10340 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 10339
unix 3 [ ] STREAM CONNECTED 10333 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 10332
unix 3 [ ] STREAM CONNECTED 10229 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 10228
unix 3 [ ] STREAM CONNECTED 10203 /tmp/orbit-matteo/linc-1192-0-3777f118ccaf2
unix 3 [ ] STREAM CONNECTED 10202
unix 3 [ ] STREAM CONNECTED 10199 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 10198
unix 3 [ ] STREAM CONNECTED 10185 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 10184
unix 3 [ ] STREAM CONNECTED 10159 /tmp/orbit-matteo/linc-1130-0-7ede3ad625439
unix 3 [ ] STREAM CONNECTED 10157
unix 3 [ ] STREAM CONNECTED 10156 /tmp/orbit-matteo/linc-117b-0-d2cb1ed9db49
unix 3 [ ] STREAM CONNECTED 10155
unix 3 [ ] STREAM CONNECTED 10146 /tmp/orbit-matteo/linc-1130-0-7ede3ad625439
unix 3 [ ] STREAM CONNECTED 10145
unix 3 [ ] STREAM CONNECTED 10144 /tmp/orbit-matteo/linc-117d-0-d2cb1edba755
unix 3 [ ] STREAM CONNECTED 10142
unix 3 [ ] STREAM CONNECTED 10134 /tmp/orbit-matteo/linc-117d-0-d2cb1edba755
unix 3 [ ] STREAM CONNECTED 10133
unix 3 [ ] STREAM CONNECTED 10132 /tmp/orbit-matteo/linc-1136-0-2586d4bc19a5
unix 3 [ ] STREAM CONNECTED 10131
unix 3 [ ] STREAM CONNECTED 10130 /tmp/orbit-matteo/linc-117d-0-d2cb1edba755
unix 3 [ ] STREAM CONNECTED 10129
unix 3 [ ] STREAM CONNECTED 10126 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 10125
unix 3 [ ] STREAM CONNECTED 10121 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 10120
unix 3 [ ] STREAM CONNECTED 10115 /tmp/orbit-matteo/linc-117b-0-d2cb1ed9db49
unix 3 [ ] STREAM CONNECTED 10114
unix 3 [ ] STREAM CONNECTED 10113 /tmp/orbit-matteo/linc-1136-0-2586d4bc19a5
unix 3 [ ] STREAM CONNECTED 10112
unix 3 [ ] STREAM CONNECTED 10111 /tmp/orbit-matteo/linc-117b-0-d2cb1ed9db49
unix 3 [ ] STREAM CONNECTED 10110
unix 3 [ ] STREAM CONNECTED 10107 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 10106
unix 3 [ ] STREAM CONNECTED 10102 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 10101
unix 3 [ ] STREAM CONNECTED 10058 /tmp/orbit-matteo/linc-1130-0-7ede3ad625439
unix 3 [ ] STREAM CONNECTED 10057
unix 3 [ ] STREAM CONNECTED 10056 /tmp/orbit-matteo/linc-1166-0-184d4db8aadd7
unix 3 [ ] STREAM CONNECTED 10055
unix 3 [ ] STREAM CONNECTED 10048 @/tmp/dbus-rB0nEPRZOk
unix 3 [ ] STREAM CONNECTED 10047
unix 3 [ ] STREAM CONNECTED 10046 /tmp/orbit-matteo/linc-1166-0-184d4db8aadd7
unix 3 [ ] STREAM CONNECTED 10045
unix 3 [ ] STREAM CONNECTED 10044 /tmp/orbit-matteo/linc-1136-0-2586d4bc19a5
unix 3 [ ] STREAM CONNECTED 10043
unix 3 [ ] STREAM CONNECTED 10042 /tmp/orbit-matteo/linc-1166-0-184d4db8aadd7
unix 3 [ ] STREAM CONNECTED 10041
unix 3 [ ] STREAM CONNECTED 10038 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 10037
unix 3 [ ] STREAM CONNECTED 10033 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 10032
unix 3 [ ] STREAM CONNECTED 10019 /tmp/mapping-matteo
unix 3 [ ] STREAM CONNECTED 10011
unix 3 [ ] STREAM CONNECTED 9999 @/tmp/dbus-rB0nEPRZOk
unix 3 [ ] STREAM CONNECTED 9998
unix 3 [ ] STREAM CONNECTED 9921 /tmp/orbit-matteo/linc-1132-0-20a12cd525f8b
unix 3 [ ] STREAM CONNECTED 9920
unix 3 [ ] STREAM CONNECTED 9919 /tmp/orbit-matteo/linc-1130-0-7ede3ad625439
unix 3 [ ] STREAM CONNECTED 9918
unix 3 [ ] STREAM CONNECTED 9917 /tmp/orbit-matteo/linc-1136-0-2586d4bc19a5
unix 3 [ ] STREAM CONNECTED 9915
unix 3 [ ] STREAM CONNECTED 9916 /tmp/orbit-matteo/linc-1136-0-2586d4bc19a5
unix 3 [ ] STREAM CONNECTED 9914
unix 3 [ ] STREAM CONNECTED 9902 /tmp/orbit-matteo/linc-1139-0-6ff63adf617e6
unix 3 [ ] STREAM CONNECTED 9901
unix 3 [ ] STREAM CONNECTED 9898 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 9897
unix 3 [ ] STREAM CONNECTED 9894 @/tmp/dbus-rB0nEPRZOk
unix 3 [ ] STREAM CONNECTED 9893
unix 3 [ ] STREAM CONNECTED 9866 @/tmp/dbus-rB0nEPRZOk
unix 3 [ ] STREAM CONNECTED 9865
unix 3 [ ] STREAM CONNECTED 9850 /tmp/orbit-matteo/linc-1132-0-20a12cd525f8b
unix 3 [ ] STREAM CONNECTED 9849
unix 3 [ ] STREAM CONNECTED 9846 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 9845
unix 3 [ ] STREAM CONNECTED 9843 /tmp/orbit-matteo/linc-1130-0-7ede3ad625439
unix 3 [ ] STREAM CONNECTED 9842
unix 3 [ ] STREAM CONNECTED 9839 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 9838
unix 3 [ ] STREAM CONNECTED 9836 /tmp/.ICE-unix/4333
unix 3 [ ] STREAM CONNECTED 9834
unix 3 [ ] STREAM CONNECTED 9830 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 9829
unix 3 [ ] STREAM CONNECTED 9835 /tmp/.ICE-unix/4333
unix 3 [ ] STREAM CONNECTED 9822
unix 3 [ ] STREAM CONNECTED 9816 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 9815
unix 3 [ ] STREAM CONNECTED 9805 /tmp/.ICE-unix/4333
unix 3 [ ] STREAM CONNECTED 9804
unix 3 [ ] STREAM CONNECTED 9803 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 9802
unix 3 [ ] STREAM CONNECTED 9801 /tmp/orbit-matteo/linc-112b-0-7065dcac97025
unix 3 [ ] STREAM CONNECTED 9800
unix 3 [ ] STREAM CONNECTED 9797 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 9796
unix 3 [ ] STREAM CONNECTED 9751 @/tmp/dbus-rB0nEPRZOk
unix 3 [ ] STREAM CONNECTED 9750
unix 3 [ ] STREAM CONNECTED 9743 /tmp/orbit-matteo/linc-111e-0-c3b23163f26b
unix 3 [ ] STREAM CONNECTED 9742
unix 3 [ ] STREAM CONNECTED 9739 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 9738
unix 3 [ ] STREAM CONNECTED 9734 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 9733
unix 3 [ ] STREAM CONNECTED 9720 @/tmp/dbus-rB0nEPRZOk
unix 3 [ ] STREAM CONNECTED 9719
unix 3 [ ] STREAM CONNECTED 9692 /tmp/orbit-matteo/linc-10ed-0-2b42f6ae45def
unix 3 [ ] STREAM CONNECTED 9691
unix 3 [ ] STREAM CONNECTED 9690 /tmp/orbit-matteo/linc-1118-0-543ac4a36c9c
unix 3 [ ] STREAM CONNECTED 9549
unix 2 [ ] DGRAM 9535
unix 3 [ ] STREAM CONNECTED 9529 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 9528
unix 3 [ ] STREAM CONNECTED 9525 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 9524
unix 3 [ ] STREAM CONNECTED 9523
unix 3 [ ] STREAM CONNECTED 9522
unix 2 [ ] DGRAM 9470
unix 2 [ ] DGRAM 9328
unix 3 [ ] STREAM CONNECTED 9291 /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 9290
unix 6 [ ] STREAM CONNECTED 9432 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 9289
unix 2 [ ] DGRAM 9126
unix 3 [ ] STREAM CONNECTED 8710 @/com/ubuntu/upstart/logd
unix 3 [ ] STREAM CONNECTED 8709

sudo netstat |grep TCP

-nessun output -

Quest'ultimo non è strano? il solo netstat mi restituisce la pappardella di cui sopra e " netstat |grep TCP" nulla?

Ora lancio la ricerca degli eseguibili...

[betaxp86]

Non so chi sia FIDO... man FIDO restituisce qualcosa?
L'ultimo non restituisce nulla perchè TCP era da scrivere minuscolo mea culpa

[frakka]

man Fido
Non c'è il manuale per Fido

Idem per FIDO.
Cmq ieri sera quando me ne sono accorto ho lockato il firewall e l'ho lasciato bloccato fino a stamani. Oggi non compare più tra le connessioni attive.

Ho lanciato questo comando per la ricerca del file, può andare??

sudo grep -iwr 'Fido' /

Stà ancora frullando...

[frakka]

sudo netstat |grep tcp

Avendo aperto i seguenti programmi:

amule (ed2k e KAD)
Thunderbird (IMAP)
Firefox
Il client boinc

di sconosciute mi rimangono solo queste anche se presumo che una buona parte potrebbero essere della rete KAD:

tcp 0 0 192.168.0.3:50617 62.241.53.16:4242 ESTABLISHED
tcp 0 3840 192.168.0.3:37222 dsl-189-130-89-250:4662 ESTABLISHED
tcp 0 0 192.168.0.3:49070 host94-91-dynamic:11817 ESTABLISHED
tcp 0 0 192.168.0.3:40531 host24-65-dynamic.:9257 TIME_WAIT
tcp 0 0 192.168.0.3:51222 ppp-10-21.32-151.i:4662 TIME_WAIT
tcp 0 0 192.168.0.3:50209 host-84-223-65-182:4662 ESTABLISHED
tcp 0 338 192.168.0.3:55848 host155-64.pool825:4699 ESTABLISHED
tcp 0 0 192.168.0.3:39699 host254-250-dynami:4662 ESTABLISHED
tcp 0 0 192.168.0.3:35112 host24-6-dynamic.0:4662 ESTABLISHED
tcp 0 1 192.168.0.3:43802 135.209.3.87:50871 SYN_SENT
tcp 0 0 192.168.0.3:58475 host239-55-dynamic:4662 ESTABLISHED
tcp 0 0 192.168.0.3:54019 adsl-ull-54-12.41-:1755 TIME_WAIT
tcp 0 0 192.168.0.3:55938 host155-15-dynamic:4662 ESTABLISHED
tcp 0 0 192.168.0.3:34670 host243-7-dynamic:39684 TIME_WAIT

tcp 0 0 192.168.0.3:36023 195.128.235.37:www TIME_WAIT
tcp 0 0 192.168.0.3:36020 195.128.235.37:www TIME_WAIT

Eurocodici???