Localhost connect to Localhost



Old 09-17-2007
CWO4 Dave Mann

System: Ubuntu Linux; latest updates, etc.

I have run both rkhunter and chkrootkit one after the other and then
compared the output.

Some warnings are easy to figure out but others are obscure. I use Google
and a couple of Linux forums plus lurking here.

For example, I found a warning which I couldn't figure out and then simply
opened, examined it, and then seeing nothing which made sense to me,
changed the name of the file.

Next, using a combination of wireshark (as root) and the verbose output
from firestarter I found that there was a port opened (2208) between
"localhost and localhost" as if the work station was talking to itself via
port 2008.

I set firestarter and set it to deny ports 2207, 2208, and 2209.

Then I did a complete and drastic cold reboot (shutting everything off at
the power mains, unplugging the cat 5 cable from both the workstation card
and from the router, then restarting the box, the router, the cable
adapter, and other bits and pieces dangling from the workstation.

Next, after the workstation was up and running with the log-on prompt
screen, I signed on as user dave and proceeded to load sequentially each
of the applications which normally run open on user dave. User dave has 12
windows set up with each one a different function and name. Looking like
this:

Window #:

1 = Thunderbird email
2 = Firefox browser
3 = System work area (usually no applications open)
4 = Connection Mapping (EtherApe and xtraceroute)
5 = e-Books (browser and PDF reader for e-Books I am reading)
6 = Working Area #1 (Open Office word processing)
7 = Kopete Chat
8 = Google Earth (usually not loaded)
9 = Music (xmms connected to www.radioparadise.com - 24/7)
10 = Solitaire
11 = KOrganizer schedule application open
12 = System Status (View of system, including firestarter, gkrellm,
sysmonitor, terminal window open, ksysdisk)

What transpired on the real-time view from EtherApe compared with
firestarter firewall, was that localhost was transmitting "where is (an
IP # which won't resolve)" packets to localhost in what appeared to be an
endless loop.

I began shutting off each active process, using the top application in
a sudo'd terminal or closing the application from its own control panel.
I recognize that deliberately killing processes one by one is dangerous,
so I chose my victims carefully before beginning the whack-a-mole process.

At the end of the killing process, firestarter's display of active
connections still listed the localhost --> localhost connection on port
2008.

Now ports 2007 and 2008 are well known as potential holes for trojan
behavior. My question then at that time, did the Linux box in question
have a trojan or not?

I continued the whack-a-mole process and eventually crashed the system when
I yanked life support on a netstat process which was a zombie instead of asleep.

I once again powered up the system and returned to user dave and the Full
Monty of screens and applications. Neither firestarter nor EtherApe showed
any activity on ports 2008, et al.

I used WireShark to scan the dormant and unused WIFI card ra0 (which has
had the actual antenna removed at the card and a terminating dummy
antenna/RF sink screwed into the antenna connector). Nothing there,
Citizen, no move along.

I used WireShark again using the ea0 Cat 5 network card in both
promiscuous mode and in non-slut mode. Again, nothing to or from 2206,
07, or 08.

So far (after a measured 465 hours of up time) there has been no further
indication of any activity on the suspect ports 2206, 07, 08, 09. Neither
has there been any other suspect behavior on other ports. Meaning that
the ports which are sending and receiving data are the ports that are
supposed to be there and working for the various applications loaded which
need communications.

Any ideas, comments, or remarks are requested.

Thanks for your insight and I appreciate any comments on this
situation.

Dave

--
Posted via a free Usenet account from http://www.teranews.com

Old 09-17-2007
Lew Pitcher

On Sep 16, 7:28 pm, CWO4 Dave Mann <misterfi...@loveable.com> wrote:
> System: Ubuntu Linux; latest updates, etc.
>
> I have run both rkhunter and chkrootkit one after the other and then
> compare the output.
>
> Some warnings are easy to figure out but others are obscure. I use Google
> and a couple of Linux forums plus lurking here.
>
> For example, I found a warning which I couldn't figure out and then simply
> opened, examined it, and then seeing nothing which made sense to me,
> changed the name of the file.
>
> Next, using a combination of wireshark (as root) and the verbose output
> from firestarter I found that there was a port opened (2208) between
> "localhost and localhost" as if the work station was talking to itself via
> port 2008.

[snip]
> Any ideas, comments, or remarks are requested.
>
> Thanks for your insight and I appreciate any comments on this
> situation.


First off, ports opened between a localhost client and a localhost
service are "business as usual". Many client apps talk to the local
server through the localhost address. In fact, pretty much all of the
legitimate TCP/IP services on your system offer a localhost connection
(check out Samba, or Cups, or Apache, for instance).

Secondly, while in the MSWindows world, port 2008 may be allocated by
trojans, here in the Linux world, it is owned by the conf service
(TCP) and the terminaldb service (UDP). Both are legitimate services,
and thus what you are seeing are probably legitimate connections. If
you are ever unsure, you can always check the contents of /etc/
services to see what service /should/ be using a port.

Having said all that, I have to caution you that installing firewall
prevention between localhost clients and localhost servers can cause
your system to break unless you know what you are doing. Don't, for
instance, install a firewall lockout on localhost port 25 (your mail
services), 106 (mail, again), 80 (your web server), 20 & 21 (ftp),
etc.
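A small desk-check for the two points in the reply above (loopback-to-loopback traffic is routine, and /etc/services says what a port should be), as an added example that is not part of the thread. SAMPLE_SERVICES is a constructed excerpt in /etc/services format; feeding the real file to parse_services works the same way.

```python
"""Added example: look up a port in /etc/services-format data and say whether
a connection stays on loopback.  SAMPLE_SERVICES is a constructed excerpt."""
import ipaddress

# Constructed excerpt in /etc/services format: name port/proto [aliases] # comment
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed excerpt)
smtp            25/tcp          mail
http            80/tcp          www     # WorldWideWeb HTTP
conf            2008/tcp
terminaldb      2008/udp
"""

def parse_services(text):
    """Map (port, proto) -> (name, aliases) from /etc/services-format text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and padding
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                             # blank or malformed line
        port_s, proto = fields[1].split("/", 1)
        if not port_s.isdigit():
            continue
        table[(int(port_s), proto)] = (fields[0], fields[2:])
    return table

def lookup_port(table, port, proto="tcp"):
    """Registered service name for port/proto, or None if unregistered."""
    entry = table.get((port, proto))
    return entry[0] if entry else None

def is_loopback_connection(local_addr, remote_addr):
    """True when both endpoints are loopback (127.0.0.0/8 or ::1)."""
    return (ipaddress.ip_address(local_addr).is_loopback
            and ipaddress.ip_address(remote_addr).is_loopback)

def triage(table, local_addr, remote_addr, port, proto="tcp"):
    """One-line verdict: where the traffic goes and what the port is registered as."""
    scope = "loopback-only" if is_loopback_connection(local_addr, remote_addr) else "off-host"
    name = lookup_port(table, port, proto)
    what = f"registered as {name}" if name else "not in /etc/services"
    return f"{scope}; {port}/{proto} {what}"

if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICES)   # or open("/etc/services").read()
    print(triage(services, "127.0.0.1", "127.0.0.1", 2008))
    print(triage(services, "127.0.0.1", "127.0.0.1", 2208))
```

An unregistered loopback port is not evidence of anything by itself; the next step is to find which local process owns it, not to firewall it.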
Old 09-17-2007
CWO4 Dave Mann

On Mon, 17 Sep 2007 06:38:13 -0700:

> On Sep 16, 7:28 pm, CWO4 Dave Mann <misterfi...@loveable.com> wrote:
>> System: Ubuntu Linux; latest updates, etc.
>>
>> I have run both rkhunter and chkrootkit one after the other and then
>> compare the output.
>>
>> Some warnings are easy to figure out but others are obscure. I use Google
>> and a couple of Linux forums plus lurking here.
>>
>> For example, I found a warning which I couldn't figure out and then simply
>> opened, examined it, and then seeing nothing which made sense to me,
>> changed the name of the file.
>>
>> Next, using a combination of wireshark (as root) and the verbose output
>> from firestarter I found that there was a port opened (2208) between
>> "localhost and localhost" as if the work station was talking to itself via
>> port 2008.

> [snip]
>> Any ideas, comments, or remarks are requested.
>>
>> Thanks for your insight and I appreciate any comments on this
>> situation.

>
> First off, ports opened between a localhost client and a localhost
> service are "business as usual". Many client apps talk to the local
> server through the localhost address. In fact, pretty much all of the
> legitimate TCP/IP services on your system offer a localhost connection
> (check out Samba, or Cups, or Apache, for instance).
>
> Secondly, while in the MSWindows world, port 2008 may be allocated by
> trojans, here in the Linux world, it is owned by the conf service
> (TCP) and the terminaldb service (UDP). Both are legitimate services,
> and thus what you are seeing are probably legitimate connections. If
> you are ever unsure, you can always check the contents of /etc/
> services to see what service /should/ be using a port.
>
> Having said all that, I have to caution you that installing firewall
> prevention between localhost clients and localhost servers can cause
> your system to break unless you know what you are doing. Don't, for
> instance, install a firewall lockout on localhost port 25 (your mail
> services), 106 (mail, again), 80 (your web server), 20 & 21 (ftp),
> etc.


Thank you for the very informative response. I am going to remove the
block and see how it goes.

Thanks again,

Dave

--
Posted via a free Usenet account from http://www.teranews.com
