Localhost connect to Localhost - Security



Thread: Localhost connect to Localhost

  1. Localhost connect to Localhost

    System: Ubuntu Linux; latest updates, etc.

    I have run both rkhunter and chkrootkit one after the other and then
    compared the output.

    Some warnings are easy to figure out but others are obscure. I use Google
    and a couple of Linux forums plus lurking here.

    For example, I found a warning which I couldn't figure out and then simply
    opened, examined it, and then seeing nothing which made sense to me,
    changed the name of the file.

    Next, using a combination of wireshark (as root) and the verbose output
    from firestarter I found that there was a port opened (2208) between
    "localhost and localhost" as if the work station was talking to itself via
    port 2008.

    I set firestarter to deny ports 2207, 2208, and 2209.

    Then I did a complete and drastic cold reboot (shutting everything off at
    the power mains, unplugging the cat 5 cable from both the workstation card
    and from the router, then restarting the box, the router, the cable
    adapter, and other bits and pieces dangling from the workstation).

    Next, after the workstation was up and running with the log-on prompt
    screen, I signed on as user dave and proceeded to load sequentially each
    of the applications which normally run open on user dave. User dave has 12
    windows set up with each one a different function and name. Looking like
    this:

    Window #:

    1 = Thunderbird email
    2 = Firefox browser
    3 = System work area (usually no applications open)
    4 = Connection Mapping (EtherApe and xtraceroute)
    5 = e-Books (browser and PDF reader for e-Books I am reading)
    6 = Working Area #1 (Open Office word processing)
    7 = Kopete Chat
    8 = Google Earth (usually not loaded)
    9 = Music (xmms connected to www.radioparadise.com - 24/7)
    10 = Solitaire
    11 = KOrganizer schedule application open
    12 = System Status (View of system, including firestarter, gkrellm,
    sysmonitor, terminal window open, ksysdisk)

    What transpired on the real-time view from EtherApe, compared with the
    firestarter firewall, was that localhost was transmitting "where is (an
    IP # which won't resolve)" packets to localhost in what appeared to be an
    endless loop.

    I began shutting off each active process, using the top application in
    a sudo'd terminal or closing the application from its own control panel.
    I recognize that deliberately killing processes one by one is dangerous,
    so I chose my victims carefully before beginning the whack-a-mole process.

    At the end of the killing process, firestarter's display of active
    connections still listed the localhost --> localhost connection on port
    2008.

    Now ports 2007 and 2008 are well known as potential holes for trojan
    behavior. My question then at that time, did the Linux box in question
    have a trojan or not?

    I continued the whack-a-mole process and eventually crashed the system when
    I yanked life support on a netstat process which was a zombie instead of asleep.

    I once again powered up the system and returned to user dave and the Full
    Monty of screens and applications. Neither firestarter nor EtherApe showed
    any activity on ports 2008, et al.

    I used WireShark to scan the dormant and unused WIFI card ra0 (which has
    had the actual antenna removed at the card and a terminating dummy
    antenna/RF sink screwed into the antenna connector). Nothing there,
    Citizen, no move along.

    I used WireShark again using the ea0 Cat 5 network card in both
    promiscuous mode and in non-slut mode. Again, nothing to or from 2206,
    07, or 08.

    So far (after a measured 465 hours of up time) there has been no further
    indication of any activity on the suspect ports 2206, 07, 08, 09. Neither
    has there been any other suspect behavior on other ports. Meaning that
    the ports which are sending and receiving data are the ports that are
    supposed to be there and working for the various applications loaded which
    need communications.

    Any ideas, comments, or remarks are requested.

    Thanks for your insight and I appreciate any comments on this
    situation.

    Dave

    --
    Posted via a free Usenet account from http://www.teranews.com


  2. Re: Localhost connect to Localhost

    On Sep 16, 7:28 pm, CWO4 Dave Mann wrote:
    > System: Ubuntu Linux; latest updates, etc.
    >
    > I have run both rkhunter and chkrootkit one after the other and then
    > compare the output.
    >
    > Some warnings are easy to figure out but others are obscure. I use Google
    > and a couple of Linux forums plus lurking here.
    >
    > For example, I found a warning which I couldn't figure out and then simply
    > opened, examined it, and then seeing nothing which made sense to me,
    > changed the name of the file.
    >
    > Next, using a combination of wireshark (as root) and the verbose output
    > from firestarter I found that there was a port opened (2208) between
    > "localhost and localhost" as if the work station was talking to itself via
    > port 2008.

    [snip]
    > Any ideas, comments, or remarks are requested.
    >
    > Thanks for your insight and I appreciate any comments on this
    > situation.


    First off, ports opened between a localhost client and a localhost
    service are "business as usual". Many client apps talk to the local
    server through the localhost address. In fact, pretty much all of the
    legitimate TCP/IP services on your system offer a localhost connection
    (check out Samba, or Cups, or Apache, for instance).

    Secondly, while in the MSWindows world, port 2008 may be allocated by
    trojans, here in the Linux world, it is owned by the conf service
    (TCP) and the terminaldb service (UDP). Both are legitimate services,
    and thus what you are seeing are probably legitimate connections. If
    you are ever unsure, you can always check the contents of /etc/services
    to see what service /should/ be using a port.

    Having said all that, I have to caution you that installing firewall
    prevention between localhost clients and localhost servers can cause
    your system to break unless you know what you are doing. Don't, for
    instance, install a firewall lockout on localhost port 25 (your mail
    services), 106 (mail, again), 80 (your web server), 20 & 21 (ftp),
    etc.
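One way to do the check this reply describes, as an added example that is not part of the thread: parse data in /etc/services format, then annotate loopback-to-loopback connections from `ss -tn`-style output with the service that should own the peer port, so that a port with no registered service stands out for a closer look. Both the services table and the socket listing below are constructed samples, not output from the poster's machine.

```python
# Constructed sample in /etc/services format (three-field lines, '#' comments).
SERVICES_SAMPLE = """\
# Network services, Internet style
smtp        25/tcp      mail
http        80/tcp      www
conf        2008/tcp
terminaldb  2008/udp
"""

# Constructed `ss -tn` style listing: two loopback connections, one remote.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      127.0.0.1:45120     127.0.0.1:2008
ESTAB  0      0      192.0.2.10:51234    198.51.100.5:443
ESTAB  0      0      [::1]:33000         [::1]:2207
"""


def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-format text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments and blanks
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                              # not a "name port/proto" line
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto)] = fields[0]
    return table


def _is_loopback(host):
    return host.startswith("127.") or host in ("::1", "[::1]")


def loopback_connections(ss_text, services, proto="tcp"):
    """Return (local_port, peer_port, service_or_None) for every connection
    whose local and peer addresses are both loopback; None flags a peer
    port that /etc/services does not register for this protocol."""
    found = []
    for line in ss_text.splitlines()[1:]:         # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        lhost, lport = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 intact
        phost, pport = fields[4].rsplit(":", 1)
        if _is_loopback(lhost) and _is_loopback(phost):
            found.append((int(lport), int(pport), services.get((int(pport), proto))))
    return found
```

On a live system, feed it the real files instead: `parse_services(open("/etc/services").read())` and the output of `ss -tn`.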



  3. Re: Localhost connect to Localhost

    On Mon, 17 Sep 2007 06:38:13 -0700:

    > On Sep 16, 7:28 pm, CWO4 Dave Mann wrote:
    >> System: Ubuntu Linux; latest updates, etc.
    >>
    >> I have run both rkhunter and chkrootkit one after the other and then
    >> compare the output.
    >>
    >> Some warnings are easy to figure out but others are obscure. I use Google
    >> and a couple of Linux forums plus lurking here.
    >>
    >> For example, I found a warning which I couldn't figure out and then simply
    >> opened, examined it, and then seeing nothing which made sense to me,
    >> changed the name of the file.
    >>
    >> Next, using a combination of wireshark (as root) and the verbose output
    >> from firestarter I found that there was a port opened (2208) between
    >> "localhost and localhost" as if the work station was talking to itself via
    >> port 2008.

    > [snip]
    >> Any ideas, comments, or remarks are requested.
    >>
    >> Thanks for your insight and I appreciate any comments on this
    >> situation.

    >
    > First off, ports opened between a localhost client and a localhost
    > service are "business as usual". Many client apps talk to the local
    > server through the localhost address. In fact, pretty much all of the
    > legitimate TCP/IP services on your system offer a localhost connection
    > (check out Samba, or Cups, or Apache, for instance).
    >
    > Secondly, while in the MSWindows world, port 2008 may be allocated by
    > trojans, here in the Linux world, it is owned by the conf service
    > (TCP) and the terminaldb service (UDP). Both are legitimate services,
    > and thus what you are seeing are probably legitimate connections. If
    > you are ever unsure, you can always check the contents of /etc/services
    > to see what service /should/ be using a port.
    >
    > Having said all that, I have to caution you that installing firewall
    > prevention between localhost clients and localhost servers can cause
    > your system to break unless you know what you are doing. Don't, for
    > instance, install a firewall lockout on localhost port 25 (your mail
    > services), 106 (mail, again), 80 (your web server), 20 & 21 (ftp),
    > etc.


    Thank you for the very informative response. I am going to remove the
    block and see how it goes.

    Thanks again,

    Dave

    --
    Posted via a free Usenet account from http://www.teranews.com

