fred@aussie! ~ $ sudo nmap -sT -O localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-15 10:25 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00087s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.15
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.78 seconds
Is this normal? I'm particularly concerned about port 445-the microsoft-ds service. *Puts on tinfoil hat.* I don't have any reason that I'm aware of to have open ports. I'm not a gamer, I don't connect anywhere remotely, and I don't remember doing anything that would open any ports.
Thanks for any advice! I'm sort of freaking out right now.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason:Topic automatically closed 6 months after creation. New replies are no longer allowed.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
Samba (smbd/nmbd) are running by default, so those ports will be open. You can disable the service if you won't need it, or firewall the ports off with ufw.
Also, 631 is for cups (printing). You can also firewall that one off if you are not sharing a printer.
Habitual--I do have a router. Maybe that explains it?
I'm starting to be a little...interested...now. Gufw is crashing every second time I launch it and does not show up in my menu (Cinnamon). By "crashing" I mean that the gufw window shuts down suddenly. When I launch it after that everything is turned off. When I enable it "in" and "out" have no values. And then when I set them correctly, close the window, and launch it again, it crashes. And so on...
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
Fred:
Did you change the "Status" to On in gufw?
Does doing so change how gufw handles your changes?
If it is already enabled, then IDK what else it could be.
fred@aussie! ~ $ sudo ufw status verbose
[sudo] password for fred:
WARN: /etc is group writable!
WARN: /lib is group writable!
Status: active
Logging: off
Default: deny (incoming), allow (outgoing)
New profiles: skip
Thanks Habitual!
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
fred@aussie! ~ $ sudo ufw status verbose
[sudo] password for fred:
WARN: /etc is group writable!
WARN: /lib is group writable!
Status: active
Logging: off
Default: deny (incoming), allow (outgoing)
New profiles: skip
Thanks Habitual!
Fred I may not be the sharpest knife in the drawer, but it looks to me as if the firewall will not allow any incoming on your ports. Also, I run LMDE2 64 bit also and have had the same trouble with gufw.
fred@aussie! ~ $ sudo rkhunter -c -sk
[sudo] password for fred:
[ Rootkit Hunter version 1.4.2 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ Warning ]
/usr/sbin/adduser [ Warning ]
/usr/sbin/chroot [ Warning ]
/usr/sbin/cron [ Warning ]
/usr/sbin/groupadd [ Warning ]
/usr/sbin/groupdel [ Warning ]
/usr/sbin/groupmod [ Warning ]
/usr/sbin/grpck [ Warning ]
/usr/sbin/nologin [ Warning ]
/usr/sbin/pwck [ Warning ]
/usr/sbin/rsyslogd [ Warning ]
/usr/sbin/tcpd [ Warning ]
/usr/sbin/useradd [ Warning ]
/usr/sbin/userdel [ Warning ]
/usr/sbin/usermod [ Warning ]
/usr/sbin/vipw [ Warning ]
/usr/bin/awk [ Warning ]
/usr/bin/basename [ Warning ]
/usr/bin/chattr [ Warning ]
/usr/bin/curl [ Warning ]
/usr/bin/cut [ Warning ]
/usr/bin/diff [ Warning ]
/usr/bin/dirname [ Warning ]
/usr/bin/dpkg [ Warning ]
/usr/bin/dpkg-query [ Warning ]
/usr/bin/du [ Warning ]
/usr/bin/env [ Warning ]
/usr/bin/file [ Warning ]
/usr/bin/find [ Warning ]
/usr/bin/GET [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/head [ Warning ]
/usr/bin/id [ Warning ]
/usr/bin/killall [ Warning ]
/usr/bin/last [ Warning ]
/usr/bin/lastlog [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ Warning ]
/usr/bin/locate [ Warning ]
/usr/bin/logger [ Warning ]
/usr/bin/lsattr [ Warning ]
/usr/bin/lsof [ Warning ]
/usr/bin/mail [ Warning ]
/usr/bin/md5sum [ Warning ]
/usr/bin/mlocate [ Warning ]
/usr/bin/newgrp [ Warning ]
/usr/bin/passwd [ Warning ]
/usr/bin/perl [ Warning ]
/usr/bin/pgrep [ Warning ]
/usr/bin/pkill [ Warning ]
/usr/bin/pstree [ Warning ]
/usr/bin/rkhunter [ Warning ]
/usr/bin/rpm [ Warning ]
/usr/bin/runcon [ Warning ]
/usr/bin/sha1sum [ Warning ]
/usr/bin/sha224sum [ Warning ]
/usr/bin/sha256sum [ Warning ]
/usr/bin/sha384sum [ Warning ]
/usr/bin/sha512sum [ Warning ]
/usr/bin/size [ Warning ]
/usr/bin/sort [ Warning ]
/usr/bin/ssh [ Warning ]
/usr/bin/stat [ Warning ]
/usr/bin/strace [ Warning ]
/usr/bin/strings [ Warning ]
/usr/bin/sudo [ Warning ]
/usr/bin/tail [ Warning ]
/usr/bin/telnet [ Warning ]
/usr/bin/test [ Warning ]
/usr/bin/top [ Warning ]
/usr/bin/touch [ Warning ]
/usr/bin/tr [ Warning ]
/usr/bin/uniq [ Warning ]
/usr/bin/users [ Warning ]
/usr/bin/vmstat [ Warning ]
/usr/bin/w [ Warning ]
/usr/bin/watch [ Warning ]
/usr/bin/wc [ Warning ]
/usr/bin/wget [ Warning ]
/usr/bin/whatis [ Warning ]
/usr/bin/whereis [ Warning ]
/usr/bin/which [ Warning ]
/usr/bin/who [ Warning ]
/usr/bin/whoami [ Warning ]
/usr/bin/gawk [ Warning ]
/usr/bin/lwp-request [ Warning ]
/usr/bin/mail.mailutils [ Warning ]
/usr/bin/telnet.netkit [ Warning ]
/usr/bin/w.procps [ Warning ]
/sbin/depmod [ Warning ]
/sbin/fsck [ Warning ]
/sbin/ifconfig [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/sbin/init [ Warning ]
/sbin/insmod [ Warning ]
/sbin/ip [ Warning ]
/sbin/lsmod [ Warning ]
/sbin/modinfo [ Warning ]
/sbin/modprobe [ Warning ]
/sbin/rmmod [ Warning ]
/sbin/route [ Warning ]
/sbin/runlevel [ Warning ]
/sbin/sulogin [ Warning ]
/sbin/sysctl [ Warning ]
/bin/bash [ Warning ]
/bin/cat [ Warning ]
/bin/chmod [ Warning ]
/bin/chown [ Warning ]
/bin/cp [ Warning ]
/bin/date [ Warning ]
/bin/df [ Warning ]
/bin/dmesg [ Warning ]
/bin/echo [ Warning ]
/bin/ed [ Warning ]
/bin/egrep [ Warning ]
/bin/fgrep [ Warning ]
/bin/fuser [ Warning ]
/bin/grep [ Warning ]
/bin/ip [ Warning ]
/bin/kill [ Warning ]
/bin/less [ Warning ]
/bin/login [ Warning ]
/bin/ls [ Warning ]
/bin/lsmod [ Warning ]
/bin/mktemp [ Warning ]
/bin/more [ Warning ]
/bin/mount [ Warning ]
/bin/mv [ Warning ]
/bin/netstat [ Warning ]
/bin/ping [ Warning ]
/bin/ps [ Warning ]
/bin/pwd [ Warning ]
/bin/readlink [ Warning ]
/bin/sed [ Warning ]
/bin/sh [ Warning ]
/bin/su [ Warning ]
/bin/touch [ Warning ]
/bin/uname [ Warning ]
/bin/which [ Warning ]
/bin/kmod [ Warning ]
/bin/dash [ Warning ]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
Fu Rootkit [ Not found ]
rainbows`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Jynx Rootkit [ Not found ]
KBeast Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]
Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]
Suspicious Shared Memory segments [ None found ]
Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
Checking for hidden ports [ Skipped ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for an SSH configuration file [ Not found ]
Checking for a running system logging daemon [ Found ]
Checking for a system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 141
Suspect files: 141
Rootkit checks...
Rootkits checked : 365
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 3 minutes and 3 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
fred@aussie! ~ $
I've never seen so many warnings from rkhunter in my life! I don't know what you guys think, but I'm getting outta here until I hear more! At least I have triple-boot. Back soon!
EDIT: I also can't log out. Hmmm....
EDIT2: I just booted into Kali and had a similar (though not identical) result. After running "rkhunter --propupd" the warnings were gone. I still don't trust it right now, though. Fortunately, my install of Betsy reconfigured to use Devuan is reporting clean.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
Thanks Habitual. The only trouble is I'm afraid to boot back into that installation until I figure out what those warnings were about! I'd dismiss 'em as false positives if it weren't for:
(a). I run rkhunter a good bit and I've never seen anything like this before. I've definitely run it multiple times on this installation and it's always come back clean.
(b). My not being able to log out was also slightly suspicious.
I'm a tad worried now I've got a "friend" in my system.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
One wishes that rkhunter would be a little more verbose about its warnings. A legitimate update could have changed all of those binaries and their database could just be a little behind the times.
Fred Barclay wrote:Thanks Habitual. The only trouble is I'm afraid to boot back into that installation until I figure out what those warnings were about! I'd dismiss 'em as false positives if it weren't for:
(a). I run rkhunter a good bit and I've never seen anything like this before. I've definitely run it multiple times on this installation and it's always come back clean.
(b). My not being able to log out was also slightly suspicious.
I'm a tad worried now I've got a "friend" in my system.
Yeah, sorry, I started a new thread a few hours ago about this. I was just letting you know that the link you sent did not show any open ports.
But as far as rkhunter itself goes, I do believe that the trouble was my not running the --propupd just as you mentioned. If you want to look at that thread, it's http://forums.linuxmint.com/viewtopic.p ... 2&t=207441 I'll post there in a moment with /var/log/rkhunter.log
EDIT: Wait...what??? I was responding to a post by you that doesn't seem to be there.
Last edited by Fred Barclay on Fri Oct 16, 2015 5:56 pm, edited 1 time in total.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
and scan the router to see if anything is open.
If they are not, You won't need [g]ufw for the current situation.
See you Monday'ish Cobber.
Have a good weekend.
Same to you!
I'll check that link ASAP. Meanwhile, I do need a firewall of some sort since this is a lappy and I travel with it a good deal--or am I wrong? This means connecting to untrusted wifi's, unfortunately.
Edit: I've already used that link. All ports are closed, or so it says. Thanks!
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein