system log question

[BourneAgain]

I'm new to linux and i was hoping i could get some help breaking apart the system log for the most part its self explanitory however i looked at the process table and noticed a shell running that i did'nt open was i hacked??? if this is a comical question i'm glad i could make someone laugh. however i'll never learn anything if i don't ask. If anyone could be of help i would appreciate it.


Aug 21 17:35:42 linux kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:02:e3:0b:X:06:00:X:b8:02:4f:50:08:00 SRC=216.22.82.188 DST=207.X.XXX.X LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=19119 DF PROTO=TCP SPT=30134 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)

[souleman]

That is a realllly long MAC address...

Is this from your system log? or a firewall log? or something like snort? I may be wrong but isn't SuSE-FW-ACCEPT the firewall?

You said that you saw a shell running that you didn't open. Who was the owner of the shell? Was it your account or root or one of the system accounts?

This one is confusing me because it looks like a TCP connection to port 4899 on your machine from port 30134 of the other machine.

okay... 4899 is the default port for Radmin http://www.famatech.com/default.html I believe that is just a windows product though. So it was probably just a port scanner touching your machine to see if radmin was installed. but..I am not going to guarantee that.

[BourneAgain]

the user of the shell was my account not root. it may well be the firewall log its listed under system log. I'm curious how the shell came to be?

[souleman]

I would have to see the output from ps and know what you were doing at the time to give a specific answer. But... are you running X (ie KDE or Gnome or something). We you in a terminal window at all? What shell was running? Was it doing anything or just idle? At one point, the gui started under a shell (don't know if it still does or not, haven't thought about it lately). Then for every terminal you are running, there is another shell. If I knew what it was doing, I might be able to give some more help, or if you knew what its parent process was, that might help also. 'ps -aux' will give you a list of all processes, no matter who is running them. 'ps -auxf' will put them in a "tree" format so you can easilly see what started each process and what each process is running. If you see it again, check those, and if it doesn't help, then save the output to a txt file ( 'ps -auxf > psoutput' ) and upload the file so I or someone else can see whats going on at the time.

[BourneAgain]

i do use kde however the shell that i saw isn't usualy listed in the process table. it was idle at the time that i saw it but i noticed when i woke up i was'nt sure if maye it was doing somthing during the night??? i closed the shell the day i saw it and havnt seen it since i was just wondering if maybe i was hacked? or if some other process spawned its own shell for whatever reason? i apprecite you trying to help me out its nice to have a message board that does'nt insult people who dont know very much (yet).

[souleman]

From what you have said, it appears to be a shell that was either spawned by another process or was used to start a process. And then it didn't die properly (zombie). Like you might have opened a terminal window to do something, finished, and when you closed the window, KDE didn't kill it properly. It does happen and that is why you hear about "zombie" processes. They may not be doing anything any more but they were at one time and now whatever started the process is dead and the child just sits there waiting for input from something that is no longer running.

Now I am not saying that you were not hacked. It is entirely possile that you were hacked and someone tossed a rootkit on your system and thats why you never see the shell pop up again. BUT from what you have said, I don't think that is the case.

[BourneAgain]

Souleman thanks alot i appreciate the help. if it is a rootkit how would i go about checking for it??? i dont have any extra ports. is there a way for me to tell?

[lumpyporridge]

http://www.chkrootkit.org/ has a very common prog for rootkit detection . http://www.tripwire.org/ is good to have installed on a clean system too.