Carl Fink
On 2005-03-09, Jacob Oost <(E-Mail Removed)> wrote:
> I haven't installed any new hardware or done any system fiddling to
> account for this, but my cable modem has been going slower and slower
> for the past month or so, taking a really long time to connect to mail,
> news, and web servers. Sometimes it even times out from taking so long.
> What the heck is going on? I haven't kicked my computer or installed
> anything new, it used to run just fine and when I booted to my Windows
> partition (which I haven't done in a long time) to test out the speed
> there, it ran as fast as ever.

What makes you think it's the cable modem, as opposed to your own
system?

Why didn't you give any information that might help debug your
problem?

It's a FGA (Frequently Given Answer) but you should read "How to Ask
Questions The Smart Way" by Eric Raymond.

http://www.catb.org/~esr/faqs/smart-questions.html
--
Carl Fink (E-Mail Removed)
Ask me about I-Con 24, April 8-10, 2005
http://iconsf.org

Jacob Oost
Carl Fink wrote:
> What makes you think it's the cable modem, as opposed to your own
> system?
>

I didn't mean to imply that it was my modem per se, I guess I could have
said "broadband poops out on me."

> Why didn't you give any information that might help debug your
> problem?
>

Well, I didn't want to provide a bunch of unnecessary information, so I
figured that whoever might be able to help me would prompt me for what
was necessary. I'm not a networking expert.

--
----- BEGIN GEEK CODE BLOCK -----
Version 3.1
GAT d? !s !a C++++ UL+ P L++ E- W+ N+ o-- K- w--
O- !M !V PS-- PE++ Y+ PGP- t++>++++* 5? !X-- R- tv b++ DI+ D++
G e !h !r !y
...... END GEEK CODE BLOCK ----

mkeevy@gmail.com
Jacob Oost wrote:
> Carl Fink wrote:
> > What makes you think it's the cable modem, as opposed to your own
> > system?
> >
>
> I didn't mean to imply that it was my modem per se, I guess I could have
> said "broadband poops out on me."
>
> > Why didn't you give any information that might help debug your
> > problem?
> >
>
> Well, I didn't want to provide a bunch of unnecessary information, so I
> figured that whoever might be able to help me would prompt me for what
> was necessary. I'm not a networking expert.
>
> --
>
> ----- BEGIN GEEK CODE BLOCK -----
> Version 3.1
> GAT d? !s !a C++++ UL+ P L++ E- W+ N+ o-- K- w--
> O- !M !V PS-- PE++ Y+ PGP- t++>++++* 5? !X-- R- tv b++ DI+ D++
> G e !h !r !y
> ..... END GEEK CODE BLOCK ----

Windoze blazes across the internet you say, while your *nix partition
crawls along? My guess.. and of course it could be many things... is
that your box has been rooted. By that I mean, someone may be using your
box as a jump point, or they are just using your bandwidth to FXP (ftp
server to ftp server) information from higher speed connection rooted
boxes. Either way, the only thing you'd probably notice if you were
unaware of such events is slower network speeds.... I would check what
users are running procs on the box (ps aux), and also check to see
what your "netstat" returns as.. The entries which are important are
those with the heading tcp... Another key... And this is simple... Look
at those status lights on your router/cable modem. If they are flashing
outa control and you're not doing a damn thing... chances are someone
else is... Remotely. My 2¢

Jacob Oost
(E-Mail Removed) wrote:
> Windoze blazes across the internet you say, while your *nix partition
> crawls along? My guess.. and of course it could be many things... is
> that your box has been rooted. By that I mean, someone may be using your
> box as a jump point, or they are just using your bandwidth to FXP (ftp
> server to ftp server) information from higher speed connection rooted
> boxes. Either way, the only thing you'd probably notice if you were
> unaware of such events is slower network speeds.... I would check what
> users are running procs on the box (ps aux)

Good glaven, I thought Linux was supposed to be more secure than XP!
When I enter "ps aux" I see mostly "root" and "jacob" (that's me). I
also see a few things under the users xfs, 72, daemon, and rpc. I only
have my root account and my personal account on my machine, so I take it
these are the rogue users hacking my system?

> , and also check to see
> what your "netstat" returns as..

I see about ten under "tcp," I don't really know what they mean but I
see one for amazon.com, a web page I hardly ever go to.

> The entries which are important are
> those with the heading tcp... Another key... And this is simple... Look
> at those status lights on your router/cable modem. If they are flashing
> outa control and you're not doing a damn thing... chances are someone
> else is... Remotely. My 2¢
>

I've noticed that too. Thanks for your help, what can I do to stop this?

--
----- BEGIN GEEK CODE BLOCK -----
Version 3.1
GAT d? !s !a C++++ UL+ P L++ E- W+ N+ o-- K- w--
O- !M !V PS-- PE++ Y+ PGP- t++>++++* 5? !X-- R- tv b++ DI+ D++
G e !h !r !y
...... END GEEK CODE BLOCK ----

Carl Fink
On 2005-03-09, Jacob Oost <(E-Mail Removed)> wrote:
> Good glaven, I thought Linux was supposed to be more secure than XP!
> When I enter "ps aux" I see mostly "root" and "jacob" (that's me). I
> also see a few things under the users xfs, 72, daemon, and rpc. I only
> have my root account and my personal account on my machine, so I take it
> these are the rogue users hacking my system?

Nope, they're system users automatically created by the installation
of various programs. Or crackers, no way to tell since you persist
in not giving any useful information.

"Linux" is highly insecure, and XP with Service Pack 2 is quite
secure. Now, a modern and well-done Linux distribution (say, Debian
or SuSE) set up and administered by a competent person (say, me) is
fairly secure, but for an inexperienced administrator you're actually
far more secure with Windows.

>> , and also check to see
>> what your "netstat" returns as..
>
> I see about ten under "tcp," I don't really know what they mean but I
> see one for amazon.com, a web page I hardly ever go to.

Did it even occur to you to post the actual results of netstat and
ps? Actually if a process is connecting to a site without your
permission that's a very bad sign.

If you want to be sure you're cracked, run programs like chkrootkit
or Rootkit Hunter, which check for known penetration techniques. To
be really safe, take your system off the network, repartition and
reformat the hard disk, and install a new operating system. (You can
back up all your actual data to a CD or something, just don't save
any programs.) The whole reinstallation process can take less than
two hours if you do it right. I strongly suggest either switching to
a less administration-intensive operating system, or at least reading
up on Linux before installing.

If you're a Linux beginner and don't want to go back to Windows, may
I suggest Ubuntu Linux? It's not the most hand-holding distribution,
but a very simple command ("aptitude update && aptitude upgrade") can
install every security fix known to the developers in a matter of
minutes, and being a Debian-derived distro it's very quick on the
update.
--
Carl Fink (E-Mail Removed)
Ask me about I-Con 24, April 8-10, 2005
http://iconsf.org

James Knott
Carl Fink wrote:
> "Linux" is highly insecure, and XP with Service Pack 2 is quite
> secure. Now, a modern and well-done Linux distribution (say, Debian
> or SuSE) set up and administered by a competent person (say, me) is
> fairly secure, but for an inexperienced administrator you're actually
> far more secure with Windows.

The only person I've heard make that claim, is Steve Ballmer. Why do you
consider Linux insecure, when so many in the industry say otherwise? I'm
not talking about people who do dumb things, like run telnet over the
internet etc.

Carl Fink
On 2005-03-10, James Knott <(E-Mail Removed)> wrote:
> Carl Fink wrote:
>
>> "Linux" is highly insecure, and XP with Service Pack 2 is quite
>> secure. Now, a modern and well-done Linux distribution (say, Debian
>> or SuSE) set up and administered by a competent person (say, me) is
>> fairly secure, but for an inexperienced administrator you're actually
>> far more secure with Windows.
>
> The only person I've heard make that claim, is Steve Ballmer. Why do you
> consider Linux insecure, when so many in the industry say otherwise? I'm
> not talking about people who do dumb things, like run telnet over the
> internet etc.

Because most distributions are insecure as shipped and most newbies
don't know how to secure them. Also, most people don't regularly
update their systems as exploits are discovered.

A *properly administered* Linux system can be extremely secure. It's
just that it's much easier to secure an XP box.
--
Carl Fink (E-Mail Removed)
Ask me about I-Con 24, April 8-10, 2005
http://iconsf.org

Bit Twister
On Thu, 10 Mar 2005 21:43:56 +0000 (UTC), Carl Fink wrote:
> It's just that it's much easier to secure an XP box.

Yeah, right, Sure it is, Uh huh, You bet, just follow the checklist
http://www.blackviper.com/WinXP/servicecfg.htm

Jacob Oost
Carl Fink wrote:
> On 2005-03-09, Jacob Oost <(E-Mail Removed)> wrote:
>
>>Good glaven, I thought Linux was supposed to be more secure than XP!
>>When I enter "ps aux" I see mostly "root" and "jacob" (that's me). I
>>also see a few things under the users xfs, 72, daemon, and rpc. I only
>>have my root account and my personal account on my machine, so I take it
>>these are the rogue users hacking my system?
>
> Nope, they're system users automatically created by the installation
> of various programs. Or crackers, no way to tell since you persist
> in not giving any useful information.
>
> "Linux" is highly insecure, and XP with Service Pack 2 is quite
> secure. Now, a modern and well-done Linux distribution (say, Debian
> or SuSE) set up and administered by a competent person (say, me) is
> fairly secure, but for an inexperienced administrator you're actually
> far more secure with Windows.
>
>>>, and also check to see
>>>what your "netstat" returns as..
>>
>>I see about ten under "tcp," I don't really know what they mean but I
>>see one for amazon.com, a web page I hardly ever go to.
>
> Did it even occur to you to post the actual results of netstat and
> ps? Actually if a process is connecting to a site without your
> permission that's a very bad sign.
>

I didn't know how much info would be wanted on this newsgroup. On some
groups people complain about long posts. Here's what I get with ps aux:

> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> root         1  0.4  0.0   1408   496 ?        S    17:40   0:01 init [5]
> root         2  0.0  0.0      0     0 ?        SN   17:40   0:00 [ksoftirqd/0]
> root         3  0.0  0.0      0     0 ?        S<   17:40   0:00 [events/0]
> root         4  0.0  0.0      0     0 ?        S<   17:40   0:00 [khelper]
> root         5  0.0  0.0      0     0 ?        S<   17:40   0:00 [kblockd/0]
> root        32  0.0  0.0      0     0 ?        S    17:40   0:00 [kapmd]
> root        34  0.0  0.0      0     0 ?        S    17:40   0:00 [pdflush]
> root        35  0.0  0.0      0     0 ?        S    17:40   0:00 [pdflush]
> root        37  0.0  0.0      0     0 ?        S<   17:40   0:00 [aio/0]
> root        36  0.0  0.0      0     0 ?        S    17:40   0:00 [kswapd0]
> root       147  0.0  0.0      0     0 ?        S    17:40   0:00 [kseriod]
> root       274  0.0  0.0      0     0 ?        S    17:40   0:00 [kjournald]
> root       431  0.0  0.0   1388   372 ?        S<s  17:40   0:00 udevd
> root       828  0.0  0.0      0     0 ?        S    17:40   0:00 [khubd]
> root      1124  0.0  0.0      0     0 ?        S    17:40   0:00 [kjournald]
> root      1334  0.0  0.0      0     0 ?        S    17:40   0:00 [khpsbpkt]
> root      1338  0.0  0.0      0     0 ?        S    17:40   0:00 [knodemgrd_0]
> root      2786  0.0  0.0   1416   484 ?        Ss   17:40   0:00 /sbin/ifplugd -w
> root      2857  0.0  0.1   1940   960 ?        Ss   17:40   0:00 /sbin/dhclient -1
> rpc       4462  0.0  0.1   1536   560 ?        Ss   17:40   0:00 portmap
> root      4486  0.0  0.1   1460   612 ?        Ss   17:40   0:00 syslogd -m 0
> root      4508  0.0  0.2   2104  1228 ?        Ss   17:40   0:00 klogd -2
> xfs       4803  0.0  1.1   7852  5872 ?        Ss   17:40   0:00 xfs -port -1 -dae
> 72        4837  0.0  0.2   2052  1052 ?        Ss   17:40   0:00 dbus-daemon-1 --s
> root      4871  0.0  0.1   1616   684 ?        Ss   17:40   0:00 hcid: processing
> root      4882  0.0  0.0   1452   516 ?        Ss   17:40   0:00 sdpd
> root      4894  0.0  0.0      0     0 ?        S<   17:40   0:00 [krfcommd]
> root      4983  0.0  0.1   2436   692 ?        S    17:40   0:00 /usr/bin/mdkkdm -
> root      5009  1.7  3.6 152436 19076 ?        SL   17:40   0:05 /etc/X11/X -defer
> daemon    5010  0.0  0.1   1524   548 ?        Ss   17:40   0:00 /usr/sbin/atd
> root      5065  0.0  0.2   3188  1396 ?        S    17:40   0:00 -:0
> root      5077  0.0  0.1   1988   860 ?        Ss   17:40   0:00 xinetd -stayalive
> root      5374  0.0  0.1   1448   604 ?        Ss   17:40   0:00 crond
> root      5480  0.0  0.0   1396   412 tty1     Ss+  17:40   0:00 /sbin/mingetty tt
> root      5481  0.0  0.0   1396   412 tty2     Ss+  17:40   0:00 /sbin/mingetty tt
> root      5482  0.0  0.0   1396   412 tty3     Ss+  17:40   0:00 /sbin/mingetty tt
> root      5483  0.0  0.0   1396   412 tty4     Ss+  17:40   0:00 /sbin/mingetty tt
> root      5484  0.0  0.0   1396   412 tty5     Ss+  17:40   0:00 /sbin/mingetty tt
> root      5485  0.0  0.0   1396   412 tty6     Ss+  17:40   0:00 /sbin/mingetty tt
> jacob     5933  0.0  0.2   2856  1492 ?        S    17:41   0:00 /bin/sh /usr/bin/
> jacob     5988  0.0  0.7  10984  3664 ?        S    17:41   0:00 /usr/bin/bluez-pi
> jacob     5992  0.2  3.3  26200 17288 ?        S    17:41   0:00 /usr/bin/perl /us
> jacob     6003  0.2  3.7  27104 19196 ?        S    17:41   0:00 /usr/bin/perl /us
> jacob     6019  0.0  0.1   2432   704 ?        S    17:41   0:00 dbus-launch --sh-
> jacob     6020  0.0  0.2   2052  1044 ?        Ss   17:41   0:00 dbus-daemon-1 --f
> jacob     6030  0.0  0.1   2636   976 ?        Ss   17:41   0:00 s2u --daemon=yes
> jacob     6059  0.0  1.1  14580  6040 ?        S    17:41   0:00 magicdev
> jacob     6076  0.0  1.6  22288  8540 ?        Ss   17:41   0:00 kdeinit: Running.
> jacob     6079  0.0  1.6  22176  8640 ?        S    17:41   0:00 kdeinit: dcopserv
> jacob     6081  0.0  0.4   3756  2276 ?        S    17:41   0:00 /usr/lib/gconfd-2
> jacob     6083  0.0  1.9  23756 10088 ?        S    17:41   0:00 kdeinit: klaunche
> jacob     6086  0.0  2.4  25728 12648 ?        S    17:41   0:00 kdeinit: kded
> jacob     6090  0.0  0.2   3164  1536 ?        Ss   17:41   0:00 famd
> jacob     6098  0.1  1.2  10832  6396 ?        S    17:41   0:00 /usr/bin/artsd -F
> jacob     6103  0.0  2.9  30916 15272 ?        S    17:41   0:00 kdeinit: knotify
> jacob     6104  0.0  0.0   1400   300 ?        S    17:41   0:00 kwrapper ksmserve
> jacob     6106  0.0  2.1  23672 11352 ?        S    17:41   0:00 kdeinit: ksmserve
> jacob     6107  0.1  2.6  25492 13632 ?        S    17:41   0:00 kdeinit: kwin -se
> jacob     6109  0.3  3.6  32232 18840 ?        S    17:41   0:01 kdeinit: kdesktop
> jacob     6111  0.3  3.3  32264 17156 ?        S    17:41   0:00 kdeinit: kicker
> jacob     6112  0.0  1.7  23284  9132 ?        S    17:41   0:00 kdeinit: kio_file
> jacob     6122  0.0  2.3  24368 11944 ?        S    17:41   0:00 kweatherservice
> jacob     6129  0.0  2.3  24064 11916 ?        S    17:41   0:00 kdeinit: khotkeys
> jacob     6131  0.0  2.4  24856 12740 ?        S    17:41   0:00 kdeinit: kwrited
> jacob     6132  0.1  2.9  28012 15112 ?        S    17:41   0:00 korgac --miniicon
> jacob     6136  0.0  0.2   2872  1512 ?        S    17:41   0:00 /bin/sh /usr/loca
> jacob     6138  0.0  0.2   2908  1528 ?        S    17:41   0:00 /bin/sh /usr/loca
> jacob     6143  3.0  7.0  94228 36200 ?        Sl   17:41   0:07 /usr/local/mozill
> jacob     6312 11.6  2.8  27268 14880 ?        S    17:45   0:00 kdeinit: konsole
> jacob     6313  0.5  0.3   3072  1824 pts/1    Ss   17:45   0:00 /bin/bash
> jacob     6344  0.0  0.1   2248   736 pts/1    R+   17:45   0:00 ps aux

Here's what I get with netstat (which took a while):

> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 192.168.1.100:32783     news-server-fe-02.:nntp ESTABLISHED
> tcp        0      0 192.168.1.100:32782     64.236.38.141:http      ESTABLISHED
> tcp        0      0 192.168.1.100:32779     64.236.38.135:http      ESTABLISHED
> tcp        0      0 192.168.1.100:32780     64.236.38.135:http      ESTABLISHED
> tcp        0      0 192.168.1.100:32790     12.120.81.15:http       ESTABLISHED
> udp        0      0 192.168.1.100:32851     clmboh-dns-cac-0:domain ESTABLISHED
> udp        0      0 192.168.1.100:32854     clmboh-dns-cac-0:domain ESTABLISHED

> If you want to be sure you're cracked, run programs like chkrootkit
> or Rootkit Hunter, which check for known penetration techniques.

Tried chkrootkit, gave me this:

> ROOTDIR is `/'
> Checking `amd'... not found
> Checking `basename'... not infected
> Checking `biff'... not found
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not found
> Checking `gpm'... not found
> Checking `grep'... not infected
> Checking `hdparm'... not infected
> Checking `su'... not infected
> Checking `ifconfig'... not infected
> Checking `inetd'... not tested
> Checking `inetdconf'... not found
> Checking `identd'... not found
> Checking `init'... not infected
> Checking `killall'... not infected
> Checking `ldsopreload'... can't exec ./strings-static, not tested
> Checking `login'... not infected
> Checking `ls'... not infected
> Checking `lsof'... not found
> Checking `mail'... not found
> Checking `mingetty'... not infected
> Checking `netstat'... not infected
> Checking `named'... not found
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... not infected
> Checking `pstree'... not infected
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not found
> Checking `rshd'... not found
> Checking `slogin'... not infected
> Checking `sendmail'... not found
> Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file
> not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `tcpdump'... not infected
> Checking `top'... not infected
> Checking `telnetd'... not found
> Checking `timed'... not found
> Checking `traceroute'... not found
> Checking `vdir'... not infected
> Checking `w'... not infected
> Checking `write'... not infected
> Checking `aliens'... no suspect files
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... nothing found
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing found
> Searching for suspicious files and dirs, it may take a while... nothing found
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for Showtee... nothing found
> Searching for OpticKit... nothing found
> Searching for T.R.K... nothing found
> Searching for Mithra... nothing found
> Searching for OBSD rk v1... nothing found
> Searching for LOC rootkit... nothing found
> Searching for Romanian rootkit... nothing found
> Searching for HKRK rootkit... nothing found
> Searching for Suckit rootkit... nothing found
> Searching for Volc rootkit... nothing found
> Searching for Gold2 rootkit... nothing found
> Searching for TC2 Worm default files and dirs... nothing found
> Searching for Anonoying rootkit default files and dirs... nothing found
> Searching for ZK rootkit default files and dirs... nothing found
> Searching for ShKit rootkit default files and dirs... nothing found
> Searching for AjaKit rootkit default files and dirs... nothing found
> Searching for zaRwT rootkit default files and dirs... nothing found
> Searching for Madalin rootkit default files... nothing found
> Searching for Fu rootkit default files... nothing found
> Searching for ESRK rootkit default files... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... chkproc: nothing detected
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'... chklastlog: nothing deleted
> Checking `chkutmp'... not tested: can't exec ./chkutmp

> To
> be really safe, take your system off the network, repartition and
> reformat the hard disk, and install a new operating system. (You can
> back up all your actual data to a CD or something, just don't save
> any programs.) The whole reinstallation process can take less than
> two hours if you do it right. I strongly suggest either switching to
> a less administration-intensive operating system, or at least reading
> up on Linux before installing.
>

Well, I have several Linux books that I've looked through and none of
them warned me about needing more extensive security (though if this
rootkit exploit is new, that would be understandable since these books
are several years old).

> If you're a Linux beginner and don't want to go back to Windows, may
> I suggest Ubuntu Linux? It's not the most hand-holding distribution,
> but a very simple command ("aptitude update && aptitude upgrade") can
> install every security fix known to the developers in a matter of
> minutes, and being a Debian-derived distro it's very quick on the
> update.

I really like Mandrake, I would just like to be able to reinstall the OS
with whatever security configurations I need to avoid this problem in
the future.

--
----- BEGIN GEEK CODE BLOCK -----
Version 3.1
GAT d? !s !a C++++ UL+ P L++ E- W+ N+ o-- K- w--
O- !M !V PS-- PE++ Y+ PGP- t++>++++* 5? !X-- R- tv b++ DI+ D++
G e !h !r !y
...... END GEEK CODE BLOCK ----
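
A triage sketch for the kind of ps aux and netstat output posted in this thread, added here as an example and not written by any of the posters: it labels each process owner against a passwd file and guesses which side opened each established TCP connection. The passwd excerpt, the 4242 and ftp rows, and all function names are constructed for illustration.

```python
# Constructed /etc/passwd excerpt: the thread never shows this file, so the
# UIDs, shells and the name "messagebus" for uid 72 are assumptions.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rpc:x:71:71:system user for portmap:/:/bin/false
messagebus:x:72:72:system user for dbus:/:/bin/false
jacob:x:501:501:Jacob:/home/jacob:/bin/bash
"""

# Rows from the ps aux output in the thread, plus one constructed row
# (owner 4242) standing in for a process whose owner has no passwd entry.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2857  0.0  0.1   1940   960 ?        Ss   17:40   0:00 /sbin/dhclient -1
rpc       4462  0.0  0.1   1536   560 ?        Ss   17:40   0:00 portmap
72        4837  0.0  0.2   2052  1052 ?        Ss   17:40   0:00 dbus-daemon-1 --s
jacob     6143  3.0  7.0  94228 36200 ?        Sl   17:41   0:07 /usr/local/mozill
4242      6400  0.0  0.1   1500   500 ?        S    17:44   0:00 constructed-row
"""

# TCP rows from the netstat output in the thread, plus one constructed row in
# which a remote peer (documentation address) is connected to a local service.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.100:32783     news-server-fe-02.:nntp ESTABLISHED
tcp        0      0 192.168.1.100:32782     64.236.38.141:http      ESTABLISHED
tcp        0      0 192.168.1.100:ftp       203.0.113.9:40112       ESTABLISHED
"""

# Service names netstat prints when run without -n (only those in the sample).
SERVICE_PORTS = {"ftp": 21, "http": 80, "nntp": 119}


def load_passwd(text):
    """Index passwd entries by account name and by UID (as a string)."""
    index = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            entry = {"name": fields[0], "uid": int(fields[2]), "shell": fields[6]}
            index[fields[0]] = index[fields[2]] = entry
    return index


# uid_min is the first UID given to human accounts: 500 on distributions of
# the thread's era, usually 1000 today (UID_MIN in /etc/login.defs).
def classify_owners(ps_text, passwd_text, uid_min=500):
    """Label every USER value seen in ps aux output."""
    accounts = load_passwd(passwd_text)
    labels = {}
    for line in ps_text.strip().splitlines()[1:]:  # [1:] skips the header row
        owner = line.split(None, 1)[0]
        entry = accounts.get(owner)  # ps may print a bare UID, like the "72" above
        if entry is None:
            labels[owner] = "UNKNOWN: no passwd entry, investigate"
        elif entry["uid"] < uid_min:
            labels[owner] = f"system account {entry['name']} (shell {entry['shell']})"
        else:
            labels[owner] = f"login account {entry['name']}"
    return labels


def _port(endpoint):
    port = endpoint.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else SERVICE_PORTS.get(port)


def tcp_direction(netstat_text, ephemeral_min=32768):
    """Heuristic guess at which side opened each ESTABLISHED TCP connection."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 6 or f[0] != "tcp" or f[5] != "ESTABLISHED":
            continue
        lport, rport = _port(f[3]), _port(f[4])
        if lport is not None and lport < 1024:
            kind = "inbound"   # a peer is using a service on this host
        elif lport is not None and lport >= ephemeral_min and rport is not None:
            kind = "outbound"  # this host connected out from an ephemeral port
        else:
            kind = "unclear"
        rows.append((f[3], f[4], kind))
    return rows


if __name__ == "__main__":
    print(classify_owners(SAMPLE_PS, SAMPLE_PASSWD))
    print(tcp_direction(SAMPLE_NETSTAT))
```

The direction test is only a heuristic built on Linux's default ephemeral port range starting at 32768; running netstat with -n and -p gives numeric ports and the owning process for each row.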