
Afraid of system being compromised - is true? how to solve? Newbie
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Registered: Mar 2013
There are two computers. Computer A uses openSUSE and is usually used for common tasks (no risk at all). Suddenly, one day, some "markers" from Mozilla Firefox were modified, but not by the legitimate users. The firewall rules were for the Eth0 (unique interface) in External zone, and the router is connected directly to the DSL line (no other computers in LAN).
I extract also here the iptables -L rules.
userA@computerA:~> sudo /usr/sbin/iptables -L
Chain INPUT (policy DROP)
prot opt source
destination
ctstate ESTABLISHED
ctstate RELATED
limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
Chain FORWARD (policy DROP)
prot opt source
destination
limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
Chain OUTPUT (policy ACCEPT)
prot opt source
destination
Chain forward_ext (0 references)
prot opt source
destination
Chain input_ext (1 references)
prot opt source
destination
PKTTYPE = broadcast
icmp source-quench
icmp echo-request
PKTTYPE = multicast
PKTTYPE = broadcast
limit: avg 3/min burst 5 tcpflags: FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
Chain reject_func (0 references)
prot opt source
destination
reject-with tcp-reset
reject-with icmp-port-unreachable
reject-with icmp-proto-unreachable
The modification in the markers of Firefox is not possible to have been done by us, and it is not so easy to do by error, because the markers were modified specifically in a tree of folders, deleting two URL markers and adding two others.
I know by the language and the context of the new URLs that the "intruder" is of my nationality.
The problem is that the legitimate users of the computer just deleted both fake URLs and added the original ones. After that, they just continued using the computer normally. That day, none of those URL webpages were under attack (like DNS or something like that, where maybe the auto-refresh of Firefox, I don't know if it exists, just updated both of them at the moment of the attack on the webpages). Also, they didn't say anything about a possible attack. And because it is in the markers of Firefox (something that is stored locally), I thought it was a direct and specific attack on computer A and its users.
Question A: Was my supposition correct? Or is there still any possibility of it being a general attack? I dismiss any possibility of a popular worm/virus because the modifications of the markers were really specific and in a national context.
Question B: What is the best procedure to analyze the source of the attack, and how to protect against it? How to know what things have been modified? I think it is weird that the intruder shows himself by modifying something in the system (like markers in Firefox), so he/she wants to be known, like a threat.
I have installed and started the Clamav antivirus. I can show so far that there are:
Windows and Data NTFS partitions (Windows not really used, Data used from Linux):
- hundreds of Heuristics.Encrypted.ZIP (or PDF, RAR), Heuristics.Broken.Executable
- file .htm with Exploit.HTML.MHTRedir.4n
- file .pdf with Exploit.PDF-1745
- file .rar with Trojan.W32.HotKeysHook.A
- 5 files .js with Worm.JS.Redlof.A
Linux (normally used):
- /boot/vmlinux-3.1.10-1.16-desktop.gz
Heuristics.Broken.Executable
- /home/userA/Applications/jDownloaders/JDownlaoder/libs/jna.jar
Heuristics.Broken.Executable
- /home/userA/.jd/libs/jna.jar
Heuristics.Broken.Executable
- /home/userA/.thunderbird/ct5dfrhd.default/training.dat
Heuristics.Broken.Executable
- /lib/firmware/vxge/X3fw.ncf
Heuristics.Encrypted.Zip
- /lib/firmware/vxge/X3fw-pxe.ncf
Heuristics.Encrypted.Zip
In the time the detection was notified, Windows wasn't used in the days before. Therefore, Linux was the O.S. in the time of the intrusion.
Registered: Mar 2013
Original Poster
Now I have access to the main computerA, where the "intrusion" was done 2 and a half weeks ago, but I really don't know what to do and how to proceed. At least I have installed clamav and I have shown the results above.
The problem is that I came with computerB with ArchLinux, and I needed internet to start checking how to proceed with all this. The problem is that after activating eth0 and running the DHCP client to get the IP, I got the connection, and just after that I saw really weird behaviour. Suddenly, the computer froze a little, well, not really froze, but was slow for some moments, and when I checked in the terminal what happened, my prompt was modified.
Before was:
ussr@localhost
ussr@unknown
That put my alarms on, so I quickly disconnected the ethernet. Because I don't know how to proceed, and am really scared of the situation, I just post the "captures" below.
iptables of computerB (I followed the Arch Linux Simple Stateful Firewall... I think I got it correctly)
Chain INPUT (policy DROP)
prot opt source
destination
ctstate RELATED,ESTABLISHED
ctstate INVALID
icmp echo-request ctstate NEW
ctstate NEW
tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
reject-with icmp-proto-unreachable
icmp echo-request recent: SET name: ping_limiter side: source mask: 255.255.255.255
icmp echo-request recent: UPDATE seconds: 4 hit_count: 6 name: ping_limiter side: source mask: 255.255.255.255
icmp echo-request
recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
prot opt source
destination
Chain OUTPUT (policy ACCEPT)
prot opt source
destination
Chain TCP (1 references)
prot opt source
destination
recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
tcp dpt:http
Chain UDP (1 references)
prot opt source
destination
recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
udp dpt:domain
sudo cat /var/log/everything.log [more info maybe]
Mar 12 21:46:46 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 21:46:46 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:46 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:46:55 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:43 localhost kernel: [ 282.346749] usb 4-1: USB disconnect, device number 2
Mar 12 21:50:44 localhost kernel: [ 283.346743] usb 1-1: USB disconnect, device number 2
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost kernel: [ 284.773394] Monitor-Mwait will be used to enter C-3 state
Mar 12 21:50:46 localhost kernel: [ 285.600790] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=600
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:51:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:03 localhost kernel: [ 361.720026] usb 4-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:52:03 localhost kernel: [ 362.021197] input: USB Keyboard as /devices/pci0:00:1d.0/usb4/4-1/4-1:1.0/input/input15
Mar 12 21:52:03 localhost kernel: [ 362.021535] hid-generic 0003:05AF:: input,hidraw0: USB HID v1.10 Keyboard [ USB Keyboard] on usb-d.0-1/input0
Mar 12 21:52:03 localhost kernel: [ 362.113907] input: USB Keyboard as /devices/pci0:00:1d.0/usb4/4-1/4-1:1.1/input/input16
Mar 12 21:52:03 localhost kernel: [ 362.114113] hid-generic 0003:05AF:: input,hidraw1: USB HID v1.10 Device [ USB Keyboard] on usb-d.0-1/input1
Mar 12 21:52:03 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:03 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:04 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:52:04 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:04 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost kernel: [ 455.631890] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=0
Mar 12 21:54:15 localhost kernel: [ 494.630014] usb 1-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:54:16 localhost kernel: [ 494.819169] input: Logitech USB Optical Mouse as /devices/pci0:00:1a.0/usb1/1-1/1-1:1.0/input/input17
Mar 12 21:54:16 localhost kernel: [ 494.819483] hid-generic D:C05B.0006: input,hidraw2: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-a.0-1/input0
Mar 12 21:56:16 localhost kernel: [ 615.359568] sky2 .0 eth0: enabling interface
Mar 12 21:56:16 localhost kernel: [ 615.359925] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Mar 12 21:56:18 localhost kernel: [ 617.200722] sky2 .0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:56:18 localhost kernel: [ 617.200761] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Mar 12 21:57:01 localhost kernel: [ 659.837395] sky2 .0 eth0: Link is down
Mar 12 21:57:03 localhost kernel: [ 662.485483] sky2 .0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:58:03 localhost dhcpcd[1072]: version 5.6.4 starting
Mar 12 21:58:03 localhost kernel: [ 722.424132] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: broadcasting for a lease
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier acquired
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier lost
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: offered 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: acknowledged 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: checking for 192.168.1.35
Mar 12 21:58:07 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:10 localhost dhcpcd[1072]: eth0: leased 192.168.1.35 for 43200 seconds
Mar 12 21:58:10 localhost dhcpcd[1072]: forked to background, child pid 1119
Mar 12 21:58:11 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: no IPv6 Routers available
Mar 12 21:59:33 localhost kernel: [ 812.425190] konsole[1156]: segfault at 84 ip b73128d4 sp bf9e00c0 error 4 in libkdeui.so.5.10.0[b6fcb000+42b000]
Mar 12 21:59:33 localhost systemd-coredump[1158]: Process 1156 (konsole) dumped core.
Mar 12 21:59:47 localhost kernel: [ 826.338582] konsole[1164]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d]
Mar 12 21:59:48 localhost systemd-coredump[1165]: Process 1164 (konsole) dumped core.
Mar 12 22:00:32 localhost kernel: [ 870.727165] konsole[1174]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d]
Mar 12 22:00:32 localhost systemd-coredump[1175]: Process 1174 (konsole) dumped core.
Mar 12 22:01:01 localhost systemd[1]: Starting Cleanup of Temporary Directories...
Mar 12 22:01:01 localhost CROND[1186]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 22:01:01 localhost anacron[1192]: Anacron started on
Mar 12 22:01:01 localhost anacron[1192]: Normal exit (0 jobs run)
Mar 12 22:01:01 localhost systemd[1]: Started Cleanup of Temporary Directories.
Mar 12 22:01:04 localhost kernel: [ 902.743018] konsole[1196]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d]
Mar 12 22:01:04 localhost systemd-coredump[1197]: Process 1196 (konsole) dumped core.
Mar 12 22:01:21 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:21 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 22:01:21 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:22 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:22 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:46 localhost dhcpcd[1119]: eth0: carrier lost
Mar 12 22:01:46 localhost kernel: [ 945.353892] sky2 .0 eth0: Link is down
[ussr@unknown ~]$ ps aux
PID %CPU %MEM
STAT START
TIME COMMAND
0:00 /bin/systemd
0:00 [kthreadd]
0:01 [ksoftirqd/0]
0:00 [kworker/0:0H]
0:00 [kworker/u:0H]
0:00 [migration/0]
0:01 [rcu_preempt]
0:00 [rcu_bh]
0:00 [rcu_sched]
0:00 [watchdog/0]
0:00 [watchdog/1]
0:01 [ksoftirqd/1]
0:00 [migration/1]
0:00 [kworker/1:0H]
0:00 [cpuset]
0:00 [khelper]
0:00 [kdevtmpfs]
0:00 [netns]
0:00 [bdi-default]
0:00 [kblockd]
0:00 [khungtaskd]
0:00 [kswapd0]
0:00 [ksmd]
0:00 [khugepaged]
0:00 [fsnotify_mark]
0:00 [crypto]
0:00 [kthrotld]
0:00 [deferwq]
0:00 [khubd]
0:00 [ata_sff]
0:00 [scsi_eh_0]
0:00 [scsi_eh_1]
0:00 [scsi_eh_2]
0:00 [scsi_eh_3]
0:00 [scsi_eh_4]
0:00 [scsi_eh_5]
0:00 [kworker/u:4]
0:00 [kworker/1:1H]
0:00 [kworker/0:1H]
0:00 [jbd2/sda5-8]
0:00 [ext4-dio-unwrit]
0:00 /usr/lib/systemd/systemd-udevd
1:04 /usr/lib/systemd/systemd-journald
0:00 [iprt]
0:00 [led_workqueue]
0:00 [kpsmoused]
0:00 [cfg80211]
0:00 [ttm_swap]
0:00 [hd-audio0]
0:00 [hd-audio1]
0:00 /usr/bin/mount.ntfs-3g /dev/sda4 /media/Datos -o rw,relatime
0:00 /usr/sbin/syslog-ng -F
0:00 /usr/sbin/crond -n
0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
0:00 /usr/lib/systemd/systemd-logind
0:00 /sbin/agetty --noclear tty1 38400 linux
0:00 /usr/bin/kdm -nodaemon
0:01 /usr/lib/upower/upowerd
0:00 /usr/lib/polkit-1/polkitd --no-debug
0:01 /usr/lib/udisks2/udisksd --no-debug
0:00 dhcpcd
Ssl+ 22:01
0:27 /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-WnL9Aa
0:00 /bin/sh /usr/bin/startkde
0:00 /usr/bin/dbus-launch --sh-syntax --exit-with-session
0:01 /usr/bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
0:00 /usr/bin/gpg-agent -s --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file
0:00 /usr/bin/ssh-agent -s
0:00 /usr/lib/kde4/libexec/start_kdeinit +kcminit_startup
0:00 kdeinit4: kdeinit4 Running...
0:00 kdeinit4: klauncher [kdeinit] --fd=9
0:01 kdeinit4: kded4 [kdeinit]
0:00 kdeinit4: kglobalaccel [kdeinit]
0:00 /usr/bin/kactivitymanagerd
0:00 kwrapper4 ksmserver
0:00 kdeinit4: ksmserver [kdeinit]
0:19 kwin -session d074_66050
0:00 /usr/bin/knotify4
0:27 kdeinit4: plasma-desktop [kdeinit]
0:00 /usr/bin/kuiserver
0:00 /usr/bin/akonadi_control
0:00 akonadiserver
0:01 /usr/bin/mysqld --defaults-file=/home/ussr/.local/share/akonadi/mysql.conf --datadir=/home/ussr/.local/
0:00 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resource_0
0:00 /usr/bin/akonadi_archivemail_agent --identifier akonadi_archivemail_agent
0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_0
0:00 /usr/bin/akonadi_agent_launcher akonadi_maildir_resource akonadi_maildir_resource_0
0:00 /usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
0:00 /usr/bin/akonadi_mailfilter_agent --identifier akonadi_mailfilter_agent
0:00 /usr/bin/akonadi_nepomuk_feeder --identifier akonadi_nepomuk_feeder
0:00 kdeinit4: kio_http_cache_cleaner [kdeinit]
0:00 /usr/bin/nepomukserver
0:12 /usr/bin/nepomukservicestub nepomukstorage
0:35 /usr/bin/virtuoso-t +foreground +configfile /tmp/virtuoso_ZT1461.ini +wait
0:00 kdeinit4: krunner [kdeinit]
0:00 kdeinit4: kmix [kdeinit] -session d850000
0:00 /usr/bin/nepomukcontroller -session d074_36315
0:04 yakuake -session d074_36424
0:00 /bin/bash
0:00 /usr/lib/kde4/libexec/polkit-kde-authentication-agent-1
0:00 /usr/bin/korgac --icon korgac
0:00 kdeinit4: klipper [kdeinit]
0:12 kdeinit4: konsole [kdeinit]
0:00 /bin/bash
0:00 /usr/bin/nepomukservicestub nepomukfilewatch
0:08 /usr/bin/nepomukservicestub nepomukfileindexer
0:01 [kworker/1:1]
0:00 [flush-8:0]
0:00 [kworker/0:1]
0:00 [scsi_eh_6]
0:00 [usb-storage]
0:00 [kworker/1:0]
0:00 [kworker/u:0]
0:00 /usr/lib/at-spi2-core/at-spi-bus-launcher
0:00 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
0:00 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
0:00 /usr/lib/GConf/gconfd-2
0:00 [kworker/0:0]
0:00 [kworker/0:2]
0:00 [flush-8:16]
0:00 ps aux
I have checked in .bashrc and the prompt is still:
PS1='[\u@\h \W]\$ '
And \h means hostname... And if I check in /etc/hosts:
localhost.localdomain
localhost.localdomain
So, something is wrong..
I don't know how to proceed, neither on computer A nor on computer B.
Question C: Is it possible to have a mechanism to know every file that is modified, added or deleted on the whole system? Something like a log, but for every file? I think it is the only way to know what is going on.
Any help? Please, I'm so lost in this area..
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124
ZZipo, I have sent you a private message regarding your situation.
We at LQSecurity will certainly help you with this situation.
Please try to disturb the situation as little as possible and avoid rebooting, etc.
Would you please tell me what distribution you're running, an estimate of the patch level (how judicious have you been in performing updates), what server processes you are running, if you are running any control panels such as plesk, etc.?
I would also ask that you please run the following command as root to capture a process tree, open file list, and network connection status:
( \ps axfwwwe 2>&1; lsof -Pwln 2>&1; netstat -antTupe 2>&1; lastlog 2>&1; last 2>&1; who -wa 2>&1; find /tmp /var/tmp /usr/tmp /var/spool/cron -printf "%T@ %A@ %C@ %u %g %m %y \"%p\"\n" 2>&1 ) > /tmp/output.log
Please obtain copies of your log files and transfer them to a safe location.
I would like to ask how far back your log files go and do they predate the suspected compromise?
Are you familiar with the logwatch utility?
Please obtain it and run it with the following options
--detail High --service All --range All --archives --numeric --save /path/to/logwatch.log
These commands should be run as root.
The two commands above will create a file called output.log in your /tmp folder and a file called logwatch.log.
We will need to evaluate the output of these commands to gather information regarding the state of your system.
We can make arrangements for you to either upload them or email them to us for analysis.
While you are obtaining this information, I will review what you have posted above and get back with you as soon as possible.
Lastly, I would like for you to review the dated, but still valid,
as it will give you an idea of the steps involved in investigating your situation.
In essence, we will gather information regarding what is running on the system, open network connections, history information, look for hidden and modified files.
2 members found this post helpful.
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124
Here is some follow up information for you.
First, about computer A.
Clamav is pretty good at detecting Windows viruses.
It is not likely to tell you much about Linux infections, though.
The Heuristics.Broken.Executable which you are getting on both systems means that the scanner has trouble following the executable machine code.
from Ubuntu's Launchpad bug system regarding this message.
Apparently this heuristic was intended to be a form of mail worm scanner.
It does look like there is some garbage on the Windows system.
I haven't investigated these items yet, but that is one thing we should check, however, Windows tends to ignore non Windows drive partitions and I doubt that Windows malware would take over a Linux system on the machine.
It is more likely to have an issue directly with it.
On computer A, when you say connected directly to DSL, is there a router in between, and when you connected computer B, was it in the same LAN or directly connected to the DSL?
I am curious as to where the DHCP server connection originated.
My suspicion is that no, it is unlikely that the markers (bookmarks?) in Firefox would have been accidentally modified in the manner you describe without some form of intrusion.
Have a look at
which discusses where the marker files are stored.
This gives us an idea of an area to investigate.
Your firewall settings look ok and indicate that you're not running any server process.
This is good and helps to limit your exposure.
You will still need to investigate this machine THOROUGHLY.
I understand your concerns with what happened with machine B, let's discuss that now.
One thing I would suggest you do is look at your /etc/dhcp/dhclient.conf.
One of the things that is possible is to get the hostname via DHCP and it looks like the hostname was changed on your system.
This can also have side effects and from googling this function it looks like the underlying X window system and display managers don't take kindly to it.
Do you have a request line with host-name in it?
If so, this is probably what happened.
You can also look at your /etc/hostname file to see what is in there.
Looking at the log files, you can see where your system obtained a DHCP lease.
Immediately following this, part of your KDE system crashed, "konsole[1156]: segfault at 84 ip b73128d4"
Note the pid number 1156.
Pids in this range are missing in your process list, but are immediately followed by /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-WnL9Aa, which looks like a restart of X, fitting with the theory that changing hostname conflicts with the display manager.
The pause you saw was likely this crashing, restarting, and trying to generate a core dump.
Looking over your process list, I don't see anything particularly out of the ordinary.
The -:0 with the PID immediately following the restart of X is a little odd, but I think it is part of the X system.
The only thing I can see out of the ordinary on the process list is that you're running KDE with some Gnome3 processes, e.g.
/etc/at-spi2/accessibility.conf and the following two lines.
Googling these processes pulls up information about Arch packages, and having both KDE and Gnome libraries and applications on the same system is not uncommon.
I don't think that there is anything malicious about it.
So, as it stands, you still need to investigate computer A.
I think we have a good theory as to what happened when you tried to connect with computer B.
I would recommend that you change the network settings to use a static IP instead of DHCP next time you connect.
You can also use a livecd for extra precaution as that can't be permanently written.
The commands I provided earlier should be run in investigating machine A and we should start by capturing information about it.
1 members found this post helpful.
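The timing argument in the post above (a DHCP lease followed by konsole crashes) can be checked mechanically; this is an added example, not part of the thread. It lists segfault and core-dump lines logged within a window after a dhcpcd "leased" line. The sample lines are taken from the log posted earlier with the split kernel lines rejoined, and the function names and the 120-second default are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): crash events that follow a DHCP lease.
# Function names and the default window are assumptions for illustration.

# sample_log: lines from the everything.log excerpt posted in this thread,
# with each kernel message rejoined onto a single line.
sample_log() {
    cat <<'EOF'
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: broadcasting for a lease
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: offered 192.168.1.35 from 192.168.1.1
Mar 12 21:58:10 localhost dhcpcd[1072]: eth0: leased 192.168.1.35 for 43200 seconds
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: no IPv6 Routers available
Mar 12 21:59:33 localhost kernel: [ 812.425190] konsole[1156]: segfault at 84 ip b73128d4 sp bf9e00c0 error 4 in libkdeui.so.5.10.0[b6fcb000+42b000]
Mar 12 21:59:33 localhost systemd-coredump[1158]: Process 1156 (konsole) dumped core.
Mar 12 21:59:47 localhost kernel: [ 826.338582] konsole[1164]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d]
Mar 12 21:59:48 localhost systemd-coredump[1165]: Process 1164 (konsole) dumped core.
Mar 12 22:00:32 localhost kernel: [ 870.727165] konsole[1174]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d]
Mar 12 22:00:32 localhost systemd-coredump[1175]: Process 1174 (konsole) dumped core.
Mar 12 22:01:01 localhost CROND[1186]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# events_after_lease [WINDOW_SECONDS] < syslog-style log
# For each dhcpcd "leased" line, print the segfault / core-dump lines logged
# on the same day within WINDOW seconds afterwards, prefixed with the delay.
# Syslog timestamps carry no year, so a lease just before midnight is not
# matched against events after it.
events_after_lease() {
    awk -v window="${1:-120}" '
        # Convert HH:MM:SS to seconds since midnight.
        function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        { now = secs($3); day = $1 " " $2 }
        # Field 5 is "program[pid]:" in the classic syslog layout.
        $5 ~ /^dhcpcd\[/ && / leased / { lease = now; lease_day = day; have = 1; next }
        have && day == lease_day && now >= lease && now - lease <= window &&
            (/segfault at / || /dumped core/) {
            printf "+%ds %s\n", now - lease, $0
        }
    '
}

# Usage:
#   sample_log | events_after_lease 120
#   events_after_lease 300 < /var/log/everything.log
```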
Registered: Mar 2013
Original Poster
I'm going to post some other new information and in the last part I answer both posts. Thank you in advance
Because of the maximum limit of chars I will post again and again.
Computer A
3.1.10-1.16-desktop
openSUSE 12.1 (i586)
VERSION = 12.1
CODENAME = Asparagus
Last updated: Probably 6 months ago. (I don't know how to check it now)
Processes (ps -Al)
PID %CPU %MEM
STAT START
TIME COMMAND
0:02 /sbin/init showopts
0:00 [kthreadd]
0:00 [ksoftirqd/0]
0:00 [migration/0]
0:16 [rcuc0]
0:00 [rcun0]
0:00 [rcub0]
0:00 [rcun1]
0:00 [rcub1]
0:00 [watchdog/0]
0:00 [migration/1]
0:14 [rcuc1]
0:00 [ksoftirqd/1]
0:00 [watchdog/1]
0:00 [migration/2]
0:12 [rcuc2]
0:00 [ksoftirqd/2]
0:00 [watchdog/2]
0:00 [migration/3]
0:09 [rcuc3]
0:04 [ksoftirqd/3]
0:00 [watchdog/3]
0:00 [cpuset]
0:00 [khelper]
0:00 [kdevtmpfs]
0:00 [netns]
0:00 [sync_supers]
0:00 [bdi-default]
0:00 [kintegrityd]
0:00 [kblockd]
0:00 [ata_sff]
0:00 [khubd]
0:00 [khungtaskd]
3:02 [kswapd0]
0:00 [ksmd]
0:02 [khugepaged]
0:00 [fsnotify_mark]
0:00 [crypto]
0:00 [kthrotld]
0:00 [scsi_eh_0]
0:00 [scsi_eh_1]
0:00 [scsi_eh_2]
0:00 [scsi_eh_3]
0:00 [kworker/u:3]
0:00 [kpsmoused]
0:00 [scsi_eh_4]
0:03 [usb-storage]
0:00 [kworker/u:5]
0:00 [scsi_eh_5]
0:00 [scsi_eh_6]
0:00 [scsi_eh_7]
0:20 [usb-storage]
0:00 [scsi_eh_8]
0:00 [scsi_eh_9]
0:00 [ttm_swap]
0:01 [jbd2/sda5-8]
0:00 [ext4-dio-unwrit]
0:00 /sbin/udevd
0:00 [kauditd]
0:00 /lib/systemd/systemd-stdout-syslog-bridge
0:00 /sbin/udevd
0:00 /sbin/udevd
0:00 [firewire]
0:00 [hd-audio1]
0:00 [hd-audio2]
7:49 /sbin/mount.ntfs-3g /dev/sdc1 /windows/datos -o rw,locale=es_ES.UTF-8
13:31 /sbin/mount.ntfs-3g /dev/sda3 /windows/othe -o rw,noexec,nosuid,nodev,users,gid=10
6:36 /sbin/mount.ntfs-3g /dev/sda4 /windows/caviarblue -o rw,locale=es_ES.UTF-8
0:12 [jbd2/sda6-8]
0:00 [ext4-dio-unwrit]
0:00 /lib/systemd/systemd-logind
0:00 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
0:00 /sbin/acpid
0:00 avahi-daemon: running [linux-7sgr.local]
0:00 /usr/sbin/nscd
0:12 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
0:03 /sbin/haveged -w 1024 -v 1
0:00 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
0:00 /usr/bin/kdm
50:26 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-Fx
0:00 /sbin/agetty tty1 38400
0:00 /usr/sbin/console-kit-daemon --no-daemon
0:01 /usr/lib/polkit-1/polkitd --no-debug
0:00 /bin/sh /usr/bin/startkde
0:00 /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhcli
0:01 /usr/bin/gpg-agent --sh --daemon --write-env-file /home/userA/.gnupg/agent.info /et
0:00 dbus-launch --sh-syntax --exit-with-session
0:02 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
0:00 /usr/lib/kde4/libexec/start_kdeinit +kcminit_startup
0:00 kdeinit4: kdeinit4 Running...
0:00 kdeinit4: klauncher [kdeinit] --fd=9
0:06 kdeinit4: kded4 [kdeinit]
0:00 /sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook
0:01 kdeinit4: kglobalaccel [kdeinit]
0:00 /usr/lib/upower/upowerd
0:00 kwrapper4 ksmserver
0:01 kdeinit4: ksmserver [kdeinit]
0:11 /usr/lib/udisks/udisks-daemon
0:00 udisks-daemon: not polling any devices
12:35 kwin -session e313_870095
0:01 /usr/bin/kactivitymanagerd
0:02 /usr/bin/knotify4
2:09 kdeinit4: plasma-desktop [kdeinit]
0:01 /usr/bin/kuiserver
0:03 kdeinit4: kaccess [kdeinit]
0:00 kdeinit4: nepomukserver [kdeinit]
2:27 kdeinit4: krunner [kdeinit]
0:01 /usr/bin/nepomukservicestub nepomukstorage
0:10 /usr/bin/virtuoso-t +foreground +configfile /tmp/virtuoso_Ti3064.ini +wait
0:01 /usr/bin/akonadi_control
0:03 akonadiserver
0:19 /usr/sbin/mysqld --defaults-file=/home/userA/.local/share/akonadi//mysql.conf --dat
0:01 /usr/bin/nepomukcontroller -session e
0:02 kdeinit4: kmix [kdeinit] -session e87000
0:01 /usr/bin/kget -session e313_756240
0:00 /usr/bin/nepomukservicestub nepomukbackupsync
0:00 /usr/bin/nepomukservicestub digikamnepomukservice
0:02 /usr/bin/nepomukservicestub nepomukfilewatch
0:00 /usr/bin/nepomukservicestub nepomukqueryservice
0:42 /usr/bin/pulseaudio --start --log-target=syslog
0:01 /usr/lib/rtkit/rtkit-daemon
0:01 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_0
0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_1
0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_2
0:01 /usr/bin/akonadi_agent_launcher akonadi_maildir_resource akonadi_maildir_resource_
0:01 /usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
0:01 /usr/bin/akonadi_nepomuk_calendar_feeder --identifier akonadi_nepomuk_calendar_fee
0:01 /usr/bin/akonadi_nepomuk_contact_feeder --identifier akonadi_nepomuk_contact_feede
0:01 /usr/bin/akonadi_nepomuk_email_feeder --identifier akonadi_nepomuk_email_feeder
0:00 /usr/lib/kde4/libexec/polkit-kde-authentication-agent-1
0:00 /usr/lib/gvfs/gvfsd
0:00 /usr/lib/gvfs//gvfs-fuse-daemon /home/userA/.gvfs
0:00 /usr/sbin/cron -n
0:00 /usr/lib/GConf/2/gconfd-2
0:08 [kworker/1:2]
0:03 [kworker/2:3]
0:00 [flush-8:0]
1:33 /usr/lib/firefox/firefox
0:00 /usr/lib/mozilla/kmozillahelper
6:58 kdeinit4: konsole [kdeinit]
0:00 /bin/bash
0:00 sudo clamscan -r -l logclamav.log / --exclude-dir=/media/
3.0 808 pts/1
50:19 clamscan -r -l logclamav.log / --exclude-dir=/media/
0:01 [kworker/2:2]
0:03 [kworker/3:0]
0:10 [kworker/0:0]
0:01 [kworker/2:0]
0:00 /bin/bash
0:01 [kworker/1:0]
0:03 [kworker/0:3]
0:12 kdeinit4: kwrite [kdeinit]
0:00 [kworker/3:1]
0:00 [kworker/0:2]
0:00 [flush-8:32]
0:01 scdaemon --multi-server
0:31 /usr/bin/vlc /windows/datos/Música/Caro emerald - Deleted scenes from the cutting
0:00 [kworker/3:2]
0:00 [kworker/2:1]
0:00 kdeinit4: kio_trash [kdeinit] trash local:/tmp/ksocket-userA/kl
0:00 kdeinit4: kio_file [kdeinit] file local:/tmp/ksocket-userA/klau
0:00 kdeinit4: kio_file [kdeinit] file local:/tmp/ksocket-userA/klau
0:00 kdeinit4: kio_thumbnail [kdeinit] thumbnail local:/tmp/ksocket
0:00 [kworker/0:1]
0:01 /usr/lib/firefox/plugin-container /usr/lib/browser-plugins/libflashplayer.so -greo
0:00 [scdaemon] <defunct>
0:00 ps aux
I don't see above any process related to ftp, telnet, sshd (inactive below), etc. But above and below we can see dhcp6/dhcpcd/dhclient6 active.
[Continue..]
Registered: Mar 2013
Original Poster
[..Continue]
Services (sudo /sbin/service --status-all)
redirecting to systemctl
SuSEfirewall2_init.service - LSB: SuSEfirewall2 phase 1
Loaded: loaded (/etc/init.d/SuSEfirewall2_init)
Active: active (exited) since Tue, 12 Mar :30 +0000; 14h ago
Process: 938 ExecStart=/etc/init.d/SuSEfirewall2_init start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/SuSEfirewall2_init.service
Checking the status of SuSEfirewall2
redirecting to systemctl
acpid.service - ACPI Event Daemon
Loaded: loaded (/lib/systemd/system/acpid. enabled)
Active: active (running) since Tue, 12 Mar :30 +0000; 14h ago
Process: 993 ExecStart=/sbin/acpid (code=exited, status=0/SUCCESS)
Main PID: 994 (acpid)
CGroup: name=systemd:/system/acpid.service
&# /sbin/acpid
redirecting to systemctl
alsa-restore.service - Restore Sound Card State
Loaded: loaded (/lib/systemd/system/alsa-restore. static)
Active: inactive (dead) since Tue, 12 Mar :29 +0000; 14h ago
Process: 909 ExecStart=/usr/sbin/alsactl restore (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/alsa-restore.service
redirecting to systemctl
atd.service - LSB: Start AT batch job daemon
Loaded: loaded (/etc/init.d/atd)
Active: inactive (dead)
CGroup: name=systemd:/system/atd.service
redirecting to systemctl
autofs.service - LSB: automatic mounting of filesystems
Loaded: loaded (/etc/init.d/autofs)
Active: inactive (dead)
CGroup: name=systemd:/system/autofs.service
redirecting to systemctl
avahi-daemon.service - Avahi mDNS/DNS-SD Stack
Loaded: loaded (/lib/systemd/system/avahi-daemon. enabled)
Active: active (running) since Tue, 12 Mar :30 +0000; 14h ago
Main PID: 1010 (avahi-daemon)
Status: "Server startup complete. Host name is linux-7sgr.local. Local service cookie is ."
CGroup: name=systemd:/system/avahi-daemon.service
&# avahi-daemon: running [linux-7sgr.local]
redirecting to systemctl
avahi-dnsconfd.service - Avahi DNS Configuration Daemon
Loaded: loaded (/lib/systemd/system/avahi-dnsconfd. disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/avahi-dnsconfd.service
redirecting to systemctl
bluez-coldplug.service - LSB: handles udev coldplug of bluetooth dongles
Loaded: loaded (/etc/init.d/bluez-coldplug)
Active: active (exited) since Tue, 12 Mar :52 +0000; 14h ago
Process: 3920 ExecStart=/etc/init.d/bluez-coldplug start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/bluez-coldplug.service
redirecting to systemctl
cgroup.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
systemd-tmpfiles-setup.service - Recreate Volatile Files and Directories
Loaded: loaded (/lib/systemd/system/systemd-tmpfiles-setup. static)
Active: active (exited) since Tue, 12 Mar :29 +0000; 14h ago
Process: 906 ExecStart=/bin/systemd-tmpfiles --create --remove (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/systemd-tmpfiles-setup.service
redirecting to systemctl
clock.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
crypto.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
crypto-early.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
cycle.service - LSB: Set default boot entry if called
Loaded: loaded (/etc/init.d/boot.cycle)
Active: active (exited) since Tue, 12 Mar :19 +0000; 14h ago
Process: 470 ExecStart=/etc/init.d/boot.cycle start (code=exited, status=6/NOTCONFIGURED)
CGroup: name=systemd:/system/cycle.service
redirecting to systemctl
device-mapper.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
dmraid.service - LSB: start dmraid
Loaded: loaded (/etc/init.d/boot.dmraid)
Active: inactive (dead)
CGroup: name=systemd:/system/dmraid.service
redirecting to systemctl
klog.service - Early Kernel Boot Messages
Loaded: loaded (/lib/systemd/system/klog. disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/klog.service
redirecting to systemctl
ldconfig.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
loadmodules.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
localfs.service - Shadow /etc/init.d/boot.localfs
Loaded: loaded (/lib/systemd/system/localfs. static)
Active: inactive (dead)
CGroup: name=systemd:/system/localfs.service
redirecting to systemctl
localnet.service - LSB: setup hostname and yp
Loaded: loaded (/etc/init.d/boot.localnet)
Active: active (exited) since Tue, 12 Mar :20 +0000; 14h ago
Process: 503 ExecStart=/etc/init.d/boot.localnet start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/localnet.service
redirecting to systemctl
lvm.service - LSB: start logical volumes
Loaded: loaded (/etc/init.d/boot.lvm)
Active: inactive (dead)
CGroup: name=systemd:/system/lvm.service
redirecting to systemctl
lvm_monitor.service - LSB: start monitoring of LVM VGs now filesystems are mounted rw
Loaded: loaded (/etc/init.d/boot.lvm_monitor)
Active: inactive (dead)
CGroup: name=systemd:/system/lvm_monitor.service
redirecting to systemctl
md.service - LSB: Multiple Device RAID
Loaded: loaded (/etc/init.d/boot.md)
Active: inactive (dead)
CGroup: name=systemd:/system/md.service
redirecting to systemctl
multipath.service - LSB: Create multipath device targets
Loaded: loaded (/etc/init.d/boot.multipath)
Active: inactive (dead)
CGroup: name=systemd:/system/multipath.service
redirecting to systemctl
fsck-root.service - File System Check on Root Device
Loaded: loaded (/lib/systemd/system/fsck-root. static)
Active: inactive (dead)
start condition failed at Tue, 12 Mar :19 +0000; 14h ago
CGroup: name=systemd:/system/fsck-root.service
redirecting to systemctl
swap.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
systemd-sysctl.service - Apply Kernel Variables
Loaded: loaded (/lib/systemd/system/systemd-sysctl. static)
Active: active (exited) since Tue, 12 Mar :20 +0000; 14h ago
Process: 528 ExecStart=/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/systemd-sysctl.service
redirecting to systemctl
udev.service - udev Kernel Device Manager
Loaded: loaded (/lib/systemd/system/udev. static)
Active: active (running) since Tue, 12 Mar :19 +0000; 14h ago
Main PID: 471 (udevd)
CGroup: name=systemd:/system/udev.service
&# /sbin/udevd
&# /sbin/udevd
&# /sbin/udevd
redirecting to systemctl
cifs.service - LSB: Import remote SMB/ CIFS (MS Windows) file systems
Loaded: loaded (/etc/init.d/cifs)
Active: inactive (dead)
CGroup: name=systemd:/system/cifs.service
redirecting to systemctl
clamav-milter.service - LSB: milter compatible mail scanner
Loaded: loaded (/etc/init.d/clamav-milter)
Active: inactive (dead)
CGroup: name=systemd:/system/clamav-milter.service
redirecting to systemctl
clamd.service - LSB: virus scanner daemon
Loaded: loaded (/etc/init.d/clamd)
Active: inactive (dead)
CGroup: name=systemd:/system/clamd.service
redirecting to systemctl
cpufreq.service - LSB: CPUFreq modules loader
Loaded: loaded (/etc/init.d/cpufreq)
Active: active (exited) since Tue, 12 Mar :29 +0000; 14h ago
Process: 916 ExecStart=/etc/init.d/cpufreq start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/cpufreq.service
redirecting to systemctl
cron.service - Command Scheduler
Loaded: loaded (/lib/systemd/system/cron. enabled)
Active: active (running) since Tue, 12 Mar :52 +0000; 14h ago
Main PID: 3923 (cron)
CGroup: name=systemd:/system/cron.service
&# /usr/sbin/cron -n
redirecting to systemctl
cups.service - LSB: CUPS printer daemon
Loaded: loaded (/etc/init.d/cups)
Active: active (running) since Tue, 12 Mar :30 +0000; 14h ago
Process: 1062 ExecStart=/etc/init.d/cups start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/cups.service
&# /usr/sbin/cupsd -C /etc/cups/cupsd.conf
redirecting to systemctl
dbus.service - D-Bus System Message Bus
Loaded: loaded (/lib/systemd/system/dbus. static)
Active: active (running) since Tue, 12 Mar :30 +0000; 14h ago
Process: 1024 ExecStartPre=/bin/rm -f /var/run/dbus/pid (code=exited, status=0/SUCCESS)
Process: 1003 ExecStartPre=/bin/dbus-uuidgen --ensure (code=exited, status=0/SUCCESS)
Main PID: 1043 (dbus-daemon)
CGroup: name=systemd:/system/dbus.service
&# /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
&# /usr/lib/polkit-1/polkitd --no-debug
&# /usr/lib/upower/upowerd
&# /usr/lib/udisks/udisks-daemon
&# udisks-daemon: not polling any devices
&# /usr/lib/rtkit/rtkit-daemon
redirecting to systemctl
dnsmasq.service - LSB: Starts internet name service masq caching server (DNS)
Loaded: loaded (/etc/init.d/dnsmasq)
Active: inactive (dead)
CGroup: name=systemd:/system/dnsmasq.service
Checking for service syslog:
redirecting to systemctl
freshclam.service - LSB: virus scanner daemon
Loaded: loaded (/etc/init.d/freshclam)
Active: inactive (dead)
CGroup: name=systemd:/system/freshclam.service
Neither the variables MOUSEDEVICE and MOUSETYPE nor the variable GPM_PARAM
is set in /etc/sysconfig/mouse
Run 'yast mouse' to set up gpm
redirecting to systemctl
haveged.service - Haveged Entropy Gathering Daemon
Loaded: loaded (/lib/systemd/system/haveged. enabled)
Active: active (running) since Tue, 12 Mar :30 +0000; 14h ago
Process: 995 ExecStart=/sbin/haveged -w 1024 -v 1 (code=exited, status=0/SUCCESS)
Main PID: 1058 (haveged)
CGroup: name=systemd:/system/haveged.service
&# /sbin/haveged -w 1024 -v 1
redirecting to systemctl
joystick.service - LSB: Set up analog joysticks
Loaded: loaded (/etc/init.d/joystick)
Active: inactive (dead)
CGroup: name=systemd:/system/joystick.service
redirecting to systemctl
kbd.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
kexec.service - Reboot via kexec
Loaded: loaded (/lib/systemd/system/kexec. static)
Active: inactive (dead)
CGroup: name=systemd:/system/kexec.service
redirecting to systemctl
ksysguardd.service - LSB: KDE ksysguard daemon
Loaded: loaded (/etc/init.d/ksysguardd)
Active: inactive (dead)
CGroup: name=systemd:/system/ksysguardd.service
redirecting to systemctl
lirc.service - LSB: lirc daemon
Loaded: loaded (/etc/init.d/lirc)
Active: inactive (dead)
CGroup: name=systemd:/system/lirc.service
redirecting to systemctl
mdadmd.service - LSB: mdadmd daemon monitoring MD devices
Loaded: loaded (/etc/init.d/mdadmd)
Active: inactive (dead)
CGroup: name=systemd:/system/mdadmd.service
redirecting to systemctl
microcode.ctl.service - LSB: CPU microcode updater
Loaded: loaded (/etc/init.d/microcode.ctl)
Active: active (exited) since Tue, 12 Mar :29 +0000; 14h ago
Process: 914 ExecStart=/etc/init.d/microcode.ctl start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/microcode.ctl.service
redirecting to systemctl
multipathd.service - LSB: Starts multipath daemon
Loaded: loaded (/etc/init.d/multipathd)
Active: inactive (dead)
CGroup: name=systemd:/system/multipathd.service
redirecting to systemctl
mysql.service - LSB: Start the MySQL database server
Loaded: loaded (/etc/init.d/mysql)
Active: inactive (dead)
CGroup: name=systemd:/system/mysql.service
redirecting to systemctl
network.service - LSB: Configure the localfs depending network interfaces
Loaded: loaded (/etc/init.d/network)
Active: active (running) since Tue, 12 Mar :52 +0000; 14h ago
Process: 1061 ExecStart=/etc/init.d/network start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/network.service
&# /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhclient6.eth0.lease -pf /var/run/dhclie...
&# /sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h linux-7sgr eth0
redirecting to systemctl
network-remotefs.service - LSB: Configure the remote-fs depending network interfaces
Loaded: loaded (/etc/init.d/network-remotefs)
Active: active (exited) since Tue, 12 Mar :52 +0000; 14h ago
Process: 3935 ExecStart=/etc/init.d/network-remotefs start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/network-remotefs.service
redirecting to systemctl
nfs.service - LSB: NFS client services
Loaded: loaded (/etc/init.d/nfs)
Active: inactive (dead)
CGroup: name=systemd:/system/nfs.service
redirecting to systemctl
nmb.service - LSB: Samba NetBIOS naming service over IP
Loaded: loaded (/etc/init.d/nmb)
Active: inactive (dead)
CGroup: name=systemd:/system/nmb.service
redirecting to systemctl
nscd.service - LSB: Start Name Service Cache Daemon
Loaded: loaded (/etc/init.d/nscd)
Active: active (running) since Tue, 12 Mar :30 +0000; 14h ago
Process: 1008 ExecStart=/etc/init.d/nscd start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/nscd.service
&# /usr/sbin/nscd
redirecting to systemctl
ntp.service - LSB: Network time protocol daemon (ntpd)
Loaded: loaded (/etc/init.d/ntp)
Active: inactive (dead)
CGroup: name=systemd:/system/ntp.service
redirecting to systemctl
openvpn.service - LSB: OpenVPN tunnel
Loaded: loaded (/etc/init.d/openvpn)
Active: inactive (dead)
CGroup: name=systemd:/system/openvpn.service
redirecting to systemctl
pm-profiler.service - LSB: Script infrastructure to enable/disable certain power management functions
Loaded: loaded (/etc/init.d/pm-profiler)
Active: inactive (dead)
CGroup: name=systemd:/system/pm-profiler.service
redirecting to systemctl
Failed to issue method call: Unknown unit
redirecting to systemctl
powerd.service - LSB: Start the UPS monitoring daemon
Loaded: loaded (/etc/init.d/powerd)
Active: inactive (dead)
CGroup: name=systemd:/system/powerd.service
redirecting to systemctl
systemd-random-seed-load.service - Load Random Seed
Loaded: loaded (/lib/systemd/system/systemd-random-seed-load. static)
Active: inactive (dead) since Tue, 12 Mar :22 +0000; 14h ago
Process: 533 ExecStart=/lib/systemd/systemd-random-seed load (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/systemd-random-seed-load.service
redirecting to systemctl
raw.service - LSB: raw devices
Loaded: loaded (/etc/init.d/raw)
Active: inactive (dead)
CGroup: name=systemd:/system/raw.service
redirecting to systemctl
rpcbind.service - LSB: TI-RPC program number mapper
Loaded: loaded (/etc/init.d/rpcbind)
Active: inactive (dead)
CGroup: name=systemd:/system/rpcbind.service
redirecting to systemctl
rpmconfigcheck.service - LSB: rpm config file scan
Loaded: loaded (/etc/init.d/rpmconfigcheck)
Active: inactive (dead)
CGroup: name=systemd:/system/rpmconfigcheck.service
redirecting to systemctl
rsyncd.service - LSB: Start the rsync server daemon
Loaded: loaded (/etc/init.d/rsyncd)
Active: inactive (dead)
CGroup: name=systemd:/system/rsyncd.service
redirecting to systemctl
setserial.service - LSB: Initializes the serial ports
Loaded: loaded (/etc/init.d/setserial)
Active: inactive (dead)
CGroup: name=systemd:/system/setserial.service
/usr/sbin/FOO not installed
redirecting to systemctl
smartd.service - Self Monitoring and Reporting Technology (SMART) Daemon
Loaded: loaded (/lib/systemd/system/smartd. disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/smartd.service
redirecting to systemctl
smb.service - LSB: Samba SMB/CIFS file and print server
Loaded: loaded (/etc/init.d/smb)
Active: inactive (dead)
CGroup: name=systemd:/system/smb.service
redirecting to systemctl
smolt.service - LSB: Enables automated checkins with smolt
Loaded: loaded (/etc/init.d/smolt)
Active: inactive (dead)
CGroup: name=systemd:/system/smolt.service
redirecting to systemctl
splash.service - LSB: Splash screen setup
Loaded: loaded (/etc/init.d/splash)
Active: active (exited) since Tue, 12 Mar :30 +0000; 14h ago
Process: 971 ExecStart=/etc/init.d/splash start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/splash.service
redirecting to systemctl
splash_early.service - LSB: kills animation after network start
Loaded: loaded (/etc/init.d/splash_early)
Active: active (exited) since Tue, 12 Mar :52 +0000; 14h ago
Process: 3921 ExecStart=/etc/init.d/splash_early start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/splash_early.service
redirecting to systemctl
sshd.service - LSB: Start the sshd daemon
Loaded: loaded (/etc/init.d/sshd)
Active: inactive (dead)
CGroup: name=systemd:/system/sshd.service
redirecting to systemctl
syslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/syslog. enabled)
Active: active (running) since Tue, 12 Mar :30 +0000; 14h ago
Process: 984 ExecStart=/sbin/rsyslogd -c 5 -f /etc/rsyslog.conf (code=exited, status=0/SUCCESS)
Process: 982 ExecStartPre=/var/run/rsyslog/addsockets (code=exited, status=0/SUCCESS)
Process: 923 ExecStartPre=/bin/systemctl stop systemd-kmsg-syslogd.service (code=exited, status=0/SUCCESS)
Main PID: 988 (rsyslogd)
CGroup: name=systemd:/system/syslog.service
&# /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
redirecting to systemctl
xdm.service - LSB: X Display Manager
Loaded: loaded (/etc/init.d/xdm)
Active: active (running) since Tue, 12 Mar :31 +0000; 14h ago
Process: 1068 ExecStart=/etc/init.d/xdm start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/xdm.service
&# /usr/bin/kdm
&# /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-FxZ3mb
redirecting to systemctl
xfs.service - LSB: X Font Server
Loaded: loaded (/etc/init.d/xfs)
Active: inactive (dead)
CGroup: name=systemd:/system/xfs.service
redirecting to systemctl
xinetd.service - LSB: Starts the xinet daemon. Be aware that xinetd doesn't start if no service is configured to run under it. To enable xinetd services go to YaST Network Services (xinetd) section.
Loaded: loaded (/etc/init.d/xinetd)
Active: inactive (dead)
CGroup: name=systemd:/system/xinetd.service
redirecting to systemctl
ypbind.service - LSB: Start ypbind (necessary for a NIS client)
Loaded: loaded (/etc/init.d/ypbind)
Active: inactive (dead)
CGroup: name=systemd:/system/ypbind.service
Mozilla Firefox 14.0.1
- IcedTea-Web Plugin (using IcedTea-Web 1.2 (suse-3.1-i386)) - to execute Java Applets
- PackageKit - for installing Applications (new) - This is the first time I have seen this plugin, but it has probably always been here in openSUSE's Firefox.
- Shockwave Flash 11.2 r202
- Silverlight Plug-In 4.0.51204.0
- Adblock Plus
- All-in-One Sidebar
- Blank Your Monitor + Easy Reading
- DownloadHelper
- Novell Moonlight
- openSUSE Firefox extensions
- Personas
- Wiktionary and Google Translate
ComputerA is usually connected (nearly 24/7), and between the normal use (no attack identified) and the notice of the modification of the bookmarks (possible attack performed) there was 1 day. They didn't need to log in again, because the computer was switched on and only the screen was blacked out.
[Continue..]
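The service listing in the post above can be triaged mechanically instead of by eye. The following is an added example, not part of the original post: it parses output of that shape and separates units that are actually running from those that are merely installed. The sample text is constructed (dates abbreviated), and the names `parse_status`, `running` and `remote_access_hits` are made up for this illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the `service --status-all` output quoted
# in the post. "&#" is the mangled tree glyph as it appears on this page; real
# output uses a box-drawing character followed by the PID.
SAMPLE = """\
redirecting to systemctl
avahi-daemon.service - Avahi mDNS/DNS-SD Stack
   Loaded: loaded (/lib/systemd/system/avahi-daemon.service; enabled)
   Active: active (running) since Tue, 12 Mar; 14h ago
 Main PID: 1010 (avahi-daemon)
   CGroup: name=systemd:/system/avahi-daemon.service
           └ 1010 avahi-daemon: running [linux-7sgr.local]
redirecting to systemctl
cgroup.service
   Loaded: masked (/dev/null)
   Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
cups.service - LSB: CUPS printer daemon
   Loaded: loaded (/etc/init.d/cups)
   Active: active (running) since Tue, 12 Mar; 14h ago
   CGroup: name=systemd:/system/cups.service
           └ 1100 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
redirecting to systemctl
network.service - LSB: Configure the localfs depending network interfaces
Loaded: loaded (/etc/init.d/network)
Active: active (running) since Tue, 12 Mar; 14h ago
CGroup: name=systemd:/system/network.service
&# /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf
&# /sbin/dhcpcd --netconfig eth0
redirecting to systemctl
splash.service - LSB: Splash screen setup
   Loaded: loaded (/etc/init.d/splash)
   Active: active (exited) since Tue, 12 Mar; 14h ago
redirecting to systemctl
sshd.service - LSB: Start the sshd daemon
   Loaded: loaded (/etc/init.d/sshd)
   Active: inactive (dead)
   CGroup: name=systemd:/system/sshd.service
"""

HEADER = re.compile(r"^(\S+\.service)(?:\s+-\s+(.*))?$")
LOADED = re.compile(r"^Loaded:\s+(\S+)")
ACTIVE = re.compile(r"^Active:\s+(\S+)\s+\(([^)]+)\)")
# A cgroup member: tree glyph (or the page's mangled "&#"), optional PID, command.
PROC = re.compile(r"^(?:[└├]|&#)\s*(?:(\d+)\s+)?(.+)$")

@dataclass
class Unit:
    name: str
    description: str = ""
    load: str = ""
    active: str = ""
    sub: str = ""
    processes: list = field(default_factory=list)

def parse_status(text):
    """Split the status dump into one Unit per '<name>.service' block."""
    units, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "redirecting to systemctl":
            cur = None            # block separator: stop attributing lines
            continue
        m = HEADER.match(line)
        if m:
            cur = Unit(m.group(1), m.group(2) or "")
            units.append(cur)
            continue
        if cur is None:
            continue              # noise between blocks
        if (m := LOADED.match(line)):
            cur.load = m.group(1)
        elif (m := ACTIVE.match(line)):
            cur.active, cur.sub = m.groups()
        elif (m := PROC.match(line)):
            cur.processes.append(m.group(2))
    return units

def running(units):
    """Units with a live process; 'active (exited)' one-shots are excluded."""
    return [u for u in units if u.active == "active" and u.sub == "running"]

# The daemons the poster looked for in the process list.
REMOTE_ACCESS = ("ftp", "telnet", "sshd")

def remote_access_hits(units, keywords=REMOTE_ACCESS):
    """(unit, keyword) pairs where a running unit or its processes match."""
    hits = []
    for u in running(units):
        haystack = " ".join([u.name, *u.processes]).lower()
        hits.extend((u.name, k) for k in keywords if k in haystack)
    return hits

if __name__ == "__main__":
    parsed = parse_status(SAMPLE)
    for u in running(parsed):
        print(u.name, u.processes)
    print("remote-access daemons running:", remote_access_hits(parsed))
```

An installed but dead unit such as `sshd.service` is parsed yet never reported as running, which is the distinction the poster draws by hand.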
Registered: Mar 2013
Original Poster
[..Continue]
The router can be used over wireless, but that is deactivated. The only wires connected directly to the router go to computerA. There is no way for it to be tapped. It is impossible for there to be other users (intruders) on the same LAN.
Only two possibilities:
- tap the wire at some point from our house to the DSLAM (telco's), the wires of the neighborhood.
- attack from outside
The router has an easy password to access, but I think one first has to be in the LAN to be able to connect, isn't that so?
For sure none of the legitimate users access the router.
I have to say, I trust in the legitimate users 120%.
I have changed the physical address to show it here.
IP address
Physical Address
192.168.1.33 sf:sf:sf:sf:sf:sf eth0
Routing Table
Destination
IP Filter Configuration
IP Filtering: Disabled
Port Forwarding Configuration
External Port
Internal IP
Internal Port
192.168.1.33
192.168.1.33
Vitual Server Configuration
MAC Filtering
Quality of Service Configuration
Traffic Name
VLAN ID Min-Max
[Source IP] AddressNetmask
Start Port End Port
[Destination IP] AddressNetmask
Start Port End Port
Profile Name: voip
Rule: voip
Normal Service
81.47.224.0 255.255.252.0
NMAP in Computer A
sudo nmap -v -sT 192.168.1.0/24
Starting Nmap 5.61TEST2 ( http://nmap.org ) at
Initiating ARP Ping Scan at 10:43
Scanning 33 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 0.65s elapsed (33 total hosts)
Initiating Parallel DNS resolution of 33 hosts. at 10:43
Completed Parallel DNS resolution of 33 hosts. at 10:43, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:43
Completed Parallel DNS resolution of 1 host. at 10:43, 0.06s elapsed
Initiating Connect Scan at 10:43
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 21/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 8008/tcp on 192.168.1.1
Discovered open port 2800/tcp on 192.168.1.1
Completed Connect Scan at 10:43, 1.11s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.58s latency).
Not shown: 994 closed ports
STATE SERVICE
2800/tcp open
8008/tcp open
MAC Address: sf:sf:sf:sf:sf:sf (sfsfsfs.)
Initiating ARP Ping Scan at 10:43
Scanning 222 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 9.24s elapsed (222 total hosts)
Initiating Connect Scan at 10:43
Scanning 192.168.1.33 [1000 ports]
Completed Connect Scan at 10:43, 0.01s elapsed (1000 total ports)
Nmap scan report for 192.168.1.33
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.1.33 are closed
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (2 hosts up) scanned in 11.26 seconds
Raw packets sent: 509 (14.252KB) | Rcvd: 1 (28B)
sudo nmap -sT -O localhost
Starting Nmap 5.61TEST2 ( http://nmap.org ) at
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000071s latency).
Not shown: 999 closed ports
STATE SERVICE
631/tcp open
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.63 seconds
I see in port forwarding two ports for emule (really weird... several years without using that program), but then nmap doesn't detect those ports as open. Why?
Computer B - The next results are without an internet connection. (If I connect ethernet I will need other services like iptables, dhcpcd,... that are not listed now)
Executed without internet connection:
systemctl list-units --full | grep active
proc-sys-fs-binfmt_misc.automount
loaded active waiting
Arbitrary Executable File Formats File System Automount Point
sys-devices-pci0:00:01.0-.1-sound-card1.device
loaded active plugged
/sys/devices/pci0:00:01.0/.1/sound/card1
sys-devices-pci0:00:1b.0-sound-card0.device
loaded active plugged
/sys/devices/pci0:00:1b.0/sound/card0
sys-devices-pci0:00:1c.0-.0-net-wlan0.device
loaded active plugged
/sys/devices/pci0:00:1c.0/.0/net/wlan0
sys-devices-pci0:00:1c.3-.0-net-eth0.device
loaded active plugged
/sys/devices/pci0:00:1c.3/.0/net/eth0
sys-devices-pci0:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged
ST9500325AS
sys-devices-pci0:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged
ST9500325AS
sys-devices-pci0:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda3.device loaded active plugged
ST9500325AS
sys-devices-pci0:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda4.device loaded active plugged
ST9500325AS
sys-devices-pci0:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda5.device loaded active plugged
ST9500325AS
sys-devices-pci0:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda6.device loaded active plugged
ST9500325AS
sys-devices-pci0:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda.device
loaded active plugged
ST9500325AS
sys-devices-platform-serial8250-tty-ttyS0.device
loaded active plugged
/sys/devices/platform/serial8250/tty/ttyS0
sys-devices-platform-serial8250-tty-ttyS1.device
loaded active plugged
/sys/devices/platform/serial8250/tty/ttyS1
sys-devices-platform-serial8250-tty-ttyS2.device
loaded active plugged
/sys/devices/platform/serial8250/tty/ttyS2
sys-devices-platform-serial8250-tty-ttyS3.device
loaded active plugged
/sys/devices/platform/serial8250/tty/ttyS3
sys-module-configfs.device
loaded active plugged
/sys/module/configfs
sys-module-fuse.device
loaded active plugged
/sys/module/fuse
sys-subsystem-net-devices-eth0.device
loaded active plugged
/sys/subsystem/net/devices/eth0
sys-subsystem-net-devices-wlan0.device
loaded active plugged
/sys/subsystem/net/devices/wlan0
loaded active mounted
dev-hugepages.mount
loaded active mounted
Huge Pages File System
dev-mqueue.mount
loaded active mounted
POSIX Message Queue File System
media-Datos.mount
loaded active mounted
/media/Datos
sys-fs-fuse-connections.mount
loaded active mounted
FUSE Control File System
sys-kernel-config.mount
loaded active mounted
Configuration File System
sys-kernel-debug.mount
loaded active mounted
Debug File System
loaded active mounted
systemd-ask-password-console.path
loaded active waiting
Dispatch Password Requests to Console Directory Watch
systemd-ask-password-wall.path
loaded active waiting
Forward Password Requests to Wall Directory Watch
cronie.service
loaded active running
Periodic Command Scheduler
dbus.service
loaded active running
D-Bus System Message Bus
getty@tty1.service
loaded active running
Getty on tty1
iptables.service
loaded active exited
Packet Filtering Framework
kdm.service
loaded active running
K Display Manager
lm_sensors.service
loaded active exited
Initialize hardware monitoring sensors
polkit.service
loaded active running
Authorization Manager
rc-local.service
loaded active exited
/etc/rc.local Compatibility
syslog-ng.service
loaded active running
System Logger Daemon
systemd-journald.service
loaded active running
Journal Service
systemd-logind.service
loaded active running
Login Service
systemd-modules-load.service
loaded active exited
Load Kernel Modules
systemd-remount-fs.service
loaded active exited
Remount Root and Kernel File Systems
systemd-sysctl.service
loaded active exited
Apply Kernel Variables
systemd-tmpfiles-setup.service
loaded active exited
Recreate Volatile Files and Directories
systemd-udev-trigger.service
loaded active exited
udev Coldplug all Devices
systemd-udevd.service
loaded active running
udev Kernel Device Manager
systemd-user-sessions.service
loaded active exited
Permit User Sessions
systemd-vconsole-setup.service
loaded active exited
Setup Virtual Console
udisks2.service
loaded active running
Disk Manager
upower.service
loaded active running
Daemon for power management
dbus.socket
loaded active running
D-Bus System Message Bus Socket
dmeventd.socket
loaded active listening Device-mapper event daemon FIFOs
lvmetad.socket
loaded active listening LVM2 metadata daemon socket
syslog.socket
loaded active running
Syslog Socket
systemd-initctl.socket
loaded active listening /dev/initctl Compatibility Named Pipe
systemd-journald.socket
loaded active running
Journal Socket
systemd-shutdownd.socket
loaded active listening Delayed Shutdown Socket
systemd-udevd-control.socket
loaded active listening udev Control Socket
systemd-udevd-kernel.socket
loaded active running
udev Kernel Socket
dev-sda6.swap
loaded active active
arch-daemons.target
loaded active active
Arch Daemons
basic.target
loaded active active
Basic System
cryptsetup.target
loaded active active
Encrypted Volumes
getty.target
loaded active active
Login Prompts
graphical.target
loaded active active
Graphical Interface
local-fs-pre.target
loaded active active
Local File Systems (Pre)
local-fs.target
loaded active active
Local File Systems
multi-user.target
loaded active active
Multi-User
remote-fs.target
loaded active active
Remote File Systems
sockets.target
loaded active active
sound.target
loaded active active
Sound Card
swap.target
loaded active active
sysinit.target
loaded active active
System Initialization
syslog.target
loaded active active
systemd-tmpfiles-clean.timer
loaded active waiting
Daily Cleanup of Temporary Directories
76 loaded units listed. Pass --all to see loaded but inactive units, too.
sudo nmap -v -sT localhost
Starting Nmap 6.25 ( http://nmap.org ) at
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating Connect Scan at 13:01
Scanning localhost (127.0.0.1) [1000 ports]
Completed Connect Scan at 13:01, 0.03s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00058s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
All 1000 scanned ports on localhost (127.0.0.1) are closed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
[Connecting to the LAN and therefore to Internet]
If I try to connect to internet now, it doesn't work. I can do sudo ifconfig eth0 up, but sudo dhcpcd eth0 doesn't work.
It says: eth0 sending IPv6 Router Solicitation.... finally no IPv6 Routers available. Timed out.
I know that it has to be IPv4, but yesterday it worked, today not.
If I try to do ping 192.168.1.1 it says: network is unreachable.
I have to edit /etc/dhcpcd.conf manually and modify these lines:
Also, modify /etc/hosts and comment out the ::1 line
But as I said, I didn't modify them the other way round, and yesterday (the first time I connected computerB to the LAN of computerA) dhcpcd worked correctly for IPv4.
As I see it, there is still no network connection... at least dhcpcd has assigned me an IP, etc., but it is not in the normal range 192.168.1.x (as the router 192.168.1.1 and the other PC 192.168.1.33)
but 169.254.67.213, netmask 255.255.0.0 and broadcast 169.254.255.255
Something weird... and of course, the network is still unreachable if I try to ping Google or the router.
I have to reset the router manually for it to work properly from computerB.
Abnormal behaviour
The point is that after I connect to the Internet (ping works) the computer gets slow, emacs doesn't work, and if I try to open another terminal it says KDEInit could not launch '/usr/bin/konsole'
So, something goes wrong.
[Continue..]
Registered: Mar 2013
Original Poster
[..Continue]
3.7.9-2-ARCH
Updated almost every month. I do it just by pacman -Syu
I don't really have any idea whether errors appear, because there are hundreds of programs and packages and I'm quite a newbie with Linux.
When I beli}
