
Thread: Two Issues - Zombies and Security...

  1. #1
    Senior Member registered user
    Join Date
    Dec 2003
    Location
    Salt Lake City, UT, U.S.A.
    Posts
    1,338

    Two Issues - Zombies and Security...

    As the subject suggests, I have a "two-fold" question:

    ( 1 ) Zombies - it appears that after running a few days in Knoppix, v3.4, with kernel 2.6.6, I begin to get zombie processes. The one that bugs me the most is a smail process. What appears to happen is, the system boots up a single smail process, and then starts a second smail process, the first process goes zombie, and lists out in a ps -auxww as never using any process / usage time, and shows as <defunct> -=- the hard thing about all of this is, if I kill the <defunct> smail process, within a few minutes, the smail process that was running, goes <defunct> and creates a new smail process... Output of the ps -auxww command is below, has anyone any clues why this is happening, or a resolve???
    Code:
    root      9294  0.0  0.1  2284  996 ?        Ss   09:52   0:00 /usr/sbin/smail -bd -q10m
    root      9295  0.0  0.0     0    0 ?        Zs   09:52   0:00 [smail] <defunct>
    ( 2 ) Security - after reading a System Administrator book on Linux, mostly about Red Hat distro, I am worried about the random acts of security intrusion that someone may decide to "pick on" any system they feel is "fun". I have a firewall program running ( guarddog ), and I have nothing checked in the "receive" from internet, and only what I need on the "sending" checked ( mostly ftp, http, auth, pop3, and smtp )... I have even had someone check my IP address when I enter a chat room, when it shows where I am coming from, and that "address" is showing up as something that isn't even recognizable as an IP address... My question is, even with a firewall, someone can "tunnel" under that firewall, right? I know many "security" posts have been made in this, and the other, forums, but, short of never connecting to the internet, how can one ensure that they are as "secure" as they can be?

    I have gone to the "Shields Up" test site, and most of the time, I just get an error that the site can not display a page, when I ask it to test, is that a good sign?

    Ever since I moved to Linux, through Knoppix, the idea of running my system for days, weeks, and even months, at a time, has been a blessing, but, as I have found out, it isn't when I get zombies showing up, and intrusions ( possible ), though I have yet to find that I have been "picked on" by anyone - can't imagine why, I really don't have anything that interesting on my system anyway...

    Thanks for any advice, ideas, or suggestions, on these matters,
    Ms. Cuddles

  2. #2
    Senior Member
    Join Date
    Nov 2003
    Location
    Washington State
    Posts
    120
    Quote Originally Posted by Cuddles (post #1, quoted in full)
    A few things to try:

    ethereal - Ethereal is a network traffic analyzer, or "sniffer", for Unix and Unix-like operating systems. A sniffer is a tool used to capture packets off the wire. Ethereal decodes numerous protocols (too many to list).

    Code:
    apt-get install ethereal
    acidlab - The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

    Code:
    apt-get install acidlab
    fwatch - Allows you to seamlessly follow the file activity (open, close, stat) by hooking directly into the Linux kernel and reporting every operation to /dev/fwatch. Can help debugging and tuning. Fwatch is distributed as a Linux kernel module.

    Code:
    apt-get install fwatch
    A few tips:

    Persistently run users to check if anyone new is logging on to your box; if someone is, you should know, and likewise be able to disable any processes they may start. If you find that someone is logging on to your box, try turning off anything like a secure shell server that would allow one to remotely log in.

    You may want to change all your passwords, and ensure that correct permissions are in place for all your /dev devices.

    Run kuser to check group permissions.

    Make sure your zombies aren't being started by init.


    If you still have problems, and can't seem to pin them down, try debian: http://www.debian.org/devel/debian-installer, it's more focused on security and stability than knoppix.

    Meanwhile, check out my desktop: http://www.ncplus.net/~carer2c/img/desktop.png

    Hope I could help you become more paranoid.
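The zombie question in post #1 and the "make sure your zombies aren't being started by init" tip above both come down to one number that ps -auxww does not print: the parent PID. A zombie is a child that has already exited and is only waiting for its parent to call wait(), so killing the zombie itself does nothing; the parent (or a parent that never reaps) is what you act on. The script below is an added example, not code from the thread; it assumes the procps column order of ps -eo pid,ppid,stat,comm and runs here against a constructed ps sample made up for the demo.

```sh
#!/bin/sh
# Added example (not from the thread). A zombie is a child that has exited but
# whose parent has not yet called wait(); `kill` on the zombie itself does
# nothing because the process is already dead. The useful datum is therefore
# PPID, which `ps -aux` does not show. This parses `ps -eo pid,ppid,stat,comm`
# (procps column order assumed) and names the parent that owes the wait().

# Constructed sample standing in for `ps -eo pid,ppid,stat,comm` output.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   init
 9294     1 Ss   smail
 9295  9294 Zs   smail
 9300     1 S    sshd
 9401  9300 Z    sh'

# find_zombies: stdin = ps output as above; one line per zombie naming its parent.
# Only the first word of COMMAND is used, so a trailing "<defunct>" is ignored.
find_zombies() {
    awk '
        NR == 1 { next }                          # header line
        { name[$1] = $4 }                         # command name by pid
        $3 ~ /^Z/ { z[++n] = $1; parent[$1] = $2 } # first STAT letter Z = zombie
        END {
            for (i = 1; i <= n; i++) {
                p = z[i]; pp = parent[p]
                note = (pp == "1") ? " <- parent is init, which reaps at once; re-check" : ""
                printf "zombie %s (%s) parent %s (%s)%s\n", p, name[p], pp, name[pp], note
            }
        }'
}

# live_zombies: the same check against the running system.
live_zombies() {
    ps -eo pid,ppid,stat,comm | find_zombies
}

# Demo run on the constructed sample.
echo "$SAMPLE_PS" | find_zombies
# To clear a zombie, poke its PARENT: `kill -CHLD <ppid>` asks it to wait();
# if the parent never does, restart that daemon (here smail), not the zombie.
```

On the thread's own output the smail zombie would show PPID 9294, i.e. the daemon started with -bd -q10m, which explains the cycle described in post #1: killing the defunct child changes nothing, and whatever ends the parent just lets the next queue run fork a fresh child that is again left unreaped.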

  3. #3
    Senior Member registered user
    Join Date
    Dec 2003
    Location
    Salt Lake City, UT, U.S.A.
    Posts
    1,338
    Turbinater,

    Thanks for, what I assume, is information on "security" - I went back to the Gibson site, and did a "Shields Up" test again, this time, "everything" I could test, came back as "Stealth", and "Perfect", so I guess my firewall is set up to block and not report anything back that it shouldn't...

    As for the <defunct> and "zombie" processes - I looked at the man pages for ps, and it appears that "most" defunct processes are reported as such when a process "spawns" a subprocess, and doesn't properly shut down the subprocess correctly - then it becomes a zombie, or <defunct> -=- don't know why I get this with smail though??? Or, why when I kill the smail defunct process, the main process dies, then starts a new smail process and a <defunct> one, again???

    I think my security is ok now, thanks for the information as well, all I need now is this defunct zombie thing to be isolated why it happens...

    Ms. Cuddles
    ADDED:
    As a side note, I created a script called sysstat, runnable only by the root user, that performs a combination of system statistics, ps -auxw, netstat -natu, rpcinfo -p, and the users commands to stdout; I might change it to a file, and then maybe create a "program", either in Perl or Python, that interrogates the output against what is expected, and then outputs to stdout any discrepancies; like unknown users, defunct processes, established connections, etc... ( that SysAdmin book is paying off, considering the cost was around $45 USD; lots of the above commands, and command line options, were taken from its pages )
    END ADDED
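The "interrogate the output against what is expected" idea in the ADDED note is the useful half of a sysstat script: a dump of users and netstat is only worth reading if something compares it to a baseline for you. The script below is an added example, not Cuddles' script; it assumes the output formats of users (space-separated names) and net-tools netstat -natu (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State), and the EXPECTED_* lists and the sample users/netstat output are placeholders constructed for the demo, not real data from any host.

```sh
#!/bin/sh
# Added example (not from the thread): a baseline-and-diff version of the
# "sysstat" idea. Each check reads one command's output on stdin and prints
# only what deviates from what you expect, so a quiet run means nothing new.
# Output formats assumed: `users` (space-separated names) and net-tools
# `netstat -natu` (Proto Recv-Q Send-Q Local Foreign State). The EXPECTED_*
# values are placeholders; set them to what your own box should be doing.

EXPECTED_USERS='cuddles'
EXPECTED_LISTEN='tcp/22 tcp/25 udp/68'        # proto/port you intend to serve
EXPECTED_REMOTE_PORTS='21 25 80 110 113 443'  # ftp smtp http pop3 auth https: what the firewall lets out

# Constructed samples used for the demo run (not real output from any host).
SAMPLE_USERS='cuddles cuddles knoppix'
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:44321        198.51.100.7:80         ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:51812       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

in_list() {   # in_list WORD "a b c": true if WORD is one of the space-separated items
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

check_users() {          # stdin: `users` output; prints logins not in EXPECTED_USERS
    tr ' ' '\n' | sort -u | while read -r u; do
        if [ -n "$u" ] && ! in_list "$u" "$EXPECTED_USERS"; then
            echo "unknown user logged in: $u"
        fi
    done
}

check_listeners() {      # stdin: netstat -natu output; prints listeners not in EXPECTED_LISTEN
    awk '($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
             n = split($4, a, ":"); print $1 "/" a[n] }' |   # last ":" field = port (also ok for :::22)
    sort -u | while read -r l; do
        if ! in_list "$l" "$EXPECTED_LISTEN"; then
            echo "unexpected listener: $l"
        fi
    done
}

check_established() {    # stdin: netstat -natu output; flags sessions whose remote port you do not use
    awk '$6 == "ESTABLISHED" { n = split($5, a, ":"); print a[n], $4, $5 }' |
    while read -r port local remote; do
        if ! in_list "$port" "$EXPECTED_REMOTE_PORTS"; then
            echo "unexpected connection: $local <-> $remote (remote port $port)"
        fi
    done
}

# sysstat: run every check against the live system; silence means no deviation.
sysstat() {
    users | check_users
    netstat -natu 2>/dev/null | check_listeners
    netstat -natu 2>/dev/null | check_established
}

# Demo run on the constructed samples.
echo "$SAMPLE_USERS"   | check_users
echo "$SAMPLE_NETSTAT" | check_listeners
echo "$SAMPLE_NETSTAT" | check_established
```

On the sample the three checks report the stray "knoppix" login, the X server listening on tcp/6000 (the kind of thing a firewall hides from Shields Up but which still matters on a LAN), and the inbound ssh session from 203.0.113.9, which stands out because an established connection whose remote end is an ephemeral port rather than a service port you use is something that came in, not something you started.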

  4. #4
    Just a little information if you are interested in some of the ways that one may get around your firewall...

    Firstly, an attacker will need to gain access to your system through methods (known or unknown) in order to consistently go around your firewall... by this I mean, if the attacker gets in, he/she will need to then go through the clean up process so as you dont discover the actions in your logs. This is OK from the attackers point of view to have to do this once, but they dont want to have to do it every time.

    They may then implant a small shell application, similar to netcat, but maybe customised just for them.

    It is fairly easy to place data inside ping packets and many other types of packets that your firewall will see as "normal" traffic and therefore just let it go, but this is very difficult for you to detect unless you are really looking at it hard. As turbinater suggested, you may try ethereal which will enable you to drill right down to the heart of every packet.

    Try not to get too paranoid about it.. it can rule your life, but its good to see that you have noticed the rogue processes and are asking questions about it.

    A thought process that you may like to take into consideration is... I should also look at what is going out through my firewall and how I go about stopping it. Too many people are only concerned about what can come in....

    Good luck.
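The "data inside ping packets" point above is hard to see by eye but easy to screen for, because a stock ping has a fixed size: Linux ping sends 56 data bytes, so tcpdump reports an ICMP length of 64, and Windows sends 32 (length 40). Echo traffic at any other size, especially a steady stream of it, is the first thing to pull out of a capture. The filter below is an added example, not from the post; it assumes the one-line format of tcpdump -n icmp (trailing "length N" is the ICMP length) and runs here over tcpdump-style lines constructed for the demo, not a real capture. It is a size heuristic only: a tunnel that pads its packets to a standard ping size will pass it, which is why the post says detection is hard.

```sh
#!/bin/sh
# Added example (not from the thread): flag ICMP echo traffic whose size is
# not that of a stock ping, and total it per src > dst pair. Assumes the
# `tcpdump -n icmp` one-line format, e.g.
#   10:01:02.000001 IP 192.0.2.10 > 198.51.100.1: ICMP echo request, id 4242, seq 1, length 64
# where the trailing "length N" is the ICMP length (8-byte header + payload).

# Stock ping sizes: Linux 56 data bytes -> 64, Windows 32 -> 40.
ICMP_OK_LENGTHS='64 40'

# Constructed tcpdump-style lines for the demo; not a real capture.
SAMPLE_TCPDUMP='10:01:02.000001 IP 192.0.2.10 > 198.51.100.1: ICMP echo request, id 4242, seq 1, length 64
10:01:02.000900 IP 198.51.100.1 > 192.0.2.10: ICMP echo reply, id 4242, seq 1, length 64
10:01:03.000001 IP 192.0.2.10 > 203.0.113.5: ICMP echo request, id 1337, seq 1, length 1008
10:01:03.100001 IP 192.0.2.10 > 203.0.113.5: ICMP echo request, id 1337, seq 2, length 1008
10:01:03.200001 IP 192.0.2.10 > 203.0.113.5: ICMP echo request, id 1337, seq 3, length 1008
10:01:04.000001 IP 192.0.2.10 > 203.0.113.5: ICMP echo request, id 1337, seq 4, length 1008
10:01:05.000001 IP 203.0.113.5 > 192.0.2.10: ICMP echo reply, id 1337, seq 4, length 1008'

# flag_icmp: stdin = tcpdump lines; one "suspect" line per peer pair that sent
# echo packets of a non-standard size, with packet count and byte total.
flag_icmp() {
    awk -v ok="$ICMP_OK_LENGTHS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[a[i]] = 1 }
        /ICMP echo/ {
            len = $NF + 0                        # trailing "length N"
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (!(len in good)) { k = src " > " dst; bytes[k] += len; cnt[k]++ }
        }
        END {
            for (k in bytes)
                printf "suspect %s: %d packets, %d bytes of non-standard-size echo traffic\n", k, cnt[k], bytes[k]
        }'
}

# Demo run on the constructed lines.
echo "$SAMPLE_TCPDUMP" | flag_icmp
# Against a saved capture: tcpdump -n -r ping.pcap icmp | flag_icmp
```

The two stock 64-byte pings pass; the 1008-byte stream to 203.0.113.5 is reported in both directions. The post's closing advice about outbound traffic applies here too: a guarddog "receive" policy of nothing does not stop a program on your own box from being the side that sends these.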

  5. #5
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    I would start at the basics like checking which files are world writable with: find / -perm -2 -type f -print Especially pay attention to ones that are also executable.
    whowatch is another handy tool you can leave running in a shell.
    For rootkits you might want to run chkrootkit or install rkhunter which I prefer.

    Security is a difficult thing. As Mister_Dickens pointed out, it can rule your life, but it's also something I feel strongly about. Just think about last winter when the debian repositories were down due to having been hacked. Surely it's a lot more "glamorous" to hack debian than your homebox, but these were computers set up and checked by the people who understand/wrote the Securing Debian Manual...
    I'm sitting here behind a NATting/stealthed router, an IPtables script and not even cups running unless I need it, and feel confident about one thing only, if someone wants to hack into my computer, they will be able to. It's just a matter of time.
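The find / -perm -2 -type f -print check in the post above does the job, but on a live box it also wanders into /proc, and "pay attention to ones that are also executable" is something the script can decide for you. The function below is an added example, not the poster's command; it uses the symbolic form -perm -o+w (the same test as -perm -2), prunes /proc and /sys when scanning from /, and reads the mode from ls -ld rather than test -x, because test -x answers for the user running it (root gets "yes" for any file with any execute bit). The temporary files in the demo are created by the test, not taken from any real system.

```sh
#!/bin/sh
# Added example (not from the thread): the "find / -perm -2 -type f" check,
# with /proc and /sys pruned and each hit labelled by whether any execute bit
# is set. A world-writable file that is executed (by anyone, especially by a
# root cron job or init script) is the case to fix first.

# ww_files DIR: print one line per world-writable regular file under DIR.
ww_files() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
         -type f -perm -o+w -print 2>/dev/null |
    while read -r f; do
        mode=$(ls -ld -- "$f" | cut -c2-10)       # e.g. rwxrwxrwx
        case $mode in
            *[xs]*) echo "WORLD-WRITABLE+EXEC $f" ;;   # any x (or setuid/setgid s) bit
            *)      echo "world-writable $f" ;;
        esac
    done
}

# Live run (as root, to see everything):  ww_files /
# Fix: chmod o-w on each hit, then find out what wrote it that way.
```

A quiet run is normal on a stock Knoppix install; anything that does show up, and in particular anything under /etc, /usr or a directory on root's PATH, is worth checking against your package's intended mode before you tighten it.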
