[SATLUG] Need some help...

Daniel J. Givens daniel at rugmonster.org
Thu Sep 27 21:06:47 CDT 2007 

Ed wrote:
> I don't recall Seahorse.  Is that an Ubuntu/Debian function?

It's the menu item Applications -> Accessories -> Passwords and
Encryption Keys. It's an app installed by default with standard
Ubuntu and may or may not be included as a startup application by
default. I don't remember and I'm running Xubuntu at the moment, so I
can't look and see.

> Ok...  Here's mine:
<snip>

Nothing out of the ordinary, but that would be expected. I would be
shocked to see if it was listed there. Doesn't hurt to look though.

> I'm also seeing 169.254.10.251, which suggests ICS, but I haven't set
> that up...

That's Avahi, an app that provides zeroconf networking services. I hate
that thing. It's installed by default with Ubuntu and mostly useless to
me. It's chatty and can get in the way of other network resources. Give
me a year and I'll probably have changed my mind, but this is today and
I don't like it.

> Ok...  1. I've downloaded and installed both root kit packages via
> Synaptic package manager.  Is there a GUI location for them?

Not that I know of. They're run a lot of times in cronjobs on a daily
basis with results being sent to a configured email address.

> From the command line:
> 
> Faq suggested command (I loaded the Ubuntu 6.10 live disk in CDROM):
> # ./chkrootkit -p /cdrom/bin

Try that without "./". That tells your shell to look in the current
directory rather than consider your $PATH.

>>>> $ sudo netstat -ancp46 --ip | tee netstat.log
>>>>       
> Ok...  This one runs forever, and won't let me copy it.  Where does it
> store its log?

Where ever you run that command, it will create the file netstat.log.
The reason it runs forever is because the -c flag on netstat makes it
continuously check once every second until you stop it with a kill or
Ctrl+C.

If you have an idea of what you're looking for, just search for it using
grep or open the log in gedit and use the search tool. You'll get a lot
of stuff you don't care about. If you can identify something from your
firewall logs in particular, you can use that to start with for
searching. Remember, you're looking for the process that is opening the
connection.

Seeing that you have Avahi running, I really think the stuff you are
seeing is traffic generated by that. I wouldn't take that as gospel
until you've confirmed or eliminated that hunch.

Regards,
Daniel

More information about the SATLUG mailing list