listcomm@ml1.net wrote:
If a port is open, and associated with a program which isn't from a debian package and you don't believe you put it there yourself - it's time to consider the possibility your machine has been compromised.

Okay... that gives me an opening to try this again. At the risk of provoking the usual "WELL GO RUN WINDOWS THEN!!!" knee-jerk reaction, I will mention that the Gatesware-based firewall packages (like "Zone Alarm") will detect *outgoing* connection attempts and query whether they are legitimate. There has been some discussion on the net w/r/t the fact that apparently the later (per)versions of Gatesware have some "trojans" embedded in the OS, which will connect to Billsoft to report your social security number, sexual preference, etc. etc. - the point being that (allegedly) the commercial firewall products can't detect such attempts to "phone home".

In any case, I've as yet been unable to find any way of getting detection and authorization of outgoing requests with any of the Linux firewalls, or with IPtables - although I can hardly say that I've thoroughly done my homework - but I have asked here and there and thus far no one seems to know. The "Paradigm" seems to be that if it's something that got spawned on your machine, and is trying to connect outward, it by definition must be legitimate, so it gets granted a port, unless whatever port it is requesting is *already* explicitly blocked by "iptables" or whatever for some reason.
So what exactly are you worried about? A program uploading sensitive data to a random server? Well, the easiest way for a program to do that is to invoke sendmail to e-mail the information to the server. In which case the program never attempts to open a port, your m-t-a does. Your m-t-a opening a port is the most normal thing in the world. Or if for some reason you don't have your m-t-a properly configured, it could invoke ssh or lynx or ...
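The thread above asks whether a Linux firewall can detect and authorize outgoing connections per program, and the reply points out that a program can simply hand its data to the MTA. As an added example that is not part of either poster's message, the script below shows the nearest thing iptables offers: a default-deny egress chain with a per-uid allow-list (the `owner` match) and logging of everything else. The uid list, the chain name `EGRESS_CHECK` and the assumption that the MTA runs as user `postfix` are hypothetical; the `egress_decision` function simulates the chain's verdict without root so the sendmail caveat can be seen directly.

```shell
#!/bin/sh
# Added example, not code from the thread. A per-uid egress allow-list is the
# closest iptables comes to "authorizing" outgoing connections: new outbound
# connections are REJECTed unless the calling process runs as a listed uid,
# and everything rejected is logged so an unexpected caller shows up in dmesg.
#
# Hypothetical assumptions: the MTA runs as user "postfix", root (uid 0) does
# package fetches, and the interactive user is uid 1000.
ALLOWED_UIDS="0 1000 postfix"   # constructed allow-list, adjust for your box
CHAIN=EGRESS_CHECK

# run: print the command (dry run) unless APPLY=1, in which case execute it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# gen_egress_rules: emit (or apply) the chain. Dry-run output is reviewable
# before anything touches the kernel.
gen_egress_rules() {
    run iptables -N "$CHAIN" 2>/dev/null
    run iptables -F "$CHAIN"
    # Replies on connections already accepted are not re-decided.
    run iptables -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "$CHAIN" -o lo -j ACCEPT
    # The owner match keys on the uid of the socket's creator, not the binary,
    # so this is per-user, not per-program.
    for uid in $ALLOWED_UIDS; do
        run iptables -A "$CHAIN" -m owner --uid-owner "$uid" -j ACCEPT
    done
    run iptables -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "EGRESS-DENY: "
    run iptables -A "$CHAIN" -j REJECT --reject-with icmp-admin-prohibited
    # Remove any earlier jump first so re-running the script stays idempotent.
    run iptables -D OUTPUT -j "$CHAIN" 2>/dev/null
    run iptables -I OUTPUT -j "$CHAIN"
}

# egress_decision UID: what the chain above does with a NEW outbound connection
# from a process running as UID. Pure shell, so it needs no root or iptables;
# it compares tokens literally, so use the same spelling as in ALLOWED_UIDS.
egress_decision() {
    for uid in $ALLOWED_UIDS; do
        if [ "$1" = "$uid" ]; then
            echo ACCEPT
            return 0
        fi
    done
    echo REJECT
}

# Why the reply's sendmail point holds: a process running as "nobody" (65534)
# that opens a socket itself is rejected, but if it pipes the data into
# /usr/sbin/sendmail, the MTA later delivers it as "postfix", which is allowed.
#   egress_decision 65534    -> REJECT
#   egress_decision postfix  -> ACCEPT

if [ "${1:-}" = print ]; then
    gen_egress_rules
fi
```

Run `sh egress.sh print` to review the generated rules, and `APPLY=1 sh egress.sh print` as root to install them. The point the simulator makes is the one the reply makes in prose: the rule set gates the uid that opens the socket, so anything routed through an allowed daemon (the MTA, or an ssh or lynx invocation under an allowed user) is indistinguishable from legitimate traffic at the firewall.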