Chinese IP connected to localhost. Virus alert? Or bug?
#1

[eluser]conradk[/eluser]
Hello guys :)

I am using CodeIgniter for a PHP project. But today, something weird happened.

The IP 210.42.74.40 seems to have been on my local CodeIgniter installation. It appears in the sessions table of my MySQL DB. I am using Nginx 1.0.5 on Ubuntu 11.10, up to date with the latest patches. The IP seems to be located in China, apparently.

The Session line in DB:
Code:
77e093b450d6e4a5df9981b5a848a72a 210.42.74.40 0 1327422670

Does that mean I have a virus? Should I completely wipe my hard drives and reinstall Linux?

I have a bunch of important passwords stored on my HDD, including SSH passphrases, etc. What are your suggestions?

If this is due to a possible malware, what firewall / antivirus would you suggest ?

Thanks for your help!
I don't quite know what to do.
#2

[eluser]WanWizard[/eluser]
How is your PC configured?

Iptables installed and running? Is Nginx accessible from the outside (i.e. does it listen on whatever IP address is configured on the eth0 or wlan0 interface)? Did you connect to the internet today?

It could simply be an IP sweep, trying to connect to port 80 of an entire range of IP's. If your local machine isn't properly protected, this can happen...
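The question WanWizard is asking is answered by the bind address of each listening socket, not by the hostname in the nginx config. The following is an added example, not code from any poster in this thread: it reads `ss -tlnp` output and prints only the sockets bound to a wildcard address, which are the ones another host can reach. `SAMPLE_SS` is constructed to mirror the setup described in the thread (nginx on port 80, php-fpm on 9000); the pids and the sshd line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list listening TCP sockets that are bound
# to every interface and so reachable from other hosts. Input is the output of
# `ss -tlnp`. SAMPLE_SS below is constructed to mirror the thread's setup; the
# pids, the mysqld line and the sshd line are assumptions.

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1234,fd=6))
LISTEN  0       128     127.0.0.1:9000      0.0.0.0:*          users:(("php5-fpm",pid=1300,fd=0))
LISTEN  0       50      127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1100,fd=10))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=900,fd=3))'

# Reads ss output on stdin; prints "address:port process" for every LISTEN
# socket whose bind address is a wildcard (0.0.0.0, ::, [::] or *). Sockets
# bound to 127.0.0.1 can only be reached from the machine itself and are not
# printed. Older ss versions print the IPv6 wildcard as ":::22"; that case is
# covered by the "::" comparison.
exposed_listeners() {
  awk '$1 == "LISTEN" {
         addr = $4
         sub(/:[0-9]+$/, "", addr)      # drop ":port", keep the bind address
         if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
           print $4, ($6 != "" ? $6 : "-")
       }'
}

# Number of exposed sockets: a quick "is anything open at all?" check.
exposed_count() {
  exposed_listeners | awk 'END { print NR }'
}

# Stand-alone demo on the constructed sample. On a real host run:
#   ss -tlnp | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the sample this prints the nginx and sshd sockets and nothing for php-fpm or mysqld. For nginx the direct fix is a `listen 127.0.0.1:80;` line in the server block: when a server block has no `listen` directive, nginx binds `*:80` (all interfaces) if it was started with superuser privileges, which is exactly the situation an address sweep picks up.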
#3

[eluser]conradk[/eluser]
Iptables is installed, but I haven't changed the default settings, so it could just be doing nothing atm.

I did connect to the internet. I was on Skype when the Chinese IP connected.

Here's my server's config file. I guess the root doesn't deny all :-/
Code:
server {
    # No "listen" directive: nginx falls back to *:80 when started as root,
    # i.e. it accepts connections on every interface, not only 127.0.0.1.
    # "server_name localhost" does not restrict that: as the only server block
    # it is also the default server for the port, so any Host header lands here.
    root /home/anon/prog/web/www;
    index index.php;
    server_name localhost;

    location / {
        try_files $uri $uri/ /index.php;
    }

    # Directory listing of /usr/share/doc, allowed for the machine itself only.
    location /doc {
        root /usr/share;
        autoindex on;
        allow 127.0.0.1;
        deny all;
    }

    location /images {
        root /usr/share;
        autoindex off;
    }

    # Hand .php requests to PHP-FPM listening on the loopback port.
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

I'm not that good with Linux yet :-/ Is there a way to know what else this IP did on my computer?

Thanks for your response.

EDIT: I've set up Iptables now :) Thanks for the tip!
#4

[eluser]WanWizard[/eluser]
Difficult. Go through your logfiles and see if you see something odd. Check your processes, anything odd running? Run a file system check for all changed files in the last 24 hours (find . -mtime -1 -print) and see if there is something odd.

Usually these fly-by guys look for application level weaknesses or Windows systems, but you can never rule out they got in.

As for your firewall: for normal workstations, no incoming connections should be allowed.

This is my default rulebase:
Code:
# replies to connections this host opened itself
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ping and ICMP error messages
-A INPUT -p icmp -j ACCEPT
# everything on the loopback interface (nginx -> php-fpm on 127.0.0.1:9000 needs this)
-A INPUT -i lo -j ACCEPT
# anything else inbound is refused with an ICMP error instead of being silently dropped
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
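The three checks in the post above (logs, processes, recently changed files) can be started from the one hard fact in the thread: the fourth column of the posted session row, 1327422670, is CodeIgniter's `last_activity` Unix timestamp, which is 2012-01-24 16:31:10 UTC and tells you which window of the nginx access log to read. The following is an added example, not code from any poster in this thread. `SAMPLE_LOG` is a constructed nginx access log in the default "combined" format (the real file on Ubuntu is /var/log/nginx/access.log); the paths and status codes in it are assumptions, not data from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a first pass over the evidence WanWizard
# lists. SAMPLE_LOG is a constructed nginx access log in "combined" format;
# the requested paths and status codes are assumptions.

SUSPECT=210.42.74.40

SAMPLE_LOG='127.0.0.1 - - [24/Jan/2012:17:30:01 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
210.42.74.40 - - [24/Jan/2012:17:31:10 +0100] "GET / HTTP/1.1" 200 612 "-" "-"
210.42.74.40 - - [24/Jan/2012:17:31:11 +0100] "GET /doc/ HTTP/1.1" 403 168 "-" "-"
210.42.74.40 - - [24/Jan/2012:17:31:11 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 168 "-" "-"
127.0.0.1 - - [24/Jan/2012:17:40:22 +0100] "GET /index.php/welcome HTTP/1.1" 200 2301 "-" "Mozilla/5.0"'

# CodeIgniter stores last_activity as a Unix timestamp; convert the one from the
# session row to UTC so you know which part of the log to read.
epoch_to_utc() {
  date -u -d "@$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null \
    || date -u -r "$1" '+%Y-%m-%d %H:%M:%S'        # BSD date fallback
}

# Reads an access log on stdin; prints "status method path" for every request
# from the IP given as $1, then a total. In combined format $1 is the client,
# $6 the quoted method, $7 the path and $9 the status code.
hits_from_ip() {
  awk -v ip="$1" '
    $1 == ip { n++; sub(/^"/, "", $6); print $9, $6, $7 }
    END      { print n + 0, "request(s) from", ip }'
}

# Files under the given directories modified in the last HOURS hours: the
# "find . -mtime -1" idea, in minutes and without crossing into /proc, /sys
# or other mounts. Usage: recently_changed HOURS DIR...
recently_changed() {
  hours=$1; shift
  find "$@" -xdev -type f -mmin "-$((hours * 60))" -print 2>/dev/null
}

# Stand-alone demo on the constructed data.
echo "session last_activity 1327422670 = $(epoch_to_utc 1327422670) UTC"
printf '%s\n' "$SAMPLE_LOG" | hits_from_ip "$SUSPECT"
```

On a real box run `hits_from_ip 210.42.74.40 < /var/log/nginx/access.log` and `recently_changed 24 / | grep -v -e '^/var/log' -e '^/home/.*/\.cache'` to cut the noise. A handful of 403/404 probes at unrelated paths is the signature of the address sweep WanWizard describes; a 200 on something other than the front page, or a POST, is what would justify treating the machine as compromised.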
#5

[eluser]conradk[/eluser]
Thanks a lot for your help.

Here's what I set up in Iptables:
Code:
-P INPUT DROP
# loopback has to be allowed explicitly under a DROP policy, otherwise nginx's
# FastCGI connection to php-fpm on 127.0.0.1:9000 is dropped on the way back in
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT

That should REJECT anything coming from the outside, right?

Nothing seems weird in the processes. Also, I ran the find command as you said. There seems to be nothing weird. I'm not an expert, sadly, but it seems alright. Everything runs smoothly as well.
#6

[eluser]CroNiX[/eluser]
I'd install and run Rootkit Hunter (rkhunter), and also have it run nightly with cron. System files (like "find") can be modified by the hacker to hide the hacker's trail... if this was a hacker.
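The point above, that the tools you investigate with may themselves have been replaced, is what a file-integrity baseline answers. The following is an added example, not code from any poster in this thread: it hashes a set of binaries while the machine is still trusted and compares them later with `sha256sum -c`, which is the manual version of what rkhunter's file-properties check does. The scratch directory and file names in the demo are constructed; on a real box the arguments would be /bin, /sbin, /usr/bin and /usr/sbin.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal integrity baseline for system
# binaries. Take the baseline once while the box is trusted, keep the hash
# list somewhere the machine cannot rewrite (USB stick, another host), and
# compare later. The demo directory and file names are constructed.

# take_baseline DIR... > hashes.sha256   (absolute paths, so verify from any cwd)
take_baseline() {
  find "$@" -type f -print0 2>/dev/null | xargs -0 sha256sum
}

# verify_baseline hashes.sha256: prints "path: FAILED" for each changed or
# missing file; exit status 1 if anything differs, 0 if every hash matches.
verify_baseline() {
  sha256sum -c --quiet "$1" 2>/dev/null
}

# Stand-alone demo in a scratch directory standing in for /bin.
demo_tamper() {
  d=$(mktemp -d)
  printf 'real ls\n'   > "$d/ls"
  printf 'real find\n' > "$d/find"
  take_baseline "$d" > "$d.sha256"
  printf 'trojaned find\n' > "$d/find"        # simulate a replaced binary
  if verify_baseline "$d.sha256"; then
    echo "no changes"
  else
    echo "tampering detected"                  # printed after ".../find: FAILED"
  fi
}

demo_tamper
```

The check is only as good as the `sha256sum` and `find` that run it, which is the caveat CroNiX raises: if a rootkit is suspected, run the comparison from a live CD or with binaries copied from a known-good machine, and keep the hash list off the box.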
#7

[eluser]conradk[/eluser]
Thanks :) I'm gonna have a look at Rootkit Hunter!
