LinuxQuestions.org - Linux - Security - Afraid I Have Been Compromised (https://www.linuxquestions.org/questions/linux-security-4/afraid-i-have-been-compromised-235270/)

robpom 09-26-2004 12:38 AM

Afraid I Have Been Compromised

I have discovered that there has been unauthorized usage of a username/password of mine on a bulletin board. My concern is that it is from an overseas domain name and therefore is not someone I know. The password is unique to this board, so therefore it would be hard to guess or have someone use from another site. I contacted the site and they suggested it could be a "password harvesting trojan".

I have a SuSE 9.1 dual boot with XP. I have SP2, Virus Protection up to date, Adaware, etc running on the XP side. I did a scan and everything appears to check out on the XP box.

My question is - where do I go from here on the Linux side? I have installed all the suggested SuSE updates.

Any help would be appreciated.

RP

Baldrick65 09-26-2004 05:00 AM

Well, for a start, I would install chkrootkit to see if your linux box has any rootkits installed.

Baldrick

robpom 09-26-2004 08:12 AM

I did that, and got a lot of "not installed", "not detected", etc. The only question I had about it was when it came to:

Searching for suspicious files and dirs, it may take a while...

/usr/lib/qt3/doc/examples/demo/qasteroids/sprites/.pbm
/usr/lib/qt3/doc/examples/toplevel/.ui
/usr/lib/qt3/doc/examples/helpdemo/.ui
/usr/lib/perl5/5.8.3/i586-linux-thread-multi/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Tk/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/DBI/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/PDA/Pilot/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Net/DNS/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/URI/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/XML/Parser/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/ycp/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/DCOP/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Date/Manip/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/HTML/Parser/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/HTML/Tagset/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Gaim/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Mail/SpamAssassin/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/RRDp/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/RRDs/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Term/ReadKey/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Term/ReadLine/Gnu/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Text/Iconv/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Config/Crontab/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Digest/HMAC/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Digest/SHA1/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Crypt/CBC/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Crypt/DES/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Crypt/Blowfish/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/UI/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/Irc/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/TextUI/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/SDL_perl/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Parse/RecDescent/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Inline/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Locale/gettext/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Compress/Zlib/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/grepmail/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/CDDB_get/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/libwww-perl/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/TimeDate/.packlist
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Xmms-Perl/.packlist
/usr/lib/uemacs/.emacsrc.3.12
/usr/lib/uem

Is this normal? Is it supposed to list this long list? I have never used this program, so I was just wanting to make sure it wasn't showing me a list of compromised files or something in a cryptic way.

Since it doesn't appear that anything was compromised that this program checks for, where should I go from here? Somebody still got my password and I am not sure how.

Baldrick65 09-26-2004 08:25 AM

No, that seems normal. If it does detect anything, it will throw up a warning. Maybe one of the security gurus can provide more assistance.

Baldrick

robpom 09-26-2004 08:25 AM

One other line I am not clear on:

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)

There was no comment listed after this - any ideas?

Thanks - I am new to Linux (but love it).

DrNeil 09-26-2004 09:58 AM

The sniffer on eth0 dhcp is normal.

Capt_Caveman 09-26-2004 09:59 AM

That is just the check for packet sniffers. It incorrectly identified /bin/dhcpd as being a sniffer. This is a very common false positive with chkrootkit and isn't anything to be concerned about. If you want to be very sure, you can verify the integrity of the package (with rpm -V <package_name>).
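One way to act on that rpm -V advice, as an added example that is not from the thread: a small POSIX shell helper that decodes the status field rpm -V prints for each changed file, plus a wrapper that looks up the package owning a binary and explains its changed files. The sample lines, file paths and the name of the helper are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: decode `rpm -V` status lines so a
# chkrootkit hit such as "eth0: PF_PACKET(/sbin/dhcpcd)" can be checked
# against the RPM database. Sample lines and paths below are constructed.
# Each rpm -V line starts with an 8- or 9-column status field ("." means
# the attribute matches the database, "?" means it could not be tested),
# optionally a file-type letter (c = config file), then the path.
# "missing" means the file is gone.

# Meaning of one status letter; returns 1 for "." so it is skipped.
flag_name() {
    case "$1" in
        S) echo size ;;        M) echo mode ;;
        5) echo digest ;;      D) echo device ;;
        L) echo symlink ;;     U) echo user ;;
        G) echo group ;;       T) echo mtime ;;
        P) echo capabilities ;;
        '?') echo untestable ;;
        *) return 1 ;;
    esac
}

# explain_rpm_verify 'S.5....T.  /sbin/dhcpcd'  ->  size,digest,mtime
explain_rpm_verify() {
    rest=${1%% *}                       # status field (first token)
    [ "$rest" = missing ] && { echo missing; return 0; }
    out=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}           # first character
        rest=${rest#?}
        name=$(flag_name "$c") && out="${out:+$out,}$name"
    done
    echo "${out:-unchanged}"
}

# On a real RPM system: find the owning package and explain each changed
# file. A changed digest ("5") on a binary means it was replaced; mtime
# alone is usually a benign update. rpm itself can be trojaned by a
# rootkit, so for real confidence verify from known-good media.
check_binary() {
    pkg=$(rpm -qf "$1") || { echo "$1: not owned by any package"; return 1; }
    rpm -V "$pkg" | while read -r line; do
        printf '%s: %s\n' "${line##* }" "$(explain_rpm_verify "$line")"
    done
}

# Constructed demonstration lines (what rpm -V might print):
printf '%s\n' 'S.5....T.  /sbin/dhcpcd' '.......T.  c /etc/dhcpcd.conf' |
while read -r line; do
    printf '%s: %s\n' "${line##* }" "$(explain_rpm_verify "$line")"
done
```

On a live system, `check_binary /sbin/dhcpcd` runs the real lookup; the top-level loop only decodes the constructed lines.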

johnnydangerous 03-29-2005 01:40 AM

Also, there is at least one more chkrootkit alternative; you can verify with both :)

penguinlnx 03-30-2005 06:47 PM

You were more likely to have been compromised through the XP operating system. From there, anyone could have downloaded a program that can read a Linux file system, if it is not encrypted.... I would first do a complete checkout of your XP system.

twilli227 03-30-2005 09:41 PM

Quote:

I have discovered that there has been unauthorized usage of a username/password of mine on a bulletin board.

Are you sure it is not a problem with the bulletin board and not your system? Is the bulletin board patched and up to date? Could be a problem on their end?

johnnydangerous 03-30-2005 11:14 PM

I was thinking about the same. I want my ext3 to be unreadable from Windows, because that way anyone could install the HDD or boot a CD or similar and open /root without a hitch :) How to encrypt it?

penguinlnx 03-31-2005 12:28 AM

Afraid I have been compromised...

P.S. It's important to note that if you have been compromised, messing around with your computer probably won't help. What you need is to go to a hospital immediately, and let them take samples, in case the culprit can be identified through DNA.

Capt_Caveman 03-31-2005 12:50 AM

This thread is over 5 months old now. Let's try to keep it on topic and refrain from posting unless you have something relevant to contribute.

