LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-26-2004, 12:38 AM   #1
robpom
LQ Newbie
 
Registered: Jul 2004
Posts: 27

Rep: Reputation: 15
Afraid I Have Been Compromised


I have discovered that there has been unauthorized usage of a username/password of mine on a bulletin board. My concern is that it is from an overseas domain name and therefore is not someone I know. The password is unique to this board, so therefore it would be hard to guess or have someone use from another site. I contacted the site and they suggested it could be a "password harvesting trojan"

I have a SuSE 9.1 dual boot with XP. I have SP2, Virus Protection up to date, Adaware, etc running on the XP side. I did a scan and everything appears to check out on the XP box.

My question is - where do I go from here on the Linux side? I have installed all the suggested SuSE updates.

Any help would be appreciated.

RP
 
Old 09-26-2004, 05:00 AM   #2
Baldrick65
Member
 
Registered: Aug 2003
Location: Dunedin NZ
Distribution: Mint 13 Cinnamon
Posts: 653

Rep: Reputation: 31
Well, for a start, I would install chkrootkit to see if your linux box has any rootkits installed.

Baldrick
 
Old 09-26-2004, 08:12 AM   #3
robpom
LQ Newbie
 
Registered: Jul 2004
Posts: 27

Original Poster
Rep: Reputation: 15
I did that - and got a lot of "not installed" "not detected" etc. The only question I had about it was when it came to:

Searching for suspicious files and dirs, it may take a while...

usr/lib/qt3/doc/examples/demo/qasteroids/sprites/.pbm /usr/lib/qt3/doc/examples/toplevel/.ui /usr/lib/qt3/doc/examples/help
demo/.ui /usr/lib/perl5/5.8.3/i586-linux-thread-multi/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/aut
o/Tk/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/DBI/.packlist /usr/lib/perl5/vendor_perl/5.8.3/
i586-linux-thread-multi/auto/PDA/Pilot/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Net/DNS/.pack
list /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/URI/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux
-thread-multi/auto/XML/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/ycp/.packlist /usr/lib
/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/DCOP/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-mult
i/auto/Date/Manip/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/HTML/Parser/.packlist /usr/lib/per
l5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/HTML/Tagset/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-m
ulti/auto/Gaim/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Mail/SpamAssassin/.packlist /usr/lib/
perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/RRDp/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi
/auto/RRDs/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Term/ReadKey/.packlist /usr/lib/perl5/ven
dor_perl/5.8.3/i586-linux-thread-multi/auto/Term/ReadLine/Gnu/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-m
ulti/auto/Text/Iconv/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Config/Crontab/.packlist /usr/l
ib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Digest/HMAC/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-th
read-multi/auto/Digest/SHA1/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Crypt/CBC/.packlist /usr
/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Crypt/DES/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-th
read-multi/auto/Crypt/Blowfish/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/UI/.packlist /u
sr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/Irc/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-
thread-multi/auto/Irssi/TextUI/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/.packlist /usr/
lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/SDL_perl/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thre
ad-multi/auto/Parse/RecDescent/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Inline/.packlist /usr
/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Locale/gettext/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Compress/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/grepmail/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/CDDB_get/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/libwww-perl/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/TimeDate/.packlist/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Xmms-Perl/.packlist /usr/lib/uemacs/.emacsrc.3.12 /usr/lib/uem

Is this normal? Is it supposed to list this long list? I have never used this program, so I was just wanting to make sure it wasn't showing me a list of compromised files or something in a cryptic way.

Since it doesn't appear that anything was comprised that this program checks for - where should I go from here? Somebody still got my password and I am not sure how.
 
Old 09-26-2004, 08:25 AM   #4
Baldrick65
Member
 
Registered: Aug 2003
Location: Dunedin NZ
Distribution: Mint 13 Cinnamon
Posts: 653

Rep: Reputation: 31
No, that seems normal. If it does detect anything, it will throw up a warning. Maybe one of the security gurus can provide more assistance.

Baldrick
 
Old 09-26-2004, 08:25 AM   #5
robpom
LQ Newbie
 
Registered: Jul 2004
Posts: 27

Original Poster
Rep: Reputation: 15
One other line I am not clear on:

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)


There was no comment listed after this - any ideas?

Thanks - I am new to Linux (but love it).
 
Old 09-26-2004, 09:58 AM   #6
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
the sniffer on eth0 dhcp is normal
 
Old 09-26-2004, 09:59 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
That is just the check for packet sniffers. It incorrectly identifed /bin/dhcpd as being a sniffer. This a very common false positive with chkrootkit and isn't anything to be concerned about. If you want to be very sure, you can verify the integrity of the package (with rpm -V <package_name>.
 
Old 03-29-2005, 01:40 AM   #8
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
also there is at least one more chkrootkit alternative you can verify with both
 
Old 03-30-2005, 06:47 PM   #9
penguinlnx
Member
 
Registered: Mar 2005
Location: Ice Station Alert AFB
Distribution: Gentoo
Posts: 166

Rep: Reputation: 30
You were more likely to have been compromised through the XP Operating system.
From there, anyone could have downloaded a program that can read a Linux file system,
if it is not encrypted....I would first to a complete checkout of your XP system.
 
Old 03-30-2005, 09:41 PM   #10
twilli227
Member
 
Registered: May 2003
Location: S.W. Ohio
Distribution: Ubuntu, OS X
Posts: 760

Rep: Reputation: 30
Quote:
I have discovered that there has been unauthorized usage of a username/password of mine on a bulletin board.
Are you sure it is not a problem with the bulletin board and not your system? Is the bulletin board patched and up to date?
Could be a problem on their end?
 
Old 03-30-2005, 11:14 PM   #11
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
I was thinking about the same I want my ext3 to be unreadable from windows because that way anyone could install hdd or boot cd or similar and open /root without a hintch how to crypt it?
 
Old 03-31-2005, 12:28 AM   #12
penguinlnx
Member
 
Registered: Mar 2005
Location: Ice Station Alert AFB
Distribution: Gentoo
Posts: 166

Rep: Reputation: 30
Afraid I have been compromised...

P.S. ..Its important to note that if you have been compromised,
messing around with your computer probably won't help.
What you need is to go to a hospital immediately, and let them
take samples, in case the culprit can be identified through DNA.
 
Old 03-31-2005, 12:50 AM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
This thread is over 5 months old now. Let's try to keep it on topic and refrain from posting unless you have something relevant to contribute.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Afraid to reboot after upgrade to 10.0 geomatt Slackware - Installation 7 07-28-2006 07:37 AM
Compromised? I can't tell. Chuck23 Linux - Security 11 02-15-2005 07:33 AM
need advice: will reinstall winxp, but afraid of hurting fc2 parv Fedora 4 09-26-2004 05:00 PM
ipupdate.pl (afraid.og) error ;( ilhbutshm Linux - Software 1 05-26-2004 07:26 AM
Am I compromised? dripter Linux - Security 5 01-27-2004 12:31 AM


All times are GMT -5. The time now is 05:14 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration