LinuxQuestions.org
Old 07-17-2004, 06:26 AM   #1
af_dave
Member
 
Registered: May 2004
Distribution: Slackware 9.1
Posts: 37

Rep: Reputation: 15
Been hacked; info needed


I just ran chkrootkit because I have suspected for a while that I've been hacked.

Checking `lkm'... You have 47 process hidden for readdir command
You have 47 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)


Until I can track down who did this and review the logs, can anyone give me any information on this Trojan...default file names or what have you.


I noticed that on some files, in particular my webcam server files and anything of interest, the users and groups were changed. They were changed to numerical users/groups.

This might explain why my Windows machine can't be booted properly. I suspect they may have deleted some files, but left the data.
 
Old 07-17-2004, 06:31 AM   #2
af_dave
Member
 
Registered: May 2004
Distribution: Slackware 9.1
Posts: 37

Original Poster
Rep: Reputation: 15
Also in my /tmp I have some anomalies... does this look like anything to you guys?

total 3424
drwxrwxrwt 15 root root 4096 Jul 17 20:22 ./
drwxr-xr-x 20 root adm 4096 Jul 15 19:57 ../
-rw-r--r-- 1 david david 1590 Jun 28 20:15 AZU12831.tmp
-rw-r--r-- 1 david david 2361 Jul 9 15:35 AZU9692.tmp
-rw-r--r-- 1 david david 3422118 Jul 9 15:39 Azureus2.1.0.4.jar
srwx------ 1 root nogroup 0 Jul 15 19:58 .fam_socket=
drwxrwxrwt 2 xfs xfs 4096 Jul 15 19:57 .font-unix/
drwx------ 3 david david 4096 Jul 15 19:58 gconfd-david/
drwx------ 2 root root 4096 Jul 7 17:21 gconfd-root/
drwxr-xr-x 2 david david 4096 Jul 17 20:30 hsperfdata_david/
drwxr-xr-x 2 root root 4096 Jul 10 16:24 hsperfdata_root/
drwxrwxrwt 2 root root 4096 Jul 17 14:46 .ICE-unix/
drwx------ 2 david david 4096 Jul 15 20:00 kde-david/
drwx------ 2 root root 4096 Jul 17 14:45 kde-root/
drwx------ 2 david david 4096 Jul 17 20:31 ksocket-david/
drwx------ 2 root root 4096 Jul 17 14:46 ksocket-root/
drwx------ 3 david david 4096 Jul 15 19:58 mcop-david/
drwx------ 2 root root 4096 Jun 21 20:21 scrollkeeper-root/
-r--r--r-- 1 root david 11 Jul 15 19:58 .X0-lock
drwxrwxrwt 2 root david 4096 Jul 15 19:58 .X11-unix/
-rw------- 1 root root 58 Jul 17 20:07 xauth.XXXXniF75f
 
Old 07-17-2004, 07:11 AM   #3
af_dave
Member
 
Registered: May 2004
Distribution: Slackware 9.1
Posts: 37

Original Poster
Rep: Reputation: 15
I found these in my apache logs. I was testing some things with apache and had it open for a few days.

61.42.74.111 - - [03/Jul/2004:22:04:14 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 391 "-" "-"


18.80.230.150 - - [02/Jul/2004:13:58:58 -0400] "CONNECT 64.156.215.18:25 HTTP/1.1" 403 399 "-" "-"
 
Old 07-17-2004, 07:14 PM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,082

Rep: Reputation: 299Reputation: 299Reputation: 299
The first entry from your Webserver log is just an IIS Code Red exploit attempt, not the source of your problem. Your /tmp files don't show anything that to me immediately looks out of place. But the chkrootkit result is troubling. Until you can get a handle on things, you should disconnect the machine from the Internet (the dhclient PF_PACKET is probably a false positive -- unless you don't intend to be using DHCP on that interface). How long do you feel you've been hacked? If the event occurred more than a few weeks ago, then the relevant log(s) will have been overwritten, assuming the cracker didn't just whitewash them himself. In any case: when you disconnect the machine look for new/strange accounts, particularly with UID 0. Ultimately, though, I think you'll have to reinstall the OS from known good media.

An LKM trojan is particularly insidious because it runs as part of the Linux kernel proper, making it tough to detect. As you can see, there are processes running on your system that are hidden from the ps command -- that's not good. One of these processes may be giving a root shell to anyone who connects to a particular port or doing something equally nasty. You shouldn't take chances -- disconnect the box and try to see if you can figure out who did this, back up any important data (and be sure to check it and don't back up any executables or odd looking files/scripts; you don't want to back up any of the intruder's stuff and put it on your new install), reinstall, and apply ALL relevant security patches before connecting the machine back.
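Two of the checks discussed in this thread, the chkrootkit "process hidden for ps command" comparison and btmiller's advice to look for extra UID 0 accounts, can be reproduced in a few lines of plain sh. This is an added example, not code from the thread or from chkrootkit; the passwd lines it reads are constructed, and on a real box you would run it from known-good media since a trojaned ps or awk makes any on-host result suspect.

```shell
#!/bin/sh
# Added example (not from the thread or chkrootkit): re-create the "lkm"
# cross-check and the UID-0 account audit in POSIX sh.

# List PIDs that exist as /proc entries but do not appear in ps output.
# This is the same comparison behind chkrootkit's "process hidden for ps
# command" warning. The thread found Opera/Azureus produced such hits, so
# every PID reported here needs a manual look (cat /proc/PID/status)
# before it is treated as a rootkit.
hidden_pids() {
    ps_pids=$(ps -e -o pid= | tr -d ' ' | sort -n)
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # A process that exited between the two listings is a race, not a hide.
        [ -d "$d" ] || continue
        echo "$ps_pids" | grep -qx "$pid" || echo "$pid"
    done
}

# Read passwd-format lines on stdin and print every UID-0 account other
# than root. A second UID-0 login is a classic intruder persistence move,
# and the file is plain text, so this check does not depend on ps/netstat.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Constructed sample passwd (not from the thread); on a real system use
#   extra_uid0_accounts < /etc/passwd
echo "UID-0 accounts besides root in the sample:"
extra_uid0_accounts <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
david:x:1000:1000:David:/home/david:/bin/bash
toor:x:0:0::/:/bin/sh
EOF

if command -v ps >/dev/null 2>&1; then
    echo "PIDs present in /proc but absent from ps (review each by hand):"
    hidden_pids
fi
```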
 
Old 07-18-2004, 10:34 PM   #5
comp12345
Member
 
Registered: Feb 2004
Posts: 467

Rep: Reputation: 30
chkrootkit is not always reliable. On my system, when apache2 is running, it shows up as a hidden process.
 
Old 07-19-2004, 12:00 AM   #6
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
Try running rkhunter.

#netstat -pl

will give you a list of processes that are listening. BUT, if your system is compromised, the output may not be showing you the exact state.
 
Old 07-19-2004, 12:29 AM   #7
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Fedora 8, Centos 5.1
Posts: 480

Rep: Reputation: 30
I've had a similar problem and I was running Azureus, and I think that accounted for maybe 20 of my hidden processes. After bed, I'll have to consider whether or not to reinstall, but if rkhunter isn't showing anything later on I'll probably leave it for the minute.

On the same topic, is it possible to just rebuild a new kernel using new source, and copy over the /bin and /sbin files from another system that hasn't been compromised?
 
Old 07-19-2004, 01:02 AM   #8
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
Quote:
On the same topic, is it possible to just rebuild a new kernel using new source, and copy over the /bin and /sbin files from another system that hasn't been compromised?
Can ... but how can you be sure that the attacker's tools are not lying around elsewhere on your disks and that there are no access points that would enable the attacker to regain control of your system?

Last edited by ppuru; 07-19-2004 at 01:07 AM.
 
Old 07-19-2004, 03:18 AM   #9
af_dave
Member
 
Registered: May 2004
Distribution: Slackware 9.1
Posts: 37

Original Poster
Rep: Reputation: 15
I re-installed, and Opera / Azureus were the source of the ps's.

Does anyone have a good tutorial on Tripwire? I'll be keeping it up to date first this time.