LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
07-12-2004, 08:58 PM   #1
af_dave (Member; Registered: May 2004; Distribution: Slackware 9.1; Posts: 37)
Have I been hacked?


I ran chkrootkit and found the following:
Checking `amd'... not found
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)

Then I ran nmap and found the following:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-13 10:55 EDT
Host localhost (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against localhost (127.0.0.1) at 10:55
Adding open port 952/tcp
Adding open port 445/tcp
Adding open port 139/tcp
Adding open port 908/tcp
Adding open port 111/tcp
Adding open port 2049/tcp
Adding open port 25/tcp
Adding open port 6000/tcp
The SYN Stealth Scan took 2 seconds to scan 1659 ports.
Interesting ports on localhost (127.0.0.1):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
908/tcp open unknown
952/tcp open unknown
2049/tcp open nfs
6000/tcp open X11


I have shorewall installed, and just a few weeks ago I installed tripwire.
 
07-12-2004, 09:05 PM   #2
Capt_Caveman (Senior Member; Registered: Mar 2003; Distribution: Fedora; Posts: 3,658)
I've seen dhclient set off the PF_PACKET check before. The others are common false alarms as well. Try using netstat -pantu to check what ports are really open (doing an nmap of localhost, aka 127.0.0.1, doesn't tell you much that's useful), or nmap the machine from a remote host. If you have tripwire installed, go ahead and run a check.
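The triage Capt_Caveman describes (trust netstat -pantu over an nmap of 127.0.0.1, then look at what is really listening) can be scripted so the interesting lines fall out of the listing instead of being read by eye. The script below is an added example, not code from the thread: it parses the net-tools netstat column layout, lists every listening socket with its bind address and owning process, flags listeners reachable from the network that netstat could not attribute to a process (shown as "-", which on a root-run netstat usually means a kernel-owned socket such as the in-kernel NFS server, and on a non-root run means somebody else's process), and compares the set of listeners against an allowlist of what you believe should be running. The SAMPLE_NETSTAT listing and the allowlist are constructed for the example; on a live host you would feed it "$(netstat -pantu)" run as root.

```shell
#!/bin/sh
# Added example: triage of `netstat -pantu` output. The listing below is a
# constructed sample in the net-tools column layout, not the poster's real one.
# Run as root on a live host:  listeners "$(netstat -pantu)"
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3390/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2808/portmap
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3899/X
tcp        0      0 192.0.2.10:38821        198.51.100.7:80         ESTABLISHED 6419/opera
tcp6       0      0 :::22                   :::*                    LISTEN      1201/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2748/dhclient'

# One line per listening socket: proto, bind address, port, PID/program.
# UDP lines carry no State column, so the owner is field 6 for udp, 7 for tcp.
# Header lines are dropped because their first field is not tcp/udp.
listeners() {
    printf '%s\n' "$1" | awk '
        ($1 ~ /^tcp6?$/ && $6 == "LISTEN") || $1 ~ /^udp6?$/ {
            owner = ($1 ~ /^tcp/) ? $7 : $6
            addr = $4; sub(/:[^:]*$/, "", addr)   # strip ":port"; ":::22" -> "::"
            port = $4; sub(/.*:/, "", port)
            print $1, addr, port, owner
        }'
}

# Listeners bound to a non-loopback address that netstat could not map to a
# process ("-"). These are the ones to resolve with lsof/fuser as root.
unattributed_exposed() {
    listeners "$1" | awk '$2 != "127.0.0.1" && $2 != "::1" && $4 == "-"'
}

# unexpected_listeners NETSTAT_OUTPUT "proto/port proto/port ..."
# Everything listening that is not on your allowlist of known services.
unexpected_listeners() {
    listeners "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { k = $1 "/" $3; if (!(k in ok)) print }'
}

echo "== exposed listeners with no owning process =="
unattributed_exposed "$SAMPLE_NETSTAT"
echo "== listeners not on the allowlist =="
unexpected_listeners "$SAMPLE_NETSTAT" "tcp/25 tcp/111 tcp/2049 tcp6/22 udp/68"
```

In the sample, the allowlist deliberately omits X11, so tcp/6000 bound to 0.0.0.0 is reported alongside the unexplained tcp/32769; both are exactly the kind of line you then hand to lsof or fuser for a process name. A listener that is present but not in your allowlist is not proof of compromise, but it is the only category worth spending triage time on.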
 
07-14-2004, 04:06 AM   #3
af_dave (Original Poster; Member; Registered: May 2004; Distribution: Slackware 9.1; Posts: 37)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN 3174/xinetd
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:962 0.0.0.0:* LISTEN 2900/rpc.statd
tcp 0 0 0.0.0.0:869 0.0.0.0:* LISTEN 3234/rpc.mountd
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 3390/master
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 3505/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2808/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 3899/X
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3390/master
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 3505/smbd
tcp 0 0 61.34.52.101:38821 211.53.215.168:80 ESTABLISHED 6419/opera
tcp 0 0 61.34.52.101:38851 216.239.57.104:80 ESTABLISHED 6419/opera
tcp 0 0 61.34.52.101:32778 205.188.5.224:5190 ESTABLISHED 4123/gaim
tcp 1 0 61.34.52.101:38845 207.44.182.114:80 CLOSE_WAIT 6419/opera
tcp 0 0 61.34.52.101:38861 64.70.61.129:80 ESTABLISHED 6419/opera
udp 0 0 0.0.0.0:32768 0.0.0.0:* -
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 61.34.52.101:137 0.0.0.0:* 3515/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 3515/nmbd
udp 0 0 61.34.52.101:138 0.0.0.0:* 3515/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 3515/nmbd
udp 0 0 0.0.0.0:956 0.0.0.0:* 2900/rpc.statd
udp 0 0 0.0.0.0:959 0.0.0.0:* 2900/rpc.statd
udp 0 0 0.0.0.0:68 0.0.0.0:* 2748/dhclient
udp 0 0 0.0.0.0:866 0.0.0.0:* 3234/rpc.mountd
udp 0 0 0.0.0.0:111 0.0.0.0:* 2808/portmap


I'm worried because for about a week my firewall was misconfigured, and I installed tripwire after it, even though I am running a fully patched (that I know of, anyway) Mandrake 10 machine.
 
07-14-2004, 02:02 PM   #4
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55)
Filesystem integrity tools should be installed *before* connecting a box to a network, anything else kinda defeats their purpose. Your network stats don't show anything weird except something listening on high ports. Take the port and try "lsof -lMnP -i tcp:2049" or "fuser -n tcp 2049" to see process info.

Checking `ldsopreload'... can't exec ./strings-static, not tested
...so you didn't compile chkrootkit's binary helpers, or didn't install chkrootkit as it should be.
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Like CC already said, it's an FP. DHCP clients usually are (of course this assumes /sbin/dhclient is a legitimate binary: something you can't tell from the name, but from the MD5/SHA1sum your distro (should) provide).
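unSpawn's caveat is the important one: a sniffer finding on /sbin/dhclient is only a false positive if /sbin/dhclient is the file your distro shipped, and the name tells you nothing about that. The script below is an added example, not from the thread, of checking a file against a checksum manifest obtained out of band (the distro's published checksums, or a package fetched fresh from a mirror). On an RPM-based system such as Mandrake, `rpm -Vf /sbin/dhclient` does a similar check against the local package database, but that database lives on the host you are doubting, so an external reference is the stronger one. The manifest format is that of sha256sum output ("<hash>  <path>"); the files, paths and the single hash below (SHA-256 of the six bytes "hello\n") are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify binaries against an out-of-band SHA-256 manifest.
# Files and hashes below are constructed for the demo, not taken from any distro.

# Hash a file with whichever SHA-256 tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_binary MANIFEST PATH
# returns 0: hash matches; 1: file missing or hash differs (modified/replaced);
#         2: PATH is not listed in the manifest, so nothing can be said about it.
verify_binary() {
    expected=$(awk -v p="$2" '$2 == p { print $1; exit }' "$1")
    [ -n "$expected" ] || return 2
    [ -r "$2" ] || return 1
    [ "$(sha256_of "$2")" = "$expected" ]
}

# Walk every path in a manifest and report OK/MISMATCH per file, the way you
# would check a whole package's file list rather than one binary.
audit_manifest() {
    awk '{ print $2 }' "$1" | while read -r f; do
        if verify_binary "$1" "$f"; then echo "OK       $f"
        else echo "MISMATCH $f"; fi
    done
}

# Throwaway tree for the demo: a "good" binary, a tampered copy, and a
# manifest whose hash was computed independently of this script
# (SHA-256 of "hello\n" = 5891b5b5...). Prints the directory it created.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin"
    printf 'hello\n' > "$d/sbin/dhclient"
    printf 'hello\n' > "$d/sbin/tampered"
    printf 'x' >> "$d/sbin/tampered"     # one extra byte, as a replaced binary would differ
    cat > "$d/manifest" <<EOF
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  $d/sbin/dhclient
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  $d/sbin/tampered
EOF
    printf '%s\n' "$d"
}

demo_dir=$(make_demo)
audit_manifest "$demo_dir/manifest"
rm -rf "$demo_dir"
```

Two things to keep in mind when using this for real: run the hashing tool from read-only media or a known-good copy, since a rootkit that replaced dhclient can equally well have replaced sha256sum or the shell, and treat a file that is simply absent from the manifest (return code 2) as unverified rather than as clean.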