Old 08-24-2004, 11:31 PM   #1
Ausar
Member
 
Registered: Jun 2004
Location: Mays Landing, NJ
Distribution: None right now. Will be using Mandrake 10.1 Official.
Posts: 171

Rep: Reputation: 30
Have I been hacked? Take a look at this...


I ran the ./chkrootkit and got this... The last few lines are suspect to me. I recently had to do a fresh install. I usually have a 21 character root password that consists of letters, numbers and characters not in an easily guessable order, but this time my wife wanted to be able to dibble and dabble with Linux so she wanted me to use an easier root password. That one had only 10 characters and (I can tell you now since I have changed it) was easily guessable as it was a date.

Also, lately, my box has been running a little slow and crashes sometimes (when I had the long root password it never did this). Also, when I use a Karamba theme that shows how much ram is being used, it shows a LOT of RAM is being used, usually between 460+ of 512. Is that abnormal? Should that much ram be used even though I don't have much on my box? I have 80 gigs and have only used like 20 of those. I don't keep internet history so I don't think it is that. And I have only used gtk-gnutella to download dci drum corps concerts for my father. Can anyone help me?

Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for HKRK rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)

Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

 
Old 08-24-2004, 11:48 PM   #2
Ausar
Member
 
Registered: Jun 2004
Location: Mays Landing, NJ
Distribution: None right now. Will be using Mandrake 10.1 Official.
Posts: 171

Original Poster
Rep: Reputation: 30
Now, I just ran this command: # ./chkrootkit -x | more and scrolled down (a whole lot) and found this. Is this bad?


@(#) init 2.85 15-Apr-2003 miquels@cistron.nl
PANIC: segmentation violation at %p%s! sleeping for 30 seconds.
Id "%s" respawning too fast: disabled for %d minutes
rlevel field too long (max 11 characters)
Sending processes the TERM signal
Sending processes the KILL signal
id field too long (max %d characters)
%s[%d]: %s: unknown action field
%s[%d]: duplicate ID field "%s"
Initdefault level '%c' is invalid
Activating demand-procedures for '%c'
got unimplemented initrequest.
no more processes left in this runlevel
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin
Usage: %s 0123456SsQqAaBbCcUu
timeout opening/writing control channel %s
version 2.85 %s
/sbin/init
12567362
respawn
once
bootwait
powerfail


More as I scrolled even further down:

FATAL: can't reopen tty: %s
FATAL: bad tty
/dev/
/var/log/btmp
(unknown)
util-linux
/usr/share/locale
fh
/dev/tty
%s??
login:
Login incorrect
main
login: Out of memory
Out of memory
.hushlogin
%s/%s
/var/run/utmp
/var/log/wtmp
/bin/sh
TERM
HOME
/usr/local/bin:/bin:/usr/bin
PATH
SHELL
/var/mail
MAIL
LOGNAME
ttyS
DIALUP AT %s BY %s
ROOT LOGIN ON %s FROM %s
TIOCSCTTY failed: %m
Couldn't initialize PAM: %s
Login incorrect
login: no shell: %s.
login: failure forking: %s
initgroups: %m
No directory %s!
Logging in with home = "/".
setuid() failed
You have new mail.
ROOT LOGIN ON %s
You have mail.
LOGIN ON %s BY %s FROM %s
LOGIN ON %s BY %s
dumb
/etc/motd
/var/log/lastlog
Last login: %.*s
from %.*s
on %.*s
%d LOGIN FAILURES FROM %s, %s
%d LOGIN FAILURES ON %s, %s
LOGIN FAILURE FROM %s, %s
LOGIN FAILURE ON %s, %s
usage: login [-fp] [username]
FAILED LOGIN %d FROM %s FOR %s, %s
Session setup problem, abort.
NULL user name in %s:%d. Abort.
login: -h for super-user only.
login: couldn't exec shell script: %s.
login: PAM Failure, aborting: %s
FAILED LOGIN SESSION FROM %s FOR %s, %s
TOO MANY LOGIN TRIES (%d) FROM %s FOR %s, %s
Invalid user name "%s" in %s:%d. Abort.

login: no memory for shell script.
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
Login timed out after %d seconds


The bold section is what bothers me...

Last edited by Ausar; 08-24-2004 at 11:52 PM.
 
Old 08-25-2004, 12:12 AM   #3
Ausar
Member
 
Registered: Jun 2004
Location: Mays Landing, NJ
Distribution: None right now. Will be using Mandrake 10.1 Official.
Posts: 171

Original Poster
Rep: Reputation: 30
This section is really scary:

Warning: the %s host key for '%.200s' differs from the key for the IP address '%.128s'
Offending key for IP in %s:%d
Forcing accepting of host key for loopback/localhost.
check_host_key: getnameinfo failed
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
The %s host key for %s has changed,
and the key for the according IP address %s
%s. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the %s host key has just been changed.
The fingerprint for the %s key sent by the remote host is
Please contact your system administrator.
Add correct host key in %.100s to get rid of this message.
Port forwarding is disabled to avoid man-in-the-middle attacks.
Warning: Permanently added '%.200s' (%s) to the list of known hosts.
Failed to add the %s host key for IP address '%.128s' to the list of known hosts (%.30s).
Agent forwarding is disabled to avoid man-in-the-middle attacks.
Password authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Warning: Permanently added the %s host key for IP address '%.128s' to the list of known hosts.
Are you sure you want to continue connecting (yes/no)?
but keys of different type are already known for this host.
The authenticity of host '%.200s (%s)' can't be established%s
%s key fingerprint is %s.
Are you sure you want to continue connecting (yes/no)?
%s host key for %.200s has changed and you have requested strict checking.
No %s host key is known for %.200s and you have requested strict checking.
Exiting, you have requested strict checking.
WARNING: %s key found for host %s
in %s:%d
%s key fingerprint %s.
exec
fork failed: %.100s
/bin/sh
dup2 stdout
dup2 stdin
Allocated local port %d.
rresvport: af=%d %.100s
socket: %.100s
getaddrinfo: %s: %s
bind: %s: %s
ssh_connect: needpriv %d
Trying again...
%s: %.100s: %s
Connection established.
SSH-
SSH-%d.%d-%[^
SSH-%d.%d-%.100s
write: %.100s
Local version string %.100s
Please type 'yes' or 'no':
<no hostip for proxy command>
using hostkeyalias: %s
Found key in %s:%d
Matching host key in %s:%d
is unknown
is unchanged
has a different value
Offending key for IP in %s:%d
Offending key in %s:%d
%s,%s
internal error
no key of type %d for host %s
@(#)$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $
Trying RSA authentication via agent with '%.100s'
Protocol error during RSA authentication: %d
Received RSA challenge from server.
Sending response to RSA challenge.
Protocol error waiting RSA auth response: %d
RSA authentication using agent refused.



W T F!?!?!?!? OPEN BSD?!?!?!? I HAVE MANDRAKE LINUX!?!?!?!? CAN SOMEONE PLEASE HELP ME?
 
Old 08-25-2004, 12:15 AM   #4
Ausar
Member
 
Registered: Jun 2004
Location: Mays Landing, NJ
Distribution: None right now. Will be using Mandrake 10.1 Official.
Posts: 171

Original Poster
Rep: Reputation: 30
@(#)$OpenBSD: bufaux.c,v 1.28 2002/10/23 10:40:16 markus Exp $
buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d
buffer_get_bignum: cannot handle BN of size %d
buffer_get_bignum: input buffer too small
buffer_get_bignum2: cannot handle BN of size %d
buffer_get_string: bad string length %u
negativ!
buffer_put_cstring: s == NULL
@(#)$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $
buffer_append_space: alloc %u not supported
buffer_append_space: len %u not supported
buffer_get: trying to get more bytes %d than in buffer %d
buffer_consume: trying to get more bytes than in buffer
buffer_consume_end: trying to get more bytes than in buffer
@(#)$OpenBSD: canohost.c,v 1.35 2002/11/26 02:38:54 stevesk Exp $
Trying to reverse map address %.100s.
get_remote_hostname: getnameinfo NI_NUMERICHOST failed
reverse mapping checking getaddrinfo for %.700s failed - POSSIBLE BREAKIN ATTEMPT!
Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Connection from %.100s with IP options:%.800s
get_socket_address: getnameinfo %d failed
get_sock_port: getnameinfo NI_NUMERICSERV failed
getpeername failed: %.100s
%2.2x
UNKNOWN
getsockname failed: %.100s
@(#)$OpenBSD: channels.c,v 1.187 2003/03/05 22:33:43 markus Exp $
channel_lookup: %d: bad id: channel free
channel %d: wfd %d is not a tty?
channel_new: internal error: channels_alloc %d too big.
channel_close_fds: channel %d: r %d w %d e %d
channel_free: channel %d: %s, nchannels %d
channel %d: big output buffer %d > %d




Even further down:

### Output of: /bin/find /tmp -name xp -o -name kidd0.c

Last edited by Ausar; 08-25-2004 at 12:24 AM.
 
Old 08-25-2004, 01:08 AM   #5
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
First off, don't panic! This is a situation you need to investigate carefully. One thing right off, the positive return for the sniffer test (showing eth0 is PF_PACKET) is a common false positive. As near as I can tell, all ethernet interfaces that get their addresses via DHCP will return positive on this test. The test that shows hidden processes is a bit more worrisome, and deserves further investigation. Maybe you can determine, by looking at the output from ps, which processes exist in /proc but not in ps. Also check for new accounts in your /etc/passwd file, particularly if they have UID 0. Also see who's been logging onto your system with last and who, and see if there are any abnormalities.

BTW it looks like chkrootkit -x does a string dump of all the executables it scans, so that's what you're seeing. OpenSSL and OpenSSH are both from the OpenBSD project, hence the OpenBSD banners in your output.
 
Old 08-25-2004, 01:48 AM   #6
Ausar
Member
 
Registered: Jun 2004
Location: Mays Landing, NJ
Distribution: None right now. Will be using Mandrake 10.1 Official.
Posts: 171

Original Poster
Rep: Reputation: 30
btmiller, thanx for the reply. However, I am a newbie to Linux security and have no idea how to do what you stated. Can you give me some newbie friendly instructions?
 
Old 08-25-2004, 02:13 AM   #7
Ausar
Member
 
Registered: Jun 2004
Location: Mays Landing, NJ
Distribution: None right now. Will be using Mandrake 10.1 Official.
Posts: 171

Original Poster
Rep: Reputation: 30
This is my etc/passwd file. Does it look normal? (The shannon and utility are my wife's and mine)

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/sh
adm:x:3:4:adm:/var/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/bin/sh
news:x:9:13:news:/var/spool/news:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:operator:/var:/bin/sh
games:x:12:100:games:/usr/games:/bin/sh
nobody:x:65534:65534:Nobody:/:/bin/sh
rpm:x:13:101:system user for rpm:/var/lib/rpm:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:70:70:system user for portmap:/:/bin/false
xfs:x:71:71:system user for XFree86:/etc/X11/fs:/bin/false
apache:x:72:72:system user for apache2:/var/www:/bin/sh
postfix:x:73:73:system user for postfix:/var/spool/postfix:/bin/false
rpcuser:x:74:74:system user for nfs-utils:/var/lib/nfs:/bin/false
ups:x:75:75:system user for nut:/var/state/ups:/bin/false
postgres:x:76:76:system user for postgresql:/var/lib/pgsql:/bin/bash
shannon:x:501:501:shannon:/home/shannon:/bin/bash
utility:x:500:500:utility:/home/utility:/bin/bash
 
Old 08-25-2004, 03:37 PM   #8
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
What, exactly, are you having trouble understanding? Looking at your password file, I don't see anything overtly wrong, but that doesn't mean you're safe. You're just going to have to do a little detective work here. I forgot to mention that you should look at your log files in /var/log and see if there are any suspicious entries -- post if you're in doubt about something.

Oh, I whipped up a quick Perl script to look for hidden processes, I've put it on the Web here -- it's not foolproof, but it might help you. BTW if anyone else would like to comment on the script, I'd like to hear it.
 
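The two checks btmiller describes in post #5 (PIDs visible in /proc but missing from ps, which is also what chkrootkit's `lkm` test compares, and accounts other than root with UID 0 in /etc/passwd), written out in Python as an added example; this is not btmiller's Perl script, which is not reproduced in this thread, and not chkrootkit's own code. The embedded passwd text is a constructed, trimmed copy of the file posted above.

```python
import os
import subprocess

# Constructed sample: a trimmed copy of the /etc/passwd posted in this thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
operator:x:11:0:operator:/var:/bin/sh
apache:x:72:72:system user for apache2:/var/www:/bin/sh
shannon:x:501:501:shannon:/home/shannon:/bin/bash
utility:x:500:500:utility:/home/utility:/bin/bash
"""

def uid0_accounts(passwd_text):
    """Names of all accounts whose UID (3rd field) is 0.

    Only 'root' should appear; any other name has full root privileges.
    GID is ignored: 'operator' has GID 0 but UID 11, which is normal.
    """
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:        # skip blank or malformed lines
            continue
        if fields[2] == "0":
            names.append(fields[0])
    return names

def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output, sorted.

    This is the comparison behind chkrootkit's 'lkm' test: a rootkit that
    filters ps output often does not hide /proc/<pid> from a direct readdir.
    """
    return sorted(set(proc_pids) - set(ps_pids))

def live_proc_pids():
    """Numeric directory names under /proc are the kernel's own PID list."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def live_ps_pids():
    """PIDs as ps reports them (procps syntax, Linux)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(p) for p in out.split()}

if __name__ == "__main__":
    # A process that exits between the two listings also shows up here,
    # so repeat the comparison before treating a PID as hidden.
    print("hidden PIDs:", hidden_pids(live_proc_pids(), live_ps_pids()))
    with open("/etc/passwd") as fh:
        print("UID 0 accounts:", uid0_accounts(fh.read()))
```

A PID that is reported hidden on one run but not on a repeat is almost always a short-lived process that exited between the two listings, not a rootkit.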