LinuxQuestions.org, Linux - Security forum
Old 06-28-2004, 01:35 PM   #1
mpower
LQ Newbie
 
Registered: Jun 2004
Posts: 21

Rep: Reputation: 15
I've been hacked...any thoughts?


I logged on as root and found

Quote:
Last login: Mon Jun 28 08:41:48 2004 from dsl093-061-155.pit1.dsl.speakeasy.net


as being the last login for today. I was like WTH???? That wasn't me! So I ran chkrootkit and that's what I have so far. I also noticed that two files have been downloaded onto my server: 25-meg-file.dat and KNOPPIX_V3.2-2003-04-10-EN.iso

I already contacted that person's ISP but no reply as of yet. Any future things to do to prevent this? Thanks in advance...

Quote:
[root@server1 chkrootkit-0.43]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/mod_perl/.packlist /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Image/Magick/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for HKRK rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth1: not promisc and no PF_PACKET sockets
eth1:1: not promisc and no PF_PACKET sockets
eth1:2: not promisc and no PF_PACKET sockets
eth1:3: not promisc and no PF_PACKET sockets
eth1:4: not promisc and no PF_PACKET sockets
eth1:5: not promisc and no PF_PACKET sockets
eth1:6: not promisc and no PF_PACKET sockets
eth1:7: not promisc and no PF_PACKET sockets
eth1:8: not promisc and no PF_PACKET sockets
eth1:9: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted



I have no idea how to make sense of it, and should I be worried?
 
Old 06-28-2004, 01:48 PM   #2
joe83
Member
 
Registered: Sep 2003
Location: Kennesaw GA
Distribution: Slackware-current , Slack81Zip, Smoothwall v2
Posts: 427

Rep: Reputation: 31

Ouch that has to hurt. From everything I've read once you've been "rooted" the only way to totally undo it is to reinstall.
Maybe others have other suggestions. In the meantime I strongly suggest taking the machine off the web to avoid further problems.
What distro are you using?? I might be able to help you secure a future install. Also the security and networking forums on this page
have lots of good info.


 
Old 06-28-2004, 01:50 PM   #3
mpower
LQ Newbie
 
Registered: Jun 2004
Posts: 21

Original Poster
Rep: Reputation: 15
I'm running Red Hat 9. Did you read my output of chkrootkit? Do you see anything wrong with it?
It seems to check out for me, though, but mostly something is lurking that I don't know about...
 
Old 06-28-2004, 01:54 PM   #4
SBing
Member
 
Registered: Mar 2004
Posts: 519

Rep: Reputation: 35
In terms of the files that have been downloaded, I assume those were simply to test the speed of your connection; if you have a particularly fast connection then you may be targeted as a warez server or a spam machine.

Still, as with the advice above, get the machine off the net and read unSpawn's stuff :)

Steve
 
Old 06-28-2004, 02:49 PM   #5
joe83
Member
 
Registered: Sep 2003
Location: Kennesaw GA
Distribution: Slackware-current , Slack81Zip, Smoothwall v2
Posts: 427

Rep: Reputation: 31
Chkrootkit looks ok but......
Do nmap -vv localhost and see what ports are open. Also, if you can, use rkhunter -c --createlogfile; it will let you know if remote root access is possible on your system.
 
Old 06-28-2004, 03:00 PM   #6
gensis
LQ Newbie
 
Registered: Jun 2004
Distribution: Slackware, Suse, Red Hat, Fedora
Posts: 28

Rep: Reputation: 15
Helps:

1. You can turn on the firewall and close everything off, and reinstall. Install tripwire next time around.

2. Leave everything in place, connect your computer to a hub and have a laptop or computer sniff the wires to see where and what traffic the computer is sending and receiving.

I prefer the second method but it is up to you.
 
Old 06-28-2004, 03:21 PM   #7
mpower
LQ Newbie
 
Registered: Jun 2004
Posts: 21

Original Poster
Rep: Reputation: 15
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if
you really don't want to portscan (and just want to see what hosts are up).
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against localhost.localdomain (127.0.0.1)
Adding open port 53/tcp
Adding open port 110/tcp
Adding open port 25/tcp
Adding open port 80/tcp
Adding open port 22/tcp
Adding open port 443/tcp
Adding open port 993/tcp
Adding open port 995/tcp
Adding open port 143/tcp
Adding open port 3306/tcp
Adding open port 21/tcp
The SYN Stealth Scan took 2 seconds to scan 1601 ports.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
143/tcp open imap2
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

That's what I have so far when I did the command... any thoughts?

I'm so frustrated really, but everything seems to check out with chkrootkit as it seems. I really do not want a whole new install; that would totally suck! Any other commands to try? On a side note, I tried this that a tech told me to do, but I can't seem to get it right because every time I do the command below it always comes to an error. Any thoughts on how to successfully execute the command?

__________________________________________
rpm -Va >> rpmtest.txt

Check the rpmtest.txt file for S's and 5's on your RPMs (not the conf files). That means that the RPM got modified by an outside source.
_____________________________________________
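Added example, not posted by anyone in this thread: a small POSIX sh/awk filter that applies the tech's rule to the rpmtest.txt file. rpm -Va prints one line per file that fails verification (a flag string such as S.5....T, an optional attribute letter where "c" marks a config file, then the path, or the word "missing" for a file that is gone). The sample output, paths and flags below are constructed for the demo, not taken from mpower's box.

```shell
#!/bin/sh
# Added example, not from the thread: triage the rpmtest.txt produced by
# "rpm -Va >> rpmtest.txt". rpm prints one line per file that fails verification:
#   <flags> [attr] <path>     e.g. "S.5....T    /bin/ls"  or  "S.5....T  c /etc/issue"
#   S = size differs, M = mode differs, 5 = MD5 digest differs, T = mtime differs, ...
#   "missing   <path>" when the packaged file is gone; "c" marks a config file.
# Config files change legitimately, so the tech's rule is: S or 5 on a file that is
# NOT marked "c" means the packaged file was replaced.

# Constructed sample standing in for rpmtest.txt (paths and flags made up for the demo).
SAMPLE_RPM_VA='S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/doc/foo/README
S.5....T    /bin/ls
.M......    /usr/bin/sudo
missing     /usr/bin/netstat
SM5....T  c /etc/issue'

# Read rpm -Va output on stdin; print the path of every non-config file whose
# size (S) or MD5 (5) changed, or that is missing outright.
suspect_files() {
    awk '
        NF >= 3 && $2 == "c" { next }                       # config file: expected to drift
        $1 == "missing"      { print $NF; next }            # packaged file removed
        index($1, "S") || index($1, "5") { print $NF }      # contents replaced
    '
}

# Number of suspect files, as a one-number summary.
count_suspects() {
    suspect_files | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RPM_VA" | suspect_files
```

Two caveats a practitioner would add. First, rpm -Va reports via stdout but its warnings go to stderr, so if the command "comes to an error" capture both with 2>&1 into the file to see what it is complaining about. Second, the check trusts the rpm binary and the /var/lib/rpm database on the same possibly compromised machine; a rootkit that touched either can make everything verify clean, so a clean rpmtest.txt is weak evidence and the reinstall advice earlier in the thread still stands.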
 
Old 06-28-2004, 03:37 PM   #8
mpower
LQ Newbie
 
Registered: Jun 2004
Posts: 21

Original Poster
Rep: Reputation: 15
I'm sorry, but how would I use rkhunter, joe? Thanks
 
Old 06-28-2004, 05:03 PM   #9
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Rep: Reputation: 30
What do your logs say?
 
Old 06-28-2004, 05:03 PM   #10
joe83
Member
 
Registered: Sep 2003
Location: Kennesaw GA
Distribution: Slackware-current , Slack81Zip, Smoothwall v2
Posts: 427

Rep: Reputation: 31
Download it from freshmeat.net, compile & install.
Type rkhunter -c --createlogfile
then go to /var/log and read the rkhunter.log file.
Were you able to nmap your system???


 
Old 06-28-2004, 05:28 PM   #11
joe83
Member
 
Registered: Sep 2003
Location: Kennesaw GA
Distribution: Slackware-current , Slack81Zip, Smoothwall v2
Posts: 427

Rep: Reputation: 31
OK, saw your nmap log. More than likely 21, 22 or 25 were the way in.
Create these scripts to switch the network on / off while you work on it:
cd /bin
vi netup
#!/bin/sh
ifconfig eth0 up
route add default gw 192.168.8.1
(save)
Now create:
vi netdown
#!/bin/sh
ifconfig eth0 down
(save)
Make executable, root only:
chmod 0700 netup netdown
Type netdown <return> to shut down the network, netup <return> to turn it back on.
Now:
type netstat -tan
and see if any others are listening etc.
If so then fuser -v -n tcp <port> (or -n udp) will tell you what service uses / listens on the port.
I strongly recommend closing / filtering ports and removing unnecessary services.
If you need ssh access make sure it is set to protocol 2 with no remote root access.
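Added example, not posted by anyone in this thread: the port review and sshd check joe83 describes, written as POSIX sh/awk functions over captured text so the steps can be rehearsed offline before touching the live machine. The netstat -tan output, the allow-list of ports, the 31337 listener and the sshd_config fragments are all constructed for the demo; on the real box the functions read the real netstat output and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example, not from the thread: the port review joe83's post describes,
# done as functions over captured text so it can be rehearsed offline.
#   listening_ports  - the LISTEN entries from "netstat -tan"
#   unexpected_ports - listeners not on an allow-list of ports you intend to serve
#   sshd_config_ok   - does sshd_config pin "Protocol 2" and "PermitRootLogin no"?
# On the live box the next step for an unexpected port is "fuser -v -n tcp <port>"
# to see which process owns it (not run here; it needs the real machine).

# Constructed "netstat -tan" output; 31337 stands in for a listener nobody configured.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:4012       ESTABLISHED'

# Listening TCP ports from netstat -tan on stdin, one per line, numerically sorted.
listening_ports() {
    awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# Listening ports that are not in the space-separated allow-list passed as $1.
unexpected_ports() {
    allow=" $1 "
    listening_ports | while read -r port; do
        case "$allow" in
            *" $port "*) ;;          # expected service
            *) echo "$port" ;;       # investigate with: fuser -v -n tcp $port
        esac
    done
}

# Constructed sshd_config fragments: the weak one and the corrected one.
SAMPLE_SSHD_WEAK='Protocol 2,1
PermitRootLogin yes
#PermitRootLogin no'
SAMPLE_SSHD_OK='Protocol 2
PermitRootLogin no'

# Exit 0 if sshd_config on stdin has "Protocol 2" and "PermitRootLogin no".
# Comments are ignored and, as in sshd, the first occurrence of a keyword wins.
sshd_config_ok() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "protocol"        && !seen_p { seen_p = 1; proto = $2 }
        tolower($1) == "permitrootlogin" && !seen_r { seen_r = 1; root = tolower($2) }
        END { exit (proto == "2" && root == "no") ? 0 : 1 }
    '
}

# Stand-alone run over the constructed samples.
echo "unexpected listeners:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "22 80 3306"
printf '%s\n' "$SAMPLE_SSHD_WEAK" | sshd_config_ok && echo "sshd_config: ok" || echo "sshd_config: weak settings"
```

The allow-list is the point of the exercise: write down the ports the box is supposed to serve (from the nmap list above that is at most ftp, ssh, smtp, dns, http/https, pop3/imap and their TLS variants, and mysql, which should normally be bound to 127.0.0.1 only) and treat anything else that is LISTENing as a question to answer with fuser before the machine goes back on the net. The sshd check mirrors what sshd itself does: "Protocol 2,1" still permits the weaker protocol 1, and a commented "#PermitRootLogin no" does nothing while an earlier "PermitRootLogin yes" is in force.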
 
Old 06-28-2004, 05:39 PM   #12
mpower
LQ Newbie
 
Registered: Jun 2004
Posts: 21

Original Poster
Rep: Reputation: 15
Alright, let me get to work on those and I'll post my findings...

 
Old 07-01-2004, 12:38 AM   #13
mpower
LQ Newbie
 
Registered: Jun 2004
Posts: 21

Original Poster
Rep: Reputation: 15
The heck with it heheh, I got the new nix on (fresh install). Thank you guys for helping me out. I appreciate it.
 
Old 07-01-2004, 02:18 AM   #14
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Hope you have not already connected to the internet without configuring firewall / tcpwrappers.
 
Old 07-01-2004, 02:50 AM   #15
mpower
LQ Newbie
 
Registered: Jun 2004
Posts: 21

Original Poster
Rep: Reputation: 15
Yeah, it's running... TCP wrappers is made for Red Hat 9 too? I searched for it but didn't see anything for RH9. I'm in the process of installing tripwire and rkhunter.

I like the sound of TCP wrappers btw, logs everything. Any other progs you rec. that would work nicely on the Red Hat 9 serv? Thanks
 
  

