LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-22-2005, 09:29 AM   #1
Ross Clement
Member
 
Registered: Jun 2003
Location: UK
Distribution: Redhat 9 (work) Fedora 1 (home)
Posts: 171

Rep: Reputation: 30
Intrusion Detection - FAQ?


Hi. Can anyone direct me to a suitable FAQ on what to do if your Linux machine (rh9) may have been compromised? My machine was tracked this morning accessing a web site (login page for University of Auckland library) once per minute for two hours before I arrived at work. I haven't tried accessing the University of Auckland page at all for a long time.

This could be innocent, but sounds suspicious. I'm looking around on the net to see what I can do to check for trojans, but haven't found any obvious solution yet.

Thanks in advance,

Ross-c
 
Old 03-22-2005, 09:47 AM   #2
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
chkrootkit is one thing to start with.
 
Old 03-22-2005, 09:58 AM   #3
skunkburner
Member
 
Registered: Mar 2004
Distribution: Fedora Core 17 & 18, Debian Wheezy
Posts: 137

Rep: Reputation: 16
another rootkit detector can be found at

http://sourceforge.net/projects/checkps/


You probably don't want to hear this, but
if you have been compromised the only way I know of removing the hacker's backdoor to your box that is 100% successful is fdisk and re-install from scratch.


Last edited by skunkburner; 03-22-2005 at 10:00 AM.
 
Old 03-22-2005, 10:05 AM   #4
Ross Clement
Member
 
Registered: Jun 2003
Location: UK
Distribution: Redhat 9 (work) Fedora 1 (home)
Posts: 171

Original Poster
Rep: Reputation: 30
Thanks. Chkrootkit goes through a lot of tests, all of which appear to be negative. Under the suspicious files heading it does list a large number of hidden files. Having a look at a random selection of them, I can't see anything suspicious. Mainly text .directory and .packlist files. I had to change the source of chklastlog to find my wtmp and lastlog files, but after that nothing suspicious was found.

The network people here have my machine flagged for quick reporting of future suspicious behaviour. Is there anything else I can look for in the meantime?

One thing I noticed is that cron is running an hourly job "cron.hourly". /etc/cron.hourly has two entries that appear to be related to a news server, which I am not running.

inn-cron-nntpsend
inn-cron-rnews

I presume that I can delete these.

Cheers,

Ross-c
 
Old 03-22-2005, 10:45 AM   #5
Ross Clement
Member
 
Registered: Jun 2003
Location: UK
Distribution: Redhat 9 (work) Fedora 1 (home)
Posts: 171

Original Poster
Rep: Reputation: 30
Thanks. check_ps reports a number of hidden processes. However, how can I know if these processes are evidence of a trojan/intrusion or not?

If I have to reformat my disk and reinstall, so be it. I've been meaning to upgrade to a more recent OS for over a year but never get around to it.

Cheers,

Ross-c
 
Old 03-22-2005, 10:55 AM   #6
Ross Clement
Member
 
Registered: Jun 2003
Location: UK
Distribution: Redhat 9 (work) Fedora 1 (home)
Posts: 171

Original Poster
Rep: Reputation: 30
PS: I now find that if I run check_ps as root I get no output at all. Is this correct? Also, some of the hidden pids previously had the same pids as known processes, including check_ps itself.

Now running it as root I usually get no output. I occasionally get

Mar 22 16:37:51 Some pids seem to be fake
Mar 22 16:37:52 rechecking ps

but that's it. Does this suggest that I may be in the clear?

Cheers,

Ross-c
 
Old 03-22-2005, 11:31 AM   #7
bones996
Member
 
Registered: Sep 2003
Location: Pennsylvania
Distribution: Debian Squeeze
Posts: 106

Rep: Reputation: 15
I run Redhat 9 as well & have cron scripts set (as root) to run chkrootkit & rkhunter every night (as well as a few other programs) - they can give you a pretty good idea if anything is wrong. But, even so I think you may be in need of a new install just to be on the safe side. I'd like to know though how you got chkrootkit to check lastlog & wtmp files, because I always see these in my daily reports ("can't check them" errors) & wondered what was wrong - thought it was an rh9 problem.
 
Old 03-22-2005, 11:44 AM   #8
Ross Clement
Member
 
Registered: Jun 2003
Location: UK
Distribution: Redhat 9 (work) Fedora 1 (home)
Posts: 171

Original Poster
Rep: Reputation: 30
Hi.

I have only weak evidence that my box was compromised --- yet. Though, I am going to try for a clean install anyhow just to be on the safe side.

To get chklastlog to run, I had to hand edit the source code. There are a whole lot of #defines saying where the lastlog and wtmp files are. The last (default) ones seem to be the ones used on my machine, and point to /var/adm/wtmp and /var/adm/lastlog. On my machine these files are in the directory /var/log. I changed the filenames in the #defines to be /var/log/lastlog and /var/log/wtmp, recompiled, and the command now runs with no errors. All filenames in this paragraph are from my notably imperfect memory, but I'm sure you can fix any errors.

I'll look into rkhunter as well.

Cheers,

Ross-c
 
Old 03-22-2005, 11:51 AM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Look up any PIDs it finds in /proc/<PID>/cmdline to see what the actual process is. Most checks like this suffer from false positives if a short-lived process terminates in the middle of the check (some of the tests show the process, others don't because it finished running; the conflicting results then generate a warning). A good indication that it's a false positive is if running the scan multiple times doesn't consistently show the same "hidden" process. Running chkrootkit's helper app, chkproc -x lkm, will give a listing of any hidden processes and their PIDs. Take a look at the processes and see if they're normal.

Similarly the chkrootkit warning about hidden files is simply a check for filenames that begin with a '.' and are outside of standard home directories. Chkrootkit will usually find files like that on most linux distros regardless. It's advisable to always check the contents though and verify that they aren't malicious in nature.

I think the first step is to even verify that the traffic is coming from your machine. Set up tcpdump to listen for any traffic going to or from that host. As root use: tcpdump -xv host x.x.x.x (where x.x.x.x is the IP of the uni 'target'). You can also use ethereal.

Obviously a clean wipe and reinstall is the safest option, but you may want to look into the origin.

Last edited by Capt_Caveman; 03-22-2005 at 11:53 AM.
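The check Capt_Caveman describes above, written out as a POSIX shell script. This is an added example, not code from any poster in this thread and not part of chkrootkit or check_ps: it lists the PIDs present in /proc that `ps` does not report, repeats the comparison several times, and keeps only PIDs that are missing from `ps` in every pass (a PID that shows up in a single pass only is the short-lived-process false positive the post mentions). For each PID that survives it prints /proc/<PID>/cmdline and the /proc/<PID>/exe link so the process can be identified. The function and variable names are this example's own; the comparison logic is separated from the live snapshots so it can be exercised on constructed PID lists.

```shell
#!/bin/sh
# Added example: find PIDs that /proc exposes but ps omits, across several
# passes, then show what those processes are. Run as root so /proc/<pid>/exe
# is readable for every process.

# hidden_once PS_LIST PROC_LIST
# Prints the PIDs in PROC_LIST (whitespace separated) that PS_LIST lacks.
# Kept free of any live system call so it can be tested on constructed data.
hidden_once() {
    ps_list=$1
    proc_list=$2
    for pid in $proc_list; do
        case " $ps_list " in
            *" $pid "*) ;;            # ps reports it: not hidden
            *) echo "$pid" ;;          # in /proc but absent from ps
        esac
    done
}

# intersect LIST_A LIST_B
# Prints the PIDs present in both whitespace-separated lists.
intersect() {
    for pid in $1; do
        case " $2 " in
            *" $pid "*) echo "$pid" ;;
        esac
    done
}

# Two views of the same process table: what ps says, and what /proc holds.
live_snapshot_ps()   { ps -e -o pid= | tr -s ' \n' ' '; }
live_snapshot_proc() { ls /proc | grep -E '^[0-9]+$' | tr '\n' ' '; }

# consistent_hidden N
# Runs N passes one second apart and prints only the PIDs that were hidden
# from ps in every pass. A process that exits (or starts) between the two
# snapshots of one pass drops out here instead of being reported.
consistent_hidden() {
    passes=${1:-3}
    result=""
    i=0
    while [ "$i" -lt "$passes" ]; do
        ps_now=$(live_snapshot_ps)
        proc_now=$(live_snapshot_proc)
        now=$(hidden_once "$ps_now" "$proc_now" | tr '\n' ' ')
        if [ "$i" -eq 0 ]; then
            result=$now
        else
            result=$(intersect "$result" "$now" | tr '\n' ' ')
        fi
        i=$((i + 1))
        [ "$i" -lt "$passes" ] && sleep 1
    done
    echo "$result"
}

# report_hidden: identify each consistently hidden PID from /proc.
# cmdline is NUL separated, so NULs are turned into spaces for display;
# exe resolves to the binary actually running, even if the name on the
# command line has been changed.
report_hidden() {
    for pid in $(consistent_hidden 3); do
        printf '%s\t' "$pid"
        tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null
        printf ' (exe: %s)\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done
}
```

Calling `report_hidden` with no output is the expected result on a clean system; a PID that is printed on every run is worth examining, and a PID that appears once and is gone on the next run is the race condition the post describes rather than evidence of anything.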
 
All times are GMT -5.