Welcome to LQ. Please note tool output should be accompanied by the version of Chkrootkit you're running, general information about the machine like distribution, release, network placement, preferably an indication of location (physical access vs colo), services it provides, any previous signs of anomalous behaviour (if any), and what you have done after reading the Chkrootkit output. Basically any factual information that helps us help you.
Before you start please:
- read the
CERT Intruder Detection Checklist,
- disregard any replies telling you "don't worry" only,
- do not delete anything, and
- do not install anything.
Quote:
Originally Posted by mar0der
Code:
Checking `ifconfig'... INFECTED
Checking `netstat'... INFECTED
Checking `pstree'... INFECTED
Checking `top'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
|
These four are part of a list of system utilities that were commonly targeted by traditional rootkits to enable hiding of processes and such. To verify there are a few things you should do:
- if you trust your machines package management then verify the state of packages and package contents using the available package management tools else download the packages these binaries are in to another machine and compare hashes from there (do not use ,
- verify Chkrootkit output using it's debug mode or common tools like 'strings' and 'egrep': like 'strings -an4 /path/to/binary|egrep ${STRINGS}'. The STRINGS values you find by grepping the chkrootkit script. For 'netstat find the string NETSTAT_I_L= and use it's value, for 'ps' find PS_I_L=, 'top' needs TOP_INFECTED_LABEL= and for 'pstree' see PSTREE_INFECTED_LABEL=.
- The "Possible t0rn v8" points to existence of a file named "libproc.a" which you should be able to find using 'find / -type f -name libproc.a -ls.
* If you do not trust the machine then if it is local to you start your investigation by booting a Live CD like HELIX or KNOPPIX.
Quote:
Originally Posted by mar0der
Code:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/jvm/.java-gcj.jinfo /usr/lib/jvm/.java-6-sun.jinfo /usr/lib/jvm/java-6-sun-1.6.0.20/lib/visualvm/profiler3/.lastModified /usr/lib/jvm/java-6-sun-1.6.0.20/lib/visualvm/visualvm/.lastModified /usr/lib/jvm/java-6-sun-1.6.0.20/lib/visualvm/platform10/.lastModified /usr/lib/jvm/java-6-sun-1.6.0.20/.systemPrefs /lib/init/rw/.mdadm /lib/init/rw/.ramfs
/lib/init/rw/.mdadm
|
By name only these are possibly false positives. Please see the Chkrootkit FAQ.
Quote:
Originally Posted by mar0der
Code:
Searching for Showtee... Warning: Possible Showtee Rootkit installed
|
According to Chkrootkit Showtee comprises of these files you can search for using 'find': /usr/lib/.egcs /usr/lib/.wormie /usr/lib/.kinetic /usr/lib/liblog.o /usr/include/addr.h /usr/include/cron.h /usr/include/file.h /usr/include/proc.h /usr/include/syslogs.h /usr/include/chk.h.
Quote:
Originally Posted by mar0der
Code:
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
|
According to Chkrootkit the Romanian rootkit comprises of these files you can search for using 'find': /usr/include/file.h /usr/include/proc.h /usr/include/addr.h /usr/include/syslogs.h. In addition find out which package the /usr/include/file.h and /usr/include/proc.h file belong to and verify their contents to get an indication of false positives.
Quote:
Originally Posted by mar0der
Code:
Checking `bindshell'... INFECTED (PORTS: 465)
|
If you 'getent services 465' you should find that port TCP/465 is assigned by IANA to the SMTPS service. Even without using 'netstat' or 'lsof' you should know if your machine provides secure SMTP access.
Quote:
Originally Posted by mar0der
Code:
Checking `lkm'... You have 20 process hidden for readdir command
You have 22 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
|
Tracking short-lived processes are a known problem with any tool relying on 'ps' and possibly result in false positives. Please see the Chkrootkit FAQ.
Keep us informed, post your findings and please be as verbose as possible.
