LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-18-2006, 04:12 PM   #1
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Rep: Reputation: 62
OSSEC report - is this OKAy?


I'm getting this logged by OSSEC. I believe it's for ATI drivers and should be normal, but I wanted to verify whether you all thought this was OK or not.

I do use the latest ATI drivers on the PC that is logging this message.

Quote:
OSSEC HIDS Notification.
2006 Oct 18 17:05:29

Received From: pooter->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

File '/dev/shm/ATISHM00' present on /dev. Possible hidden file.
 
Old 10-19-2006, 06:27 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

Rep: Reputation: 2791
Quote:
I believe it's for ATI drivers and should be normal?
Determination can be done by different means. One is to use a file integrity checker like Aide, Samhain or even Tripwire; of course, in the case of /dev files this won't work. So if your distro's (you didn't fill in that info in your control panel) package manager supports verification, then most of the time you can fall back on that to check (provided you have an off-site backup of the database), and since this is a /dev/ file you would probably have to look in the packages' (post)install scripts. If it's udev, then it could be that a rule has been set up in your udev rules dir. These are more or less authoritative means for verification.

Non-authoritative means (call it "circumstantial evidence" due to the dynamics of a live system and the probability of manipulation) would be to look for instance at "lsmod", "stat", "fuser" (fuser -v /dev/* 2>&1 | grep ^/ | sort | uniq) and "lsof" (lsof -n +D /dev | awk '{print $NF}' | sort | uniq) output for clues wrt rights, usage, MAC times and such. The worst and most flawed way would be to assume that because the name contains the strings "ati" and "shm" this is a device linked to ATI. Names don't mean a thing.
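The two authoritative checks described in the post above, scripted, as an added example that is not part of the thread and not OSSEC's own rootcheck logic. It assumes a Slackware-style package database (one file list per installed package under /var/log/packages, paths written without the leading slash) and udev rules under /etc/udev/rules.d; both directories are parameters so the same checks can be run against a mounted copy of a suspect disk. Package names, rule contents and the ATISHM00 verdict in the comments are illustrative, not results from the original poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an unexpected entry under
# /dev is accounted for by something authoritative, without reading anything
# into its name. Assumed layout: Slackware keeps one file list per installed
# package under /var/log/packages, paths written without the leading slash;
# udev rules live under /etc/udev/rules.d. Both are parameters so the same
# checks run against a mounted copy of a suspect disk.
PKGDIR_DEFAULT=/var/log/packages
RULESDIR_DEFAULT=/etc/udev/rules.d

# pkg_owner PATH PKGDIR: print every package whose file list contains PATH.
pkg_owner() {
    rel=${1#/}
    grep -lx -- "$rel" "$2"/* 2>/dev/null | while read -r f; do basename "$f"; done
}

# udev_rule_for PATH RULESDIR: print rules files mentioning the entry's basename.
# udev names nodes via NAME= or SYMLINK+=, so a hit is a lead to read, not proof.
udev_rule_for() {
    name=$(basename "$1")
    grep -l -- "$name" "$2"/*.rules 2>/dev/null | while read -r f; do basename "$f"; done
}

# entry_kind PATH: what the entry actually is. A "device" that turns out to be
# a regular file deserves a closer look regardless of what it is called.
entry_kind() {
    if   [ -L "$1" ]; then echo symlink
    elif [ -c "$1" ]; then echo char-device
    elif [ -b "$1" ]; then echo block-device
    elif [ -p "$1" ]; then echo fifo
    elif [ -S "$1" ]; then echo socket
    elif [ -d "$1" ]; then echo directory
    elif [ -f "$1" ]; then echo regular-file
    else echo absent
    fi
}

# dev_entry_verdict PATH [PKGDIR] [RULESDIR]: prints "packaged:<pkg>",
# "udev:<rules file>" or "unaccounted"; returns 0 only for the first two.
dev_entry_verdict() {
    pkgdir=${2:-$PKGDIR_DEFAULT}
    rulesdir=${3:-$RULESDIR_DEFAULT}
    owner=$(pkg_owner "$1" "$pkgdir" | head -n 1)
    if [ -n "$owner" ]; then echo "packaged:$owner"; return 0; fi
    rule=$(udev_rule_for "$1" "$rulesdir" | head -n 1)
    if [ -n "$rule" ]; then echo "udev:$rule"; return 0; fi
    echo unaccounted
    return 1
}

# live_evidence PATH: the circumstantial side: owner, mode, MAC times and which
# processes hold the entry open. Only meaningful on the running system, and
# only as trustworthy as the stat/fuser/lsof binaries doing the reporting.
live_evidence() {
    echo "kind=$(entry_kind "$1")"
    stat -c 'owner=%U:%G mode=%a accessed=%x modified=%y changed=%z' -- "$1"
    command -v fuser >/dev/null 2>&1 && fuser -v "$1" 2>&1
    command -v lsof  >/dev/null 2>&1 && lsof -n "$1" 2>/dev/null
    return 0
}

# Usage on the entry from the OSSEC alert (paths as in the alert, verdict not
# known in advance): fall back to live evidence only when nothing owns it.
#   dev_entry_verdict /dev/shm/ATISHM00 || live_evidence /dev/shm/ATISHM00
```

A runtime file on tmpfs (/dev/shm) will normally come back "unaccounted" because no package ships it and no udev rule creates it; that is the point at which the post's circumstantial checks, and a second opinion, take over.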
 
Old 10-19-2006, 01:43 PM   #3
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Original Poster
Rep: Reputation: 62
Hi Unspawn,

Yeah, I've been rooted. Thank you for the reply. Back to damage control, bye for now. Thanks again.
 
Old 10-20-2006, 05:34 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

Rep: Reputation: 2791
Not so fast. What indications do you have you're rooted?
 
Old 10-20-2006, 11:45 AM   #5
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Original Poster
Rep: Reputation: 62
Hi Unspawn,

I believe that I was rooted because rkhunter was reporting the rootkit ports being open, and I verified that they were using netstat -l. However, the rootkit did not create the "/usr/src/.puta" folder, but maybe this is a modified rootkit, or maybe the rootkit didn't get fully installed. I don't run any servers of any kind (well, samba, nfs and cups, but only for the LAN PCs), and there were no files or daemons listed next to the ports 47107 or 41707 (I forget off the top of my head the t0rn port) in the netstat output.

Initially I started a thread here on LQ a while back regarding rc.statd running as root on my PC, located here:

http://www.linuxquestions.org/questi...d.php?t=489929

Since opening that thread up here a few weeks ago, I installed and started using OSSEC and really only had the one message, and that is why I started this thread.

But then all of a sudden a few days ago OSSEC started logging/emailing to me that some of my daemons were having their md5sum values change over and over, cups and samba in particular. Because OSSEC sends out the email alerts I got them right away, and well, here I am.

From what I read the t0rn rootkit uses that rc.statd daemon; again, I'm trying to figure out what other Slackers do for this daemon, whether they chown it to a different user or not.

I'm using Slackware 11.0 on the PC that got compromised, and I did gpg-verify that CD and md5-checksum it.

Maybe when I reloaded the PC with Slack 11 from 10.2 I used some packages that I had downloaded from linuxpackages, or made myself, that sat locally on the PC, and they got "reworked" somehow and I put them in on my fresh install of Slackware? Not sure, but I'm going to download all new sources and make new packages when this is all said and done.

So for now I DoD-wiped the entire PC, but it takes so long to wipe.
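The post above relies on "netstat -l" to confirm open rootkit ports, and notes that no daemon was listed next to them. Two things worth knowing there: netstat only shows the owning process with -p (and only as root), and a userland rootkit of the t0rn family replaces the netstat binary itself, so its output cannot confirm anything on its own. As an added example, not from the thread and not rkhunter's logic, the following compares the kernel's own socket table in /proc/net/tcp with what a netstat binary prints; a LISTEN port present on the kernel side but missing from netstat is a strong hint that netstat has been replaced. A kernel-module rootkit can fake /proc as well, so agreement is not proof of a clean box. The /proc/net/tcp and netstat text in the sample functions is constructed for the example; the port 47107 in it is just the number quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread: compare the kernel's listing of listening
# TCP sockets (/proc/net/tcp) with what the netstat binary reports. A replaced
# netstat can hide a port from "netstat -l" but cannot edit /proc/net/tcp.
# All sample data below is constructed for this example.

# listen_ports_from_procnet: read /proc/net/tcp text on stdin and print the
# local port of every LISTEN socket (state column "0A") in decimal, sorted.
listen_ports_from_procnet() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' |
    while read -r hexport; do printf '%d\n' "0x$hexport"; done |
    sort -n | uniq
}

# listen_ports_from_netstat: read "netstat -lnt" text on stdin and print the
# local port of every LISTEN line in decimal (handles 0.0.0.0:22 and :::22).
listen_ports_from_netstat() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
    sort -n | uniq
}

# hidden_listeners PROCNET_FILE NETSTAT_FILE: print ports present in the
# kernel table but missing from the netstat output. No output means they agree.
hidden_listeners() {
    kern=$(mktemp) || return 1
    user=$(mktemp) || return 1
    listen_ports_from_procnet < "$1" | sort > "$kern"   # comm wants lexical order
    listen_ports_from_netstat < "$2" | sort > "$user"
    comm -23 "$kern" "$user"
    rm -f "$kern" "$user"
}

# Constructed /proc/net/tcp: sshd (0016=22), smbd (008B=139), cupsd on
# loopback (0277=631), an extra listener on B803=47107, and one ESTABLISHED
# connection (state 01) that must be ignored.
sample_procnet() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 00000000 300 0 0 2 -1
   1: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002 1 00000000 300 0 0 2 -1
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9003 1 00000000 300 0 0 2 -1
   3: 00000000:B803 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9004 1 00000000 300 0 0 2 -1
   4: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9005 1 00000000 20 4 30 10 -1
EOF
}

# Constructed "netstat -lnt" output from a binary that omits port 47107.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
EOF
}

# demo: run the comparison over the constructed samples; prints 47107.
demo() {
    p=$(mktemp) || return 1
    n=$(mktemp) || return 1
    sample_procnet > "$p"
    sample_netstat > "$n"
    hidden_listeners "$p" "$n"
    rm -f "$p" "$n"
}

# On a live box (IPv6 listeners need the same pass over /proc/net/tcp6):
#   netstat -lnt > /tmp/netstat.txt && hidden_listeners /proc/net/tcp /tmp/netstat.txt
```

Run the live comparison with a netstat copied from known-good media, not the one on the suspect disk, and follow any port that shows up only on the kernel side with "netstat -lntp" or "lsof -i" as root to get the owning process.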
 
Old 10-21-2006, 05:54 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

Rep: Reputation: 2791
Quote:
So for now I DoD-wiped the entire PC, but it takes so long to wipe.
I was going to write about the necessity for second opinions, but that's mooted by you wiping the drive.
Shame. Did you make a backup? Anyway, zeroing out should be enough most of the time IMHO.
 
Old 10-22-2006, 12:23 PM   #7
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Original Poster
Rep: Reputation: 62
Hi unspawn.

I made a backup of my various config files and put them into a tar.gz: mostly my samba, cups, hosts.allow/deny, inetd.conf and fstab. I made a backup of the home folder. But I did not make an "image" forensic copy of the entire "/" partition.

My partition was XFS and I do not know of a way to make a "Norton Ghost" or "PowerQuest Drive Image"-like image of an XFS partition that I can read at a later time. Norton and Drive Image let me back up the XFS partition, but I cannot read files in them.

I own Norton and Drive Image, so I think this time around when I reload the PC I'm going to make "/" ext3, so that I can use Norton or PowerQuest at a later date to open up the image and view/read files from the logs for forensic reasons like this, so I can learn how something got in, etc. Though I'm still new to Linux, so not very much stuff in log files makes sense to me.

I used a "script" file to wipe the boot sector of the drives, then I used Norton's boot disk to DoD-wipe the drive.
 
Old 10-23-2006, 06:03 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

Rep: Reputation: 2791
Quote:
I'm going to make "/" ext3, so that I can use Norton or PowerQuest at a later date to open up the image
Norton and PI are dependent on Windows. I'd use them for, say, FS formats FOSS tools can't understand due to proprietary hassles. I'd say make it any FS you want that *FOSS* tools can read. If you don't want to or can't use "dd" then there's a true cornucopia of tools on Freshmeat and SourceForge for bit-by-bit copying of disks, making backups, etc.


Quote:
not very much stuff in log files makes sense to me.
So there is a clear necessity for a second opinion. Beats me why you didn't ask for it. I mean, it's what we're here for.
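The "dd" route suggested above, as an added example that is not from the thread: a raw dd image is filesystem-agnostic, so the XFS-readability problem with Windows imaging tools does not arise; any Linux with XFS support can loop-mount the image read-only later. The script hashes source and image so the copy can be shown faithful, and mounts with options that stop anything on the image from being executed. Assumptions: GNU dd and coreutils sha256sum; the source device is read from rescue media rather than from the possibly compromised running system, and is never opened for writing. The file sizes and names in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: bit-for-bit image of a disk or partition
# with dd, hashes of source and image recorded alongside, and a read-only
# loop mount for later inspection. Assumes GNU dd and coreutils sha256sum.

# hash_of FILE: SHA-256 of a file or block device, hex digest only.
hash_of() {
    h=$(sha256sum -- "$1" | cut -d' ' -f1)
    [ -n "$h" ] || return 1
    echo "$h"
}

# image_device SRC DEST: copy SRC to DEST sector by sector. conv=noerror,sync
# keeps reading past bad sectors and zero-fills them, and pads a final partial
# sector, so a damaged or oddly sized source yields an image whose hash differs
# from the source. Both hashes are written to DEST.sha256 so that difference
# is recorded instead of silently lost. Returns 0 only when the hashes match.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync || return 1
    src=$(hash_of "$1") || return 1
    dst=$(hash_of "$2") || return 1
    printf '%s  %s\n%s  %s\n' "$src" "$1" "$dst" "$2" > "$2.sha256"
    [ "$src" = "$dst" ]
}

# verify_image SRC IMAGE: re-check a stored image against its source later.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# mount_image_ro IMAGE MOUNTPOINT [OFFSET]: loop-mount read-only, with
# executables, setuid bits and device nodes on the image not honoured, so
# looking through it cannot run anything from it. OFFSET (bytes) selects a
# partition inside a whole-disk image (partition start sector * 512).
mount_image_ro() {
    opts="ro,loop,noexec,nosuid,nodev"
    [ -n "$3" ] && opts="$opts,offset=$3"
    mount -o "$opts" -- "$1" "$2"
}

# Typical use from rescue media, then inspection on another machine:
#   image_device /dev/sda /mnt/usb/sda.img && echo "image matches source"
#   mount_image_ro /mnt/usb/sda.img /mnt/evidence 32256   # first partition
```

Keep the .sha256 file with the image; a later verify_image against the original disk, or hash_of against the stored digest, shows whether the evidence has been altered since it was taken. bs=512 keeps zero-fill aligned to sectors; on a healthy disk a larger block size with the same conv options is faster.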
 