LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-25-2010, 03:14 PM   #1
brownflamigo1
Member
 
Registered: Jun 2007
Distribution: Ubuntu
Posts: 90

Rep: Reputation: 15
Possible connection between traffic control rules & chkrootkit threat notifications


Hello,

Two days ago we started to receive the following message:

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/lib/init/rw/.mdadm /lib/init/rw/.ramfs
/lib/init/rw/.mdadm
INFECTED (PORTS: 4369)
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

And about at the same time (a day before that) we have set up new rules for the queueing disciplines using 'tc' on our Debian lenny box (these rules are for some of the experiments we are carrying out).

I have ran the chkrootkit manually and this message (as above) keeps appearing, while the rkhunter tool does not complain about these items.

Could there be a connection between setting up the new qdisc's and the chkrootkit "INFECTED" messages?

Thank you
 
Old 09-25-2010, 04:59 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
Wrt "chkproc: Warning: Possible LKM Trojan installed" see the chkrootkit.org FAQ entry. Wrt port 4369 this points to the Remote Shell Trojan RST.b but only if it's UDP traffic. (An active backdoor may use /dev/hdx.* files which Chkrootkit doesn't check for but Rootkit Hunter does.) Looking at process information and dumping traffic should show it's a remote shell or not. If you want to add port white-listing to Chkrootkit, so you don't have to edit the chkrootkit script itself each time you need to add a port exclusion, you could use a patch.

Last edited by unSpawn; 09-25-2010 at 05:00 PM.
 
Old 09-26-2010, 10:55 AM   #3
brownflamigo1
Member
 
Registered: Jun 2007
Distribution: Ubuntu
Posts: 90

Original Poster
Rep: Reputation: 15
I checked the FAQ section of chkrootkit.

This is what I get when running fuser on 4369:

Quote:
abc:~# fuser -vn udp 4369
USER PID ACCESS COMMAND
4369/udp: root 16198 F.... epmd
abc:~# fuser -vn tcp 4369
USER PID ACCESS COMMAND
4369/tcp: root 16198 F.... epmd
The process with this PID is:
Quote:
root 16198 0.0 0.0 1964 352 ? S May06 1:01 /usr/lib/erlang/erts-5.6.3/bin/epmd -daemon
The rkhunter outcome is a bit worrisome, especially now that you mentioned a possible backdoor through /dev/hdx.*, since I am getting warnings on /dev and some other checks. Here is a snippet of the rkhunter output:


Code:
Checking the local host...
  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for local startup files                         [ Found ]
    Checking local startup files for malware                 [ None found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ Warning ]
    Checking for passwd file changes                         [ None found ]
    Checking for group file changes                          [ None found ]
    Checking root account shell history files                [ OK ]

  Performing system configuration file checks
    Checking for SSH configuration file                      [ Found ]
    Checking if SSH root access is allowed                   [ Not allowed ]
    Checking if SSH protocol v1 is allowed                   [ Not allowed ]
    Checking for running syslog daemon                       [ Found ]
    Checking for syslog configuration file                   [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ None found ]

[Press <ENTER> to continue]


Checking application versions...

    Checking version of GnuPG                                [ Warning ]
    Checking version of OpenSSL                              [ Warning ]
    Checking version of PHP                                  [ OK ]
    Checking version of OpenSSH                              [ Warning ]
I haven't noticed RST.b type trojan being mentioned by neither the chkrootkit nor the rkhunter.

The /var/logrkhunter.log shows that the warning associated with /dev is the following:

Quote:
[16:45:02] Checking /dev for suspicious file types [ Warning ]
[16:45:02] Warning: Suspicious file types found in /dev:
[16:45:02] /dev/shm/network/ifstate: ASCII text
[16:45:02] Checking for hidden files and directories [ None found ]
The same log file also tells me that my and another colegaue's account is passwordless on this machine, even though we use passwords to log in, and have the following two rules in our sshd_config file:
Quote:
PermitEmptyPasswords no
PasswordAuthentication yes
Please suggest what should I do next.

Thank you
 
Old 09-26-2010, 04:44 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
Quote:
Originally Posted by brownflamigo1 View Post
The process with this PID is
If you've verified the binary to be "known good" then it's all good.


Quote:
Originally Posted by brownflamigo1 View Post
The /var/log/rkhunter.log shows that the warning associated with /dev is the following:
Code:
[16:45:02] /dev/shm/network/ifstate: ASCII text
If "/dev/shm/network/ifstate" is a "known good" file (Debian, Ubuntu?) then you could white-list it. For white-listing options please see the RKH config, docs or rkhunter-user mailing list archives.


Quote:
Originally Posted by brownflamigo1 View Post
The same log file also tells me that my and another colleague's account is password-less on this machine, even though we use passwords to log in
If you do not run RKH 1.3.6 then please upgrade and test again, elif you run RKH 1.3.6 then please open a ticket at Sourceforge and attach your debug log.
 
Old 09-27-2010, 12:38 PM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
On a couple of past occasions, I have seen an update to an Ubuntu system leave "stubs" in /dev that causes chrootkit to declare Trojan warnings. Rebooting the system clears out those files and the warnings disappear.
 
Old 09-28-2010, 06:57 AM   #6
brownflamigo1
Member
 
Registered: Jun 2007
Distribution: Ubuntu
Posts: 90

Original Poster
Rep: Reputation: 15
Quote:
If you do not run RKH 1.3.6 then please upgrade and test again, elif you run RKH 1.3.6 then please open a ticket at Sourceforge and attach your debug log.
Have done so, and still get the message regarding "passwordless users".
In addition, I started to get the following message:

Quote:
Rootkit checks...
Rootkits checked : 248
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit
I have also ran debsums, and no changed or missing sums were detected.

Just posted the log file from a debug mode (--debug) rkhunter check.
 
Old 09-28-2010, 03:21 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
Quote:
Originally Posted by brownflamigo1 View Post
I have also ran debsums, and no changed or missing sums were detected.
Good. Now you can safely white-list file locations.


Quote:
Originally Posted by brownflamigo1 View Post
Code:
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit
The rkhunter.log holds the details. Same procedure: verify integrity, white-list target if "known good".


Quote:
Originally Posted by brownflamigo1 View Post
(..) still get the message regarding "passwordless users".(..) Just posted the log file from a debug mode (--debug) rkhunter check.
You didn't add the *debug* log but the regular rkhunter.log. Try a white-list of "PWDLESS_ACCOUNTS=+". If that works then there is no apparent need to attach the debug log.

Last edited by unSpawn; 09-28-2010 at 06:06 PM.
 
Old 09-30-2010, 05:40 AM   #8
brownflamigo1
Member
 
Registered: Jun 2007
Distribution: Ubuntu
Posts: 90

Original Poster
Rep: Reputation: 15
Quote:
Try a white-list of "PWDLESS_ACCOUNTS=+". If that works then there is no apparent need to attach the debug log.
Have done so, and there are no more warnings

Quote:
The rkhunter.log holds the details. Same procedure: verify integrity, white-list target if "known good".
The originator packages passed the integrity test.

Thank you for the help.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Microsoft rules netbooks now, but ARM/Linux threat grows LXer Syndicated Linux News 0 03-28-2009 08:30 AM
tc traffic control tc traffic control Linux QoS control tool(noob help) inv|s|ble Linux - General 1 07-26-2007 12:12 PM
Is this message from chkrootkit a threat (SUSE 10.1)? DeekBeek Linux - Security 2 07-25-2006 09:28 AM
Postfix: rate & connection control£¿ Chowroc Linux - Software 1 11-16-2005 03:41 AM
traffic- flow control (speed)&(access) N_A_J_M Linux - General 2 08-22-2003 09:29 AM


All times are GMT -5. The time now is 08:42 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration