09-25-2010, 02:14 PM | #1
Member | Registered: Jun 2007 | Distribution: Ubuntu | Posts: 90
Possible connection between traffic control rules & chkrootkit threat notifications
Hello,
Two days ago we started to receive the following message:
/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/lib/init/rw/.mdadm /lib/init/rw/.ramfs
/lib/init/rw/.mdadm
INFECTED (PORTS: 4369)
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
At about the same time (a day before that) we had set up new rules for the queueing disciplines using 'tc' on our Debian lenny box (these rules are for some of the experiments we are carrying out).
I have run chkrootkit manually and this message (as above) keeps appearing, while the rkhunter tool does not complain about these items.
Could there be a connection between setting up the new qdiscs and the chkrootkit "INFECTED" messages?
Thank you
09-25-2010, 03:59 PM | #2
Moderator | Registered: May 2001 | Posts: 24,805
Wrt "chkproc: Warning: Possible LKM Trojan installed" see the chkrootkit.org FAQ entry. Wrt port 4369 this points to the Remote Shell Trojan RST.b but only if it's UDP traffic. (An active backdoor may use /dev/hdx.* files which Chkrootkit doesn't check for but Rootkit Hunter does.) Looking at process information and dumping traffic should show whether it's a remote shell or not. If you want to add port white-listing to Chkrootkit, so you don't have to edit the chkrootkit script itself each time you need to add a port exclusion, you could use a patch.
Last edited by unSpawn; 09-25-2010 at 04:00 PM.
09-26-2010, 09:55 AM | #3
Member | Registered: Jun 2007 | Distribution: Ubuntu | Posts: 90 | Original Poster
I checked the FAQ section of chkrootkit.
This is what I get when running fuser on 4369:
Quote:
abc:~# fuser -vn udp 4369
USER PID ACCESS COMMAND
4369/udp: root 16198 F.... epmd
abc:~# fuser -vn tcp 4369
USER PID ACCESS COMMAND
4369/tcp: root 16198 F.... epmd
|
The process with this PID is:
Quote:
|
root 16198 0.0 0.0 1964 352 ? S May06 1:01 /usr/lib/erlang/erts-5.6.3/bin/epmd -daemon
|
The rkhunter outcome is a bit worrisome, especially now that you mentioned a possible backdoor through /dev/hdx.*, since I am getting warnings on /dev and some other checks. Here is a snippet of the rkhunter output:
Code:
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for local startup files [ Found ]
Checking local startup files for malware [ None found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ Warning ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Not allowed ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ None found ]
[Press <ENTER> to continue]
Checking application versions...
Checking version of GnuPG [ Warning ]
Checking version of OpenSSL [ Warning ]
Checking version of PHP [ OK ]
Checking version of OpenSSH [ Warning ]
I haven't noticed an RST.b type trojan being mentioned by either chkrootkit or rkhunter.
The /var/log/rkhunter.log shows that the warning associated with /dev is the following:
Quote:
[16:45:02] Checking /dev for suspicious file types [ Warning ]
[16:45:02] Warning: Suspicious file types found in /dev:
[16:45:02] /dev/shm/network/ifstate: ASCII text
[16:45:02] Checking for hidden files and directories [ None found ]
|
The same log file also tells me that my and another colleague's accounts are passwordless on this machine, even though we use passwords to log in, and have the following two rules in our sshd_config file:
Quote:
PermitEmptyPasswords no
PasswordAuthentication yes
|
Please suggest what I should do next.
Thank you
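The "look at process information" step from post #2, done the way the fuser command above does it but by reading /proc directly, so the result does not depend on fuser or ps (which the chkproc warning says may be hiding processes). This is an added example, not code from the thread, chkrootkit or rkhunter; port 4369 and the epmd path come from the posts, and everything else is constructed.

```python
# Added example, not code from the thread, chkrootkit or rkhunter: map a
# listening port to its process by reading /proc directly, the same lookup
# `fuser -vn udp 4369` did above but without trusting fuser/ps output.
import os

def socket_inodes_for_port(table_text, port):
    """Socket inodes bound locally to `port` in /proc/net/{tcp,udp,tcp6,udp6} text."""
    inodes = []
    for line in table_text.splitlines()[1:]:              # line 0 is the column header
        fields = line.split()
        if len(fields) >= 10 and int(fields[1].rsplit(":", 1)[1], 16) == port:
            inodes.append(fields[9])                      # port is hex; column 10 is the inode
    return inodes

def pids_for_inode(inode, proc="/proc"):
    """PIDs whose /proc/<pid>/fd holds 'socket:[<inode>]' (root sees every process)."""
    target, owners = "socket:[%s]" % inode, []
    for entry in os.listdir(proc):
        fd_dir = os.path.join(proc, entry, "fd")
        if not entry.isdigit() or not os.path.isdir(fd_dir):
            continue
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                                   # permission denied or process gone
            continue
        if target in links:
            owners.append(int(entry))
    return owners

def exe_path(pid, proc="/proc"):
    """Binary behind a PID; a '(deleted)' suffix means the file on disk was replaced."""
    try:
        return os.readlink(os.path.join(proc, str(pid), "exe"))
    except OSError:
        return None

if __name__ == "__main__":
    PORT = 4369                                           # the port chkrootkit flagged above
    for table in ("tcp", "udp", "tcp6", "udp6"):
        path = os.path.join("/proc/net", table)
        if os.path.exists(path):
            with open(path) as f:
                for inode in socket_inodes_for_port(f.read(), PORT):
                    for pid in pids_for_inode(inode):
                        # next step, as in the thread: dpkg -S on that path, then debsums
                        print(table, inode, pid, exe_path(pid))
```

Run it as root so every process's fd directory is readable; the printed path is what to hand to dpkg -S and debsums before white-listing anything.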
09-26-2010, 03:44 PM | #4
Moderator | Registered: May 2001 | Posts: 24,805
Quote:
Originally Posted by brownflamigo1
The process with this PID is
|
If you've verified the binary to be "known good" then it's all good.
Quote:
Originally Posted by brownflamigo1
The /var/log/rkhunter.log shows that the warning associated with /dev is the following:
Code:
[16:45:02] /dev/shm/network/ifstate: ASCII text
|
If "/dev/shm/network/ifstate" is a "known good" file (Debian, Ubuntu?) then you could white-list it. For white-listing options please see the RKH config, docs or rkhunter-user mailing list archives.
Quote:
Originally Posted by brownflamigo1
The same log file also tells me that my and another colleague's account is password-less on this machine, even though we use passwords to log in
|
If you do not run RKH 1.3.6 then please upgrade and test again, elif you run RKH 1.3.6 then please open a ticket at Sourceforge and attach your debug log.
09-27-2010, 11:38 AM | #5
Senior Member | Registered: Jul 2007 | Distribution: Ubuntu 10.10, Slackware 64-current | Posts: 2,046
On a couple of past occasions, I have seen an update to an Ubuntu system leave "stubs" in /dev that cause chkrootkit to declare Trojan warnings. Rebooting the system clears out those files and the warnings disappear.
09-28-2010, 05:57 AM | #6
Member | Registered: Jun 2007 | Distribution: Ubuntu | Posts: 90 | Original Poster
Quote:
|
If you do not run RKH 1.3.6 then please upgrade and test again, elif you run RKH 1.3.6 then please open a ticket at Sourceforge and attach your debug log.
|
Have done so, and still get the message regarding "passwordless users".
In addition, I started to get the following message:
Quote:
Rootkit checks...
Rootkits checked : 248
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit
|
I have also run debsums, and no changed or missing sums were detected.
Just posted the log file from a debug mode (--debug) rkhunter check.
09-28-2010, 02:21 PM | #7
Moderator | Registered: May 2001 | Posts: 24,805
Quote:
Originally Posted by brownflamigo1
I have also run debsums, and no changed or missing sums were detected.
|
Good. Now you can safely white-list file locations.
Quote:
Originally Posted by brownflamigo1
Code:
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit
|
The rkhunter.log holds the details. Same procedure: verify integrity, white-list target if "known good".
Quote:
Originally Posted by brownflamigo1
(..) still get the message regarding "passwordless users".(..) Just posted the log file from a debug mode (--debug) rkhunter check.
|
You didn't add the *debug* log but the regular rkhunter.log. Try a white-list of "PWDLESS_ACCOUNTS=+". If that works then there is no apparent need to attach the debug log.
Last edited by unSpawn; 09-28-2010 at 05:06 PM.
09-30-2010, 04:40 AM | #8
Member | Registered: Jun 2007 | Distribution: Ubuntu | Posts: 90 | Original Poster
Quote:
|
Try a white-list of "PWDLESS_ACCOUNTS=+". If that works then there is no apparent need to attach the debug log.
|
Have done so, and there are no more warnings.
Quote:
|
The rkhunter.log holds the details. Same procedure: verify integrity, white-list target if "known good".
|
The originator packages passed the integrity test.
Thank you for the help.