LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-20-2005, 10:47 PM   #1
Aeiri
Member
 
Registered: Feb 2004
Posts: 307

Rep: Reputation: 30
Possibly Cracked....


Earlier today (~5 PM), I noticed my computer running very slowly. I opened top, saw "basename" running using 99% CPU. I looked at the tree view in ksysguard and saw that crond was running it. I took a look at my crontab, nothing out of the ordinary. Took a look at the contents of /etc/cron.*/* (this is on Slackware, daily, hourly, and weekly auto scripts are put in there and run with run-parts, which is how this was being run), and saw this:

Code:
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf
#!/bin/sh
/usr/bin/updatedb -c
#!/bin/sh
/sbin/rmmod -as
Nothing out of the ordinary at ALL, but basename was running (not in there) at a weird time (5 PM shouldn't have anything running via cron)... at this point I didn't think much of it, and killed the process and went on with what I was doing.

Later (~8:30 PM), while I was working on my log analyser (in pygtk, tails logs, highlights IPs, click IPs to get info on them such as reverse DNS), I noticed a lot of packets being dropped by my egress firewall rules going OUT of my computer to IPs that were standard DSL, cable, etc. by looking at the reverse DNSs. I started getting suspicious then. I ran rkhunter, and got this:

Code:
Determining OS... Warning: this operating system is not fully supported!
Ready
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

Checking binaries
* Selftests
     Strings (command)

...etc...etc...etc...
I immediately locked down my computer at that point (unplugged my ethernet cord, turned on "unplugged" firewall mode so that even if the cord magically plugged itself back in nothing was going to go in or out). I then looked at the processes running, (I know, I have a proper rootkit installed and this doesn't matter), took a look at netstat, etc. I found out that "wget" had a socket open. Looked at "ps aux | grep wget" and saw that wget was running with identical switches to my Slackware updating bash script I wrote, and downloading a file that wget downloads on my updating script. I took a look at the rules again, and noticed that they were on ports tor uses (9030), but I have blocked (I have 9001-9009 or so allowed), and so those logs I've ruled out as false positives, too.

chkrootkit and my own hash databasing script brought up nothing as well.

Right now, I'm only on medium-low alert, and just want explanations for three things, and then I'll be certain that this was a false positive.

1) Why was basename running at a weird time under the crond, run-parts processes? Does updatedb call it? I'm almost certain rmmod and logrotate don't.

2) Why was basename using 99% CPU?

3) Why is rkhunter crippled, and how do I fix it? I haven't run rkhunter in a while (1-2 weeks, my status cron script is broken right now so it doesn't automatically email me all the status stuff like it used to), so this might be a problem with some updates on Slackware recently.

I tried re-downloading rkhunter, and it's still not working. md5sum is working fine, and rkhunter normally runs fine...

Any ideas for these?

EDIT: I was also thinking of letting my egress filtering go to normal filtering (allow all outgoing) for ~1 week or so and see if my IP shows up on dshield or not.

Last edited by Aeiri; 02-20-2005 at 10:50 PM.
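As an added example (not code posted by Aeiri or anyone else in this thread), here is the offline version of the triage the first post describes: read iptables LOG-target lines, keep only the egress drops (an OUT interface is set and IN is empty), count them per destination IP, port and protocol, and then flag every destination port that is not in the set the firewall is supposed to allow out. Everything in it is constructed for the example: the log lines, the EGRESS-DROP/INGRESS-DROP prefixes, the allowed-port set (9001-9009 after the tor range the post mentions, plus 80 and 443) and the port labels are assumptions, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG-target lines (made up for this example,
# not taken from the thread). The word after "kernel:" is the rule's --log-prefix.
SAMPLE_LOG = """\
Feb 20 20:31:02 slack kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=9030 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 20:31:05 slack kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=9030 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 20:32:11 slack kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=51236 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 20:33:40 slack kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12348 DF PROTO=UDP SPT=51237 DPT=6881 LEN=40
Feb 20 20:34:02 slack kernel: INGRESS-DROP IN=eth0 OUT= SRC=203.0.113.99 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=999 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 20 20:35:17 slack kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12349 DF PROTO=TCP SPT=51238 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed egress policy for the example: the tor relay range the post says is
# allowed (9001-9009) plus plain web ports. Anything else going out is suspect.
ALLOWED_OUT = set(range(9001, 9010)) | {80, 443}

# Assumed labels to make the report readable; purely illustrative.
PORT_LABELS = {
    9030: "tor directory port (blocked in the post's ruleset)",
    6881: "BitTorrent default port",
}

KV_RE = re.compile(r"([A-Z]+)=(\S*)")          # KEY=VALUE pairs, value may be empty
PREFIX_RE = re.compile(r"kernel:\s+(\S+)\s+IN=")  # the --log-prefix, if any


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict, or None
    if the line does not look like a netfilter log record."""
    if "IN=" not in line or "OUT=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    m = PREFIX_RE.search(line)
    fields["PREFIX"] = m.group(1) if m else ""
    return fields


def is_egress(rec):
    """Outbound traffic leaves on an OUT interface and has no IN interface."""
    return bool(rec.get("OUT")) and not rec.get("IN")


def summarize_egress_drops(log_text):
    """Count dropped outbound flows per (DST, DPT, PROTO), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_egress(rec):
            continue
        dpt = rec.get("DPT", "")
        dport = int(dpt) if dpt.isdigit() else None  # ICMP etc. have no DPT
        counts[(rec.get("DST", "?"), dport, rec.get("PROTO", "?"))] += 1
    return [(dst, dport, proto, n) for (dst, dport, proto), n in counts.most_common()]


def flag_unexpected(summary, allowed_ports, labels=None):
    """Keep only the rows whose destination port is outside the allowed set,
    annotated with a label when one is known."""
    labels = labels or {}
    return [
        (dst, dport, proto, n, labels.get(dport, "unknown"))
        for dst, dport, proto, n in summary
        if dport not in allowed_ports
    ]


if __name__ == "__main__":
    summary = summarize_egress_drops(SAMPLE_LOG)
    print("dropped outbound flows (dst, port, proto, count):")
    for row in summary:
        print("  ", row)
    print("destinations on ports outside the egress policy:")
    for row in flag_unexpected(summary, ALLOWED_OUT, PORT_LABELS):
        print("  ", row)
```

Run it against the kernel log or the firewall's own log file instead of SAMPLE_LOG and the report answers the question the post is asking: which hosts the box keeps trying to reach, on which ports, and how many of those are outside the egress policy. Grouping by destination before looking at individual lines is what separates a single application talking on its expected ports from a process beaconing to many consumer broadband addresses.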
 
Old 02-21-2005, 09:19 PM   #2
Aeiri
Member
 
Registered: Feb 2004
Posts: 307

Original Poster
Rep: Reputation: 30
Guess what, I was...

http://dshield.org/warning_explanati...&Submit=Submit

These are all going in/out on ports that I have allowed. All of that looks like Azureus, so.... fuck me in the ass...

I'm not bullshitting, while I was typing this message Azureus just shut down. This computer is getting yanked as soon as I hit submit.
 
Old 02-21-2005, 09:30 PM   #3
Aeiri
Member
 
Registered: Feb 2004
Posts: 307

Original Poster
Rep: Reputation: 30
Alright, I'm on another box right now.

This is scary stuff.... I need to change EVERYTHING, every password, every secret key, EVERYTHING....

I'm also informing the Azureus team of a possible security hole.

I'm going to try to figure this out through logs.... I'm not immediately wiping that computer. I want to know how it was compromised.

I'll report back here with more information if I get it.
 
Old 02-21-2005, 10:26 PM   #4
gbhil
Member
 
Registered: Jan 2005
Location: /dev/input/chair0
Distribution: Slackware, Gentoo, Vector, Roll-your-own-with-GNU binutils
Posts: 174

Rep: Reputation: 30
Quote:
Originally posted by Aeiri
Guess what, I was...

DELETED URL

These are all going in/out on ports that I have allowed. All of that looks like Azureus, so.... fsck me in the ass...

I'm not bullshitting, while I was typing this message Azureus just shut down. This computer is getting yanked as soon as I hit submit.
You did know that URL you posted shows YOUR IP address? Not a wise choice if you think you're being yanked with. I suggest you remove it.
 
Old 02-22-2005, 08:15 AM   #5
Aeiri
Member
 
Registered: Feb 2004
Posts: 307

Original Poster
Rep: Reputation: 30
Yes, it's my IP address. That computer isn't plugged in.

When it finally does get plugged in, the DHCP server would have flushed my MAC address and my IP will have changed.

Also, I have a script that changes my IP every time I boot the computer (randomly generated MAC address in memory, instead of the real one).
 
  

