Possible Server Breach with empty logs, nonstop rkhunter warnings, chkrootkit shows possible LKM Trojan
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hello Everyone,
Configuration 1: CSF/LFD (ConfigServer Security and Firewall with Integrated Logon Failure Daemon)
Configuration 2 (Alt Config): (IPTables and Fail2Ban)
I have a Linux server that I use primarily for a variety of uses such as X11 forwarding, gaming, and others. Recently, my family got a new modem router that didn't work well with my firewall on the LAN side while I am hosting gaming servers, and I had to implement a simpler solution as a result (note Config 2 above). In the process, I have discovered that my logs were empty (primarily /var/log/auth.log), that there was a strange previous login from an unidentified IP address, and that rkhunter was spitting out nonstop warnings about just about everything on the system (I am not sure if these are false positives or not). chkrootkit has picked up a possible unidentified Trojan (LKM Trojan). I have changed the authentication method to require two public keys to authenticate with my other server and range-banned the subnet while I get the first one sorted out (with CSF and LFD enabled).
Server 1 (Possibly Compromised Machine):
Pentium 4 Processor: 3.00E GHz Dual Core
Matrox GPU
Ubuntu (Mainly Kubuntu) w/ Ubuntu Server and many Desktop Environments
I could use some help in securing my system and removing the possible trojan.
All help will be greatly appreciated.
P.S.: If all else fails, I guess I might back up my home directory and rebuild my server from scratch.
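Two of the indicators named in the post (an auth log that is empty, and a previous login from an unfamiliar address) can be checked quickly from `last`-style output. This is an added example, not code from the thread; all input is constructed sample data, and the allowlist file format (one address per line) is an assumption of the example, not a real tool's format.

```shell
#!/bin/sh
# Added example (not from the thread). Two triage checks for indicators named
# in the post: an auth log that is empty, and logins from addresses that are
# not on a known-good list. All input here is constructed sample data.

# Return 1 if the given log file is missing or zero bytes, as reported above.
check_auth_log() {
    if [ ! -s "$1" ]; then
        echo "WARNING: $1 is missing or empty; a log gap is itself an indicator"
        return 1
    fi
    return 0
}

# Print "user address" for each `last`-style line whose source (field 3) is an
# IPv4 literal not listed in the allowlist file ($2, one address per line; this
# allowlist format is an assumption of the example).
unknown_logins() {
    awk -v allow="$2" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) { print $1, $3 }
    ' "$1" | sort -u
}

# Stand-alone demo on constructed data (RFC 5737 documentation addresses).
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/auth.log"
    cat > "$tmp/last.txt" <<'EOF'
donald   pts/0        192.0.2.10       Fri Sep 23 17:08 - 17:30  (00:22)
donald   pts/1        203.0.113.77     Thu Sep 22 03:14 - 03:20  (00:06)
donald   tty1                          Wed Sep 21 09:00 - 10:00  (01:00)
EOF
    printf '192.0.2.10\n' > "$tmp/allow.txt"
    check_auth_log "$tmp/auth.log" || :
    echo "Logins from addresses not on the allowlist:"
    unknown_logins "$tmp/last.txt" "$tmp/allow.txt"
    rm -rf "$tmp"
}

demo
```

On a live host, feed `unknown_logins` the output of `last -i` and note that an attacker who cleared auth.log may also have edited wtmp, so treat an empty result as weak evidence.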
Quote:
Originally Posted by donald3.heckel
I could use some help in securing my system and removing the possible trojan.
Sorry to hear things went belly up. But if 0) your logs were cleaned out, 1) logins from unknown IP addresses occurred, 2) rkhunter questions the integrity of about everything on the system and 3) you have a possible LKM, then there is nothing to "clean up". Also, I do hope there was no personally identifiable information or clear text credentials on the server? Do mark past backups as "tainted, don't use", have every user change pass phrases, consider isolating disposable games servers in a DMZ and keeping your family data in the LAN, do consider separately encrypting truly valuable data and do read up on securing servers. If you need pointers to documentation outside of what Ubuntu and the "Securing Debian" bible offer, let us know, OK?
Thank you all for the replies. I am not exactly sure what is going on, but I checked a few times over and chkrootkit is actually showing nothing at this point except for a false positive. As for rkhunter, the results are questionable. It took a while for everything to show up in my logs, but they finally did. On the other hand, I think I would be better off hosting game servers from a Virtual Machine. ;-)
Any recommendations to make security certain? (Intrusion Detection anyone?)
...but still there is nothing to "clean up".
Plus you haven't posted any details that would help us help you.
Quote:
Originally Posted by donald3.heckel
Any recommendations to make security certain?
Start afresh. Do mark past backups as "tainted, don't use", have every user change pass phrases, consider isolating disposable games servers in a DMZ and keeping your family data in the LAN, do consider separately encrypting truly valuable data and do read up on securing servers, and if you need pointers after reading the Ubuntu (security) documentation and the "Securing Debian" bible, let us know, OK? (IDS is nice but it's no replacement for a properly maintained and hardened setup.)
I was wondering if any of you would recommend any intrusion detection systems. At this point, I am curious about how to address the rkhunter warnings. I will also consider hosting game servers from VMs as an extra safety/security precaution. ;-)
I might've been thrown off by the delay in the machine logging the activity, but I am not entirely sure.
ADDITION: Agreed. Do you know of any resources on how to better harden my system? I usually keep it well maintained. I am curious about using SELinux as an option.
Sincerely,
donald3.heckel
Last edited by donald3.heckel; 09-23-2016 at 05:08 PM.
Reason: Adding in a detailed reply
If you're hosting some sort of servers on-premise, you had better dedicate a DMZ to those external services. And separate your LAN to begin with. Also, if the external-facing services are known for security issues (or run as root), then they have a wider attack surface.
If you enable SSH, accept only certificate-based auth.
SELinux can mitigate exploits and is another layer of security (though it comes with additional complexity, unfortunately). I'd say, forget this for now. Start with the basics. Proper permissions, updates, network isolation, cert auth etc.
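The "accept only certificate-based auth" advice above is easy to verify mechanically. This is an added example, not from the thread: it reads an sshd configuration from a file so it can run on a constructed sample, and shows the weak settings beside their corrected form. On a live host, point it at the output of `sshd -T`, which prints the effective settings one per line.

```shell
#!/bin/sh
# Added example (not from the thread): flag sshd settings that contradict the
# key-only authentication advice. $1 is a config file (or saved `sshd -T` output).
ssh_auth_findings() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }            # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" && val == "yes" { print "password logins enabled" }
        key == "permitrootlogin" && val == "yes" { print "root login with password permitted" }
        key == "pubkeyauthentication" && val == "no" { print "public-key auth disabled" }
        key == "kbdinteractiveauthentication" && val == "yes" { print "keyboard-interactive (PAM password) logins enabled" }
        key == "challengeresponseauthentication" && val == "yes" { print "challenge-response (PAM password) logins enabled" }
    ' "$1"
}

# Constructed sample: the weak settings beside their corrected form.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/weak.conf" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication no
EOF
    cat > "$tmp/hardened.conf" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
    echo "weak.conf:";     ssh_auth_findings "$tmp/weak.conf"
    echo "hardened.conf:"; ssh_auth_findings "$tmp/hardened.conf"
    rm -rf "$tmp"
}

demo
```

Pair this with a firewall rule set (CSF/LFD or fail2ban, as in the post) so that whatever still listens is rate-limited as well as key-only.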