LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-04-2005, 04:41 AM   #1
TreeHugger
Member
 
Registered: Jul 2003
Location: London
Distribution: Debian, Redhat
Posts: 98

Rep: Reputation: 15
possibly compromised - what to do?


Hi all,

I configured my webserver to send me the results of a couple of security scans every night, and for months all was quiet and reassuringly unsurprising - until this morning, when one of the commands came back with a different output.

This is my crontab:

Code:
00 05 * * * /usr/sbin/chkrootkit -q 2>&1 | mail -s chkrootkit my-email@address.com
00 05 * * * /bin/netstat --tcp -pa 2>&1 | mail -s netstat my-email@address.com
And the last one comes back with the following output today:

You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
eth0 is not promisc eth0:1 is not promisc

The chkrootkit warning is now no longer appearing when I run it - is that a good or a bad sign???

My contract with my ISP is fixed bandwidth, so I can't get any huge bills because of a spammer abusing my server, but I wouldn't want my IP address to get into the spam police's bad books.

I'm obviously going to research this as much as I can on Google, but can anyone point me at a decent doc or resource on what I can do now?
 
Old 02-04-2005, 08:34 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
The first thing to do is to unplug the thing from the network. And to keep you busy reading until one of the real experts comes along, there is a sticky thread at the top of the forum and unSpawn has collected a lot of good forensic links in post #5.
 
Old 02-04-2005, 09:30 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The hidden process warning is a common false positive. In fact there is a note about it on the chkrootkit FAQ. Basically, the hidden process/lkm check compares the output of ps to what is in the list of processes in /proc looking for any discrepancies. Occasionally a short-lived process will terminate in between the two checks and will get flagged. Normally the best option is to immediately re-run chkrootkit and see if it still finds any hidden processes. If it doesn't then it's likely a false positive (which it would appear to be in your case). If it does find hidden processes still, then use chkrootkit -x lkm to produce a list of the hidden processes and see if they look abnormal. In this case, I think you're pretty safe in assuming it is a false positive. Though if you have tripwire or some other file alteration detector, now would be a good time to run a check just to be extra sure.
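The check Capt_Caveman describes (list /proc, list ps, flag anything in the first that is missing from the second) and the re-run he recommends can be reproduced in a few lines. The script below is an added example, not chkrootkit's own code: it takes several /proc-versus-ps snapshots a moment apart and reports only PIDs that are missing from ps in every pass, so a cron job that exits between the two listings (the race that produces the false positive) drops out, while a PID that really is hidden from ps survives. The TRANSIENT and PERSISTENT snapshot sets are constructed sample data, not output from a real host; live_check() runs the same logic against the machine it is executed on.

```python
import os
import subprocess
import time


def proc_pids():
    """PIDs that a directory listing of /proc reveals (numeric entries only)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs that ps(1) reports for all processes on the host."""
    out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    return {int(tok) for tok in out.split()}


def hidden_in_snapshot(proc_set, ps_set):
    """PIDs present in /proc but missing from the ps listing.

    A process that exits between the /proc scan and the ps run lands here even
    though nothing is hiding it; that race is what produces the false positive.
    """
    return set(proc_set) - set(ps_set)


def persistent_hidden(snapshots):
    """Keep only PIDs that are hidden in every snapshot.

    snapshots is a list of (proc_set, ps_set) pairs taken a little apart in
    time. A short-lived process is hidden in at most one of them, so it drops
    out of the intersection; a PID that is really concealed from ps stays
    hidden in all of them and is reported.
    """
    per_pass = [hidden_in_snapshot(p, s) for p, s in snapshots]
    if not per_pass:
        return set()
    return set.intersection(*per_pass)


def live_check(passes=3, delay=1.0):
    """Take several /proc-vs-ps snapshots on this host and return the survivors."""
    snapshots = []
    for _ in range(passes):
        snapshots.append((proc_pids(), ps_pids()))
        time.sleep(delay)
    return persistent_hidden(snapshots)


# Constructed snapshots (not real data): PID 999 is a cron job that exited
# between the /proc scan and the ps run in the first pass only, so a single
# pass would flag it while repeated passes do not.
TRANSIENT = [
    ({1, 2, 3, 999}, {1, 2, 3}),
    ({1, 2, 3}, {1, 2, 3}),
    ({1, 2, 3, 1000}, {1, 2, 3, 1000}),
]

# Constructed snapshots: PID 4242 is in /proc on every pass but never in ps.
PERSISTENT = [
    ({1, 2, 3, 4242}, {1, 2, 3}),
    ({1, 2, 3, 4242, 50}, {1, 2, 3, 50}),
    ({1, 2, 3, 4242}, {1, 2, 3}),
]

if __name__ == "__main__":
    print("transient case  ->", persistent_hidden(TRANSIENT))   # set()
    print("persistent case ->", persistent_hidden(PERSISTENT))  # {4242}
    print("this host       ->", live_check())
```

A single pass reproduces the cron-triggered warning in the first post; only the intersection across passes separates a process that merely exited from one that is being concealed. On a real host, a PID that survives all passes is worth inspecting with the tools already mentioned in this thread, on a box taken off the network first.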
 
Old 02-04-2005, 01:21 PM   #4
TreeHugger
Member
 
Registered: Jul 2003
Location: London
Distribution: Debian, Redhat
Posts: 98

Original Poster
Rep: Reputation: 15
Cooliio!! Thanks Hangdog and Caveman. I was late for work and flailing around uselessly. I'm going to check out that tripwire now. I couldn't get on to the server from work either because their firewall blocks my ssh and I haven't figured out whether I can use socks yet.

Have a good one this w/e.
 
Old 02-05-2005, 12:03 AM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by TreeHugger
I'm going to check out that tripwire now.
Tripwire is really most effective when installed on a new machine that hasn't been networked yet. Since it only detects changes in system-critical files, once a machine has been compromised and system files replaced with trojaned versions, it's usually too late for tripwire to be as effective. Of course it would detect any further alterations. Something like rootkit hunter might be a bit more useful though, as it compares file checksum values to a database of "known good" values for each distro.
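The ordering problem Capt_Caveman points out (a baseline taken after the compromise cannot flag files that were already replaced) is easy to see with a minimal checksum baseline. The following is an added example and not tripwire's or rkhunter's code: build_baseline() hashes every regular file under a directory, compare() reports changed, missing and added files against a stored baseline, and demo() runs two constructed scenarios in a temporary directory (the file names and contents are made up, not real binaries): one where the baseline predates the trojaning of "ps" and one where it is taken afterwards.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline, root):
    """Return (changed, missing, added) for the tree under root versus baseline."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return changed, missing, added


def demo():
    """Constructed scenario: same tampering, baseline taken before vs after it."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        # A "clean" system with two constructed stand-ins for system binaries.
        write("bin/ps", b"genuine ps binary (constructed)")
        write("bin/netstat", b"genuine netstat binary (constructed)")

        # Case A: baseline taken while the system is clean, then ps is
        # replaced and an extra file appears. Both are reported.
        clean = build_baseline(root)
        write("bin/ps", b"trojaned ps binary (constructed)")
        write("lib/extra.ko", b"constructed unexpected module file")
        after_clean_baseline = compare(clean, root)

        # Case B: baseline taken only after the replacement. The trojaned ps
        # matches its own baseline, so it is never reported; only the later
        # removal of netstat shows up.
        late = build_baseline(root)
        os.remove(os.path.join(root, "bin/netstat"))
        after_late_baseline = compare(late, root)

    return after_clean_baseline, after_late_baseline


if __name__ == "__main__":
    a, b = demo()
    print("baseline before compromise ->", a)  # (['bin/ps'], [], ['lib/extra.ko'])
    print("baseline after compromise  ->", b)  # ([], ['bin/netstat'], [])
```

Case B is exactly the situation TreeHugger would be in if he installed tripwire now: the baseline silently blesses whatever is already on disk. A baseline that comes from somewhere other than the possibly compromised host (a known-good hash database per distro, as with rootkit hunter, or package-manager verification) avoids that, which is the reason for the recommendation above.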
 
  

