RkHunter Output

jim.thornton · 01-10-2008, 10:39 PM

Hello...

Early this morning I received 2 emails from BFD. The first said that there was 300+ attacks against an ftp account and the 2nd email said there was 70+.

I ran RkHunter and got this:

Performing trojan specific checks
Checking for enabled xinetd services [ Warning ]
Checking for Apache backdoor [ Not found ]

Performing Linux specific checks
Checking kernel module commands [ Warning ]
Checking kernel module names [ Warning ]

But the final log summary was:
System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 124
Suspect files: 5

Rootkit checks...
Rootkits checked : 110
Possible rootkits: 0

Applications checks...
Applications checked: 9
Suspect applications: 0

The system checks took: 6 minutes and 4 seconds

gilead · 01-10-2008, 10:47 PM

Have you had a look through /var/log/rkhunter.log to see what the warnings were and which required commands were missing? Also, does your FTP log contain any information about whether they were able to log in successfully?

jim.thornton · 01-10-2008, 11:14 PM

Quote:

Originally Posted by gilead

Have you had a look through /var/log/rkhunter.log to see what the warnings were and which required commands were missing? Also, does your FTP log contain any information about whether they were able to log in successfully?

Well... Here is BFD Log file:

Code:

Jan 10 01:50:01 s1 BFD(19758): {proftpd} ffff210.173.249.105 exceeded login failures; executed ban command '/etc/apf/apf -d f$
Jan 10 01:50:03 s1 BFD(19758): {proftpd} uid=0 exceeded login failures; executed ban command '/etc/apf/apf -d uid=0 {bfd.prof$

/var/log/secure shows a LOT of attempts:
A bunch of lines like this -

Code:

Jan 10 21:00:01 server1 crond[32637]: pam_loginuid(crond:session): set_loginuid failed opening loginuid
Jan 10 21:00:01 server1 crond[32638]: pam_loginuid(crond:session): set_loginuid failed opening loginuid
J

Some like this:

Code:

Jan 10 02:18:24 server1 proftpd[19566]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - Maximum login attempts (3$
Jan 10 02:18:24 server1 proftpd[19566]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session closed.
Jan 10 02:18:25 server1 proftpd[19569]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - USER webadmin: no such us$
Jan 10 02:18:25 server1 proftpd[19571]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - USER webmaster: no such u$
Jan 10 02:18:25 server1 proftpd[19569]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'webadmin'
Jan 10 02:18:25 server1 proftpd[19569]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - USER webadmin: no such us$
Jan 10 02:18:25 server1 proftpd[19571]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'webmaster'
Jan 10 02:18:25 server1 proftpd[19571]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - USER webmaster: no such u$
Jan 10 02:18:26 server1 proftpd[19569]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'webadmin'
Jan 10 02:18:26 server1 proftpd[19569]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - USER webadmin: no such us$
J

And then a bunch with some other usernames (one existed) but no passwords/logins were valid (I don't think).

In /var/log/messages:

Code:

Jan 10 01:50:01 server1 BFD(19758): {proftpd} ffff210.173.249.105 exceeded login failures; executed ban command '/etc/apf/apf -d f$
Jan 10 01:50:03 server1 BFD(19758): {proftpd} uid=0 exceeded login failures; executed ban command '/etc/apf/apf -d uid=0 {bfd.prof$
J

And a bunch of (I think) failed attempts - different username attempts to:

Code:

Jan 10 02:13:02 server1 proftpd[6125]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'master'
Jan 10 02:13:02 server1 proftpd[6135]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session opened.
Jan 10 02:13:02 server1 proftpd[6136]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session opened.
Jan 10 02:13:03 server1 proftpd[6137]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session opened.
Jan 10 02:13:03 server1 proftpd[6136]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'webadmin'
Jan 10 02:13:03 server1 proftpd[6137]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'master'
Jan 10 02:13:04 server1 proftpd[6143]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session opened.
Jan 10 02:13:04 server1 proftpd[7168]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session opened.
Jan 10 02:13:04 server1 proftpd[6143]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'webadmin'
Jan 10 02:13:04 server1 proftpd[7168]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'master'
Jan 10 02:13:05 server1 proftpd[7169]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session opened.
Jan 10 02:13:06 server1 proftpd[7169]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'webadmin'
Jan 10 02:13:06 server1 proftpd[7170]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session opened.
Jan 10 02:13:06 server1 proftpd[7170]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'master'

And then a this:

Code:

Jan 10 02:20:06 server1 proftpd[24164]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session opened.
Jan 10 02:20:06 server1 proftpd[24164]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'webadmin'
Jan 10 02:38:33 server1 init: Trying to re-exec init
Jan 10 02:38:33 server1 init: no more processes left in this runlevel
Jan 10 13:39:34 server1 xinetd[7348]: START: imap pid=13725 from=207.250.126.143
Jan 10 13:39:34 server1 xinetd[7348]: START: imap pid=13726 from=207.250.126.143
Jan 10 13:39:34 server1 xinetd[7348]: START: imap pid=13727 from=207.250.126.143
Jan 10 13:39:34 server1 xinetd[7348]: START: imap pid=13728 from=207.250.126.143
Jan 10 13:39:34 server1 xinetd[7348]: EXIT: imap status=1 pid=13725 duration=0(sec)
Jan 10 13:39:34 server1 xinetd[7348]: EXIT: imap status=1 pid=13728 duration=0(sec)
Jan 10 13:39:34 server1 xinetd[7348]: EXIT: imap status=1 pid=13727 duration=0(sec)
Jan 10 13:39:34 server1 xinetd[7348]: EXIT: imap status=1 pid=13726 duration=0(sec)
Jan 10 14:24:05 server1 xinetd[7348]: START: imap pid=21505 from=88.208.201.36
Jan 10 14:24:05 server1 xinetd[7348]: START: imap pid=21506 from=88.208.201.36
Jan 10 14:24:05 server1 xinetd[7348]: START: imap pid=21507 from=88.208.201.36
Jan 10 14:24:05 server1 xinetd[7348]: START: imap pid=21508 from=88.208.201.36
Jan 10 14:24:05 server1 xinetd[7348]: EXIT: imap status=1 pid=21505 duration=0(sec)
Jan 10 14:24:05 server1 xinetd[7348]: EXIT: imap status=1 pid=21506 duration=0(sec)
Jan 10 14:24:05 server1 xinetd[7348]: EXIT: imap status=1 pid=21508 duration=0(sec)
Jan 10 14:24:05 server1 xinetd[7348]: EXIT: imap status=1 pid=21507 duration=0(sec)
Jan 10 15:38:11 server1 shutdown[13898]: shutting down for system reboot
Jan 10 15:38:12 server1 init: Switching to runlevel: 6
Jan 10 15:38:14 server1 proftpd[7881]: server1.example.com - ProFTPD killed (signal 15)
Jan 10 15:38:14 server1 proftpd[7881]: server1.example.com - ProFTPD 1.3.1 standalone mode SHUTDOWN
Jan 10 15:38:14 server1 xinetd[7348]: Exiting...

unSpawn · 01-11-2008, 09:04 AM

Please check what you replied. Gilead asked three questions (warnings in rkhunter.log, missing commands in rkhunter.log and successful logins in system logs), of which only *one* you partially replied to. If you don't know exactly what's asked for there's nothing wrong with asking for clarification because providing complete information is crucial.

Code:

Jan 10 02:20:06 server1 proftpd[24164]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - FTP session opened.
Jan 10 02:20:06 server1 proftpd[24164]: server1.example.com (::ffff:210.173.249.105[::ffff:210.173.249.105]) - no such user 'webadmin'
Jan 10 02:38:33 server1 init: Trying to re-exec init
Jan 10 02:38:33 server1 init: no more processes left in this runlevel

The init: Trying to re-exec init line looks interesting, because re-executing init will only be done in a few circumstances like installing Glibc updates and after prelinking. If it was an authorised move then 'last' should show action between 02:20 and 02:40. Or did you leave out surrounding log lines you thought wouldn't be interesting? Wrt FTP: unless you left out lines or unless there's something wrong with logging, a "session opened" line should be followed by a "proftpd pam_unix session opened for user " to show a login.

Code:

Checking kernel module commands [ Warning ]
Checking kernel module names [ Warning ]

I too would be interested to see what rkhunter.log says about this. Kernel module names + init sounds like a recipe for something Knark-ish to me, let's hope it's not. If you can't

Unassorted remarks:
- It's good to know which version of Rootkit Hunter you run (I guess 1.2.9). Versions below 1.2.9 are deprecated and must not be used while version 1.2.9 is considered outdated. Support for it will drop RSN. We're at version 1.3.0 now which is a major rewrite.
- While we know BFD executed a ban for 210.173.249.105 on Jan 10 01:50:01 we don't know the duration of the ban (check your BFD config) but since he connected again at 02:20 it sure is too low. Also look into configuring your FTP daemon with additional access restrictions (see the config and docs).
- The /var/log/secure "set_loginuid failed opening loginuid" lines have nothing to do with FTP, BFD or Rootkit Hunter. The fifth field denotes the sending process (argv[0][$PID]) which is crond. It means you run a kernel that was configured without CONFIG_AUDIT and CONFIG_AUDITSYSCALL. Commenting out the loginuid.so lines in your /etc/pam.d/ stacks will remove the message. This is a minor issue.
- If you're going to post log lines or configs please use BB code tags and make sure you don't arbitrarily leave out lines. If the logs are too large U/L them on sone free hoster and post the D/L URI.

jim.thornton · 01-11-2008, 03:54 PM

Please excuse my ignorance. I'm trying hard but this (Linux) is a lot to grasp when using Windows practically my whole life.

There were entries that I cut out due to the size of the file. It's really big!

I think I have the right log files, and I read them to show that this particular attacker (Jan 10 @ 2:18am +/-) didn't get access, but I'm not sure. The RkHunter is 1.3.0 and the errors that I'm getting from that could very will be a configuration error.

/var/log/apf_log
/var/log/bfd_log
/var/log/messages
/var/log/rkhunter

At about 1pm on Jan 10, you will notice that there was a successful login, but I think that was me. I finally got near a computer that I could login and I thought it would be a good idea to install clamAV to scan the system with that too (but that didn't go to smoothly).

I do appreciate the help!!!

unSpawn · 01-11-2008, 06:44 PM

No problem. We're here to help and that is what we'll do. Thanks for the logs. The logs show no information about a breach of security. That does not mean there wasn't any, there just isn't enough info. What I'd suggest is that, before doing anything else, you familiarise yourself with the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html. Next to performing checks from the checklist use your package manager (if so capable) to verify all package contents. Please report back any findings, preferably using BB code tags for readability.

jim.thornton · 01-11-2008, 09:20 PM

Quote:

Originally Posted by unSpawn

No problem. We're here to help and that is what we'll do. Thanks for the logs. The logs show no information about a breach of security. That does not mean there wasn't any, there just isn't enough info. What I'd suggest is that, before doing anything else, you familiarise yourself with the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html. Next to performing checks from the checklist use your package manager (if so capable) to verify all package contents. Please report back any findings, preferably using BB code tags for readability.

By package manager, I assume you mean yum? If so, I can install with this, but would you be willing to give me the commands to verify the contents please?

jim.thornton · 01-11-2008, 10:03 PM

Okay... I've already been looking at the log files so I skipped right to step 2. Unfortunately, I really don't know what the output should be but here is what I got:

Code:

[root@server1 ~]# find / -user root -perm -4000 -print
/usr/libexec/openssh/ssh-keysign
/usr/sbin/exim
/usr/sbin/usernetctl
/usr/sbin/suexec
/usr/sbin/userhelper
/usr/bin/sudoedit
/usr/bin/chage
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/gpasswd
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
/etc/virtual/majordomo/wrapper
/bin/umount
/bin/su
/bin/ping6
/bin/ping
/bin/mount
find: WARNING: Hard link count is wrong for /proc/vz/vzaquota: this may be a bug                                               in your filesystem driver.  Automatically turning on find's -noleaf option.  Ea                                              rlier results may have failed to include directories that should have been searc                                              hed.
find: /proc/2044/task/2044/fd/4: No such file or directory
find: /proc/2044/fd/4: No such file or directory

and:

Code:

[root@server1 ~]# find / -group kmem -perm -2000 -print
find: WARNING: Hard link count is wrong for /proc/vz/vzaquota: this may be a bug in your filesystem driver.  Automatically turning on find's -noleaf option.  Earlier results may have failed to include directories that should have been searched.
find: /proc/1472/task/1472/fd/4: No such file or directory
find: /proc/1472/fd/4: No such file or directory
[root@server1 ~]#

Code:

[root@server1 ~]# find / -user root -perm -4000 -print -xdev
find: warning: you have specified the -xdev option after a non-option argument -user, but options are not positional (-xdev affects tests specified before it as well as those specified after it).  Please specify options before other arguments.

/usr/libexec/openssh/ssh-keysign
/usr/sbin/exim
/usr/sbin/usernetctl
/usr/sbin/suexec
/usr/sbin/userhelper
/usr/bin/sudoedit
/usr/bin/chage
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/gpasswd
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
/etc/virtual/majordomo/wrapper
/bin/umount
/bin/su
/bin/ping6
/bin/ping
/bin/mount

Is that okay?

jim.thornton · 01-11-2008, 10:16 PM

I just ran # last, and there is no entries (on the 10th) from 'admin', which was the user that was being attacked. The only successful login with admin was me from my IP at home.

Does that mean I have nothing to worry about?

jim.thornton · 01-12-2008, 12:22 AM

I ran rkhunter again with --report-warnings-only. Here's what I got:

Code:

E-Mail Address Book Personal Settings Logout
[RoundCube Webmail]
 Message 1 of 4 
Folders

    * Inbox (2)
    * Drafts
    * Sent
    * Junk
    * Trash (43)
    * VPS Stuff

Subject:  	rkhunter Daily Run server1.extra6.com
Sender:  	root add
Recipient:  	jim@moneytime.ca add
Date:  	Today 02:16
To protect your privacy, remote images are blocked in this message. Display images

[ Rootkit Hunter version 1.3.0 ]

[1;33mChecking rkhunter version...[0;39m
  This version  : 1.3.0
  Latest version: 1.3.0
[ Rootkit Hunter version 1.3.0 ]

[1;33mChecking rkhunter data files...[0;39m
  Checking file mirrors.dat[34C[ [1;32mNo update[0;39m ]
  Checking file programs_bad.dat[29C[ [1;32mNo update[0;39m ]
  Checking file backdoorports.dat[28C[ [1;32mNo update[0;39m ]
  Checking file suspscan.dat[33C[ [1;32mNo update[0;39m ]
  Checking file i18n/cn[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/en[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/zh[38C[ [1;32mNo update[0;39m ]
  Checking file i18n/zhutf[35C[ [1;32mNo update[0;39m ]
Warning: Checking for prerequisites               [ Warning ]
         The file of stored file properties (rkhunter.dat) does not exist, and
so must be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the
'--propupd' option
         is used, all the files on their system are known to be genuine, and
installed from a
         reliable source. The rkhunter '--check' option will compare the
current file properties
         against previously stored values, and report if any values differ.
However, rkhunter
         cannot determine what has caused the change, that is for the user to
do.
Warning: The command '/usr/bin/groups' has been replaced by a script:
/usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script:
/usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script:
/usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script:
/sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup:
Bourne-Again shell script text executable
Warning: Found enabled xinetd service: /etc/xinetd.d/imap
Warning: No output found from the lsmod command or the /proc/modules file:
         /proc/modules output:
         lsmod output:
Warning: The kernel module directory '/lib/modules/2.6.18-openvz-amd64' is
missing.
Warning: Suspicious file types found in /dev:
         /dev/MAKEDEV: ELF 32-bit LSB executable, Intel 80386, version 1
(SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), for
GNU/Linux 2.2.5, stripped
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data,
from Unix, max compression

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

jim.thornton · 01-12-2008, 01:05 AM

Sorry, one more post tonight and then I'll wait for my next instruction. I just installed CHKRootkit 0.47 (installed by yum). It's output was:

Code:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have    63 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... venet0: not promisc and no PF_PACKET sockets
venet0:0: not promisc and no PF_PACKET sockets
venet0:1: not promisc and no PF_PACKET sockets
venet0:2: not promisc and no PF_PACKET sockets
venet0:3: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted

It says that there is a possible LKM trojan installed! Is this a false positive?

unSpawn · 01-13-2008, 10:46 AM

Wrt post #7 about package managers it would be good to update your LQ profile with your distro info or post it here.

Wrt post #8, the filenames of setuid and setgid files look OK, checking their hashes against what the package database (or remote copies of packages) provides should give proof. The "No such file or directory" error may be caused by 'find' looking inside its own process information in /proc and is no cause for alarm.

Wrt post #9, if 'last' doesn't show logins for that date and time then that is OK, except if the wtmp database was tampered with. Unless there's suspicions there is no immediate need to check that. Remember though that for some forms of compromise, like for instance those exploited through (usually) available PHP-based applications, no root account compromise or login is necessary as they will run OK within webserver processes.

Wrt post #10, running RKH has changed between versions. The installation doc tells you you must run 'rkhunter --propupd' before scanning. The assumption there is that you install any auditing apps right after you install your O.S., especially if you specify RKH to use your package managers database to verify hashes. Also check rkhunter.conf for helper apps you might want to install.

Wrt post #11, for "/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist" see the Chkrootkit FAQ about dot-files, the chkproc "process hidden for readdir command" is in the FAQ as well, it's about short-lived processes.

I'm missing info about you running CERT checks five through eight. Some of those checks can be covered by running Tiger version 3.2.2 (http://freshmeat.net/projects/tiger-audit/) and if you run Debian, Gentoo or Red Hat or derivatives, you can complement it with LSAT version 0.9.6 (http://freshmeat.net/projects/lsat/).

In short we haven't seen any signs of compromise sofar and I doubt it any will turn up. If you want to find out if your system needs additional configuration and if you want to learn how to audit your system (which should be done regularly anyway) and if you want to be prepared in case of emergency I'd invite you to finish the rest of the checks.

jim.thornton · 01-13-2008, 05:31 PM

I didn't know what to do for steps 5 through 8, well, except for step 7. I did that one.

I didn't hear from you in a while, and my provider suggested that I reinstall my OS. So I did.

I didn't really think that there was an intrusion after all that stuff that you had me doing. However, I figured that it couldn't hurt.

unSpawn · 01-14-2008, 05:09 AM

Quote:

Originally Posted by jim.thornton

I didn't hear from you in a while,

Uh. It's not like this is 24/7 paid support or an IRC session you know. Consider a reply within 24hrs quite good actually.

Quote:

Originally Posted by jim.thornton

my provider suggested that I reinstall my OS. So I did.

Mitigating risks by reinstalling is laudable but in case of a real breach of security should have been preceded by making a bit copy of the disks. Wiping possible "evidence" means by reinstalling there's nothing to learn from and if the box was not reconfigured it could happen all over again.

Quote:

Originally Posted by jim.thornton

I didn't really think that there was an intrusion after all that stuff that you had me doing.

If that's your conclusion that's good.
At least now you have rudimentary knowledge of what to look for.

jim.thornton · 01-14-2008, 10:45 PM

Quote:

Originally Posted by unSpawn

Uh. It's not like this is 24/7 paid support or an IRC session you know. Consider a reply within 24hrs quite good actually.

Please accept my sincerest apologies. Sometimes what you think doesn't come across properly when posting.

I appreciate ALL of the help you gave me! I only opted for the re-install because I figured that I would get a lot of practice re-installing.

Thanks!