LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 03-20-2006, 04:37 AM   #1
zaraasran
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Rep: Reputation: 0
Why does IRC show up when I exec netstat


Hi people,

I am a newbie in using unix. I installed NIS server and Mail Server using qmail, and currently it seems that perhaps I got attacked, but I am not really sure. My computer is directly connected to the internet and when I called netstat -ptav, it showed an active Internet connection to IRC server (I think), which is oslo1.no.eu.undern:ircd . Anybody could advise me what I should do?
Thank you for your attention

Sin
 
Old 03-20-2006, 07:54 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,781
Blog Entries: 54

Rep: Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978
Hello there and welcome to LQ.

when I called netstat -ptav, it showed an active Internet connection to IRC server (I think), which is oslo1.no.eu.undern:ircd .
oslo1.no.eu.undernet.org[0] is a IRC server, that is correct.


it seems that perhaps I got attacked, but I am not really sure.
Well, let's make sure then. What you need to do is the following:
1. make sure the box is (back) under your control,
2. check for signs of abuse,
3. verify the integrity of the box,
4. Take appropriate steps to make sure this doesnt happen again.

1. make sure the box is (back) under your control
Be able to control your box before you continue. Here's a script to help you:
Code:
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
echo Network info |tee -a ./log; \netstat -aelnp 2>&1 |tee -a ./log
echo Process info |tee -a ./log; \ps auxwwwe 2>&1 |tee -a ./log
echo Opened files |tee -a ./log; \lsof -n 2>&1 |tee -a ./log
echo User info |tee -a ./log; \who -a 2>&1 |tee -a ./log
echo User info |tee -a ./log; \w -l 2>&1 |tee -a ./log
telinit 1 2>&1 |tee -a ./log
If all is well you're in runlevel 1. If not power down.
If you are, backup logfile to log.1 and run again, then power down.
If you run a router in front, make sure it logs traffic.

2. check for signs of abuse
Boot a LiveCD (or into runlevel 1 if you have none), remount the disks read-only and check out these files/logs:
- the previously saved ./logs,
- /etc/passwd /etc/shadow /etc/gshadow and look for accounts that where added,
- issue "last -50", "lastb", "faillog -a" and check for failed logins,
- look for setuid binaries in unusual places or with unusual names: find / -perm -04000 -o -perm -02000 -ls
- system logs (check out /etc/syslog.conf for locations and also include any ksymoops dir if you have one) and application logs for any anomalous activity.

3. verify the integrity of the box.
- If you previously installed, configured and ran a filesystem integrity checker like Aide, Samhain or even tripwire now would be a good time to check. If you didn't you don't need to install one now: too late.
- Any distribution that uses the rpm package manager can easily verify package contents (rpm -V). If you don't use rpm, find out what your distro's package manager can do for you wrt verification. The scope for package managers is narrow: they can only check what's installed.
- Check your system with Chkrootkit and Rootkit Hunter. If you didn't install those and you have no other box to download and compile it on use the LiveCD (not recommended): or set up your firewall to deny inbound traffic before you go to runlevel 3.

Post back any info. If you want to include logs (scrub your IP first!) and they're large, compress and offer a (temporary) D/L location. If you can't manage that you are allowed to attach it and send it me by email if the size is over two megs I'd appreciate an early warning before DoSsing my mailbox:-]


* It would be helpful if you will in your OS/distribution/release info in your profile or give that information up front.
* Also, using the "-n" flag with netstat will make it *not* resolve IP addresses which makes netstat faster giving you output which can come in handy when you've got a slow resolver or a huge list of connections to work with.
 
Old 03-20-2006, 10:17 AM   #3
zaraasran
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Hi again,

Thanks you for your reply. Yes, I think the box is under my control, and I dont't think there are any strange behaviours with the log files and account files, such as /etc/passwd, /etc/shadow ,and /etc/gshadow.
I also executed "last -50", "lastb", "faillog -a" but it all seemed natural.
One thing that captured my mind is the firewall setting. I am using ipchains, and I already set up some chains for forward option, but I haven't set up the chains for output option. I thought that setting it using forward option will be enough, but perhaps I was wrong. I am trying to set it up using output option now. Any comments?

Sin
 
Old 03-21-2006, 03:46 AM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
3. verify the integrity of the box,
4. Take appropriate steps to make sure this doesnt happen again.

Still 2 points!

Nice post unSpawn
 
Old 03-22-2006, 10:17 PM   #5
zaraasran
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Original Poster
Rep: Reputation: 0
I just found it yesterday, but I am afraid that I would have to wait. I used lsof, ps and netstat, and I found that there was actually one process that was connected to an IRC server using my friend's login name, at least that's what I think. I saved the logs, and I am planning to ask my friend if he did execute some programs which are connected to IRC, but unfortunately, he is out of town and out of reach too, so I guess I would have to wait.
Anyway about step 4, what should I do? I think you explained only three steps before.
Thank you in advance.

Sin
 
Old 03-23-2006, 03:28 AM   #6
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
What I do is (if your box has a rootkit installed you would only see what the cracker wants you to see):
* plug a sniffer and filter for irc traffic: ethereal, tcpdump you will see all traffic.
* strace -p <pid_of_process> -o logfile : you would see all system calls
These two steps wouldn't show you how the possible cracker( maybe only your friend as you say) got in:


About step 4 to be sure this doesn't happen again, you have to find how it happened first (which is the most complicated step, look in log files, if they have not been modified.. integrity) then correct your error, maybe make a test yourself. That's basic quality managment which is synonym of logic..



You see the common problem here: integrity If you're not sure you found the cause, you can't be sure you're still not compromised then reinstall and install an integrity checker on a clean box , otherwise analysis can lead to partial/wrong results.
 
Old 03-23-2006, 08:23 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,781
Blog Entries: 54

Rep: Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978
* plug a sniffer and filter for irc traffic: ethereal, tcpdump you will see all traffic.
If you're going down that road and you haven't run any recent version of Chkrootkit it would be good to *first* check if any network devices are in promiscuous mode already (/sbin/ip link show).


* strace -p <pid_of_process> -o logfile : you would see all system calls
Like you said, if syscalls are subverted in the kernel you wont see a thing. There's some tools to check (depending on the rootkit and method used) for rootkit existence. Some of them are in Chkrootkit and Rootkit Hunter (upcoming versions of Chkrootkit and Rootkit Hunter should show improvements wrt to detection), some of them are external tools like unhide, skdet, skdetect, checkIDT, checksysmap. Note compiling tools should always be done on another, verified clean, box. If unsure, just boot a LiveCD. This will not give you current process, network or user info but a clean view of the system.


@zaraasran: (this isn't directed at you alone,) I cant understand what keeps ppl from reading a post from start to end and answering all stuff in full and systematically, maybe you could enlighten me. Of course it's your own decision, but if you followed my reply and executed the tasks I asked you to it would have been much more efficient.
 
Old 03-24-2006, 04:21 AM   #8
zaraasran
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Original Poster
Rep: Reputation: 0
I think this is for unSpawn:
Well, I am very grateful for your advice and opinion, and I would like to do the things that you've said systematically. But to be honest, I don't know about everyone else, but in my case, since I am a newbie, I don't really understand most of the terms that you've said in your post and I was a little bit ashamed if I had to ask such "trivial" matters. Therefore, I checked out some articles on the Internet, and I tried some new functions that I just figured out. I didn't even know that there is a function called traceroute. Well, I think that's about it. I am sorry for that, but please be patient and guide me. I do really want to become a Linux expert, but I think that will take time.

Sin
 
Old 03-24-2006, 06:17 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,781
Blog Entries: 54

Rep: Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978Reputation: 2978
Thanks for clearing things up a bit.

since I am a newbie, I don't really understand most of the terms that you've said in your post
Next time please ask for clarification. I mean, that's what we're here for: to help you help yourself, innit?


and I was a little bit ashamed if I had to ask such "trivial" matters.
IMHO there are no stupid questions. *Not* asking, that's stupid.


I am sorry for that, but please be patient and guide me.
No need to apologise. Apparently it's me being too technical. There are however good reasons why I posted the steps (and in that order) in my first reply. So if you think you can't proceed please try to post questions before wandering off. Anyway. Seems you show the right attitude by looking for info yourself and trying out stuff. Heh. That's more than some people do. Don't let things or people scare you off. Just take your time and try to finish those last steps nx5000 and me posted about.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
inetd is running but netstat show no listening ports shroc Linux - Networking 1 01-31-2006 05:30 PM
Slackware10.0, doesn't show my domain in the IRC Tomanas Slackware 2 05-29-2005 02:58 PM
Linux Socket Bind Program Won't show with netstat rnice Programming 2 09-18-2004 10:59 AM
netstat, how to show what address are connected? trey85stang Slackware 2 12-30-2003 03:56 PM
netstat doesn't show tcp sockets in Redhat 7.2 pfpalmer Linux - General 3 10-31-2002 04:04 AM


All times are GMT -5. The time now is 05:15 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration