LinuxQuestions.org, Slackware forum: Slackware box possibly infected, how do I monitor TCP connections? (https://www.linuxquestions.org/questions/slackware-14/slackware-box-possibly-infected-how-do-i-monitor-tcp-connections-4175502655/)

Smokey_justme 04-24-2014 08:08 AM

Well, it can also be running like a hidden process providing a backdoor.. It can do a lot of things.. There is no "right" answer, there are just a series of tests which eliminate some possibilities and/or track the "culprit" process..

T3slider 04-24-2014 01:17 PM

Slackware already includes tcpdump, so if you can't find the culprit in netstat/lsof output you should at least be able to record and inspect the packets being sent out (unless of course there is a well-hidden rootkit that modifies tcpdump output). Running the following as root would record all packets for 2 minutes:
Code:

# tcpdump -i eth0 -G 120 -W 1 -w /root/tcpdump-$(date +"%F_%H:%M:%S").log
(You should avoid unnecessary network access during those two minutes to minimize the size of the log.) Then you can take your time looking for malicious packets in the file created. You can copy that file to a user's home directory (and chown to that user) so you can look through the whole thing as a non-root user after having recorded it as root, if you're paranoid.
Code:

$ /usr/sbin/tcpdump -n -r /path/to/file.log | less
lets you see the highlights, while
Code:

$ /usr/sbin/tcpdump -n -XX -r /path/to/file.log | less
lets you do a deeper inspection of packets. Assuming tcpdump is not manipulated by a rootkit and the connection is unencrypted, you should be able to see exactly what data is being sent; it may turn out to be nothing to worry about, or it may confirm the worst. Note of course that this assumes that the Chinese IP is contacted within the two minutes of recording (you may have to extend the recording time or record multiple times if it isn't -- you can confirm connection times using your router's log since that appears to still work), and that there is no rootkit; thus, if you see no activity (or if the activity is spotted but is still not clearly identifiable), you should continue to investigate using other techniques.

Tachtory 04-24-2014 11:43 PM

Sorry for not replying sooner, I was a bit discouraged and just disconnected the thing from the network.
Code:

netstat -cutpan
is the command I was looking for.

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name   
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN      615/sshd           
tcp        0    158 192.168.2.101:53458    119.145.148.105:905    FIN_WAIT1  -                 
tcp        0      0 192.168.2.101:22        192.168.2.2:36711      ESTABLISHED 20492/sshd: spearma
tcp        0    157 192.168.2.101:53534    119.145.148.76:905      ESTABLISHED 20543/.IptabLex   
tcp        0      1 192.168.2.101:52831    59.63.167.167:905      SYN_SENT    20539/.IptabLes   
tcp6      0      0 :::22                  :::*                    LISTEN      615/sshd           
udp        0      0 0.0.0.0:35760          0.0.0.0:*                          753/[flush-63:0]   
udp        0      0 0.0.0.0:55410          0.0.0.0:*                          753/[flush-63:0]   
udp        0      0 0.0.0.0:49537          0.0.0.0:*                          753/[flush-63:0]

Looks like .IptabLex and .IptabLes are the culprits. From what searching the web is telling me it's some kind of infection.

I don't even know if it's worth dealing with :| ...I'm going to be installing the new version of Mint at the end of May on my other machines, might as well just wipe the Slackbox and make sure I have proper configuration for my ssh security.
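
As an added example (not part of the thread, and not code from anyone posting here), the kind of triage one can run over exactly the `netstat -tupan` output quoted above: it parses the net-tools layout (TCP rows have a State column, UDP rows do not), then flags the patterns that make .IptabLes/.IptabLex stand out: a program name beginning with a dot (a hidden file on disk), a live socket with no visible owning process, and several unrelated public hosts all contacted on the same remote port. The sample input is the post's own lines, embedded so the script runs offline; the severity numbers and the kernel-thread heuristic for the bracketed UDP owner are my own choices, not anything the thread establishes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the `netstat -tupan` lines quoted in the post above,
# embedded here so the script runs offline.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN      615/sshd
tcp        0    158 192.168.2.101:53458    119.145.148.105:905    FIN_WAIT1  -
tcp        0      0 192.168.2.101:22        192.168.2.2:36711      ESTABLISHED 20492/sshd: spearma
tcp        0    157 192.168.2.101:53534    119.145.148.76:905      ESTABLISHED 20543/.IptabLex
tcp        0      1 192.168.2.101:52831    59.63.167.167:905      SYN_SENT    20539/.IptabLes
tcp6       0      0 :::22                  :::*                    LISTEN      615/sshd
udp        0      0 0.0.0.0:35760          0.0.0.0:*                          753/[flush-63:0]
"""

# States in which a socket should always have a visible owner; a "-" owner in
# FIN_WAIT/TIME_WAIT is normal because the process may simply have exited.
LIVE_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECV", "LISTEN"}


def split_addr(addr):
    """'119.145.148.105:905' -> ('119.145.148.105', '905'); also handles ':::22' and '*'."""
    host, _, port = addr.rpartition(":")
    return host, port


def is_public(host):
    """True for a globally routable address; False for RFC1918, loopback, wildcard or '*'."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def parse_netstat(text):
    """Parse `netstat -tupan` output (net-tools layout) into one dict per socket line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines
        proto, recvq, sendq, local, foreign, *rest = fields
        # TCP rows carry a State column; UDP rows do not, so PID/Program shifts left.
        if "/" not in rest[0] and rest[0] != "-":
            state, prog = rest[0], " ".join(rest[1:])
        else:
            state, prog = "", " ".join(rest)
        pid, _, name = prog.partition("/")
        rows.append({
            "proto": proto, "local": local, "foreign": foreign, "state": state,
            "pid": None if pid == "-" else pid, "name": name or prog,
            "sendq": int(sendq),
        })
    return rows


def triage(rows):
    """Return (severity, pid, name, reason) findings, highest severity first."""
    findings = []
    hosts_by_port = defaultdict(set)  # remote port -> distinct public hosts contacted
    for r in rows:
        fhost, fport = split_addr(r["foreign"])
        if r["name"].startswith("."):
            findings.append((3, r["pid"], r["name"],
                             "program name starts with '.', i.e. a hidden file on disk"))
        if r["pid"] is None and r["state"] in LIVE_STATES:
            findings.append((3, None, r["name"],
                             f"live socket {r['local']} -> {r['foreign']} has no visible owner"))
        if r["name"].startswith("[") and r["proto"].startswith("udp"):
            # Heuristic (assumption): kernel threads rarely own UDP sockets, so verify the binary.
            findings.append((1, r["pid"], r["name"],
                             "kernel-thread-style name owns a UDP socket; check /proc/<pid>/exe"))
        if is_public(fhost):
            findings.append((2, r["pid"], r["name"],
                             f"talks to public host {fhost}:{fport} ({r['state'] or r['proto']})"))
            hosts_by_port[fport].add(fhost)
    # One fixed remote port reached on several unrelated public hosts is the beacon
    # pattern to look for (in the sample: three hosts, all on port 905).
    for port, hosts in hosts_by_port.items():
        if len(hosts) >= 2:
            findings.append((3, None, "*",
                             f"{len(hosts)} distinct public hosts on remote port {port}: {sorted(hosts)}"))
    return sorted(findings, key=lambda f: -f[0])


if __name__ == "__main__":
    for sev, pid, name, reason in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"[{sev}] pid={pid or '-'} {name}: {reason}")
```

Run it against a live capture with `netstat -tupan | python3 triage.py` after changing the `__main__` block to read `sys.stdin`; the script only reads text, so it is just as useful on output copied off an isolated box. Remember the caveat from earlier in the thread: on a rooted machine netstat itself may be lying, so a clean result here proves nothing, while a hit is worth acting on.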

unSpawn 04-25-2014 01:30 AM

Quote:

Originally Posted by Tachtory (Post 5158791)
I (..) disconnected the thing from the network.

Good.


Quote:

Originally Posted by Tachtory (Post 5158791)
Looks like .IptabLex and .IptabLes are the culprits. From what searching the web is telling me it's some kind of infection.

Not "some kind of infection" but one likely involving a root compromise as, looking at info elsewhere, most files are written to /boot and other locations owned by root (search will cause some false positives):
Code:

find  /boot /etc /usr /var -type f \( -iname iptable\* -o -iname .\*iptable\* -o -iname S55ip\* \)
find  / -type f \( -iname getsetup\* -o -iname .mylisthb\*.pid \)

BTW: I'd appreciate a copy of the files you find. You're invited to mail me to discuss dropping them off or add them to https://sourceforge.net/p/rkhunter/support-requests/ on your own.


Quote:

Originally Posted by Tachtory (Post 5158791)
I don't even know if its worth dealing with :| ...I'm going to be installing the new version of Mint at the end of May on my other machines, might as well just wipe the Slackbox and make sure I have proper configuration for my ssh security.

As long as you don't revive that machine until you wipe it, and check the other machines' state. After all, a root compromise means having to change passwords, private keys et cetera, as you don't know what got siphoned off the box.

Tachtory 04-25-2014 02:53 AM

The above find commands turned up 2 binaries in /boot/ and 2 basic shell scripts in /init.d/ to start them.

Is there messaging/mail within LinuxQuestions? I can't seem to find a way to direct message you.

Smokey_justme 04-25-2014 02:56 AM

There is a private message system, but it seems to be limited (I'm not quite sure when it's activated)

http://www.linuxquestions.org/questi.../unspawn-2450/

Go to "Contact info", you'll find a link to mail him (unfortunately, without attachments, so try putting the files in an archive on Dropbox or Google Docs and share them by link)..

Btw, I would also appreciate a copy of them.. if you can .. :)

Tachtory 04-25-2014 03:38 AM

Really odd, I don't see 'Contact Info'

http://oi57.tinypic.com/k93wn.jpg

Didier Spaier 04-25-2014 04:45 AM

Quote:

Originally Posted by Tachtory (Post 5158868)
Really odd, I don't see 'Contact Info'

http://oi57.tinypic.com/k93wn.jpg

You need to be logged in to LQ for this to work, else you won't see 'Contact Info'.

You can also, in the "My LQ" menu on the right, click on the link tagged "LQ UserCP" (that stands for "LQ user Control Panel").

Tachtory 04-25-2014 05:16 AM

Well it seems like I'm logged in, I don't know what the problem is.

Would it be okay to just post a drop-box link in this thread?

mrclisdue 04-25-2014 05:44 AM

You have to enable private messaging - on the left side of the page, in the MY LQ box, select "edit options" and it's in there under messaging and notifications. You already have email turned on, as does unSpawn.

Also, more easily in this case, if you simply click on unSpawn's (or anyone else's) username, you should get a fly-out with an email to <username> link, plus an IM link if it's enabled.

cheers,

Smokey_justme 04-25-2014 05:51 AM

Actually, I remember not having PMs and some stuff not so long ago.. I think it's a post-count anti-spam limit..

@Tachtory, sure.. just present a big warning of what it contains.. :P

Tachtory 04-25-2014 06:04 AM

IptabLes.tar.gz 0.98MB

Contains:

Code:

boot-.IptabLes  -- binary exe found in /boot/
boot-.IptabLex  -- binary exe found in /boot/
etc-rc.d-init.d-IptabLes  -- shell script found in /etc/rc.d/init.d/
etc-rc.d-init.d-IptabLex  -- shell script found in /etc/rc.d/init.d/

The only modifications I made were to chmod -x on .IptabLes and .IptabLex. From looking at .IptabLes in a text editor, it looks like there's some shell script that does some nasty stuff (lots of rm -f).

Hyakutake 04-25-2014 07:20 AM

Hello all

If the box is compromised then it should not be used to verify anything. Reason? It's compromised! At the first moment it's not possible to verify what has been affected (nmap, netstat, tcpdump, iptables?).
In this case I would get a second machine, put it in the middle between that box and the network (man-in-the-middle) and capture all traffic to see what's going on.

For me the best option is to build the system from scratch and install precautions (fail2ban; tripwire; others?)

Anyway good luck.

Regards,
hyakutake

genss 04-25-2014 09:52 AM

Quote:

Originally Posted by Tachtory (Post 5158922)
IptabLes.tar.gz 0.98MB

Contains:

Code:

boot-.IptabLes  -- binary exe found in /boot/
boot-.IptabLex  -- binary exe found in /boot/
etc-rc.d-init.d-IptabLes  -- shell script found in /etc/rc.d/init.d/
etc-rc.d-init.d-IptabLex  -- shell script found in /etc/rc.d/init.d/

The only modifications I made were to chmod -x on .IptabLes and .IptabLex. From looking at .IptabLes in a text editor, it looks like there's some shell script that does some nasty stuff (lots of rm -f).

hahaha
whoever made this didn't even strip the binaries :)
a 2MB virus :)
thx for sharing, this made my day

metaschima 04-25-2014 11:20 AM

It's definitely a trojan:
http://www.ebel-computing.de/JSPWiki...erver%20Trojan
