LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 04-24-2014, 08:08 AM   #16
Smokey_justme
Member
Distribution: Slackware

Well, it can also be running as a hidden process providing a backdoor.. It can do a lot of things.. There is no "right" answer, there is just a series of tests which eliminate some possibilities and/or track down the "culprit" process..
 
Old 04-24-2014, 01:17 PM   #17
T3slider
Senior Member
Distribution: Slackware64-14.1

Slackware already includes tcpdump, so if you can't find the culprit in netstat/lsof output you should at least be able to record and inspect the packets being sent out (unless of course there is a well-hidden rootkit that modifies tcpdump output). Running the following as root would record all packets for 2 minutes:
Code:
# tcpdump -i eth0 -G 120 -W 1 -w /root/tcpdump-$(date +"%F_%H:%M:%S").log
(You should avoid unnecessary network access during those two minutes to minimize the size of the log.) Then you can take your time looking for malicious packets in the file created. You can copy that file to a user's home directory (and chown to that user) so you can look through the whole thing as a non-root user after having recorded it as root, if you're paranoid.
Code:
$ /usr/sbin/tcpdump -n -r /path/to/file.log | less
lets you see the highlights, while
Code:
$ /usr/sbin/tcpdump -n -XX -r /path/to/file.log | less
lets you do a deeper inspection of packets. Assuming tcpdump is not manipulated by a rootkit and the connection is unencrypted, you should be able to see exactly what data is being sent; it may turn out to be nothing to worry about, or it may confirm the worst. Note of course that this assumes that the Chinese IP is contacted within the two minutes of recording (you may have to extend the recording time or record multiple times if it isn't -- you can confirm connection times using your router's log since that appears to still work), and that there is no rootkit; thus, if you see no activity (or if the activity is spotted but is still not clearly identifiable), you should continue to investigate using other techniques.
 
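The capture-then-inspect procedure in the post above leaves you with a text file that can run to hundreds of thousands of `tcpdump -n -r` lines. The following is an added example (not code from the thread or from tcpdump itself) that summarises that text per remote endpoint: packets and bytes in each direction, whether the peer is outside the LAN, and whether SYNs the box sent were ever answered. The SAMPLE lines are constructed: the addresses and port 905 mirror the connections discussed in this thread, while the timestamps, sequence numbers and lengths are made up. Only TCP lines are parsed; everything else tcpdump prints is skipped.

```python
"""Summarise the text that `tcpdump -n -r capture.log` prints, per remote endpoint.

Added example, not code from the LQ thread. Groups the one-line-per-packet
output by remote host:port and counts packets, bytes and unanswered SYNs,
so a two-minute capture boils down to a short table of who the box talked
to, which peers answered, and which conversations left the LAN.
"""
import ipaddress
import re
import sys
from collections import defaultdict

# One TCP line from `tcpdump -n`: ts IP src.sport > dst.dport: Flags [..], ..., length N
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)$"
)

# Constructed sample: addresses/ports resemble the thread, the rest is invented.
SAMPLE = """\
13:17:02.100000 IP 192.168.2.101.53534 > 119.145.148.76.905: Flags [S], seq 1000, win 29200, length 0
13:17:02.130000 IP 119.145.148.76.905 > 192.168.2.101.53534: Flags [S.], seq 2000, ack 1001, win 14600, length 0
13:17:02.131000 IP 192.168.2.101.53534 > 119.145.148.76.905: Flags [.], ack 1, win 229, length 0
13:17:02.200000 IP 192.168.2.101.53534 > 119.145.148.76.905: Flags [P.], seq 1:158, ack 1, win 229, length 157
13:17:05.000000 IP 192.168.2.101.52831 > 59.63.167.167.905: Flags [S], seq 3000, win 29200, length 0
13:17:06.000000 IP 192.168.2.101.52831 > 59.63.167.167.905: Flags [S], seq 3000, win 29200, length 0
13:17:10.000000 IP 192.168.2.2.36711 > 192.168.2.101.22: Flags [P.], seq 1:49, ack 1, win 501, length 48
13:17:10.001000 IP 192.168.2.101.22 > 192.168.2.2.36711: Flags [P.], seq 1:97, ack 49, win 229, length 96
"""


def summarise(lines, local_ip):
    """Return {(remote_ip, remote_port): stats} for every TCP conversation
    involving local_ip. Non-TCP lines (ARP, UDP, ICMP) do not match and are skipped."""
    empty = dict(out_pkts=0, out_bytes=0, in_pkts=0, in_bytes=0, syn_sent=0, syn_acked=0)
    stats = defaultdict(lambda: dict(empty))
    for line in lines:
        m = TCP_RE.match(line.strip())
        if not m:
            continue
        length, flags = int(m["len"]), m["flags"]
        if m["src"] == local_ip:                      # outbound packet
            s = stats[(m["dst"], int(m["dport"]))]
            s["out_pkts"] += 1
            s["out_bytes"] += length
            if flags == "S":                          # bare SYN: this box initiated
                s["syn_sent"] += 1
        elif m["dst"] == local_ip:                    # inbound packet
            s = stats[(m["src"], int(m["sport"]))]
            s["in_pkts"] += 1
            s["in_bytes"] += length
            if flags == "S.":                         # SYN-ACK: the peer accepted
                s["syn_acked"] += 1
    for (ip, _port), s in stats.items():
        addr = ipaddress.ip_address(ip)
        s["external"] = not (addr.is_private or addr.is_loopback)
        # SYNs sent but never answered: peer down, filtered, or a C2 node that
        # went away (the SYN_SENT state seen in netstat looks like this)
        s["unanswered"] = s["syn_sent"] > 0 and s["syn_acked"] == 0
    return dict(stats)


def report(stats):
    """Render the summary as text, biggest senders first; external peers are marked."""
    fmt = "%-21s %7s %9s %7s %9s %s"
    rows = [fmt % ("remote", "out_pkt", "out_bytes", "in_pkt", "in_bytes", "notes")]
    for (ip, port), s in sorted(stats.items(), key=lambda kv: -kv[1]["out_bytes"]):
        notes = []
        if s["external"]:
            notes.append("EXTERNAL")
        if s["unanswered"]:
            notes.append("unanswered SYN x%d" % s["syn_sent"])
        rows.append(fmt % ("%s:%d" % (ip, port), s["out_pkts"], s["out_bytes"],
                           s["in_pkts"], s["in_bytes"], " ".join(notes)))
    return "\n".join(rows)


if __name__ == "__main__":
    # usage: tcpdump -n -r /path/to/file.log | python3 summarise.py 192.168.2.101
    if len(sys.argv) == 2 and not sys.stdin.isatty():
        print(report(summarise(sys.stdin, sys.argv[1])))
    else:
        print(report(summarise(SAMPLE.splitlines(), "192.168.2.101")))
```

The summary only tells you where the bytes went, not what they were; for that you still open the conversation with `tcpdump -n -XX`. And the same caveat as in the post applies: if the capture was taken on the compromised box, a rootkit that filters tcpdump's output can hide a conversation from this summary too.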
Old 04-24-2014, 11:43 PM   #18
Tachtory
Member
Distribution: Mint, Slackware
Original Poster
Sorry for not replying sooner, I was a bit discouraged and just disconnected the thing from the network.
Code:
netstat -cutpan
is the command I was looking for.

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      615/sshd            
tcp        0    158 192.168.2.101:53458     119.145.148.105:905     FIN_WAIT1   -                   
tcp        0      0 192.168.2.101:22        192.168.2.2:36711       ESTABLISHED 20492/sshd: spearma 
tcp        0    157 192.168.2.101:53534     119.145.148.76:905      ESTABLISHED 20543/.IptabLex     
tcp        0      1 192.168.2.101:52831     59.63.167.167:905       SYN_SENT    20539/.IptabLes     
tcp6       0      0 :::22                   :::*                    LISTEN      615/sshd            
udp        0      0 0.0.0.0:35760           0.0.0.0:*                           753/[flush-63:0]    
udp        0      0 0.0.0.0:55410           0.0.0.0:*                           753/[flush-63:0]    
udp        0      0 0.0.0.0:49537           0.0.0.0:*                           753/[flush-63:0]
Looks like .IptabLex and .IptabLes are the culprits. From what searching the web is telling me it's some kind of infection.

I don't even know if it's worth dealing with :| ...I'm going to be installing the new version of Mint at the end of May on my other machines, might as well just wipe the Slackbox and make sure I have proper configuration for my ssh security.

 
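The netstat listing above is the kind of output worth reading mechanically rather than by eye: the give-aways are a connected socket with a public peer, a connection netstat cannot attribute to any PID ("-"), an owning program whose name starts with a dot, and UDP sockets owned by something named like a kernel thread. The following is an added example (not code from the thread) that parses `netstat -tupan` output and applies those four heuristics; the heuristics are mine, and SAMPLE is the listing from the post above, copied as posted. The kernel-thread rule rests on the fact that kernel threads have no file descriptor table, so netstat can never attribute a socket to a real one; a socket owned by `[flush-63:0]` therefore belongs to a userspace process that chose that name.

```python
"""Triage `netstat -tupan` output: attribute each socket to a process and flag the odd ones.

Added example, not code from the LQ thread. SAMPLE is the listing posted in
the thread; the four flagging rules below are the editor's, not netstat's.
"""
import ipaddress
import re
import sys

SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      615/sshd
tcp        0    158 192.168.2.101:53458     119.145.148.105:905     FIN_WAIT1   -
tcp        0      0 192.168.2.101:22        192.168.2.2:36711       ESTABLISHED 20492/sshd: spearma
tcp        0    157 192.168.2.101:53534     119.145.148.76:905      ESTABLISHED 20543/.IptabLex
tcp        0      1 192.168.2.101:52831     59.63.167.167:905       SYN_SENT    20539/.IptabLes
tcp6       0      0 :::22                   :::*                    LISTEN      615/sshd
udp        0      0 0.0.0.0:35760           0.0.0.0:*                           753/[flush-63:0]
udp        0      0 0.0.0.0:55410           0.0.0.0:*                           753/[flush-63:0]
udp        0      0 0.0.0.0:49537           0.0.0.0:*                           753/[flush-63:0]
"""

# Proto Recv-Q Send-Q Local Foreign [State] PID/Program; udp rows have no State column
# and the program name may contain spaces ("sshd: spearma"), hence the greedy tail.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+(?P<rq>\d+)\s+(?P<sq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z][A-Z_0-9]*)\s+)?"
    r"(?P<pid>\d+|-)/?(?P<prog>.*)$"
)


def parse(text):
    """Return one dict per socket row; header lines do not match and are dropped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_external(host):
    """True for an address outside RFC1918/loopback/link-local/unspecified space."""
    ip = ipaddress.ip_address(host)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified)


def triage(rows):
    """Return the rows that trip at least one rule, each with a list of reasons."""
    findings = []
    for r in rows:
        fhost, fport = r["foreign"].rsplit(":", 1)
        connected = fport != "*"               # listeners show a wildcard peer port
        reasons = []
        if connected and is_external(fhost):
            reasons.append("peer %s is a public address" % fhost)
        if connected and r["pid"] == "-":
            reasons.append("no owning process visible (hidden, or not ours)")
        if r["prog"].startswith("."):
            reasons.append("owner is a hidden dotfile executable")
        if re.fullmatch(r"\[.*\]", r["prog"]):
            reasons.append("owner named like a kernel thread but holds a socket")
        if reasons:
            findings.append(dict(r, reasons=reasons))
    return findings


def main():
    # usage: netstat -tupan | python3 triage.py   (falls back to SAMPLE on a tty)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in triage(parse(text)):
        print("%-5s %-23s -> %-23s %-11s %s/%s" % (f["proto"], f["local"], f["foreign"],
                                                   f["state"] or "", f["pid"], f["prog"]))
        for why in f["reasons"]:
            print("      * " + why)


if __name__ == "__main__":
    main()
```

Run against the sample this flags six of the nine rows and leaves the sshd listener and the LAN-side ssh session alone. Like netstat itself, it only sees what the kernel reports to userspace; a socket a rootkit hides from `/proc/net/tcp` never reaches this script, which is why a capture from a second machine remains the stronger check.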
Old 04-25-2014, 01:30 AM   #19
unSpawn
Moderator

Quote:
Originally Posted by Tachtory View Post
I (..) disconnected the thing from the network.
Good.


Quote:
Originally Posted by Tachtory View Post
Looks like .IptabLex and .IptabLes are the culprits. From what searching the web is telling me it's some kind of infection.
Not "some kind of infection" but one likely involving a root compromise as, looking at info elsewhere, most files are written to /boot and other locations owned by root (the search will cause some false positives):
Code:
find /boot /etc /usr /var -type f \( -iname iptable\* -o -iname .\*iptable\* -o -iname S55ip\* \)
find / -type f \( -iname getsetup\* -o -iname .mylisthb\*.pid \)
*BTW: I'd appreciate a copy of the files you find. You're invited to mail me to discuss dropping them off or add them to https://sourceforge.net/p/rkhunter/support-requests/ on your own.


Quote:
Originally Posted by Tachtory View Post
I don't even know if its worth dealing with :| ...I'm going to be installing the new version of Mint at the end of May on my other machines, might as well just wipe the Slackbox and make sure I have proper configuration for my ssh security.
As long as you don't revive that machine until you wipe it and check others stat. After all a root compromise means having to change passwords, private keys et cetera as you don't know what got syphoned off of the box.

 
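The two find commands above are the right shape for an indicator sweep, and they are best run with the suspect disk mounted read-only under a clean system rather than on the box itself. The following is an added example (not code from the thread) that does the same sweep from Python with the same name patterns, matched case-insensitively like `find -iname`, and adds two things find alone does not report: the owner and mode of every hit, and a flag for any hidden dotfile under /boot, a directory where regular files have no reason to be hidden. `build_fixture()` constructs a throwaway tree that mimics the thread's findings and plants a legitimate `/usr/sbin/iptables-save` to show the expected false positive; the tree layout and file modes in it are assumptions for the demonstration.

```python
"""Sweep a filesystem tree for the IptabLes/IptabLex file names from the thread.

Added example, not code from the LQ thread. Point it at a mounted copy of
the suspect disk (python3 sweep.py /mnt/suspect); with no argument it
builds and sweeps a constructed fixture.
"""
import fnmatch
import os
import stat
import sys
import tempfile

SYSTEM_TREES = ("boot", "etc", "usr", "var")          # where the first find looked
SYSTEM_PATTERNS = ("iptable*", ".*iptable*", "S55ip*")
ANYWHERE_PATTERNS = ("getsetup*", ".mylisthb*.pid")    # the second find, from /


def sweep(root):
    """Return sorted [(relpath, uid, mode, reasons)] for regular files under root
    that match a pattern, or that are hidden dotfiles anywhere under boot/."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = rel_dir.split(os.sep)[0]                  # "boot", "etc", ... or "."
        patterns = ANYWHERE_PATTERNS + (SYSTEM_PATTERNS if top in SYSTEM_TREES else ())
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):            # skip symlinks, devices, etc.
                continue
            reasons = ["name matches %s" % p for p in patterns
                       if fnmatch.fnmatchcase(name.lower(), p.lower())]
            if top == "boot" and name.startswith("."):
                reasons.append("hidden file in /boot")
            if reasons:
                rel = name if rel_dir == "." else os.path.join(rel_dir, name)
                hits.append((rel, st.st_uid, stat.S_IMODE(st.st_mode), reasons))
    return sorted(hits)


def build_fixture():
    """Constructed tree mimicking the thread's findings, plus one legitimate decoy."""
    root = tempfile.mkdtemp(prefix="sweep-")
    planted = {
        "boot/.IptabLes": 0o755,            # the two binaries reported in the thread
        "boot/.IptabLex": 0o755,
        "boot/vmlinuz": 0o644,              # legitimate; must not be reported
        "etc/rc.d/init.d/IptabLes": 0o755,  # the init script that starts them
        "usr/sbin/iptables-save": 0o755,    # legitimate: the expected false positive
        "tmp/getsetup.sh": 0o644,           # caught by the "anywhere" patterns
    }
    for rel, mode in planted.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")         # contents do not matter to a name sweep
        os.chmod(path, mode)
    return root


def main(argv):
    root = argv[1] if len(argv) > 1 else build_fixture()
    for rel, uid, mode, reasons in sweep(root):
        print("%-30s uid=%-5d mode=%04o  %s" % (rel, uid, mode, "; ".join(reasons)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A name sweep is only a starting point: it finds what this family happens to call its files, and a hit in /usr/sbin is the normal iptables tooling. What it cannot tell you is whether anything else was dropped under a different name, which is the reason the thread's advice to wipe and rotate credentials stands regardless of how clean the sweep looks.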
Old 04-25-2014, 02:53 AM   #20
Tachtory
Member
Distribution: Mint, Slackware
Original Poster
The above find commands turned up 2 binaries in /boot/ and 2 basic shell scripts in /init.d/ to start them

Is there messaging/mail within LinuxQuestions? I can't seem to find a way to direct message you.
 
Old 04-25-2014, 02:56 AM   #21
Smokey_justme
Member
Distribution: Slackware
There is a private message system, but it seems to be limited (I'm not quite sure when it's activated)

http://www.linuxquestions.org/questi.../unspawn-2450/

Go to "Contact info", you'll find a link to mail him (unfortunately, without attachments, so try putting the files in an archive on Dropbox or Google Docs and share them by link)..

Btw, I would also appreciate a copy of them.. if you can ..

 
Old 04-25-2014, 03:38 AM   #22
Tachtory
Member
Distribution: Mint, Slackware
Original Poster
Really odd, I don't see 'Contact Info'

http://oi57.tinypic.com/k93wn.jpg
 
Old 04-25-2014, 04:45 AM   #23
Didier Spaier
Senior Member
Location: Paris, France
Distribution: Slackware{,64}-{14.1,current} on a Lenovo Thinkpad T61 6457-4XG
Quote:
Originally Posted by Tachtory View Post
Really odd, I don't see 'Contact Info'

http://oi57.tinypic.com/k93wn.jpg
You need to be logged in to LQ for this to work, otherwise you won't see 'Contact Info'.

You can also, in the "My LQ" menu on the right, click on the link tagged "LQ UserCP" (that stands for "LQ user Control Panel").

 
Old 04-25-2014, 05:16 AM   #24
Tachtory
Member
Distribution: Mint, Slackware
Original Poster
Well it seems like I'm logged in, I don't know what the problem is.

Would it be okay to just post a drop-box link in this thread?
 
Old 04-25-2014, 05:44 AM   #25
mrclisdue
Senior Member
Distribution: Slackware -current, 14.1
You have to enable private messaging - on the left side of the page, in the MY LQ box, select "edit options" and it's in there under messaging and notifications. You already have email turned on, as does unSpawn.

Also, more easily in this case, if you simply click on unSpawn's (or anyone else's) username, you should get a fly-out with an email to <username> link, plus an IM link if it's enabled.

cheers,
 
Old 04-25-2014, 05:51 AM   #26
Smokey_justme
Member
Distribution: Slackware
Actually, I remember not having PMs and some stuff not so long ago.. I think it's a post-count anti-spam limit..

@Tachtory, sure.. just present a big warning of what it contains.. :P
 
Old 04-25-2014, 06:04 AM   #27
Tachtory
Member
Distribution: Mint, Slackware
Original Poster
IptabLes.tar.gz 0.98MB

Contains:

Code:
boot-.IptabLes  -- binary exe found in /boot/
boot-.IptabLex  -- binary exe found in /boot/
etc-rc.d-init.d-IptabLes  -- shell script found in /etc/rc.d/init.d/
etc-rc.d-init.d-IptabLex  -- shell script found in /etc/rc.d/init.d/
The only modifications I made were to chmod -x on .IptabLes and .IptabLex. From looking at .IptabLes in a text editor, it looks like there's some shell script that does some nasty stuff (lots of rm -f)
 
Old 04-25-2014, 07:20 AM   #28
Hyakutake
Member
Distribution: Slackware
Hello all

If the box is compromised then it should not be used to verify anything. Reason? It's compromised! Right now it's not possible to verify what has been affected (nmap, netstat, tcpdump, iptables?).
In this case I would get a second machine, put it in the middle (man in the middle) of that box's traffic and capture everything to see what's going on.

For me the best option is to build the system from scratch and install precautions (fail2ban; tripwire; others?)

Anyway good luck.

Regards,
hyakutake
 
Old 04-25-2014, 09:52 AM   #29
genss
Member
Quote:
Originally Posted by Tachtory View Post
IptabLes.tar.gz 0.98MB

Contains:

Code:
boot-.IptabLes  -- binary exe found in /boot/
boot-.IptabLex  -- binary exe found in /boot/
etc-rc.d-init.d-IptabLes  -- shell script found in /etc/rc.d/init.d/
etc-rc.d-init.d-IptabLex  -- shell script found in /etc/rc.d/init.d/
The only modifications I made was to chmod -x on .IptabLes and .IptabLex. From looking at .IptabLes in a text editor, it looks like there's some shell script that does some nasty stuff (lots of rm -f)
hahaha
whoever made this didn't even strip the binaries
a 2MB virus
thx for sharing, this made my day

 
Old 04-25-2014, 11:20 AM   #30
metaschima
Senior Member
Distribution: Slackware
It's definitely a trojan:
http://www.ebel-computing.de/JSPWiki...erver%20Trojan
 
  

