LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   chkrootkit found an infected port (https://www.linuxquestions.org/questions/linux-newbie-8/chkrootkit-found-an-infected-port-747721/)

qwertyjjj 08-15-2009 06:02 AM

chkrootkit found an infected port
 
Got this in my file this morning:
any ideas what to do? That port isn't open for input:

Code:

Checking `bindshell'... INFECTED (PORTS:  1008)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root        3147 tty2  /sbin/mingetty tty2
! root        3161 tty5  /sbin/mingetty tty5
! root        3165 tty6  /sbin/mingetty tty6
chkutmp: nothing deleted


[root@localhost cron.daily]# /usr/sbin/lsof -P -n -i | grep 1008
rpc.statd 11002 rpcuser    7u  IPv4  63938      TCP *:1008 (LISTEN)
[root@localhost cron.daily]#

On a related note, rkhunter returns this:
Code:

Warning: This operating system is not fully supported!
All MD5 checks will be skipped!


MoonMind 08-15-2009 07:02 AM

For the bindshell thing, compare this thread:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160539

Check your chkrootkit version - if in doubt, get a new one and re-check; same goes for rkhunter. rpc.statd is use in context with NFS - that may be good for a false positive as described in the (very dated) bug report.

M.

qwertyjjj 08-15-2009 07:04 AM

Quote:

Originally Posted by MoonMind (Post 3644222)
For the bindshell thing, look here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160539

M.

That's an old bug from 2002 isn't it + the port is for mailservers on 465.

repo 08-15-2009 07:11 AM

Maybe do a
Code:

netstat -an | grep 1008
To see if anything is listening on that port

Rkhunter can give false positives.

qwertyjjj 08-15-2009 07:12 AM

Quote:

Originally Posted by repo (Post 3644235)
Maybe do a
Code:

netstat -an | grep 1008
To see if anything is listening on that port

Rkhunter can give false positives.

I did already :)

Code:

[root@localhost cron.daily]# /usr/sbin/lsof -P -n -i | grep 1008
rpc.statd 11002 rpcuser    7u  IPv4  63938      TCP *:1008 (LISTEN)
[root@localhost cron.daily]#


unSpawn 08-15-2009 08:29 AM

Add an exclusion: `grep -i port rkhunter.conf` and take it from there.

qwertyjjj 08-15-2009 08:33 AM

Quote:

Originally Posted by unSpawn (Post 3644295)
Add an exclusion: `grep -i port rkhunter.conf` and take it from there.

port being the port number? How does grep adding an exception to the file because I ran it but can't see any changes in the rkhunter.conf file.

Is there a way to get rid of this:
grep -i port rkhunter.conf

or does rkhunter not support centos?

MoonMind 08-15-2009 05:52 PM

Quote:

Originally Posted by qwertyjjj (Post 3644224)
That's an old bug from 2002 isn't it + the port is for mailservers on 465.

Scroll down to the discussion...

M.

qwertyjjj 08-16-2009 05:28 AM

Quote:

Originally Posted by unSpawn (Post 3644295)
Add an exclusion: `grep -i port rkhunter.conf` and take it from there.

The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?

Also, what about this:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /usr/lib/gtk-2.0/immodules/.relocation-tag /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac

unSpawn 08-16-2009 06:15 AM

[QUOTE=qwertyjjj;3645100]The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?
It's not a command that enables whitelisting the port but (in a RKH 1.3.4 version) a way to draw your attention to whitelisting in rkhunter.conf. If you run 1.3.4 then read the section where it reads PORT_WHITELIST.


Quote:

Originally Posted by qwertyjjj (Post 3645100)
Also, what about this:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /usr/lib/gtk-2.0/immodules/.relocation-tag /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac

Files whose filename begin with a dot were used in the past millennium as a way to hide them because they will only be listed when "-a" is used in 'ls'. Please read the accompanying FAQ, chapter 3 "USAGE QUESTIONS".

qwertyjjj 08-16-2009 06:31 AM

.....post deleted.....

qwertyjjj 08-16-2009 06:46 AM

Interesting to find a search for a rootkit called the F**k'it rootkit - lol!
On updating to 1.3.4 and re-running there were no errors about the port so must have been an old version.
I have found the whitelist section in the conf file, which I swapped over so all looks good. Thanks

qwertyjjj 08-16-2009 06:48 AM

[QUOTE=unSpawn;3645145]
Quote:

Originally Posted by qwertyjjj (Post 3645100)
The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?
It's not a command that enables whitelisting the port but (in a RKH 1.3.4 version) a way to draw your attention to whitelisting in rkhunter.conf. If you run 1.3.4 then read the section where it reads PORT_WHITELIST.



Files whose filename begin with a dot were used in the past millennium as a way to hide them because they will only be listed when "-a" is used in 'ls'. Please read the accompanying FAQ, chapter 3 "USAGE QUESTIONS".

Hang on...sorry, the port is listed in chkrootkit not rkhunter :)

Quote:

chkrootkit is reporting some files and dirs as suspicious: `.packlist', `.cvsignore', etc. These are clearly false positives. Can't you ignore these?

Ignoring some files and dirs could impair chkrootkit's accuracy. An attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.
So, I just leave them basically.

unSpawn 08-16-2009 08:58 AM

Quote:

Originally Posted by qwertyjjj (Post 3645171)
Hang on...sorry, the port is listed in chkrootkit not rkhunter :)

Ah. I see. My mistake.


Quote:

Originally Posted by qwertyjjj (Post 3645171)
So, I just leave them basically.

One way could be to remove the port:
Code:

--- chkrootkit.orig    2009-08-01 23:01:00.000000000 +0000
+++ chkrootkit.1008    2009-08-01 23:02:00.000000000 +0000
@@ -266,7 +266,7 @@
    fi
 }
 bindshell () {
-PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
+PORT="114|145|465|511|600|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
    OPT="-an"
    PI=""
    if [ "${ROOTDIR}" != "/" ]; then

* Also note Chkrootkit currently still checks for /proc/ksyms instead of /proc/kallsyms (that is, in kernel 2.6 AND with CONFIG_KALLSYMS=y enabled at kernel compile time):
Code:

--- chkrootkit.orig    2009-08-01 23:02:00.000000000 +0000
+++ chkrootkit.1008    2009-08-01 23:03:00.000000000 +0000
@@ -306,7 +306,7 @@
      fi

      if [ "${EXPERT}" = "t" ]; then
-        [ -r /proc/ksyms ] &&  ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
+        [ -r /proc/kallsyms ] &&  ${egrep} -i "adore|sebek" < /proc/kallsyms 2>/dev/null
          [ -d /proc/knark ] &&  ${ls} -la /proc/knark 2> /dev/null
          PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
          [ "$PV" = "" ] &&  PV=2
@@ -316,14 +316,14 @@
      fi

      ### adore LKM
-      [ -r /proc/ksyms ] && \
-      if `${egrep} -i adore < /proc/ksyms >/dev/null 2>&1`; then
+      [ -r /proc/kallsyms ] && \
+      if `${egrep} -i adore < /proc/kallsyms >/dev/null 2>&1`; then
          echo "Warning: Adore LKM installed"
      fi

      ### sebek LKM (Adore based)
-      [ -r /proc/ksyms ] && \
-      if `${egrep} -i sebek < /proc/ksyms >/dev/null 2>&1`; then
+      [ -r /proc/kallsyms ] && \
+      if `${egrep} -i sebek < /proc/kallsyms >/dev/null 2>&1`; then
          echo "Warning: Sebek LKM installed"
      fi

I pointed Nelson at Debian Bug #411128 ages ago but he's even more stubborn I am.


All times are GMT -5. The time now is 03:05 PM.