LinuxQuestions.org
Old 06-28-2017, 10:44 AM   #1
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

Rep: Reputation: Disabled
rootkit installed?


Someone left an ssh port open to the world for a considerable amount of time. I know modern hackers clear syslogs to clear their tracks. What is the best way to find if a rootkit has been installed?
 
Old 06-28-2017, 12:08 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
and if it was not a "modern hacker"?
See also https://www.linuxquestions.org/quest...og-4175608746/

Last edited by Habitual; 06-28-2017 at 12:40 PM.
 
Old 06-28-2017, 01:56 PM   #3
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2142
Quote:
Originally Posted by aidylewis View Post
Someone left an ssh port open to the world for a considerable amount of time.
Lots of SSH servers are open to the world 24/7. Do you have reason to believe you had an unauthorized login? Does the system have root login disabled? Does it have any other easily-guessable usernames with login access?

If root login is disabled and you don't have any other guessable usernames, then an attacker is going to have to guess both the username and the password from scratch; the chance that a script-kiddie has of pulling that off is zero. If you were specifically targeted by an individual then maybe they could guess a valid username, but as long as your passwords are reasonably secure, the amount of time it would take to brute force one with SSH's default ~3 second delay after an incorrect login attempt means it would take decades (maybe more) to do so.

It's always a good idea to change the default SSH port and install fail2ban or similar to blacklist IPs after a few failed login attempts, but I'd say the chances of your system getting broken into because somebody left the SSH port exposed are INCREDIBLY small, unless you have some stupid login/password combinations like admin/admin going on.
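As an added example, not from the thread, here is a small POSIX shell audit of the sshd_config settings post #3 calls out (default port, root login, and password logins), run over two constructed config files; sshd_setting and audit_sshd are names chosen here, and the fail2ban thresholds in the comment are a choice, not figures from the thread.

```shell
#!/bin/sh
# Two constructed sshd_config files: the exposed state post #3 warns about and
# a hardened one. Neither is a real server's configuration.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: default port, root login allowed, passwords accepted
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: non-default port, root login and password logins off
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF

# sshd_setting FILE KEYWORD DEFAULT: first uncommented value of KEYWORD, else
# DEFAULT. sshd keywords are case-insensitive and, outside Match blocks, the
# first occurrence wins; Match blocks are not handled by this parser.
sshd_setting() {
    v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd FILE: prints one line per check; the exit status is the number of
# failed checks, so 0 means the file passes all three.
audit_sshd() {
    fails=0
    port=$(sshd_setting "$1" Port 22)
    root=$(sshd_setting "$1" PermitRootLogin prohibit-password)
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    if [ "$port" = 22 ]; then echo "FAIL Port is the default 22"; fails=$((fails + 1))
    else echo "ok   Port $port"; fi
    if [ "$root" = no ]; then echo "ok   PermitRootLogin no"
    else echo "FAIL PermitRootLogin $root (post #3: disable root login)"; fails=$((fails + 1)); fi
    if [ "$pw" = no ]; then echo "ok   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication $pw (keys only keep guessable passwords out)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Companion fail2ban jail (jail.local) as post #3 suggests; real fail2ban keys,
# thresholds chosen here:
#   [sshd]
#   enabled  = true
#   maxretry = 3
#   bantime  = 3600
echo "== weak =="; audit_sshd "$WEAK_CFG" || echo "$? check(s) failed"
echo "== hardened =="; audit_sshd "$HARD_CFG" && echo "all checks passed"
```

On a live host, `sshd -T` prints the effective configuration including Match blocks, which this parser does not evaluate.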
 
Old 06-28-2017, 02:20 PM   #4
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,064

Rep: Reputation: 2434
Do you not have a rootkit detector (RootKitHunter perhaps) installed and scheduled for a daily run?
I always try to get rootkit detection, AV, and fail2ban installed on anything with direct access from external networks before user access is allowed.
 
Old 06-28-2017, 02:30 PM   #5
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,772

Rep: Reputation: 3599
I'd reload the entire system from clean known good media. I've never had much faith in finding problems. Clean install I know.
 
Old 06-28-2017, 06:57 PM   #6
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,064

Rep: Reputation: 2434
Quote:
Originally Posted by jefro View Post
I'd reload the entire system from clean known good media. I've never had much faith in finding problems. Clean install I know.
If you have a rootkit, they try to hide themselves from all of the normal utilities. If you KNOW you have a rootkit problem, a clean load is always the best answer. It may be overkill in your case, but worth the trouble for your peace of mind.

Just make sure you add rootkit detection or protection before you open services to the internet again, and you should be golden.
 
Old 06-28-2017, 07:18 PM   #7
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,772

Rep: Reputation: 3599
Just to be clear.
Wasn't disagreeing with you wpeckham, just pointed out my opinion on the OP's question.

Yes, active protection is good.

Last edited by jefro; 06-29-2017 at 09:32 PM.
 
Old 06-29-2017, 09:25 PM   #8
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
It's the old, "Someone broke in and replaced everything with exact duplicates," routine.
 
Old 06-30-2017, 07:50 AM   #9
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,064

Rep: Reputation: 2434
Quote:
Originally Posted by AwesomeMachine View Post
It's the old, "Someone broke in and replaced everything with exact duplicates," routine.
I have seen a rootkit-infected machine. The acting admin was a CPA with no security training who used a short, guessable password. That "replaced everything..." is pretty much it.

A few things broke, but most of it kinda worked. For example, ps worked but refused to display the rootkit processes, and crashed if there were too many processes (bad code). top just crashed, but that may have been by intent. I captured some data using a live-CD image from USB and then reimaged the server. Luckily I was called in fast. The server contained no data and had critical configuration files relocated to non-standard paths: the breakers did not get time to figure out why their attempts to subvert the machine were not working.

Re-imaged the machine and re-created the configurations, gave a short workshop on security without humiliating that CPA, advised them to hire a local admin firm or agent to help them protect their network, made sure that they were fully productive and safe, and skipped town. Took a whole two days, and half of that was talking and drinking coffee.

In the extreme case, this is what you should expect and one way to move the client forward after such an exploit.

Off topic: Very nice people, by the way, and I would love to work with them again. Alas, if I did my job right they will never again need me.
 
Old 06-30-2017, 08:59 AM   #10
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

Original Poster
Rep: Reputation: Disabled
I have seen (not where I currently work BTW) an EC2 box with port 22 open being used as a DDOS machine. I ran the RootKitHunter, no errors. But this summary:

System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 141
Suspect files: 5

Rootkit checks...
Rootkits checked : 480
Possible rootkits: 1

Would this be my rootkit by any chance?
 
Old 06-30-2017, 09:57 AM   #11
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 21 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2925
Quote:
Originally Posted by aidylewis View Post
I have seen (not where I currently work BTW) an EC2 box with port 22 open being used as a DDOS machine. I ran the RootKitHunter, no errors. But this summary:

System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 141
Suspect files: 5

Rootkit checks...
Rootkits checked : 480
Possible rootkits: 1

Would this be my rootkit by any chance?
Who knows? You need to upload the entire rkhunter output to a pastebin site and share the link here so that we can examine it in more detail.

Or, find the line in the output that refers to the possible rootkit (look for "warning"?) and paste that line (and the few around it) here.
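As an added example, not posted in the thread, this is the triage post #11 asks for, done in shell over a constructed rkhunter log excerpt (the layout only approximates /var/log/rkhunter.log, and every warning, path and rootkit name in it is made up); rk_summary, rk_warnings and rk_warning_count are names chosen here.

```shell
#!/bin/sh
# Constructed excerpt in the approximate layout of /var/log/rkhunter.log; the
# warnings, paths and the rootkit name are made up for illustration.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[10:21:03] Info: Starting test name 'filesystem'
[10:21:03]   Checking for prerequisites                       [ Warning ]
[10:21:03] Warning: Required commands check failed: the following required commands are missing: stat
[10:21:04]   /usr/bin/ps                                      [ Warning ]
[10:21:04] Warning: The file properties have changed:
[10:21:04]          File: /usr/bin/ps
[10:21:04]          Current hash: 0000 (constructed value)
[10:21:05] Info: Starting test name 'known_rkts'
[10:21:06]   Checking for Example Rootkit (constructed name)  [ Warning ]
[10:21:06] Warning: Found file '/tmp/.constructed'. Possible rootkit: Example Rootkit
[10:21:10] Info: System checks summary
[10:21:10] Files checked: 141
[10:21:10] Suspect files: 5
[10:21:10] Rootkits checked : 480
[10:21:10] Possible rootkits: 1
EOF
# rk_summary LOG LABEL: the number after "LABEL:" in the summary block
rk_summary() {
    sed -n "s/^.*$2 *: *\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}
# rk_warning_count LOG: how many "Warning:" records the log holds
rk_warning_count() {
    grep -c 'Warning:' "$1"
}
# rk_warnings LOG: each "Warning:" line plus the deeper-indented detail lines
# after it, where rkhunter names the file or rootkit it matched. A detail line
# is taken to be one with six or more spaces after the timestamp.
rk_warnings() {
    awk '/Warning:/ { print; inwarn = 1; next }
         inwarn && /^\[[0-9:]*\]      / { print; next }
         { inwarn = 0 }' "$1"
}
# Triage as post #11 suggests: show the warnings and what the summary counted.
rk_warnings "$SAMPLE_LOG"
echo "warnings: $(rk_warning_count "$SAMPLE_LOG"), suspect files: $(rk_summary "$SAMPLE_LOG" 'Suspect files'), possible rootkits: $(rk_summary "$SAMPLE_LOG" 'Possible rootkits')"
# Daily run as post #4 suggests (cron line; --cronjob and --rwo are real options):
#   0 3 * * * root /usr/bin/rkhunter --cronjob --rwo
# After legitimate package updates, "file properties" warnings are expected;
# refresh the baseline with "rkhunter --propupd" only on a host known to be clean.
```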
 