Linux - Security
07-17-2004, 06:26 AM | #1
Member | Registered: May 2004 | Distribution: Slackware 9.1 | Posts: 37
Been hacked; info needed
I just ran chkrootkit because I have suspected for a while that I've been hacked.
Checking `lkm'... You have 47 process hidden for readdir command
You have 47 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Until I can track down who did this and review the logs, can anyone give me any information on this Trojan... default file names or what have you?
I noticed that on some files, in particular my webcam server files and anything of interest, the users and groups were changed. They were changed to numerical users/groups.
This might explain why my Windows machine can't be booted properly. I suspect they may have deleted some files, but left the data.
07-17-2004, 06:31 AM | #2
Member (Original Poster) | Registered: May 2004 | Distribution: Slackware 9.1 | Posts: 37
Also, in my /tmp I have some anomalies... does this look like anything to you guys?
total 3424
drwxrwxrwt 15 root root 4096 Jul 17 20:22 ./
drwxr-xr-x 20 root adm 4096 Jul 15 19:57 ../
-rw-r--r-- 1 david david 1590 Jun 28 20:15 AZU12831.tmp
-rw-r--r-- 1 david david 2361 Jul 9 15:35 AZU9692.tmp
-rw-r--r-- 1 david david 3422118 Jul 9 15:39 Azureus2.1.0.4.jar
srwx------ 1 root nogroup 0 Jul 15 19:58 .fam_socket=
drwxrwxrwt 2 xfs xfs 4096 Jul 15 19:57 .font-unix/
drwx------ 3 david david 4096 Jul 15 19:58 gconfd-david/
drwx------ 2 root root 4096 Jul 7 17:21 gconfd-root/
drwxr-xr-x 2 david david 4096 Jul 17 20:30 hsperfdata_david/
drwxr-xr-x 2 root root 4096 Jul 10 16:24 hsperfdata_root/
drwxrwxrwt 2 root root 4096 Jul 17 14:46 .ICE-unix/
drwx------ 2 david david 4096 Jul 15 20:00 kde-david/
drwx------ 2 root root 4096 Jul 17 14:45 kde-root/
drwx------ 2 david david 4096 Jul 17 20:31 ksocket-david/
drwx------ 2 root root 4096 Jul 17 14:46 ksocket-root/
drwx------ 3 david david 4096 Jul 15 19:58 mcop-david/
drwx------ 2 root root 4096 Jun 21 20:21 scrollkeeper-root/
-r--r--r-- 1 root david 11 Jul 15 19:58 .X0-lock
drwxrwxrwt 2 root david 4096 Jul 15 19:58 .X11-unix/
-rw------- 1 root root 58 Jul 17 20:07 xauth.XXXXniF75f
07-17-2004, 07:11 AM | #3
Member (Original Poster) | Registered: May 2004 | Distribution: Slackware 9.1 | Posts: 37
I found these in my apache logs. I was testing some things with apache and had it open for a few days.
61.42.74.111 - - [03/Jul/2004:22:04:14 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 391 "-" "-"
18.80.230.150 - - [02/Jul/2004:13:58:58 -0400] "CONNECT 64.156.215.18:25 HTTP/1.1" 403 399 "-" "-"
07-17-2004, 07:14 PM | #4
Senior Member | Registered: May 2004 | Location: In the DC 'burbs | Distribution: Arch, Scientific Linux, Debian, Ubuntu | Posts: 4,290
The first entry from your Webserver log is just an IIS Code Red exploit attempt, not the source of your problem. Your /tmp files don't show anything that to me immediately looks out of place. But the chkrootkit result is troubling. Until you can get a handle on things, you should disconnect the machine from the Internet (the dhclient PF_PACKET is probably a false positive -- unless you don't intend to be using DHCP on that interface). How long do you feel you've been hacked? If the event occurred more than a few weeks ago, then the relevant log(s) will have been overwritten, assuming the cracker didn't just whitewash them himself. In any case: when you disconnect the machine, look for new/strange accounts, particularly with UID 0. Ultimately, though, I think you'll have to reinstall the OS from known good media.
An LKM trojan is particularly insidious because it runs as part of the Linux kernel proper, making it tough to detect. As you can see, there are processes running on your system that are hidden from the ps command -- that's not good. One of these processes may be giving a root shell to anyone who connects to a particular port, or doing something equally nasty. You shouldn't take chances -- disconnect the box and try to see if you can figure out who did this, back up any important data (and be sure to check it, and don't back up any executables or odd-looking files/scripts; you don't want to back up any of the intruder's stuff and put it on your new install), reinstall, and apply ALL relevant security patches before connecting the machine back.
07-18-2004, 10:34 PM | #5
Member | Registered: Feb 2004 | Posts: 467
chkrootkit is not always reliable. On my system, when apache2 is running, it shows up as a hidden process.
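The hidden-process comparison behind chkrootkit's `lkm` warning in post #1, together with the false positive that posts #5 and #7 describe (threads and short-lived processes counted as "hidden"), as an added Python example that is not chkrootkit's code and not from this thread: it diffs the PIDs visible through /proc against those reported by ps, discards thread IDs, and re-checks that a candidate still exists so a process that exited between the two snapshots is not reported. The function names are mine, and the exact internals of chkrootkit's check are an assumption.

```python
#!/usr/bin/env python3
"""Added example: compare the /proc view of processes with the ps view,
the way a 'hidden process' rootkit check does, while filtering the two
usual false-positive sources (thread IDs and processes that exited
between the two snapshots)."""
import os
import subprocess


def hidden_pids(proc_pids, ps_pids, thread_ids, still_alive):
    """Pure comparison step, so it can be run on constructed input.
    proc_pids: PIDs seen by reading /proc; ps_pids: PIDs reported by ps;
    thread_ids: TIDs that are not thread-group leaders (never listed by ps);
    still_alive: candidate PIDs that still existed after ps finished."""
    candidates = set(proc_pids) - set(ps_pids)
    candidates -= set(thread_ids)        # threads are not processes to ps
    return sorted(p for p in candidates if p in still_alive)


def snapshot_proc():
    """PIDs obtained by listing /proc (the 'readdir' side of the check)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def snapshot_threads(pids):
    """Thread IDs under /proc/<pid>/task, minus the group leaders themselves."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass                          # exited meanwhile; see still_alive
    return tids - set(pids)


def snapshot_ps():
    """PIDs as reported by ps, the view a rootkit would filter."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(x) for x in out.split()}


def check_live():
    """Run the comparison on the live system and return suspect PIDs."""
    proc = snapshot_proc()
    ps = snapshot_ps()
    threads = snapshot_threads(proc)
    # Re-check candidates after ps ran: a PID that is gone simply exited.
    alive = {p for p in proc - ps if os.path.isdir(f"/proc/{p}")}
    return hidden_pids(proc, ps, threads, alive)


if __name__ == "__main__":
    suspects = check_live()
    print(f"{len(suspects)} process(es) visible in /proc but not in ps: {suspects}")
```

A non-empty result still deserves the treatment post #4 recommends; an empty one only says this particular comparison found nothing, since a kernel-level rootkit can filter both views.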
07-19-2004, 12:00 AM | #6
Senior Member | Registered: Mar 2003 | Location: Beautiful BC | Distribution: RedHat & clones, Slackware, SuSE, OpenBSD | Posts: 1,791
Try running rkhunter.
#netstat -pl
will give you a list of processes that are listening. BUT, if your system is compromised, the output may not be showing you the exact state.
07-19-2004, 12:29 AM | #7
Member | Registered: Jun 2003 | Location: UK | Distribution: Devuan Beowulf | Posts: 514
I've had a similar problem. I was running Azureus, and I think that accounted for maybe 20 of my hidden processes. After bed, I'll have to consider whether or not to reinstall, but if rkhunter isn't showing anything later on I'll probably leave it for the minute.
On the same topic, is it possible to just rebuild a new kernel using new source, and copy over the /bin and /sbin files from another system that hasn't been compromised?
07-19-2004, 01:02 AM | #8
Senior Member | Registered: Mar 2003 | Location: Beautiful BC | Distribution: RedHat & clones, Slackware, SuSE, OpenBSD | Posts: 1,791
Quote:
On the same topic, is it possible to just rebuild a new kernel using new source, and copy over the /bin and /sbin files from another system that hasn't been compromised?
Can... but how can you be sure that the attacker's tools are not lying around elsewhere on your disks, and that there are no access points that would enable the attacker to regain control of your system?
Last edited by ppuru; 07-19-2004 at 01:07 AM.
07-19-2004, 03:18 AM | #9
Member (Original Poster) | Registered: May 2004 | Distribution: Slackware 9.1 | Posts: 37
I re-installed, and Opera / Azureus were the source of the ps's.
Does anyone have a good tutorial on Tripwire? I'll be keeping it up to date first this time.
All times are GMT -5. The time now is 12:51 AM.