LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   chkrootkit: tcpd (https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-tcpd-521683/)

merchtemeagle 01-22-2007 08:06 AM

chkrootkit: tcpd
 
When I run chkrootkit, it reports:

Checking `tcpd'... INFECTED

I reinstalled the tcpip package from the Slackware DVD but chkrootkit still returns the same output.

Matir 01-22-2007 08:58 AM

If you really have a rootkit, you'll probably need to reinstall your system.

unSpawn is our resident security expert (and maintainer of rkhunter, which you may want to try as well) and can probably tell you a lot more than I can.

unSpawn 01-22-2007 09:03 AM

What version of Chkrootkit? Please run Chkrootkit with the "-x" and "-d" flags, output to file, then post the relevant part of output between BB code tags. If you have any doubt use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html to get assurance. If you have more than a hunch run checks from a Live CD like Helix, KNOPPIX-(STD), Fire or equiv.

merchtemeagle 01-22-2007 09:14 AM

Quote:

Originally Posted by unSpawn
What version of Chkrootkit? Please run Chkrootkit with the "-x" and "-d" flags, output to file, then post the relevant part of output between BB code tags. If you have any doubt use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html to get assurance. If you have more than a hunch run checks from a Live CD like Helix, KNOPPIX-(STD), Fire or equiv.

Both at the same run?

unSpawn 01-22-2007 09:39 AM

"-d" basically is "set -x", which should show what it reacts on and "-x" dumps all output which could come in handy to see if it's a simple FP based on say a bad anchored grep. You'll find tcpd starting near line 20000, look for "thing=tcpd", continue until the next thing= line, approx. 300 lines of output. Posting the relevant part of the output file looks way too large to post to me so cut out the part, compress it and provide a D/L location if you can or maybe post the lines in some pastebin on teh intarweb and provide a URI?

merchtemeagle 01-22-2007 02:10 PM

My chkrootkit is version 0.46.
Code:

# chkrootkit -x -d &> rootkitlog
$ grep -i "thing=tcpd" rootkitlog

This last command returns nothing.

unSpawn 01-22-2007 05:11 PM

Quote:

Originally Posted by merchtemeagle
This last command returns nothing.

Uh. It's not like I told you to do *that*, didn't I?

merchtemeagle 01-22-2007 05:17 PM

Quote:

Originally Posted by unSpawn
This last command returns nothing.
Uh. It's not like I told you to do *that*, didn't I?

True, what I meant is that I can't find a line "thing=tcpd" in the output of the chkrootkit run.

unSpawn 01-22-2007 06:23 PM

OK, BTW it's at version 0.47 now. Remembering it can do separate tests, what does "chkrootkit -d tcpd" say?

merchtemeagle 01-22-2007 06:28 PM

Code:

bash-3.1# chkrootkit tcpd
ROOTDIR is `/'
Checking `tcpd'... not infected

Code:

bash-3.1# chkrootkit -d tcpd
+ '[' / '!=' / ']'
+ '[' '' '!=' t ']'
+ echo 'ROOTDIR is `/'\'''
ROOTDIR is `/'
+ for cmd in '${LIST}'
+ echo 'amd basename biff chfn chsh cron date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write'
+ /usr/bin/egrep '(^|[^A-Za-z0-9_])tcpd([^A-Za-z0-9_]|$)'
+ '[' '' '!=' t -a '' '!=' t ']'
+ printn 'Checking `tcpd'\''... '
++ /usr/bin/echo 'a\c'
++ /usr/bin/egrep c
+ /usr/bin/echo -n 'Checking `tcpd'\''... '
Checking `tcpd'... + chk_tcpd
+ STATUS=1
+ TCPD_INFECTED_LABEL='p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'
+ '[' -r /etc/inetd.conf ']'
+ /usr/bin/ps auwx
+ /usr/bin/egrep xinetd
+ /usr/bin/egrep -v grep
+ '[' -z '' ']'
++ loc tcpd tcpd /usr/pkg/java/sun-1.5/bin /usr/pkg/bin /usr/pkg/xorg/bin /usr/pkg/java/sun-1.5/bin /usr/pkg/bin /usr/pkg/xorg/bin /usr/local/bin /usr/bin /bin /usr/X11R6/bin /usr/games . /sbin /usr/sbin /lib /usr/lib /usr/libexec .
++ thing=tcpd
++ shift
++ dflt=tcpd
++ shift
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/java/sun-1.5/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/xorg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/java/sun-1.5/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/xorg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/local/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/X11R6/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/games/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f ./tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /sbin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/sbin/tcpd
++ echo /usr/sbin/tcpd
++ exit 0
+ CMD=/usr/sbin/tcpd
+ '[' tcpd = /usr/sbin/tcpd ']'
+ '[' '' = t ']'
+ /usr/bin/strings -a /usr/sbin/tcpd
+ /usr/bin/egrep 'p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'
+ return 1
+ STATUS=1
+ '[' '' = t ']'
+ case $STATUS in
+ echo 'not infected'
not infected


unSpawn 01-22-2007 06:58 PM

Quote:

Originally Posted by merchtemeagle
Checking `tcpd'... not infected

Bummer. Opportunity gone.

merchtemeagle 01-22-2007 07:02 PM

Quote:

Originally Posted by unSpawn
Checking `tcpd'... not infected
Bummer. Opportunity gone.

I don't understand? If I run chkrootkit without the tcpd argument I still get the INFECTED warning.

unSpawn 01-22-2007 07:37 PM

OK. Let's cut this short, then; it's dragging on for too long. First upgrade to version 0.47. Then run "chkrootkit -x -d 2>&1>/tmp/logfile", bzip it and post the D/L URI.

merchtemeagle 01-22-2007 08:05 PM

Did what you said:
http://wilma.vub.ac.be/~lddekeyz/logfile.bz2

unSpawn 01-23-2007 08:15 AM

OK, I read your log:

Code:

wc -l mylog yourlog
  30242 mylog
 117019 yourlog

]# grep /tcpd mylog
(..)
++ test -f /usr/sbin/tcpd
++ echo /usr/sbin/tcpd
+ CMD=/usr/sbin/tcpd
+ '[' -z /usr/sbin/tcpd ']'
+ '[' tcpd = /usr/sbin/tcpd ']'
+ expertmode_output '/usr/bin/strings -a /usr/sbin/tcpd'
+ echo '### Output of: /usr/bin/strings -a /usr/sbin/tcpd'
### Output of: /usr/bin/strings -a /usr/sbin/tcpd
+ eval /usr/bin/strings -a /usr/sbin/tcpd
++ /usr/bin/strings -a /usr/sbin/tcpd
/usr/include/./tcpd.h

]# grep /tcpd yourlog
/usr/include/./tcpd.h

]# egrep -n "p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux" mylog
1574:+ DU_INFECTED_LABEL=/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h
6839:+ TOP_INFECTED_LABEL=/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp|/dev/ptyxx|/dev/tux|proc\.h
7329:+ LS_INFECTED_LABEL=/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h
9272:+ NETSTAT_I_L=/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h
10876:+ PS_I_L=/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h
11139:uid_hack
11466:uid_hack,pid,ppid,c,stime,tname,time,cmd
11467:f,s,uid_hack,pid,ppid,c,opri,ni,addr,sz,wchan,stime,tname,time,cmd
11626:+ PSTREE_INFECTED_LABEL=/dev/ttyof|/dev/hda01|/dev/cui220|/dev/ptyxx|^/prof|/dev/tux|proc\.h
11961:+ RLOGIN_INFECTED_LABEL=p1r0c4|r00t
20442:+ SYSLOG_I_L=/usr/lib/pt07|/dev/pty[pqrs]|/dev/hd[als][0-7]|/dev/ddtz1|/dev/ptyxx|/dev/tux|syslogs\.h
20839:+ TCPD_INFECTED_LABEL=p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux
21168:+ TOP_INFECTED_LABEL=/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h
28858:/usr/include/./openssl/symhacks.h

]# egrep -n "p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux" yourlog
58125:uid_hack
58209:uid_hack,pid,ppid,c,stime,tname,time,cmd
58210:f,s,uid_hack,pid,ppid,c,opri,ni,addr,sz,wchan,stime,tname,time,cmd
105136:gnu_hack_len
105166:gnu_hack_string
105631:gnu_hack_len
105632:gnu_hack_string

Then checked yourlog to see if they were related to /usr/sbin/tcpd. None were. Also no "infected" status found for tcpd. Besides, there's way too many output differences. Did you upgrade to version 0.47 (just to make sure)? Now I think I'm pretty comfortable with Chkrootkit in many aspects, but this got me baffled.
To summarise:
- you replaced the binary from a "known good" source (or so I hope),
- running only "tcpd" test does not return INFECTED status,
- running with debug and expert flags does not show INFECTED status for tcpd,
- Chkrootkit mailing list archives show no relevant threads on this subject,
- a diff between version 0.46a and 0.47 shows no differences I can relate to tcpd.

I suggest you first make certain (not guess or "assume") your system is clean. If unsure, run the tests from a Live CD like Helix, KNOPPIX(-STD) or equivalent. If it is clean, attach your bzipped log and get on their mailing list or send it to Nelson directly with as much detail as you can. I would appreciate it if you post back their findings.

Sorry I couldn't be of more help.
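The triage unSpawn walks through in this thread (pull the tcpd part out of a "-x -d" log by anchoring on the "thing=tcpd" line, then look at what the strings/egrep check in chk_tcpd actually matched) as an added shell example. This is not code from the thread or from chkrootkit itself; the function names (extract_test_section, printable_strings, label_hits, count_label_hits, make_sample_log, make_sample_binary, demo) are my own, the sample log lines and the two fake "binaries" are constructed for the demo, and printable_strings is a portable stand-in for "strings -a" rather than the real tool. Only the TCPD_INFECTED_LABEL regex is copied from the trace posted above.

```shell
#!/bin/sh
# Added example, not from the thread and not chkrootkit's own code.
#   extract_test_section LOG NAME  prints the debug trace from the exact "thing=NAME"
#                                  line up to (excluding) the next "thing=" line
#   label_hits FILE REGEX          repeats the "strings -a FILE | egrep REGEX" check
#                                  that chk_tcpd performs, so a hit can be inspected
# All sample data below (log lines, "binaries") is constructed for the demo.

# Label regex copied from the chk_tcpd trace in the thread.
TCPD_LABEL='p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'

extract_test_section() {
    # Anchor on "thing=NAME" at end of line: a plain "grep thing=tcpd" would also
    # hit the later tcpdump test, the same kind of loose match that causes FPs.
    awk -v name="$2" '
        $0 ~ ("thing=" name "$") { found = 1 }
        found && /thing=/ && $0 !~ ("thing=" name "$") { exit }
        found { print }
    ' "$1"
}

printable_strings() {
    # Portable stand-in for "strings -a": split on non-printable bytes and keep
    # runs of at least four printable characters (the default minimum of strings).
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

label_hits() {
    # Print every string in FILE that matches the label regex; exits 0 if any
    # did, 1 otherwise (grep's status is what chkrootkit keys STATUS on).
    printable_strings "$1" | grep -E "$2"
}

count_label_hits() {
    # Number of matching strings; the pipeline ends in tr, so it exits 0 even
    # for zero hits and is safe to use under "set -e".
    label_hits "$1" "$2" | wc -l | tr -d ' '
}

make_sample_log() {
    # Constructed log patterned on the "chkrootkit -d tcpd" trace in the thread,
    # with the following tcpdump test appended so the section boundary is visible.
    cat > "$1" <<'EOF'
+ chk_tcpd
+ STATUS=1
+ TCPD_INFECTED_LABEL='p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'
++ loc tcpd tcpd /usr/sbin /usr/bin
++ thing=tcpd
++ test -f /usr/sbin/tcpd
++ echo /usr/sbin/tcpd
+ CMD=/usr/sbin/tcpd
+ /usr/bin/strings -a /usr/sbin/tcpd
+ /usr/bin/egrep 'p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'
+ return 1
+ STATUS=1
+ echo 'not infected'
not infected
+ chk_tcpdump
++ loc tcpdump tcpdump /usr/sbin /usr/bin
++ thing=tcpdump
++ test -f /usr/sbin/tcpdump
++ echo /usr/sbin/tcpdump
EOF
}

make_sample_binary() {
    # Constructed "binaries" (NUL-separated strings, not real ELF files).
    # clean: strings a tcpd build might carry.  fp: symbol names such as
    # gnu_hack_string, which match the unanchored "hack" label although they
    # have nothing to do with a rootkit.
    if [ "$2" = clean ]; then
        printf 'ELF\0/usr/include/./tcpd.h\0twist\0refuse\0' > "$1"
    else
        printf 'ELF\0gnu_hack_len\0gnu_hack_string\0uid_hack\0' > "$1"
    fi
}

demo() {
    tmp=$(mktemp -d)
    make_sample_log "$tmp/chkrootkit.log"
    make_sample_binary "$tmp/tcpd" clean
    make_sample_binary "$tmp/tcpd.fp" fp
    echo "== trace section for the tcpd test =="
    extract_test_section "$tmp/chkrootkit.log" tcpd
    echo "== label hits, constructed clean binary: $(count_label_hits "$tmp/tcpd" "$TCPD_LABEL")"
    echo "== label hits, constructed FP binary:    $(count_label_hits "$tmp/tcpd.fp" "$TCPD_LABEL")"
    label_hits "$tmp/tcpd.fp" "$TCPD_LABEL" || true
    rm -rf "$tmp"
}

# Run the demonstration only when asked, so the functions can also be sourced.
if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as "sh triage.sh demo" to see the extracted section and the three "hack" hits from the constructed FP file. On a real system, point extract_test_section at the file captured with "chkrootkit -x -d >/tmp/logfile 2>&1" (that order puts both stdout and the "-d" trace, which set -x writes to stderr, into the file) and label_hits at the binary the CMD= line names; a hit like gnu_hack_string is the thing to check before an INFECTED verdict is trusted, because a one-word label such as "hack" matches ordinary symbol names.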


All times are GMT -5.