LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-22-2007, 08:06 AM   #1
merchtemeagle
Member
 
Registered: Oct 2004
Location: Belgium
Distribution: Slackware 13.37
Posts: 512

Rep: Reputation: 31
chkrootkit: tcpd


When I run chkrootkit, it reports:

Checking `tcpd'... INFECTED

I reinstalled the tcpip package from the Slackware DVD but chkrootkit still returns the same output.
 
Old 01-22-2007, 08:58 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
If you really have a rootkit, you'll probably need to reinstall your system.

unSpawn is our resident security expert (and maintainer of rkhunter, which you may want to try as well) and can probably tell you a lot more than I can.
 
Old 01-22-2007, 09:03 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
What version of Chkrootkit? Please run Chkrootkit with the "-x" and "-d" flags, output to file, then post the relevant part of output between BB code tags. If you have any doubt use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html to get assurance. If you have more than a hunch run checks from a Live CD like Helix, KNOPPIX-(STD), Fire or equiv.
 
Old 01-22-2007, 09:14 AM   #4
merchtemeagle
Member
 
Registered: Oct 2004
Location: Belgium
Distribution: Slackware 13.37
Posts: 512

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by unSpawn
What version of Chkrootkit? Please run Chkrootkit with the "-x" and "-d" flags, output to file, then post the relevant part of output between BB code tags. If you have any doubt use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html to get assurance. If you have more than a hunch run checks from a Live CD like Helix, KNOPPIX-(STD), Fire or equiv.
Both at the same run?
 
Old 01-22-2007, 09:39 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
"-d" basically is "set -x", which should show what it reacts on, and "-x" dumps all output, which could come in handy to see if it's a simple FP based on, say, a badly anchored grep. You'll find tcpd starting near line 20000; look for "thing=tcpd" and continue until the next thing= line, approx. 300 lines of output. Posting the relevant part of the output file looks way too large to post to me, so cut out the part, compress it and provide a D/L location if you can, or maybe post the lines in some pastebin on teh intarweb and provide a URI?
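As an added example (not code from this thread and not part of chkrootkit), here is a small Python helper that does the slicing unSpawn describes: given a "-x -d" trace it cuts out the region from the "thing=tcpd" marker up to the next "thing=" line and pulls out the verdict line chkrootkit echoed. The sample trace is constructed to look like the set -x output posted later in the thread; the test names, paths and the exact "INFECTED" echo line are assumptions.

```python
import re

# Constructed sample of a "chkrootkit -x -d" trace (shaped like the 'set -x'
# output seen in this thread, not copied from any real run).
SAMPLE_TRACE = """\
ROOTDIR is `/'
++ thing=ls
++ test -f /bin/ls
++ echo /bin/ls
+ CMD=/bin/ls
+ echo 'not infected'
not infected
++ thing=tcpd
++ test -f /usr/sbin/tcpd
++ echo /usr/sbin/tcpd
+ CMD=/usr/sbin/tcpd
+ /usr/bin/strings -a /usr/sbin/tcpd
+ /usr/bin/egrep 'p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'
+ return 1
+ STATUS=1
+ echo 'not infected'
not infected
++ thing=top
++ test -f /usr/bin/top
""".splitlines()

# The loc helper sets "thing=NAME" for every test; trace depth is shown by
# one or more leading '+' characters.
THING_MARK = re.compile(r"^\++ thing=(\S+)$")


def trace_sections(lines):
    """Split the trace into {test_name: [lines]} keyed by the thing= marker.
    Each section runs until the next marker; lines before the first marker
    (e.g. the ROOTDIR banner) belong to no test and are dropped."""
    sections = {}
    current = None
    for line in lines:
        m = THING_MARK.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        if current is not None:
            sections[current].append(line)
    return sections


def section_for(lines, name):
    """Lines of the section for one test, or [] when the marker is absent
    (the situation in post #6, where grep for thing=tcpd found nothing)."""
    return trace_sections(lines).get(name, [])


def verdict_for(lines, name):
    """The verdict chkrootkit echoed inside the section, or None if absent.
    Assumption: an infected result is echoed as the bare line 'INFECTED',
    mirroring the bare 'not infected' line visible in the trace."""
    for line in section_for(lines, name):
        if line in ("INFECTED", "not infected"):
            return line
    return None


if __name__ == "__main__":
    # To use on a real log: lines = open("/tmp/logfile").read().splitlines()
    for name in ("ls", "tcpd", "top", "sshd"):
        sec = section_for(SAMPLE_TRACE, name)
        print(f"{name}: {len(sec)} trace lines, verdict={verdict_for(SAMPLE_TRACE, name)}")
```

An empty section for a test means the marker never appeared, which is worth knowing before concluding anything from a 100k-line log: either the test was skipped, or the trace (stderr) never made it into the file.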
 
Old 01-22-2007, 02:10 PM   #6
merchtemeagle
Member
 
Registered: Oct 2004
Location: Belgium
Distribution: Slackware 13.37
Posts: 512

Original Poster
Rep: Reputation: 31
My chkrootkit is version 0.46.
Code:
# chkrootkit -x -d &> rootkitlog
$ grep -i "thing=tcpd" rootkitlog
This last command returns nothing.
 
Old 01-22-2007, 05:11 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by merchtemeagle
This last command returns nothing.
Uh. It's not like I told you to do *that*, didn't I?
 
Old 01-22-2007, 05:17 PM   #8
merchtemeagle
Member
 
Registered: Oct 2004
Location: Belgium
Distribution: Slackware 13.37
Posts: 512

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by unSpawn
This last command returns nothing.
Uh. It's not like I told you to do *that*, didn't I?
True, what I meant is that I can't find a line "thing=tcpd" in the output of the chkrootkit run.
 
Old 01-22-2007, 06:23 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
OK, BTW it's at version 0.47 now. Remembering it can do separate tests, what does "chkrootkit -d tcpd" say?
 
Old 01-22-2007, 06:28 PM   #10
merchtemeagle
Member
 
Registered: Oct 2004
Location: Belgium
Distribution: Slackware 13.37
Posts: 512

Original Poster
Rep: Reputation: 31
Code:
bash-3.1# chkrootkit tcpd
ROOTDIR is `/'
Checking `tcpd'... not infected
Code:
bash-3.1# chkrootkit -d tcpd
+ '[' / '!=' / ']'
+ '[' '' '!=' t ']'
+ echo 'ROOTDIR is `/'\'''
ROOTDIR is `/'
+ for cmd in '${LIST}'
+ echo 'amd basename biff chfn chsh cron date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write'
+ /usr/bin/egrep '(^|[^A-Za-z0-9_])tcpd([^A-Za-z0-9_]|$)'
+ '[' '' '!=' t -a '' '!=' t ']'
+ printn 'Checking `tcpd'\''... '
++ /usr/bin/echo 'a\c'
++ /usr/bin/egrep c
+ /usr/bin/echo -n 'Checking `tcpd'\''... '
Checking `tcpd'... + chk_tcpd
+ STATUS=1
+ TCPD_INFECTED_LABEL='p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'
+ '[' -r /etc/inetd.conf ']'
+ /usr/bin/ps auwx
+ /usr/bin/egrep xinetd
+ /usr/bin/egrep -v grep
+ '[' -z '' ']'
++ loc tcpd tcpd /usr/pkg/java/sun-1.5/bin /usr/pkg/bin /usr/pkg/xorg/bin /usr/pkg/java/sun-1.5/bin /usr/pkg/bin /usr/pkg/xorg/bin /usr/local/bin /usr/bin /bin /usr/X11R6/bin /usr/games . /sbin /usr/sbin /lib /usr/lib /usr/libexec .
++ thing=tcpd
++ shift
++ dflt=tcpd
++ shift
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/java/sun-1.5/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/xorg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/java/sun-1.5/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/xorg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/local/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/X11R6/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/games/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f ./tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /sbin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/sbin/tcpd
++ echo /usr/sbin/tcpd
++ exit 0
+ CMD=/usr/sbin/tcpd
+ '[' tcpd = /usr/sbin/tcpd ']'
+ '[' '' = t ']'
+ /usr/bin/strings -a /usr/sbin/tcpd
+ /usr/bin/egrep 'p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'
+ return 1
+ STATUS=1
+ '[' '' = t ']'
+ case $STATUS in
+ echo 'not infected'
not infected
 
Old 01-22-2007, 06:58 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by merchtemeagle
Checking `tcpd'... not infected
Bummer. Opportunity gone.
 
Old 01-22-2007, 07:02 PM   #12
merchtemeagle
Member
 
Registered: Oct 2004
Location: Belgium
Distribution: Slackware 13.37
Posts: 512

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by unSpawn
Checking `tcpd'... not infected
Bummer. Opportunity gone.
I don't understand? If I run chkrootkit without the tcpd argument I still get the INFECTED warning.
 
Old 01-22-2007, 07:37 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
OK. Let's cut this short, then, dragging on for too long. First upgrade to version 0.47. Then run "chkrootkit -x -d 2>&1>/tmp/logfile", bzip it and post the D/L URI.
 
Old 01-22-2007, 08:05 PM   #14
merchtemeagle
Member
 
Registered: Oct 2004
Location: Belgium
Distribution: Slackware 13.37
Posts: 512

Original Poster
Rep: Reputation: 31
Did what you said:
http://wilma.vub.ac.be/~lddekeyz/logfile.bz2
 
Old 01-23-2007, 08:15 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
OK, I read your log:

Code:
wc -l mylog yourlog
  30242 mylog
 117019 yourlog

]# grep /tcpd mylog 
(..)
++ test -f /usr/sbin/tcpd
++ echo /usr/sbin/tcpd
+ CMD=/usr/sbin/tcpd
+ '[' -z /usr/sbin/tcpd ']'
+ '[' tcpd = /usr/sbin/tcpd ']'
+ expertmode_output '/usr/bin/strings -a /usr/sbin/tcpd'
+ echo '### Output of: /usr/bin/strings -a /usr/sbin/tcpd'
### Output of: /usr/bin/strings -a /usr/sbin/tcpd
+ eval /usr/bin/strings -a /usr/sbin/tcpd
++ /usr/bin/strings -a /usr/sbin/tcpd
/usr/include/./tcpd.h

]# grep /tcpd yourlog
/usr/include/./tcpd.h

]# egrep -n "p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux" mylog 
1574:+ DU_INFECTED_LABEL=/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h
6839:+ TOP_INFECTED_LABEL=/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp|/dev/ptyxx|/dev/tux|proc\.h
7329:+ LS_INFECTED_LABEL=/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h
9272:+ NETSTAT_I_L=/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h
10876:+ PS_I_L=/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h
11139:uid_hack
11466:uid_hack,pid,ppid,c,stime,tname,time,cmd
11467:f,s,uid_hack,pid,ppid,c,opri,ni,addr,sz,wchan,stime,tname,time,cmd
11626:+ PSTREE_INFECTED_LABEL=/dev/ttyof|/dev/hda01|/dev/cui220|/dev/ptyxx|^/prof|/dev/tux|proc\.h
11961:+ RLOGIN_INFECTED_LABEL=p1r0c4|r00t
20442:+ SYSLOG_I_L=/usr/lib/pt07|/dev/pty[pqrs]|/dev/hd[als][0-7]|/dev/ddtz1|/dev/ptyxx|/dev/tux|syslogs\.h
20839:+ TCPD_INFECTED_LABEL=p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux
21168:+ TOP_INFECTED_LABEL=/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h
28858:/usr/include/./openssl/symhacks.h

]# egrep -n "p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux" yourlog
58125:uid_hack
58209:uid_hack,pid,ppid,c,stime,tname,time,cmd
58210:f,s,uid_hack,pid,ppid,c,opri,ni,addr,sz,wchan,stime,tname,time,cmd
105136:gnu_hack_len
105166:gnu_hack_string
105631:gnu_hack_len
105632:gnu_hack_string
Then I checked yourlog to see if they were related to /usr/sbin/tcpd. None were. Also no "infected" status found for tcpd. Besides, there's way too many output differences. Did you upgrade to version 0.47 (just to make sure)? Now I think I'm pretty comfortable with Chkrootkit in many aspects, but this got me baffled.
To summarise:
- you replaced the binary from a "known good" source (or so I hope),
- running only "tcpd" test does not return INFECTED status,
- running with debug and expert flags does not show INFECTED status for tcpd,
- Chkrootkit mailing list archives show no relevant threads on this subject,
- a diff between version 0.46a and 0.47 shows no differences I can relate to tcpd.

I suggest you first make certain (not guess or "assume") your system is clean. If unsure, run the tests from a Live CD like Helix, KNOPPIX(-STD) or equivalent. If it is clean, attach your bzipped log and get on their mailing list or send it to Nelson directly with as many details as you can. I would appreciate it if you post back their findings.

Sorry I couldn't be of more help.
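As an added illustration (not code from this thread and not chkrootkit's own), the following Python reproduces the check visible in the trace in post #10 and the pattern search unSpawn ran in post #15: chkrootkit runs strings -a over the located tcpd binary and pipes it through egrep with TCPD_INFECTED_LABEL; a match means INFECTED, and egrep exiting 1 (no match) becomes "not infected". The signature is taken from the trace as posted; the byte buffers are constructed stand-ins for binaries, and the strings emulation (printable runs of four or more bytes) is an assumption about the default behaviour of strings.

```python
import re

# Signature exactly as it appears in the trace in this thread
# (TCPD_INFECTED_LABEL); chkrootkit applies it to 'strings -a' output.
TCPD_INFECTED_LABEL = re.compile(rb"p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux")

# Emulation of 'strings -a': runs of 4 or more printable ASCII bytes
# (4 is the assumed default minimum length of strings).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(data: bytes) -> list:
    """Emulate 'strings -a FILE' over a raw byte buffer."""
    return [m.group(0) for m in PRINTABLE_RUN.finditer(data)]


def matching_strings(data: bytes) -> list:
    """The decoded strings that the signature hits (empty when none do).
    This is what 'egrep -n LABEL logfile' exposed in post #15."""
    return [s.decode("ascii") for s in printable_strings(data)
            if TCPD_INFECTED_LABEL.search(s)]


def chk_tcpd(data: bytes) -> str:
    """Mirror of the shell logic in the trace: 'strings -a FILE | egrep LABEL'.
    Any matching line means INFECTED; egrep returning 1 (no match) becomes
    STATUS=1 and the 'not infected' verdict."""
    return "INFECTED" if matching_strings(data) else "not infected"


# Constructed sample buffers standing in for real binaries (not real files).
# A clean tcpd carries strings like the header path seen in both logs above.
CLEAN_TCPD = (
    b"\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00"
    b"/usr/include/./tcpd.h\x00"
    b"hosts.allow\x00hosts.deny\x00"
    b"libwrap.so.0\x00"
)

# A buffer carrying the benign 'uid_hack' / 'gnu_hack_string' symbols that
# post #15 found in the log: the unanchored 'hack' alternative matches them.
BENIGN_HACK = (
    b"\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00"
    b"uid_hack\x00"
    b"gnu_hack_string\x00"
    b"tname\x00"
)


if __name__ == "__main__":
    for name, buf in (("clean tcpd", CLEAN_TCPD), ("binary with uid_hack", BENIGN_HACK)):
        print(f"Checking `{name}'... {chk_tcpd(buf)}  matches={matching_strings(buf)}")
```

The point of the second buffer is the false-positive mechanism unSpawn alluded to with "a bad anchored grep": the alternative "hack" is an unanchored substring, so any string such as uid_hack or gnu_hack_string would satisfy the signature. In this thread those strings turned out to come from elsewhere in the log and not from /usr/sbin/tcpd, which is why the INFECTED result stayed unexplained; running the signature over the exact strings output of the binary in question, as above, is the way to tell a substring hit from a real one.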
 