LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-30-2006, 09:56 PM   #1
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Rep: Reputation: 39
Compromised ? ./2[1].6.12


Hi,

Noticed in my cron daily email from server this .

Code:
/etc/cron.daily/logrotate:
(98)Address already in use: make_sock: could not bind to address [::]:80
no listening sockets available, shutting down
Unable to open logs
error: error running shared postrotate script for /var/log/apache2/*.log 
run-parts: /etc/cron.daily/logrotate exited with return code 1
So when hunting and.....

Code:
[root@debian rc1.d]#  netstat -tulpn | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN     9340/2[1].6.12
Code:
[root@debian rc1.d]#  ps ax | grep 9340
 9340 ?        T      0:00 ./2[1].6.12
16123 pts/0    R+     0:00 grep 9340

What the heck is that? Looks like a kernel version of sorts.

chkrootkit doesn't return anything about this. I haven't any other packages like tripwire or snort installed yet.

Should I be worried?
 
Old 09-30-2006, 10:30 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Looks highly suspect. Who owns it (ps aux)?

What does cat /proc/9340/cmdline show?

Also go through the usual suspects: Check /tmp for any weird files or directories. Check the output of last -i for abnormal logins. Check /etc/passwd for new users or non-root users with uid/gid of 0. Check system logs for anything strange especially error messages or panics. Check root and user bash histories. Check system for SUID/SGID root files. If you have any other systems on this network, try sniffing some of the outbound traffic.

If the process is owned by root (or someone with 0 uid) then this is likely a serious incident that will require a complete rebuild from trusted media. The fact that the process is using a privileged port is not a good sign.

Last edited by Capt_Caveman; 09-30-2006 at 10:32 PM.
 
Old 10-02-2006, 06:14 AM   #3
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Thanks Caveman.

I later did this....

Code:
[root@debian rc1.d]#  kill -9 9340
[root@debian rc1.d]#  ps ax | grep 9340
16129 pts/0    R+     0:00 grep 9340
[root@debian rc1.d]#  invoke-rc.d apache2 start
Starting web server: Apache2(98)Address already in use: make_sock: could not bind to address [::]:80
no listening sockets available, shutting down
Unable to open logs
invoke-rc.d: initscript apache2, action "start" failed.
[root@debian rc1.d]#  ps ax | grep 9340
16152 pts/0    R+     0:00 grep 9340
[root@debian rc1.d]#  netstat -tulpn | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN     9346/k-rad3
[root@debian rc1.d]#  ps ax | grep 9346
 9346 ?        T      0:00 ./k-rad3
16156 pts/0    R+     0:00 grep 9346
Then I killed process 9346 and started Apache OK. Then I went away for the long weekend and only just got back to read your reply.

So far apache is running fine, but I will comb through the server for anything suspicious. It's only meant to be a temp server anyway, but I have been running it for a few months now [home projects just seem to take longer than you want].
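The checks Capt_Caveman lists in post #2 (uid/gid 0 accounts, SUID/SGID files, who owns the listener) and the netstat/ps inspection from posts #1 and #3, collected into one script. This is an added example and not code from the thread; it assumes Linux with /proc, awk and find, and the allowlisted daemon names (sshd, apache2, cupsd) and the `--live` flag are the example's own choices, not anything the posters used. Paths are arguments so each helper can be run on a copied passwd file or saved netstat output as well as on the live box.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a suspicious listener.
# Assumes Linux with a /proc filesystem, awk and find. All inputs are arguments so the
# functions can be run against copied or constructed files as well as the live system.

# Accounts other than root with uid 0 or gid 0 in a passwd-format file.
uid0_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# SUID/SGID regular files below a directory, staying on one filesystem (skips /proc,
# NFS mounts). Check each hit against the package manager (dpkg -S on Debian) instead
# of eyeballing the list.
suid_sgid_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Listeners on privileged ports (< 1024) whose program name is not one you expect.
# $1: file holding `netstat -tulpn` output; remaining args: expected program names.
odd_listeners() {
    f=$1; shift
    awk -v allow=" $* " '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            n = split($4, a, ":"); port = a[n] + 0      # last component of the local address
            if (port >= 1024) next
            if ($NF == "-") { pid = "?"; prog = "?" }   # not permitted to see the owner
            else { split($NF, pp, "/"); pid = pp[1]; prog = substr($NF, length(pid) + 2) }
            if (index(allow, " " prog " ") == 0) print port, pid, prog
        }' "$f"
}

# What a PID actually is, read from /proc before anything is killed: the binary on disk
# (a "(deleted)" suffix or a path under /tmp is a bad sign), working directory, full argv
# and the parent chain. In the thread the :80 listener came straight back under a new
# name after kill -9, which is what a respawning parent looks like; the chain shows it.
proc_info() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe:   %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    printf 'cwd:   %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    printf 'argv:  %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    p=$pid; chain=""
    while [ "$p" -gt 1 ] && [ -r "/proc/$p/status" ]; do
        name=$(awk '/^Name:/ { print $2 }' "/proc/$p/status")
        chain="$chain$p($name) <- "
        p=$(awk '/^PPid:/ { print $2 }' "/proc/$p/status")
        [ -n "$p" ] || break
    done
    printf 'chain: %s%s\n' "$chain" "$p"
}

# Only touch the live system when asked; otherwise the functions are just defined so
# the file can be sourced and the helpers called on saved data.
if [ "${1:-}" = "--live" ]; then
    echo "== accounts with uid/gid 0 other than root =="; uid0_accounts /etc/passwd
    echo "== SUID/SGID files on the root filesystem =="; suid_sgid_files /
    ns=$(mktemp); netstat -tulpn > "$ns" 2>/dev/null
    echo "== unexpected privileged-port listeners (port pid program) =="
    odd_listeners "$ns" sshd apache2 cupsd
    for p in $(odd_listeners "$ns" sshd apache2 cupsd | awk '$2 != "?" { print $2 }'); do
        echo "== /proc view of pid $p =="; proc_info "$p"
    done
    rm -f "$ns"
fi
```

Run it as `sh triage.sh --live` on the box, or `. ./triage.sh` and call the helpers on files copied off it. Note that the script only reads; it does not kill anything, because once the listener in post #3 was killed the only evidence left was a second process with a different name.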
 
Old 10-02-2006, 07:05 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Code:
tcp6 0 0 :::80 :::* LISTEN 9346/k-rad3
While the name a process is known by itself doesn't make it malicious, chances a benign process is named "k-rad3" are infinitesimally, uh, small. If it's the K-rad3 I think it is then you're looking at a kernel 2.6 exploit from 2005.

I suggest you read these before doing anything else:
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html
then perform those tasks CC asked you.
 
Old 10-10-2006, 07:47 PM   #5
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
The checklist didn't find any anomalies at all. Good sign.

I'll try the other steps next.

Thanks
 