--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------
Rootkit 'Sin Rootkit'... [ Warning! ]
After the rootkit check is done, it also reports this:
* Suspicious files and malware
Scanning for known rootkit strings [ BAD ]
Scanning for known rootkit files [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
---------------------------------------------
Unusual files:
/dev/ttyoa: ASCII text
/dev/ttyof: ASCII text
/dev/ttyop: ASCII text
---------------------------------------------
This ain't so good, as when I check the dev files, they come up looking anything but clean:
And when I do strings --all on the files mentioned as bad, I see /dev/ttyop show up in /bin/ps (only one checked so far).
This is no doubt not good, but the machine is fairly protected, at least from a firewall point of view, with 3 or 4 ports open, being mail, ssh, httpd.
I have not been the one doing the updates on the machine, but was sent in to do the cleanup. Any suggestions on what to do next? I obviously should reinstall, and only keep the things most desperately needed, but is this most likely the work of a script kiddie, or something that has been configured wrong and allowed a hacker to take over?
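The two checks the poster ran (rkhunter's "unusual files in /dev" test and strings --all on /bin/ps) can be redone by hand. The script below is an added example, not the poster's or rkhunter's own code: it builds a throw-away directory standing in for /dev and /bin, so it runs as an unprivileged user and touches no real system files. The paths, file contents, the fake "binary" bytes and the /dev/tty* regex are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: redo by hand the two checks the poster
# ran (rkhunter's "unusual files in /dev" check and `strings` on /bin/ps),
# against a constructed throw-away directory so it needs no root and touches
# no real system files. All paths and file contents below are made up.
set -u

# Print, sorted, every regular file under $1 whose content is printable ASCII.
# Legitimate /dev entries are device nodes, symlinks, FIFOs or sockets; a
# regular text file there is exactly what rkhunter reported (/dev/ttyoa,
# /dev/ttyof, /dev/ttyop). No `file` needed: bytes outside [:print:][:space:]
# are counted instead, and a file with none of them is treated as text.
find_text_files_in_dev() {
    find "$1" -type f | while IFS= read -r f; do
        leftover=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
        if [ "$leftover" -eq 0 ]; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Print, one per line, each /dev/tty* path embedded in the binary $1. This
# is the `strings | grep` step without binutils: grep -a scans the binary as
# text. A stock ps may legitimately contain a bare "/dev/tty" prefix, so what
# matters is an odd name such as /dev/ttyop, or any difference from a clean
# copy of the same package.
dev_refs_in_binary() {
    LC_ALL=C grep -a -o '/dev/tty[[:alnum:]]*' "$1" | sort -u
}

# --- constructed sample data standing in for /dev and /bin (not real files) ---
work=$(mktemp -d)
mkdir "$work/dev" "$work/bin"
printf 'sshd\nbackdoor\n' > "$work/dev/ttyop"       # process names to hide
printf '6667\n' > "$work/dev/ttyoa"                  # ports to hide
ln -s /dev/null "$work/dev/null"                     # symlink, not a regular file
# A fake "ELF" file with NUL bytes and the tell-tale config path embedded.
printf '\177ELF\001\002\003\000\000/dev/ttyop\000/proc\000' > "$work/bin/ps"
printf '\177ELF\001\002\003\000/proc\000' > "$work/bin/ls"  # clean

flagged=$(find_text_files_in_dev "$work/dev")
ps_refs=$(dev_refs_in_binary "$work/bin/ps")
ls_refs=$(dev_refs_in_binary "$work/bin/ls")

printf 'Unusual files:\n%s\n' "$flagged"
printf 'ps references: %s\n' "${ps_refs:-(none)}"
printf 'ls references: %s\n' "${ls_refs:-(none)}"
rm -rf "$work"
```

On a real suspect box, point find_text_files_in_dev at /dev and dev_refs_in_binary at /bin/ps, /bin/netstat and /bin/ls, and remember that the shell, find, grep and tr you are typing into may themselves be replaced; a result of "nothing found" from a trojaned toolchain proves nothing, which is why the replies below favour pulling the drive.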
First I would do as little as possible on the compromised machine, maybe get the output of lsof -i and then immediately take it offline. Immediately remove the drive and put it some place safe, then put a new drive in the system and do a reinstall.
Normally I'd suggest looking around the system and doing forensic analysis yourself, simply because most authorities won't really do much for the average hacked machine. In this case however, your system may contain info relevant to a phishing scam (fraud) and may be helpful in identifying the perpetrators. I'd contact ebay and ask them if they have any information regarding the use of your machine to commit fraud (the phishing scam). If so, you should contact your local authorities and report that you may have information regarding a phishing scam. If the fraud involves significant financial losses, they may actually want the drive so that their own forensic specialists can examine it, so monkeying around on it is not a good idea.
Last edited by Capt_Caveman; 04-05-2005 at 01:52 PM.
Rootkit 'Dreams Rootkit'... [ Warning! ]
The only thing I read was that 'Dreams' exploits a gzip buffer overflow.
Unusual files:
/dev/ttyoa: ASCII text
The ttyo.* are config files for hiding stuff: A for netstat, P for ps.
This is no doubt not good, but the machine is fairly protected, at least from a firewall point of view, with 3 or 4 ports open, being mail, ssh, httpd.
Arbitrary classification at least, as 'fairly protected' got the box compromised anyway. Take an older or unpatched version or an insecure install and presto: root.
I'd make myself some disk images to work on if you care for that; for the rest, I agree that what CC wrote is the best approach.
I'd make myself a disk image to keep. Given the situation described, there is likely some serious liability for someone. I would make certain that I had a complete copy of the data that was on the system so that I could turn aside any attempt to make me the one liable.
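The evidence-preservation steps the replies describe (get lsof -i, pull the plug, pull the drive, image it, keep a copy you can stand behind) in runnable form. This is an added example, not code from any poster: it images a constructed 4096-byte file in place of the pulled drive so it runs without root or spare hardware, and it assumes sha256sum from GNU coreutils. The command list, output paths and names are all made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: the evidence-preservation steps the
# replies describe -- grab the little volatile state worth having (lsof -i),
# then image the drive and record sha256 digests of source and image so the
# copy can later be shown to be faithful. To run without a real drive it
# images a constructed 4096-byte file; paths and names are made up. Digests
# come from sha256sum (GNU coreutils).
set -u

# Run each listed command once, saving output under $1, skipping tools that
# are not installed. Then unplug the network: every further command on the
# suspect box runs through binaries (ps, netstat, ls) that may be trojaned,
# as the thread's /bin/ps is, so its output is evidence of what the box
# claimed, not of what was true.
capture_volatile() {
    mkdir -p "$1"
    for cmd in 'date -u' 'lsof -i' 'ss -tupan' 'netstat -tupan'; do
        tool=${cmd%% *}
        command -v "$tool" >/dev/null 2>&1 || continue
        $cmd > "$1/$(printf '%s' "$cmd" | tr ' ' '_').txt" 2>&1 || true
    done
}

# Image device/file $1 onto $2 with dd and write the sha256 of both to $3.
# Returns non-zero and prints nothing if the digests differ; otherwise prints
# the image digest. bs=512 matches the sector size, so conv=noerror,sync only
# ever zero-fills unreadable sectors and never pads the end of the image
# (with a larger block size it would, and the two digests would then differ
# on any drive whose size is not a multiple of that block size).
image_and_hash() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    sha256sum "$1" "$2" > "$3"
    src_sum=$(sed -n '1p' "$3" | cut -d' ' -f1)
    img_sum=$(sed -n '2p' "$3" | cut -d' ' -f1)
    [ "$src_sum" = "$img_sum" ] || return 1
    printf '%s\n' "$img_sum"
}

# --- constructed stand-in for the pulled drive: 4096 bytes, sector-aligned ---
work=$(mktemp -d)
yes 'fake disk block' | head -c 4096 > "$work/sda"

capture_volatile "$work/volatile"
image_sum=$(image_and_hash "$work/sda" "$work/sda.img" "$work/sha256.txt")
printf 'image %s/sda.img sha256 %s\n' "$work" "$image_sum"
printf 'digest record:\n'
cat "$work/sha256.txt"
```

For a real case the source is the block device of the pulled drive attached read-only to a clean machine (a hardware write blocker if one is available), the image goes to a drive that is larger than the source, and the digest file is kept with the image and, ideally, a signed or printed copy somewhere else; a digest recorded at imaging time is what lets you later show that the copy you analysed, and any copy you hand over, is the disk as it was pulled.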