LinuxQuestions.org
Old 09-28-2006, 12:46 PM   #1
slackhack
debian "rootkits?"


i upgraded my debian etch box last night, it upgraded a lot of things including mysql, and today my tiger logs and chkrootkit cron jobs say i've been hacked with the "Showtee" rootkit. i'm not sure how that's possible, because /etc/hosts.deny denies ALL to sshd, and hosts.allow only contains the IPs on the LAN that are allowed to use ssh and nfs. i use protocol 2 and key based authentication, i.e., no passwords, just the key. the box runs apache, proftpd, and mysql - could any ports associated with those apps be sources of the hack? nothing looks out of the ordinary in any logs (except the usual hack attempts of proftpd from china, germany, etc. using the non-existent "Administrator" account ). rkhunter says everything is "green"/OK.

i've shut off all internet access to the box at the firewall and scanned the other computers on the network, which come up clean. my gut feeling is that this "showtee" is a false positive, some library or something changed by the upgrade, but i can't find much about it on google. what should i do next?


p.s. h4ck3rs suc|<

Last edited by slackhack; 09-28-2006 at 12:48 PM.
 
Old 09-28-2006, 12:59 PM   #2
craigevil
Not Debian specific but take a look at:
chkrootkit found ifconfig infected - LinuxQuestions.org
http://www.linuxquestions.org/questi...d.php?t=295765
 
Old 09-28-2006, 01:23 PM   #3
slackhack
thanks, i've gone through that thread and the excellent link there to the "redhat" hack page (along with about a dozen other pages on LQ that have showtee in them), but i'm not coming up with anything.

i guess i have 2 options: make md5sums and check them against known good versions? how will i know that a debian package hasn't upgraded by the time i get to compare my version against it? i'm not even sure which ones to check. or 2, clean drive and reinstall the OS.

btw, since this probably isn't debian specific after all, could a mod move it to security? appreciate.


p.s. h4ck3rs *REALLY* suc|<


---------------------
>>Solved. it was a file in the flex package.

Last edited by slackhack; 09-28-2006 at 08:42 PM.
 
Old 09-29-2006, 10:00 AM   #4
phoenix99
Quote:
Originally Posted by slackhack
p.s. h4ck3rs *REALLY* suc|<
they don't suck ... script kiddies suck..
 
Old 09-29-2006, 11:13 AM   #5
Reth
Back-up your filesystem, dd (dd if=/dev/zero of=/dev/hdX) the disk and re-install.

Re-create the system as much as possible and see if chkrootkit whines.

-Reth
 
Old 09-29-2006, 01:07 PM   #6
slackhack
Quote:
Originally Posted by Reth
Back-up your filesystem, dd (dd if=/dev/zero of=/dev/hdX) the disk and re-install.

Re-create the system as much as possible and see if chkrootkit whines.

-Reth
see edit above. it was libfl.so from the flex package. i just removed flex and that took care of it. i don't know why that was installed anyway, it doesn't seem to be a dependency of anything else i'm using, and i'm not doing any programming, if that's what it's used for. i guess it's possible i got hacked and someone installed flex, but it seems unlikely.


>>edit - link:
http://lists.debian.org/debian-user/.../msg01095.html

Last edited by slackhack; 09-29-2006 at 01:37 PM.
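The check this thread circles around (post #3 asks about comparing md5sums against known good versions and worries that the package may have moved on by the time the comparison is made; the last post traces the Showtee hit to libfl.so from the flex package) can be done against dpkg's own records rather than an external reference. dpkg keeps, per installed package, /var/lib/dpkg/info/<pkg>.list (the files it owns, which is what `dpkg -S` consults) and /var/lib/dpkg/info/<pkg>.md5sums (hashes recorded when that exact version was unpacked, so they always match the installed version). The script below is an added example written for this thread, not code from the thread, from dpkg or from the debsums tool it imitates; it builds a constructed fake root with a stand-in "flex" package so it runs offline, and the file contents and hashes in it are made up, not the real flex files.

```shell
#!/bin/sh
# Added example (not from the thread): find which Debian package owns a flagged
# file and verify that package's files against the md5sums dpkg recorded at
# install time. Real systems keep these lists under /var/lib/dpkg/info/; this
# script works against any root so it can be run on a constructed demo tree.

# which_package ROOT FILE
# Print the package whose <pkg>.list contains FILE (what `dpkg -S FILE` does).
# Prints nothing if no package owns the file, which is itself a warning sign.
which_package() {
    root=$1; file=$2
    grep -lx -- "$file" "$root"/var/lib/dpkg/info/*.list 2>/dev/null \
        | sed 's#.*/##; s#\.list$##'
}

# verify_package ROOT PKG
# Compare every entry in PKG's md5sums list with the file on disk.
# Prints "OK path", "FAILED path" or "MISSING path" per entry.
# Returns 0 if all match, 1 on any mismatch/missing file, 2 if no list exists.
verify_package() {
    root=$1; pkg=$2; status=0
    list="$root/var/lib/dpkg/info/$pkg.md5sums"
    [ -f "$list" ] || { echo "no md5sums list for $pkg" >&2; return 2; }
    # Each line of a dpkg md5sums file is "<md5>  <path without leading />".
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        actual=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK $path"
        else
            echo "FAILED $path"; status=1
        fi
    done < "$list"
    return $status
}

# build_demo_root
# Construct a throwaway root containing a fake "flex" package with two files.
# Constructed data: the file contents are stand-ins, not real libfl binaries.
build_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/dpkg/info" "$root/usr/lib"
    printf 'constructed stand-in for libfl.so\n' > "$root/usr/lib/libfl.so"
    printf 'constructed stand-in for libfl.a\n'  > "$root/usr/lib/libfl.a"
    sum_so=$(md5sum < "$root/usr/lib/libfl.so" | cut -d' ' -f1)
    sum_a=$(md5sum  < "$root/usr/lib/libfl.a"  | cut -d' ' -f1)
    printf '%s  usr/lib/libfl.so\n%s  usr/lib/libfl.a\n' "$sum_so" "$sum_a" \
        > "$root/var/lib/dpkg/info/flex.md5sums"
    printf '/usr/lib/libfl.so\n/usr/lib/libfl.a\n' \
        > "$root/var/lib/dpkg/info/flex.list"
    echo "$root"
}

# Demo run: first the clean tree, then the same tree after libfl.so is altered.
demo=$(build_demo_root)
echo "owner of /usr/lib/libfl.so: $(which_package "$demo" /usr/lib/libfl.so)"
verify_package "$demo" flex
printf 'altered\n' >> "$demo/usr/lib/libfl.so"   # simulate an on-disk change
verify_package "$demo" flex || echo "flex: on-disk files differ from dpkg's record"
rm -rf "$demo"
```

On a real Debian system the equivalents are `dpkg -S /usr/lib/libfl.so` and `debsums flex`. Two caveats a defender should keep in mind: the .md5sums files sit on the same disk as the binaries, so an intruder with root could rewrite both, which means a clean result is only a first triage step, and a stronger confirmation is to hash against the .deb fetched from a trusted mirror; and a file that no package's .list owns at all deserves more attention than one that belongs to a package and matches its recorded hash, which is the situation the thread ended up in. When the comparison fails and the package was not just upgraded, the reinstall advice given above is the safe answer.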
 