09-28-2006, 12:46 PM
#1
slackhack
Senior Member
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016
debian "rootkits?"
I upgraded my Debian etch box last night; it upgraded a lot of things including MySQL, and today my tiger logs and chkrootkit cron jobs say I've been hacked with the "Showtee" rootkit. I'm not sure how that's possible, because /etc/hosts.deny denies ALL to sshd, and hosts.allow only contains the IPs on the LAN that are allowed to use ssh and NFS. I use protocol 2 and key-based authentication, i.e., no passwords, just the key. The box runs Apache, ProFTPD, and MySQL - could any ports associated with those apps be sources of the hack? Nothing looks out of the ordinary in any logs (except the usual hack attempts on proftpd from China, Germany, etc. using the non-existent "Administrator" account). rkhunter says everything is "green"/OK.
I've shut off all internet access to the box at the firewall and scanned the other computers on the network, which come up clean. My gut feeling is that this "showtee" is a false positive, some library or something changed by the upgrade, but I can't find much about it on Google. What should I do next?
p.s. h4ck3rs suc|<
Last edited by slackhack; 09-28-2006 at 12:48 PM.
09-28-2006, 01:23 PM
#3
slackhack
Senior Member
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016
Original Poster
Thanks, I've gone through that thread and the excellent link there to the "redhat" hack page (along with about a dozen other pages on LQ that have showtee in them), but I'm not coming up with anything.
I guess I have 2 options: 1, make md5sums and check them against known good versions? How will I know that a Debian package hasn't been upgraded by the time I get to compare my version against it? I'm not even sure which ones to check. Or 2, clean the drive and reinstall the OS.
BTW, since this probably isn't Debian specific after all, could a mod move it to Security? Appreciated.
p.s. h4ck3rs *REALLY* suc|<
---------------------
>>Solved. It was a file in the flex package.
Last edited by slackhack; 09-28-2006 at 08:42 PM.
09-29-2006, 10:00 AM
#4
Member
Registered: Jun 2004
Location: Canada
Distribution: Slackware 10.2 KDE 3.4
Posts: 43
Quote:
Originally Posted by slackhack
p.s. h4ck3rs *REALLY* suc|<
They don't suck ... script kiddies suck.
09-29-2006, 11:13 AM
#5
Reth
LQ Newbie
Registered: Mar 2005
Location: Australia
Distribution: Slackware, Debian, Gentoo, FreeBSD.
Posts: 8
Back up your filesystem, dd (dd if=/dev/zero of=/dev/hdX) the disk and re-install.
Re-create the system as much as possible and see if chkrootkit whines.
-Reth
09-29-2006, 01:07 PM
#6
slackhack
Senior Member
Registered: Jun 2004
Distribution: Arch, Debian, Slack
Posts: 1,016
Original Poster
Quote:
Originally Posted by Reth
Back up your filesystem, dd (dd if=/dev/zero of=/dev/hdX) the disk and re-install.
Re-create the system as much as possible and see if chkrootkit whines.
-Reth
See edit above. It was libfl.so from the flex package. I just removed flex and that took care of it. I don't know why that was installed anyway; it doesn't seem to be a dependency of anything else I'm using, and I'm not doing any programming, if that's what it's used for. I guess it's possible I got hacked and someone installed flex, but it seems unlikely.
>>edit - link:
http://lists.debian.org/debian-user/.../msg01095.html
Last edited by slackhack; 09-29-2006 at 01:37 PM.
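Two points in this thread fit together: the "make md5sums and check them against known good versions" option raised in post #3, and the resolution in post #6 that the file chkrootkit flagged (libfl.so) was simply shipped by the flex package. On Debian every installed package already records that information in /var/lib/dpkg/info/<package>.md5sums, one line per file in md5sum's own "<hex digest>  <path relative to />" format, and dpkg -S <file> tells you which package owns a path. The script below is an added example, not code from the thread or from Debian's tools: it parses a manifest in that format and reports each file as OK, MODIFIED or MISSING, which is the triage step that separates "a scanner signature matched a legitimately packaged file" from "a packaged file was altered". The manifest and files it checks are constructed sample data written to a temporary directory so the example runs offline; the file names only mimic the flex package and are not its real contents.

```python
"""Verify files against a dpkg-style md5sums manifest (added example).

Manifest format (as in /var/lib/dpkg/info/<pkg>.md5sums):
    <32-hex-char md5>  <path relative to />
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def parse_md5sums(lines: Iterable[str]) -> Dict[str, str]:
    """Parse md5sums lines into {relative_path: md5hex}.

    The separator is two spaces; paths may themselves contain spaces,
    so split only on the first occurrence.
    """
    manifest: Dict[str, str] = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32 or not path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        manifest[path] = digest.lower()
    return manifest


def md5_of_file(path: str) -> str:
    """Stream a file through MD5 so large libraries are not read whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(manifest: Dict[str, str], root: str = "/") -> Dict[str, str]:
    """Return {relative_path: "OK" | "MODIFIED" | "MISSING"} per manifest entry."""
    results: Dict[str, str] = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of_file(full) == expected:
            results[rel] = "OK"
        else:
            results[rel] = "MODIFIED"
    return results


def demo() -> Dict[str, str]:
    """Build a constructed package tree plus manifest, then verify it."""
    root = tempfile.mkdtemp(prefix="md5check-")
    libdir = os.path.join(root, "usr/lib")
    os.makedirs(libdir)
    # Constructed stand-ins for packaged files (not the real flex library).
    pristine = b"pristine library bytes\n"
    tampered = pristine + b"appended bytes\n"
    with open(os.path.join(libdir, "libfl.so"), "wb") as f:
        f.write(pristine)          # unchanged since packaging
    with open(os.path.join(libdir, "libfl.a"), "wb") as f:
        f.write(tampered)          # differs from the recorded hash
    recorded = hashlib.md5(pristine).hexdigest()
    manifest_text = "\n".join([
        f"{recorded}  usr/lib/libfl.so",
        f"{recorded}  usr/lib/libfl.a",
        f"{recorded}  usr/lib/flex/removed.o",   # listed but no longer on disk
    ])
    return verify(parse_md5sums(manifest_text.splitlines()), root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

On a real Debian box the same check is what debsums does (debsums -c lists changed files), and dpkg -S /usr/lib/libfl.so answers the "which package put this here" question directly. The caveat a responder should keep in mind: the .md5sums manifests live on the same disk as the files, so on a host that really is compromised they are only as trustworthy as everything else there; the stronger comparison is against a copy of the package fetched fresh from a mirror, or, as suggested earlier in the thread, a rebuild from known-good media.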