LinuxQuestions.org

Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Have I been hacked? (https://www.linuxquestions.org/questions/linux-security-4/have-i-been-hacked-204298/)

af_dave 07-12-2004 08:58 PM

Have I been hacked?
 
I ran chkrootkit and found the following:
Checking `amd'... not found
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)

then I ran nmap and found the following:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-13 10:55 EDT
Host localhost (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against localhost (127.0.0.1) at 10:55
Adding open port 952/tcp
Adding open port 445/tcp
Adding open port 139/tcp
Adding open port 908/tcp
Adding open port 111/tcp
Adding open port 2049/tcp
Adding open port 25/tcp
Adding open port 6000/tcp
The SYN Stealth Scan took 2 seconds to scan 1659 ports.
Interesting ports on localhost (127.0.0.1):
(The 1651 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
908/tcp  open  unknown
952/tcp  open  unknown
2049/tcp open  nfs
6000/tcp open  X11


I have shorewall installed and just a few weeks ago i installed tripwire

Capt_Caveman 07-12-2004 09:05 PM

I've seen dhclient set off the PF_PACKET check before. The others are common false alarms as well. Try using netstat -pantu to check what ports are really open (doing an nmap of localhost, aka 127.0.0.1, doesn't tell you much that's useful), or nmap the machine from a remote host. If you have tripwire installed, go ahead and run a check.

af_dave 07-14-2004 04:06 AM

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:32768         0.0.0.0:*               LISTEN      3174/xinetd
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:962             0.0.0.0:*               LISTEN      2900/rpc.statd
tcp        0      0 0.0.0.0:869             0.0.0.0:*               LISTEN      3234/rpc.mountd
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      3390/master
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      3505/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2808/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3899/X
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3390/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      3505/smbd
tcp        0      0 61.34.52.101:38821      211.53.215.168:80       ESTABLISHED 6419/opera
tcp        0      0 61.34.52.101:38851      216.239.57.104:80       ESTABLISHED 6419/opera
tcp        0      0 61.34.52.101:32778      205.188.5.224:5190      ESTABLISHED 4123/gaim
tcp        1      0 61.34.52.101:38845      207.44.182.114:80       CLOSE_WAIT  6419/opera
tcp        0      0 61.34.52.101:38861      64.70.61.129:80         ESTABLISHED 6419/opera
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           -
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 61.34.52.101:137        0.0.0.0:*                           3515/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           3515/nmbd
udp        0      0 61.34.52.101:138        0.0.0.0:*                           3515/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           3515/nmbd
udp        0      0 0.0.0.0:956             0.0.0.0:*                           2900/rpc.statd
udp        0      0 0.0.0.0:959             0.0.0.0:*                           2900/rpc.statd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2748/dhclient
udp        0      0 0.0.0.0:866             0.0.0.0:*                           3234/rpc.mountd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2808/portmap


I'm worried because for about a week my firewall was misconfigured, and I installed tripwire after it, even though I am running a fully patched (that I know of, anyway) Mandrake 10 machine.

unSpawn 07-14-2004 02:02 PM

Filesystem integrity tools should be installed *before* connecting a box to a network, anything else kinda defeats their purpose. Your network stats don't show anything weird except something listening on high ports. Take the port and try "lsof -lMnP -i tcp:2049" or "fuser -n tcp 2049" to see process info.

Checking `ldsopreload'... can't exec ./strings-static, not tested
...so you didn't compile chkrootkit's binary helpers, or didn't install chkrootkit the way it should be installed.
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Like CC already said, it's an FP. DHCP clients usually are (of course this assumes /sbin/dhclient is a legitimate binary: something you can't tell from the name, but from the MD5/SHA1 sum your distro (should) provide).
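Putting the checks from the two replies together, as an added example that is not part of the thread and not code from any of the posters: a POSIX shell script that reads "netstat -pantu" output, lists the listeners reachable from the network, flags sockets with no visible owning process and prints the lsof/fuser commands for them, then checks the binary named by the sniffer hit against the RPM database (Mandrake is RPM-based, so "rpm -Vf" does the checksum comparison unSpawn refers to). The sample netstat output is constructed from the one af_dave posted so the script runs offline; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: triage "netstat -pantu" output
# the way the replies suggest, then point at the follow-up checks
# (lsof/fuser for sockets with no visible owner, package verification for
# the binary behind a chkrootkit hit).  Function names are hypothetical.

# Constructed sample modelled on the netstat output posted in the thread,
# so the script runs offline when no live netstat is available.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:32768         0.0.0.0:*               LISTEN      3174/xinetd
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2808/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3390/master
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3899/X
tcp        0      0 61.34.52.101:38821      211.53.215.168:80       ESTABLISHED 6419/opera
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2748/dhclient'

# Read netstat -pantu output on stdin; print "proto port owner" for each
# listening socket bound to something other than loopback.  UDP lines have
# no State column, so the owner is always taken from the last field.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }
        {
            local = $4; owner = $NF
            listening = ($1 ~ /^udp/) || ($6 == "LISTEN")
            if (!listening) next
            n = split(local, a, ":"); port = a[n]
            host = substr(local, 1, length(local) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next
            print $1, port, owner
        }'
}

# Listening sockets whose PID/Program name is "-".  Run as root, that
# usually means a kernel-space service (nfsd on 2049, lockd on a high
# port); run unprivileged it only means the owner is not visible to you.
unowned_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }
        {
            listening = ($1 ~ /^udp/) || ($6 == "LISTEN")
            if (listening && $NF == "-") { n = split($4, a, ":"); print $1, a[n] }
        }'
}

# The two commands suggested in the thread for finding what owns a port,
# printed rather than executed so they can be reviewed before running as root.
followup_commands() {   # $1 = tcp|udp, $2 = port
    printf 'lsof -lMnP -i %s:%s\n' "$1" "$2"
    printf 'fuser -n %s %s\n' "$1" "$2"
}

# Check a binary against the package database instead of trusting its name.
# "rpm -Vf PATH" re-hashes every file of the package owning PATH and prints
# one line per mismatch (a "5" in the third column means the MD5 differs);
# no output means everything matched.
verify_binary() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$1: no rpm database on this host; compare against your distro's published checksums"
        return 0
    fi
    if rpm -Vf "$1"; then
        echo "$1: all files of its package match the package database"
    else
        echo "$1: mismatches listed above; a 5 in column 3 means a changed MD5"
    fi
}

# Live data when running as root with netstat available, else the sample.
get_netstat() {
    if [ "$(id -u)" = 0 ] && command -v netstat >/dev/null 2>&1; then
        netstat -pantu 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_NETSTAT"
    fi
}

echo "== listening sockets reachable from the network (proto port owner) =="
get_netstat | exposed_listeners
echo "== listeners with no visible owning process =="
get_netstat | unowned_listeners | while read -r proto port; do
    echo "$proto/$port, check as root with:"
    followup_commands "$proto" "$port" | sed 's/^/    /'
done
echo "== package check for the chkrootkit sniffer hit =="
verify_binary /sbin/dhclient
```

Run it as root to get live data; unprivileged, netstat hides the owner of every socket it doesn't own, so a "-" tells you nothing. A listener on 2049 with no PID is what the in-kernel NFS server looks like, and it fits the rpc.mountd/rpc.statd/portmap entries in the posted output, but the lsof/fuser step is how you confirm that rather than assume it. The rpm check only proves the file matches what the package database says; if the package database itself was tampered with, only an integrity tool installed before the box went online (unSpawn's point) or checksums fetched from the distro's own servers settle it.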

