LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-12-2004, 09:58 PM   #1
af_dave
Member
 
Registered: May 2004
Distribution: Slackware 9.1
Posts: 37

Rep: Reputation: 15
Have I been hacked?


I ran chrootkit and found the following:
Checking `amd'... not found
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)

then I ran nmap and found the following:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-13 10:55 EDT
Host localhost (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against localhost (127.0.0.1) at 10:55
Adding open port 952/tcp
Adding open port 445/tcp
Adding open port 139/tcp
Adding open port 908/tcp
Adding open port 111/tcp
Adding open port 2049/tcp
Adding open port 25/tcp
Adding open port 6000/tcp
The SYN Stealth Scan took 2 seconds to scan 1659 ports.
Interesting ports on localhost (127.0.0.1):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
908/tcp open unknown
952/tcp open unknown
2049/tcp open nfs
6000/tcp open X11


I have shorewall installed and just a few weeks ago i installed tripwire
 
Old 07-12-2004, 10:05 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I've seen dhclient set off the PF_PACKET check before. The others are common false alarms as well. try using netstat -pantu to check what ports are really open (doing an nmap of localhost aka 127.0.0.1 doesn't tell you much that's usefull) or nmap the machine from a remote host. If you have tripwire installed, go ahead and run a check.
 
Old 07-14-2004, 05:06 AM   #3
af_dave
Member
 
Registered: May 2004
Distribution: Slackware 9.1
Posts: 37

Original Poster
Rep: Reputation: 15
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN 3174/xinetd
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:962 0.0.0.0:* LISTEN 2900/rpc.statd
tcp 0 0 0.0.0.0:869 0.0.0.0:* LISTEN 3234/rpc.mountd
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 3390/master
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 3505/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2808/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 3899/X
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3390/master
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 3505/smbd
tcp 0 0 61.34.52.101:38821 211.53.215.168:80 ESTABLISHED 6419/opera
tcp 0 0 61.34.52.101:38851 216.239.57.104:80 ESTABLISHED 6419/opera
tcp 0 0 61.34.52.101:32778 205.188.5.224:5190 ESTABLISHED 4123/gaim
tcp 1 0 61.34.52.101:38845 207.44.182.114:80 CLOSE_WAIT 6419/opera
tcp 0 0 61.34.52.101:38861 64.70.61.129:80 ESTABLISHED 6419/opera
udp 0 0 0.0.0.0:32768 0.0.0.0:* -
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 61.34.52.101:137 0.0.0.0:* 3515/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 3515/nmbd
udp 0 0 61.34.52.101:138 0.0.0.0:* 3515/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 3515/nmbd
udp 0 0 0.0.0.0:956 0.0.0.0:* 2900/rpc.statd
udp 0 0 0.0.0.0:959 0.0.0.0:* 2900/rpc.statd
udp 0 0 0.0.0.0:68 0.0.0.0:* 2748/dhclient
udp 0 0 0.0.0.0:866 0.0.0.0:* 3234/rpc.mountd
udp 0 0 0.0.0.0:111 0.0.0.0:* 2808/portmap


I'm worried because for about a week my firewall was misconfigured. And i installed tripwire after it. Even though I am running a fully patched (that i know of anyway) Mandrake 10 machine
 
Old 07-14-2004, 03:02 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Filesystem integrity tools should be installed *before* connecting a box to a network, anything else kinda defeats their purpose. Your network stats don't show anything weird except something listening on high ports. Take the port and try "lsof -lMnP -i tcp:2049" or "fuser -n tcp 2049" to see process info.

Checking `ldsopreload'... can't exec ./strings-static, not tested
...so you didn't compile Chkrootkit's binary helpers or didn't install Chkrootkit like it should.
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Like CC already said it's an FP. DHCP clients usually are (of course this assumes /sbin/dhclient is a legitimate binary: something you can't tell from the name but from the MD5/SHA1sum your distro (should) provide).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Have I been hacked? Please help linuxboy69 Linux - Security 11 09-07-2005 08:20 AM
Hacked? mikeshn Linux - Security 2 03-12-2004 02:57 PM
Help! Have I been hacked? Tenover Linux - Security 1 11-19-2003 04:24 PM
Did we just get hacked? vous Linux - Security 4 11-17-2003 09:11 AM
am i being hacked? tearinox Linux - Security 5 11-13-2003 07:00 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration