I've been hacked...any thoughts?
I logged on as root and found

Quote:
Last login: Mon Jun 28 08:41:48 2004 from dsl093-061-155.pit1.dsl.speakeasy.net

as being the last login for today. I was like WTH???? That wasn't me! So I ran the chkroot and that's what I have so far. I also noticed that two files have been d/l onto my server: 25-meg-file.dat and KNOPPIX_V3.2-2003-04-10-EN.iso. I already contacted that person's ISP but no reply as of yet. Any future things to do to prevent this? Thankx in advance...

Quote:
[root@server1 chkrootkit-0.43]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/mod_perl/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Image/Magick/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for HKRK rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
eth1: not promisc and no PF_PACKET sockets
eth1:1: not promisc and no PF_PACKET sockets
eth1:2: not promisc and no PF_PACKET sockets
eth1:3: not promisc and no PF_PACKET sockets
eth1:4: not promisc and no PF_PACKET sockets
eth1:5: not promisc and no PF_PACKET sockets
eth1:6: not promisc and no PF_PACKET sockets
eth1:7: not promisc and no PF_PACKET sockets
eth1:8: not promisc and no PF_PACKET sockets
eth1:9: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

I have no idea how to make sense of it and should I be worried? |
Ouch that has to hurt. From everything I've read once you've been "rooted" the only way to totally undo it is to reinstall.
Maybe others have other suggestions. In the meantime I strongly suggest taking the machine off the web to avoid further problems. What distro are you using?? I might be able to help you secure a future install. Also the security and networking forums on this page have lots of good info. :Pengy: |
I'm running Red Hat 9. Did you read my input of chkrootkit? Do you see anything wrong with it?
It seems to check out for me, though, but mostly something is lurking that I don't know about... |
In terms of the files that have been downloaded, I assume those were simply to test the speed of your connection; if you have a particularly fast connection then you may be targeted as a warez server or a spam machine.
Still, as with the advice above, get the machine off the net and read unSpawn's stuff :) Steve |
Chkrootkit looks ok but......
Do nmap -vv localhost and see what ports are open. Also if you can, use rkhunter -c --createlogfile it will let you know if remote root access is possible on your system |
helps
1. You can turn on the firewall and close everything off, and reinstall. Install tripwire next time around.
2. Leave everything in place and connect your computer to a hub and have a laptop or computer sniff the wires to see where and what traffic the computer is sending and receiving. I prefer the second method but it is up to you. |
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against localhost.localdomain (127.0.0.1)
Adding open port 53/tcp
Adding open port 110/tcp
Adding open port 25/tcp
Adding open port 80/tcp
Adding open port 22/tcp
Adding open port 443/tcp
Adding open port 993/tcp
Adding open port 995/tcp
Adding open port 143/tcp
Adding open port 3306/tcp
Adding open port 21/tcp
The SYN Stealth Scan took 2 seconds to scan 1601 ports.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1590 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
143/tcp    open        imap2
443/tcp    open        https
993/tcp    open        imaps
995/tcp    open        pop3s
3306/tcp   open        mysql

That's what I have so far when I did the command... any thoughts? I'm so frustrated really, but everything seems to check out with chkroot as it seems.. I really do not want a whole new install; that would totally suck! Any other commands to try? On a side note, I tried this a tech told me to do but I can't seem to get it right b/c every time I do the command below, it always comes to an error. Any thoughts on how to successfully execute the command?
__________________________________________
rpm -Va >> rpmtest.txt
Check the rpmtest.txt file. If your rpms (not the conf files) show S's and 5's, that means that the rpm got modified by an outside source.
_____________________________________________ |
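The tech's advice is to look at the first column of `rpm -Va` output for S (size changed) and 5 (MD5 digest changed) on files that are not config files. The following is an added example, not something posted in the thread: a small shell/awk filter that does that triage on a constructed sample of `rpm -Va` output (the sample paths and flags are made up for illustration). On Red Hat 9's rpm the flag field is eight characters, a `.` meaning that test passed, and an optional second column marks the file type (`c` for config, `d` for doc); `missing` lines mean the packaged file is gone entirely.

```shell
#!/bin/sh
# Added example: triage "rpm -Va" output for modified package files.
# Flag column (rpm 4.x): S size, M mode, 5 MD5 digest, D device,
# L link, U user, G group, T mtime; '.' means the test passed.
# Optional type column: c config, d doc, g ghost, l license.
# Edited config files (c) are expected; a binary with S or 5 is not.

# Constructed sample standing in for "cat rpmtest.txt" (not real output).
SAMPLE_RPM_VA='S.5....T c /etc/ssh/sshd_config
.......T    /usr/share/doc/bash-2.05b/README
S.5....T    /bin/ls
missing     /usr/bin/pstree
..5....T    /usr/bin/netstat
.M......    /usr/sbin/sshd'

# Read rpm -Va output on stdin; print paths whose contents changed
# (S or 5) or that are missing, skipping config files.
rpm_va_suspects() {
    awk '
        # "missing" lines: the packaged file is gone entirely
        $1 == "missing" { print $NF; next }
        {
            flags = $1
            attr  = (NF == 3) ? $2 : ""   # type column is absent for ordinary files
            path  = $NF
            if (attr == "c") next         # edited config files are expected
            if (flags ~ /S/ || flags ~ /5/) print path
        }'
}

# Wrapper that runs the filter over the constructed sample.
demo_rpm_va_suspects() {
    printf '%s\n' "$SAMPLE_RPM_VA" | rpm_va_suspects
}

# On a real box, after "rpm -Va > rpmtest.txt":
#   rpm_va_suspects < rpmtest.txt
demo_rpm_va_suspects
```

On the sample this prints `/bin/ls`, `/usr/bin/pstree` and `/usr/bin/netstat`; the sshd_config line is dropped because it is a config file, and the mode-only change on sshd is reported by rpm but is not a content change. Note that `rpm -Va` compares against the rpm database on the same machine, so on a rooted box the database and rpm itself could have been altered too; the result is a lead, not proof of a clean system.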
I'm sorry, but how would I utilize rkhunter, joe? Thankx
|
What do your logs say?
|
Download it from freshmeat.net, compile & install.
Type rkhunter -c --createlogfile then go to /var/log and read the rkhunter.log file. Were you able to nmap your system??? :Pengy: |
OK, saw your nmap log. More than likely 21, 22 or 25 were the way in.
Create these scripts to switch the network on / off while you work on it:

cd /bin
vi netup
ifconfig eth0 up
route add default gw 192.168.8.1
(save)

Now create:

vi netdown
ifconfig eth0 down
(save)

Make executable, root only:

chmod 0700 netup netdown

Type netdown <return> to shut down the network, netup <return> to turn it back on.

Now type netstat -tan and see if any others are listening etc. If so, then fuser -v -n tcp (or udp) <port #>; this will tell you what service uses / listens on the port.

I strongly recommend closing / filtering ports and removing unnecessary services. If you need ssh access make sure it is set to protocol 2 with no remote root access. |
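The netstat -tan step above is about finding sockets that are listening on the network and deciding whether each one should be there. As an added example (not from the thread), here is a shell/awk filter that pulls the LISTEN entries out of `netstat -tan` output, keeps only those bound to all interfaces (`0.0.0.0` or `::`, i.e. reachable from outside, unlike loopback-only services), and reports the ports that are not on an allowlist you give it. The netstat lines it runs over are constructed sample data, not output from the poster's box, and the allowlist of 22, 25, 80, 443 and 993 is an assumption for the demo.

```shell
#!/bin/sh
# Added example: find unexpected network listeners in "netstat -tan" output.

# Constructed sample standing in for "netstat -tan" (not real output).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::993                  :::*                    LISTEN
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN
tcp        0      0 192.168.8.5:22          192.168.8.2:40123       ESTABLISHED'

# Print the local address:port of every TCP socket in LISTEN state.
listening_sockets() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" { print $4 }'
}

# Keep only listeners bound to all interfaces (0.0.0.0 or ::) and print
# the port number. Loopback-only services (127.0.0.1) are not reachable
# from the network, so they are left out.
external_listeners() {
    listening_sockets | awk -F: '$1 == "0.0.0.0" || $1 == "" { print $NF }'
}

# Usage: unexpected_listeners "22 25 80" < netstat_output
# Prints every externally reachable listening port not in the allowlist.
unexpected_listeners() {
    allow="$1"
    external_listeners | while read -r port; do
        case " $allow " in
            *" $port "*) ;;                 # expected service, skip
            *) printf '%s\n' "$port" ;;     # check it with: fuser -v -n tcp PORT
        esac
    done
}

# Run the check over the constructed sample with an assumed allowlist.
demo_unexpected_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 25 80 443 993"
}

# On a real box: netstat -tan | unexpected_listeners "22 25 80 443 993"
demo_unexpected_listeners
```

On the sample this prints 21 and 6666: 22 and 993 are on the allowlist, and mysql on 3306 is loopback-only so it is not counted as an exposed service. Each reported port is then a candidate for the `fuser -v -n tcp <port>` step from the post, which tells you which process owns it, so you can decide whether to stop the service or filter the port.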
Alright, let me get to work on those and I'll post my findings...
|
The heck with it :) heheh, I got the new nix on (fresh install). Thank you guys for helping me out. I appreciate it.
|
Hope you have not already connected to the internet without configuring firewall / tcpwrappers.
|
Yeah, it's running... tcp wrappers is made for Red Hat 9 too? I searched for it but didn't see anything for rh9. I'm in the process of installing tripwire, rkhunter.
I like the sound of tcp wrapper btw :) logs everything :) Any other progs you rec. that would work nicely on the Red Hat 9 serv? Thankx |