Linux - Security (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 05-20-2004, 06:58 AM | Member | Registered: Feb 2004 | Location: Canada | Distribution: LFS SVN | Posts: 334
I think I have been rooted
Hey, I would like to know the signs of being rooted, because I think someone has installed a rootkit on my box. The reason why I think this has happened is because my box will crash, and I mean completely lock up while still in X. When I say locked up, it's hard-locked: no input from anything, and my sound has stopped too (music)... If I reboot and check the messages and syslog files I see some entries that look like they have been covered up. I will post a part of my messages log:
Code:
May 20 03:43:50 darkstar gconfd (zer0-3016): starting (version 2.6.1), pid 3016 user 'zer0'
May 20 03:43:51 darkstar gconfd (zer0-3016): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only$
May 20 03:43:51 darkstar gconfd (zer0-3016): Resolved address "xml:readwrite:/home/zer0/.gconf" to a writable config sourc$
May 20 03:43:51 darkstar gconfd (zer0-3016): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only $
May 20 04:08:21 darkstar -- MARK --
May 20 04:24:21 darkstar gconfd (zer0-3016): GConf server is not in use, shutting down.
May 20 04:24:21 darkstar gconfd (zer0-3016): Exiting
May 20 04:26:51 darkstar gconfd (zer0-3261): starting (version 2.6.1), pid 3261 user 'zer0'
May 20 04:26:51 darkstar gconfd (zer0-3261): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only$
May 20 04:26:51 darkstar gconfd (zer0-3261): Resolved address "xml:readwrite:/home/zer0/.gconf" to a writable config sourc$
May 20 04:26:51 darkstar gconfd (zer0-3261): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only $
May 20 04:48:21 darkstar -- MARK --
May 20 05:08:21 darkstar -- MARK --
May 20 05:28:21 darkstar -- MARK --
May 20 05:35:21 darkstar gconfd (zer0-3261): GConf server is not in use, shutting down.
May 20 05:35:21 darkstar gconfd (zer0-3261): Exiting
May 20 05:48:21 darkstar -- MARK --
May 20 06:08:21 darkstar -- MARK --
May 20 06:28:21 darkstar -- MARK --
May 20 06:48:21 darkstar -- MARK --
May 20 07:08:21 darkstar -- MARK --
May 20 07:28:21 darkstar -- MARK --
May 20 07:41:42 darkstar syslogd 1.4.1: restart.
May 20 07:41:43 darkstar kernel: klogd 1.4.1, log source = /proc/kmsg started.
Can anyone help me? Or tell me if my security has been compromised?
#2 | 05-20-2004, 07:26 AM | Member | Registered: Jun 2003 | Location: London | Distribution: Linux Mint 13 Maya | Posts: 729
I can not help you although I am sure others can.
However, until you are sure that you are not compromised, disconnect from the internet now!!
#3 | 05-20-2004, 08:05 AM | Member (Original Poster) | Registered: Feb 2004 | Location: Canada | Distribution: LFS SVN | Posts: 334
I am on my Windows box now... any suggestions on what this is?
#4 | 05-20-2004, 08:13 AM | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Those messages don't look abnormal in and of themselves. Should you have a user "zer0"? You might want to go ahead and download and run chkrootkit, check the output of the last command for any odd logins, and check /etc/passwd for new users, just to be cautious.
I would also check out the rest of the system logs to see if you can determine the cause of the lockups. It might just be a hardware issue.
#5 | 05-20-2004, 09:31 PM | LQ Addict | Registered: Dec 2001 | Location: Brooklyn, NY | Distribution: *NIX | Posts: 3,704
Well, if you've been rooted, most of the commands were probably substituted with ones that disguise the real output. chkrootkit might help, but I would definitely get a KNOPPIX-STD CD and boot the system off it, mount / and the other filesystems, and then check it with the chkrootkit supplied by KNOPPIX-STD. If you have a spare machine with a CD-RW you can obtain KNOPPIX-STD from http://newcastlecomputer.com/knoppix_std.htm
Good luck.
P.S. Oops, you don't even need a CD-RW, just 9.95 + S&H + sales tax if applicable. If helping Linux hackers with money seems obscure, get standard KNOPPIX; I am pretty sure it has chkrootkit on it. I have the STD edition at work, but the copy isn't mine though.
Last edited by neo77777; 05-20-2004 at 09:36 PM.
#6 | 05-21-2004, 01:21 PM | Senior Member | Registered: Dec 2003 | Location: Shelbyville, TN, USA | Distribution: Fedora Core, CentOS | Posts: 1,019
If the covered up lines you are talking about are these:
May 20 06:48:21 darkstar -- MARK --
Then you really don't have anything to worry about.... Slack 9.1 puts these in there every 20 minutes to give you a visual aid to see how much time has passed between log entries, and also to tell you that everything is up and running during those times. I imagine if someone were going to hide log entries they'd just plain get rid of them.... That's how I'd do it.
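A small check that uses those MARK lines the way the reply describes, as an added example (not code from the thread): it parses syslog-style lines and flags any stretch longer than two mark intervals with nothing logged, which is exactly the hole that deleting entries leaves behind. The log excerpt is constructed from the timestamps posted at the top of the thread, and the year is assumed because syslog lines carry none.

```python
import re
from datetime import datetime

MARK_INTERVAL_SEC = 20 * 60     # the 20-minute heartbeat described above for Slackware 9.1's syslogd
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(text, year=2004):
    """(timestamp, host, message) per line; syslog timestamps carry no year, so one is assumed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3)))
    return entries

def find_gaps(text, interval=MARK_INTERVAL_SEC, year=2004):
    """Silent stretches longer than two intervals. syslogd drops a '-- MARK --' into a file
    whenever nothing else has reached it for one interval, so a longer silence means syslogd
    was not running, the clock jumped, or lines were taken out."""
    entries = parse_syslog(text, year)
    gaps = []
    for (t0, _, _), (t1, _, _) in zip(entries, entries[1:]):
        silence = int((t1 - t0).total_seconds())
        if silence > 2 * interval:
            gaps.append((t0.strftime("%b %d %H:%M:%S"), t1.strftime("%b %d %H:%M:%S"), silence))
    return gaps

# Constructed from the timestamps in the log posted at the top of this thread (messages shortened)
CLEAN_LOG = """\
May 20 03:43:50 darkstar gconfd (zer0-3016): starting (version 2.6.1), pid 3016 user 'zer0'
May 20 04:08:21 darkstar -- MARK --
May 20 04:24:21 darkstar gconfd (zer0-3016): Exiting
May 20 04:48:21 darkstar -- MARK --
May 20 05:08:21 darkstar -- MARK --
May 20 05:28:21 darkstar -- MARK --
May 20 05:35:21 darkstar gconfd (zer0-3261): Exiting
May 20 05:48:21 darkstar -- MARK --
May 20 06:08:21 darkstar -- MARK --
May 20 06:28:21 darkstar -- MARK --
May 20 06:48:21 darkstar -- MARK --
May 20 07:08:21 darkstar -- MARK --
May 20 07:28:21 darkstar -- MARK --
May 20 07:41:42 darkstar syslogd 1.4.1: restart.
"""
# The same excerpt with every heartbeat after 05:35 deleted: the hole is what gives the edit away
TAMPERED_LOG = "\n".join(l for l in CLEAN_LOG.splitlines()
                         if not (l.endswith("-- MARK --") and l[7:12] > "05:35"))
```

Run it over the real /var/log/messages with the box's own mark interval; a flagged gap that lines up with a reboot or a syslogd restart is benign, one with nothing to explain it is worth a closer look.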
#7 | 05-21-2004, 03:39 PM | Member | Registered: Dec 2003 | Distribution: Debian, FreeBSD | Posts: 310
It's most likely just a buggy application that is crashing X. I'm sure most people here have had that happen at some point. From the information you have provided it doesn't seem like anyone compromised the computer. Were there even any publicly available services running on the computer? Did you keep the system patched and updated?
Last edited by fur; 05-21-2004 at 03:41 PM.
#8 | 05-24-2004, 04:49 PM | Member | Registered: Apr 2004 | Distribution: Debian | Posts: 185
I suggest using aide or tripwire. These programs actually run md5sums, check mtime, ctime, etc., and report any changes to your binaries or system files. Of course this has to be done ahead of time, but it takes the guesswork out of guessing if your binaries have been replaced with rootkit ones. Another note: it is a good idea to keep a copy of your aide or tripwire database offline so it cannot be modified by a hax0r. By those messages it doesn't look to be anything too bad, as long as there is a user called zer0.
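An added example, not the poster's code and not aide's or tripwire's, of what such a baseline-and-compare does, in Python: it records mode, owner, size, mtime, ctime and a sha256 hash (standing in for the md5sums mentioned) for every file under a directory, stores the snapshot outside the tree, and later reports what was added, removed, or changed. The demo tree and the tampering are constructed; note that putting the old mtime back does not hide the change.

```python
import hashlib, json, os, stat, tempfile

def file_record(path):
    """The attributes aide/tripwire compare; sha256 stands in for the md5sums the post mentions."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size,
           "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns, "sha256": None}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return rec

def build_baseline(root):
    """Snapshot every file below root, keyed by path relative to root."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            base[os.path.relpath(p, root)] = file_record(p)
    return base

def compare(base, root):
    """Files added, removed, or changed (with the attributes that differ) since the baseline."""
    cur = build_baseline(root)
    report = {"added": sorted(set(cur) - set(base)),
              "removed": sorted(set(base) - set(cur)), "changed": {}}
    for rel in sorted(set(base) & set(cur)):
        diff = [k for k in base[rel] if base[rel][k] != cur[rel][k]]
        if diff:
            report["changed"][rel] = diff
    return report

def demo():
    """Constructed run: baseline a scratch tree, tamper with it, then compare against the saved copy."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    ls, ps = os.path.join(root, "bin", "ls"), os.path.join(root, "bin", "ps")
    for p in (ls, ps):
        with open(p, "wb") as f: f.write(b"original " + os.path.basename(p).encode())
    store = root + ".baseline.json"      # in real use this copy goes to read-only or offline media
    with open(store, "w") as f:
        json.dump(build_baseline(root), f)
    st = os.stat(ls)
    with open(ls, "wb") as f:            # replace a binary, then put the old mtime back...
        f.write(b"replaced ls: size, sha256 and ctime still give it away")
    os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
    os.remove(ps)                        # ...remove one file and add another
    open(os.path.join(root, "bin", "extra.so"), "wb").close()
    with open(store) as f:
        return compare(json.load(f), root)
```

The comparison is only as trustworthy as the copy of the baseline and the tools doing the comparing, which is why the thread recommends keeping the database offline and checking from a boot CD.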
#9 | 05-31-2004, 02:02 PM | LQ Newbie | Registered: Feb 2004 | Posts: 7
I don't think you're rooted - I just installed Mandrake 10 on an old Acer TravelMate 515TE laptop computer, which was previously installed with XP Pro, and I get the exact same symptoms, i.e. more or less randomly occurring total system freeze-ups, associated with the exact same gconfd messages.
Also, after a hard reboot, the file system check *always* reveals exactly two orphaned inodes in /dev/hda7 (which is my /var partition). This is probably caused by a failed log write attempt immediately preceding the freeze-up.
Since installing Linux, this machine has not been connected to the Internet (because the SiteCom WL-011v2 PC Card is not supported). Therefore, there is no possible way that the problems on my machine are linked to a rootkit. Since your symptoms almost exactly match mine, I think it's a safe bet that you haven't been rooted either.
There might be a problem with gconfd, although I haven't yet found a clue what or how. Also, there may be a problem with XFree86 - more in particular when enabling the advanced touchpad functions with synaptics and evdev(*). When these functions were enabled, the freeze-ups seemed to occur more regularly.
*): I found that I couldn't get evdev to load by including it in /etc/modules, and had to explicitly make a SysV style startup link in /etc/rc5.d pointing to a modprobe script line in /etc/init.d. Would anyone have any clues on this?
So, although you've probably not been rooted, I can't offer an explanation for or a solution to the problem. Perhaps you could start by seeing what happens when gconfd is not active. I'll keep investigating this problem, and I'll most certainly will report back here if anything turns up.
Regards,
Richard Rasker
#10 | 05-31-2004, 02:16 PM | LQ Newbie | Registered: Feb 2004 | Posts: 7
Sorry, I was too quick suspecting gconfd - these messages seem to appear at every startup of X; I did a sloppy job looking at the log files ...
So now I even have less of a clue what causes the freezes ...