LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-21-2004, 01:52 AM   #1
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Rep: Reputation: 15
I think something is not right with chkrootkit


I ran chkrootkit and got a message about something on eth(0).
 
Old 01-21-2004, 02:06 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Could you be a little more specific about the message? Was eth0 promiscuous, or was chkrootkit not able to run ifpromisc.c?
 
Old 01-21-2004, 08:58 AM   #3
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Just "something", eh?
 
Old 01-21-2004, 06:19 PM   #4
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Original Poster
Rep: Reputation: 15
Sorry, I did not have the exact message before; the following is what it said:

eth0: PF_Packet (sbin/.......)

Not sure exactly what the ....... is, but it is part of the directory structure or something.

I am definitely concerned with this. I switched to Linux because I thought it would be safer, not more vulnerable to attacks.
 
Old 01-21-2004, 09:01 PM   #5
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
You did set your firewall to high, I'm guessing.
 
Old 01-22-2004, 03:10 PM   #6
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Original Poster
Rep: Reputation: 15
I am not sure what the setting is on. I can find out if someone tells me how.... I'm running RH 9.0.... I know I would default for it to be high, but am not sure that I set it on high when installing the box. Does the message I'm getting indicate I've been hacked?
 
Old 01-22-2004, 05:35 PM   #7
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
The simplest way to disallow some connections to your RedHat box is to enable the firewall. The firewall is a helpful tool BUT IT IS BY NO MEANS a certain and absolute defense! To do this, log in as "root" and at the command line type the command "lokkit". But please be sure you're NEVER online as root!!!! Remember to set fairly low permissions for the user name that goes online. Make sure ALL file sharing is turned off except, of course, what you want. Any Internet connection results in data exchange between your box and ANYTHING you are reading - web site or e-mail. Of all the allowed connections and exchanges, the firewall has NO WAY to magically know if malicious data is sneaked in!
 
Old 01-22-2004, 08:15 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by AceTech747
Sorry, I did not have the exact message before; the following is what it said:

eth0: PF_Packet (sbin/.......)

Not sure exactly what the ....... is, but it is part of the directory structure or something.

I am definitely concerned with this. I switched to Linux because I thought it would be safer, not more vulnerable to attacks.
Did it literally report /sbin/...., or did it report some path and you just aren't sure what it said? If that's the case, just do:

chkrootkit | more

and copy what chkrootkit reports. The path is important, as that message seems to be telling you that some executable in sbin is connected to a packet socket (PF_Packet) (see the packet man page for more info). The identity of that executable is important, because it could just be a false alarm (chkrootkit is prone to them). Also run:

lsof -i
netstat -al

and see if that reports anything abnormal. If it actually reported /sbin/.... then that's not a good sign. Crackers tend to think that people don't know the difference between .. and ... and .....

Also try running the following to get a more informative output:
chkrootkit -x | grep PF_Packet


Last edited by Capt_Caveman; 01-23-2004 at 12:33 AM.
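The post above describes what the "sniffer" line means (a process holding a PF_PACKET socket) and why the path matters. As an added example, not code from the thread or from chkrootkit, the check can be reproduced by hand: Linux lists every packet socket in /proc/net/packet with its inode in the last column, and each /proc/<pid>/fd/* link of an open socket reads "socket:[<inode>]", which ties the socket to the process and, via /proc/<pid>/exe, to the binary. The function names are invented; the /proc layout is standard. Run it as root so every process's fd table is readable.

```shell
#!/bin/sh
# Added example, not from the thread or from chkrootkit: reproduce the
# "sniffer" check by hand.  /proc/net/packet lists every PF_PACKET socket
# with its inode in the last column; /proc/<pid>/fd/* links read
# "socket:[<inode>]", which ties the socket to the process that opened it.
# Function names are invented for this example.

# Print the socket inodes from a /proc/net/packet-style file.  The path is
# a parameter so the parser can be run on a saved copy.
packet_socket_inodes() {
    awk 'NR > 1 && NF > 0 { print $NF }' "$1"
}

# Print "pid exe" for every process holding the given socket inode.
# Needs root to read other users' fd tables.
inode_to_process() {
    inode=$1
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$inode]" ]; then
            pid=${fd#/proc/}; pid=${pid%%/*}
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
            echo "$pid $exe"
        fi
    done
}

# Return 0 if any path component consists only of dots and is three or
# more dots long ("/sbin/.../x"), the naming trick mentioned above.
has_dot_only_component() (
    set -f; IFS=/                 # split on '/' without globbing
    for comp in $1; do
        case "$comp" in
            ...*) [ -z "$(printf '%s' "$comp" | tr -d '.')" ] && return 0 ;;
        esac
    done
    return 1
)

# Tie it together for the live system (or a saved /proc/net/packet copy).
report_packet_sockets() {
    for ino in $(packet_socket_inodes "${1:-/proc/net/packet}"); do
        inode_to_process "$ino" | while read -r pid exe; do
            note=""
            has_dot_only_component "$exe" && note="   <-- dot-only directory, investigate"
            echo "inode $ino: pid $pid $exe$note"
        done
    done
}

if [ "${1:-}" = "--run" ]; then
    report_packet_sockets
fi
```

Two caveats worth knowing when following the post's advice: lsof -i restricts lsof to Internet (IPv4/IPv6) sockets, so a packet socket will not show up there; plain lsof, or on current systems ss -0p, does list them with the owning process. And a binary in a dot-only directory is suspicious because of where it lives, not because of what it is named, so check the directory's contents and timestamps before trusting any file in it.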
 
Old 01-23-2004, 09:31 AM   #9
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Original Poster
Rep: Reputation: 15
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)


this is the exact message......
 
Old 01-23-2004, 10:57 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
That's what I thought it was going to be. Probably a false alarm; dhclient is your DHCP client program, which listens on an interface for network DHCP messages. Sometimes the bound dhclient looks like a sniffer to chkrootkit. Verify the integrity of the rpm just to make sure (rpm -V dhclient). Probably a good example of why you should install a file integrity scanner like tripwire/aide/etc. beforehand. Then you would know in a second or two if any important system files had been altered.
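The post above recommends rpm -V and an integrity scanner installed beforehand. As an added example, not from the thread and not rpm's or AIDE's code, here is a minimal baseline-and-verify pair that shows what such a tool has to have recorded in advance (hash, mode, owner, group and size per file) and how it reports a changed, missing or newly appeared file. It uses GNU sha256sum and stat -c, the function names are invented, and it does not cope with newlines in file names. Keep in mind that rpm -V trusts the local rpm database, which an intruder with root can update as well, so a baseline stored off the box is what actually settles the question.

```shell
#!/bin/sh
# Added example, not from the thread or from rpm/AIDE: a minimal
# file-integrity baseline.  Record hash, mode, owner, group and size for
# every regular file under a directory, then compare later.  Real tools
# add a signed, off-host database and many more attributes; the point is
# that the baseline must exist before you need it.

# One line per regular file: sha256 mode uid gid size path
integrity_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %u %g %s' "$f")
        echo "$sum $meta $f"
    done
}

# Print the line for a path from a baseline file.  The path is everything
# after the five metadata fields, so spaces in names are handled.
baseline_lookup() {
    awk -v p="$2" '{ rest = $0
                     sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", rest)
                     if (rest == p) { print; exit } }' "$1"
}

# Compare a saved baseline with the tree as it is now.  Prints one line
# per difference (CHANGED / MISSING / NEW) and returns 1 if any exist.
integrity_verify() {
    baseline=$1; dir=$2
    current=$(mktemp)
    integrity_baseline "$dir" > "$current"
    rc=0
    # everything recorded: still there and unchanged?
    while read -r sum mode uid gid size path; do
        now=$(baseline_lookup "$current" "$path")
        if [ -z "$now" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$now" != "$sum $mode $uid $gid $size $path" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$baseline"
    # everything present now: was it in the baseline?
    while read -r sum mode uid gid size path; do
        if [ -z "$(baseline_lookup "$baseline" "$path")" ]; then
            echo "NEW $path"; rc=1
        fi
    done < "$current"
    rm -f "$current"
    return $rc
}
```

Typical use is integrity_baseline /sbin > /mnt/readonly/sbin.base right after installation, then integrity_verify /mnt/readonly/sbin.base /sbin whenever a tool like chkrootkit raises a question; a CHANGED line for /sbin/dhclient would have answered this thread's question in one step.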
 
Old 01-23-2004, 11:00 AM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Once you've verified that the dhclient is alright, now would be a good time to follow witeshark's advice and make sure that A) you have your firewall on and B) that it's set to some sane level.
 
Old 01-27-2004, 10:01 PM   #12
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Original Poster
Rep: Reputation: 15
How am I able to change the firewire. I am using fluxbox for a WM. Is there a command for the graphical tool?
 
Old 01-27-2004, 11:10 PM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Firewire? Do you mean firewall? If so, I'm not really familiar with flux, so I don't know if it comes with its own firewall GUI built in. But you can just open up an xterm, su - to root, and type lokkit. That should give you an ncurses 'wizard' that will walk you through it. If your box is a router that shares a network connection or runs services that have to be publicly accessible (like a web server), then you might have to add a few iptables rules manually. If that's the case, you might want to post a new thread about firewalling, as this one's moving beyond its original scope.
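The post above says a host that exposes a service may need iptables rules added by hand. As an added example, not from the thread and not lokkit's output, here is a default-deny rule set for a single host written out rule by rule, with the iptables binary behind a variable so the rules can be reviewed (IPT=echo) before being applied to a live box. It assumes the network-facing interface is eth0, that the host runs dhclient as in this thread, and that only SSH (plus HTTP when asked for) should be reachable from outside. The -m state match is what RH 9 era kernels used; on current kernels the equivalent is -m conntrack --ctstate. The function names and the fw-drop: log prefix are invented.

```shell
#!/bin/sh
# Added example, not from the thread or from lokkit: a default-deny host
# firewall written out rule by rule.  Point IPT at something other than
# iptables (IPT=echo) to review the rules without applying them.
# Assumptions: eth0 faces the network, the host runs dhclient, and only
# SSH (plus HTTP when asked) should be reachable from outside.
IPT=${IPT:-iptables}

apply_firewall() {
    ext_if=${1:-eth0}        # network-facing interface
    allow_http=${2:-no}      # "yes" if this box serves a public web site

    $IPT -F                  # start from a clean table
    $IPT -X
    $IPT -P INPUT DROP       # default deny: anything not matched below is dropped
    $IPT -P FORWARD DROP     # not a router, so forward nothing
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections this host started; INVALID covers stray packets
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # DHCP replies for dhclient arrive on UDP 68 from the server's port 67
    $IPT -A INPUT -i "$ext_if" -p udp --sport 67 --dport 68 -j ACCEPT
    # SSH from anywhere; add -s <admin network> to tighten this
    $IPT -A INPUT -i "$ext_if" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    if [ "$allow_http" = yes ]; then
        $IPT -A INPUT -i "$ext_if" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    fi
    # stay pingable; log (rate-limited) what the DROP policy is about to eat
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Dry-run helper: how many INPUT rules the function emits for given args.
input_rule_count() {
    ( IPT=echo; apply_firewall "$@" ) | grep -c '^-A INPUT'
}
```

Run apply_firewall eth0 as root once you have read the dry-run output; on Red Hat systems of that era, service iptables save then writes the running rules to /etc/sysconfig/iptables so they survive a reboot. Do this from the console or from a session you can afford to lose: with the INPUT policy set to DROP before the SSH rule is added, a mistake in the rule list will cut off a remote session.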
 
  

