LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-21-2003, 05:04 AM   #1
Jalalabee
Member
 
Registered: Aug 2003
Distribution: Slackware 10.2
Posts: 102

Rep: Reputation: 15
I was hacked: is it safe?


I'm wondering if I can keep my music; there was a root-kit installed, Romanian I believe. Also, is there a way to clean it?

Thanks for any help,

-Jalalabee
 
Old 12-21-2003, 06:14 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
> there was a root-kit installed, romanian I believe / Also, is there a way to clean it?
Please be verbose when you report a system compromise. For instance:
- What vendor and release?
- What (network) services were running?
- How long ago was this?
- How did you detect it?
- What got "installed"?
- What logs showed "evidence" to trace back the exploit/cracker IPs?
- Files/dirs with "mihai" in it?


> I'm wondering if I can keep my music
Most likely yes, because I've never seen crackers "infect" music files on Linux, but only scanning it should give proof, because it would be easy to rename/append stuff to a music file (not likely that it would get executed, but that's beside the point).
 
Old 12-21-2003, 06:49 AM   #3
Jalalabee
Member
 
Registered: Aug 2003
Distribution: Slackware 10.2
Posts: 102

Original Poster
Rep: Reputation: 15
Distro: Slackware 9.0
Kernel 2.4.21, built by myself
Noticed when: my locate started having funny problems
Ran the rootkit check script... the popular one, I believe; it's 30 KB or so.

I had to kinda move *some* of the information back up here; the following is stuff I wrote down because it seemed a problem.

---

Infected were: ifconfig, login, pstree

possible root kit: T0rn v8 or variation, showtee, shkit

root kit: Romanian /usr/iclude/file.h /usr/iclude/proc.h

---

I'd like to keep my music at least. I already changed all my passwords for things, so my next step is to try to keep my music and format to Slackware 9.1, get the newest kernel and set up some good security measures.

At least that's what I think I should do, right?

But what about cleaning or scanning infected music?

Can I just read the hard drive with a Windows install and take over the music and scan for it sometime?

What to do.....
 
Old 12-21-2003, 07:36 AM   #4
adm0
LQ Newbie
 
Registered: Dec 2003
Posts: 2

Rep: Reputation: 0
edited on request.


Last edited by adm0; 12-21-2003 at 07:50 AM.
 
Old 12-21-2003, 07:40 AM   #5
Jalalabee
Member
 
Registered: Aug 2003
Distribution: Slackware 10.2
Posts: 102

Original Poster
Rep: Reputation: 15
I looked through /var/log and I found a foreign IP that seems to have logged into root, I believe. I wonder if I should contact his/her ISP?
 
Old 12-21-2003, 07:45 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
With all due respect, I specifically said: "Please be verbose when you report a system compromise." By that I mean the more precise information you give, the easier it could be for us to get a grip on the situation. It also means you should answer *all* questions and not only those you like. I'm not saying this to chide you, but because I take system compromises very seriously and the help I offer must be based on facts. The more facts I have, the more my advice will be for your specific situation.

Please answer the questions you didn't.


> I'd like to keep my music at least, I already changed all my passwords for things, so my next step is to try to keep my music and format to Slackware 9.1, get the newest kernel and set up some good security measures.
* Do not impulsively backup, move, change or whatever you think you should do on the box, we'll get to that later on.

If your system is infected, your next step is to make sure you
- block any process from harming the system in any way,
- block anyone from accessing the box or making changes (and that includes yourself),
- understand why it has happened.


> Infected were: ifconfig, login, pstree
> possible root kit: T0rn v8 or variation, showtee, shkit
> root kit: Romanian /usr/iclude/file.h /usr/iclude/proc.h

- If you have a rescue cdrom, or a cdrom distro like Knoppix, FIRE, Trinux etc etc or a one floppy distro like tomsrtbt, then reboot the box you think is compromised and load the kernel from that floppy/cdr, mount partitions read-only and continue.
- If you don't have a cdrom or floppy distro, drop to runlevel 1*, mount partitions read-only and continue. *Unlikely, but this could trigger "boobytraps". Always keep your ears open for high disk activity. If you get suspicious, shut down the box immediately by whatever means necessary (reset, power cord).


- Please run "for i in ifconfig login pstree; do chkrootkit -d $i; done 2>&1|tee -a /tmp/chkr.log" and "chkrootkit -d aliens 2>&1|tee -a /tmp/chkr.log". Please post the contents of the log here. If you use /dev/shm, put logs there, else remount /tmp in rw mode.
- If you have a filesystem integrity scanner (with databases on read-only media), run it and post the output. If you don't, and your package manager doesn't support GPG or md5sum checking, then you will have to fetch the packages from cdrom/ftp to correlate. "Diff" the list for files not in the package database and inspect visually.
- Check your passwd/group files and wtmp for added users and logins.
- Check your system and daemon logs for errors or "weird" lines.


> I had to kinda move *some* of the information back up here,
Please explain what you mean by this.


> But what about cleaning or scanning infected music?
Let's handle this one step at a time. You may think otherwise, but music files are not your first priority at this point.



> Here are the general steps:
I disagree.
The first step is to halt risks of exposure.
The second step is to determine the box status.
The third step is to determine object status, salvage and isolate to (and investigate the point of breach).
"Mopping up" comes after that.

If you want to learn about what to do with situations like these, please try reading
the LQ FAQ: Security references, post #1 "Basics, important sites, HOWTO's", the "Compromise, breach of security, detection" part and post #5 "Forensics, recovery, undelete", the "Forensics HOWTO's, docs" part, before you offer suggestions.
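The account-file and log checks in the post above (passwd/group for added users, system logs for "weird" lines), as an added shell example that is not from the thread or from unSpawn. It assumes the suspect root filesystem has been mounted read-only under /mnt/suspect from a rescue boot; the passwd, group and messages content it runs on is constructed for the demo, with the TEST-NET address 198.51.100.7 standing in for a real source IP.

```shell
#!/bin/sh
# Added example, not from the thread. Reviews a suspect system's account files
# and logs offline. Assumes the compromised root filesystem is mounted read-only
# on /mnt/suspect from a rescue boot; the sample files below are constructed.

# Flag the account-file changes a rootkit or cracker typically leaves behind.
audit_accounts() {
    passwd="$1"; group="$2"
    # Any account other than root with UID 0 is a planted superuser.
    awk -F: '$3 == 0 && $1 != "root" { print "UID0 " $1 }' "$passwd"
    # A second entry sharing an existing UID silently inherits its rights.
    awk -F: '{ n[$3]++; u[$3] = u[$3] " " $1 }
             END { for (i in n) if (n[i] > 1) print "DUPUID " i ":" u[i] }' "$passwd"
    # An empty password field lets the account log in with no password at all.
    awk -F: '$2 == "" { print "NOPASS " $1 }' "$passwd"
    # Unexpected members of the root or wheel groups.
    awk -F: '$1 == "root" || $1 == "wheel" {
                 k = split($4, m, ",")
                 for (i = 1; i <= k; i++)
                     if (m[i] != "" && m[i] != "root") print "PRIVGROUP " $1 " " m[i]
             }' "$group"
}

# Source addresses of accepted root logins in a syslog-style messages file.
# Correlate these with wtmp ("last -f /mnt/suspect/var/log/wtmp") and the
# rest of the logs to bracket when the box was entered.
root_logins() {
    grep -E 'Accepted [a-z]+ for root from' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort -u
}

# --- constructed sample input, standing in for /mnt/suspect/etc/* and messages ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
nobody:x:99:99:nobody:/:/bin/false
alice:x:1000:100::/home/alice:/bin/bash
guest::1001:100::/home/guest:/bin/bash
ftpx:x:0:0::/var/tmp/.x:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
root::0:
bin::1:bin,daemon
wheel::10:root,ftpx
users::100:
EOF
cat > "$demo_dir/messages" <<'EOF'
Dec 18 03:12:44 box sshd[1404]: Accepted password for root from 198.51.100.7 port 1390 ssh2
Dec 18 03:14:02 box sshd[1410]: Accepted password for root from 198.51.100.7 port 1402 ssh2
Dec 19 10:00:01 box sshd[2231]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
EOF

echo "== account findings =="
audit_accounts "$demo_dir/passwd" "$demo_dir/group"
echo "== root login sources =="
root_logins "$demo_dir/messages"
```

Run it against the real files by pointing the two functions at /mnt/suspect/etc/passwd, /mnt/suspect/etc/group and /mnt/suspect/var/log/messages (and its rotated copies such as messages.1) instead of the demo directory; the tags at the start of each finding line make the output easy to paste into a report.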
 
Old 12-21-2003, 08:03 AM   #7
Jalalabee
Member
 
Registered: Aug 2003
Distribution: Slackware 10.2
Posts: 102

Original Poster
Rep: Reputation: 15
Ah, I'm pretty much low-grade, as in I don't know *that* much. But here I go.

> - What vendor and release?

Slackware 9.0 -- kernel 2.4.21 compiled myself


> - What (network) services were running?

webmin, apache, bind, and anything default that Slackware 9.0 would contain. I'm not sure how else to answer this question.


> - How long ago was this?

I'm unsure. I looked over logs (I'm not too good at noticing what is "weird", however I noticed an IP and the port 1390, and the time was 3 days ago. It seems to have started today, however; things like nautilus weren't loading and icons missing, locate stopped working.)

> - How did you detect it?

I used a root kit check script: http://www.chkrootkit.org/


> - What got "installed"?

I posted above, but the only thing for "sure" is the Romanian root kit


> - What logs showed "evidence" to trace back the exploit/cracker IPs?

I looked through message.1 and found an IP coming in as root or something about that.


> - Files/dirs with "mihai" in it?

mihai? Is that a file? I wouldn't know, because my locate, I believe.
 
Old 12-21-2003, 08:21 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
OK, cool. Thanks for posting. Really helps.

> Ah, I'm pretty much low-grade, as in I don't know *that* much.
No prob if you don't know stuff. Hell, I don't know everything either.


> - What (network) services were running?
> webmin, apache, bind, and anything default that Slackware 9.0 would contain. I'm not sure how else to answer this question.

1. You could get the versions of the SW you're running from querying your package manager. Please do so for the network services you provide(d). No Samba?
2. If netstat isn't b0rken too, running "netstat -panel -A inet 2>&1|tee -a /tmp/netstat.log" should show whatever is listening.


> - How long ago was this?
> I'm unsure, I looked over logs. [...] the time was 3 days ago.

OK. Time to do the right thing. Please read the stuff below "Please answer the questions you didn't.", carefully, execute and post the logs.
 
Old 12-21-2003, 08:48 AM   #9
Jalalabee
Member
 
Registered: Aug 2003
Distribution: Slackware 10.2
Posts: 102

Original Poster
Rep: Reputation: 15
No Samba, I believe. I also installed a new pkg manager for SW (was going to update last week but it wasn't working for me). 9.0 is ALL I know, that and it JUST came out when I burned the CD.

Also: http://4.5.92.217/~jalal/netlog
 
Old 12-21-2003, 09:14 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Please read the stuff below the line "Please answer the questions you didn't." in my second post carefully, execute and post the (URI of the) logs (or email me the URI and I'll fetch it if you make it a tarball and its size is not in excess of a few megs).

* Looking at what you posted I'd say you could take the chance and run chkrootkit etc from your box w/o booting Knoppix or a rescue cdr/floppy distro, but make sure you DISCONNECT the box from the 'net first. When you're done, run "find / 2>&1|tee find.log", then reboot with Knoppix or a rescue cdr/floppy distro and do a second run of everything, and a second run of the "find" command.
Diff the two resulting lists and if anything is hidden with an LKM (and you didn't boot the kernel from harddisk) chances are you'll see all then.


> ~jalal/netlog
OK. So you have a lot more running than you said... And you're running emech, an IRC bot. Cool. Probably has logs. Try running "pgrep emech -d ',' | xargs -iP lsof -p P 2>&1 | tee emech_lsof.log" after you've done the stuff above. If anything says "(deleted)", you can copy those files out of /proc/(pid of emech)/fd.
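The two list-and-compare steps from this post and from post #8 (a saved netstat run to see what is really listening or connected, and a "find /" taken on the running kernel diffed against one taken from a clean rescue boot to expose LKM-hidden files), as an added shell example that is not from the thread or from unSpawn. It assumes the rescue boot mounts the suspect root on /mnt/suspect (so that prefix is stripped before comparing); the netstat output and the two file lists it works on are constructed for the demo, with TEST-NET addresses in place of real ones.

```shell
#!/bin/sh
# Added example, not from the thread. Two offline comparisons for a suspected
# rootkit: (1) what a saved "netstat -panel -A inet" log says is listening or
# connected, and (2) a "find /" taken on the running (possibly trojaned) kernel
# diffed against one taken from a clean rescue boot. Assumes the rescue boot
# mounted the suspect root on /mnt/suspect; all input below is constructed.

# TCP sockets in LISTEN state: "proto local-address pid/program".
listeners() {
    awk '$6 == "LISTEN" { print $1, $4, $9 }' "$1"
}

# Established TCP connections: "foreign-address pid/program", the quickest way
# to spot a bot such as emech sitting on an IRC server.
connections() {
    awk '$6 == "ESTABLISHED" { print $5, $9 }' "$1"
}

# Paths present in the clean-boot find list but absent from the live one.
# Pseudo filesystems are dropped because their contents differ between boots
# anyway; both lists are sorted in the C locale so comm sees the same order.
hidden_files() {
    live="$1"; clean="$2"; prefix="$3"
    work=$(mktemp -d)
    sed -e "s#^$prefix##" -e 's#^$#/#' "$clean" \
        | grep -vE '^/(proc|sys|dev)(/|$)' | LC_ALL=C sort -u > "$work/clean"
    grep -vE '^/(proc|sys|dev)(/|$)' "$live" | LC_ALL=C sort -u > "$work/live"
    LC_ALL=C comm -13 "$work/live" "$work/clean"
    rm -rf "$work"
}

# --- constructed sample input ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/netstat.log" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    Timer
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          4123       512/httpd           off (0.00/0/0)
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      0          4201       530/perl            off (0.00/0/0)
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          3980       498/named           off (0.00/0/0)
tcp        0      0 192.0.2.5:4411          198.51.100.7:6667       ESTABLISHED 1001       8812       1203/emech          off (0.00/0/0)
udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          3981       498/named
EOF
# find.log from the running kernel; the .s directory is what an LKM rootkit hides.
cat > "$demo_dir/find.live" <<'EOF'
/
/bin
/bin/login
/sbin
/sbin/ifconfig
/var
/var/tmp
/proc
/proc/1
/proc/1203
EOF
# find.log from the rescue boot, where the suspect root is mounted on /mnt/suspect.
cat > "$demo_dir/find.clean" <<'EOF'
/mnt/suspect
/mnt/suspect/bin
/mnt/suspect/bin/login
/mnt/suspect/sbin
/mnt/suspect/sbin/ifconfig
/mnt/suspect/var
/mnt/suspect/var/tmp
/mnt/suspect/var/tmp/.s
/mnt/suspect/var/tmp/.s/bot.conf
/mnt/suspect/proc
EOF

echo "== listening =="; listeners "$demo_dir/netstat.log"
echo "== connected =="; connections "$demo_dir/netstat.log"
echo "== hidden from the running kernel =="
hidden_files "$demo_dir/find.live" "$demo_dir/find.clean" /mnt/suspect
```

With real data, feed listeners and connections the /tmp/netstat.log captured on the live box, and hidden_files the two find.log files (the live one first, then the rescue-boot one with the mount point you used as the third argument). Anything hidden_files prints is worth copying off the read-only mount before any cleanup, since it is exactly what the running kernel was refusing to show.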
 
  

