LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-24-2003, 06:30 PM   #1
Fireice
LQ Newbie
 
Registered: Dec 2003
Location: UK
Distribution: Debian woody
Posts: 8

Rep: Reputation: 0
localhost=81.6.33.181 - WTF???


Take a look at that:

[root@81 root]# mail root@localhost -s foo < /dev/null
Null message body; hope that's ok
[root@81 root]# mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/root": 1 message 1 new
>N 1 MAILER-DAEMON@localh Wed Dec 24 02:43 111/3762 "Postmaster notify: see transcript for details"
& 1
Message 1:

[...]

The original message was received at Wed, 24 Dec 2003 02:43:54 GMT
from localhost
with id hBO2hs2u010464

----- The following addresses had permanent fatal errors -----
<root@81.6.33.181>
(reason: 550 Host unknown)

----- Transcript of session follows -----
550 5.1.2 <root@81.6.33.181>... Host unknown (Name server: 81.6.33.181: host not found)

--hBO2hs2v010464.1072233834/localhost.localdomain
Content-Type: message/delivery-status

Reporting-MTA: dns; localhost.localdomain
Received-From-MTA: DNS; localhost.localdomain
Arrival-Date: Wed, 24 Dec 2003 02:43:54 GMT

Final-Recipient: RFC822; root@81.6.33.181
Action: failed
Status: 5.1.2
Remote-MTA: DNS; 81.6.33.181
Diagnostic-Code: SMTP; 550 Host unknown
Last-Attempt-Date: Wed, 24 Dec 2003 02:43:54 GMT

--hBO2hs2v010464.1072233834/localhost.localdomain
Content-Type: message/rfc822

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
by localhost.localdomain (8.12.8/8.12.8) id hBO2hs2u010464;
Wed, 24 Dec 2003 02:43:54 GMT
Date: Wed, 24 Dec 2003 02:43:54 GMT
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <200312240243.hBO2hs2u010464@localhost.localdomain>
To: <root@81.6.33.181>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="hBO2hs2u010464.1072233834/localhost.localdomain"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--hBO2hs2u010464.1072233834/localhost.localdomain

The original message was received at Wed, 24 Dec 2003 02:43:54 GMT
from localhost.localdomain [127.0.0.1]

[...]

Received: (from root@localhost)
by 81.6.33.181 (8.12.8/8.12.8/Submit) id hBO2hslT010460
for root@localhost; Wed, 24 Dec 2003 02:43:54 GMT
Date: Wed, 24 Dec 2003 02:43:54 GMT
From: root <root@81.6.33.181>
Message-Id: <200312240243.hBO2hslT010460@81.6.33.181>
To: root@81.6.33.181
Subject: foo


--hBO2hs2u010464.1072233834/localhost.localdomain--


--hBO2hs2v010464.1072233834/localhost.localdomain--

& q
Saved 1 message in mbox
[root@81 root]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
[root@81 root]# ping localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.089 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.085 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.105 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.126 ms

--- localhost.localdomain ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3033ms
rtt min/avg/max/mdev = 0.085/0.101/0.126/0.017 ms
[root@localhost root]# nmap -sT -O -p- -PI -PT 127.0.0.1

Starting nmap 3.48 ( ) at 2003-12-24 03:04 GMT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 65526 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
3003/tcp open unknown
5555/tcp open freeciv
6000/tcp open X11
32768/tcp open unknown <- I have no idea what this one is for
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.258 days (since Tue Dec 23 20:54:04 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 7.821 seconds

[root@81 root]#

Before you ask, no it isn't my ip. I've scanned my system with chkrootkit, and it didn't find anything.
Is it a hacker or did I change something without even knowing it (it isn't very probable, but possible, Linux newb here)? And how do I get my localhost back?
 
Old 12-24-2003, 06:38 PM   #2
Technoslave
Member
 
Registered: Dec 2003
Location: Northern VA
Posts: 493

Rep: Reputation: 30
I saw everything but what one would really need to check

ifconfig -a

You can also always give a go with a good grep -R ip.address.here /etc/* to see where you're getting this IP from.

Doing stuff from the perspective of localhost does just about zippy.
 
Old 12-24-2003, 08:42 PM   #3
Fireice
LQ Newbie
 
Registered: Dec 2003
Location: UK
Distribution: Debian woody
Posts: 8

Original Poster
Rep: Reputation: 0
[root@81 root]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:30:BD:297:8C
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:385788 errors:0 dropped:0 overruns:0 frame:0
TX packets:405451 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:26503687 (25.2 Mb) TX bytes:112767957 (107.5 Mb)
Interrupt:5 Base address:0xd000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:524815 errors:0 dropped:0 overruns:0 frame:0
TX packets:524815 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:26441828 (25.2 Mb) TX bytes:26441828 (25.2 Mb)

ppp0 Link encap:Point-to-Point Protocol
inet addr:*.*.*.* P-t-P:195.149.20.11 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1501 Metric:1
RX packets:153040 errors:0 dropped:0 overruns:0 frame:0
TX packets:161092 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:95056199 (90.6 Mb) TX bytes:11539034 (11.0 Mb)

Can't see anything unusual here.

---- Edit:
Only interesting thing that grep shows is:
/etc/portsentry/portsentry.history:1072204464 - 12/23/2003 18:34:24 Host: zux006-033-181.adsl.green.ch/81.6.33.181 Port: 135 TCP Blocked



Last edited by Fireice; 12-24-2003 at 08:48 PM.
 
Old 12-27-2003, 01:38 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Sounds like your mailing agent is the only thing that is resolving hostnames improperly. Check out all the files in /etc/mail that are used to resolve hostnames (local-host-names, etc) and see if any of those have localhost set to something different. Also, I find it odd that the hostname of your machine is 81, while the first octet of that ip address is 81. Is that just coincidence or has your hostname been changed as well?
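An added example, not from the thread, that illustrates the hostname point raised above: bash expands `\h` in the prompt to the hostname up to the first dot, so a hostname set to "81.6.33.181" would show up as "[root@81 root]#" in a Red Hat style prompt. The script implements that truncation and then checks the usual places a hostname is configured (/etc/hostname, /etc/mailname, HOSTNAME= in /etc/sysconfig/network and sendmail's /etc/mail/local-host-names; typical default locations assumed here, not taken from the poster's system) for IP literals and for names missing from /etc/hosts. The two directory trees it runs against are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why a hostname of "81.6.33.181"
# appears as "81" in the prompt, and checks the files a hostname is usually set
# in. The file locations are typical defaults, assumed rather than taken from
# the poster's machine.

# bash expands \h in PS1 to the hostname up to the first dot, so a hostname
# of "81.6.33.181" yields a prompt of "[root@81 root]#".
prompt_host() {
    printf '%s\n' "${1%%.*}"
}

# True (exit 0) when $1 is a dotted-quad IPv4 literal rather than a name.
looks_like_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Print "source:value" for every hostname setting found under root $1
# ("/" on a live system, or a mounted copy of a suspect disk).
hostname_sources() {
    root=${1:-/}
    [ "$root" = / ] && printf 'running:%s\n' "$(uname -n)"
    [ -r "$root/etc/hostname" ] && printf '/etc/hostname:%s\n' "$(head -n 1 "$root/etc/hostname")"
    [ -r "$root/etc/mailname" ] && printf '/etc/mailname:%s\n' "$(head -n 1 "$root/etc/mailname")"
    if [ -r "$root/etc/sysconfig/network" ]; then
        sed -n 's/^HOSTNAME=//p' "$root/etc/sysconfig/network" | sed 's|^|/etc/sysconfig/network:|'
    fi
    if [ -r "$root/etc/mail/local-host-names" ]; then
        grep -v '^#' "$root/etc/mail/local-host-names" | sed 's|^|/etc/mail/local-host-names:|'
    fi
    return 0
}

# Warn about every configured name that is an IPv4 literal or has no entry in
# /etc/hosts (the local name should resolve there even without DNS).
# Returns 1 if anything was flagged, 0 when clean.
check_hostname_tree() {
    root=${1:-/}
    rc=0
    for entry in $(hostname_sources "$root"); do
        file=${entry%%:*}
        name=${entry#*:}
        if looks_like_ipv4 "$name"; then
            printf 'WARNING: %s sets the hostname to the IP literal %s\n' "$file" "$name"
            rc=1
        elif ! grep -qwF -- "$name" "$root/etc/hosts" 2>/dev/null; then
            printf 'WARNING: %s name %s has no /etc/hosts entry\n' "$file" "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed trees for the demo: one resembling the symptoms in the thread,
# one clean.
bad=$(mktemp -d); mkdir -p "$bad/etc/mail"
printf '127.0.0.1 localhost.localdomain localhost\n' > "$bad/etc/hosts"
printf '81.6.33.181\n' > "$bad/etc/hostname"
printf 'localhost\n81.6.33.181\n' > "$bad/etc/mail/local-host-names"

good=$(mktemp -d); mkdir -p "$good/etc/mail"
printf '127.0.0.1 localhost.localdomain localhost\n' > "$good/etc/hosts"
printf 'localhost.localdomain\n' > "$good/etc/hostname"
printf 'localhost\n' > "$good/etc/mail/local-host-names"

echo "prompt would show: $(prompt_host 81.6.33.181)"
check_hostname_tree "$bad" || echo "constructed tree flagged, as expected"
check_hostname_tree "$good" && echo "clean tree passes"
```

Run it with no arguments for the demo, or call `check_hostname_tree /` on a live system (or on the mount point of a disk taken from a suspect machine) to list every file that would have to be edited to get the name back to localhost.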
 
Old 12-27-2003, 01:56 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
As a side note, that sounds suspiciously like someone tried to redirect the system logs so that root wouldn't see them. Chkrootkit will tell you if a rootkit/trojan or sniffer is present, but there are plenty of good old fashioned ways to hack a system. Check all of your system logs (esp. security ones) for abnormal activity. Take a look at any other returned syslog messages, as those are likely to contain what, if anything, a potential intruder would be trying to hide. Also check and see if you have any new users or if any users now have a UID of 0. Look at things like root's .bash_history, and at login activity. Check the output of netstat -al for the presence of a backdoor or listener. Could just be that something got changed by accident, but it does sound kind of suspicious.
 
Old 12-28-2003, 06:48 PM   #6
Fireice
LQ Newbie
 
Registered: Dec 2003
Location: UK
Distribution: Debian woody
Posts: 8

Original Poster
Rep: Reputation: 0
OK, I'm getting seriously worried....
The redirection disappeared.

@ Capt_Caveman
81. shouldn't have been there - I was working on the machine.
That ip also showed up in the tripwire report (which is unfortunately next to useless because I up-to-dated my system a day or so b4 the problem)

Right now my box is offline (nothing connected with the hacker, a hardware problem + loooong delivery )

As I said, I've checked my system with chkroot already, and it showed no positives. Is it possible that i've been rootkited with something that it doesn't detect?

I'm not terribly keen on reinstalling the system (it took me quite a long time to get modem drivers working). Is there any way of removing that rootkit without doing that (My bet is that it listens on 32768, but it's supposed to be confined to my local network by the firewall).
 
Old 12-28-2003, 08:44 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
> @ Capt_Caveman
> 81. shouldn't have been there - I was working on the machine.

Not sure what you mean by that.

> That ip also showed up in the tripwire report (which is unfortunately next to useless because I up-to-dated my system a day or so b4 the problem)

The tripwire report by itself is probably not very helpful, but what do you mean by the "IP also showed up"? If you could post the relevant portion of the tripwire report, that might help.

> Right now my box is offline (nothing connected with the hacker, a hardware problem + loooong delivery )

You should probably keep it offline until you're absolutely sure that it's clean.

> As I said, I've checked my system with chkroot already, and it showed no positives. Is it possible that i've been rootkited with something that it doesn't detect?

Yes, it is possible but not very likely. As far as rootkit identification, chkrootkit looks for certain characteristic filenames, but it also looks for deleted log entries, promiscuous interfaces, hidden processes, etc. So it's not limited to certain rootkit fingerprints exclusively. And as I said before, your system could have been hacked and rooted without a rootkit being installed at all. Rootkits are just a convenient toolbox for cracking, so you shouldn't focus so much on that as you should on what's in your logs or often more importantly, what's missing from your logs.

> Is there any way of removing that rootkit without doing that (My bet is that it listens on 32768, but it's supposed to be confined to my local network by the firewall).

What makes you think that port? Again if you could post any relevant info, that would help. If your system has been compromised, whether a rootkit was installed or not, you should do a full reinstall from scratch. I know that sucks, but would you rather have someone else observing what you're doing at any moment, logging every keystroke, or even worse attacking other computers from your box?

> I'm not terribly keen on reinstalling the system (it took me quite a long time to get modem drivers working)

While everything is pretty suspicious, I don't think there's proof one way or the other. Post all the stuff that leads you to believe that and hopefully we can find out what's up.
 
Old 12-29-2003, 08:13 AM   #8
Fireice
LQ Newbie
 
Registered: Dec 2003
Location: UK
Distribution: Debian woody
Posts: 8

Original Poster
Rep: Reputation: 0
> 81. shouldn't have been there - I was working on the machine.
> Not sure what you mean by that.

Normally I get root@localhost, not root@81.

> That ip also showed up in the tripwire report (which is unfortunately next to useless because I up-to-dated my system a day or so b4 the problem)
> The tripwire report by itself is probably not very helpful, but what do you mean by the "IP also showed up"? If you could post the relevant portion of the tripwire report, that might help.

Tripwire key files have names ending in localhost.localdomain. When I tried to do a check with default settings it tried to use that ip in the filename.
In the header of the tripwire report there is some info about the person who started the check, it includes ip address. Normally it was localhost, but it got changed as well.

> Is there any way of removing that rootkit without doing that (My bet is that it listens on 32768, but it's supposed to be confined to my local network by the firewall).
> What makes you think that port? Again if you could post any relevant info, that would help.

Look at my first post - I've done an nmap scan, and it shows that it's open.

Last edited by Fireice; 12-29-2003 at 08:19 AM.
 
Old 12-29-2003, 12:17 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
> Normally I get root@localhost, not root@81.

OK. Check root's .bash_history to see if it was changed from the command line:

cat /root/.bash_history | grep hostname

Also looking at the first tripwire report with 81 as the hostname or the last successful tripwire report should tell you approximately when it was changed. Also if the hostname is back to normal, do a tripwire check to see what (if anything) has changed. If the hostname is still wrong, change it back or tell tripwire which file to use as the database.

> Look at my first post - I've done an nmap scan, and it shows that it's open.

My bad. See what is using that port:

lsof -i
netstat -al

Any new users? Use this to look for users with root privileges:

awk -F: '$3==0 {print $1}' /etc/passwd

It should only print out "root". Any other abnormalities in /var/log/secure or /var/log/messages? Things like error messages or application panics can be a tip off.
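The checks suggested in posts #2, #5 and #9 (grep for the address under /etc, accounts with UID 0, hostname commands in root's history, and what is listening compared with what should be) collected into one script as an added example, not from the thread. Each check is a function that takes the file or directory to inspect as an argument, so it can be pointed at copies of a suspect system's files rather than at the live box. The passwd file, history, portsentry log and netstat output it runs on are constructed for the demo, and the allow-list of expected ports is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): the checks suggested in posts #2, #5
# and #9 as functions that take the file or directory to inspect, so they can
# be pointed at copies of a suspect system's files. All sample inputs below
# are constructed for the demo; the allow-list of expected ports is assumed.

# Accounts other than "root" with UID 0 (post #9's awk one-liner, narrowed
# to the abnormal entries).
extra_uid0() {   # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# History lines that ran the hostname command (post #9's grep), whether at
# the start of the line or after ; & |.
hostname_changes() {   # $1 = .bash_history file
    grep -E '(^|[;&| ])hostname( |$)' "$1"
}

# Files below a directory that contain an address (post #2's grep -R).
mentions_of() {   # $1 = address, $2 = directory
    grep -rlF -- "$1" "$2" 2>/dev/null
}

# Listening TCP ports in saved `netstat -tln` output that are not in the
# space-separated allow-list (post #9's netstat/lsof step, automated).
unexpected_listeners() {   # $1 = netstat output file, $2 = "22 25 631"
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            p = $4; sub(/.*:/, "", p)          # port is after the last colon
            if (!(p in ok) && !seen[p]++) print p
        }' "$1"
}

# ---- constructed sample data ----
work=$(mktemp -d)
mkdir -p "$work/etc/portsentry"
cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
fireice:x:500:500::/home/fireice:/bin/bash
sysadm:x:0:0::/:/bin/bash
EOF
cat > "$work/bash_history" <<'EOF'
ls -la /var/log
hostname 81.6.33.181
cat /etc/hostname
EOF
printf '127.0.0.1 localhost.localdomain localhost\n' > "$work/etc/hosts"
printf '1072204464 - 12/23/2003 18:34:24 Host: zux006-033-181.adsl.green.ch/81.6.33.181 Port: 135 TCP Blocked\n' \
    > "$work/etc/portsentry/portsentry.history"
cat > "$work/netstat.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
EOF

echo "UID 0 accounts besides root: $(extra_uid0 "$work/passwd")"
echo "hostname commands in history: $(hostname_changes "$work/bash_history")"
echo "files mentioning 81.6.33.181: $(mentions_of 81.6.33.181 "$work/etc")"
echo "listeners outside allow-list: $(unexpected_listeners "$work/netstat.txt" '22 25 631')"
```

On a host that may have been rooted, awk, grep and netstat themselves can have been replaced, so run these functions from a trusted boot medium or against copies of the files rather than trusting the host's own tools; that is also why the advice in the thread to keep the machine offline until it is known to be clean matters.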
 
All times are GMT -5. The time now is 03:38 AM.