[SOLVED] Possible connection between traffic control rules & chkrootkit threat notifications
Hello,
Two days ago we started to receive the following message:
/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/lib/init/rw/.mdadm /lib/init/rw/.ramfs
/lib/init/rw/.mdadm
INFECTED (PORTS: 4369)
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
And at about the same time (a day before that) we had set up new rules for the queueing disciplines using 'tc' on our Debian lenny box (these rules are for some of the experiments we are carrying out).
I have run chkrootkit manually and this message (as above) keeps appearing, while the rkhunter tool does not complain about these items.
Could there be a connection between setting up the new qdisc's and the chkrootkit "INFECTED" messages?
Wrt "chkproc: Warning: Possible LKM Trojan installed" see the chkrootkit.org FAQ entry. Wrt port 4369 this points to the Remote Shell Trojan RST.b but only if it's UDP traffic. (An active backdoor may use /dev/hdx.* files which Chkrootkit doesn't check for but Rootkit Hunter does.) Looking at process information and dumping traffic should show whether it's a remote shell or not. If you want to add port white-listing to Chkrootkit, so you don't have to edit the chkrootkit script itself each time you need to add a port exclusion, you could use a patch.
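The two checks recommended in the reply above, "looking at process information" for the flagged port and re-doing chkproc's /proc-versus-ps comparison, as an added shell example. It is not code from the thread or from chkrootkit; it assumes a Linux /proc and root privileges (without root, other users' /proc/<pid>/fd entries are unreadable and the owner lookup comes back empty). For context, 4369/tcp is the registered port of the Erlang port mapper daemon (epmd), a common benign reason for exactly this chkrootkit report; the script shows what is actually bound rather than assuming either way. The hidden-process check samples twice, because a process that exits between chkproc's /proc scan and its ps run is reported as "hidden" once, while a kernel-level rootkit hides the same PID every time.

```shell
#!/bin/sh
# Triage helpers for a chkrootkit "INFECTED (PORTS: 4369)" plus "N process
# hidden for ps command" report. Added example, not from the thread or from
# chkrootkit; assumes a Linux /proc. Run as root so every /proc/<pid>/fd is
# readable.

# tcp_listen_inodes PORT [TABLE]
# Print the socket inode of each TCP socket in LISTEN state (st == 0A) bound
# to PORT. TABLE is a file in /proc/net/tcp format (default: the live table;
# pass /proc/net/tcp6 as well to cover IPv6 listeners).
tcp_listen_inodes() {
    port=$1
    table=${2:-/proc/net/tcp}
    hexport=$(printf '%04X' "$port")         # 4369 -> 1111
    awk -v hp="$hexport" 'NR > 1 {
        split($2, la, ":")                   # local_address is ADDR:PORT in hex
        if (la[2] == hp && $4 == "0A") print $10   # $10 is the socket inode
    }' "$table"
}

# pids_for_inode INODE
# Map a socket inode to the PID(s) whose fd table holds it.
pids_for_inode() {
    inode=$1
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$inode]" ]; then
            pid=${fd#/proc/}
            echo "${pid%%/*}"
        fi
    done | sort -un
}

# who_listens PORT
# For each listener on PORT print: pid, executable path, command line.
# A deleted or unexpected executable path is what to look at first.
who_listens() {
    for ino in $(tcp_listen_inodes "$1"); do
        for pid in $(pids_for_inode "$ino"); do
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
        done
    done
}

# hidden_pids PROC_LIST PS_LIST
# chkproc-style comparison: PIDs present in PROC_LIST (taken from /proc) but
# absent from PS_LIST (taken from ps). Both files must be sorted with plain
# `sort`, as comm requires.
hidden_pids() {
    comm -23 "$1" "$2"
}

# live_hidden_pids
# Sample /proc and ps twice, one second apart, and report only PIDs that were
# "hidden" in both samples, which filters out processes that merely exited
# between the two readings.
live_hidden_pids() {
    tmp=$(mktemp -d) || return 1
    for n in 1 2; do
        ls /proc | grep -E '^[0-9]+$' | sort > "$tmp/proc$n"
        ps -e -o pid= | tr -d ' ' | sort > "$tmp/ps$n"
        hidden_pids "$tmp/proc$n" "$tmp/ps$n" > "$tmp/hidden$n"
        if [ "$n" -eq 1 ]; then sleep 1; fi
    done
    comm -12 "$tmp/hidden1" "$tmp/hidden2"
    rm -rf "$tmp"
}

# Usage (as root):
#   who_listens 4369
#   live_hidden_pids
```

If `who_listens 4369` names a packaged daemon whose binary passes `debsums`, and `live_hidden_pids` prints nothing across several runs, both chkrootkit findings are explained; a PID that stays hidden on every run, or a listener whose executable is not accounted for by any package, is the case to treat as a compromise and capture traffic for.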
The rkhunter outcome is a bit worrisome, especially now that you mentioned a possible backdoor through /dev/hdx.*, since I am getting warnings on /dev and some other checks. Here is a snippet of the rkhunter output:
Code:
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for local startup files [ Found ]
Checking local startup files for malware [ None found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ Warning ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Not allowed ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ None found ]
[Press <ENTER> to continue]
Checking application versions...
Checking version of GnuPG [ Warning ]
Checking version of OpenSSL [ Warning ]
Checking version of PHP [ OK ]
Checking version of OpenSSH [ Warning ]
I haven't noticed an RST.b-type trojan being mentioned by either chkrootkit or rkhunter.
The /var/log/rkhunter.log shows that the warning associated with /dev is the following:
Quote:
[16:45:02] Checking /dev for suspicious file types [ Warning ]
[16:45:02] Warning: Suspicious file types found in /dev:
[16:45:02] /dev/shm/network/ifstate: ASCII text
[16:45:02] Checking for hidden files and directories [ None found ]
The same log file also tells me that my account and another colleague's are passwordless on this machine, even though we use passwords to log in, and have the following two rules in our sshd_config file:
Quote:
PermitEmptyPasswords no
PasswordAuthentication yes
If you've verified the binary to be "known good" then it's all good.
Quote:
Originally Posted by brownflamigo1
The /var/log/rkhunter.log shows that the warning associated with /dev is the following:
Code:
[16:45:02] /dev/shm/network/ifstate: ASCII text
If "/dev/shm/network/ifstate" is a "known good" file (Debian, Ubuntu?) then you could white-list it. For white-listing options please see the RKH config, docs or rkhunter-user mailing list archives.
Quote:
Originally Posted by brownflamigo1
The same log file also tells me that my and another colleague's account is password-less on this machine, even though we use passwords to log in
If you do not run RKH 1.3.6 then please upgrade and test again, elif you run RKH 1.3.6 then please open a ticket at Sourceforge and attach your debug log.
On a couple of past occasions, I have seen an update to an Ubuntu system leave "stubs" in /dev that cause chkrootkit to declare Trojan warnings. Rebooting the system clears out those files and the warnings disappear.
If you do not run RKH 1.3.6 then please upgrade and test again, elif you run RKH 1.3.6 then please open a ticket at Sourceforge and attach your debug log.
Have done so, and still get the message regarding "passwordless users".
In addition, I started to get the following message:
I have also run debsums, and no changed or missing sums were detected.
Good. Now you can safely white-list file locations.
Quote:
Originally Posted by brownflamigo1
Code:
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Xzibit Rootkit
The rkhunter.log holds the details. Same procedure: verify integrity, white-list target if "known good".
Quote:
Originally Posted by brownflamigo1
(..) still get the message regarding "passwordless users".(..) Just posted the log file from a debug mode (--debug) rkhunter check.
You didn't add the *debug* log but the regular rkhunter.log. Try a white-list of "PWDLESS_ACCOUNTS=+". If that works then there is no apparent need to attach the debug log.
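The "verify integrity, white-list target if known good" procedure from the replies above (the /dev/shm/network/ifstate warning and the passwordless-account warning), as an added shell example that is not rkhunter's own code. It assumes the rkhunter.conf option names ALLOWDEVFILE and PWDLESS_ACCOUNTS (both real rkhunter options) and the Debian config path /etc/rkhunter.conf. The first function is the minimum bar a file in /dev should clear before anyone whitelists it; it does not prove the file is harmless, it only refuses the cases that should never be whitelisted (executable, setuid/setgid, world-writable, or non-text content masquerading as a state file). The second prints the config lines so they can be reviewed before being appended.

```shell
#!/bin/sh
# Added example for this thread's rkhunter whitelisting advice; not rkhunter's
# code. Assumes GNU stat and the rkhunter.conf options ALLOWDEVFILE and
# PWDLESS_ACCOUNTS.

# devfile_looks_benign FILE [OWNER_UID]
# Return 0 only when FILE is a regular, non-executable, non-setuid/setgid,
# not world-writable printable-text file owned by OWNER_UID (default 0, root).
# Anything else is refused: such a file is not a candidate for ALLOWDEVFILE.
devfile_looks_benign() {
    f=$1
    want_uid=${2:-0}
    [ -L "$f" ] && return 1          # symlinks into /dev are not state files
    [ -f "$f" ] || return 1          # regular file only, no devices/dirs
    [ -x "$f" ] && return 1          # executable content under /dev is a red flag
    [ -u "$f" ] && return 1          # setuid
    [ -g "$f" ] && return 1          # setgid
    uid=$(stat -c %u "$f") || return 1
    [ "$uid" -eq "$want_uid" ] || return 1
    perms=$(stat -c %a "$f") || return 1
    case "$perms" in *[2367]) return 1 ;; esac   # world-writable (last octal digit)
    # rkhunter reported "ASCII text"; refuse anything with non-printable bytes
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then return 1; fi
    return 0
}

# rkhunter_whitelist_lines DEVFILE [ACCOUNT...]
# Print the rkhunter.conf lines that exempt DEVFILE from the /dev check and
# the named accounts from the passwordless-account check. Review the output,
# append it to /etc/rkhunter.conf, then re-run rkhunter.
rkhunter_whitelist_lines() {
    devfile=$1
    shift
    printf 'ALLOWDEVFILE=%s\n' "$devfile"
    if [ $# -gt 0 ]; then
        printf 'PWDLESS_ACCOUNTS=%s\n' "$*"
    fi
}

# Usage (as root), for the file and warning discussed in this thread:
#   if devfile_looks_benign /dev/shm/network/ifstate; then
#       rkhunter_whitelist_lines /dev/shm/network/ifstate alice bob >> /etc/rkhunter.conf
#   fi
#   rkhunter -C && rkhunter --check --sk
```

Before adding an account to PWDLESS_ACCOUNTS, confirm with `passwd -S <user>` that the account really does have a password set (status `P`); the whitelist silences the warning, it does not fix an actually empty password field.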