LinuxQuestions.org


Aeiri 02-20-2005 10:47 PM

Possibly Cracked....
 
Earlier today (~5 PM), I noticed my computer running very slowly. I opened top, saw "basename" running using 99% CPU. I looked at the tree view in ksysguard and saw that crond was running it. I took a look at my crontab, nothing out of the ordinary. Took a look at the contents of /etc/cron.*/* (this is on Slackware, daily, hourly, and weekly auto scripts are put in there and run with run-parts, which is how this was being run), and saw this:

Code:

# three separate run-parts scripts from /etc/cron.*/, shown one after another
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf
#!/bin/sh
/usr/bin/updatedb -c
#!/bin/sh
/sbin/rmmod -as

Nothing out of the ordinary at ALL, but basename was running (not in there) at a weird time (5 PM shouldn't have anything running via cron)... at this point I didn't think much of it, and killed the process and went on with what I was doing.

Later (~8:30 PM), while I was working on my log analyser (in pygtk, tails logs, highlights IPs, click IPs to get info on them such as reverse DNS), I noticed a lot of packets being dropped by my egress firewall rules going OUT of my computer to IPs that were standard DSL, cable, etc. by looking at the reverse DNSs. I started getting suspicious then. I ran rkhunter, and got this:

Code:

Determining OS... Warning: this operating system is not fully supported!
Ready
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!

Checking binaries
* Selftests
    Strings (command)

...etc...etc...etc...

I immediately locked down my computer at that point (unplugged my ethernet cord, turned on "unplugged" firewall mode so that even if the cord magically plugged itself back in nothing was going to go in or out). I then looked at the processes running, (I know, I have a proper rootkit installed and this doesn't matter), took a look at netstat, etc. I found out that "wget" had a socket open. Looked at "ps aux | grep wget" and saw that wget was running with identical switches to my Slackware updating bash script I wrote, and downloading a file that wget downloads on my updating script. I took a look at the rules again, and noticed that they were on ports tor uses (9030), but I have blocked (I have 9001-9009 or so allowed), and so those logs I've ruled out as false positives, too.

chkrootkit and my own hash databasing script brought up nothing as well.

Right now, I'm only on medium-low alert, and just want explanations for three things, and then I'll be certain that this was a false positive.

1) Why was basename running at a weird time under the crond, run-parts processes? Does updatedb call it? I'm almost certain rmmod and logrotate don't.

2) Why was basename using 99% CPU?

3) Why is rkhunter crippled, and how do I fix it? I haven't run rkhunter in a while (1-2 weeks, my status cron script is broken right now so it doesn't automatically email me all the status stuff like it used to), so this might be a problem with some updates on Slackware recently.

I tried re-downloading rkhunter, and it's still not working. md5sum is working fine, and rkhunter normally runs fine...

Any ideas for these?

EDIT: I was also thinking of letting my egress filtering go to normal filtering (allow all outgoing) for ~1 week or so and see if my IP shows up on dshield or not.
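The post relies on eyeballing /etc/cron.*/* and on a home-grown "hash databasing script" to decide whether the cron scripts were tampered with. The following is an added example, not the poster's script: it takes a SHA-256 baseline of every file matching a set of globs and reports what was added, removed or modified later. The demo runs against a constructed temporary directory standing in for /etc/cron.daily; the file names inside it (logrotate, slocate, extra) are hypothetical.

```python
import glob, hashlib, os, shutil, tempfile

def snapshot(patterns):
    """Map every regular, non-symlink file matching the globs to its SHA-256."""
    snap = {}
    for pat in patterns:
        for path in glob.glob(pat):
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as f:
                    snap[path] = hashlib.sha256(f.read()).hexdigest()
    return snap

def compare(baseline, current):
    """Report files that appeared, vanished or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def write(path, text):
    with open(path, "a") as f:   # "a" creates the file if it does not exist
        f.write(text)

def demo():
    """Constructed stand-in for /etc/cron.*/*: take a baseline, then detect changes."""
    root = tempfile.mkdtemp()
    try:
        daily = os.path.join(root, "cron.daily")
        os.makedirs(daily)
        # hypothetical file names; contents mirror the scripts quoted in the post
        write(os.path.join(daily, "logrotate"),
              "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n")
        write(os.path.join(daily, "slocate"), "#!/bin/sh\n/usr/bin/updatedb -c\n")
        patterns = [os.path.join(root, "cron.*", "*")]
        baseline = snapshot(patterns)           # keep the real one on read-only media
        # later: one script gains a line and a new script appears
        write(os.path.join(daily, "slocate"), "# appended after the baseline\n")
        write(os.path.join(daily, "extra"), "#!/bin/sh\n")
        report = compare(baseline, snapshot(patterns))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
    finally:
        shutil.rmtree(root)
```

On a real system the baseline must live somewhere the host cannot rewrite (removable or read-only media), since a compromised box can update its own hash database as easily as its cron scripts.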

Aeiri 02-21-2005 09:19 PM

Guess what, I was...

http://dshield.org/warning_explanati...&Submit=Submit

These are all going in/out on ports that I have allowed. All of that looks like Azureus, so.... fuck me in the ass...

I'm not bullshitting, while I was typing this message Azureus just shut down. This computer is getting yanked as soon as I hit submit.

Aeiri 02-21-2005 09:30 PM

Alright, I'm on another box right now.

This is scary stuff.... I need to change EVERYTHING, every password, every secret key, EVERYTHING....

I'm also informing the Azureus team of a possible security hole.

I'm going to try to figure this out through logs.... I'm not immediately wiping that computer. I want to know how it was compromised.

I'll report back here with more information if I get it.

gbhil 02-21-2005 10:26 PM

Quote:

Originally posted by Aeiri
Guess what, I was...

DELETED URL

These are all going in/out on ports that I have allowed. All of that looks like Azureus, so.... fsck me in the ass...

I'm not bullshitting, while I was typing this message Azureus just shut down. This computer is getting yanked as soon as I hit submit.

You did know that url you posted shows YOUR IP address? Not a wise choice if you think you're being yanked with. I suggest you remove it;)

Aeiri 02-22-2005 08:15 AM

Yes, it's my IP address. That computer isn't plugged in.

When it finally does get plugged in, the DHCP server would have flushed my MAC address and my IP will have changed.

Also, I have a script that changes my IP every time I boot the computer (randomly generated MAC address in memory, instead of the real one).

