Possibly Cracked....
Earlier today (~5 PM), I noticed my computer running very slowly. I opened top, saw "basename" running using 99% CPU. I looked at the tree view in ksysguard and saw that crond was running it. I took a look at my crontab, nothing out of the ordinary. Took a look at the contents of /etc/cron.*/* (this is on Slackware, daily, hourly, and weekly auto scripts are put in there and run with run-parts, which is how this was being run), and saw this:
Code:
#!/bin/sh

Later, (~8:30 PM) while I was working on my log analyser (in pygtk, tails logs, highlights IPs, click IPs to get info on them such as reverse DNS), I noticed a lot of packets being dropped by my egress firewall rules going OUT of my computer to IPs that were standard DSL, cable, etc. by looking at the reverse DNSs. I started getting suspicious then. I ran rkhunter, and got this:
Code:
Determining OS... Warning: this operating system is not fully supported!

chkrootkit and my own hash databasing script brought up nothing as well. Right now, I'm only on medium-low alert, and just want explanations for three things, and then I'll be certain that this was a false positive.
1) Why was basename running at a weird time under the crond, run-parts processes? Does updatedb call it? I'm almost certain rmmod and logrotate don't.
2) Why was basename using 99% CPU?
3) Why is rkhunter crippled, and how do I fix it? I haven't run rkhunter in a while (1-2 weeks, my status cron script is broken right now so it doesn't automatically email me all the status stuff like it used to), so this might be a problem with some updates on Slackware recently. I tried re-downloading rkhunter, and it's still not working. md5sum is working fine, and rkhunter normally runs fine...
Any ideas for these?
EDIT: I was also thinking of letting my egress filtering go to normal filtering (allow all outgoing) for ~1 week or so and see if my IP shows up on dshield or not.
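The post above leans on a home-grown "hash databasing script" to decide whether the cron directories have been tampered with. The following is an added example of that kind of file-integrity baseline check, not the poster's own script: it records SHA-256, permission bits and size for every regular file under a set of directories, stores that as a JSON baseline, and later reports files that were added, removed or changed. The directory tree it walks in `demo()` is constructed in a temporary directory to stand in for /etc/cron.daily; the file names and contents there are made up for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(directories):
    """Record hash, permission bits and size of every regular file under the
    given directories. Symlinks are skipped rather than followed, so a link
    pointing outside the tree cannot smuggle in a foreign file's hash."""
    db = {}
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                st = os.stat(path)
                db[path] = {
                    "sha256": hash_file(path),
                    "mode": oct(st.st_mode & 0o7777),
                    "size": st.st_size,
                }
    return db


def save_db(db, db_path):
    """Write the baseline as sorted JSON so two runs on an unchanged tree diff cleanly."""
    Path(db_path).write_text(json.dumps(db, indent=1, sort_keys=True))


def load_db(db_path):
    return json.loads(Path(db_path).read_text())


def compare(baseline, current):
    """Classify every path as added, removed, or changed (hash, mode or size differ)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Run the check against a constructed directory standing in for /etc/cron.daily."""
    with tempfile.TemporaryDirectory() as tmp:
        cron_daily = Path(tmp) / "cron.daily"
        cron_daily.mkdir()
        # Constructed sample scripts; names chosen to resemble a Slackware cron.daily
        (cron_daily / "logrotate").write_text("#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n")
        (cron_daily / "slocate").write_text("#!/bin/sh\n/usr/bin/updatedb\n")
        db_path = Path(tmp) / "baseline.json"
        save_db(snapshot([str(cron_daily)]), db_path)  # taken while the box is known-good

        # Simulated later state: one script edited, one unknown script appeared, one removed.
        (cron_daily / "logrotate").write_text("#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n# edited\n")
        (cron_daily / "unknown").write_text("#!/bin/sh\nsleep 1\n")
        (cron_daily / "slocate").unlink()

        report = compare(load_db(db_path), snapshot([str(cron_daily)]))
        # Reduce to basenames so the result does not depend on the temp path
        return {kind: [Path(p).name for p in paths] for kind, paths in report.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is kept: on a box that may already be rooted, a JSON file on the same filesystem can be rewritten along with the scripts it describes, so the copy you compare against should live on read-only media or another host, and the comparison itself should be run from a known-good binary, which is the same reason the thread worries about rkhunter being "crippled".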
Guess what, I was...
http://dshield.org/warning_explanati...&Submit=Submit These are all going in/out on ports that I have allowed. All of that looks like Azureus, so.... fuck me in the ass... I'm not bullshitting, while I was typing this message Azureus just shut down. This computer is getting yanked as soon as I hit submit.
Alright, I'm on another box right now.
This is scary stuff.... I need to change EVERYTHING, every password, every secret key, EVERYTHING.... I'm also informing the Azureus team of a possible security hole. I'm going to try to figure this out through logs.... I'm not immediately wiping that computer. I want to know how it was compromised. I'll report back here with more information if I get it.
Quote:
Yes, it's my IP address. That computer isn't plugged in.
When it finally does get plugged in, the DHCP server would have flushed my MAC address and my IP will have changed. Also, I have a script that changes my IP every time I boot the computer (randomly generated MAC address in memory, instead of the real one).