possibly compromised - what to do?
hi all
I configured my webserver to send me the results of a couple of security scans every night, and for months all was quiet and reassuringly unsurprising - until this morning when one of the commands came back with a different output. this is my crontab
Code:
00 05 * * * /usr/sbin/chkrootkit -q 2>&1 | mail -s chkrootkit my-email@address.com

Code:
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
eth0 is not promisc
eth0:1 is not promisc

The chkrootkit warning is now no longer appearing when I run it - is that a good or a bad sign??? My contract with my ISP is fixed bandwidth, so I can't get any huge bills because of a spammer abusing my server, but I wouldn't want my IP address to get into the spam police's bad books. I'm obviously going to research this as much as I can on google, but can anyone point me at a decent doc or resource on what I can do now?
The first thing to do is to unplug the thing from the network. And to keep you busy reading until one of the real experts comes along, there is a sticky thread at the top of the forum and unSpawn has collected a lot of good forensic links in post #5.
The hidden process warning is a common false positive. In fact there is a note about it on the chkrootkit FAQ. Basically, the hidden process/lkm check compares the output of ps to what is in the list of processes in /proc looking for any discrepancies. Occasionally a short-lived process will terminate in between the two checks and will get flagged. Normally the best option is to immediately re-run chkrootkit and see if it still finds any hidden processes. If it doesn't then it's likely a false positive (which it would appear to be in your case). If it does find hidden processes still, then use chkrootkit -x lkm to produce a list of the hidden processes and see if they look abnormal. In this case, I think you're pretty safe in assuming it is a false positive. Though if you have tripwire or some other file alteration detector, now would be a good time to run a check just to be extra sure.
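The check the reply above describes (the readdir view of /proc compared against what ps reports, then re-run to rule out a process that exited between the two listings) as an added Python example. This is not chkrootkit's own code; the intersect-across-runs logic, the `runs` parameter and the `describe` helper are assumptions about how a practitioner would confirm or dismiss the warning, not something the post prescribes.

```python
import os
import subprocess
from typing import Callable, Optional, Set


def proc_pids() -> Set[int]:
    """The readdir view: every numeric directory name under /proc is a live PID."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids() -> Set[int]:
    """The ps view: PIDs printed by `ps -e`, header suppressed with pid=."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(readdir_view: Set[int], ps_view: Set[int]) -> Set[int]:
    """PIDs that readdir saw but ps did not: what the 'process hidden for ps
    command' message reports.  A process that exits between the two listings
    shows up here exactly once, which is the false positive the FAQ describes."""
    return readdir_view - ps_view


def persistent_hidden(sample: Callable[[], Set[int]], runs: int = 3) -> Set[int]:
    """Intersect the hidden set across several back-to-back samples (assumed
    confirmation step).  A transient PID drops out after one sample; a PID
    present in every sample survived all the races and deserves a closer look."""
    result: Optional[Set[int]] = None
    for _ in range(runs):
        found = sample()
        result = found if result is None else result & found
    return result if result is not None else set()


def describe(pid: int) -> str:
    """Best-effort one-line description from /proc/<pid> for anything that stays
    hidden, the kind of detail you would otherwise look for in `chkrootkit -x lkm`."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        with open(f"/proc/{pid}/status") as fh:
            name = next((ln.split(":", 1)[1].strip()
                         for ln in fh if ln.startswith("Name:")), "?")
    except OSError:
        return f"{pid}: gone (exited before it could be inspected)"
    return f"{pid}: {name} [{cmd or 'no cmdline, likely a kernel thread'}]"


def live_sample() -> Set[int]:
    """One readdir-then-ps comparison against the running system."""
    return hidden_pids(proc_pids(), ps_pids())


if __name__ == "__main__":
    suspects = persistent_hidden(live_sample, runs=3)
    if not suspects:
        print("no process stayed hidden across 3 runs: consistent with a false positive")
    for pid in sorted(suspects):
        print("persistently hidden:", describe(pid))
```

Run it on the host that produced the warning; an empty result across three runs is the same evidence the reply asks for from re-running chkrootkit, while a PID that is hidden every time is the case where the file-integrity check (tripwire or similar) becomes the next step.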
cooliio!! thanks hangdog and caveman. I was late for work and flailing around uselessly. I'm going to check out that tripwire now. I couldn't get on to the server from work either because their firewall blocks my ssh and I haven't figured out whether I can use socks yet.
:) have a good one this w/e