LinuxQuestions.org


TreeHugger 02-04-2005 03:41 AM

possibly compromised - what to do?
 
hi all

i configured my webserver to send me the results of a couple of security scans every night, and for months all was quiet and reassuringly unsurprising - until this morning when one of the commands comes back with a different output.

this is my crontab

Code:

00 05 * * * /usr/sbin/chkrootkit -q 2>&1 | mail -s chkrootkit my-email@address.com
00 05 * * * /bin/netstat --tcp -pa 2>&1 | mail -s netstat my-email@address.com

And the last one comes back with the following output today:

Code:

You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
eth0 is not promisc
eth0:1 is not promisc

The chkrootkit warning is now no longer appearing when i run it - is that a good or a bad sign???

My contract with my ISP is fixed bandwidth, so I can't get any huge bills because of a spammer abusing my server, but I wouldn't want my IP address to get into the spam police's bad books.

I'm obviously going to research this as much as I can on google, but can anyone point me at a decent doc or resource on what I can do now?

Hangdog42 02-04-2005 07:34 AM

The first thing to do is to unplug the thing from the network. And to keep you busy reading until one of the real experts comes along, there is a sticky thread at the top of the forum and unSpawn has collected a lot of good forensic links in post #5.

Capt_Caveman 02-04-2005 08:30 AM

The hidden process warning is a common false positive. In fact there is a note about it on the chkrootkit FAQ. Basically, the hidden process/lkm check compares the output of ps to what is in the list of processes in /proc looking for any discrepancies. Occasionally a short-lived process will terminate in between the two checks and will get flagged. Normally the best option is to immediately re-run chkrootkit and see if it still finds any hidden processes. If it doesn't then it's likely a false positive (which it would appear to be in your case). If it does find hidden processes still, then use chkrootkit -x lkm to produce a list of the hidden processes and see if they look abnormal. In this case, I think you're pretty safe in assuming it is a false positive. Though if you have tripwire or some other file alteration detector, now would be a good time to run a check just to be extra sure.
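To make the mechanism Capt_Caveman describes concrete, here is an added illustration (not chkrootkit's own code, and simplified compared with its chkproc check) of the /proc-versus-ps comparison and of the "re-run and see if it persists" logic. It reads /proc directly and runs `ps -e -o pid=`; the helper names `hidden_pids`, `classify_rescan` and `scan` are assumptions introduced for this example, and the sample PID sets in the comments are constructed.

```python
"""Approximation of chkrootkit's hidden-process (lkm) check, written as an
added example for this thread. Real chkrootkit (chkproc.c) is more thorough;
this shows only why a short-lived process produces a one-off false positive
and how a second pass separates that from a genuinely hidden PID."""
import os
import subprocess


def pids_from_proc():
    """PIDs visible as numeric directories under /proc (the readdir view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """PIDs reported by ps; `-o pid=` suppresses the header line."""
    out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps: what the lkm check flags.
    Example (constructed): hidden_pids({1, 2, 3, 4}, {1, 2, 4}) == {3}."""
    return set(proc_pids) - set(ps_pids)


def classify_rescan(first_hidden, proc_now, ps_now):
    """Second pass over the PIDs flagged on the first pass.

    'exited'    - PID is gone from /proc: a process that terminated between
                  the readdir and ps snapshots, the common false positive.
    'transient' - PID is back in ps: ps simply ran a moment too early.
    'hidden'    - PID still exists in /proc and is still absent from ps;
                  this is the case worth investigating (chkrootkit -x lkm).
    """
    verdict = {}
    for pid in first_hidden:
        if pid not in proc_now:
            verdict[pid] = "exited"
        elif pid in ps_now:
            verdict[pid] = "transient"
        else:
            verdict[pid] = "hidden"
    return verdict


def scan():
    """Run the check twice, as the post recommends, and return only the PIDs
    that stay hidden across both passes (Linux only: needs /proc and ps)."""
    first = hidden_pids(pids_from_proc(), pids_from_ps())
    if not first:
        return {}
    verdict = classify_rescan(first, pids_from_proc(), pids_from_ps())
    return {pid: v for pid, v in verdict.items() if v == "hidden"}


if __name__ == "__main__":
    persistent = scan()
    if persistent:
        print("PIDs hidden from ps on two consecutive passes:", sorted(persistent))
    else:
        print("No persistently hidden processes (any earlier hit was a race).")
```

The snapshot order matters: /proc is listed first and ps runs second, so a process that exits in between appears only in the /proc set and is flagged, which is exactly the race the FAQ warns about; the ps process itself starts after the /proc listing and is never flagged. A PID that survives the second pass in /proc while still absent from ps is the one to look at by hand.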

TreeHugger 02-04-2005 12:21 PM

cooliio!! thanks hangdog and caveman. I was late for work and flailing around uselessly. I'm going to check out that tripwire now. I couldn't get on to the server from work either because their firewall blocks my ssh and I haven't figured out whether I can use socks yet.

:)

have a good one this w/e

Capt_Caveman 02-04-2005 11:03 PM

Quote:

Originally posted by TreeHugger
I'm going to check out that tripwire now.

Tripwire is really most effective when installed on a new machine that hasn't been networked yet. Since it only detects changes in system critical files, once a machine has been compromised and system files replaced with trojaned versions it's usually too late for tripwire to be as effective. Of course it would detect any further alterations. Something like rootkit hunter might be a bit more useful though, as it compares file checksum values to a database of "known good" values for each distro.
