LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-16-2006, 09:51 AM   #1
devj.nullj
LQ Newbie
 
Registered: Nov 2006
Posts: 2

rootedrooted


Hello All,

I have had Slackware version 10.1.0 installed on an Intel P-IV for some time now and I use this system as a desktop. No particular services are running on this machine except

tcp 37 time
tcp 113 auth
tcp 22 ssh

and occasionally I run X on this system as well and sometimes download email.

Today, I switched on my system and did some usual work. I was busy working with papers and the monitor went off into standby mode. After some time, when I touched the keyboard, the screen came back on. But what made me write this post was the message below that appeared at the prompt:

$ rootedrooted

exactly as above. I don't think that it appeared through some accidental pressing of keys.


(1) How do I determine whether somebody really rooted this machine?

(2) If so, I would like to know what to do next.


Thank you!
 
Old 11-16-2006, 09:57 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

1) use rkhunter and / or chkrootkit to see what's been done.

2) do not use the system again. reinstall.
 
Old 11-16-2006, 10:24 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

1. Get insight. This is the first thing to read and do: the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html. If unsure, run from your distro's rescue CD or a Live CD like KNOPPIX, HELIX or similar.

2. Try to check at least and post info about:
- system, daemon and firewall logs (unusual entries if any),
- auth data (users, logins),
- any IDS data (Snort, Prelude),
- running (and accessible) services and processes at the time and now,
- any setuid root files encountered,
- any audit data from running your distro's package manager in file verification mode, Chkrootkit and Rootkit Hunter,
- user shell histories (unusual entries if any).
Having as much as possible of this information is crucial because otherwise no advice tailored to your situation can be given. Be methodical and please post *exact* messages and not descriptions of them. Add anything else you think could hold a clue or might be beneficial for solving the case.
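Two items from the checklist above (sshd log review and a setuid inventory) in script form, added here as an example and not code from unSpawn, CERT or any project. It assumes syslog-style sshd lines ("sshd[pid]: Accepted ... for USER from IP") on stdin and a directory argument such as a root filesystem mounted read-only from a Live CD; the sample log is constructed.

```shell
#!/bin/sh
# Added example: collect two of the checklist items in a form that can be run
# from a Live CD against a mounted copy of the suspect root filesystem.
# Assumes syslog-style sshd messages; IPs and users below are constructed.

# Summarise sshd activity read from stdin: one "user@source" line per accepted
# login and a failed-attempt count per source. Logins for service accounts
# (bin, nobody, ...) or from unknown sources are what to look for.
ssh_auth_summary() {
    awk '
        /sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "for")  u  = $(i+1)
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            ok[u "@" ip]++
        }
        /sshd\[[0-9]+\]: Failed/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            bad[ip]++
        }
        END {
            for (k in ok)  printf "ACCEPTED %s x%d\n", k, ok[k]
            for (k in bad) printf "FAILED   %s x%d\n", k, bad[k]
        }' | sort
}

# List regular files with the setuid bit under one filesystem (-xdev stops the
# walk at mount points). Diff the output against the same listing taken from a
# clean install of the same package set; anything extra needs explaining.
find_setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Constructed sample log (not from the original post) to try the summary on.
sample_sshd_log() {
    printf '%s\n' \
        'Nov 16 03:12:01 box sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2' \
        'Nov 16 03:12:04 box sshd[2212]: Failed password for bin from 198.51.100.7 port 51010 ssh2' \
        'Nov 16 03:12:09 box sshd[2215]: Accepted password for bin from 198.51.100.7 port 51020 ssh2' \
        'Nov 16 09:40:33 box sshd[2301]: Accepted publickey for dev from 192.168.1.20 port 40122 ssh2'
}

# Usage: sample_sshd_log | ssh_auth_summary ; find_setuid_files /mnt/hda1
```

With the constructed log, the summary shows a successful login for the service account "bin" from the same source that was failing password guesses moments earlier, which is exactly the kind of entry the checklist wants posted verbatim.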
 
Old 11-16-2006, 11:59 AM   #4
devj.nullj
LQ Newbie
 
Registered: Nov 2006
Posts: 2

Original Poster
I have already run chkrootkit-0.47 and rkhunter. When run, chkrootkit told me that


"Warning: crontab for nobody found, possible Lupper.Worm... not infected"


Though when I ran

crontab -u nobody -l

It reported nothing. There was nothing else reported by chkrootkit either.

rkhunter also did not report anything except that it tagged my ssh "vulnerable"
as it supports ssh ver 1.

Currently I am downloading Knoppix. However, I have not used Knoppix before.
So, any pointers on how to use it for this purpose?


The CERT pointer to the intrusion checklist is definitely helpful and I would try
to follow the procedure.

Thanks for your reply.
 
Old 11-16-2006, 01:02 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

It reported nothing. There was nothing else reported by chkrootkit either.
OK. Next.


rkhunter also did not report anything except that it tagged my ssh "vulnerable"
as it supports ssh ver 1.

The question is: is the port publicly accessible?


Currently I am downloading knoppix. However, I have not used knoppix before.
So, any pointer how to use this for the purpose?

Put CDR in drive, burn ISO, reboot box with CDR in drive. Make sure BIOS reads boot from CD first. Then just run KNOPPIX. It's a distro like any other, only on CDR and in RAM.


CERT pointer for intrusion checklist is definitely helpful and I would try to follow the procedure.
Great. Consider it mandatory steps to take.
 
Old 11-17-2006, 12:23 AM   #6
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 901

There were some recent X11 vulnerabilities with fonts, and SSH on port 22 gets hammered all day long; possibly someone hit a user that didn't have a password, or a weak one. It could be users that you don't think of, like "bin" or "smmsp" or "shutdown". Also, could it be possible you had X11 listening on TCP while you had it running? Perhaps you were running with no access restriction so that anyone could display on the server.
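The two conditions jayjwa raises can be checked from copies of the relevant data; the script below is an added example (not jayjwa's or any project's code). It assumes shadow(5) lines and "netstat -ltn"-style output on stdin, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: find accounts usable without a password, and an X server
# bound on its TCP port (6000 + display number). Both functions read stdin so
# that /etc/shadow from a mounted root, or saved netstat output, can be piped in.
# Assumes shadow(5) format and "netstat -ltn" columns (Proto Recv-Q Send-Q
# Local-Address ...); all sample values are constructed.

# Print "user:NO-PASSWORD" for every account whose password field is empty.
# "*", "!" and "!!" mean locked; a hash means a password is set.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 ":NO-PASSWORD" }'
}

# Report TCP listeners on 6000-6063 (X displays :0 to :63) and whether the bind
# is a wildcard, i.e. reachable by any host that can route to the box.
x11_tcp_listeners() {
    awk '$1 ~ /^tcp/ {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 6000 && port <= 6063) {
            anyhost = (a[1] == "0.0.0.0" || a[1] == "" || a[1] == "*")
            printf "%s display :%d %s\n", $4, port - 6000, anyhost ? "ANY-HOST" : "LOCAL"
        }
    }'
}

# Constructed sample inputs (not from the original post).
sample_shadow() {
    printf '%s\n' \
        'root:$1$abcd$constructedhashvalue0000:13467:0:::::' \
        'bin::13467:0:::::' \
        'smmsp:*:13467:0:::::' \
        'dev:$1$wxyz$constructedhashvalue1111:13467:0:99999:7:::'
}
sample_netstat() {
    printf '%s\n' \
        'Proto Recv-Q Send-Q Local Address           Foreign Address         State' \
        'tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN' \
        'tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN' \
        'tcp        0      0 127.0.0.1:113           0.0.0.0:*               LISTEN'
}

# Usage: sample_shadow | empty_password_accounts ; sample_netstat | x11_tcp_listeners
```

On a live box the same functions take `cat /etc/shadow` and `netstat -ltn` as input; in the sample, "bin" has no password and display :0 is reachable from any host, the combination the post describes.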