LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-16-2005, 06:28 PM   #1
synaptical (Senior Member)
rootkit: infected??? help


I think my web server might be compromised, but I'm not sure. chkrootkit says there's a packet sniffer on eth0:

eth0: PACKET SNIFFER(/sbin/dhclient[1963])

And when I just ran it again, I also get an infected message:

Checking `bindshell'... INFECTED (PORTS: 1524)

I don't want to panic just yet because the stuff I googled said the bindshell thing can be a false positive. The bad news is I'm not running portsentry or klaxon, so maybe it's a true positive. OTOH, nothing seems to be affected: no weird log activity, nothing in the .bash_history files, no bandwidth issues.

What steps should I take to make sure I'm okay?
 
Old 05-16-2005, 07:04 PM   #2
Matir (LQ Guru)
The first one is a normal false positive caused by the dhcp client. The second one, I would be worried about. Very worried.
 
Old 05-16-2005, 07:12 PM   #3
synaptical (Senior Member, Original Poster)
I installed snort, and now that's showing up in the eth0 result as being packet sniffed too, so I think you're right about dhclient being an FP. And strangely, chkrootkit now doesn't return the warning for bindshell. So I think that must have also been an FP, but I'll keep my eye on it. Thanks.
 
Old 05-16-2005, 07:36 PM   #4
Matir (LQ Guru)
Both snort and dhclient show up as packet sniffers because, I believe, they force the interface into promiscuous mode. I do believe that recent versions of dhclient have this fixed, so upgrading that might at least reduce the false positives.
 
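Added example (editor's, not code from anyone in this thread): what chkrootkit's ifpromisc test reports as "eth0: PACKET SNIFFER(exe[pid])" on Linux is a process holding an AF_PACKET socket, which it finds by reading /proc/net/packet and mapping each socket inode back to a process through /proc/PID/fd. dhclient needs such a raw socket to receive DHCP replies before the interface has an address, and snort opens one to capture, which is why both show up. The interface's PROMISC flag is a separate, stronger signal and is checked separately. The script below reproduces both checks; the /proc/net/packet table embedded in it is constructed sample data, and the --live mode needs root so that other users' fd directories can be read.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce what chkrootkit's ifpromisc
# test reports as "ethN: PACKET SNIFFER(exe[pid])" on Linux, i.e. a process that
# holds an AF_PACKET socket listed in /proc/net/packet. That is a separate signal
# from the interface's PROMISC flag, which is checked last. The table embedded
# below is constructed sample data, not a capture from the poster's server.

# Print the socket inode of every entry in a /proc/net/packet-style file ($1).
# Linux column layout: sk RefCnt Type Proto Iface R Rmem User Inode
packet_socket_inodes() {
    awk 'NR > 1 && NF >= 9 && $NF ~ /^[0-9]+$/ { print $NF }' "$1"
}

# For each inode read from stdin, find every process whose /proc/PID/fd holds
# socket:[inode] and print "inode exe[pid]". Reading other users' fd directories
# needs root; entries that cannot be read are skipped silently, so run as root
# or the sniffer you are looking for will not be attributed to anything.
packet_socket_owners() {
    while read -r inode; do
        for fd in /proc/[0-9]*/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            [ "$target" = "socket:[$inode]" ] || continue
            pid=${fd#/proc/}
            pid=${pid%%/*}
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
            echo "$inode $exe[$pid]"
        done
    done
}

# The stronger signal: is the PROMISC flag actually set on interface $1?
# A DHCP client bound to a raw socket does not need it; a tool capturing
# traffic addressed to other hosts on the segment does.
is_promisc() {
    ip link show "$1" 2>/dev/null | grep -q 'PROMISC'
}

# Constructed sample: two AF_PACKET sockets, one bound to ifindex 2, one to all.
SAMPLE_PACKET_TABLE='sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003a1c0000 3      3    0003   2     1 0      0      12345
ffff88003a1c0800 3      3    0800   0     1 0      0      67890'

# Run the parser over the sample and return the inodes space-separated.
demo_inodes() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PACKET_TABLE" > "$tmp"
    packet_socket_inodes "$tmp" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$tmp"
}

# Run with --live (as root) to inspect the running system instead of the sample.
if [ "${1:-}" = "--live" ]; then
    packet_socket_inodes /proc/net/packet | packet_socket_owners
    for dev in /sys/class/net/*; do
        dev=${dev##*/}
        is_promisc "$dev" && echo "$dev: PROMISC"
    done
fi
```

On a box where the only PACKET SNIFFER hits are dhclient, dhcpd, snort, tcpdump or similar, and no interface shows PROMISC, the ifpromisc warning is the expected false positive. An unfamiliar binary, or a copy of a known binary living in an odd path, holding a packet socket is the case to chase.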
Old 05-16-2005, 08:11 PM   #5
Capt_Caveman (Senior Member)
If you get another bindshell warning, try running netstat -pantu or lsof -i and see what process has the socket open.
 
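Added example (editor's, not Capt_Caveman's code) of doing that systematically: feed netstat -pantu output through a small parser that answers "which process owns this port", and use it to flag a watch list of ports that are in LISTEN state. The netstat output embedded below is constructed sample data in the classic netstat column layout (it is not ss output, whose columns differ), and port 1524 is the one chkrootkit complained about in the thread. One caveat a practitioner would add: on a box that really is rootkitted, netstat, lsof and ps themselves may be trojaned to hide the socket, so a clean answer from them is only reassuring when you also confirm from another host (for example nmap -p 1524 against the server) that nothing is accepting connections there.

```shell
#!/bin/sh
# Added example, not Capt_Caveman's code: take netstat -pantu output and answer
# "which process owns this port", then flag any port from a watch list that is
# LISTENing. The netstat output embedded below is constructed sample data in the
# classic netstat column layout; it is not from the poster's server.

# Usage: owner_of_port PORT < netstat-output
# Prints "PROTO LOCAL_ADDRESS STATE PID/PROGRAM" for every socket on PORT.
# Works for IPv4 and IPv6 rows: the port is whatever follows the last ':'.
# Assumes the program name has no spaces (netstat prints "sshd: root" with a
# space for some daemons; such rows would show only the last word).
owner_of_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")
            if (a[n] != port) next
            # tcp rows carry a State column before the program; udp rows do not
            state = ($1 ~ /^tcp/ && NF >= 7) ? $6 : "-"
            print $1, $4, state, $NF
        }'
}

# Usage: check_listening_ports FILE PORT...
# FILE holds netstat -pantu output. Prints one line per watched port that is
# in LISTEN state and returns 1 if any was found, 0 otherwise.
check_listening_ports() {
    file=$1
    shift
    found=0
    for p in "$@"; do
        # "|| true" keeps a no-match grep from tripping "set -e"
        hits=$(owner_of_port "$p" < "$file" | grep -w LISTEN || true)
        [ -n "$hits" ] || continue
        found=1
        echo "port $p: $hits"
    done
    return $found
}

# Constructed netstat -pantu sample. Port 1524 is the one chkrootkit's
# bindshell test flagged in the thread; here an unnamed "sh" is listening on it.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1420/httpd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      2231/sh
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 2290/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1963/dhclient'

# Write the sample to a temp file and print its path.
write_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_NETSTAT" > "$tmp"
    echo "$tmp"
}

# Run with --live (as root, so -p can see every process) to check the real box.
if [ "${1:-}" = "--live" ]; then
    live=$(mktemp)
    netstat -pantu > "$live" 2>/dev/null
    check_listening_ports "$live" 1524 || echo "inspect the process above with lsof -p PID"
    rm -f "$live"
fi
```

Against the sample, owner_of_port 1524 prints "tcp 0.0.0.0:1524 LISTEN 2231/sh": a bare shell bound to a listening socket is exactly what a bindshell looks like, while the udp/68 row owned by dhclient is the same harmless client that triggered the PACKET SNIFFER line. Once you have the PID, lsof -p PID and ls -l /proc/PID/exe and /proc/PID/cwd tell you what binary it is and where it was started from.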
All times are GMT -5.