Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi. I have just done 'top' on my linux (RHEL) OS, and to my shock I can see a job running which I have not had before:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15308 ****** 25 0 6456 2168 876 R 101 0.0 297:07.18 gam_server
I so not know what gam_server is? I did a ps -aut and found the following:
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
****** 15308 3.4 0.0 6456 2168 ? R Jun11 308:18 /usr/libexec/gam_server
(The ****** in the above is my username which I have blocked out.)
Question: Have I been hacked? What should I do?
I have run rkhunter as root, and everything looks ok except the following:
Code:
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- Exim MTA 4.43 [ Old or patched version ]
- GnuPG 1.2.6 [ Old or patched version ]
- Apache 2.0.52 [ OK ]
- Bind DNS 9.2.4 [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.9 [ Old or patched version ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.9p1 [ OK ]
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
MD5 scan
Skipped
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 4
Thanks.
The Watcher
Last edited by unSpawn; 01-07-2010 at 11:11 AM.
Reason: //Added code tag, removed unnecessary colour tag.
As far as the 4 vurnablities most seem to be sshd related. If you are running sshd service then you should fix those items as mentioned.
Add
PermitRootLogin no
Protocol 2
Not seeing the whole output of rkhunter my guess some files are preset with hidden . in certain directories.
As far as the 4 vurnablities most seem to be sshd related. If you are running sshd service then you should fix those items as mentioned.
Add
PermitRootLogin no
Protocol 2
Not seeing the whole output of rkhunter my guess some files are preset with hidden . in certain directories.
Brian
Thanks Brian.
At least it is relief that I am not being hacked. Bearing in mind that I am a novice with linux, can you advise me on the following:
(1) Where do I add "PermitRootLogin no" and "Protocol 2"? And how -- is it a simple vi trick?
(2) Why have I got gam_server running and why is it taking an entire CPU processor? (There is only 1 external host that I have access to directly via ssh. I have not connected to it for a couple of months.)
Here is my complete rkhunter output:
Code:
Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Skipped!
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM... [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Clean ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Checking file attributes [ OK ]
Checking LKM module path [ OK ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces... [ OK ]
System checks
* Allround tests
Checking hostname... Found. Hostname is ******
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
..................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
[Press <ENTER> to continue]
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- Exim MTA 4.43 [ Old or patched version ]
- GnuPG 1.2.6 [ Old or patched version ]
- Apache 2.0.52 [ OK ]
- Bind DNS 9.2.4 [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.9 [ Old or patched version ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.9p1 [ OK ]
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
---------------------------- Scan results ----------------------------
MD5 scan
Skipped
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 4
Scanning took 74 seconds
Thanks.
The Watcher
Last edited by unSpawn; 01-07-2010 at 11:10 AM.
Reason: //Added code tag, removed unnecessary colour tag.
Found /etc/ssh/sshd_config is the current ssh config file....
you do not need to use vi if you are not familar with it
suggest you open this config file with your fav editor using root powers and edit as per Brian's suggestions
and there is no hash to be in front of those 2 configs pls.
2) having had a peek at that gamin site you are likely to have a
etc/gamin folder which you can delete etc
I suggest you do a grep or a search for gamin on you whole filesystem just to be sure.
3) You do not appear to be a regular user of ssh so consider turning it off in the /etc/ssh and /etc/init.d or /etc/rc area...depending on how it works on your distro as I do not use RH.
I would use the file manager to change permissions from rwx to r--
2) having had a peek at that gamin site you are likely to have a
etc/gamin folder which you can delete etc
I suggest you do a grep or a search for gamin on you whole filesystem just to be sure.
3) You do not appear to be a regular user of ssh so consider turning it off in the /etc/ssh and /etc/init.d or /etc/rc area...depending on how it works on your distro as I do not use RH.
I would use the file manager to change permissions from rwx to r--
Thanks, I have altered the /etc/ssh/sshd_config file accordingly, and that is all ok now. I have restarted my workstation and the gamin_server has disappeared from the 'top' list.
I cannot find /etc/gamin; or gamin anywhere. I did 'find / -name gamin' as root and got nothing?
How do I turn off ssh? What do I do when I actually do want to use ssh?
Can you tell me what file I should change permission of to r-- ?
I have restarted my workstation and the gamin_server has disappeared from the 'top' list.
I cannot find /etc/gamin; or gamin anywhere. I did 'find / -name gamin' as root and got nothing?
Next time you should use lsof on the PID. Lsof will show what files it's got open, so if it's not installed using the package manager it's easier to find traces of. Since you use RH*L tho you could "rpm -q --whatprovides /usr/libexec/gam_server" to see if it's part of an installed package. If it's not then you should search with "find / -iname \*gamin\*".
* To deny rogue processes use something like SELinux or GRSecurity. In this case GRSecurity this is "easier" to "fix" since you can simply deny users to start applications outside the set $PATH using a sysctl control.
/sbin/service sshd start I think, will start it manually when you need it.
I use ntsysv command to manage services in RH, simply scroll down the list and hit space to select/deselect services to run in your current runlevel, then reboot - or perhaps re-init your runlevel. Seems to work ok for me, I also turn off cups/pcmcia/isdn/sendmail and all the other junk I dont use, takes about 5 seconds
Do you have the updates icon in your system tray of the panel?
if so, right hand click it...for a rh person...and disable it from starting and quit it.....then reboot and to test and recheck your kinfo memory as I am just testing mdv 2007.1 (cooker with updates heh heh) and it had a huge memory leak and a google at LXF forum suggests its the update icon.
of course you now do manual checking but that is no worries for me.
FYI
I am now getting on a 1G ram system
app 13%
cache 14%
free ram 73%
while b4 I went down to free 15 Megs but it bottomed out and did not do a ms BSOD
Do you have the updates icon in your system tray of the panel?
if so, right hand click it...for a rh person...and disable it from starting and quit it.....then reboot and to test and recheck your kinfo memory as I am just testing mdv 2007.1 (cooker with updates heh heh) and it had a huge memory leak and a google at LXF forum suggests its the update icon.
of course you now do manual checking but that is no worries for me.
FYI
I am now getting on a 1G ram system
app 13%
cache 14%
free ram 73%
while b4 I went down to free 15 Megs but it bottomed out and did not do a ms BSOD
good luck
O No! After all that, the gam_server has appeared again. Here is what I see when I do 'top' --
Gamin is a file monitoring service. It is a defensive service that monitors your system in the background, looking for system files that have been modified. You might not want to uninstall it's goodness!
Code:
Name : gamin
Version : 0.1.7 Vendor : Red Hat, Inc_
Release : 8.fc6 Date : 2006-11-20 12:03:41
Group : Development/Libraries Source RPM : gamin-0.1.7-8.fc6.src.rpm
Size : 396356
Packager : Red Hat, Inc_ < http://bugzilla_redhat_com/bugzilla>
Summary : Library providing the FAM File Alteration Monitor API
Description :
This C library provides an API and ABI compatible file alteration
monitor mechanism compatible with FAM but not dependent on a system wide
daemon.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Urgent, possible hacker. Tried rkhunter
