LinuxQuestions.org > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 06-17-2007, 12:45 PM | Member | Registered: Mar 2007 | Location: London | Posts: 40
Urgent, possible hacker. Tried rkhunter
Hi. I have just done 'top' on my linux (RHEL) OS, and to my shock I can see a job running which I have not had before:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15308 ****** 25 0 6456 2168 876 R 101 0.0 297:07.18 gam_server
I do not know what gam_server is. I did a ps -aut and found the following:
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
****** 15308 3.4 0.0 6456 2168 ? R Jun11 308:18 /usr/libexec/gam_server
(The ****** in the above is my username which I have blocked out.)
Question: Have I been hacked? What should I do?
I have run rkhunter as root, and everything looks ok except the following:
Code:
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- Exim MTA 4.43 [ Old or patched version ]
- GnuPG 1.2.6 [ Old or patched version ]
- Apache 2.0.52 [ OK ]
- Bind DNS 9.2.4 [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.9 [ Old or patched version ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.9p1 [ OK ]
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
MD5 scan
Skipped
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 4
Thanks.
The Watcher
Last edited by unSpawn; 01-07-2010 at 12:11 PM.
Reason: //Added code tag, removed unnecessary colour tag.
#2 | 06-17-2007, 01:19 PM | LQ Guru | Registered: Jan 2003 | Location: Seymour, Indiana | Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu | Posts: 5,700
It is part of this app. http://www.gnome.org/~veillard/gamin/
Several posts on the item here and on Google.
As far as the 4 vulnerabilities, most seem to be sshd related. If you are running the sshd service then you should fix those items as mentioned.
Add
PermitRootLogin no
Protocol 2
Not seeing the whole output of rkhunter, my guess is some files are present with a hidden . in certain directories.
Brian
#3 | 06-17-2007, 03:19 PM | Member | Registered: Mar 2007 | Location: London | Posts: 40 | Original Poster
Quote: Originally Posted by Brian1
It is part of this app. http://www.gnome.org/~veillard/gamin/
Several posts on the item here and on Google.
As far as the 4 vulnerabilities, most seem to be sshd related. If you are running the sshd service then you should fix those items as mentioned.
Add
PermitRootLogin no
Protocol 2
Not seeing the whole output of rkhunter, my guess is some files are present with a hidden . in certain directories.
Brian
Thanks Brian.
At least it is a relief that I am not being hacked. Bearing in mind that I am a novice with Linux, can you advise me on the following:
(1) Where do I add "PermitRootLogin no" and "Protocol 2"? And how -- is it a simple vi trick?
(2) Why have I got gam_server running and why is it taking an entire CPU processor? (There is only 1 external host that I have access to directly via ssh. I have not connected to it for a couple of months.)
Here is my complete rkhunter output:
Code:
Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Skipped!
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM... [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Clean ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Checking file attributes [ OK ]
Checking LKM module path [ OK ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces... [ OK ]
System checks
* Allround tests
Checking hostname... Found. Hostname is ******
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing....
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
[Press <ENTER> to continue]
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- Exim MTA 4.43 [ Old or patched version ]
- GnuPG 1.2.6 [ Old or patched version ]
- Apache 2.0.52 [ OK ]
- Bind DNS 9.2.4 [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.9 [ Old or patched version ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.9p1 [ OK ]
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
---------------------------- Scan results ----------------------------
MD5 scan
Skipped
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 4
Scanning took 74 seconds
Thanks.
The Watcher
Last edited by unSpawn; 01-07-2010 at 12:10 PM.
Reason: //Added code tag, removed unnecessary colour tag.
#4 | 06-18-2007, 03:54 AM | LQ 5k Club | Registered: Oct 2003 | Location: Western Australia | Distribution: Icewm | Posts: 5,842
From your output, "Found /etc/ssh/sshd_config" is the current ssh config file.
You do not need to use vi if you are not familiar with it; I suggest you open this config file with your fav editor using root powers and edit as per Brian's suggestions, and there is to be no hash in front of those 2 configs, pls.
2) Having had a peek at that gamin site, you are likely to have an etc/gamin folder which you can delete etc. I suggest you do a grep or a search for gamin on your whole filesystem just to be sure.
3) You do not appear to be a regular user of ssh so consider turning it off in the /etc/ssh and /etc/init.d or /etc/rc area...depending on how it works on your distro as I do not use RH.
I would use the file manager to change permissions from rwx to r--
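The sshd_config change Brian and aus9 describe, written up as an added example that is not part of this thread: a small POSIX shell audit that reproduces rkhunter's two SSH findings and applies the fix without leaving a stale directive behind. It assumes OpenSSH 3.9-era defaults (PermitRootLogin is "yes" and Protocol is "2,1" when the directive is absent); the file path is an argument, so it can be tried on a copy of the config first.

```shell
#!/bin/sh
# Added example, not from the thread. Audit and harden the two sshd_config
# directives rkhunter flagged above. Assumed defaults (OpenSSH 3.9 era):
# PermitRootLogin is "yes" and Protocol is "2,1" when the directive is absent.

# Effective value of a directive: sshd honours the first uncommented
# occurrence, so print the first match (keywords are case-insensitive).
sshd_effective() {   # usage: sshd_effective FILE DIRECTIVE DEFAULT
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Report both findings in rkhunter's style; return 0 only when both are safe.
sshd_audit() {       # usage: sshd_audit FILE
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin yes)
    proto=$(sshd_effective "$1" Protocol 2,1)
    case "$root" in
        no) echo "PermitRootLogin $root [ OK ]" ;;
        *)  echo "PermitRootLogin $root [ Warning: root login possible ]"; rc=1 ;;
    esac
    case "$proto" in
        2) echo "Protocol $proto [ OK ]" ;;
        *) echo "Protocol $proto [ Warning: SSH v1 allowed ]"; rc=1 ;;
    esac
    return $rc
}

# Set a directive: rewrite the first uncommented occurrence, drop any later
# duplicates (sshd would ignore them anyway), append when absent.
# Writes through a temp file so a failed awk never truncates the config.
sshd_set() {         # usage: sshd_set FILE DIRECTIVE VALUE
    tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        tolower($1) == tolower(key) {
            if (!done) { print key, val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key, val }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Typical use, after taking a backup of the file:
#   sshd_audit /etc/ssh/sshd_config || {
#       sshd_set /etc/ssh/sshd_config PermitRootLogin no
#       sshd_set /etc/ssh/sshd_config Protocol 2
#   }
```

Restart sshd afterwards (Brian's /sbin/service sshd command with "restart") for the new settings to take effect.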
#5 | 06-18-2007, 11:31 AM | Member | Registered: Mar 2007 | Location: London | Posts: 40 | Original Poster
Quote: Originally Posted by aus9
From your output
2) Having had a peek at that gamin site, you are likely to have an etc/gamin folder which you can delete etc. I suggest you do a grep or a search for gamin on your whole filesystem just to be sure.
3) You do not appear to be a regular user of ssh so consider turning it off in the /etc/ssh and /etc/init.d or /etc/rc area...depending on how it works on your distro as I do not use RH.
I would use the file manager to change permissions from rwx to r--
Thanks, I have altered the /etc/ssh/sshd_config file accordingly, and that is all OK now. I have restarted my workstation and the gamin_server has disappeared from the 'top' list.
I cannot find /etc/gamin, or gamin anywhere. I did 'find / -name gamin' as root and got nothing.
How do I turn off ssh? What do I do when I actually do want to use ssh?
Can you tell me what file I should change the permission of to r--?
My /etc/ssh has the following entries:
moduli
ssh_config
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_key
ssh_host_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
sshd_config
and my /etc/init.d has the following:
Code:
FreeWnn
NetworkManager
acpid
amd
anacron
arpwatch
atd
auditd
autofs
bgpd
bluetooth
bootparamd
canna
cpuspeed
crond
cups
cups-config-daemon
cyrus-imapd
dc_client
dc_server
dhcp6r
dhcp6s
dhcpd
dhcrelay
diskdump
dovecot
dund
exim
firstboot
functions
gpm
haldaemon
halt
hidd
hpoj
httpd
iiim
ip6tables
irda
irqbalance
iscsi
isdn
kadmin
keytable
killall
kprop
krb524
krb5kdc
kudzu
ldap
lisa
lm_sensors
lvm2-monitor
mailman
mdmonitor
mdmpd
messagebus
microcode_ctl
multipathd
mysqld
named
netdump
netdump-server
netfs
netplugd
network
nfs
nfslock
nscd
ntpd
nvconfig
openibd
ospf6d
ospfd
pand
pcmcia
portmap
postfix
postgresql
psacct
rawdevices
rdisc
readahead
readahead_early
rhnsd
ripd
ripngd
rpcgssd
rpcidmapd
rpcsvcgssd
rstatd
rusersd
rwhod
saslauthd
sendmail
single
smartd
smb
snmpd
snmptrapd
spamassassin
squid
sshd
syslog
sysstat
tog-pegasus
tux
vncserver
winbind
xfs
xinetd
ypbind
zebra
Thanks again.
The Watcher
Last edited by unSpawn; 01-07-2010 at 12:12 PM.
Reason: //Added code tag, removed unnecessary colour tag.
#6 | 06-18-2007, 04:34 PM | LQ Guru | Registered: Jan 2003 | Location: Seymour, Indiana | Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu | Posts: 5,700
To see if sshd is running run this command.
/sbin/service --status-all | grep ssh
If running then issue this command. Even if it is not, run this one and the next one.
/sbin/service sshd stop
To stop it from starting on reboot of the machine.
/sbin/chkconfig --level 345 sshd off
Brian
#7 | 06-18-2007, 05:30 PM | Moderator | Registered: May 2001 | Posts: 29,415
I have restarted my workstation and the gamin_server has disappeared from the 'top' list.
I cannot find /etc/gamin; or gamin anywhere. I did 'find / -name gamin' as root and got nothing?
Next time you should use lsof on the PID. Lsof will show what files it's got open, so if it's not installed using the package manager it's easier to find traces of. Since you use RH*L tho you could "rpm -q --whatprovides /usr/libexec/gam_server" to see if it's part of an installed package. If it's not then you should search with "find / -iname \*gamin\*".
* To deny rogue processes use something like SELinux or GRSecurity. In the GRSecurity case this is "easier" to "fix" since you can simply deny users the ability to start applications outside the set $PATH using a sysctl control.
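unSpawn's steps above (lsof on the PID, rpm -q --whatprovides on the binary), folded into one shell triage routine as an added example that is not part of this thread. It relies only on /proc and coreutils, calls lsof and rpm (or dpkg) when they happen to be installed, and flags a binary that lives outside the usual package directories or under a hidden dot directory, the case Brian raised in #2; the list of "standard" directories is this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the thread: first-look triage of an unfamiliar
# process such as gam_server, following unSpawn's steps (lsof on the PID,
# rpm -q --whatprovides on the binary). Needs only /proc and coreutils;
# lsof and rpm (or dpkg) are used when they happen to be installed.

# Return 0 when PATH is under a directory that normally holds packaged
# binaries (an assumed list), 1 otherwise. Any hidden (dot) path component
# is a miss: that is the "hidden . in certain directories" case from #2.
is_standard_path() {   # usage: is_standard_path /full/path
    case "$1" in
        */.*) return 1 ;;
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/libexec/*|/usr/lib/*|/usr/lib64/*)
            return 0 ;;
        *) return 1 ;;
    esac
}

# Package owning a file, "unpackaged" if none claims it, or "unknown" when
# no package manager is available. rpm -qf is the short form of the
# "rpm -q --whatprovides" call quoted above.
owner_package() {      # usage: owner_package /full/path
    if command -v rpm >/dev/null 2>&1; then
        if pkg=$(rpm -qf "$1" 2>/dev/null); then echo "$pkg"; else echo unpackaged; fi
    elif command -v dpkg >/dev/null 2>&1; then
        if pkg=$(dpkg -S "$1" 2>/dev/null); then echo "${pkg%%:*}"; else echo unpackaged; fi
    else
        echo unknown
    fi
}

# Gather the facts for one PID as key=value lines (easy to log, or to diff
# against a later run). Returns 1 if the process has already exited.
triage_pid() {         # usage: triage_pid PID
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid=$pid state=gone"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
    exe=${exe%' (deleted)'}          # binary removed after start: worth noting
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
    echo "pid=$pid"
    echo "exe=$exe"
    echo "cmdline=$cmd"
    echo "cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo unknown)"
    if is_standard_path "$exe"; then
        echo "location=standard"
    else
        echo "location=UNUSUAL (inspect this path by hand)"
    fi
    echo "package=$(owner_package "$exe")"
    # Open files and sockets: lsof when present, /proc/PID/fd otherwise.
    if command -v lsof >/dev/null 2>&1; then
        lsof -p "$pid" 2>/dev/null | awk 'NR > 1 { print "open=" $NF }'
    else
        for fd in "/proc/$pid/fd"/*; do
            echo "open=$(readlink "$fd" 2>/dev/null || true)"
        done
    fi
}

# Typical use: triage_pid 15308   (the gam_server PID from the first post)
```

Run it as root so /proc/PID/exe and the fd list of another user's process are readable.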
#8 | 06-19-2007, 09:36 AM | Member | Registered: Mar 2007 | Location: London | Posts: 40 | Original Poster
Quote: Originally Posted by Brian1
To see if sshd is running run this command.
/sbin/service --status-all | grep ssh
If running then issue this command. Even if it is not, run this one and the next one.
/sbin/service sshd stop
To stop it from starting on reboot of the machine.
/sbin/chkconfig --level 345 sshd off
Brian
And if I want to use ssh myself later on, I presume I do
/sbin/service sshd on
or something similar?
Can I put this into a start file like /etc/init.d? And then override it whenever I want to use ssh?
Thanks.
The Watcher
#9 | 06-19-2007, 10:53 AM | Member | Registered: Jun 2005 | Location: London, UK | Distribution: RH-ES 3/4, FC 5/6 | Posts: 51
/sbin/service sshd start, I think, will start it manually when you need it.
I use the ntsysv command to manage services in RH: simply scroll down the list and hit space to select/deselect services to run in your current runlevel, then reboot, or perhaps re-init your runlevel. Seems to work OK for me. I also turn off cups/pcmcia/isdn/sendmail and all the other junk I don't use; takes about 5 seconds.
Last edited by RedHatCat; 06-19-2007 at 10:55 AM.
#10 | 06-19-2007, 03:34 PM | LQ Guru | Registered: Jan 2003 | Location: Seymour, Indiana | Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu | Posts: 5,700
Yes, to start from a command line use either of the following. The first is a Red Hat type command.
/sbin/service sshd start
/etc/init.d/sshd start
Brian
#11 | 06-26-2007, 04:05 AM | LQ 5k Club | Registered: Oct 2003 | Location: Western Australia | Distribution: Icewm | Posts: 5,842
The Watcher,
Do you have the updates icon in your system tray of the panel?
If so, right-hand click it...for a RH person...and disable it from starting and quit it.....then reboot to test, and recheck your kinfo memory, as I am just testing mdv 2007.1 (cooker with updates heh heh) and it had a huge memory leak and a Google at the LXF forum suggests it's the update icon.
Of course you now do manual checking but that is no worries for me.
FYI
I am now getting on a 1G RAM system
app 13%
cache 14%
free RAM 73%
while b4 I went down to free 15 Megs but it bottomed out and did not do an MS BSOD.
Good luck
Last edited by aus9; 06-26-2007 at 04:06 AM.
#12 | 06-26-2007, 09:05 PM | Member | Registered: Mar 2007 | Location: London | Posts: 40 | Original Poster
Quote: Originally Posted by aus9
The Watcher,
Do you have the updates icon in your system tray of the panel?
If so, right-hand click it...for a RH person...and disable it from starting and quit it.....then reboot to test, and recheck your kinfo memory, as I am just testing mdv 2007.1 (cooker with updates heh heh) and it had a huge memory leak and a Google at the LXF forum suggests it's the update icon.
Of course you now do manual checking but that is no worries for me.
FYI
I am now getting on a 1G RAM system
app 13%
cache 14%
free RAM 73%
while b4 I went down to free 15 Megs but it bottomed out and did not do an MS BSOD.
Good luck
Oh no! After all that, the gam_server has appeared again. Here is what I see when I do 'top' --
18721 [******] 25 0 6188 1988 876 R 98 0.0 43:28.16 gam_server
I have turned off sshd as before, to no effect.
Can I not simply kill it by "kill -9 18721" ?
The Watcher
#13 | 06-26-2007, 09:13 PM | Member | Registered: Mar 2007 | Location: London | Posts: 40 | Original Poster
Quote: Originally Posted by The_Watcher
Oh no! After all that, the gam_server has appeared again. Here is what I see when I do 'top' --
18721 [******] 25 0 6188 1988 876 R 98 0.0 43:28.16 gam_server
I have turned off sshd as before, to no effect.
Can I not simply kill it by "kill -9 18721" ?
The Watcher
By the way:
- What does gam_server or gamin actually do?
- I have found the package where gamin is installed by doing "rpm -q --whatprovides /usr/libexec/gam_server". And what I get is:
gamin-0.1.7-1.2.EL4
gamin-0.1.7-1.2.EL4
Do I need gamin? Can I remove it if it is not important? If so, how do I uninstall it?
Thanks.
The Watcher
#14 | 06-26-2007, 10:20 PM | LQ Guru | Registered: Aug 2001 | Location: Fargo, ND | Distribution: SuSE AMD64 | Posts: 15,733
Gamin is a file monitoring service. It is a defensive service that monitors your system in the background, looking for system files that have been modified. You might not want to uninstall its goodness!
Code:
Name : gamin
Version : 0.1.7 Vendor : Red Hat, Inc.
Release : 8.fc6 Date : 2006-11-20 12:03:41
Group : Development/Libraries Source RPM : gamin-0.1.7-8.fc6.src.rpm
Size : 396356
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary : Library providing the FAM File Alteration Monitor API
Description :
This C library provides an API and ABI compatible file alteration
monitor mechanism compatible with FAM but not dependent on a system wide
daemon.
#15 | 06-26-2007, 10:31 PM | Senior Member | Registered: Nov 2003 | Location: Knoxville, TN | Distribution: Kubuntu 9.04 | Posts: 1,168
Your system has definitely been copped by malicious computer coppers.
Copping is running rampant these days.
All times are GMT -5.