Gentoo Archives: gentoo-user

From: Paul Hartman <paul.hartman+gentoo@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Rooted/compromised Gentoo, seeking advice
Date: Mon, 09 Aug 2010 16:26:45
Message-Id: AANLkTikcKYS+pTQOesC_rmqVwjwN80PKqrTuv3TPAq_h@mail.gmail.com
1 Hi, today when working remotely I ran nethogs and noticed suspicious
2 network traffic coming from my home gentoo box. It was very low
3 traffic (less than 1KB/sec bandwidth usage) but according to nethogs
4 it was between a root user process and various suspicious-looking
5 ports on outside hosts in other countries that I have no business
6 with. netstat didn't show anything, however, but when I ran chkrootkit
7 told me that netstat was INFECTED. I immediately issued "shutdown -h
8 now" and now I won't be able to take a further look at it until I get
9 home and have physical access to the box. System uptime was a few
10 months. It was last updated for installation of a 2.6.33 kernel
11 (2.6.35 is out now).
12
13 I have 3 goals now:
14
15 1) Figure out what is running on my box and how long it has been there.
16 2) Find out how it got there.
17 3) Sanitizing, or most likely rebuilding the system from scratch.
18
19 I won't feel comfortable about doing item 3 until I learn the cause of
20 1 and 2. Since this is a home PC, it's not mission-critical and I have
21 other computers so I can afford to leave it offline while I
22 investigate this security breach, but at the same time it's worrisome
23 because I do banking etc from this machine. I'll obviously have to
24 check the status of any other computer on the same network.
25
26 My user account has sudo-without-password rights to any command. In
27 hindsight this risk may not be worth the extra convenience... A rogue
28 "sudo install-bad-stuff" anywhere over time could have done me in.
29
30 Alternatively I was running vulnerable/compromised software. My box
31 has sshd running, root login in ssh is not allowed, and pubkey only
32 logins (no passwords). It is behind a wireless router but port 22 is
33 open and pointing to this box, and a few others needed by other
34 applications. So I will check out which keys exist on the compromised
35 machine and make sure I recognize them all. I'll also need to check
36 the status of any other computer my key is stored on (a mix of linux &
37 windows, and my mobile phone). Sigh...
38
39 I am using ~amd64 and I update deep world about 3 times a week normally.
40
41 The computer is only a few months old, but it was created by cloning a
42 ~2-years-old computer. I did emerge -e world as part of the upgrade
43 process.
44
45 If anyone has advice on what I should look at forensically to
46 determine the cause of this, it is appreciated. I'll first dig into
47 the logs, bash history etc. and really hope that this very happened
48 recently.
49
50 Thanks for any tips and wish me good luck. :)

Replies

Subject Author
Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice Alan McKinnon <alan.mckinnon@×××××.com>
[gentoo-user] Re: Rooted/compromised Gentoo, seeking advice 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com>
Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice Mick <michaelkintzios@×××××.com>
Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice Adam Carter <adamcarter3@×××××.com>