Hi, today when working remotely I ran nethogs and noticed suspicious
network traffic coming from my home gentoo box. It was very low
traffic (less than 1KB/sec bandwidth usage) but according to nethogs
it was between a root user process and various suspicious-looking
ports on outside hosts in other countries that I have no business
with. netstat didn't show anything, however, but when I ran chkrootkit
it told me that netstat was INFECTED. I immediately issued "shutdown -h
now" and now I won't be able to take a further look at it until I get
home and have physical access to the box. System uptime was a few
months. It was last updated for installation of a 2.6.33 kernel
(2.6.35 is out now).

I have 3 goals now:

1) Figure out what is running on my box and how long it has been there.
2) Find out how it got there.
3) Sanitize, or most likely rebuild, the system from scratch.

I won't feel comfortable about doing item 3 until I learn the cause of
1 and 2. Since this is a home PC, it's not mission-critical and I have
other computers, so I can afford to leave it offline while I
investigate this security breach, but at the same time it's worrisome
because I do banking etc. from this machine. I'll obviously have to
check the status of any other computer on the same network.

My user account has sudo-without-password rights to any command. In
hindsight this risk may not be worth the extra convenience... A rogue
"sudo install-bad-stuff" anywhere over time could have done me in.

Alternatively I was running vulnerable/compromised software. My box
has sshd running, root login in ssh is not allowed, and pubkey-only
logins (no passwords). It is behind a wireless router, but port 22 is
open and pointing to this box, and a few others needed by other
applications. So I will check out which keys exist on the compromised
machine and make sure I recognize them all. I'll also need to check
the status of any other computer my key is stored on (a mix of linux &
windows, and my mobile phone). Sigh...

I am using ~amd64 and I update deep world about 3 times a week normally.

The computer is only a few months old, but it was created by cloning a
~2-years-old computer. I did emerge -e world as part of the upgrade
process.

If anyone has advice on what I should look at forensically to
determine the cause of this, it is appreciated. I'll first dig into
the logs, bash history etc. and really hope that this happened very
recently.

Thanks for any tips and wish me good luck. :)
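The symptom in the post (nethogs sees root-owned traffic, netstat shows nothing, chkrootkit flags netstat as INFECTED) is the classic userland-rootkit trick: the trojaned netstat binary filters the attacker's sockets out of its own output, while the kernel's /proc/net/tcp still lists them. The following added example, which is not part of the original post, parses /proc/net/tcp directly and diffs it against what netstat printed, so hidden connections stand out. It is useful for the other machines on the same network that the poster plans to check while they are still running (the compromised box itself is already powered off, so its /proc is gone). The address decoding assumes a little-endian host such as amd64; the /proc/net/tcp and `netstat -nt` samples below are constructed for the example, and 203.0.113.77 is a documentation-range address standing in for the "outside host".

```python
"""Cross-check `netstat -nt` output against the kernel's own /proc/net/tcp.

A trojaned netstat hides the attacker's sockets before printing; the kernel
still reports them in /proc/net/tcp, so diffing the two surfaces what the
tool concealed. Only helps against userland trojaning: a kernel rootkit can
filter /proc as well, in which case the disk has to be examined offline.
"""
import socket
import struct
import sys

# TCP state codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: two legitimate sshd sockets plus one outbound session
# to port 6667 on an outside host (sample data for this example only).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:0016 0501A8C0:C822 01 00000000:00000000 02:000A1B2C 00000000     0        0 23456 2 0000000000000000 20 4 30 10 -1
   2: 0A01A8C0:909D 4D7100CB:1A0B 01 00000000:00000000 02:00015F90 00000000     0        0 34567 2 0000000000000000 20 4 1 10 -1
"""

# Constructed `netstat -nt` output from a trojaned binary: the third socket
# above is missing.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.5:51234       ESTABLISHED
"""


def decode_endpoint(hex_endpoint):
    """'0100007F:0016' -> ('127.0.0.1', 22).

    The kernel prints the IPv4 address as one 32-bit value in host byte
    order (little-endian on amd64, assumed here) and the port as big-endian hex.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        conns.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),             # map to a PID via /proc/*/fd
        })
    return conns


def split_hostport(s):
    """'192.168.1.5:51234' -> ('192.168.1.5', 51234); '0.0.0.0:*' -> port 0."""
    host, port = s.rsplit(":", 1)
    return host, (0 if port == "*" else int(port))


def parse_netstat(text):
    """Collect (local, remote) endpoint pairs that netstat actually reported."""
    reported = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6"):
            continue
        reported.add((split_hostport(fields[3]), split_hostport(fields[4])))
    return reported


def hidden_connections(proc_text, netstat_text):
    """Return kernel-visible TCP sockets that the netstat output omitted."""
    reported = parse_netstat(netstat_text)
    return [c for c in parse_proc_net_tcp(proc_text)
            if (c["local"], c["remote"]) not in reported]


if __name__ == "__main__":
    # Usage on a live box: cat /proc/net/tcp > proc.txt; netstat -nt > ns.txt;
    # python3 thisfile.py proc.txt ns.txt   (no args: run on the sample data)
    if len(sys.argv) == 3:
        proc_text = open(sys.argv[1]).read()
        netstat_text = open(sys.argv[2]).read()
    else:
        proc_text, netstat_text = SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT
    for c in hidden_connections(proc_text, netstat_text):
        print("HIDDEN from netstat: %s:%d -> %s:%d %s uid=%d inode=%d" % (
            c["local"] + c["remote"] + (c["state"], c["uid"], c["inode"])))
```

On the sample data the script reports the one socket netstat dropped, 192.168.1.10:37021 -> 203.0.113.77:6667 as root. The inode column is what ties a socket back to a process: `ls -l /proc/*/fd | grep socket:\[34567\]` (with the inode from the output) names the owning PID, which is worth doing before powering a suspect machine off, since that mapping is lost on shutdown. Treat a clean diff as weak evidence only; a rootkit with a kernel component can filter /proc just as easily as a trojaned netstat.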