On Mon, Aug 9, 2010 at 11:48 AM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
> On Monday 09 August 2010 18:25:56 Paul Hartman wrote:
>> Hi, today when working remotely I ran nethogs and noticed suspicious
>> network traffic coming from my home gentoo box. It was very low
>> traffic (less than 1KB/sec bandwidth usage) but according to nethogs
>> it was between a root user process and various suspicious-looking
>> ports on outside hosts in other countries that I have no business
>> with. netstat didn't show anything, however, but when I ran chkrootkit
>> it told me that netstat was INFECTED. I immediately issued "shutdown -h
>> now" and now I won't be able to take a further look at it until I get
>> home and have physical access to the box. System uptime was a few
>> months. It was last updated for installation of a 2.6.33 kernel
>> (2.6.35 is out now).
>>
>> I have 3 goals now:
>>
>> 1) Figure out what is running on my box and how long it has been there.
>> 2) Find out how it got there.
>> 3) Sanitizing, or most likely rebuilding the system from scratch.
>
> Here's the bad news:
>
> An intruder probably gained access through a script kiddie script, which has
> likely already removed all the logs. Or they have possibly been rotated away
> by now.
>
> I would proceed as follows:
>
> 1. Keep that machine off the internet till it is reinstalled
> 2. Fresh reinstall using boot media that you have downloaded and written
> elsewhere, plus a portage tree. Don't worry about distfiles - a fresh portage
> tree won't use existing copies on that machine if the hashes don't match. So
> you can re-use them. If you boot off new install media it is safe to download
> new distfiles using it.
> 3. Keep your old partitions around if you want to do forensics, you can mount
> them somewhere when a reinstall is done and peruse them at your leisure.
> However, doing that is often a waste of time unless you still have logs. You
> can use a scanner like nessus to look things over.
> 4. And it goes without saying that you should change all passwords and keys
> used on that trojaned machine.

Hi Alan, thanks for the advice.

I just remembered that my DD-WRT router stats page had an anomaly, on
the 31st of July it showed I had over 700 terabytes of traffic, which is
impossible. Coincidentally, my cable modem stopped working on the same
day, so I wrote it off as a bug or a result of the broken modem. I
replaced the modem and everything seemed to work normally after that.

At this point my mind is running wild thinking of all of the
possibilities. Could the router have been infected? The modem? It'll
still be another 5 or 6 hours before I'm able to lay my hands on the
machine. I'm imagining every doomsday scenario. :)

My hope is that it was "only" a botnet or ssh-scanner or something,
and not sniffer or keylogger or anything nefarious. I fear I may never
truly be able to know, though.
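Alan's step 3 (mount the old partitions from the fresh install and look them over) and Paul's first goal (find out what is actually on the box) can be started from something the old root still carries: portage records an md5 and mtime for every installed file in /var/db/pkg/<category>/<package>/CONTENTS. Walking that database from a clean system, with the old root mounted read-only, shows which installed binaries no longer match what portage put there, which is exactly the kind of in-place replacement chkrootkit's "netstat INFECTED" verdict points at. The script below is an added example, not code from this thread, from Gentoo or from portage-utils; the package names and versions in the demo root are constructed sample data, and `make_demo_root` exists only so the check can be exercised without a real compromised disk.

```shell
#!/bin/sh
# vdb_check ROOT [CATEGORY/PACKAGE-VERSION]
#
# Compare the files under a mounted Gentoo root against the md5 sums that
# portage recorded in ROOT/var/db/pkg/*/*/CONTENTS. Run it from the fresh
# install, with the old root mounted read-only (see usage note), so that the
# md5sum you run and the kernel listing the files are both trusted.
# Prints one line per problem ("MODIFIED pkg path" / "MISSING  pkg path")
# and returns 1 if anything was found, 0 if every recorded file matches.
vdb_check() {
    vroot=${1%/}
    pkgglob=${2:-*/*}
    bad=0
    for contents in "$vroot"/var/db/pkg/$pkgglob/CONTENTS; do
        [ -f "$contents" ] || continue
        pkg=${contents#"$vroot"/var/db/pkg/}
        pkg=${pkg%/CONTENTS}
        # CONTENTS lines for regular files look like:
        #   obj /bin/netstat 0123456789abcdef0123456789abcdef 1280000000
        # ("dir" and "sym" entries carry no hash and are skipped). The path
        # may contain spaces, so peel the fields off the right-hand end.
        while IFS= read -r line; do
            case $line in obj\ *) ;; *) continue ;; esac
            rest=${line#obj }        # "/path md5 mtime"
            rest=${rest% *}          # drop mtime -> "/path md5"
            want=${rest##* }         # recorded md5
            path=${rest% *}          # installed path
            file="$vroot$path"
            if [ ! -f "$file" ]; then
                echo "MISSING  $pkg $path"
                bad=$((bad + 1))
                continue
            fi
            have=$(md5sum "$file" | cut -d' ' -f1)
            if [ "$have" != "$want" ]; then
                echo "MODIFIED $pkg $path"
                bad=$((bad + 1))
            fi
        done < "$contents"
    done
    [ "$bad" -eq 0 ]
}

# Build a throwaway root that mimics the vdb layout (constructed sample data,
# not a real system): coreutils left intact, net-tools with its netstat
# overwritten after portage recorded the hash. Prints the root's path.
make_demo_root() {
    demo=$(mktemp -d)
    mkdir -p "$demo/bin" \
             "$demo/var/db/pkg/sys-apps/coreutils-8.5" \
             "$demo/var/db/pkg/sys-apps/net-tools-1.60"
    printf 'original ls\n'      > "$demo/bin/ls"
    printf 'original netstat\n' > "$demo/bin/netstat"
    record() {
        printf 'dir /bin\n'
        printf 'obj %s %s 1280000000\n' "$1" "$(md5sum "$demo$1" | cut -d' ' -f1)"
    }
    record /bin/ls      > "$demo/var/db/pkg/sys-apps/coreutils-8.5/CONTENTS"
    record /bin/netstat > "$demo/var/db/pkg/sys-apps/net-tools-1.60/CONTENTS"
    # Simulate the intruder replacing netstat in place.
    printf 'rootkit netstat\n' > "$demo/bin/netstat"
    echo "$demo"
}

if [ $# -gt 0 ]; then
    vdb_check "$@"
fi
```

Usage from the reinstalled system, with a hypothetical /dev/sda3 holding the old root: `mount -o ro,noexec,nosuid,nodev /dev/sda3 /mnt/old && sh vdb_check.sh /mnt/old`, or `sh vdb_check.sh /mnt/old sys-apps/net-tools-1.60` to look at one package. Two caveats: the CONTENTS files live on the compromised disk, so an intruder who also rewrote the recorded hashes (or the whole vdb) defeats the check, and a match only says a file is what portage installed, not that the package itself was clean; a stronger comparison is against a freshly built copy of the same package version from the new install. On the other hand, because the check runs offline under a clean kernel, a kernel-level rootkit hiding files on the old system no longer gets a say in what you see. For a live system the same comparison is what `qcheck` from app-portage/portage-utils does.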