| 1 |
On Mon, Aug 9, 2010 at 11:48 AM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 2 |
> On Monday 09 August 2010 18:25:56 Paul Hartman wrote: |
| 3 |
>> Hi, today when working remotely I ran nethogs and noticed suspicious |
| 4 |
>> network traffic coming from my home gentoo box. It was very low |
| 5 |
>> traffic (less than 1KB/sec bandwidth usage) but according to nethogs |
| 6 |
>> it was between a root user process and various suspicious-looking |
| 7 |
>> ports on outside hosts in other countries that I have no business |
| 8 |
>> with. netstat didn't show anything, however, but when I ran chkrootkit |
| 9 |
>> told me that netstat was INFECTED. I immediately issued "shutdown -h |
| 10 |
>> now" and now I won't be able to take a further look at it until I get |
| 11 |
>> home and have physical access to the box. System uptime was a few |
| 12 |
>> months. It was last updated for installation of a 2.6.33 kernel |
| 13 |
>> (2.6.35 is out now). |
| 14 |
>> |
| 15 |
>> I have 3 goals now: |
| 16 |
>> |
| 17 |
>> 1) Figure out what is running on my box and how long it has been there. |
| 18 |
>> 2) Find out how it got there. |
| 19 |
>> 3) Sanitizing, or most likely rebuilding the system from scratch. |
| 20 |
> |
| 21 |
> Here's the bad news: |
| 22 |
> |
| 23 |
> An intruder probably gained access through a script kiddie script, which has |
| 24 |
> likely already removed all the logs. Or they have possibly been rotated away |
| 25 |
> by now. |
| 26 |
> |
| 27 |
> I would proceed as follows: |
| 28 |
> |
| 29 |
> 1. Keep that machine off the internet till it is reinstalled |
| 30 |
> 2. Fresh reinstall using boot media that you have downloaded and written |
| 31 |
> elsewhere, plus a portage tree. Don't worry about distfiles - a fresh portage |
| 32 |
> tree won't use existing copies on that machine if the hashes don't match. So |
| 33 |
> you can re-use them. If you boot off new install media it is safe to download |
| 34 |
> new distfiles using it. |
| 35 |
> 3. Keep your old partitions around if you want to do forensics, you can mount |
| 36 |
> them somewhere when a reinstall is done and peruse them at your leisure. |
| 37 |
> However, doing that is often a waste of time unless you still have logs. You |
| 38 |
> can use a scanner like nessus to look things over. |
| 39 |
> 4. And it goes without saying that you should change all passwords and keys |
| 40 |
> used on that trojaned machine. |
| 41 |
|
| 42 |
Hi Alan, thanks for the advice. |
| 43 |
|
| 44 |
I just remembered that my DD-WRT router stats page had an anomaly, on |
| 45 |
31st of July it showed I had over 700 terabytes of traffic, which is |
| 46 |
impossible. Coincidentally, my cable modem stopped working on the same |
| 47 |
day, so I wrote it off as a bug or a result of the broken modem. I |
| 48 |
replaced the modem and everything seemed to work normally after that. |
| 49 |
|
| 50 |
At this point my mind is running wild thinking of all of the |
| 51 |
possibilities. Could the router have been infected? The modem? It'll |
| 52 |
still be another 5 or 6 hours before I'm able to lay my hands on the |
| 53 |
machine. I'm imagining every doomsday scenario. :) |
| 54 |
|
| 55 |
My hope is that it was "only" a botnet or ssh-scanner or something, |
| 56 |
and not sniffer or keylogger or anything nefarious. I fear I may never |
| 57 |
truly be able to know, though. |
Archives