| 1 |
On Sunday 16 July 2006 22:25, Jerry McBride wrote: |
| 2 |
> On Sunday 16 July 2006 15:54, Dave S wrote: |
| 3 |
> > On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote: |
| 4 |
> > > On Sunday 16 July 2006 20:25, Dave S wrote: |
| 5 |
> > > > HI, I have a potential security problem ... |
| 6 |
> > > > |
| 7 |
> > > > and err its not on gentoo, its on ubuntu but I am not getting any |
| 8 |
> > > > response there & you guys are the most tech bunch I know - Thought I |
| 9 |
> > > > would lay it on the table :) |
| 10 |
> > > > |
| 11 |
> > > > I just had an email from chkrootkit last night - |
| 12 |
> > > > |
| 13 |
> > > > --- |
| 14 |
> > > > |
| 15 |
> > > > The following suspicious files and directories were found: |
| 16 |
> > > > |
| 17 |
> > > > You have 3 process hidden for readdir command |
| 18 |
> > > > You have 3 process hidden for ps command |
| 19 |
> > > > chkproc: Warning: Possible LKM Trojan installed |
| 20 |
> > > > |
| 21 |
> > > > --- |
| 22 |
> > > > |
| 23 |
> > > > Running chkrootkit now and all is OK |
| 24 |
> > > > |
| 25 |
> > > > root@dave-comp:~# |
| 26 |
> > > > root@dave-comp:~# chkrootkit | grep chkproc |
| 27 |
> > > > Checking `lkm'... chkproc: nothing detected |
| 28 |
> > > > root@dave-comp:~# |
| 29 |
> > > > |
| 30 |
> > > > I have even 'sudo install --reinstall chkrootkit' in case its binarys |
| 31 |
> > > > have been modified (paranoid) |
| 32 |
> > > |
| 33 |
> > > if you installed using the tools of the system, it could be worthless, |
| 34 |
> > > because compromised. Boot from a cd and check from the cd. |
| 35 |
> > |
| 36 |
> > I understand. Booted from knoppix 5.0.1, executed a |
| 37 |
> > |
| 38 |
> > 'chroot /mnt/hda1 chkrootkit' and a |
| 39 |
> > 'chroot /mnt/hda1 rkhunter -c' |
| 40 |
> > |
| 41 |
> > - both scans brought back nothing. From what I have read the chkrootkit & |
| 42 |
> > rkhunter binarys would have been from the CD and therefore untainted ? Am |
| 43 |
> > I correct ? |
| 44 |
> > |
| 45 |
> > Are there any other checks I can do - re-installing the system is not my |
| 46 |
> > preferred option :) |
| 47 |
> > |
| 48 |
> > Dave |
| 49 |
> |
| 50 |
> Hi Dave, |
| 51 |
> |
| 52 |
> Just went through the same scare with an OLD linux server a few weeks ago. |
| 53 |
> |
| 54 |
> This "could" be a false positive... |
| 55 |
> |
| 56 |
> What you should do is run chkrootkit with verbose option turned on. Take |
| 57 |
> the pids it show you and compare them to what's listed in /proc. |
| 58 |
> |
| 59 |
> Each running process has a pid and it's listed under /proc. In each pid |
| 60 |
> listed under proc there's a /exe link that gives you the path to the |
| 61 |
> program owning the pid. There a /status file that will give you the name of |
| 62 |
> the program. There's other info there also. If there's any discrepancies |
| 63 |
> between what's list in /proc and what ps tells you, you've been infected |
| 64 |
> with LKM for sure. |
| 65 |
> |
| 66 |
> Naturally, you have to be there when chkrootkit complains... |
| 67 |
|
| 68 |
Thats the problem it was an automated email at midnight - all looks OK now - |
| 69 |
apart from my paranoia that is ... |
| 70 |
|
| 71 |
> |
| 72 |
> But don't stop here... |
| 73 |
> |
| 74 |
> You can also try running rootkit-hunter and compare the output. |
| 75 |
|
| 76 |
Done it - it reports clean |
| 77 |
> |
| 78 |
> You can cp known good tools (in your case, ps) from a backup to your |
| 79 |
> infected box and run it to get "true" information. |
| 80 |
> |
| 81 |
> I knew a co-worker that ran "tree" across a suspected infected box and |
| 82 |
> found a number of hidden directories on it. It was indeed infected. |
| 83 |
|
| 84 |
I will look into it. |
| 85 |
|
| 86 |
> |
| 87 |
> Also, if this machine was running a firewall, look in the logs. If you've |
| 88 |
> kept a running archive, hopefully spanning a week or two, you may be able |
| 89 |
> to figure out when and where the attack came from. |
| 90 |
|
| 91 |
Netgear firewall ADSL NAT, tea machine, router - I will have a look in the |
| 92 |
logs for anything suspicious - good idea. |
| 93 |
|
| 94 |
> |
| 95 |
> Hope that helps. |
| 96 |
> |
| 97 |
> Jerry |
| 98 |
|
| 99 |
Cheers |
| 100 |
|
| 101 |
Dave |
| 102 |
-- |
| 103 |
gentoo-user@g.o mailing list |
Archives