On Mon, Aug 9, 2010 at 11:25 AM, Paul Hartman <paul.hartman+gentoo@×××××.com> wrote:
> Hi, today when working remotely I ran nethogs and noticed suspicious
> network traffic coming from my home gentoo box. It was very low
> traffic (less than 1KB/sec bandwidth usage) but according to nethogs
> it was between a root user process and various suspicious-looking
> ports on outside hosts in other countries that I have no business
> with. netstat didn't show anything, however, but when I ran chkrootkit
> it told me that netstat was INFECTED. I immediately issued "shutdown -h
> now" and now I won't be able to take a further look at it until I get
> home and have physical access to the box. System uptime was a few
> months. It was last updated for installation of a 2.6.33 kernel
> (2.6.35 is out now).

Well, so far everything I'm seeing points to a false alarm. :) It
seems I may have overreacted due to my lack of understanding.

First, when I got home and inspected router settings I realized the
strange activity I saw earlier was happening on a port I had opened
for Vuze (the bittorrent client). Nethogs output was like this:

NetHogs version 0.7.0
PID USER PROGRAM DEV SENT RECEIVED
0 root ..7423-213.138.94.110:49971 0.032 0.038 KB/sec
0 root ..7423-72.191.172.228:54861 0.000 0.000 KB/sec
0 root ..00:17423-82.52.3.94:57635 0.000 0.000 KB/sec
0 root unknown TCP 0.000 0.000 KB/sec
TOTAL 0.032 0.038 KB/sec

Based on my Googling tonight, it seems this may simply be how it
displays incoming connection attempts. I found a post on the Ubuntu
Launchpad site that is basically asking the same question:
https://answers.launchpad.net/ubuntu/+source/nethogs/+question/113880

I changed my designated port setting in Vuze, opened that port on my
firewall, and then waited a few minutes and sure enough this same kind
of "mystery traffic" started to appear on that port. So it would seem
to be innocent bittorrent traffic. Egg on my face.

Second, the problem of chkrootkit telling me "find" and "netstat" were
INFECTED, in big scary upper-case letters. The files appear to be
genuine; I checked and double-checked and they appear to be
legitimate. I re-emerged them and the files match and still fail the
test. After looking into how chkrootkit does its tests, it's simply
grepping the strings from the file. I have debugging info compiled
into everything on my system and perhaps that means the files are
quite a bit more chatty than usual when it comes to strings. The
damning strings that caused it to give me an INFECTED warning? (using
the pattern from chkrootkit's test)

/usr/bin/find: sharefile.h
/bin/netstat: sockaddr.h

To further test this false-positive theory, I stripped those two
binaries of debugging data and now they do not appear as INFECTED by
the test. If anyone else wants to compile net-tools or findutils with
debugging data and nostrip and then run chkrootkit to see what results
you get on these files, that would be quite helpful in confirming
this.

I then tried rkhunter. It gave me numerous warnings, but after
checking the log for details they all appear to be harmless. (For
example, it warns that /usr/bin/ldd is a script, not a binary... as
far as I can tell, that is how it's supposed to be.)

Next I ran app-forensics/lynis, which is a more general system
settings audit. Everything looked normal there, too.

I've audited all of my logs, bash history, etc., and everything looks
fine. The logs are complete. I use metalog so I've got duplicate log
data in most cases, split up into different files and directories, and
they all match. I've checked the other computers/devices in the house
and don't see any signs of any funny business.

The router settings and activity all look normal as well. I already
had a non-default password, telnet disabled, external admin interface
disabled, web interface disabled, etc., and the firmware is the latest
version, supposedly not vulnerable to the milw0rm attack, so I think it
is as secure as can be expected.

I've checked all servers & online services that allow me to view my
login history and I don't see any unusual activity.

At this point I feel pretty good that my box was not compromised and
it was only ignorance and panic on my part. To play it safe, I'm going
to leave it disconnected for tonight and do some monitoring tomorrow
with wireshark just to be absolutely sure there's nothing going on.
Wish me luck! :)

I am grateful to everyone for their ideas and suggestions, and I'm
definitely going to change my sudoers privileges and more importantly
my habits and assumptions. The grace period that William alluded to
(timestamp_timeout is what Google tells me) may help to relieve a bit
of the "pain" of having to type my password so often.

Thanks,
Paul
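The chkrootkit false positive Paul describes above, as an added example that is not from the thread and not chkrootkit's own code: a chkrootkit-style byte grep for the two strings, extended to report which ELF section each hit lands in, so a match that sits inside a .debug_str section from a -g build can be told apart from one in code or data. The ELF images are constructed inline by the script; section_table, classify_matches, build_elf and demo are names assumed here.

```python
import struct

ELF64_EHDR, ELF64_SHDR = 64, 64   # ELF64 file-header and section-header sizes
SUSPICIOUS = [b"sockaddr.h", b"sharefile.h"]   # the two strings named in the thread

def section_table(data):
    """[(name, file_offset, size)] for every section of a little-endian ELF64 image."""
    if data[:5] != b"\x7fELF\x02":   # magic + EI_CLASS == ELFCLASS64
        return []
    shoff, = struct.unpack_from("<Q", data, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3a)
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    stroff = hdrs[shstrndx][4]   # sh_offset of .shstrtab; sh_name is an offset into it
    return [(data[stroff + h[0]:data.index(b"\0", stroff + h[0])].decode(), h[4], h[5]) for h in hdrs]

def classify_matches(data, patterns):
    """chkrootkit-style byte grep -> {pattern: (section the hit sits in, is it a .debug* section)}."""
    sections, hits = section_table(data), {}
    for pat in patterns:
        pos = data.find(pat)
        if pos >= 0:
            where = next((n for n, off, sz in sections if off <= pos < off + sz), "<none>")
            hits[pat.decode()] = (where, where.startswith(".debug"))
    return hits

def build_elf(sections):
    """Constructed minimal ELF64 image (header + named sections, no code) from [(name, bytes)]."""
    sections = list(sections) + [(".shstrtab", b"")]
    names = [""] + [n for n, _ in sections]
    sections[-1] = (".shstrtab", b"\0".join(n.encode() for n in names) + b"\0")
    name_off = {n: sum(len(m) + 1 for m in names[:i]) for i, n in enumerate(names)}
    offsets, off = [], ELF64_EHDR   # section bodies follow the header, then the section table
    for _, body in sections:
        offsets.append(off)
        off += len(body)
    nsec = len(sections) + 1   # + the mandatory null section at index 0
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, off, 0, ELF64_EHDR, 0, 0, ELF64_SHDR, nsec, nsec - 1)
    shdrs = [bytes(ELF64_SHDR)] + [struct.pack("<IIQQQQIIQQ", name_off[n], 1, 0, 0, o, len(b), 0, 0, 1, 0)
                                   for (n, b), o in zip(sections, offsets)]
    return ehdr + b"".join(b for _, b in sections) + b"".join(shdrs)

def demo():
    """Constructed sample: a netstat-like image with -g debug strings, and the same image stripped."""
    with_debug = build_elf([(".rodata", b"Active Internet connections\0"),
                            (".debug_str", b"/usr/include/sys/socket.h\0sockaddr.h\0")])
    stripped = build_elf([(".rodata", b"Active Internet connections\0")])
    return classify_matches(with_debug, SUSPICIOUS), classify_matches(stripped, SUSPICIOUS)
```

Run against a real binary with `classify_matches(open("/bin/netstat", "rb").read(), SUSPICIOUS)`; a hit reported in a .debug* section is the unstripped-build case from the thread, while a hit in .text or .rodata still deserves a package-manager integrity check.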