Gentoo Archives: gentoo-user

From: Paul Hartman <paul.hartman+gentoo@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice [Solved?]
Date: Tue, 10 Aug 2010 06:12:15
Message-Id: AANLkTimcHfYAo9vV7tVHZkTCZ_Etragr3yh2Hsz7=_Zf@mail.gmail.com
On Mon, Aug 9, 2010 at 11:25 AM, Paul Hartman
<paul.hartman+gentoo@×××××.com> wrote:
> Hi, today when working remotely I ran nethogs and noticed suspicious
> network traffic coming from my home gentoo box. It was very low
> traffic (less than 1KB/sec bandwidth usage) but according to nethogs
> it was between a root user process and various suspicious-looking
> ports on outside hosts in other countries that I have no business
> with. netstat didn't show anything, however, but when I ran chkrootkit
> it told me that netstat was INFECTED. I immediately issued "shutdown -h
> now" and now I won't be able to take a further look at it until I get
> home and have physical access to the box. System uptime was a few
> months. It was last updated for installation of a 2.6.33 kernel
> (2.6.35 is out now).

Well, so far everything I'm seeing points to a false alarm. :) It
seems I may have overreacted due to my lack of understanding.

First, when I got home and inspected router settings I realized the
strange activity I saw earlier was happening on a port I had opened
for Vuze (the bittorrent client). Nethogs output was like this:

NetHogs version 0.7.0
PID USER PROGRAM DEV SENT RECEIVED
0 root ..7423-213.138.94.110:49971 0.032 0.038 KB/sec
0 root ..7423-72.191.172.228:54861 0.000 0.000 KB/sec
0 root ..00:17423-82.52.3.94:57635 0.000 0.000 KB/sec
0 root unknown TCP 0.000 0.000 KB/sec
TOTAL 0.032 0.038 KB/sec

Based on my Googling tonight, it seems this may simply be how it
displays incoming connection attempts. I found a post on the Ubuntu
Launchpad site that is basically asking the same question:
https://answers.launchpad.net/ubuntu/+source/nethogs/+question/113880

I changed my designated port setting in Vuze, opened that port on my
firewall, and then waited a few minutes and sure enough this same kind
of "mystery traffic" started to appear on that port. So it would seem
to be innocent bittorrent traffic. Egg on my face.

Second, the problem of chkrootkit telling me "find" and "netstat" were
INFECTED, in big scary upper-case letters. The files appear to be
genuine, I checked and double-checked and they appear to be
legitimate. I re-emerged them and the files match and still fail the
test. After looking into how chkrootkit does its tests, it's simply
grepping the strings from the file. I have debugging info compiled
into everything on my system and perhaps that means the files are
quite a bit more chatty than usual when it comes to strings. The
damning strings that caused it to give me an INFECTED warning? (using
the pattern from chkrootkit's test)

/usr/bin/find: sharefile.h
/bin/netstat: sockaddr.h

To further test this false-positive theory, I stripped those two
binaries of debugging data and now they do not appear as INFECTED by
the test. If anyone else wants to compile net-tools or findutils with
debugging data and nostrip and then run chkrootkit to see what results
you get on these files, that would be quite helpful in confirming
this.

I then tried rkhunter. It gave me numerous warnings, but after
checking the log for details they all appear to be harmless (for
example, it warns that /usr/bin/ldd is a script, not a binary... as
far as I can tell, that is how it's supposed to be).

Next I ran app-forensics/lynis, which is a more general system
settings audit. Everything looked normal there, too.

I've audited all of my logs, bash history, etc. and everything looks
fine. The logs are complete. I use metalog so I've got duplicate log
data in most cases, split up into different files and directories, and
they all match. I've checked the other computers/devices in the house
and don't see any signs of any funny business.

The router settings and activity all look normal as well. I already
had non-default password, telnet disabled, external admin interface
disabled, web interface disabled, etc. and the firmware is the latest
version, supposedly not vulnerable to the milw0rm attack so I think it
is secure as can be expected.

I've checked all servers & online services that allow me to view my
login history and I don't see any unusual activity.

At this point I feel pretty good that my box was not compromised and
it was only ignorance and panic on my part. To play it safe, I'm going
to leave it disconnected for tonight and do some monitoring tomorrow
with wireshark just to be absolutely sure there's nothing going on.
Wish me luck! :)

I am grateful to everyone for their ideas and suggestions, and I'm
definitely going to change my sudoers privileges and more importantly
my habits and assumptions. The grace period that William alluded to
(timestamp_timeout is what Google tells me) may help to relieve a bit
of the "pain" of having to type my password so often.

Thanks,
Paul
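
Added example (not part of the original post and not chkrootkit code): one way to triage the string-match hits described above is to report which ELF section each matching string lives in, since hits confined to .debug* sections disappear after stripping. The function names are hypothetical, the parser assumes a little-endian ELF64 binary, and the signature pattern is supplied by the caller as the second argument because the post does not quote chkrootkit's pattern.

```python
import re
import struct
import sys

def elf64_sections(data):
    """Return [(name, file_offset, size)] for a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 file")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    raw = []
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        sh_name, sh_type = struct.unpack_from("<II", data, base)
        sh_offset, sh_size = struct.unpack_from("<QQ", data, base + 0x18)
        raw.append((sh_name, sh_type, sh_offset, sh_size))
    if not raw:  # section table removed entirely
        return []
    _, _, str_off, str_size = raw[e_shstrndx]
    strtab = data[str_off:str_off + str_size]
    sections = []
    for sh_name, sh_type, off, size in raw:
        if sh_type == 8:  # SHT_NOBITS (.bss) occupies no bytes in the file
            continue
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        sections.append((name, off, size))
    return sections

def classify_hits(data, pattern):
    """List (string, section) for each printable run that matches `pattern`."""
    sections = elf64_sections(data)
    hits = []
    for run in re.finditer(rb"[\x20-\x7e]{4,}", data):  # what strings(1) would print
        if re.search(pattern, run.group()):
            owner = next((name for name, off, size in sections
                          if off <= run.start() < off + size), "(no section)")
            hits.append((run.group().decode(), owner))
    return hits

def only_debug_hits(hits):
    """True when every hit is in a .debug* section, so stripping removes it."""
    return bool(hits) and all(sec.startswith(".debug") for _, sec in hits)

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        found = classify_hits(fh.read(), sys.argv[2].encode())
    for text, section in found:
        print(f"{section:20} {text}")
    print("debug-only hits" if only_debug_hits(found) else "needs a closer look")
```

A debug-only result explains why the signature fired; it does not replace comparing the binary against a freshly built package, as was done in the post.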
