Re: Have I been kitted?

From: Matthew Berg (galt@gothpoodle.com)
Date: 06/12/02


From: Matthew Berg <galt@gothpoodle.com>
To: Terry Browning <terry@nihil.demon.co.uk>
Date: 12 Jun 2002 08:28:11 -0400

On Sun, 2002-06-09 at 07:19, Terry Browning wrote:
> Maybe it's my paranoia, but I've been adding a few tools to my system
> recently, and I've had a small panic as a result.
>
> Using chkrootkit:
>
> Checking `lkm'... You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Should I panic and if so, how much?

Did you run chkrootkit more than once to see if it consistently reported
a hidden process? From the FAQ:

  # How accurate is chkproc?

  If you run chkproc on a server that runs lots of short time processes
  it could report some false positives. chkproc compares the ps output
  with the /proc contents. If processes are created/killed during this
  operation chkproc could point out these PIDs as suspicious.

When I've suspected a rootkit in the past, I've copied over a statically
linked copy of busybox built on a trusted host to check the usual
suspects manually (primarily the process list, and the commonly modified
binaries in /bin and /usr/bin).

Since the suspicion is an LKM rootkit, though, you can't be certain that
the syscalls are returning valid information. However, you can check
for this by comparing the syscalls on the system with the contents of
System.map. There's some good information about LKM rootkits and a
utility for checking for them at:

  http://la-samhna.de/library/lkm.html
  
> Also, `nmap -sS -p 1-65535 127.0.0.1` says:
> 8000/tcp open unknown
> 8200/tcp open unknown
> 10000/tcp open unknown
>
> and `nmap -sS -P0 -p 1-65535 <my ppp0 ipaddress>` says:
> All 65535 scanned ports on (...) are: filtered
>
> Is that a good sign? Has nmap been fooled by an LKM? Have I wasted time
> chasing my tail?

Just because someone manages to get a rootkit installed doesn't mean
that they successfully left a way into the box :) I've run into several
cases where someone got remote access to a machine through a hole,
installed all sorts of rootkits and what have you, but fubared their
method for getting back into the box (in one case they copied a daemon
linked against a newer version of glibc than was on the box, in another
they added entries to inetd.conf when the machine was running xinetd, in
another they put in a hacked sshd binary but failed to restart the
service).

You have to remember that a large number of hacks are done by script
kiddies with little to no real understanding of what they're doing. :)

Another possibility, if you've been doing security changes, is that a
compromise happened before you started filtering ports; e.g. if you
installed ipchains with a default deny policy on incoming connections
the kit might still be listening on the port, but it doesn't matter.

If you get a trusted copy of netstat at the box, you can check for
programs listening on sockets with:

  netstat -lnp

This will list all listeners with the PID that has said socket open.
The same caveat about an LKM rootkit still applies though.

> What is the best strategy for dealing with an LKM kit? Reinstall linux
> from CD or try to remove it?

If you do discover a rootkit, unless you have very very very good
reasons for doing otherwise, reinstall.

Just because you successfully discovered and removed one rootkit doesn't
mean there aren't other potential security problems on the machine. In
at least half the instances of rooted machines I've found multiple
rootkits and other security compromises.

The policy at my company and on my home network is to consider a machine
untrusted if any strong indicator of an exploit is found. The machine is
then rebuilt and not made network accessible until it has been
reinstalled, all relevant security updates installed, and packet
filtering set up.

Anyways, hope this has been helpful. It being a few days later you may
very well have handled this issue already. :)

Matt
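The ps-versus-/proc comparison that chkproc makes, with the run-it-more-than-once step Matt suggests so that short-lived processes drop out, as an added shell example that is not part of the original thread or of chkrootkit. It assumes a procps-style ps and a Linux /proc, and it only catches a process hidden from ps, not one an LKM also hides from /proc.

```shell
#!/bin/sh
# Added example, not from the original mail: a minimal re-implementation of
# the comparison chkproc makes (ps output vs. /proc), repeated over several
# rounds so that PIDs of processes created or killed mid-check (the false
# positive the chkrootkit FAQ describes) drop out. It only detects a process
# hidden from ps; an LKM that also filters /proc will not show up here.

# Print PIDs present in the /proc listing ($2) but absent from the ps
# listing ($1). Both arguments are whitespace-separated PID lists.
hidden_pids() {
    for p in $2; do
        case " $1 " in
            *" $p "*) ;;                 # ps reports it: not hidden
            *) printf '%s\n' "$p" ;;     # in /proc only: candidate
        esac
    done
}

# Print the PIDs that occur in both lists $1 and $2.
intersect_pids() {
    for p in $1; do
        case " $2 " in
            *" $p "*) printf '%s\n' "$p" ;;
        esac
    done
}

# Live snapshots (assumption: procps-style ps and a Linux /proc).
ps_snapshot()   { ps -e -o pid= | tr -s ' \n' '  '; }
proc_snapshot() { ls /proc | grep -E '^[0-9]+$' | tr '\n' ' '; }

# Run the comparison $1 times (default 3) and keep only PIDs flagged in
# every round. A PID that survives is consistently hidden from ps; one
# flagged in a single round was most likely a process that came or went
# between the two snapshots (the ls/ps helpers themselves included).
consistent_hidden() {
    rounds=${1:-3}; i=0; result=""
    while [ "$i" -lt "$rounds" ]; do
        found=$(hidden_pids "$(ps_snapshot)" "$(proc_snapshot)" | tr '\n' ' ')
        if [ "$i" -eq 0 ]; then result=$found
        else result=$(intersect_pids "$result" "$found" | tr '\n' ' '); fi
        i=$((i + 1)); sleep 1
    done
    printf '%s\n' "$result"
}

# On a host: consistent_hidden 3   (an empty line means nothing was hidden
# from ps in all three rounds; a trusted static ps is still required).
```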