Re: Is this a break-in? How do I tell what services to rebuild?

From: Bit Twister (BitTwister@localhost.localdomain)
Date: 01/13/02


From: BitTwister@localhost.localdomain (Bit Twister)
Date: Sun, 13 Jan 2002 21:28:17 GMT

On 13 Jan 2002 13:16:32 -0800, Jared wrote:
> Running chkrootkit just now I got the following message:
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> How do I figure out which services are using these ports? I know
> Bastille has 31337 set up as a port to audit, but I don't know if that
> would yield a 'false positive'. 1524 is traditionally the ingres
> client per /etc/services, but I am not running ingres :-) (though I am
> running postgres). Netstat offers information but I don't see how to
> tie that back to a process.
>
> Basically, my question is, what should I do next? Rebuild the
> machine? Or is there a way to figure out which binaries are infected
> and can I rebuild them to eliminate the problem without wiping out the
> system? Can I simply close those ports via bastille / iptables?

Cannot answer the question "am I exploited"
I can tell you what to do if you have been cracked.

First, unplug your system from the internet. Your machine is a menace to
society until you've cleaned it up. Even worse, if it is used to crack
a bank or military site, you and your equipment get hauled off to jail.

Any time you know a box is cracked, you should:
o Pull the box off the network, you do not want the police taking
        you and your equipment to jail because a cracker used it
        to crack a bank or military site.

o Put the hard drive(s) into a standalone machine,
        mount the disk(s) readonly,
        save any data, user files, ...,

o Save a full copy of the disk(s) for your forensic attempt,
        save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.

o Reformat disk drives and do a fresh install from known clean
        source to remove any possible back doors the cracker installed.

o Restore your saved files, verify that the restored files
        do not have the suid bit set "find / -perm +6000 -ls".

o Have everyone on the box's network change passwords and
        tell them why so they will not use them ever again.
        Any other boxes logged into from the cracked box should
        have their passwords changed.

Here is why you need a clean install
   http://www.linuxdoc.org/LDP/LG/issue36/kuethe.html
4th paragraph.

Install a firewall

Get all the vendor updates to your distro.

You might want to read Armoring Linux
        http://www.linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/index.html
        http://www.enteract.com/~lspitz/linux.html
        http://www.linuxsecurity.com/docs/colsfaq.html
        http://www.securityportal.com/lskb/articles/
        http://www.securityportal.com/lasg/
        http://www.cert.org/advisories/
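The setuid/setgid audit recommended above, after restoring user files onto the fresh install, as an added worked example; this script is not part of the original post. It builds a constructed sample tree under a temporary directory (the file names and modes are made up for the demonstration) so it can be run without root and without touching the real system; point `find_suid_sgid` at `/` or at the restored home directories to do the real check. It uses only POSIX `find` primaries (`-perm -4000 -o -perm -2000`), which behave the same as the `-perm +6000` spelling of 2002-era GNU find and avoid the later GNU change of `+` to `/`.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a restored file
# tree for files carrying the setuid or setgid bit, the check recommended
# after restoring saved user files onto a fresh install.

# Print every regular file under $1 with the setuid (4000) or setgid (2000)
# bit set, one path per line, sorted. "-type f" skips directories, whose
# setgid bit only controls group inheritance and is not a privilege gain.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Number of setuid/setgid files under $1 (whitespace stripped for portable wc).
count_suid_sgid() {
    find_suid_sgid "$1" | wc -l | tr -d ' '
}

# Build a constructed sample "restored home directory" in a temp dir and
# print its path. Two of the four files carry privilege bits on purpose.
build_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/jared/bin" "$dir/home/jared/docs"

    printf '#!/bin/sh\necho normal\n' > "$dir/home/jared/bin/normal"
    chmod 0755 "$dir/home/jared/bin/normal"          # ordinary executable

    printf '#!/bin/sh\necho shell\n' > "$dir/home/jared/bin/rootsh"
    chmod 4755 "$dir/home/jared/bin/rootsh"          # setuid: should be flagged

    printf '#!/bin/sh\necho shared\n' > "$dir/home/jared/docs/.shared"
    chmod 2755 "$dir/home/jared/docs/.shared"        # setgid, hidden name: flagged

    printf 'notes\n' > "$dir/home/jared/docs/readme.txt"
    chmod 0644 "$dir/home/jared/docs/readme.txt"     # plain data file

    printf '%s\n' "$dir"
}

# Stand-alone run: build the constructed tree, list what the audit finds
# with full permissions (the equivalent of the post's "-ls"), then clean up.
sample=$(build_sample_tree)
echo "Auditing restored tree under $sample"
find_suid_sgid "$sample" | while read -r f; do
    ls -l "$f"
done
echo "$(count_suid_sgid "$sample") setuid/setgid file(s) found"
rm -rf "$sample"
```

Anything the audit lists in a restored home directory deserves a hard look: user data and documents have no business carrying a setuid or setgid bit, and a hidden name like `.shared` is exactly the kind of thing a `-ls` listing makes visible before the files are trusted on the rebuilt box.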
