Re: Hmm, have I been rootkitted?

From: Ingo Pakleppa (ingo-immigration@kkeane.com)
Date: 11/19/02

On Mon, 18 Nov 2002 07:01:58 -0800, Jared wrote:

> Two weeks ago I was rootkitted (found it thanks to chkrootkit). At the
> time I decided to migrate from MDK 8.2 to RH 8.0. It's in and working,
> as is chkrootkit-0.37.
>
> Now I am seeing something I don't understand. Chkrootkit-0.37 reports
> no anomalies; however, LogWatch reports:
>
> ################## LogWatch 2.6 Begin #####################
>
> ---------------- Connections (secure-log) Begin -------------------
>
> Connections:
> Service imap:
> 127.0.0.1: 263 Time(s)
> 192.168.0.7: 1 Time(s)
>
> ----------------- Connections (secure-log) End --------------------
>
> ###################### LogWatch End #########################
>
> The second line represents me checking my email (hey, it was Sunday, I
> only logged in once. It happens when you have young children).
>
> I am running UW-imap, postfix and fetchmail. Between myself and my wife
> we may have had 150 messages or so (I really have to make an hour or so
> to put in Spamassassin again. Real Soon Now). I don't think we have
> gotten 263 messages in twenty-four hours. I do have fetchmail checking
> our ISP accounts every five minutes, but that would only account for 120
> accesses max, and I question getting 143 messages directly via SMTP.
> System logs don't show anything suspicious. The only possible
> explanation I can come up with is that I left a Squirrelmail window open
> at work and possibly the browser was updating itself; but I saw no
> settings in the browser that would do so. Is there a default? (I am
> forced to labor in a Micro$oft environment, so the browser was IE 6.0).
>
> Does anyone have an idea as to why the localhost imap login would be so
> high?
> Comments, opinions, feedback all welcomed. Please pardon my paranoia,
> but I've been rootkitted twice this year already.

My guess is that Squirrelmail is indeed the culprit. Some of the HTML
pages in Squirrelmail have HTTP refresh headers. I observed the folder
pane (on the left) refreshing itself regularly every few minutes.
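One way to tell a periodic, automated client (Squirrelmail's refreshing folder pane, or a fetchmail poll) apart from irregular human or unexpected logins in the raw secure log, as an added example that is not part of Jared's or Ingo's posts: it parses xinetd-style "START: imap" lines and flags sources whose connection intervals are nearly constant. The log format, hosts and timestamps are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed xinetd-style secure-log lines (hypothetical timestamps and hosts,
# not taken from the original thread).
SAMPLE_LOG = """\
Nov 17 08:00:01 mail xinetd[812]: START: imap pid=901 from=127.0.0.1
Nov 17 08:03:01 mail xinetd[812]: START: imap pid=905 from=127.0.0.1
Nov 17 08:06:01 mail xinetd[812]: START: imap pid=910 from=127.0.0.1
Nov 17 08:09:02 mail xinetd[812]: START: imap pid=917 from=127.0.0.1
Nov 17 08:12:01 mail xinetd[812]: START: imap pid=922 from=127.0.0.1
Nov 17 09:47:13 mail xinetd[812]: START: imap pid=940 from=192.168.0.7
Nov 17 13:02:44 mail xinetd[812]: START: imap pid=955 from=10.0.0.9
Nov 17 21:30:05 mail xinetd[812]: START: imap pid=977 from=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: START: imap pid=\d+ from=(\S+)"
)

def parse_imap_starts(text, year=2002):
    """Group imap session start times by source address (syslog lines carry no year)."""
    starts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        starts[m.group(2)].append(ts)
    return starts

def classify_sources(starts, tolerance=0.2):
    """Mark a source 'periodic' when all gaps between its connections stay within
    tolerance of the median gap; an automated refresh looks like this, a person does not."""
    report = {}
    for src, times in starts.items():
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2:
            med = median(gaps)
            periodic = all(abs(g - med) <= tolerance * med for g in gaps)
        else:
            med, periodic = None, False  # too few connections to judge a rhythm
        report[src] = {"count": len(times), "median_gap_s": med, "periodic": periodic}
    return report

if __name__ == "__main__":
    for src, info in classify_sources(parse_imap_starts(SAMPLE_LOG)).items():
        print(f"{src:15} {info['count']:4d} conn(s)  gap={info['median_gap_s']}  periodic={info['periodic']}")
```

A source that is periodic with a gap matching a known poller (fetchmail interval, webmail refresh) explains a high count; a periodic source with no known poller behind it is what deserves a closer look.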