Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open"

From: Tom (northofthecold_at_yahoo.com)
Date: 11/14/03


Date: 13 Nov 2003 21:31:01 -0800

I run Debian Linux. I've been keeping current with security updates
and that sort of thing. I've been using Debian for about a month and
a half now. I try to keep things simple, and run my box as secure as
possible, from what I know. I run apt-get update & upgrade every day
or two.

Every week or so I'll run chkrootkit, mostly just because I feel I
should. Every time I've run it, I've come up clean, no problems.

Today it's started saying:
"You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed"

This worried me, so I spent an hour and a half on Google Groups
looking over news postings about this, and could not glean any info
that could help me determine if I was compromised.

I did an nmap scan (from my own computer) of all ports, and port 1313
was open. Research showed this is used by the NETrojan program, but
this program is for windows. I do not know how long port 1313 has
been open.

On October 26, I ran a script which computed md5sums for all files in
"/bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/". I ran a diff on
the current md5s to the md5s that were computed on October 26, and
several programs, for example "ps, su, sed, dash, kill, sash, login,
mbchk, tempfile, mktemp, run-parts, top, dpkg, file, find, flea, free"
and so on have different MD5s than before.

HOWEVER, I do remember during an apt-get upgrade, seeing that new
versions of login and such were out, and that I did have apt-get
upgrade to them.

Using ls to check the modified dates of a few of these files shows
nothing suspicious like them all being modified on the same day.

I don't like port 1313 being open without me knowing why it's open,
and when I telnet to 1313 no server banner is displayed, only that I'm
connected and what the escape character is.

Those binaries could have been changed legitimately, through my daily
updates, and chkrootkit sometimes gives false-positives.

Could someone please tell me what's going on and if I've been
compromised or not?

Thanks in advance, Tom
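The three signals in the post (PIDs hidden from ps, an unexplained listener on 1313, changed binaries) can each be checked more precisely than chkrootkit's one-line warning allows. The script below is an added example, not part of Tom's post or of chkrootkit: it does the /proc-versus-ps comparison chkrootkit makes, maps a listening port to a socket inode and then to the PID holding it through /proc/net/tcp and /proc/<pid>/fd, and checks binaries against the md5sums dpkg records for each installed package in /var/lib/dpkg/info/<pkg>.md5sums (the list dpkg rewrites on every upgrade, which is what Debian's debsums tool reads), so an apt-get upgrade no longer looks like tampering. Port 1313 is taken from the post; the sample /proc/net/tcp rows, fd link targets and md5sums lines are constructed for the demonstration and are not from the poster's machine. Caveat that applies to every check here: if ps, md5sum, dpkg or the kernel are already trojaned, the checker can be lied to, so a hit should be confirmed by booting a trusted medium and inspecting the disk from there.

```python
import hashlib
import os
import re
import subprocess
from pathlib import Path

PORT = 1313  # the unexplained open port from the post


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output: the comparison
    behind chkrootkit's 'process hidden for ps command'.  A process that
    exits between the two snapshots shows up once; one that stays hidden
    across repeated runs is the real signal."""
    return sorted(set(proc_pids) - set(ps_pids))


def listening_inodes(proc_net_tcp_text, port):
    """Socket inodes in LISTEN state (st == 0A) bound to `port`.  Columns of
    /proc/net/tcp: sl local_address rem_address st ... uid timeout inode,
    with local_address written as HEXIP:HEXPORT."""
    inodes = []
    for line in proc_net_tcp_text.splitlines()[1:]:      # skip header row
        f = line.split()
        if len(f) < 10:
            continue
        local, state, inode = f[1], f[3], f[9]
        if state == "0A" and int(local.split(":")[1], 16) == port:
            inodes.append(inode)
    return inodes


def pids_holding_inodes(fd_links, inodes):
    """fd_links: {pid: [readlink() targets of /proc/<pid>/fd/*]}; socket fds
    read 'socket:[<inode>]'.  Returns {inode: [pids]}.  An inode that stays
    unowned while the port is open means the owner is hidden from /proc
    itself, which points at the kernel (LKM) rather than at a modified ps."""
    owners = {i: [] for i in inodes}
    for pid, targets in fd_links.items():
        for t in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", t)
            if m and m.group(1) in owners:
                owners[m.group(1)].append(pid)
    return owners


def verify_md5sums(md5sums_text, read_file):
    """Check a dpkg md5sums list ('<md5>  <path relative to />' per line)
    against the files on disk.  read_file(abs_path) -> bytes, raising
    FileNotFoundError.  Returns (changed, missing)."""
    changed, missing = [], []
    for line in md5sums_text.splitlines():
        if not line.strip():
            continue
        expected, rel = line.split(None, 1)
        path = "/" + rel.strip()
        try:
            actual = hashlib.md5(read_file(path)).hexdigest()
        except FileNotFoundError:
            missing.append(path)
            continue
        if actual != expected:
            changed.append(path)
    return changed, missing


# Live wrappers: Linux only; reading other users' fd links needs root.
def pids_from_proc(proc="/proc"):
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def pids_from_ps():
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(x) for x in out.split()}


def fd_links_live(proc="/proc"):
    links = {}
    for pid in pids_from_proc(proc):
        d = Path(proc, str(pid), "fd")
        try:
            links[pid] = [os.readlink(d / f) for f in os.listdir(d)]
        except OSError:                 # process exited, or no permission
            pass
    return links


# Constructed sample data (assumed, not captured from the poster's machine).
# 0x0521 == 1313; 0x0019 == 25 is a decoy listener on another port.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
    "retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0521 00000000:0000 0A 00000000:00000000 00:00000000 "
    "00000000     0        0 12345 1 00000000 100 0 0 10 0\n"
    "   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 "
    "00000000     0        0 12346 1 00000000 100 0 0 10 0\n"
)
SAMPLE_FD_LINKS = {1234: ["/dev/null", "socket:[12345]"], 77: ["pipe:[9]"]}
SAMPLE_MD5SUMS = (
    "d41d8cd98f00b204e9800998ecf8427e  bin/ps\n"      # md5 of an empty file
    "b1946ac92492d2347c6235b4d2611184  bin/su\n"      # md5 of b"hello\n"
    "00000000000000000000000000000000  bin/login\n"
)
SAMPLE_FILES = {"/bin/ps": b"", "/bin/su": b"not the packaged su\n"}


def sample_reader(path):
    try:
        return SAMPLE_FILES[path]
    except KeyError:
        raise FileNotFoundError(path)


if __name__ == "__main__":
    inodes = listening_inodes(SAMPLE_PROC_NET_TCP, PORT)
    print("port", PORT, "-> inodes", inodes,
          "-> owners", pids_holding_inodes(SAMPLE_FD_LINKS, inodes))
    print("changed/missing:", verify_md5sums(SAMPLE_MD5SUMS, sample_reader))
    if os.path.isdir("/proc/net"):          # live checks on a Linux host
        print("hidden from ps:", hidden_pids(pids_from_proc(), pids_from_ps()))
```

Run as root on the suspect host the live wrappers give the PID behind port 1313, or show that no visible process owns the socket. For the md5 check, feed verify_md5sums the concatenation of /var/lib/dpkg/info/*.md5sums and Path(p).read_bytes() as the reader; a binary that dpkg says it installed but whose hash differs is the one worth looking at, while hashes that merely differ from a month-old hand-made baseline prove nothing after an upgrade.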

