Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open"

From: Stu (stu_at_santa-li.com)
Date: 11/14/03


Date: Fri, 14 Nov 2003 06:44:36 -0500

First and foremost, unplug your network card immediately!

Since you are running chkrootkit you can use `chkproc -v` to find out which
processes are hidden. Next, assuming netstat wasn't one of the programs
that was replaced, run `netstat -nltup` and see if any of the processes
listed there for port 1313 correspond to the PIDs chkproc spit out. If by
chance netstat was replaced, then cd into each /proc/<proc id>/fd and do an
`ls -l` (assuming that these are cracked versions of ls and cd, provided
the person wasn't crafty enough to disallow cd-ing into the directory and
filter out any listings in the <proc id> directory tree, this should work--I
haven't seen anyone go to these lengths, since modding the kernel to do the
same thing would be less work). If there is a file symlink'd to a socket
(it'll have socket:[socket number] in the output), do `grep <socket
number> /proc/net/udp` and `grep <socket number> /proc/net/tcp`. In the
second column of the output there will be two hexadecimal numbers separated
by a colon; if the second number is 0521, that process is the one listening
on port 1313.

If one of those processes is listening on that port, then more likely than
not you have been hacked and you should probably restore from a reliable
(pre-hacked) backup. Actually, if you are still a little worried--even if
you didn't find anything wrong--you could restore from a backup, just for
"peace of mind".

If you had to restore from a backup, then you definitely want to turn off
all your services while you upgrade all the software that needs upgrading.
Then think seriously about what services are absolutely necessary, and
before you bring the ones that you absolutely need online make sure they
are tightly locked down. Also, you should change all the users' passwords
(including root) on the machine and if your users use keys for remote
access you should have them generate new ones (you might also consider
limiting the IP addresses that can access the machine remotely), do this
before you connect your machine back to the network. Finally, contact
everyone that has a user account on the machine, let them know it was
hacked, and ask them to check their machines to see if they were hacked
(could be your machine was broken into using information gathered from one
of your users' machines).

Stu

Tom wrote:

> I run Debian Linux. I've been keeping current with security updates
> and that sort of thing. I've been using Debian for about a month and
> a half now. I try to keep things simple, and run my box as secure as
> possible, from what I know. I run apt-get update & upgrade every day
> or two.
>
> Every week or so I'll run chkrootkit, mostly just because I feel I
> should. Every time I've run it, I've come up clean, no problems.
>
> Today it's started saying:
> "You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed"
>
> This worried me, so I spent an hour and a half on Google Groups
> looking over news postings about this, and could not glean any info
> that could help me determine if I was compromised.
>
> I did an nmap scan (from my own computer) of all ports, and port 1313
> was open. Research showed this is used by the NETrojan program, but
> this program is for Windows. I do not know how long port 1313 has
> been open.
>
> On October 26, I ran a script which computed md5sums for all files in
> "/bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/". I ran a diff on
> the current md5s to the md5s that were computed on October 26, and
> several programs, for example "ps, su, sed, dash, kill, sash, login,
> mbchk, tempfile, mktemp, run-parts, top, dpkg, file, find, flea, free"
> and so on have different MD5s than before.
>
> HOWEVER, I do remember during an apt-get upgrade, seeing that new
> versions of login and such were out, and that I did have apt-get
> upgrade to them.
>
> Using ls to check the modified dates of a few of these files shows
> nothing suspicious like them all being modified on the same day.
>
> I don't like port 1313 being open without me knowing why it's open,
> and when I telnet to 1313 no server banner is displayed, only that I'm
> connected and what the escape character is.
>
> Those binaries could have been changed legitimately, through my daily
> updates, and chkrootkit sometimes gives false-positives.
>
> Could someone please tell me what's going on and if I've been
> compromised or not?
>
> Thanks in advance, Tom
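The /proc walk Stu describes (socket inode in /proc/<pid>/fd, matched against the inode column of /proc/net/tcp, with the hex port 0521 decoding to 1313), written out as an added Python example that is not part of the original thread. The /proc/net/tcp text, the fd readlink results and the PIDs 1 and 4242 are constructed sample data, not anything from Tom's machine.

```python
import os
import re

# Constructed sample of /proc/net/tcp, NOT output from Tom's machine: one sshd on
# port 22 (0x0016), one unknown listener on 1313 (0x0521), one established client.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:0521 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 100 0 0 10 0
   2: 0100007F:0CEA 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 9012 1 0 20 4 30 10 -1
"""
# Constructed readlink() results for /proc/<pid>/fd/*, keyed by hypothetical PIDs.
SAMPLE_FDS_BY_PID = {1: ["/dev/null", "socket:[1234]"],
                     4242: ["/dev/null", "pipe:[77]", "socket:[5678]"]}

TCP_LISTEN = "0A"  # state code for LISTEN in the 4th column of /proc/net/tcp


def listening_sockets(proc_net_tcp_text):
    """Return {inode: port} for sockets in LISTEN state. The local_address
    column is hex ADDR:PORT, so Stu's '0521' decodes to port 1313."""
    result = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 10 and fields[3] == TCP_LISTEN:
            result[int(fields[9])] = int(fields[1].split(":")[1], 16)
    return result


def socket_inodes(fd_targets):
    """Inodes of the fds that are sockets; a socket fd reads back as 'socket:[N]'."""
    return {int(m.group(1)) for m in map(re.compile(r"socket:\[(\d+)\]").fullmatch, fd_targets) if m}


def who_listens(port, proc_net_tcp_text, fds_by_pid):
    """PIDs holding an fd for a socket that listens on `port`."""
    wanted = {ino for ino, p in listening_sockets(proc_net_tcp_text).items() if p == port}
    return sorted(pid for pid, fds in fds_by_pid.items() if socket_inodes(fds) & wanted)


def live_fds_by_pid():
    """Walk the real /proc, the equivalent of Stu's per-PID `ls -l /proc/<pid>/fd`.
    An LKM rootkit can hide PIDs from this listing, which is why Stu points to
    chkproc: it probes PIDs directly instead of trusting readdir()."""
    out = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fd_dir = f"/proc/{pid}/fd"
            out[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or not readable without root
            pass
    return out


if __name__ == "__main__":  # needs root to read other users' fd directories
    with open("/proc/net/tcp") as f:
        print("PIDs listening on 1313:", who_listens(1313, f.read(), live_fds_by_pid()))
```

Run as root on the suspect box for a result that does not depend on the possibly trojaned netstat; /proc/net/udp has the same column layout if you want to extend the check to UDP.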