Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open"

From: Tom (northofthecold_at_yahoo.com)
Date: 11/14/03

    Date: 14 Nov 2003 08:54:25 -0800

    Thanks for all the information, these explicit instructions are just
    what I needed!

    Rather ironically perhaps, I tried chkproc, but it says command not
    found. I am using v0.42 of chkrootkit.

    Stu <stu@santa-li.com> wrote in message news:<o_-dnebB4u-6XSmi4p2dnA@comcast.com>...
    > First and foremost, unplug your network card immediately!
    >
    > Since you are running chkrootkit you can use `chkproc -v` to find out which
    > processes are hidden. Next, assuming netstat wasn't one of the programs
    > that was replaced, run `netstat -nltup` and see if any of the processes
    > listed there for port 1313 correspond to the PIDs chkproc spit out. If by
    > chance netstat was replaced, then cd into each /proc/<proc id>/fd and do a
    > `ls -l` (assuming that these are cracked versions of ls and cd, provided
    > the person wasn't crafty enough to disallow cd-ing into the directory and
    > filter out any listings in <proc id> directory tree, this should work--I
    > haven't seen anyone go to these lengths, since modding the kernel to do the
    > same thing would be less work), if there is a file symlink'd to a socket
    > (it'll have socket:[socket number] in the output), do `grep <socket
    > number> /proc/net/udp` and `grep <socket number> /proc/net/tcp`, in the
    > second column of the output there will be two hexadecimal numbers separated
    > by a colon, if the second number is 0521 that process is the one listening
    > on port 1313.
    >
    > If one of those processes is listening on that port, then more likely than
    > not you have been hacked and you should probably restore from a reliable
    > (pre-hacked) backup. Actually, if you are still a little worried--even if
    > you didn't find anything wrong--you could restore from a backup, just for
    > "peace of mind".
    >
    > If you had to restore from a backup, then you definitely want to turn off
    > all your services while you upgrade all the software that needs upgrading.
    > Then think seriously about what services are absolutely necessary, and
    > before you bring the ones that you absolutely need online make sure they
    > are tightly locked down. Also, you should change all the users' passwords
    > (including root) on the machine and if your users use keys for remote
    > access you should have them generate new ones (you might also consider
    > limiting the IP addresses that can access the machine remotely), do this
    > before you connect your machine back to the network. Finally, contact
    > everyone that has a user account on the machine, let them know it was
    > hacked, and ask them to check their machines to see if they were hacked
    > (could be your machine was broken into using information gathered from one
    > of your users' machines).
    >
    >
    > Stu
    >
    >
    > Tom wrote:
    >
    > > I run Debian Linux. I've been keeping current with security updates
    > > and that sort of thing. I've been using Debian for about a month and
    > > a half now. I try to keep things simple, and run my box as secure as
    > > possible, from what I know. I run apt-get update & upgrade every day
    > > or two.
    > >
    > > Every week or so I'll run chkrootkit, mostly just because I feel I
    > > should. Every time I've run it, I've come up clean, no problems.
    > >
    > > Today it's started saying:
    > > "You have 4 process hidden for ps command
    > > Warning: Possible LKM Trojan installed"
    > >
    > > This worried me, so I spent an hour and a half on Google Groups
    > > looking over news postings about this, and could not glean any info
    > > that could help me determine if I was compromised.
    > >
    > > I did an nmap scan (from my own computer) of all ports, and port 1313
    > > was open. Research showed this is used by the NETrojan program, but
    > > this program is for windows. I do not know how long port 1313 has
    > > been open.
    > >
    > > On October 26, I ran a script which computed md5sums for all files in
    > > "/bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/". I ran a diff on
    > > the current md5s to the md5s that were computed on October 26, and
    > > several programs, for example "ps, su, sed, dash, kill, sash, login,
    > > mbchk, tempfile, mktemp, run-parts, top, dpkg, file, find, flea, free"
    > > and so on have different MD5s than before.
    > >
    > > HOWEVER, I do remember during an apt-get upgrade, seeing that new
    > > versions of login and such were out, and that I did have apt-get
    > > upgrade to them.
    > >
    > > Using ls to check the modified dates of a few of these files shows
    > > nothing suspicious like them all being modified on the same day.
    > >
    > > I don't like port 1313 being open without me knowing why it's open,
    > > and when I telnet to 1313 no server banner is displayed, only that I'm
    > > connected and what the escape character is.
    > >
    > > Those binaries could have been changed legitimately, through my daily
    > > updates, and chkrootkit sometimes gives false-positives.
    > >
    > > Could someone please tell me what's going on and if I've been
    > > compromised or not?
    > >
    > > Thanks in advance, Tom
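The /proc walk Stu describes (find the socket inode for port 1313 in /proc/net/tcp, then find which /proc/<pid>/fd entry points at socket:[inode]) and the chkproc-style comparison of /proc against ps output can both be done without trusting netstat, ls or ps. The script below is an added example written for this thread, not code from the thread, from chkrootkit or from Debian. It assumes the standard Linux /proc layout (a /proc/net/tcp and /proc/net/udp line of the form `sl local_address rem_address st ... uid timeout inode`, with the port in hex after the colon, and /proc/<pid>/fd symlinks of the form `socket:[inode]`). The sample /proc/net/tcp text and fd-link table are constructed for illustration; the `collect_fd_links` helper reads the live system and needs root to see other users' descriptors.

```python
"""Map a listening port to its owning PID via /proc, and spot PIDs that a
(possibly trojaned) ps does not report.  Example code for this thread; the
sample data below is constructed, not captured from a real machine."""
import os
import re

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def hex_port(port):
    """Port as it appears in /proc/net/tcp: 1313 -> '0521'."""
    return format(port, "04X")


def socket_inodes_for_port(proc_net_text, port, listening_only=True):
    """Parse /proc/net/tcp or /proc/net/udp text and return the socket inodes
    bound locally to `port`.  Field layout after split():
    [1] local_address HEXIP:HEXPORT, [3] state (0A = LISTEN for TCP), [9] inode.
    With listening_only=False, established connections on the port are included
    too (useful for UDP, which never shows 0A)."""
    inodes = set()
    for line in proc_net_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        _ip, hex_local_port = fields[1].split(":")
        if int(hex_local_port, 16) != port:
            continue
        if listening_only and fields[3] != "0A":
            continue
        inodes.add(int(fields[9]))
    return inodes


def pid_for_inodes(inodes, fd_links):
    """fd_links maps pid -> list of readlink() targets under /proc/<pid>/fd.
    Return the PIDs holding a descriptor on any of the given socket inodes."""
    owners = set()
    for pid, targets in fd_links.items():
        for target in targets:
            m = SOCKET_LINK.match(target)
            if m and int(m.group(1)) in inodes:
                owners.add(pid)
    return owners


def hidden_pids(proc_pids, ps_pids):
    """chkproc-style check: PIDs that exist in /proc but are missing from the
    PID list a tool like ps printed.  A non-empty result means something is
    filtering the process list (or a race with short-lived processes)."""
    return set(proc_pids) - set(ps_pids)


def collect_fd_links(proc_root="/proc"):
    """Read /proc/<pid>/fd symlinks on a live system (root needed for all PIDs)."""
    links = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            links[int(name)] = [os.readlink(os.path.join(fd_dir, fd))
                                for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or not ours and we are not root
            continue
    return links


# Constructed sample: sshd listening on 22 (0x0016), an unknown listener on
# 1313 (0x0521), and one established connection to 1313 (the telnet test).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 00000000 300 0 0 2 -1
   1: 00000000:0521 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9042 1 00000000 300 0 0 2 -1
   2: 0100007F:0521 0100007F:A3E4 01 00000000:00000000 00:00000000 00000000     0        0 9043 1 00000000 20 4 0 10 -1
"""
# Constructed fd tables: PID 4242 owns both 1313 sockets and is absent from ps.
SAMPLE_FD_LINKS = {
    1: ["/dev/null", "/dev/null"],
    800: ["/dev/null", "socket:[9001]"],
    4242: ["/dev/null", "socket:[9042]", "socket:[9043]"],
}
SAMPLE_PS_PIDS = [1, 800]

if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1313
    fd_links = collect_fd_links()
    for proto in ("tcp", "udp"):
        with open(f"/proc/net/{proto}") as fh:
            inodes = socket_inodes_for_port(fh.read(), port,
                                            listening_only=(proto == "tcp"))
        print(proto, "port", port, "hex", hex_port(port),
              "inodes", sorted(inodes), "pids", sorted(pid_for_inodes(inodes, fd_links)))
```

Run as root with the port as the only argument; the PID it prints is the one to compare against what `chkproc -v` and `netstat -nltup` report. A PID that owns the listener but does not appear in ps output is exactly the "hidden process" condition chkrootkit is warning about.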
