Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open"
From: Tom (northofthecold_at_yahoo.com)
Date: 14 Nov 2003 08:54:25 -0800
Thanks for all the information, these explicit instructions are just
what I needed!
Rather ironically perhaps, I tried chkproc, but it says command not
found. I am using v0.42 of chkrootkit.
Stu <email@example.com> wrote in message news:<o_-dnebB4u-6XSmi4p2dnA@comcast.com>...
> First and foremost, unplug your network card immediately!
> Since you are running chkrootkit you can use `chkproc -v` to find out which
> processes are hidden. Next, assuming netstat wasn't one of the programs
> that was replaced, run `netstat -nltup` and see if any of the processes
> listed there for port 1313 correspond to the PIDs chkproc spit out. If by
> chance netstat was replaced, then cd into each /proc/<proc id>/fd and do a
> `ls -l` (assuming that these are cracked versions of ls and cd, provided
> the person wasn't crafty enough to disallow cd-ing into the directory and
> filter out any listings in <proc id> directory tree, this should work--I
> haven't seen anyone go to these lengths, since modding the kernel to do the
> same thing would be less work), if there is a file symlink'd to a socket
> (it'll have socket:[socket number] in the output), do `grep <socket
> number> /proc/net/udp` and `grep <socket number> /proc/net/tcp`, in the
> second column of the output there will be two hexadecimal numbers separated
> by a colon, if the second number is 0521 that process is the one listening
> on port 1313.
> If one of those processes is listening on that port, then more likely than
> not you have been hacked and you should probably restore from a reliable
> (pre-hacked) backup. Actually, if you are still a little worried--even if
> you didn't find anything wrong--you could restore from a backup, just for
> "peace of mind".
> If you had to restore from a backup, then you definitely want to turn off
> all your services while you upgrade all the software that needs upgrading.
> Then think seriously about what services are absolutely necessary, and
> before you bring the ones that you absolutely need online make sure they
> are tightly locked down. Also, you should change all the users' passwords
> (including root) on the machine and if your users use keys for remote
> access you should have them generate new ones (you might also consider
> limiting the IP addresses that can access the machine remotely), do this
> before you connect your machine back to the network. Finally, contact
> everyone that has a user account on the machine, let them know it was
> hacked, and ask them to check their machines to see if they were hacked
> (could be your machine was broken into using information gathered from one
> of your users' machines).
> Tom wrote:
> > I run Debian Linux. I've been keeping current with security updates
> > and that sort of thing. I've been using Debian for about a month and
> > a half now. I try to keep things simple, and run my box as secure as
> > possible, from what I know. I run apt-get update & upgrade every day
> > or two.
> > Every week or so I'll run chkrootkit, mostly just because I feel I
> > should. Every time I've run it, I've come up clean, no problems.
> > Today it's started saying:
> > "You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed"
> > This worried me, so I spent an hour and a half on Google Groups
> > looking over news postings about this, and could not glean any info
> > that could help me determine if I was compromised.
> > I did an nmap scan (from my own computer) of all ports, and port 1313
> > was open. Research showed this is used by the NETrojan program, but
> > this program is for windows. I do not know how long port 1313 has
> > been open.
> > On October 26, I ran a script which computed md5sums for all files in
> > "/bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/". I ran a diff on
> > the current md5s to the md5s that were computed on October 26, and
> > several programs, for example "ps, su, sed, dash, kill, sash, login,
> > mbchk, tempfile, mktemp, run-parts, top, dpkg, file, find, flea, free"
> > and so on have different MD5s than before.
> > HOWEVER, I do remember during an apt-get upgrade, seeing that new
> > versions of login and such were out, and that I did have apt-get
> > upgrade to them.
> > Using ls to check the modified dates of a few of these files shows
> > nothing suspicious like them all being modified on the same day.
> > I don't like port 1313 being open without me knowing why it's open,
> > and when I telnet to 1313 no server banner is displayed, only that I'm
> > connected and what the escape character is.
> > Those binaries could have been changed legitimately, through my daily
> > updates, and chkrootkit sometimes gives false-positives.
> > Could someone please tell me what's going on and if I've been
> > compromised or not?
> > Thanks in advance, Tom
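
The /proc lookup Stu describes (fd symlink to `socket:[inode]`, then the `0521` local port in /proc/net/tcp or /proc/net/udp), written out as an added example that is not part of the original thread. The function names and the PROC_ROOT argument are assumptions made so it can be run against a constructed sample tree; on a live host it would be called as root with `/proc`, port 1313 and the PIDs chkproc reported.

```shell
# Added example: map a port to the PIDs holding its socket using only /proc,
# without trusting netstat. PROC_ROOT is a hypothetical parameter for testing.

# port_to_hex 1313 -> 0521, the form used in /proc/net/tcp and /proc/net/udp
port_to_hex() { printf '%04X' "$1"; }

# socket_inodes PROC_ROOT PORT: print inodes of sockets bound to local PORT
socket_inodes() {
    hex=$(port_to_hex "$2")
    for tbl in "$1/net/tcp" "$1/net/udp"; do
        [ -r "$tbl" ] || continue
        # column 2 is local_address (ADDR:PORT in hex), column 10 is the inode
        awk -v p="$hex" 'NR > 1 { split($2, a, ":"); if (toupper(a[2]) == p) print $10 }' "$tbl"
    done
}

# pids_for_port PROC_ROOT PORT [PID...]: print PIDs with an fd on those sockets.
# Naming PIDs explicitly checks processes hidden from the directory listing.
pids_for_port() {
    root=$1; port=$2; shift 2
    [ $# -gt 0 ] || set -- $(cd "$root" && ls -d [0-9]* 2>/dev/null)
    inodes=$(socket_inodes "$root" "$port")
    for pid in "$@"; do
        for fd in "$root/$pid"/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            for inode in $inodes; do
                if [ "$target" = "socket:[$inode]" ]; then echo "$pid"; fi
            done
        done
    done | sort -un
}

# make_sample_proc DIR: constructed sample tree (not data from a real host)
make_sample_proc() {
    mkdir -p "$1/net" "$1/412/fd" "$1/977/fd"
    cat > "$1/net/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:0521 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4455
EOF
    : > "$1/net/udp"
    ln -sf 'socket:[1201]' "$1/412/fd/3"
    ln -sf 'socket:[4455]' "$1/977/fd/4"
}
```
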