Re: UPDATE!! (was Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open")
From: /dev/rob0 (rob0_at_gmx.co.uk)
Date: 11/16/03
- Next message: Lion-O: "Re: Securing the box"
- Previous message: Tim Haynes: "Re: How can a 3rd party program change a file owned by root?"
- In reply to: Tom: "Re: UPDATE!! (was Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open")"
- Next in thread: Sam Miller: "Re: UPDATE!! (was Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open")"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 15 Nov 2003 15:38:16 -0800
In article <3d9c250c.0311141838.62781d76@posting.google.com>, Tom wrote:
>> This refers to Slackware, but it's the same chkrootkit version (and was
>> posted only 3 days ago!)
>===I might have, but I just read it now, it has 3 messages in the
> thread, and it's not much help it seems.
I was thinking of the link back to the thread in August, in which it was
concluded that this warning was a false positive.
> Forgive me if my searching was faulty.
Searching skills are not easy to develop, but of course are very
important.
>> Unsettling things generally prove to have been innocent. :)
>===But promiscuous mode?
Plenty of examples of it right here in this group. Network monitoring
utilities (run as root) put interfaces into promiscuous mode. I've seen
a proliferation of posters panicking about promiscuity, only to discover
it was something they had done.
> netstat -punta:
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 0.0.0.0:1313 0.0.0.0:* LISTEN 1844/inetd
For general reference:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
In your specific case there may be cause to worry:
http://www.austin.rr.com/rrsec/computer_ports.html
http://www.glocksoft.com/trojan_list/NETrojan.htm
The latter says it's a Windows trojan, so that's why I still say "may".
> Note that I first did netstat -punta, then saw "xteld" on 1313, so I
> did fuser xteld and got the process ID and killed it.
("killall xteld" would save you the trouble. "pidof" might help if you
need a scalpel rather than a battle axe.)
> But now it's back, as inetd (restarted prolly).
"man inetd". Check out your inetd.conf. If there's no "1313" listed, see
/etc/services (I don't list 1313 in mine, BTW -- Slackware.) What effect
does it have on 1313 and other inetd ports when you "killall inetd"?
> Yes, going 'down' to runlevel 1 makes no difference, changing
> runlevels does not affect this port 1313.
I would expect that inetd would be stopped in runlevel 1, but I'm not
familiar with Debian. If 1313 is still LISTENing in runlevel 1, I'd call
that a cause for concern.
>> I'll bet the answers can be found by following leads from this command:
>> less `which ifup` `which ifdown`
>> If you can't read the scripts yourself, other Debian users might be able
>> to help (a Debian NG, perhaps?)
>===These scripts are very large, posting to a newsgroup seems awkward
> (google doesn't support attachments). Should I worry? Is it worth
This definitely sounds like a possible crack. Yes, I would worry ... and
if you read my other contributions to this NG I am among the last to do
so.
Get the ifup and ifdown scripts from a KNOWN CLEAN Debian source, then
compare to yours. "man diff". Post the diff here, inline (and perhaps
add a crosspost to a Debian security or networking group.) Whilst doing
so check out the default inetd.conf. Since you don't sound familiar with
it I doubt you did something to change it.
Consider that if you're generating the diff on the suspect machine, the
attacker may have compromised your diff binary! Nothing it shows you is
above suspicion at this point. Do the diff on a known clean machine; a
Knoppix CD is good for something like this.
>> I don't recall having seen your "netstat -punta" output yet. Is it still
>> listening after a reboot (or appropriate runlevel change if you like to
>> keep your uptime :) ?
>===I love my uptime ;-)
Sorry, but it's quite possible you're about to lose it. If you do find
hard evidence of intrusion, I trust you know the routine: pull the
network cable, do a postmortem examination, wipe, reinstall.
-- /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net or put "not-spam" or "/dev/rob0" in Subject header to reply
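The three checks suggested in this reply (who holds the 1313 listener, whether inetd.conf and /etc/services account for it, and whether ifup differs from a known-clean copy) as an added example script; it is not code from the thread or from Debian. The netstat excerpt, the services and inetd.conf fragments, and the two ifup copies are all constructed here, and the "xtel 1313/tcp" line is an assumption made from the xteld name in the post, not a statement about any real distribution's /etc/services.

```shell
#!/bin/sh
# Added example for the checks discussed in the post (not code from the
# original thread). All sample data below is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed excerpt of "netstat -punta" output, modelled on the line quoted
# in the thread (port 1313 held by inetd) plus one invented sshd entry.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1313            0.0.0.0:*               LISTEN      1844/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd'

# Constructed /etc/services excerpt; "xtel 1313/tcp" is an assumption based on
# the xteld name seen in the thread, not a claim about any real distribution.
cat > "$WORK/services" <<'EOF'
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
xtel            1313/tcp
EOF

# Constructed inetd.conf excerpt: telnet is commented out, xtel is enabled.
cat > "$WORK/inetd.conf" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
xtel    stream  tcp     nowait  root    /usr/sbin/xteld xteld
EOF

# Constructed "known clean" ifup and a suspect copy with one extra line.
cat > "$WORK/ifup.ref" <<'EOF'
#!/bin/sh
# reference ifup (constructed stand-in for the distribution's script)
IFACE=$1
ip link set "$IFACE" up
EOF
{ cat "$WORK/ifup.ref"; echo 'logger "line that is not in the reference copy"'; } > "$WORK/ifup.suspect"

# listener_of PORT: print "pid/program" of the tcp socket LISTENing on PORT
# according to the netstat sample (empty if nothing listens there).
listener_of() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
    awk -v port="$1" '$1 == "tcp" && $6 == "LISTEN" && $4 ~ (":" port "$") { print $7 }'
}

# inetd_port_owner PORT SERVICES INETD_CONF: map PORT to its /etc/services
# name(s), then print "name server_path" for each enabled inetd entry using
# that name. Commented-out entries (#telnet) do not match. No output means
# inetd.conf does not explain the listener, which is the case to worry about.
inetd_port_owner() {
    port=$1; services=$2; conf=$3
    awk -v p="$port/tcp" '$1 !~ /^#/ && $2 == p { print $1 }' "$services" |
    while read -r name; do
        awk -v n="$name" '$1 == n { print $1, $6 }' "$conf"
    done
}

# compare_to_reference REF SUSPECT: returns 0 and prints "identical" when the
# files match byte for byte, otherwise prints a unified diff and returns 1.
# Run this on a known-clean machine (e.g. booted from a live CD) so the cmp
# and diff binaries themselves are trusted.
compare_to_reference() {
    if cmp -s "$1" "$2"; then
        echo "identical"
        return 0
    fi
    diff -u "$1" "$2"
    return 1
}

# Usage walk-through
echo "1313 is held by: $(listener_of 1313)"
echo "inetd.conf entry for 1313: $(inetd_port_owner 1313 "$WORK/services" "$WORK/inetd.conf")"
compare_to_reference "$WORK/ifup.ref" "$WORK/ifup.suspect" || echo "ifup differs from the reference: investigate"
```

With the constructed data the script reports inetd as the owner of 1313, finds the enabled "xtel" entry that explains it, and shows the one-line difference between the two ifup copies. On a real box the interesting outcome is the opposite one: a LISTEN socket that neither inetd.conf nor /etc/services accounts for, or a diff against the distribution's copy that you did not make yourself.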