
Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open"


Tom
Nov 14, 2003, 12:31:01 AM
I run Debian Linux. I've been keeping current with security updates
and that sort of thing. I've been using Debian for about a month and
a half now. I try to keep things simple, and run my box as secure as
possible, from what I know. I run apt-get update & upgrade every day
or two.

Every week or so I'll run chkrootkit, mostly just because I feel I
should. Every time I've run it, I've come up clean, no problems.

Today it's started saying:
"You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed"

This worried me, so I spent an hour and a half on Google Groups
looking over news postings about this, and could not glean any info
that could help me determine if I was compromised.

I did an nmap scan (from my own computer) of all ports, and port 1313
was open. Research showed this is used by the NETrojan program, but
this program is for windows. I do not know how long port 1313 has
been open.

On October 26, I ran a script which computed md5sums for all files in
"/bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/". I ran a diff on
the current md5s to the md5s that were computed on October 26, and
several programs, for example "ps, su, sed, dash, kill, sash, login,
mbchk, tempfile, mktemp, run-parts, top, dpkg, file, find, flea, free"
and so on have different MD5s than before.

HOWEVER, I do remember during an apt-get upgrade, seeing that new
versions of login and such were out, and that I did have apt-get
upgrade to them.

Using ls to check the modified dates of a few of these files shows
nothing suspicious like them all being modified on the same day.

I don't like port 1313 being open without me knowing why it's open,
and when I telnet to 1313 no server banner is displayed, only that I'm
connected and what the escape character is.

Those binaries could have been changed legitimately, through my daily
updates, and chkrootkit sometimes gives false positives.

Could someone please tell me what's going on and if I've been
compromised or not?

Thanks in advance, Tom

Stu
Nov 14, 2003, 6:44:36 AM
First and foremost, unplug your network card immediately!

Since you are running chkrootkit you can use `chkproc -v` to find out which
processes are hidden. Next, assuming netstat wasn't one of the programs
that was replaced, run `netstat -nltup` and see if any of the processes
listed there for port 1313 correspond to the PIDs chkproc spit out. If by
chance netstat was replaced, then cd into each /proc/<proc id>/fd and do a
`ls -l` (assuming that these are cracked versions of ls and cd, provided
the person wasn't crafty enough to disallow cd-ing into the directory and
filter out any listings in <proc id> directory tree, this should work--I
haven't seen anyone go to these lengths, since modding the kernel to do the
same thing would be less work). If there is a file symlink'd to a socket
(it'll have socket:[socket number] in the output), do `grep <socket
number> /proc/net/udp` and `grep <socket number> /proc/net/tcp`. In the
second column of the output there will be two hexadecimal numbers separated
by a colon; if the second number is 0521 that process is the one listening
on port 1313.

If one of those processes is listening on that port, then more likely than
not you have been hacked and you should probably restore from a reliable
(pre-hacked) backup. Actually, if you are still a little worried--even if
you didn't find anything wrong--you could restore from a backup, just for
"peace of mind".

If you had to restore from a backup, then you definitely want to turn off
all your services while you upgrade all the software that needs upgrading.
Then think seriously about what services are absolutely necessary, and
before you bring the ones that you absolutely need online make sure they
are tightly locked down. Also, you should change all the users' passwords
(including root) on the machine and if your users use keys for remote
access you should have them generate new ones (you might also consider
limiting the IP addresses that can access the machine remotely), do this
before you connect your machine back to the network. Finally, contact
everyone that has a user account on the machine, let them know it was
hacked, and ask them to check their machines to see if they were hacked
(could be your machine was broken into using information gathered from one
of your users' machines).


Stu
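The socket-to-port lookup Stu describes (fd symlink to socket inode, inode to a row in /proc/net/tcp or /proc/net/udp, hex port to decimal) is easy to get wrong by eye, so here it is as an added Python example. It is not code from chkrootkit or from anyone in this thread; the fd listing and /proc/net tables below are constructed sample data, and `listening_ports_of_pid` assumes a Linux box where /proc/<pid>/fd is readable.

```python
"""Follow a socket from /proc/<pid>/fd to the port it is bound to, by way of
/proc/net/tcp and /proc/net/udp (the manual grep procedure above, automated).
Added example for this thread; not code from chkrootkit or from the posters."""
import os
import re

SOCKET_RE = re.compile(r"socket:\[(\d+)\]")
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp


def port_to_hex(port: int) -> str:
    """The form a port takes in /proc/net/tcp, e.g. 1313 -> '0521'."""
    return f"{port:04X}"


def socket_inodes(fd_listing: str) -> set:
    """Socket inode numbers from `ls -l /proc/<pid>/fd` output (or readlink results)."""
    return {int(m.group(1)) for m in SOCKET_RE.finditer(fd_listing)}


def parse_proc_net(table: str, proto: str) -> list:
    """Parse the text of /proc/net/tcp or /proc/net/udp into the columns we need.
    Layout: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ..."""
    rows = []
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        _addr_hex, port_hex = fields[1].split(":")
        rows.append({
            "proto": proto,
            "port": int(port_hex, 16),
            "state": fields[3],
            "inode": int(fields[9]),
        })
    return rows


def listening_ports(fd_listing: str, tcp_table: str, udp_table: str) -> set:
    """(proto, port) pairs on which the process owning fd_listing is listening.
    A TCP socket counts only in LISTEN state; UDP is connectionless, so any
    bound UDP socket counts regardless of its state column."""
    inodes = socket_inodes(fd_listing)
    found = set()
    for row in parse_proc_net(tcp_table, "tcp"):
        if row["inode"] in inodes and row["state"] == TCP_LISTEN:
            found.add(("tcp", row["port"]))
    for row in parse_proc_net(udp_table, "udp"):
        if row["inode"] in inodes:
            found.add(("udp", row["port"]))
    return found


def listening_ports_of_pid(pid: int) -> set:
    """Same check against the live system; assumes Linux and permission to read /proc/<pid>/fd."""
    fd_dir = f"/proc/{pid}/fd"
    links = "\n".join(os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir))
    with open("/proc/net/tcp") as t, open("/proc/net/udp") as u:
        return listening_ports(links, t.read(), u.read())


# Constructed sample data: one fd pointing at socket inode 8421, which /proc/net/tcp shows
# bound to 0521 hex (= 1313) in LISTEN state, beside an established connection on the same
# port, an sshd listener on 0016 (= 22), and a UDP socket on 0044 (= 68).
SAMPLE_FD_LISTING = """\
lrwx------ 1 root root 64 Nov 14 00:00 0 -> /dev/null
lrwx------ 1 root root 64 Nov 14 00:00 3 -> socket:[8421]
l-wx------ 1 root root 64 Nov 14 00:00 4 -> /var/log/daemon.log
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7100 1 c1234560 300 0 0 2 -1
   1: 00000000:0521 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8421 1 c1234570 300 0 0 2 -1
   2: 0100007F:0521 0100007F:8E3A 01 00000000:00000000 00:00000000 00000000     0        0 8422 1 c1234580 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5005 2 c1234590 0
"""

if __name__ == "__main__":
    print(port_to_hex(1313))                                          # 0521
    print(listening_ports(SAMPLE_FD_LISTING, SAMPLE_TCP, SAMPLE_UDP))  # {('tcp', 1313)}
```

Running `listening_ports_of_pid(<pid>)` for each PID chkproc reports answers Stu's question directly: a hidden PID that comes back with `("tcp", 1313)` is the listener. Reading /proc/net/tcp yourself also sidesteps a replaced netstat, which is the reason Stu gives for the manual route.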

Richard Kimber
Nov 14, 2003, 7:29:09 AM
On Thu, 13 Nov 2003 21:31:01 -0800, Tom wrote:

> I run Debian Linux. I've been keeping current with security updates
> and that sort of thing. I've been using Debian for about a month and
> a half now. I try to keep things simple, and run my box as secure as
> possible, from what I know. I run apt-get update & upgrade every day
> or two.
>
> Every week or so I'll run chkrootkit, mostly just because I feel I
> should. Every time I've run it, I've come up clean, no problems.
>
> Today it's started saying:
> "You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed"

I get this too with Debian. I'm not sure these processes are actually
hidden. If I run ps it gives:

1 ? S 0:07 init
2 ? SW 0:00 [keventd]
0 ? SWN 0:00 [ksoftirqd_CPU0]
0 ? SW 0:05 [kswapd]
0 ? SW 0:00 [bdflush]
0 ? SW 0:00 [kupdated]
8 ? SW 0:00 [i2oevtd]
etc

The processes with zero pid seem to be the processes reported as hidden by
chkrootkit, and chkproc says they are 3,4,5,6.

I'm not an expert, but this looks more like some sort of bug than a
compromise. But I could be wrong.

- Richard.

Tim Haynes
Nov 14, 2003, 8:16:58 AM
Richard Kimber <rki...@ntlworld.com> writes:

> I get this too with Debian. I'm not sure these processes are actually
> hidden. If I run ps it gives:
>
> 1 ? S 0:07 init
> 2 ? SW 0:00 [keventd]
> 0 ? SWN 0:00 [ksoftirqd_CPU0]
> 0 ? SW 0:05 [kswapd]
> 0 ? SW 0:00 [bdflush]
> 0 ? SW 0:00 [kupdated]
> 8 ? SW 0:00 [i2oevtd]
> etc
>
> the processes with zero pid seem to be the processes reported as hidden by
> chkrootkit and chkproc says they are 3,4,5,6
>
> I'm not an expert, but this looks more like some sort of bug than a
> compromise. But I could be wrong.

We did this over on uk.comp.os.linux a couple of days ago. Apparently the
psutils (or whatever) package in Debian has changed from using something
known as the PID to something more representative of a `thread-group' or
something, all in the name of increased POSIX-compliance.

Hence kernel-processes all appear as "pid" 0 while individually they still
have separate pids.

Google-groups will have the answer.

~Tim
--
There's a lighthouse, Shining in the black, |pig...@stirfried.vegetable.org.uk
A lighthouse, Standing in the dark |http://spodzone.org.uk/

Christopher Browne
Nov 14, 2003, 9:16:32 AM
Centuries ago, Nostradamus foresaw when northof...@yahoo.com (Tom) would write:
> Today it's started saying:
> "You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed"

Do you perchance have portsentry installed? I seem to recall that
setting off alerts.

Portsentry would attach to various ports commonly used as 'control
ports' by rootkits and other sorts of "attackers," and look for
requests, as this would nicely indicate a wannabe-incoming-attack.

My conclusion has been that chkrootkit sets off a lot of
false-positive alarms :-(.
--
(format nil "~S@~S" "cbbrowne" "cbbrowne.com")
http://www.ntlug.org/~cbbrowne/spreadsheets.html
Rules of the Evil Overlord #167. "If I am recruiting to find someone
to run my computer systems, and my choice is between the brilliant
programmer who's head of the world's largest international technology
conglomerate and an obnoxious 15-year-old dork who's trying to impress
his dream girl, I'll take the brat and let the hero get stuck with the
genius." <http://www.eviloverlord.com/>

Christopher Browne
Nov 14, 2003, 9:16:31 AM
--
If this was helpful, <http://svcs.affero.net/rm.php?r=cbbrowne> rate me
http://www.ntlug.org/~cbbrowne/sgml.html
"I really only meant to point out how nice InterOp was for someone who
doesn't have the weight of the Pentagon behind him. I really don't
imagine that the Air Force will ever be able to operate like a small,
competitive enterprise like GM or IBM." -- Kent England

Tom
Nov 14, 2003, 11:54:25 AM
Thanks for all the information, these explicit instructions are just
what I needed!

Rather ironically perhaps, I tried chkproc, but it says command not
found. I am using v0.42 of chkrootkit.

Stu <s...@santa-li.com> wrote in message news:<o_-dnebB4u-...@comcast.com>...

Stu
Nov 14, 2003, 9:56:13 PM
chkproc is in the same directory as chkrootkit, and judging from your
output--because it said you had 4 hidden processes--it's definitely there.
If it wasn't there, you would've just had the "Warning: Possible LKM Trojan
installed" without the hidden process count...

Stu

Christopher Browne
Nov 14, 2003, 11:25:38 PM

Richard Kimber
Nov 16, 2003, 8:30:15 AM
On Fri, 14 Nov 2003 13:16:58 +0000, Tim Haynes wrote:

>> the processes with zero pid seem to be the processes reported as hidden by
>> chkrootkit and chkproc says they are 3,4,5,6
>>
>> I'm not an expert, but this looks more like some sort of bug than a
>> compromise. But I could be wrong.
>
> We did this over on uk.comp.os.linux a couple of days ago. Apparently the
> psutils (or whatever) package in Debian has changed from using something
> known as the PID to something more representative of a `thread-group' or
> something, all in the name of increased POSIX-compliance.
>
> Hence kernel-processes all appear as "pid" 0 while individually they still
> have separate pids.

Fine. Thanks, that's interesting. However, the bottom line would seem to
be that it fools chkrootkit into giving the false positive.

- Richard.
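Putting Richard's ps output and Tim's explanation together: the warning comes from comparing the PIDs present in /proc with the PIDs that ps prints, and kernel threads that this ps prints as 0 fall through that comparison. The Python below is an added example, not chkproc's code nor anything posted in this thread. It runs the same kind of comparison on a constructed ps listing modelled on Richard's, then separates kernel threads (which have an empty /proc/<pid>/cmdline) from user processes that are missing from ps and would actually deserve a look. `classify_hidden`, the sample PID list and the sample cmdline map are assumptions of the example; `live_result` assumes Linux with a working ps.

```python
"""Reproduce a chkproc-style hidden-process check (PIDs in /proc versus PIDs that
ps reports) and show why kernel threads printed with pid 0 come out as "hidden".
Added example for this thread; not chkproc's code."""
import os
import re
import subprocess

PS_PID_RE = re.compile(r"^\s*(\d+)\s")


def pids_reported_by_ps(ps_output: str) -> set:
    """Take the first column of each `ps ax` line as the PID; the header line has no digits."""
    pids = set()
    for line in ps_output.splitlines():
        m = PS_PID_RE.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_in_proc(proc_entries) -> set:
    """Numeric directory names under /proc are the PIDs the kernel actually knows about."""
    return {int(e) for e in proc_entries if e.isdigit()}


def classify_hidden(proc_entries, ps_output: str, cmdline_of):
    """Split the PIDs that are in /proc but absent from ps into
    (kernel_threads, suspicious). cmdline_of(pid) returns the contents of
    /proc/<pid>/cmdline; kernel threads have an empty cmdline."""
    hidden = pids_in_proc(proc_entries) - pids_reported_by_ps(ps_output)
    kernel_threads = {p for p in hidden if cmdline_of(p) == ""}
    return kernel_threads, hidden - kernel_threads


# Constructed sample, modelled on the ps output posted in the thread: the four
# kernel threads print as pid 0, and one extra user process (pid 4711, a made-up
# name) is in /proc but nowhere in the ps listing.
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:07 init
    2 ?        SW     0:00 [keventd]
    0 ?        SWN    0:00 [ksoftirqd_CPU0]
    0 ?        SW     0:05 [kswapd]
    0 ?        SW     0:00 [bdflush]
    0 ?        SW     0:00 [kupdated]
    8 ?        SW     0:00 [i2oevtd]
  312 ?        S      0:00 /usr/sbin/sshd
"""
SAMPLE_PROC = ["1", "2", "3", "4", "5", "6", "8", "312", "4711", "self", "net", "sys"]
SAMPLE_CMDLINE = {
    1: "init\0", 2: "", 3: "", 4: "", 5: "", 6: "", 8: "",
    312: "/usr/sbin/sshd\0", 4711: "/usr/local/bin/mystery-daemon\0",
}


def sample_result():
    """Run the check on the constructed data: ({3, 4, 5, 6}, {4711})."""
    return classify_hidden(SAMPLE_PROC, SAMPLE_PS, lambda p: SAMPLE_CMDLINE.get(p, ""))


def live_result():
    """Same check against the running system (Linux only)."""
    ps_out = subprocess.run(["ps", "ax"], capture_output=True, text=True, check=True).stdout

    def cmdline_of(pid):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                return f.read().decode(errors="replace")
        except OSError:
            return ""  # process exited between listing /proc and reading it; treated as benign

    return classify_hidden(os.listdir("/proc"), ps_out, cmdline_of)


if __name__ == "__main__":
    kernel_threads, suspicious = sample_result()
    print("kernel threads ps shows as pid 0:", sorted(kernel_threads))  # [3, 4, 5, 6]
    print("user processes missing from ps:", sorted(suspicious))        # [4711]
```

On the constructed data the plain comparison reports 3, 4, 5, 6 and 4711 as hidden, exactly the shape of Richard's result; the cmdline test then leaves only 4711, the case a defender actually cares about. On a live box there is a small race between listing /proc and reading cmdline, so a process that exits in between is counted as benign rather than flagged.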
