
Am I hacked?


Michal Sedlak

Jun 15, 2005, 1:00:24 PM
Hi all,
I am nearly sure that my server was hacked, but I want to be sure. Can
anybody tell me if it is true?

Here is the tiger script output. Do you have any ideas how to repair it {no mkfs
funny stuff please}
There are some interesting lines. I have one for every critical system
command like {login, su, etc}
--WARN-- [sig004w] None of the following versions of /bin/netstat
(-rwxr-xr-x) matched the /bin/netstat on this machine.
and something like this for some kernel modules
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.symbols'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.

Thank you very much for any recommendations

Best regards
Michal Sedlak

tiger script output:
Security scripts *** 3.2.1, 2003.10.10.18.00 ***
Wed Jun 15 18:26:19 CEST 2005
18:26> Beginning security report for localhost.localdomain (i686 Linux
2.6.8-2-686-smp).
# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell.
--WARN-- [pass017w] Login ID sashroot has uid == 0.
--WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.
--WARN-- [pass012w] Home directory /root exists multiple times (2) in
/etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck
-r).
# Performing check of group files...
# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc006w] Login ID bind's home directory (/var/cache/bind) has group
`bind' write access.
--WARN-- [acc021w] Login ID bind appears to be a dormant account.
--WARN-- [acc021w] Login ID identd appears to be a dormant account.
--WARN-- [acc023w] Login ID ingo's parent directory (/home/) has group `staff'
write access.
--WARN-- [acc023w] Login ID michal's parent directory (/home/) has group
`staff' write access.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not
accessible.
--WARN-- [acc021w] Login ID sshd appears to be a dormant account.
# Performing check of /etc/hosts.equiv and .rhosts files...
# Checking accounts from /etc/passwd...
# Performing check of .netrc files...
# Checking accounts from /etc/passwd...
# Performing common access checks for root (in /etc/default/login,
/securetty, and /etc/ttytab...
--WARN-- [root003w] Root user has message capability turned on.
# Performing check of PATH components...
--WARN-- [path009w] /etc/csh.login does not setenv an initial setting for
PATH.
# Only checking user 'root'
# Performing check of anonymous FTP...
# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.
# Performing check of `cron' entries...
--WARN-- [cron005w] Use of cron is not restricted
# Performing check of 'inetd'...
# Checking inetd entries from /etc/inetd.conf
# Performing check of services with tcp wrappers...
# Analysing inetd entries from /etc/inetd.conf
# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service postgres is also assigned to service
postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service
postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service
sane-port.
# Performing NFS exports check...
# Performing check of system file permissions...
# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
matched the /bin/bash on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x)
matched the /bin/login on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
matched the /bin/ls on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/mount (-rwsr-xr-x)
matched the /bin/mount on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x)
matched the /bin/netstat on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ping (-rwsr-xr-x)
matched the /bin/ping on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ps (-rwxr-xr-x)
matched the /bin/ps on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/su (-rwsr-xr-x)
matched the /bin/su on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/tcsh (-rwxr-xr-x)
matched the /bin/tcsh on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/umount (-rwsr-xr-x)
matched the /bin/umount on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/at (-rwsr-xr-x)
matched the /usr/bin/at on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/chage
(-rwxr-sr-x) matched the /usr/bin/chage on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/chfn
(-rwsr-xr-x) matched the /usr/bin/chfn on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/chsh
(-rwsr-xr-x) matched the /usr/bin/chsh on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/crontab
(-rwxr-sr-x) matched the /usr/bin/crontab on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/gpasswd
(-rwsr-xr-x) matched the /usr/bin/gpasswd on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/lockfile
(-rwxr-sr-x) matched the /usr/bin/lockfile on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/lpq (-rwsr-sr-x)
matched the /usr/bin/lpq on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/lpr (-rwsr-sr-x)
matched the /usr/bin/lpr on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/lprm
(-rwsr-sr-x) matched the /usr/bin/lprm on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/mutt
(-rwxr-xr-x) matched the /usr/bin/mutt on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/newgrp
(-rwsr-xr-x) matched the /usr/bin/newgrp on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/passwd
(-rwsr-xr-x) matched the /usr/bin/passwd on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/procmail
(-rwsr-sr-x) matched the /usr/bin/procmail on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/ssh (-rwxr-xr-x)
matched the /usr/bin/ssh on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/traceroute
(lrwxrwxrwx) matched the /usr/bin/traceroute on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/wall
(-rwxr-sr-x) matched the /usr/bin/wall on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/write
(lrwxrwxrwx) matched the /usr/bin/write on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/inetd
(-rwxr-xr-x) matched the /usr/sbin/inetd on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/lpc
(-rwxr-sr-x) matched the /usr/sbin/lpc on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/lpd
(-rwxr-xr-x) matched the /usr/sbin/lpd on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/sshd
(-rwxr-xr-x) matched the /usr/sbin/sshd on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/tcpd
(-rwxr-xr-x) matched the /usr/sbin/tcpd on this machine.
>>>>>> Linux 2.4.17
# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /bin/ip
# Testing for backdoors in inetd.conf
# Performing check of files in system mail spool...
# Performing check for rookits...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
Warning: Possible LKM Trojan installed
# Performing system specific checks...
# Performing checks for Linux/2...
# Checking for single user-mode password...
# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group
permissions. Should be 0600
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world
permissions. Should be 0600
--WARN-- [boot06] The Grub bootloader does not have a password configured.
# Checking for vulnerabilities in inittab configuration...
--FAIL-- [lin007w] Normal users can reboot the system through ctrl+alt+del in
runlevels 12345
# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/csh.login
# Checking Logins not used on the system ...
# Checking network configuration
--FAIL-- [lin010f] The system is configured to answer to ICMP broadcasts
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
packets
# Verifying system specific password checks...
--WARN-- [pass19w] Login ID root does not have password aging enabled.
--WARN-- [pass19w] Login ID sashroot does not have password aging enabled.
--WARN-- [pass19w] Login ID bin does not have password aging enabled.
--WARN-- [pass19w] Login ID michal does not have password aging enabled.
--WARN-- [pass19w] Login ID ingo does not have password aging enabled.
# Checking OS release...
# Checking installed packages vs Debian Security Advisories...
# Checking md5sums of installed files
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.pcimap'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.dep'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.ieee1394map'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.usbmap'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.isapnpmap'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.alias'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.symbols'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-686-smp/modules.pcimap'
checksum differs from installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-686-smp/modules.dep'
checksum differs from installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-686-smp/modules.ieee1394map'
checksum differs from installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-686-smp/modules.usbmap'
checksum differs from installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-686-smp/modules.isapnpmap'
checksum differs from installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-686-smp/modules.alias'
checksum differs from installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-686-smp/modules.symbols'
checksum differs from installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file `/opt/wps2/lib/python/Products/WPSRedirector/WPSRedirector.py'
checksum differs from installed package 'wps-base'.
# Checking installed files against packages...
# Performing check of root directory...
# Checking device permissions...
--WARN-- [dev003w] The directory /dev/cpu resides in a device directory.
--WARN-- [dev003w] The directory /dev/i2o resides in a device directory.
--FAIL-- [dev002f] /dev/log has world permissions
# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/wtmp permission should be 664
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
# Checking for correct umask settings...
--WARN-- [misc021w] There are no umask entries in /etc/csh.login
# Checking listening processes
--WARN-- [lin003w] The process `exim4' is listening on socket 25 (TCP on
loopback interface) is run by Debian-exim.
--WARN-- [lin003w] The process `mysqld' is listening on socket 3306 (TCP on
loopback interface) is run by mysql.
--WARN-- [lin003w] The process `named' is listening on socket 53 (TCP on
loopback interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 953 (TCP on
loopback interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 53 (TCP on
217.67.26.86 interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 32768 (UDP on
every interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 53 (UDP on
loopback interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 53 (UDP on
217.67.26.86 interface) is run by bind.
--WARN-- [lin002i] The process `python2.2' is listening on socket 9672 (TCP)
on every interface.
--WARN-- [lin002i] The process `python2.2' is listening on socket 9673 (TCP)
on every interface.
--WARN-- [lin002i] The process `python2.2' is listening on socket 9674 (TCP)
on every interface.
# Checking sshd_config configuration files...
# Checking printer configuration files...
# Performing common access checks for root...
--FAIL-- [netw020f] There is no /etc/ftpusers file.
# Checking ntpd configuration...
# Checking unusual file names...
# Looking for unusual device files...
# Checking symbolic links...
--WARN-- [xxxxx] The following files are unowned:
/home/ingo/ssl.conf
--WARN-- [xxxxx] The following files have undefined groups ownership:
/home/ingo/ssl.conf
# Performing check of embedded pathnames...
18:28> Security report completed for localhost.localdomain.


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Laurent CARON

Jun 16, 2005, 1:10:07 AM
Michal Sedlak wrote:

> Hi all,
> I am nearly sure that my server was hacked, but I want to be sure. Can
> anybody tell me if it is true?
>
> Here is the tiger script output. Do you have any ideas how to repair it
> {no mkfs funny stuff please}
> There are some interesting lines. I have one for every critical system
> command like {login, su, etc}
> --WARN-- [sig004w] None of the following versions of /bin/netstat
> (-rwxr-xr-x) matched the /bin/netstat on this machine.
> and something like this for some kernel modules
> --FAIL-- [lin005f] Installed file
> `/lib/modules/2.6.8-2-386/modules.symbols'
> checksum differs from installed package 'kernel-image-2.6.8-2-386'.
>
> Thank you very much for any recommendations
>

Login ID sashroot has uid == 0.
--WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.
--WARN-- [pass012w] Home directory /root exists multiple times (2) in
/etc/passwd.

can you please post a copy of /etc/passwd and /etc/group

Thanks

--
It is as true to say that the knowing subject is a product of matter as
to say that matter is a mere representation of the knowing subject.
-+- Arthur Schopenhauer (1788-1860) -+-

Maurits van Rees

Jun 16, 2005, 2:40:07 AM
On Thu, Jun 16, 2005 at 07:07:59AM +0200, Laurent CARON wrote:
> Login ID sashroot has uid == 0.
> --WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.
> --WARN-- [pass012w] Home directory /root exists multiple times (2) in
> /etc/passwd.
>
> can you please post & copy of /etc/passwd and /etc/group

AFAIK this is perfectly fine. sash is a stand-alone shell with
built-in commands. The sashroot user is a root user (with the same
password as root) that can be used in case you hosed your system and
can't access critical programs like cp, chmod and mount. See 'man
sash'. Try it some time with 'su sashroot'.

So there may still be problems with the original poster, but
it's not in these lines.

--
Maurits van Rees | http://maurits.vanrees.org/ [Dutch/Nederlands]
Public GnuPG key: keyserver.net ID 0x1735C5C2
"Let your advance worrying become advance thinking and planning."
- Winston Churchill


Michal Sedlak

Jun 16, 2005, 8:00:20 AM
Here are the files you asked me for:

/etc/passwd
root:x:0:0:root:/root:/bin/bash
sashroot:x:0:0:root:/root:/bin/sash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
michal:x:1000:1000:Michal Sedlak,,,:/home/michal:/bin/bash
identd:x:100:65534::/var/run/identd:/bin/false
sshd:x:101:65534::/var/run/sshd:/bin/false
mysql:x:103:104:MySQL Server,,,:/var/lib/mysql:/bin/false
logcheck:x:105:105::/var/lib/logcheck:/bin/false
bind:x:104:106::/var/cache/bind:/bin/false
ingo:x:1001:1001:,,,:/home/ingo:/bin/bash
wps:x:108:108::/opt/wps2:/bin/false
ntop:x:107:107::/var/lib/ntop:/bin/false
clamav:x:109:109::/var/lib/clamav:/bin/false

/etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:logcheck
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:michal
fax:x:21:
voice:x:22:
cdrom:x:24:michal
floppy:x:25:michal
tape:x:26:
sudo:x:27:
audio:x:29:michal
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:michal
sasl:x:45:
plugdev:x:46:michal
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
crontab:x:101:
Debian-exim:x:102:
michal:x:1000:
ssh:x:103:
mysql:x:104:
logcheck:x:105:
bind:x:106:
ingo:x:1001:
wps:x:108:
ntop:x:107:
clamav:x:109:


But I think the bigger problem is this


--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
matched the /bin/bash on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x)
matched the /bin/login on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
matched the /bin/ls on this machine.
>>>>>> Linux 2.4.17

and this

# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
Warning: Possible LKM Trojan installed

Best regards
Michal Sedlak



Kevin B. McCarty

Jun 16, 2005, 11:40:09 AM
Michal Sedlak wrote:

> I am nearly sure that my server was hacked, but I want to be sure. Can anybody tell me if it is true?
>
> Here is the tiger script output. Do you have any ideas how to repair it {no mkfs funny stuff please}
> There are some interesting lines. I have one for every critical system command like {login, su, etc}
> --WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x) matched the /bin/netstat on this machine.
> and something like this for some kernel modules
> --FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.symbols'
> checksum differs from installed package 'kernel-image-2.6.8-2-386'.

Could you try running chkrootkit and send the results to this list? A
Debian package exists, but you may want to install it manually (install
the package to another machine and copy over the files) if you don't
know whether apt-get et al. have been trojanned.

--
Kevin B. McCarty <kmcc...@princeton.edu> Physics Department
WWW: http://www.princeton.edu/~kmccarty/ Princeton University
GPG: public key ID 4F83C751 Princeton, NJ 08544

Mike Oliver

Jun 16, 2005, 7:50:04 PM
Michal Sedlak wrote:

> But I thing bigger problem is this
> --WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
> matched the /bin/bash on this machine.
>
>>>>>>> Linux 2.4.17
>
> --WARN-- [sig004w] None of the following versions of /bin/login
> (-rwsr-xr-x)
> matched the /bin/login on this machine.
>
>>>>>>> Linux 2.4.17
>
> --WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
> matched the /bin/ls on this machine.
>
>>>>>>> Linux 2.4.17

It looks to me as though tiger checked only one possible version of each
of these commands. Not too surprising you wouldn't match that particular
one. I think you should run md5sum on those commands and check the output
against -- well, that I'm not too sure about, but someone must have the
official md5sums for sarge files, now that it's been released?

> and this
>
> # Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
> --WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit
> installation
> Warning: Possible LKM Trojan installed

chkrootkit has given me this false positive before, I forget why.
Get the detailed output from chkrootkit.
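The "Possible LKM Trojan" line comes from chkrootkit's chkproc test, which compares the set of processes visible through /proc with the set that ps reports; a process that starts or exits between the two listings looks "hidden", which is one well-known source of exactly this false positive. The script below is an added example, not part of the thread and not chkrootkit's own code: it repeats the comparison with two snapshots a second apart and only reports a PID that is hidden in both. The snapshots in the default run are constructed. It executes on the suspect kernel, so a module that hides a process from /proc and ps alike passes it unnoticed; it only helps decide whether the warning was noise, and chkrootkit's expert-mode output (-x) plus an offline check remain the real test.

```shell
#!/bin/sh
# Added example (not from the thread, not chkrootkit code): two-pass
# /proc-versus-ps comparison to triage a "Possible LKM Trojan" warning.

# pids_only_in_first "<pids>" "<pids>": print the PIDs in the first
# whitespace-separated list that are absent from the second, one per line.
pids_only_in_first() {
    second=" $(printf '%s ' $2)"
    for p in $1; do
        case "$second" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# confirm_hidden "<proc1>" "<ps1>" "<proc2>" "<ps2>": a PID counts as hidden
# only if it was in /proc but not in ps in BOTH snapshots.  A PID that is
# hidden in one pass only is a process that started or exited in between,
# which is the race behind the false positive.
confirm_hidden() {
    hidden1=$(pids_only_in_first "$1" "$2")
    hidden2=" $(printf '%s ' $(pids_only_in_first "$3" "$4"))"
    for p in $hidden1; do
        case "$hidden2" in *" $p "*) echo "$p" ;; esac
    done
}

# Live snapshots: numeric directories under /proc, and the pid column of ps.
snapshot_proc_pids() { ls -d /proc/[0-9]* 2>/dev/null | sed 's|^/proc/||'; }
snapshot_ps_pids()   { ps -eo pid= | tr -d ' '; }

# Two passes, one second apart, on the running (suspect) kernel.
find_hidden_pids() {
    proc1=$(snapshot_proc_pids); ps1=$(snapshot_ps_pids)
    sleep 1
    proc2=$(snapshot_proc_pids); ps2=$(snapshot_ps_pids)
    confirm_hidden "$proc1" "$ps1" "$proc2" "$ps2"
}

if [ "${1:-}" = "--live" ]; then
    hidden=$(find_hidden_pids)
    if [ -n "$hidden" ]; then
        echo "PIDs in /proc but not in ps in both passes: $hidden"
    else
        echo "no hidden processes confirmed"
    fi
else
    # Constructed snapshots: PID 2 exits between passes, PID 5 starts,
    # PID 4 is absent from ps in both passes and is the only confirmed hit.
    echo "constructed snapshots -> hidden: $(confirm_hidden '1 2 3 4' '1 2 3' '1 3 4 5' '1 3')"
fi
```

Run it with `--live` on the machine to take real snapshots; without arguments it walks through the constructed snapshots. A single confirmed PID that still does not appear in ps after several runs is worth the offline investigation; an empty result only says the warning was probably a race.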

Alexei Chetroi

Jun 17, 2005, 5:40:08 AM
On Thu, Jun 16, 2005 at 11:36:18AM -0400, Kevin B. McCarty wrote:
> Date: Thu, 16 Jun 2005 11:36:18 -0400
> From: "Kevin B. McCarty" <kmcc...@Princeton.EDU>
> User-Agent: Debian Thunderbird 1.0.2 (X11/20050331)
> To: debia...@lists.debian.org

> Subject: Re: Am I hacked?
>
> Michal Sedlak wrote:
>
> > I am nearly sure that my server was hacked, but I want to be sure. Can anybody tell me if it is true?
> >
> > Here is the tiger script output. Do you have any ideas how to repair it {no mkfs funny stuff please}
> > There are some interesting lines. I have one for every critical system command like {login, su, etc}
> > --WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x) matched the /bin/netstat on this machine.
> > and something like this for some kernel modules
> > --FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.symbols'
> > checksum differs from installed package 'kernel-image-2.6.8-2-386'.
>
> Could you try running chkrootkit and send the results to this list? A
> Debian package exists, but you may want to install it manually (install
> the package to another machine and copy over the files) if you don't
> know whether apt-get et al. have been trojanned.

If his kernel has been LKM-trojanned, then you cannot trust your
kernel any more. So I think it is better to boot from a live CD and then
run chkrootkit, and make sure you copy chkrootkit from a trusted
installation.

Best wishes

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
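Putting the three suggestions together (Mike's md5sum comparison against the released sarge checksums, Kevin's copy-from-a-clean-machine, Alexei's live CD), the script below is an added example, not from the thread or from any Debian tool, that checks a mounted suspect root against the md5sums list shipped inside a pristine .deb of the same version. That way neither the suspect kernel nor the machine's own /var/lib/dpkg/info/*.md5sums lists, which a root-level intruder can rewrite, is trusted. The device, package file name and mount point in the comments are placeholders, and the miniature root the demo builds is constructed. Two of the findings in the tiger report are expected noise for this kind of check: the sig004w lines only had a signature set labelled "Linux 2.4.17" to compare against, which a sarge binary will never match, and the lin005f failures on modules.dep and the modules.*map/alias/symbols files are what depmod produces when it rewrites them after the package is unpacked; the skip pattern argument exists for the second case.

```shell
#!/bin/sh
# Added example (not from the thread): verify files under a suspect root
# against a dpkg-style md5sums list taken from a pristine .deb.
#
# Assumed usage from a live CD (device, package name and paths are placeholders):
#   mount -o ro /dev/hda1 /mnt/suspect
#   dpkg-deb -e coreutils_5.2.1-2_i386.deb ctrl    # ctrl/md5sums is the reference list
#   sh verify_md5sums.sh ctrl/md5sums /mnt/suspect '^lib/modules/.*/modules\.'

# verify_md5sums <md5sums-file> <root> [<skip-regex>]
# Each line of <md5sums-file> is "<md5>  <path relative to />", the format of
# the md5sums control file inside a .deb.  Prints one line per problem
# (MISMATCH or MISSING) and returns 1 if anything was found, 0 otherwise.
verify_md5sums() {
    sums=$1
    root=${2%/}          # strip a trailing slash; "" means the live root "/"
    skip=${3:-}
    problems=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue
        # Files regenerated after unpack (depmod output, for instance) always
        # differ; skip them by pattern instead of drowning real findings.
        if [ -n "$skip" ] && printf '%s\n' "$relpath" | grep -Eq "$skip"; then
            continue
        fi
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            problems=$((problems + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $relpath"
            problems=$((problems + 1))
        fi
    done < "$sums"
    [ "$problems" -eq 0 ]
}

# demo_tree: build a constructed miniature root in a temp dir with one intact
# binary, one altered binary, one missing binary and one depmod-style file,
# plus the matching reference list; prints the directory path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/lib/modules/2.6.8-2-386"
    printf 'genuine ls\n' > "$d/bin/ls"
    printf 'trojaned ps\n' > "$d/bin/ps"
    printf 'regenerated\n' > "$d/lib/modules/2.6.8-2-386/modules.dep"
    {
        printf '%s  bin/ls\n'      "$(printf 'genuine ls\n' | md5sum | cut -d' ' -f1)"
        printf '%s  bin/ps\n'      "$(printf 'genuine ps\n' | md5sum | cut -d' ' -f1)"
        printf '%s  bin/netstat\n' "$(printf 'genuine netstat\n' | md5sum | cut -d' ' -f1)"
        printf '%s  lib/modules/2.6.8-2-386/modules.dep\n' \
               "$(printf 'as shipped\n' | md5sum | cut -d' ' -f1)"
    } > "$d/ref.md5sums"
    echo "$d"
}

if [ $# -ge 2 ]; then
    verify_md5sums "$@"
else
    d=$(demo_tree)
    if verify_md5sums "$d/ref.md5sums" "$d" '/modules\.'; then
        echo "clean"
    else
        echo "integrity problems found under $d"
    fi
    rm -rf "$d"
fi
```

The reference .deb should be the exact version dpkg claims is installed and should come from a mirror, with the archive's signed Release file checked, rather than from the suspect disk. debsums does the same comparison in one command, but on the running machine it reads the suspect md5sums lists with suspect binaries on a suspect kernel, which is the whole problem Alexei points at.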
