
Hacked - is it my turn?



Hello,

As of this morning two of my machines - which are regularly contacted
through ssh from each other - showed this message upon 'chkrootkit':
> Checking 'bindshell'... INFECTED [PORTS:  1524 31337]
> Checking 'lkm'... You have 4 processes hidden for ps command
The latter happened to me before and I had gotten info on how this check
doesn't work from this newsgroup ... but the former never showed up
before.

'nmap' to those ports gives me:
> PORT      STATE    SERVICE
> 1524/tcp  filtered ingreslock
> 31337/tcp filtered Elite

Checksecurity reports this:

> Security Violations for su
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody

'tiger' also reports - while performing signature check of system
binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
and /usr/bin/inetd do not match. This cannot be confirmed by aide
(cd-burned database, unsafe binary) or debsums (unsafe binary).

Am I hacked? What else can I do to investigate the situation further?

Thanks, Joh


