Re: Hacked - is it my turn?

[Eric Nelson <en@megahosted.com>]

Yep, it definately looks like you're hacked with those ports open unless 
you've installed something that uses them. I'd look into those hidden 
processes also but I know there's a problem with procfs or something 
that causes some hidden pid's 2-5 or something.

check out http://www.soohrt.org/stuff/linux/suckit/ if in doubt.

Eric


Johannes Graumann wrote:
> Hello,
>
> As of this morning two of my machines - which are regularly contacted
> trough ssh from each other - showed this message upon 'chkrootkit':
>
> > Checking 'bindshell'... INFECTED [PORTS:  1524 31337]
> > Checking 'lkm'... You have 4 processes hidden for ps command
>
> The latter happened to me before and I had gotten info on how this check
> doesn't work from this newsgroup ... but the former never showed up
> before.
>
> 'nmap' to those ports gives me:
>
> > PORT      STATE    SERVICE
> > 1524/tcp  filtered ingreslock
> > 31337/tcp filtered Elite
>
>
> Checksecurity reports this:
>
>
> > Security Violations for su
> > =-=-=-=-=-=-=-=-=-=-=-=-=-
> > Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody
>
>
> 'tiger' also reports - while performing signature check of system
> binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
> and /usr/bin/inetd don not match. This can not be confirmed by aide
> (cd-burned database, unsafe binary) or debsums (unsafe binary).
>
> Am I hacked? What else can I do to investigate the situation further?
>
> Thanks, Joh

--
Eric Nelson     <en@megahosted.com>     http://www.megahosted.com/~en/
GPG-key: C4AB5707 Fingerprint: 9E50 D5C2 2B02 A944 1A28  5CA5 366A 0294 
C4AB 5707