
Re: Hacked - is it my turn? - interesting

hi ya  Johannes

if you ( a debian box?? ) have been hacked .. other hosts are equally
susceptible .. finding out what is going on is important

On Sun, 1 Feb 2004, Eric Nelson wrote:

> Yep, it definitely looks like you're hacked with those ports open unless 

hummm... i'm not as sure .. so i'd like to pose a few questions

> you've installed something that uses them. I'd look into those hidden 
> processes also but I know there's a problem with procfs or something 
> that causes some hidden pid's 2-5 or something.
> check out http://www.soohrt.org/stuff/linux/suckit/ if in doubt.

> Johannes Graumann wrote:
> > Hello,
> > 
> > As of this morning two of my machines - which are regularly contacted
> > through ssh from each other - showed this message upon 'chkrootkit':
> > 
> >>Checking 'bindshell'... INFECTED [PORTS:  1524 31337]
> >>Checking 'lkm'... You have 4 processes hidden for ps command

i'd ignore the chkrootkit flagging lkm ... known problem ??

i'd ignore the misleading bindshell problem on those ports

> > 'nmap' to those ports gives me:
> > 
> >>1524/tcp  filtered ingreslock
> >>31337/tcp filtered Elite

turn off those ports ... kill ingress and whatever uses elite

and keep poking around with nmap till it doesn't show those
ports listed

this should tell you which binary is running on that port
	lsof -V -i :1524

this is your homework to keep fiddling till nmap doesn't
report ports you cannot answer as what app is running on it
and why

> > 
> > 'tiger' also reports - while performing signature check of system
> > binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
> > and /usr/bin/inetd do not match.

what precisely doesn't match ???
	- time stamps ?? size of the files ??

	- if the binaries ( size of the files ) doesn't match,
	was there an upgrade from "apt-get update ; apt-get update .. "
	( ps-util package and other basic packages, i forgot which ones
	( that contains those binaries, looks like a couple 2-3 packages 

is the tiger db up to date

did you make a binary copy of all of your important files BEFORE
the system goes online so you can verify anything that is claimed
to be not matching the clean ( un-infected/un-modified ) copy

	tar zcvf /mnt/safeplace/root.clean.tgz /root /boot /lib /sbin /bin
		/etc ...
	tar zcvf /mnt/safeplace/var.clean.tgz /var
	tar zcvf /mnt/safeplace/usr.clean.tgz /usr

	where "/mnt/safeplace" is while the system is NOT
	accessible from the outside and you can write *.clean.tgz
	off onto cdrom BEFORE going live

	always double check everything against a cdrom ...
	BEFORE that system went live. ... then there'd be no
	doubt .. you can rebuild from cdrom, apply the patches
	and updates and you should have the same as your current
	"suspect box" or different if it was modified

> > This can not be confirmed by aide
> > (cd-burned database, unsafe binary) or debsums (unsafe binary).

why not ??

aide should be able to tell you what matches and doesn't match its db ???

> > Am I hacked? What else can I do to investigate the situation further?

get the ports cleared up from nmap's view

fix tiger and aide db ...
	- keep your previous db on cdrom ...
c ya
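An added example of the "clean copy taken BEFORE going live" check discussed above; it is not from this thread or its author. Instead of tarballs burned to cdrom it records a sha256 manifest of a tree and later reports which files changed, vanished or appeared; the function names and the sample tree are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: take a clean baseline of file
# hashes BEFORE the box goes live, then check the live tree against it.
# Assumes GNU coreutils (find, sha256sum, sort) and paths without whitespace.

# make_baseline DIR MANIFEST: hash every regular file under DIR into MANIFEST.
# Paths are relative to DIR so the manifest can live on read-only media.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k2 > "$2"
}

# verify_baseline DIR MANIFEST: print one line per CHANGED, MISSING or NEW
# file; return 0 if the tree still matches the manifest, 1 otherwise.
verify_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    report=$(awk '
        NR == FNR { old[$2] = $1; next }            # first file: the manifest
        !($2 in old) { print "NEW      " $2; next }
        old[$2] != $1 { print "CHANGED  " $2 }
        { seen[$2] = 1 }
        END { for (p in old) if (!(p in seen)) print "MISSING  " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# demo_tampered_tree: constructed sample tree (not a real system). Baseline it,
# then change one "binary", remove one and add one, and print the report.
demo_tampered_tree() {
    tree=$(mktemp -d); manifest=$(mktemp)
    mkdir -p "$tree/bin" "$tree/usr/bin"
    printf 'ping v1\n'  > "$tree/bin/ping"
    printf 'chage v1\n' > "$tree/usr/bin/chage"
    printf 'at v1\n'    > "$tree/usr/bin/at"
    make_baseline "$tree" "$manifest"           # the "clean" copy
    printf 'ping v2\n'  > "$tree/bin/ping"      # contents changed
    rm "$tree/usr/bin/at"                       # file gone
    printf 'extra\n'    > "$tree/usr/bin/extra" # file added
    verify_baseline "$tree" "$manifest" || true
    rm -rf "$tree" "$manifest"
}

demo_tampered_tree
```

Run the baseline step while the machine is still offline and keep the manifest somewhere the machine cannot rewrite; a report that names files you did not upgrade is what tiger or aide would be telling you, minus the doubt about their own database.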
