Re: Hacked - is it my turn? - interesting
hi ya Johannes
if you ( a debian box?? ) have been hacked .. other hosts are equally
susceptable .. finding out what is going on is important
On Sun, 1 Feb 2004, Eric Nelson wrote:
> Yep, it definately looks like you're hacked with those ports open unless
hummm... i'm not as sure .. so i'd like to pose a few questions
> you've installed something that uses them. I'd look into those hidden
> processes also but I know there's a problem with procfs or something
> that causes some hidden pid's 2-5 or something.
> check out http://www.soohrt.org/stuff/linux/suckit/ if in doubt.
> Johannes Graumann wrote:
> > Hello,
> > As of this morning two of my machines - which are regularly contacted
> > trough ssh from each other - showed this message upon 'chkrootkit':
> >>Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
> >>Checking 'lkm'... You have 4 processes hidden for ps command
i'd ignore the chkrootkit flagging lkm ... known problem ??
i'd ignore the misleading bindshell problem on those ports
> > 'nmap' to those ports gives me:
> >>PORT STATE SERVICE
> >>1524/tcp filtered ingreslock
> >>31337/tcp filtered Elite
turn off those ports ... kill ingress and whatever uses elite
and keep poking around with nmap till it doesn show those
this should tell you which binary is running on that port
lsof -V -i :1524
this is your homework to keep fiddling till nmap doesnt
report ports you cannot answer as what app is running on it
> > 'tiger' also reports - while performing signature check of system
> > binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
> > and /usr/bin/inetd don not match.
what precisely doesnt match ???
- time stamps ?? size of the files ??
- if the binaries ( size of the files ) doesn't match,
was there an upgrade from "apt-get update ; apt-get update .. "
( ps-util package and other basic packages, i forgot which ones
( that contains those binaries, looks like a couple 2-3 packages
is the tiger db up to date
did you make a binary copy of all of your important files BEFORE
teh system go online so you can verify anything that is claimed
to be not matching the clean ( un-infected/un-modified ) copy
tar zcvf /mnt/safeplace/root.clean.tgz /root /boot /lib /sbin /bin
tar zcvf /mnt/safeplace/var.clean.tgz /var
tar zcvf /mnt/safeplace/usr.clean.tgz /usr
where "/mnt/safeplace" is while the system is NOT
accessible from the outside and you can write *.clean.tgz
off onto cdrom BEFORE going live
always double check everything against a cdrom ...
BEFORE that system went live. ... than there'd be no
doubt .. you can rebuild from cdrom, apply the patches
and updates and you should have the same as your current
"suspect box" or different if it was modified
> > This can not be confirmed by aide
> > (cd-burned database, unsafe binary) or debsums (unsafe binary).
why not ??
aide should be able to tell you what matches and doesnt match its db ???
> > Am I hacked? What else can I do to investigate the situation further?
get the ports cleared up from nmap's view
fix tiger and aide db ...
- keep your previous db on cdrom ...