
Re: Hacked - is it my turn?



On Tue, 3 Feb 2004 09:55:04 +1300 (NZDT)
"TiM" <tim@muppetz.com> wrote:

> 
> > Hello,
> >
> > As of this morning two of my machines - which are regularly
> > contacted through ssh from each other - showed this message upon
> > 'chkrootkit':
> >> Checking 'bindshell'... INFECTED [PORTS:  1524 31337]
> >> Checking 'lkm'... You have 4 processes hidden for ps command
> > The latter happened to me before and I had gotten info on how this
> > check doesn't work from this newsgroup ... but the former never
> > showed up before.
> >
> > 'nmap' to those ports gives me:
> >> PORT      STATE    SERVICE
> >> 1524/tcp  filtered ingreslock
> >> 31337/tcp filtered Elite
> >
> > Checksecurity reports this:
> >
> >> Security Violations for su
> >> =-=-=-=-=-=-=-=-=-=-=-=-=-
> >> Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody
> >
> > 'tiger' also reports - while performing signature check of system
> > binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at,
> > /usr/bin/write and /usr/bin/inetd do not match. This cannot be
> > confirmed by aide (cd-burned database, unsafe binary) or debsums
> > (unsafe binary).
> >
> > Am I hacked? What else can I do to investigate the situation
> > further?
> 
> Yes, I'm afraid you are.  Hard to say at this time exactly how you
> were hacked, but it doesn't look good I'm afraid!  What kernel version
> are you running? Was it patched against the two recent local root
> exploits?

I'm running a Debian 2.4.24-1-k7 stock kernel on the testing/unstable
system and 2.4.18-1-k7 stock kernel on the affected stable system.

I don't know what exploits you are referring to and whether the Debian
team took care of them.

Joh
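The 'lkm' check quoted above works by comparing the PIDs visible in /proc with the PIDs that ps reports, and its well-known false positive is a short-lived process that exits between the two listings. The script below is an added example, not part of this thread or of chkrootkit: it repeats the comparison and only reports PIDs that stay hidden across every round. The SAMPLE_* sets and the `sampler` hook are constructed for offline use; on a live Linux box it reads /proc and runs `ps -e -o pid=`.

```python
import os
import subprocess
import time

# Constructed sample data standing in for a /proc listing and ps output.
# PID 31337 is present in /proc but missing from ps, the pattern that
# chkrootkit reports as "processes hidden for ps command".
SAMPLE_PROC_PIDS = {1, 2, 742, 16863, 31337}
SAMPLE_PS_PIDS = {1, 2, 742, 16863}


def proc_pids():
    """PIDs visible by listing /proc directly (numeric directory names)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs as reported by ps, whose view a kernel-level rootkit may filter."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_view, ps_view, own_pids=()):
    """PIDs seen in /proc that ps did not list, minus this script itself."""
    return set(proc_view) - set(ps_view) - set(own_pids)


def stable_hidden_pids(rounds=3, delay=0.5, sampler=None):
    """Run the comparison several times and keep only PIDs hidden in every
    round, so processes that simply exited between the two listings (the
    usual false positive of this check) are dropped."""
    sampler = sampler or (lambda: (proc_pids(), ps_pids()))
    result = None
    for _ in range(rounds):
        proc_view, ps_view = sampler()
        found = hidden_pids(proc_view, ps_view, own_pids={os.getpid()})
        result = found if result is None else result & found
        if delay:
            time.sleep(delay)
    return result


if __name__ == "__main__":
    # Live check on the host this runs on; an empty set means nothing hidden.
    print("consistently hidden PIDs:", sorted(stable_hidden_pids()))
```

A non-empty result is a lead, not proof: cross-check the PIDs from a known-clean boot medium, since a compromised kernel can lie to /proc readers as well as to ps.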