
am I hacked?



Hi

For a few days now I see in the logs of my firewall (debian/stable)
entries about someone trying to connect to my SSH server with several
users (root, test, mysql, etc.) without success. Today I saw an entry
which alarmed me:
Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version identification
'GNUTELLA CONNECT/0.6' from 192.168.0.5

192.168.0.5 is my desktop (debian unstable). This entry repeats itself
every 12 minutes more or less for about 2 hours (I stopped mldonkey after
I got this message and it seems to have stopped).

Running chkrootkit (0.43) I got this surprise (the short version):
parker:~/src/rkhunter# chkrootkit  lkm
ROOTDIR is `/'
Checking `lkm'... You have    36 process hidden for readdir command
You have    36 process hidden for ps command
Warning: Possible LKM Trojan installed

So I ran:
parker:~/src/rkhunter# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID  1825: not in readdir output
PID  1825: not in ps output
CWD  1825: /var/lib/mysql
EXE  1825: /usr/sbin/mysqld
PID  1826: not in readdir output
PID  1826: not in ps output
CWD  1826: /var/lib/mysql
EXE  1826: /usr/sbin/mysqld
PID 11144: not in readdir output
PID 11144: not in ps output
CWD 11144: /etc/openvpn
EXE 11144: /usr/sbin/openvpn
PID 18569: not in readdir output
PID 18569: not in ps output
CWD 18569: /home/haim
EXE 18569: /usr/bin/nautilus
PID 18572: not in readdir output
PID 18572: not in ps output
CWD 18572: /home/haim
EXE 18572: /usr/lib/gnome-vfs2/gnome-vfs-daemon
PID 18603: not in readdir output
PID 18603: not in ps output
CWD 18603: /home/haim
EXE 18603: /usr/bin/nautilus
PID 18604: not in readdir output
PID 18604: not in ps output
CWD 18604: /home/haim
EXE 18604: /usr/bin/nautilus
PID 18605: not in readdir output
PID 18605: not in ps output
CWD 18605: /home/haim
EXE 18605: /usr/bin/nautilus
PID 18606: not in readdir output
PID 18606: not in ps output
CWD 18606: /home/haim
EXE 18606: /usr/bin/nautilus
PID 18607: not in readdir output
PID 18607: not in ps output
CWD 18607: /home/haim
EXE 18607: /usr/bin/nautilus
PID 18829: not in readdir output
PID 18829: not in ps output
CWD 18829: /home/haim
EXE 18829: /usr/bin/gnome-terminal
PID 23289: not in readdir output
PID 23289: not in ps output
CWD 23289: /home/haim
EXE 23289: /usr/bin/pan
PID 23290: not in readdir output
PID 23290: not in ps output
CWD 23290: /home/haim
EXE 23290: /usr/bin/pan
PID 23291: not in readdir output
PID 23291: not in ps output
CWD 23291: /home/haim
EXE 23291: /usr/bin/pan
PID 23292: not in readdir output
PID 23292: not in ps output
CWD 23292: /home/haim
EXE 23292: /usr/bin/pan
PID 23293: not in readdir output
PID 23293: not in ps output
CWD 23293: /home/haim
EXE 23293: /usr/bin/pan
PID 23294: not in readdir output
PID 23294: not in ps output
CWD 23294: /home/haim
EXE 23294: /usr/bin/pan
PID 26524: not in readdir output
PID 26524: not in ps output
CWD 26524: /home/haim
EXE 26524: /usr/lib/epiphany/epiphany
PID 26525: not in readdir output
PID 26525: not in ps output
CWD 26525: /home/haim
EXE 26525: /usr/lib/epiphany/epiphany
PID 26939: not in readdir output
PID 26939: not in ps output
CWD 26939: /home/haim
EXE 26939: /usr/lib/epiphany/epiphany
PID 26940: not in readdir output
PID 26940: not in ps output
CWD 26940: /home/haim
EXE 26940: /usr/lib/epiphany/epiphany
PID 26941: not in readdir output
PID 26941: not in ps output
CWD 26941: /home/haim
EXE 26941: /usr/lib/epiphany/epiphany
PID 27761: not in readdir output
PID 27761: not in ps output
CWD 27761: /home/haim
EXE 27761: /usr/bin/evolution-1.4
PID 27762: not in readdir output
PID 27762: not in ps output
CWD 27762: /home/haim
EXE 27762: /usr/bin/evolution-1.4
PID 27763: not in readdir output
PID 27763: not in ps output
CWD 27763: /home/haim
EXE 27763: /usr/bin/evolution-1.4
PID 27764: not in readdir output
PID 27764: not in ps output
CWD 27764: /home/haim
EXE 27764: /usr/bin/evolution-1.4
PID 27765: not in readdir output
PID 27765: not in ps output
CWD 27765: /home/haim
EXE 27765: /usr/bin/evolution-1.4
PID 27766: not in readdir output
PID 27766: not in ps output
CWD 27766: /home/haim
EXE 27766: /usr/bin/evolution-1.4
PID 27767: not in readdir output
PID 27767: not in ps output
CWD 27767: /home/haim
EXE 27767: /usr/bin/evolution-1.4
PID 27768: not in readdir output
PID 27768: not in ps output
CWD 27768: /home/haim
EXE 27768: /usr/bin/evolution-1.4
PID 27769: not in readdir output
PID 27769: not in ps output
CWD 27769: /home/haim
EXE 27769: /usr/bin/evolution-1.4
PID 27770: not in readdir output
PID 27770: not in ps output
CWD 27770: /home/haim
EXE 27770: /usr/bin/evolution-1.4
PID 27771: not in readdir output
PID 27771: not in ps output
CWD 27771: /home/haim
EXE 27771: /usr/bin/evolution-1.4
PID 27772: not in readdir output
PID 27772: not in ps output
CWD 27772: /home/haim
EXE 27772: /usr/bin/evolution-1.4
PID 27773: not in readdir output
PID 27773: not in ps output
CWD 27773: /home/haim
EXE 27773: /usr/bin/evolution-1.4
PID 27779: not in readdir output
PID 27779: not in ps output
CWD 27779: /home/haim
EXE 27779: /usr/bin/evolution-1.4
You have    36 process hidden for readdir command
You have    36 process hidden for ps command

I downloaded and ran the latest version (0.44) and the output is OK. Also,
I downloaded and ran rkhunter and the output is also OK. If it weren't for
the logs on the server I would be relaxed, but it still bothers me. I have
direct access from the internet to my computer (through DNAT) for mldonkey
(which may explain the GNUTELLA?).

I run unstable (although I haven't updated it in 2 months) with kernel
2.6.5-1-686.

Any thoughts?

Bye
-- 
Haim
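The chkproc comparison behind the `lkm` test above, as an added example (not chkrootkit's own code): it probes /proc/<pid> directly, compares the result with readdir of /proc and with ps, and drops two benign causes of a mismatch that a bare comparison reports as "hidden": NPTL threads on 2.6 kernels (reachable as /proc/<tid> but not listed by readdir or ps) and processes that exited between the probes. The sample data is constructed; scan_live() runs the real check on a Linux host.

```python
"""Re-implementation of the chkproc idea: find pids that exist but are not listed."""
import os
import subprocess


def brute_force_pids(max_pid=32768):
    """Probe /proc/<n> for every candidate pid instead of trusting readdir."""
    return {n for n in range(1, max_pid + 1) if os.path.exists(f"/proc/{n}")}


def readdir_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def thread_group(pid):
    """Tgid from /proc/<pid>/status, or None if the entry vanished meanwhile."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(probed, listed, ps_seen, tgid_of):
    """Pure comparison over captured data; tgid_of maps pid -> Tgid or None.
    Only thread-group leaders (Tgid == pid) that still exist are reported:
    threads and already-exited pids are the usual false positives."""
    suspicious = {}
    for pid in sorted(probed):
        if tgid_of.get(pid) != pid:
            continue
        missing = [name for name, seen in (("readdir", listed), ("ps", ps_seen))
                   if pid not in seen]
        if missing:
            suspicious[pid] = missing
    return suspicious


def scan_live(max_pid=32768):
    probed = brute_force_pids(max_pid)
    return hidden_pids(probed, readdir_pids(), ps_pids(),
                       {p: thread_group(p) for p in probed})


# Constructed sample: 1800 is a visible mysqld, 1825/1826 are its threads,
# 4242 is a real process missing from both listings, 5000 exited mid-scan.
SAMPLE_PROBED = {1, 1800, 1825, 1826, 4242, 5000}
SAMPLE_LISTED = {1, 1800}
SAMPLE_PS = {1, 1800}
SAMPLE_TGID = {1: 1, 1800: 1800, 1825: 1800, 1826: 1800, 4242: 4242, 5000: None}
```

Anything scan_live() still reports after this filtering is worth a closer look with the rootkit checkers booted from known-good media, since on a compromised host ps and the kernel itself cannot be trusted to tell the truth.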