
Re: am I hacked?



False alerts or rootkit?

I got a lot of similar (no root among users, but a lot of
"admin", "administrator" etc.) attempts to connect to my sshd (some from
the McGill University in Montreal ... they might have a compromised host
on the IPs that belonged to the electrical engineering dep. in 1994..
if anyone is from there, let them know, because the contact they filed
in 1994 does not exist anymore and their lawyers don't seem to care).

the attempts continued even after I disabled sshd, and my firewall
reports communication (syn, ack ... I did not log outgoing traffic)
from a single foreign host (from Korea) on my port 22.

eth0 seems to be entering promiscuous mode from time to time,
without this being reported in logs.

chkrootkit 0.43 reports processes that cannot be seen with ps and
also:
Warning: Possible LKM Trojan installed.

but rkhunter 1.1.8 found nothing.

I am running debian sarge, with kernel 2.6.7, with modules enabled.
I did run Gtk-Gnutella, but almost a month ago, and in the meantime I
did a clean install and now I do not have gtk-gnutella
installed on the system, nor other p2p software.


thank you

Emil Per.

On Sun, 31 Oct 2004 16:59:12 +0100
Arthur de Jong <adejong@debian.org> wrote:

> On Sun, 2004-10-31 at 17:16 +0200, Haim Ashkenazi wrote:
> > for a few days now I see in the logs of my firewall (debian/stable)
> > entries about someone trying to connect to my SSH server with
> > several users (root, test, mysql, etc..) without success. today I
> > saw an entry which alarmed me:
> > Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version
> > identification 'GNUTELLA CONNECT/0.6' from 192.168.0.5
> 
> This is probably what you would see if someone advertised a gnutella
> host with ip 192.168.0.1 (or whatever your server's ip is) and port
> 22. Nothing to worry about.
> 
> > running chkrootkit (0.43) I got this surprise (the short version):
> > parker:~/src/rkhunter# chkrootkit  lkm
> > ROOTDIR is `/'
> > Checking `lkm'... You have    36 process hidden for readdir command
> > You have    36 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> 
> chkrootkit is known to sometimes produce false positives but these
> generally don't show up on repeated calls. There was a problem once
> with an incompatible libc or somesuch that could explain this (maybe
> see http://bugs.debian.org/chkrootkit).
> 
> -- 
> -- arthur - adejong@debian.org - http://people.debian.org/~adejong --
> 
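As an added example (not from this thread and not chkrootkit's own code), the script below reproduces the idea behind chkrootkit's `lkm` test: it collects the PIDs that kill(pid, 0) says exist and compares them with what readdir(/proc) and ps show, then repeats the comparison so that processes which exited between snapshots (the usual cause of the transient "N process hidden" warning Arthur refers to) drop out. It assumes Linux with a readable /proc; the pid_max fallback of 32768 is an assumption for kernels where /proc/sys/kernel/pid_max cannot be read.

```python
"""Cross-check process visibility: kill(pid, 0) vs. readdir(/proc) vs. ps.
Added example mirroring chkrootkit's `lkm` check, not chkrootkit itself.
Only PIDs hidden in *every* round are reported, which filters out
short-lived processes that merely exited between the three snapshots."""
import os
import subprocess
from typing import Iterable, Set


def pid_max(default: int = 32768) -> int:
    """Upper bound for the probe; 32768 is an assumed fallback value."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return default


def pids_from_readdir() -> Set[int]:
    """PIDs that the /proc directory listing exposes."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_kill_probe(upper: int) -> Set[int]:
    """PIDs that exist according to kill(pid, 0); EPERM still means 'exists'."""
    found = set()
    for pid in range(1, upper + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def parse_ps_pids(ps_output: str) -> Set[int]:
    """Extract PIDs from `ps -e -o pid=` output (one PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_ps() -> Set[int]:
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def hidden_in_round(probed: Set[int], listed: Set[int], ps: Set[int]) -> Set[int]:
    """PIDs the kernel confirms but at least one userland view omits."""
    return (probed - listed) | (probed - ps)


def consistently_hidden(rounds: Iterable[Set[int]]) -> Set[int]:
    """Intersection over rounds: a PID must be hidden every time to count."""
    result = None
    for r in rounds:
        result = set(r) if result is None else result & r
    return result or set()


def live_check(rounds: int = 3) -> Set[int]:
    """Run the comparison `rounds` times on this host and report survivors."""
    upper = pid_max()
    snaps = [hidden_in_round(pids_from_kill_probe(upper), pids_from_readdir(),
                             pids_from_ps()) for _ in range(rounds)]
    return consistently_hidden(snaps)
```

A non-empty result from live_check() on repeated runs is worth investigating from a known-clean boot medium; an empty one after a single noisy run is the transient case the thread describes.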