Re: am I hacked?

To: debian-security@lists.debian.org
Subject: Re: am I hacked?
From: Calvin Yeh <elpatoz@microntec.com.br>
Date: Sun, 31 Oct 2004 14:34:25 -0300
Message-id: <[🔎] 41852221.1040800@microntec.com.br>
In-reply-to: <[🔎] 20041031190645.3129b878.emilper@emilper.ro>
References: <[🔎] pan.2004.10.31.15.16.47.303190@babysnakes.org> <[🔎] 1099238352.4322.6.camel@spiritus.thuis.net> <[🔎] 20041031190645.3129b878.emilper@emilper.ro>

I've also received a lot of connection attempts, and it's almost certainthat these attempts were originated from a Brute Force Cracker Utility


See http://www.k-otik.com/exploits/08202004.brutessh2.c.php

Calvin

Emil Perhinschi wrote:

False alerts or rootkit?

I got a lot of similar (no root among users, but a lot of
"admin", "administrator" etc.) attempts to connect to my ssd(some from
the McGill University in Montreal ... they might have a compromised host
on the ip-s that belonged to the electrical engineering dep. in 1994..
if anyone is from there, let them know, because the contact they filed
in 1994 does not exit anymore and their lawyers don't seem to care).

the attempts continued even after I disabled sshd, and my firewall
reports communication (syn, ack ... I did not log outgoing traffic)
from a single foreing host (from Koreea) on my 22 port.

eth0 seems to be entering promiscuous mode from time to time,
without this being reported in logs.

chkrootkit 0.43 reports processes that can not be seen with ps and
also:
Warning: Possible LKM Trojan installed.

but rkhunter 1.1.8 found nothing.

I am running debian sarge, with kernel 2.6.7, with modules enabled.
I did run Gtk-Gnutella, but almos a month ago, and in the meantime I
did a clean install and now I do not have gtpk-gnuetlla
installed on the system, nor other p2p software.


thank you

Emil Per.

On Sun, 31 Oct 2004 16:59:12 +0100
Arthur de Jong <adejong@debian.org> wrote:

On Sun, 2004-10-31 at 17:16 +0200, Haim Ashkenazi wrote:

for a few days now I see in the logs of my firewall (debian/stable)
entries about someone trying to connect to my SSH server with
several users (root, test, mysql, etc..) without success. today I
saw an entry which alarmed me:
Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version
identification 'GNUTELLA CONNECT/0.6' from 192.168.0.5

This is probably what you would see if someone advertised a gnutella
host with ip 192.168.0.1 (or whatever your server's ip is) and port
22. Noting to worry about.

running chkrootkit (0.43) I got this surprise (the short version):
parker:~/src/rkhunter# chkrootkit  lkm
ROOTDIR is `/'
Checking `lkm'... You have    36 process hidden for readdir command
You have    36 process hidden for ps command
Warning: Possible LKM Trojan installed

chkrootkit is know to sometimes produce false positives but these
generally don't show up on repeated calls. There was a problem once
with an incompatible libc or somesuch that could explain this (maybe
see http://bugs.debian.org/chkrootkit).

--
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --

Reply to:

References:
- am I hacked?
  - From: Haim Ashkenazi <haim@babysnakes.org>
- Re: am I hacked?
  - From: Arthur de Jong <adejong@debian.org>
- Re: am I hacked?
  - From: Emil Perhinschi <emilper@emilper.ro>

Prev by Date: Re: am I hacked?
Previous by thread: Re: am I hacked?
Index(es):
- Date
- Thread