Re: chkrootkit infected ports 2881

To: thomas.preudhomme@celest.fr
Cc: debian-user@lists.debian.org
Subject: Re: chkrootkit infected ports 2881
From: Adam Hardy <adam.ant@cyberspaceroad.com>
Date: Mon, 04 Aug 2008 14:52:05 +0100
Message-id: <[🔎] 48970985.3070007@cyberspaceroad.com>
In-reply-to: <[🔎] 200808041439.57809.thomas.preudhomme@celest.fr>
References: <[🔎] 4895AF02.20701@cyberspaceroad.com> <[🔎] 200808041248.20098.thomas.preudhomme@celest.fr> <[🔎] 4896F242.8030602@cyberspaceroad.com> <[🔎] 200808041439.57809.thomas.preudhomme@celest.fr>

Thomas Preud'homme on 04/08/08 13:39, wrote:

Monday 04 August 2008, Adam Hardy wrote :

Thomas Preud'homme on 04/08/08 11:48, wrote:

Le lundi 4 août 2008, Adam Hardy a écrit :

Adam Hardy on 03/08/08 14:13, wrote:

My webserver system is actually a UML slice of a system at
memset.co.uk and all it does is run Apache Tomcat and sshd and
the stuff from memset - I thought it was pretty safe until I came
back today and found my nightly email report from chkrootkit
said:

The following suspicious files and directories were found:
/lib/init/rw/.ramfs

INFECTED (PORTS:  2881)

The .ramfs started appearing when I upgraded chkrootkit, so I
never worried about it, but Friday night's INFECTED alert was a
slap in the face with a wet fish. Saturday night's report went
back to normal - no mention of the port.

I scanned it from grc.com/x/portprobe and it came back as closed.

The only mention I can find in the logs is:

root@hardyaa1:~# grep 2881 /var/log/*
/var/log/setuid.today:
    2881   660   1 root       disk               0 Wed Apr 30
11:32:37 2008 /dev/rd/c1d30
r

and that's a PID, not a port, right?

So how bad does this look? Should I clean the system? If it is
rooted, how can I tell what the security flaw was? My password at
that point (since changed) was CE0dff2*£ so if it was a brute
force attack, then wow, they did well.

I talked to the support at the hosting company and they looked at
the system and said they couldn't see anything wrong with it - but
they can re-image it for me which normally costs a fee.

Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is
infected.


Adam

I don't think it's that important. chkrootkit seems a little
hazardous since there was a bug about chkrootkit killing a random
process (in fact one of its test was sending a signal to process
12345, this bug has been corrected).

I think a good anti-rootkit should be launched from another system
to be sure it's not deactivated by a smart rootkit.

Hopefully that is simpler than it sounds! What anti-rootkit are you
thinking of? I use chkrootkit and rkhunter.

Unfortunetely I haven't any reference but hoping a rootkit on yourcomputer being launched once a day will protect you is like hoping ananti-virus will protect you even if a smart virus infect your computerbetween 2 launch. It's better than nothing but I don't think it'ssufficient.

Yes, you are right, and I have been too slack to get around to changing it. I amlooking at installing tripwire (after a fresh install) to be able to check upwhat is going on after the fact.

Reply to:

Follow-Ups:
- Re: chkrootkit infected ports 2881
  - From: Paul Johnson <baloo@ursine.ca>

References:
- chkrootkit infected ports 2881
  - From: Adam Hardy <adam.ant@cyberspaceroad.com>
- Re: chkrootkit infected ports 2881
  - From: Thomas Preud'homme <thomas.preudhomme@celest.fr>
- Re: chkrootkit infected ports 2881
  - From: Adam Hardy <adam.ant@cyberspaceroad.com>
- Re: chkrootkit infected ports 2881
  - From: Thomas Preud'homme <thomas.preudhomme@celest.fr>

Prev by Date: Re: chkrootkit infected ports 2881
Next by Date: need sarge
Previous by thread: Re: chkrootkit infected ports 2881
Next by thread: Re: chkrootkit infected ports 2881
Index(es):
- Date
- Thread