Re: chkrootkit infected ports 2881

[Adam Hardy <adam.ant@cyberspaceroad.com>]

Adam Hardy on 04/08/08 14:50, wrote:
> thveillon.debian on 04/08/08 13:48, wrote:
> > > > > Adam Hardy on 03/08/08 14:13, wrote:
> > [...snip]
> > > > > I talked to the support at the hosting company and they looked at the
> > > > > system and said they couldn't see anything wrong with it - but they
> > > > > can re-image it for me which normally costs a fee.
> > > > >
> > > > > Is it worth re-imaging my system and re-installing everything?
> > > > >
> > > > > I still have no idea what chkrootkit means when it says a port is
> > > > > infected.
> > > > >
> > > > >
> > > > > Adam
> >
> > Hi,
> > Chkrootkit is known to fall for quite a few false positive, for 
> > example if you run Portsentry or such anti-portscan demon, it also can 
> > detect legitimate services like dhcpd or such as sniffers, which isn't 
> > really incorrect but not a problem. I never heard of 2881 as being one 
> > of those, but maybe getting in touch with the dev team could give you 
> > an easy answer.
> > http://www.chkrootkit.org/
> >
> > Maybe the only way to know for sure would be scanning all traffic from 
> > another system regarding this port to see if anything suspicious can 
> > be spotted, and maybe running an integrity check with debsum or such 
> > on conf files, comparing the result with a backup from an earlier 
> > state or a known sane system.
> >
> > What would really be interesting is to spot the precise day when the 
> > warning first occurred from your system logs, and see if you can spot 
> > any change in configuration that could have triggered it (update ?). 
> > That is, if your system really is infected you cannot trust anything 
> > and especially not the logs...
>
>
> I got that message in the email from early Saturday morning's cronjob.
>
> I have been following instructions on
>
> http://www.cert.org/tech_tips/intruder_detection_checklist.html
>
> and I found that step 2 (look for setuid and setgid files) produces a 
> file list:
>
> root@hardyaa1:~# find / -xdev -user root -perm -4000 -print
> /bin/su
> /bin/mount
> /bin/umount
> /bin/ping
> /bin/ping6
> /sbin/unix_chkpwd
> /usr/bin/newgrp
> /usr/bin/chfn
> /usr/bin/chsh
> /usr/bin/gpasswd
> /usr/bin/passwd
> /usr/bin/X
> /usr/bin/sudo
> /usr/bin/gpg
> /usr/bin/sudoedit
> /usr/bin/netselect
> /usr/bin/traceroute.lbl
> /usr/lib/pt_chown
> /usr/lib/openssh/ssh-keysign
> /usr/lib/apache/suexec.disabled
> /usr/lib/libfakeroot-tcp.so
> /usr/lib/libfakeroot-sysv.so
>
> Again, I'm stumbling in the dark here. cert.org doesn't explain what 
> this list of files signifies, it just implies that I shouldn't see it.
>
> Also, I still have no idea what chkrootkit detected which made it decide 
> to send an INFECTED alert on that port.

More suspicious stuff has turned up in my investigations. The following is the 
nmap output when I run it from the suspect rooted system:

Not shown: 65529 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
443/tcp   open  https
3306/tcp  open  mysql
12121/tcp open  unknown


But when I run nmap from my home machine to scan it remotely, I see these extra 
ports are open:

Not shown: 65524 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    open     smtp
80/tcp    open     http
443/tcp   open     https
1720/tcp  filtered H.323/Q.931
3306/tcp  open     mysql
6666/tcp  filtered irc
6667/tcp  filtered irc
6668/tcp  filtered irc
6669/tcp  filtered irc
12121/tcp open     unknown

So I have 1720, 6666, 6667, 6668 and 6669 open and nmap is ignoring them. Isn't 
that conclusive evidence that nmap on the suspected machine is some hacker's 
version?