Well,

    I have now compiled and run chkrootkit and I need help interpreting the
output. The thing I don't understand is the suspicious files output. I would be
grateful if someone smarter than I would take a quick look at the output and tell
me if you think I was hacked. Everything is working OK, but that's what concerns
me. My internet connection setup is a cable setup that goes through a Linksys
Cable/DSL Router and the only ports forwarded are 22, 25, 80, 110, 143, 1723 &
10000. All others are closed. I thought I was fairly secure. Here is what
chkrootkit said:

[root@Nemesis chkrootkit-0.38]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not infected
Checking `traceroute'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/qt2/tools/designer/designer/.obj
/usr/lib/qt2/tools/designer/designer/.tmp
/usr/lib/qt2/tools/designer/util/.tmp
/usr/lib/libDrakX/auto/Newt/.exists /usr/lib/libDrakX/auto/c/stuff/.exists
/usr/lib/libDrakX/auto/resize_fat/c_rewritten/.exists
/lib/modules/2.2.19-4.1mdk/.rhkmvtag
/usr/lib/qt2/tools/designer/designer/.obj
/usr/lib/qt2/tools/designer/designer/.tmp
/usr/lib/qt2/tools/designer/util/.tmp
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...
nothing deleted
[root@Nemesis chkrootkit-0.38]#

What do you think?


Lorne wrote:

> I'm sure you have downloaded the chkroot kit by now, but it sure looks to me
> like your system is compromised! It looks like he has managed to replace some
> files with modified ones and your system caught the permissions. I'm overly
> paranoid, but I'd sure rebuild the box. Do NOT take the chance. It isn't
> worth it. I highly recommend snort. I want to do tripwire but haven't had the
> time.
>
> On Thursday 26 December 2002 12:20 pm, David Rankin wrote:
> > Guys & Gals,
> >
> >     I need help. Something went whacko with eth0 and with my system just
> > before my nightly cron job ran and I got a lot of weird messages in my
> > log files. I don't know if this was a successful hack or if it was just
> > a normal response from the system after eth0 went bonkers. The log
> > entries are as follows:
> >
> > Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
> > Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status
> > e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce,
> > resetting...
> > Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD (
> > /usr/share/msec/security.sh)
> > Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD (   /sbin/rmmod -as)
> > Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
> > Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
> > Dec 26 04:00:15 Nemesis :
> > Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files
> > found :
> > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
> > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
> > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
> > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
> > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
> > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
> > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
> > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
> > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
> > Dec 26 04:00:15 Nemesis :
> > Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files
> > found :
> > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
> > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
> > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
> > Dec 26 04:00:15 Nemesis :
> > Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable
> > Files found :
> > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
> > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
> > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
> > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix
> > Dec 26 04:00:15 Nemesis : - Removed writables files :
> > /tmp/.font-unix/fs-1
> > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
> >
> > Dec 26 04:00:15 Nemesis :
> >
> > I understand that the eth0 PNIC2 error is from my tulip driver, but I
> > haven't seen this error in the 2 years this box has been running. I have
> > never seen the kernel smb errors.
> >
> > What concerns me is the Change in Suid Root files found. I haven't
> > changed a thing on this LM 7.2 box for a long time. This is the first
> > time I have seen this Security Warning and I am concerned I may have
> > been hacked. Has anyone else seen something like this? Does it look like
> > a hack? Where can I get a good check root kit package?
> >
> > Any help will be greatly appreciated.
>
>   ------------------------------------------------------------------------
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com

--
David C. Rankin, J.D., P.E.
RANKIN * BERTIN, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
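The "Security Warning: Change in Suid Root files found" lines quoted above come from a baseline comparison: the nightly job records which files carry the setuid-root bit and reports anything that appeared or disappeared since the previous run. The script below is an added example that does the same kind of check; it is not part of this thread and not Mandrake's msec code. The function names, the JSON baseline format and the `owner_uid` parameter are my own choices, and the sample baseline is constructed from the nine paths in the quoted log.

```python
"""
msec-style privileged-file baseline check (added example, not msec's own code).

The check records every regular file carrying the setuid bit (owned by root)
or the setgid bit, stores that list as the baseline, and on the next run
reports paths that were added, removed, or changed flags.
"""
import json
import os
import stat


def scan_privileged(root, owner_uid=0):
    """Walk `root` and return {path: "suid" | "sgid" | "suid+sgid"} for regular
    files that carry the setuid bit (and are owned by `owner_uid`) or the
    setgid bit. `owner_uid` defaults to 0 so that "suid" means "suid root"."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = []
            if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                flags.append("suid")
            if st.st_mode & stat.S_ISGID:
                flags.append("sgid")
            if flags:
                found[path] = "+".join(flags)
    return found


def diff_privileged(baseline, current):
    """Compare two scan results. Returns (added, removed, changed) path lists."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return added, removed, changed


def format_report(added, removed, changed):
    """Render the diff in the same shape as the msec log lines quoted above."""
    if not (added or removed or changed):
        return ["No change in suid/sgid files."]
    lines = ["Security Warning: Change in Suid/Sgid files found :"]
    lines += [f" - Added suid/sgid files : {p}" for p in added]
    lines += [f" - Removed suid/sgid files : {p}" for p in removed]
    lines += [f" - Changed suid/sgid files : {p}" for p in changed]
    return lines


def load_baseline(path):
    """Read a baseline written by save_baseline(); empty dict if none yet."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def save_baseline(path, result):
    with open(path, "w") as fh:
        json.dump(result, fh, indent=1, sort_keys=True)


# Constructed sample reproducing the quoted log: the previous run recorded
# nine suid-root binaries, and on this run none of them carry the bit any
# more, so every one is reported as "Removed".
SAMPLE_BASELINE = {p: "suid" for p in (
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount", "/sbin/dump",
    "/sbin/linuxconf", "/sbin/pwdb_chkpwd", "/sbin/restore", "/sbin/unix_chkpwd",
)}
SAMPLE_CURRENT = {}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Real use: python3 suidcheck.py /path/to/baseline.json /
        baseline_file, root = sys.argv[1], sys.argv[2]
        current = scan_privileged(root)
        report = format_report(*diff_privileged(load_baseline(baseline_file), current))
        save_baseline(baseline_file, current)
    else:
        report = format_report(*diff_privileged(SAMPLE_BASELINE, SAMPLE_CURRENT))
    print("\n".join(report))
```

Two design points matter when running something like this for real: the baseline must be kept somewhere the box itself cannot quietly rewrite (read-only media or another host), because a check that trusts a baseline stored on the possibly compromised machine only tells you what changed since the intruder last touched it; and a "Removed" entry for a binary such as /bin/su is easy to confirm by hand with `ls -l /bin/su`, since without the setuid bit su cannot work for an ordinary user.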
