Help! I think I've got a rootkit.

Hi,
I'm running Ubuntu Dapper behind a D-Link DI-604 broadband router. iftop and tcpdump are reporting connections to 172.21.*.* IP addresses, which Wikipedia and whois tell me are on a private network. But my LAN is 192.168.*.*. I can't get netstat or lsof to report anything about them, e.g.:

    sudo lsof -i -n -r 1 | grep 172
    sudo netstat -ntuapc | grep 172

don't give anything.

    sudo tcpdump -XX -vv -l net 172.21.0.0 mask 255.255.0.0

gives e.g.:

"""
00:55:21.052339 IP (tos 0x0, ttl 241, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 172.21.13.12.11019 > 192.168.0.149.37370: R, cksum 0x362a (correct), 3372710218:3372710218(0) win 0
        0x0000:  0013 20aa 8c7f 000d 88af d7d9 0800 4500  ..............E.
        0x0010:  0028 0000 4000 f106 0f71 ac15 0d0c c0a8  .(..@....q......
        0x0020:  0095 2b0b 91fa c907 794a 0000 0000 5004  ..+.....yJ....P.
        0x0030:  0000 362a 0000 0000 0000 0000            ..6*........
00:55:36.087562 IP (tos 0x0, ttl 241, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 172.21.14.12.11019 > 192.168.0.149.37371: R, cksum 0x7a34 (correct), 3381801908:3381801908(0) win 0
        0x0000:  0013 20aa 8c7f 000d 88af d7d9 0800 4500  ..............E.
        0x0010:  0028 0000 4000 f106 0e71 ac15 0e0c c0a8  .(..@....q......
        0x0020:  0095 2b0b 91fb c992 33b4 0000 0000 5004  ..+.....3.....P.
        0x0030:  0000 7a34 0000 0000 0000 0000            ..z4........
"""

I've done some basic things to check for a rootkit:

- Downloaded debs to get md5sum and netstat binaries and checked them against the installed versions.
- Downloaded chkrootkit and compiled it. As far as I can tell it didn't report anything dodgy apart from some dot files in /usr/lib etc., which seem to be benign.
- I tried looking in /proc/net/{udp,tcp} as discussed here: http://lists4.opensuse.org/opensuse/1999-06/msg01069.html. If my convoluted hex conversion scripts are to be believed, there was no mention of any 172* IP addresses there.

If you can't trust /proc, what can you trust? How can I find out what's going on here? And how can I fix it?!
I would be very grateful for any advice.

cheers
Harry

ps here's my script in case anyone's interested:

#!/bin/bash
# Decode /proc/net/{udp,tcp}: the kernel prints each IPv4 address as a
# little-endian hex word and the port as big-endian hex, so swap the four
# address bytes before handing them to printf.
sed '/local_address/d' /proc/net/{udp,tcp} | while read -r i
do
    # Field 2 is local_address, field 3 is rem_address; decode both so a
    # remote 172.* peer shows up as well as the local side.
    for col in 2 3; do
        echo "$i" | awk -v c="$col" '{print $c}' \
          | sed 's/://;s/\(..\)\(..\)\(..\)\(..\)\(....\)/0x\4 0x\3 0x\2 0x\1 0x\5/' \
          | xargs /usr/bin/printf '%d.%d.%d.%d:%d\t'
    done
    # Field 10 is the socket inode, which is already decimal (no 0x prefix).
    echo "$i" | awk '{print $10}' | xargs /usr/bin/printf '%d\n'
done

_______________________________________________
Scottish mailing list
Scottish@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/scottish
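A cleaner decoder for /proc/net/{tcp,udp}, added here as an example and not Harry's script: it decodes both the local and remote columns (the kernel writes the IPv4 address in host byte order, so it assumes a little-endian x86 box like the one above), names the socket state, filters on a remote prefix such as 172.21., and maps a socket inode back to the PID holding it via /proc/*/fd, which is the same lookup netstat -p performs. The sample lines are constructed to match the 192.168.0.149:37370 to 172.21.13.12:11019 pair in the dump, not taken from Harry's machine.

```python
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE",
              "08": "CLOSE_WAIT", "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

def decode_addr(field):
    """'9500A8C0:91FA' -> ('192.168.0.149', 37370).  The address is a 32-bit hex
    word in host byte order (little-endian host assumed); the port is plain hex."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net(text):
    """Parse the text of /proc/net/tcp or /proc/net/udp into a list of dicts."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[1] == "local_address":
            continue  # header row or truncated line
        entries.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                        "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return entries

def sockets_to_prefix(entries, prefix):
    """Entries whose remote address starts with prefix, e.g. '172.21.'."""
    return [e for e in entries if e["remote"][0].startswith(prefix)]

def pids_for_inode(inode):
    """Which PIDs hold the socket: scan /proc/*/fd for a 'socket:[inode]' link."""
    target, owners = "socket:[%d]" % inode, set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    owners.add(int(pid))
        except OSError:
            continue  # process exited, or its fd table is not readable by us
    return owners

# Constructed sample in the real /proc/net/tcp layout: a listener on 127.0.0.1:22
# plus a SYN_SENT socket from 192.168.0.149:37370 to 172.21.13.12:11019.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8839 1 0 100 0 0 10 0
   1: 9500A8C0:91FA 0C0D15AC:2B0B 02 00000001:00000000 01:00000012 00000001  1000        0 54321 1 0 100 0 0 10 -1
"""
```

Run parse_proc_net over the real file contents, then pids_for_inode on any hit; if a kernel-level rootkit is filtering what /proc reports, this parser sees the same filtered view, so compare its output against a capture taken on the router or another host.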