[gentoo-user] Re: Rooted/compromised Gentoo, seeking advice [Solved?]
On Mon, Aug 9, 2010 at 11:25 AM, Paul Hartman paul.hartman+gen...@gmail.com wrote:
> Hi, today when working remotely I ran nethogs and noticed suspicious network traffic coming from my home gentoo box. It was very low traffic (less than 1KB/sec bandwidth usage) but according to nethogs it was between a root user process and various suspicious-looking ports on outside hosts in other countries that I have no business with. netstat didn't show anything, however, but when I ran chkrootkit it told me that netstat was INFECTED. I immediately issued shutdown -h now and now I won't be able to take a further look at it until I get home and have physical access to the box. System uptime was a few months. It was last updated for installation of a 2.6.33 kernel (2.6.35 is out now).

Well, so far everything I'm seeing points to a false alarm. :) It seems I may have overreacted due to my lack of understanding.

First, when I got home and inspected router settings I realized the strange activity I saw earlier was happening on a port I had opened for Vuze (the bittorrent client). Nethogs output was like this:

NetHogs version 0.7.0

  PID  USER  PROGRAM                      DEV  SENT   RECEIVED
  0    root  ..7423-213.138.94.110:49971       0.032  0.038 KB/sec
  0    root  ..7423-72.191.172.228:54861       0.000  0.000 KB/sec
  0    root  ..00:17423-82.52.3.94:57635       0.000  0.000 KB/sec
  0    root  unknown TCP                       0.000  0.000 KB/sec
  TOTAL                                        0.032  0.038 KB/sec

Based on my Googling tonight, it seems this may simply be how it displays incoming connection attempts. I found a post on the Ubuntu Launchpad site that is basically asking the same question:

https://answers.launchpad.net/ubuntu/+source/nethogs/+question/113880

I changed my designated port setting in Vuze, opened that port on my firewall, and then waited a few minutes and sure enough this same kind of mystery traffic started to appear on that port. So it would seem to be innocent bittorrent traffic. Egg on my face.
Second, the problem of chkrootkit telling me find and netstat were INFECTED, in big scary upper-case letters. The files appear to be genuine, I checked and double-checked and they appear to be legitimate. I re-emerged them and the files match and still fail the test.

After looking into how chkrootkit does its tests, it's simply grepping the strings from the file. I have debugging info compiled into everything on my system and perhaps that means the files are quite a bit more chatty than usual when it comes to strings. The damning strings that caused it to give me an INFECTED warning? (using the pattern from chkrootkit's test)

/usr/bin/find: sharefile.h
/bin/netstat: sockaddr.h

To further test this false-positive theory, I stripped those two binaries of debugging data and now they do not appear as INFECTED by the test. If anyone else wants to compile net-tools or findutils with debugging data and nostrip and then run chkrootkit to see what results you get on these files, that would be quite helpful in confirming this.

I then tried rkhunter. It gave me numerous warnings, but after checking the log for details they all appear to be harmless (for example, it warns that /usr/bin/ldd is a script, not a binary... as far as I can tell, that is how it's supposed to be).

Next I ran app-forensics/lynis, which is a more general system settings audit. Everything looked normal there, too.

I've audited all of my logs, bash history, etc. and everything looks fine. The logs are complete. I use metalog so I've got duplicate log data in most cases, split up into different files and directories, and they all match.

I've checked the other computers/devices in the house and don't see any signs of any funny business. The router settings and activity all look normal as well. I already had a non-default password, telnet disabled, external admin interface disabled, web interface disabled, etc. and the firmware is the latest version, supposedly not vulnerable to the milw0rm attack, so I think it is as secure as can be expected.

I've checked all servers/online services that allow me to view my login history and I don't see any unusual activity.

At this point I feel pretty good that my box was not compromised and it was only ignorance and panic on my part. To play it safe, I'm going to leave it disconnected for tonight and do some monitoring tomorrow with wireshark just to be absolutely sure there's nothing going on. Wish me luck! :)

I am grateful to everyone for their ideas and suggestions, and I'm definitely going to change my sudoers privileges and more importantly my habits and assumptions. The grace period that William alluded to (timestamp_timeout is what Google tells me) may help to relieve a bit of the pain of having to type my password so often.

Thanks,
Paul
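The false positive Paul describes above comes from a plain substring match: a debug build of find carries the source file name "sharefile.h" in its DWARF string table, and a grep over the whole file cannot tell that apart from a trojaned binary. The script below is an added example written for this thread, not chkrootkit's code and not Paul's: it performs the same kind of string-signature scan, but uses a small stdlib-only ELF64 section header parser to report which section each hit lives in, so a hit confined to sections that `strip` removes (.debug_*, .symtab, .strtab, .comment) is reported separately from a hit in .text or .rodata. The signature list (the two strings from the thread) is illustrative, and the "binaries" it scans are tiny synthetic ELF images constructed in memory so the whole thing runs offline; the strip_debug helper reproduces the experiment in the thread (strip the debug data, rescan).

```python
"""Added example: chkrootkit-style string scan that attributes each hit to
its ELF section. Stdlib only; runs on synthetic ELF64 images built below."""
import struct

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SEC_HDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
SHT_PROGBITS, SHT_STRTAB = 1, 3

# The two strings the thread says chkrootkit matched in find and netstat.
# Illustrative list only; chkrootkit's real signature table is not reproduced.
SIGNATURES = [b"sharefile.h", b"sockaddr.h"]

# Sections removed by `strip`; a hit only here is what a -g, nostrip build produces.
STRIP_SECTIONS = (".debug", ".symtab", ".strtab", ".comment")


def build_elf(sections):
    """Construct a minimal ELF64 image from {name: bytes}: header, section
    bodies, .shstrtab, then the section header table. Synthetic test data."""
    names = list(sections) + [".shstrtab"]
    shstrtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    bodies = list(sections.values()) + [shstrtab]
    headers = [SEC_HDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]  # index 0: SHT_NULL
    name_off, blob = 1, b""
    for n, body in zip(names, bodies):
        sh_type = SHT_STRTAB if n in (".shstrtab", ".strtab", ".debug_str") else SHT_PROGBITS
        headers.append(SEC_HDR.pack(name_off, sh_type, 0, 0,
                                    ELF_HDR.size + len(blob), len(body), 0, 0, 1, 0))
        name_off += len(n) + 1
        blob += body
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian, v1
    ehdr = ELF_HDR.pack(ident, 2, 62, 1, 0, 0, ELF_HDR.size + len(blob), 0,
                        ELF_HDR.size, 0, 0, SEC_HDR.size, len(headers), len(headers) - 1)
    return ehdr + blob + b"".join(headers)


def elf_sections(data):
    """Return [(name, file_offset, size)] from the section header table."""
    f = ELF_HDR.unpack_from(data, 0)
    ident, shoff, shentsize, shnum, shstrndx = f[0], f[6], f[11], f[12], f[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    raw = [SEC_HDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    str_off = raw[shstrndx][4]  # sh_offset of .shstrtab

    def name_at(idx):
        end = data.index(b"\0", str_off + idx)
        return data[str_off + idx:end].decode()

    return [(name_at(h[0]), h[4], h[5]) for h in raw[1:]]  # skip SHT_NULL


def section_for(sections, offset):
    for name, off, size in sections:
        if off <= offset < off + size:
            return name
    return None  # inside a header or padding, not a section body


def scan(data, signatures=SIGNATURES):
    """Every signature occurrence, tagged with the section that contains it."""
    sections = elf_sections(data)
    hits = []
    for sig in signatures:
        pos = data.find(sig)
        while pos != -1:
            sec = section_for(sections, pos)
            hits.append({"signature": sig.decode(), "offset": pos, "section": sec,
                         "debug_only": sec is not None and sec.startswith(STRIP_SECTIONS)})
            pos = data.find(sig, pos + 1)
    return hits


def verdict(data, signatures=SIGNATURES):
    """A plain substring scan says INFECTED for any hit; here hits confined
    to strip-able sections get their own verdict so they can be checked
    against the package manager instead of being treated as a rootkit."""
    hits = scan(data, signatures)
    if not hits:
        return "clean"
    if all(h["debug_only"] for h in hits):
        return "debug-strings-only"
    return "INFECTED"


def strip_debug(data):
    """Rebuild the image without strip-able sections (what `strip` did in the thread)."""
    keep = {name: data[off:off + size] for name, off, size in elf_sections(data)
            if name != ".shstrtab" and not name.startswith(STRIP_SECTIONS)}
    return build_elf(keep)


# Constructed samples: a "debug build" with sharefile.h only in .debug_str,
# and an image carrying a signature string in .rodata.
DEBUG_BUILD = build_elf({".text": b"\x90" * 16, ".rodata": b"usage: find\0",
                         ".debug_str": b"sharefile.h\0find.c\0"})
RODATA_HIT = build_elf({".text": b"\x90" * 16, ".rodata": b"sockaddr.h\0"})

if __name__ == "__main__":
    for label, img in (("debug build", DEBUG_BUILD),
                       ("after strip", strip_debug(DEBUG_BUILD)),
                       ("rodata hit", RODATA_HIT)):
        print(f"{label:12} {verdict(img):20} {scan(img)}")
```

Attributing a hit to its section is a triage aid, not proof of anything on its own: a hit in .debug_str on a machine built with debugging symbols is exactly what this thread saw, but the authoritative check is still comparing the file against what the package manager installed (re-emerging and comparing, as Paul did) from a trusted environment.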
Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice [Solved?]
On Tue, 10 Aug 2010 01:10:37 -0500, Paul Hartman wrote:

> Second, the problem of chkrootkit telling me find and netstat were INFECTED, in big scary upper-case letters. The files appear to be genuine,

chkrootkit hasn't been updated in over a year, a bit scary for a malware scanner.

> I then tried rkhunter. It gave me numerous warnings, but after checking the log for details they all appear to be harmless (for example, it warns that /usr/bin/ldd is a script, not a binary... as far as I can tell, that is how it's supposed to be)

You can tweak the rkhunter config to skip specific tests on specific files (or patterns) to avoid these false positives.

--
Neil Bothwick

Top Oxymorons Number 3: Working vacation
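As an added illustration of the tweak Neil mentions (not from the thread itself): rkhunter's configuration file accepts a SCRIPTWHITELIST directive that tells the "script instead of binary" test to accept a named file. The path below is the one from Paul's warning; the file location /etc/rkhunter.conf is the usual one but may differ per installation.

```ini
# /etc/rkhunter.conf (excerpt, added example)
# Tell the "is this a script rather than a binary" check that /usr/bin/ldd
# is expected to be a shell script. Only whitelist a file after you have
# confirmed it matches what the package manager installed.
SCRIPTWHITELIST=/usr/bin/ldd
```

After re-emerging a package or changing such a setting, rerun `rkhunter --propupd` so its stored file properties reflect the known-good files, then `rkhunter --check` again; a whitelist entry silences the warning, it does not verify the file.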
Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
> Another idea to help with your forensics would be to bring a netstat and lsof binary over to your machine and run them to see which actors are running and trying to get out. That could help you detect what is running on that machine and google your way from there.

If your kernel has been subverted then userland is irrelevant, a kit can simply hook the system calls those binaries use and return whatever it wants you to know.

--
Kyle
[gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
On 08/09/10 12:25, Paul Hartman wrote:
> []
> If anyone has advice on what I should look at forensically to determine the cause of this, it is appreciated. I'll first dig into the logs, bash history etc. and really hope that this very happened recently. Thanks for any tips and wish me good luck. :)

AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus signatures; you might scan your box with that. It has an on-access, realtime monitor option as well, which I use to monitor anything downloaded and/or compiled on my box (in case the distribution screen gets hacked).

http://www.free-av.com/en/download/download_servers.php

Presuming you're rooted, you might first try their stand-alone, linux live-disk scanner so as to avoid borked kernel and/or core utilities:

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
On Mon, Aug 9, 2010 at 1:59 PM, 7v5w7go9ub0o 7v5w7go9u...@gmail.com wrote:
> On 08/09/10 12:25, Paul Hartman wrote:
>> []
>> If anyone has advice on what I should look at forensically to determine the cause of this, it is appreciated. I'll first dig into the logs, bash history etc. and really hope that this very happened recently. Thanks for any tips and wish me good luck. :)
>
> AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus signatures; you might scan your box with that. It has an on-access, realtime monitor option as well, which I use to monitor anything downloaded and/or compiled on my box (in case the distribution screen gets hacked).
>
> http://www.free-av.com/en/download/download_servers.php
>
> Presuming you're rooted, you might first try their stand-alone, linux live-disk scanner so as to avoid borked kernel and/or core utilities:
>
> http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Was not aware of that one, I'll give it a try. Thanks.
Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
On Monday 09 August 2010 19:59:11 7v5w7go9ub0o wrote:
> On 08/09/10 12:25, Paul Hartman wrote:
>> []
>> If anyone has advice on what I should look at forensically to determine the cause of this, it is appreciated. I'll first dig into the logs, bash history etc. and really hope that this very happened recently. Thanks for any tips and wish me good luck. :)
>
> AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus signatures; you might scan your box with that. It has an on-access, realtime monitor option as well, which I use to monitor anything downloaded and/or compiled on my box (in case the distribution screen gets hacked).
>
> http://www.free-av.com/en/download/download_servers.php
>
> Presuming you're rooted, you might first try their stand-alone, linux live-disk scanner so as to avoid borked kernel and/or core utilities:
>
> http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Another idea to help with your forensics would be to bring a netstat and lsof binary over to your machine and run them to see which actors are running and trying to get out. That could help you detect what is running on that machine and google your way from there.

You could also run rkhunter.

--
Regards,
Mick