Re: chkrootkit - possible bad news`

2004-10-15 Thread Rolf Kutz
* Quoting Bas ([EMAIL PROTECTED]):

> If you do not run Portsentry you have a problem..

I disagree.

There could be another process listening on that port.

- Rolf


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: chkrootkit - possible bad news`

2004-10-15 Thread Bas

I presume you run Portsentry on the same machine. If you do, then the
bindshell INFECTED is nothing to worry about. It's normal behavior if you
run Portsentry and chkrootkit on the same machine.

If you do not run Portsentry you have a problem..

Bas





Re: chkrootkit - possible bad news`

2004-02-24 Thread Jim Richardson

On Tue, 24 Feb 2004 14:32:26 +0100,
 Greg <[EMAIL PROTECTED]> wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)
>
> I am not sure how to interpret this.  I have checked logs, as well as binary
> checks and everything "seems" fine.  Can someone help me interpret the logs.
> I will attach them at the tail of the email in case they may be helpful.
>
>
> I don't know what my next step would be.  If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.


Are you running portsentry? If you are, shut it off, and rerun
chkrootkit.

If not, nmap the box from outside and see if there is something
listening on those ports. If there is, but netstat shows nothing there,
then you've probably been cracked, and you know what to do.



-- 
Jim Richardson http://www.eskimo.com/~warlock
Life imitates art, but does it have to imitate satire?






Re: chkrootkit - possible bad news`

2004-02-24 Thread Neil McGovern
On Tue, Feb 24, 2004 at 10:37:44AM -0500, Noah Meyerhans wrote:
> On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
> > 
> > Looks like there are a lot of false positives on it.
> > 
> 
> It looks like there are a lot of false positives with chkrootkit in
> general.  Seriously, has anybody here ever had chkrootkit detect an
> actual rootkit? [...snip...]
> 

Well, I've had it confirm suspicions that a rootkit was installed, but
no correct automated detection. I'm considering killing the crontab
entry, because it's getting too annoying having to verify that the
entries it produces are false.

Neil
-- 
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li 8DEC67C5




Re: chkrootkit - possible bad news`

2004-02-24 Thread Martin G.H. Minkler

Alohá!

Noah Meyerhans wrote:

> On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
>
>> Looks like there are a lot of false positives on it.
>>
>
>
> It looks like there are a lot of false positives with chkrootkit in
> general.  Seriously, has anybody here ever had chkrootkit detect an
> actual rootkit?  [...]


Had about half a dozen public machines with old SuSe 6.4 default 
installations half-way in my area of responsibility that were 
'uprooted'. Diagnosing them with chkrootkit when they started creating 
unusual network traffic let me make for a reinstall pretty quickly.


A friend's small dyndns server was hacked within two weeks after 
installation. Maybe chkrootkit is not that needed for 'big' server 
installations with somebody keeping an eye full-time on security-related 
stuff and fs monitors reporting every change that might be suspicious to 
well-kept logs, but for lazy admins that weigh the cost of keeping 
things tight and secure higher than an occasional reinstallation (don't 
count me in there) chkrootkit is a welcome diagnosis tool.


IMHO the biggest problem creating false positives are hidden processes 
that are actually supposed to be there for whatever conceptual reasons.


best regards

Martin






Re: chkrootkit - possible bad news`

2004-02-24 Thread Noah Meyerhans
On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
> 
> Looks like there are a lot of false positives on it.
> 

It looks like there are a lot of false positives with chkrootkit in
general.  Seriously, has anybody here ever had chkrootkit detect an
actual rootkit?  Questions about its output have become relatively
common on this list in the past few months, and I honestly don't
remember any that didn't turn out to be false positives.

noah



pgpsDe9NDZC6c.pgp
Description: PGP signature






Re: chkrootkit - possible bad news`

2004-02-24 Thread Gytis
31337 - are you running portsentry on that machine?

Quote from the www.chkrootkit.org site:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself
to unused ports probably chkrootkit will give you a false positive on
the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp,
1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp,
27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp,
47889/tcp, 60001/tcp).


- Original Message - 
From: "Greg" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, February 24, 2004 8:53 AM
Subject: chkrootkit - possible bad news`


> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)
>
> I am not sure how to interpret this.  I have checked logs, as well as
> binary checks and everything "seems" fine.  Can someone help me interpret
> the logs. I will attach them at the tail of the email in case they may be
> helpful.
>
>
> I don't know what my next step would be.  If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.
>
> Thanks in advance.
>
> Greg MEATPLOW



Re: chkrootkit - possible bad news`

2004-02-24 Thread Igor L. Balusov

Maybe you have installed "fakebo"?


Billy



Re: chkrootkit - possible bad news`

2004-02-24 Thread Sneferu


You might not be hacked after all.
Read this: http://www.webhostgear.com/25.html

Also some googling might help ;-)

http://www.google.ro/search?q=%27bindshell%27...+INFECTED+%28PORTS%3A++1524+31337&ie=UTF-8&oe=UTF-8&hl=ro&btnG=Caut%C4%83&meta=

Looks like there are a lot of false positives on it.

Still, you should do a tripwire (or any other file checking) test if you 
have a previous record to match against. Nmap should give you a good idea 
about opened ports. Logs?


Probably there are some other things you can do...but this is what crosses 
my mind now.


Regards,
S

At 08:53 AM 2/24/2004, Greg wrote:


I am running Debian on a Dec Alpha PC164.

I decided to run chkrootkit and was surprised by the following line.

Checking `bindshell'... INFECTED (PORTS:  1524 31337)

I am not sure how to interpret this.  I have checked logs, as well as binary
checks and everything "seems" fine.  Can someone help me interpret the logs.
I will attach them at the tail of the email in case they may be helpful.


I don't know what my next step would be.  If indeed I have been 'rooted'
then I should obviously format and rebuild the server.

Thanks in advance.

Greg MEATPLOW




Re: chkrootkit - possible bad news`

2004-02-24 Thread Ricardo Kustner
On Tuesday 24 February 2004 07:53, Greg wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)

Try an nmap port scan from the outside to your IP address. If those ports are 
open but netstat doesn't show them as LISTENING, chances are your netstat is 
modified to hide the connections.
You may also want to run chkrootkit when booted into single-user mode.

Regards,

Ricardo.

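The triage the thread converges on (Gytis: check whether portsentry owns the flagged ports; Jim and Ricardo: scan from outside and compare with what netstat shows) as an added Python script, not code from the thread or from chkrootkit. It parses the exact INFECTED line Greg posted, a constructed `netstat -tlnp` excerpt in which portsentry holds 1524 and 31337, and a constructed external scan result; the decoy-program names come from the FAQ quote and from Igor's fakebo suggestion.

```python
"""Triage a chkrootkit `bindshell' INFECTED result against the local socket
table and an external port scan.  Added example, not part of the thread or of
chkrootkit itself; all inputs below are constructed sample data."""
import re

# Ports the chkrootkit FAQ (quoted by Gytis in the thread) lists for the
# bindshell test.
BINDSHELL_PORTS = {114, 465, 511, 1008, 1524, 1999, 3879, 5665, 10008, 12321,
                   23132, 27374, 29364, 31336, 31337, 45454, 47017, 47889, 60001}

# Programs that deliberately bind unused ports and so trip the test:
# PortSentry and klaxon from the FAQ quote, fakebo from Igor's reply.
DECOY_LISTENERS = {"portsentry", "klaxon", "fakebo"}

# The line Greg pasted.
CHKROOTKIT_LINE = "Checking `bindshell'... INFECTED (PORTS:  1524 31337)"

# Constructed `netstat -tlnp` excerpt: portsentry holds both flagged ports.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      601/sendmail
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      530/portsentry
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      530/portsentry
"""

# Constructed result of an nmap scan run from another host: it also sees
# 27374 open, which the local netstat above does not show.
EXTERNAL_OPEN = {22, 1524, 27374, 31337}

INFECTED_RE = re.compile(r"Checking `bindshell'\.\.\. INFECTED \(PORTS:\s*([\d\s]+)\)")
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN(?:\s+(\S+))?")


def parse_bindshell_line(line):
    """Ports chkrootkit flagged on its bindshell line; empty set if not INFECTED."""
    m = INFECTED_RE.search(line)
    return {int(p) for p in m.group(1).split()} if m else set()


def parse_netstat(text):
    """Map each LISTENing TCP port to its program name from `netstat -tlnp`.
    The PID/Program column is '-' (or absent) when netstat runs unprivileged."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        pidprog = m.group(2) or "-"
        prog = pidprog.split("/", 1)[1] if "/" in pidprog else "unknown"
        listeners[int(m.group(1))] = prog
    return listeners


def hidden_listeners(local_listeners, external_open):
    """Ports an outside scan sees open that the local socket table does not list.
    This is the netstat-may-be-trojaned case Jim and Ricardo describe."""
    return set(external_open) - set(local_listeners)


def triage(flagged, local_listeners, external_open):
    """Return {port: (verdict, detail)} for every port chkrootkit flagged."""
    verdicts = {}
    for port in sorted(flagged):
        prog = local_listeners.get(port)
        if prog is not None and prog.lower() in DECOY_LISTENERS:
            verdicts[port] = ("expected", f"{prog} binds this port; known false positive")
        elif prog is not None:
            verdicts[port] = ("inspect", f"local process '{prog}' is listening; confirm it is legitimate")
        elif port in external_open:
            verdicts[port] = ("hidden", "open from outside but absent from netstat; treat as compromised")
        else:
            verdicts[port] = ("unexplained", "no listener visible now; rerun from single-user mode")
    return verdicts


def report(chkrootkit_line, netstat_text, external_open):
    """Full triage as a list of human-readable lines."""
    flagged = parse_bindshell_line(chkrootkit_line)
    local = parse_netstat(netstat_text)
    lines = [f"port {p:>5}: {v} ({d})" for p, (v, d) in triage(flagged, local, external_open).items()]
    for p in sorted(hidden_listeners(local, external_open)):
        tag = "in chkrootkit's bindshell list" if p in BINDSHELL_PORTS else "not in bindshell list"
        lines.append(f"port {p:>5}: hidden (open externally, not in netstat; {tag})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(CHKROOTKIT_LINE, NETSTAT_SAMPLE, EXTERNAL_OPEN)))
```

On the constructed data the two flagged ports resolve to portsentry, and the report's third line is the externally visible 27374 that netstat does not list, which is the case the thread says to treat as a real compromise.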

chkrootkit - possible bad news`

2004-02-24 Thread Greg
I am running Debian on a Dec Alpha PC164.

I decided to run chkrootkit and was surprised by the following line.

Checking `bindshell'... INFECTED (PORTS:  1524 31337)

I am not sure how to interpret this.  I have checked logs, as well as binary
checks and everything "seems" fine.  Can someone help me interpret the logs.
I will attach them at the tail of the email in case they may be helpful.


I don't know what my next step would be.  If indeed I have been 'rooted'
then I should obviously format and rebuild the server.

Thanks in advance.

Greg MEATPLOW

#
 #chkrootkit

alpha:~# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `killall'... not found
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'...
/dev/st- /dev/sto
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing
found
Searching for suspicious files and dirs, it may take a while... nothing
found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  1524 31337)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...   eth0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'...
nothing deleted



Re: chkrootkit - possible bad news`

2004-02-23 Thread Gytis
31337 - are your runing portsentry on that machine ?

Quote from the www.chkrootkit.org site:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself
to unused ports probably chkrootkit will give you a false positive on
the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp,
1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp,
27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp,
47889/tcp, 60001/tcp).


- Original Message - 
From: "Greg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 8:53 AM
Subject: chkrootkit - possible bad news`


> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)
>
> I am not sure how no interpret this.  I have checked logs, as well as
binary
> checks and everything "seems" fine.  Can someone help me interpret the
logs.
> I will attach them at the tail of the email in case the may be helpful.
>
>
> I don't know what my next step would be.  If in deed I have been 'rooted'
> then I should obviously format and rebuild the server.
>
> Thanks in advance.
>
> Greg MEATPLOW
>
> #
>  #chkrootkit
>
> alpha:~# chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not found
> Checking `basename'... not infected
> Checking `biff'... not found
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not found
> Checking `gpm'... not found
> Checking `grep'... not infected
> Checking `hdparm'... not found
> Checking `su'... not infected
> Checking `ifconfig'... not infected
> Checking `inetd'... not infected
> Checking `inetdconf'... not infected
> Checking `identd'... not found
> Checking `killall'... not found
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... not infected
> Checking `lsof'... not found
> Checking `mail'... not infected
> Checking `mingetty'... not found
> Checking `netstat'... not infected
> Checking `named'... not infected
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... not infected
> Checking `pstree'... not found
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not found
> Checking `rshd'... not found
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `top'... not infected
> Checking `telnetd'... not found
> Checking `timed'... not found
> Checking `traceroute'... not infected
> Checking `write'... not infected
> Checking `aliens'...
> /dev/st- /dev/sto
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... nothing found
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing
> found
> Searching for suspicious files and dirs, it may take a while... nothing
> found
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)
> Checking `lkm'... nothing detected
> Checking `rexedcs'... not found
> Checking `sniffer'...   eth0 is not promisc
> Checking `wted'... nothing deleted
> Checking `z2'...
> nothing deleted
>
>
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
>


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: chkrootkit - possible bad news`

2004-02-23 Thread Igor L. Balusov

May be you have installed "fakebo"?


Billy


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: chkrootkit - possible bad news`

2004-02-23 Thread Sneferu
You might not be hacked after all.
Read this: http://www.webhostgear.com/25.html
Also some googling might help ;-)

http://www.google.ro/search?q=%27bindshell%27...+INFECTED+%28PORTS%3A++1524+31337&ie=UTF-8&oe=UTF-8&hl=ro&btnG=Caut%C4%83&meta=

Looks like there are a lot of false positives on it.

Still, you should do a tripwire (or any other file checking) test if you 
have a previous record to match against. Nmap should give you a good idea 
about open ports. Logs?

Probably there are some other things you can do...but this is what crosses 
my mind now.

Regards,
S
At 08:53 AM 2/24/2004, Greg wrote:

I am running Debian on a Dec Alpha PC164.

I decided to run chkrootkit and was surprised by the following line.

Checking `bindshell'... INFECTED (PORTS:  1524 31337)


Re: chkrootkit - possible bad news`

2004-02-23 Thread Ricardo Kustner
On Tuesday 24 February 2004 07:53, Greg wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)

Try an nmap port scan from the outside against your IP address. If those ports are 
open but netstat doesn't show them as LISTENING, chances are your netstat has been 
modified to hide the connections.
You may also want to run chkrootkit when booted into single-user mode.

Regards,

Ricardo.

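Ricardo's and Sneferu's replies come down to the same check: scan the host from outside and compare the result with what the host's own netstat reports. The block below is an added example, not code from the thread or from chkrootkit; it runs that comparison over constructed `nmap -oG` and `netstat -tln` output for the ports in Greg's report (the 192.0.2.10 address is a placeholder).

```python
import re

# Constructed sample of `nmap -oG -` (grepable) output for the host, as seen
# from a scanner outside it.  The open ports mirror Greg's chkrootkit report.
NMAP_GREPABLE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, "
    "1524/open/tcp//ingreslock///, 31337/open/tcp//Elite///"
    "\tIgnored State: closed (65531 ports)"
)

# Constructed sample of `netstat -tln` run on the host itself.  Port 31337 is
# deliberately absent to show what a netstat that hides a listener looks like.
NETSTAT_TLN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
"""


def nmap_open_tcp_ports(grepable):
    """TCP ports that nmap grepable output marks as open."""
    return {int(port) for port in re.findall(r"(\d+)/open/tcp", grepable)}


def netstat_listen_tcp_ports(netstat):
    """Local TCP ports that `netstat -tln` shows in LISTEN state (tcp and tcp6)."""
    ports = set()
    for line in netstat.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            # Local Address is host:port; rsplit copes with IPv6 forms such as :::22.
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def compare_views(grepable, netstat):
    """Split the ports open from outside into those the host itself lists
    (visible) and those it does not (hidden).  A non-empty hidden set is the
    case Ricardo describes: the outside sees a listener that netstat omits."""
    outside = nmap_open_tcp_ports(grepable)
    inside = netstat_listen_tcp_ports(netstat)
    return outside & inside, outside - inside


if __name__ == "__main__":
    visible, hidden = compare_views(NMAP_GREPABLE, NETSTAT_TLN)
    print("open from outside and listed by netstat:", sorted(visible))
    print("open from outside but NOT listed by netstat:", sorted(hidden))
```

A port that is open from outside and listed locally (1524 here) is the portsentry-style benign case the thread mentions; a port open from outside that netstat does not list (31337 here) is the one that warrants the single-user-mode re-check and a file-integrity comparison.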



chkrootkit - possible bad news`

2004-02-23 Thread Greg
I am running Debian on a Dec Alpha PC164.

I decided to run chkrootkit and was surprised by the following line.

Checking `bindshell'... INFECTED (PORTS:  1524 31337)

I am not sure how to interpret this.  I have checked logs, as well as binary
checks, and everything "seems" fine.  Can someone help me interpret the logs?
I will attach them at the tail of the email in case they may be helpful.


I don't know what my next step would be.  If indeed I have been 'rooted'
then I should obviously format and rebuild the server.

Thanks in advance.

Greg MEATPLOW

#
 #chkrootkit

alpha:~# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `killall'... not found
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'...
/dev/st- /dev/sto
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing
found
Searching for suspicious files and dirs, it may take a while... nothing
found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  1524 31337)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...   eth0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'...
nothing deleted

