Old 09-12-2007   #1 (permalink)
Dapper Dan (Super Moderator)
strange root@(ip address) found

While doing the commands from this post, I found this within the output...
Code:
 root@72.9.233.132
A whois returns this...
Code:
OrgName:    Global Net Access, LLC 
OrgID:      GNAL-2
Address:    1100 White St SW
City:       Atlanta
StateProv:  GA
PostalCode: 30310
Country:    US

ReferralServer: rwhois://rwhois.gnax.net:4321

NetRange:   72.9.224.0 - 72.9.255.255 
CIDR:       72.9.224.0/19 
OriginAS:   AS3595,  AS16626
NetName:    GNAXNET
NetHandle:  NET-72-9-224-0-1
Parent:     NET-72-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
NameServer: NS1.GNAX.NET
NameServer: NS2.GNAX.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:    ********************************************
Comment:    Reassignment information for this block is
Comment:    available at rwhois.gnax.net port 4321
Comment:    ********************************************
RegDate:    2004-10-11
Updated:    2007-06-01

RAbuseHandle: ABUSE745-ARIN
RAbuseName:   GNAX ABUSE 
RAbusePhone:  +1-404-230-9150
RAbuseEmail:  abuse@gnax.net 

RNOCHandle: ENGIN7-ARIN
RNOCName:   GNAX ENGINEERING 
RNOCPhone:  +1-404-230-9150
RNOCEmail:  engineering@gnax.net 

RTechHandle: ENGIN7-ARIN
RTechName:   GNAX ENGINEERING 
RTechPhone:  +1-404-230-9150
RTechEmail:  engineering@gnax.net 

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName:   GNAX ABUSE 
OrgAbusePhone:  +1-404-230-9150
OrgAbuseEmail:  abuse@gnax.net

OrgNOCHandle: ENGIN7-ARIN
OrgNOCName:   GNAX ENGINEERING 
OrgNOCPhone:  +1-404-230-9150
OrgNOCEmail:  engineering@gnax.net

OrgTechHandle: ENGIN7-ARIN
OrgTechName:   GNAX ENGINEERING 
OrgTechPhone:  +1-404-230-9150
OrgTechEmail:  engineering@gnax.net

# ARIN WHOIS database, last updated 2007-09-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Found a referral to rwhois.gnax.net:4321.

%rwhois V-1.5:003fff:00 rwhois.gnax.net (by Network Solutions, Inc. V-1.5.7.3)
network:Class-Name:network
network:ID:108.72.9.224.0/19
network:Auth-Area:72.9.224.0/19
network:Network-Name:RackWan
network:IP-Network:72.9.233.128/26
network:Organization;I:RackWan
network:Tech-Contact;I:soporte@rackwan.com
network:Admin-Contact;I:sebastian@rackwan.com
network:Created:20041213
network:Updated:20060417
network:Updated-By:engineering@gnax.net
I ran rkhunter and it didn't return anything out of the ordinary. When I checked my router, all ports are closed and nmap revealed that only port 80 was open.

I ssh'd root@72.9.233.132 and it asked for a password. I have no idea who this is. Why would this be on my Ubuntu box as a command? Any ideas about this? Any thoughts or help appreciated.
Last edited by Dapper Dan; 09-12-2007 at 01:33 PM.
Old 09-12-2007   #2 (permalink)
RobinVossen (Linux Engineer)
Check the logs
Check SElinux?
Don't use Ubuntu (my opinion)
Old 09-12-2007   #3 (permalink)
anomie (Linux Guru)
Are you saying the entry
root@72.9.233.132
shows up in your user's bash history?

It's strange because that is not a command. Even so, it is a little ominous. Maybe review the history more carefully to make sure you have the full entry. (Just pipe the whole thing to less and search for that.)

rkhunter is pretty good because it checks (for supported OSes) md5 sums for a long list of binaries. It also checks for rootkit signatures and some other things like new groups and accounts on the system. When was the last time you ran it before the most recent run? For an extra sanity check you can also run chkrootkit. (I'd also add that it is possible for any binary - including your rootkit checker - to become compromised.)

Do you have any services that are listening on external, web-facing interfaces? Use netstat -ltun to double-check.

More possibilities once we know the answer to that question.
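Two of the checks anomie suggests, written out as an added shell example (this is not code from the thread or from any of its posters). The first function prints history lines that consist only of a user@IPv4 token, which is exactly the kind of entry that is not a command; the second filters netstat -ltun output down to the sockets bound to every interface, which answers the "external, web-facing" question. The history lines and the netstat rows are constructed samples modelled on the output posted above, and the ~/.bash_history path in the comments is an assumption about where the history lives.

```shell
#!/bin/sh
# Added example, not from the thread. All sample input below is constructed.

# Print history lines (with line numbers) that consist only of a user@IPv4
# token. Such a line is not a command, which is what makes the
# root@72.9.233.132 entry in the thread look odd.
# Usage on a live box (assumed path): bare_user_at_host < ~/.bash_history
bare_user_at_host() {
    grep -En '^[[:space:]]*[A-Za-z0-9_.-]+@([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]*$'
}

# From "netstat -ltun" output, keep only listening sockets bound to every
# interface (0.0.0.0 or ::). Loopback-only binds (127.0.0.1, ::1) and
# single-address binds are dropped, since those are not reachable from the
# outside. Output format: "<proto> <local address>".
# Usage on a live box: netstat -ltun | external_listeners
external_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /^(0\.0\.0\.0|::):[0-9]+$/ { print $1, $4 }'
}

# --- constructed sample data (not captured from any real machine) ---
sample_history='ls -la
ssh root@example.invalid
root@72.9.233.132
apt-get update'

# Modelled on the Ubuntu netstat -ltun listing posted later in the thread.
sample_netstat='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*'

echo "History lines that are a bare user@IP, not a command:"
printf '%s\n' "$sample_history" | bare_user_at_host
echo "Listening sockets bound to all interfaces:"
printf '%s\n' "$sample_netstat" | external_listeners
```

On the sample data the first function reports only line 3 (the bare root@72.9.233.132 entry) and not the "ssh root@..." line, and the second keeps tcp6 :::22 plus the two 0.0.0.0 UDP sockets while dropping the loopback CUPS socket. One point worth knowing about the :::22 row: on Linux an IPv6 socket bound to :: also accepts IPv4 connections unless the net.ipv6.bindv6only sysctl is set to 1, so by default that line means sshd is listening on both IPv4 and IPv6.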
Old 09-12-2007   #4 (permalink)
Dapper Dan (Super Moderator)
Hi fellows and thanks for the insight and help. RobinVossen, I checked over the logs and didn't see anything suspicious. anomie, I felt the same way. Why is this listed as a command?? Here is the output of netstat -ltun...

For Ubuntu...
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
...and the same box under Slackware 12...
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:52635           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:512             0.0.0.0:*
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:37              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
udp        0      0 192.168.1.101:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:766             0.0.0.0:*
udp6       0      0 fe80::219:d1ff:fe41:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
Old 09-12-2007   #5 (permalink)
anomie (Linux Guru)
Since the command appeared in your Ubuntu installation I'll focus on that. These are the listening sockets to look at for now:
Code:
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
First, I don't have a Linux box in front of me at the moment, so I am not exactly sure how to interpret the first column of the first line. It may mean both ipv4 and ipv6 are enabled for listening tcp port 22, or it may just mean ipv6 is enabled for tcp port 22. (Either way it could be an issue.)

A couple more questions:
1. Are you running a firewall?
2. If so, are connections allowed from the outside world to tcp port 22?
3. Are any of the following enabled in sshd_config: PasswordAuthentication, Challenge-Response Authentication, UsePAM ?

It might be a good idea to check /var/log/secure (at least that's the naming CentOS uses) for ssh connections and connection attempts over the past few weeks. If your system is running logwatch this automatically reports ssh connections to you. (You may need to check root's mail.)

As for the two udp sockets, some quick notes:

udp 32768 summarized here. I am not familiar with Filenet TMS. Maybe it is something one of your apps requires.

udp 5353 summarized here. Sounds like iTunes or similar application using multicast DNS.
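The follow-up checks anomie asks for in this post (which sshd_config authentication options are on, and what the SSH log shows), as an added shell example that is not code from the thread or its posters. The first function prints the effective value of PasswordAuthentication, ChallengeResponseAuthentication and UsePAM, plus PermitRootLogin, which the post does not mention but is the natural companion check given that the odd history entry names root. The second summarises sshd "Accepted"/"Failed" lines from a syslog-style auth log per user and source address. The config excerpt and the log lines are constructed samples (source addresses use the 203.0.113.0/24 documentation range); the real files would be /etc/ssh/sshd_config and, on Ubuntu, /var/log/auth.log rather than CentOS's /var/log/secure.

```shell
#!/bin/sh
# Added example, not from the thread. The sshd_config excerpt and log lines
# below are constructed samples. Real inputs: /etc/ssh/sshd_config and, on
# Ubuntu, /var/log/auth.log (anomie's /var/log/secure is the CentOS name).

# Print the effective value of the authentication keywords asked about above
# (PermitRootLogin is added here because the history entry names root).
# sshd honours the first occurrence of a keyword; commented lines are
# ignored, so a "#PasswordAuthentication no" line does not count.
# Usage: sshd_auth_settings < /etc/ssh/sshd_config
sshd_auth_settings() {
    awk 'tolower($1) ~ /^(passwordauthentication|challengeresponseauthentication|usepam|permitrootlogin)$/ &&
         !seen[tolower($1)]++ { print $1, $2 }'
}

# Summarise sshd Accepted/Failed lines from a syslog-style auth log as
# "<outcome> <user> <source IP> <count>", sorted, so repeated failures from
# one address and any accepted root login from outside stand out.
# Usage: ssh_login_summary < /var/log/auth.log
ssh_login_summary() {
    awk '/sshd\[[0-9]+\]: (Accepted|Failed) / {
            outcome = $6
            user = ""; ip = ""
            for (i = 7; i <= NF; i++) {
                if ($i == "for" && user == "") {
                    user = $(i + 1)
                    # "Failed password for invalid user NAME from ..." wording
                    if (user == "invalid") user = $(i + 3)
                }
                if ($i == "from") ip = $(i + 1)
            }
            count[outcome " " user " " ip]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# --- constructed sample data (not captured from any real machine) ---
sample_config='Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin yes'

sample_log='Sep 12 01:02:03 box sshd[1234]: Failed password for root from 203.0.113.5 port 41234 ssh2
Sep 12 01:02:05 box sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41235 ssh2
Sep 12 01:02:09 box sshd[1234]: Failed password for root from 203.0.113.5 port 41236 ssh2
Sep 12 01:05:00 box sshd[1300]: Accepted publickey for dan from 192.168.1.50 port 50001 ssh2
Sep 12 01:06:10 box sshd[1310]: Accepted password for root from 203.0.113.5 port 41300 ssh2'

echo "Effective sshd authentication settings:"
printf '%s\n' "$sample_config" | sshd_auth_settings
echo "SSH login attempts by outcome, user and source:"
printf '%s\n' "$sample_log" | ssh_login_summary
```

On the sample config the first function reports PasswordAuthentication yes (the commented "no" line is skipped), ChallengeResponseAuthentication no, UsePAM yes and PermitRootLogin yes; the combination of password authentication and root login both enabled on a port reachable from the outside is what the questions in the post are probing for. The log summary groups the three failures for root and the one for the invalid user admin under the same source address, and shows the accepted password login for root from that same address, which is the line that would deserve attention. The config parser does not interpret Match blocks, so a setting overridden inside one would need a manual look.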
Old 09-12-2007   #6 (permalink)
RobinVossen (Linux Engineer)
Well, I think I can't help you now..
Since I can't *touch* the terminal.
I might be able to look into it, but then you would need to trust me by giving me an SSH account :/ (Guess you won't do that, since neither would I.)

Well, umm, what command did you use to show that "root@72.9.233.132"?
Since if it was the search function I gave there, you or some program uses that all the time :/