06-09-2005 #1 (Linux Newbie, joined Dec 2004, 105 posts)
hacked!
I ran chkrootkit and got this:
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... /proc/11167/fd: No such file or directory
/proc/12463/fd: No such file or directory
I ran rkhunter and got this:
Code:
Info: prelinked files found
Performing 'known good' check...
/usr/bin/find [ OK ]
/usr/bin/file [ OK ]
/usr/bin/kill [ BAD ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ BAD ]
/usr/bin/watch [ BAD ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/bin/mount [ BAD ]
/bin/netstat [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/env [ OK ]
/bin/ls [ OK ]
/bin/su [ OK ]
/bin/ps [ BAD ]
/bin/dmesg [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/modinfo [ OK ]
/sbin/sysctl [ BAD ]
/sbin/syslogd [ OK ]
/sbin/init [ OK ]
/sbin/runlevel [ OK ]
Checking /dev for suspicious files... [ Warning! (unusual files found) ]
MD5
MD5 compared: 40
Incorrect MD5 checksums: 9
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 2

How can I resolve this? I'll do anything but an OS reload.
I got the following specs:
Fedora Core 2
APF Firewall / BFD
cPanel 10.2x
PHP 4.3.11
Apache 1.33x
Some security measures:
APF
BFD
Bind masked
Apache masked
LES
mod security
mod dosevasive
Sysctl.conf hardened
Exim Dictionary Attack ACL
Thank you for your help
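The chkrootkit `lkm` lines above come from comparing three views of the process table: the `/proc` directory listing, the output of `ps`, and a direct probe of every `/proc/<pid>` path. The script below is an added illustration of that comparison (not chkrootkit's own code and not from the poster); it assumes a procps-style `ps -e -o pid=` and a readable `/proc/sys/kernel/pid_max`. Where rkhunter already flags `/bin/ps` as BAD, the `ps` view is itself untrustworthy, so this only means something when run from a trusted boot medium.

```python
import os
import subprocess

def pids_from_readdir(entries):
    """PIDs as readdir() on /proc exposes them: every all-digit entry name."""
    return {int(e) for e in entries if e.isdigit()}

def pids_from_ps(ps_output):
    """PIDs as `ps -e -o pid=` prints them, one per line."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def pids_by_probing(max_pid, exists=os.path.exists):
    """Look up /proc/<pid> for every pid up to max_pid. A module that filters
    the readdir() listing but not direct path lookups still answers these,
    which is the idea behind chkrootkit's 'hidden for readdir' count."""
    return {pid for pid in range(1, max_pid + 1) if exists(f"/proc/{pid}")}

def hidden_processes(probed, readdir_pids, ps_pids):
    """Return (hidden from readdir, hidden from ps), chkrootkit's two counts."""
    return sorted(probed - readdir_pids), sorted(probed - ps_pids)

def live_check(max_pid=None):
    """Gather the three views on this host and compare them. Processes that
    exit between the snapshots show up as false positives, so repeat the run
    and only trust PIDs that are reported every time. Probing up to pid_max
    (often millions of paths) can take a while."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    readdir_pids = pids_from_readdir(os.listdir("/proc"))
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True)
    ps_pids = pids_from_ps(ps.stdout)
    probed = pids_by_probing(max_pid)
    return hidden_processes(probed, readdir_pids, ps_pids)

if __name__ == "__main__":
    no_readdir, no_ps = live_check()
    print("hidden for readdir:", no_readdir)
    print("hidden for ps:", no_ps)
```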
06-09-2005 #2 (Linux Engineer, joined Apr 2005, Buenos Aires, Argentina, 908 posts)
I would suggest you run rkhunter, just to make sure.
In these cases, the best thing you can do is reinstall, no doubt.
serzsite.com.ar
"All the drugs in this world won't save you from yourself"
06-09-2005 #3
Sounds like a reinstall to me. Some of these Linux gurus may be able to help you without doing that, but that's all I know to do. Sorry about your troubles.
Today I fell and felt better, Just knowing this matters, I just feel stronger and SHARPER!!!, Found a box of sharp objects, What a beautiful THING!!! Box of Sharp Objects - The Used
06-09-2005 #4
1. Take your machine off the network immediately and leave it off the network.
2. Back up your important data.
3. Investigate to try to determine what the attacker was doing. Was data tampered with? Are any files missing?
4. Try to determine how the attack was successful. Were you running unpatched software? Are you running any unnecessary services?
5. Make a note of all the user accounts on the system and when (most recent and how frequently) they have been logging on. Start by checking /var/log/messages, assuming that has not been tampered with. I would suggest taking a snapshot of your /etc/passwd and then making notes for yourself on who the user is for each account.
6. REINSTALL Linux from scratch.
7. Secure your system appropriately.
8. Attach it back to the network.
9. Monitor it carefully.
IMO, if you skip step 6, you're taking a huge risk.
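Step 5 above asks for a snapshot of /etc/passwd and notes on every account. The script below is an added example of doing that comparison programmatically; it is not the poster's code. The two snapshots are constructed (an assumed clean baseline and a later copy with a changed shell and an extra UID-0 account), and `snapshot_passwd` is a hypothetical helper that copies the live file to a dated name.

```python
import shutil
from datetime import date

# Shells that cannot open an interactive session; anything else counts as login-capable.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/true"}

def parse_passwd(text):
    """Map account name -> (uid, gid, home, shell) from /etc/passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        accounts[name] = (int(uid), int(gid), home, shell)
    return accounts

def audit_passwd(baseline_text, current_text):
    """Compare a trusted snapshot of /etc/passwd against the current file and
    report: accounts added or removed, extra UID-0 accounts, changed shells,
    and which accounts can currently log in at all."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "uid0_not_root": sorted(n for n, (uid, *_rest) in cur.items() if uid == 0 and n != "root"),
        "shell_changed": sorted(n for n in cur if n in base and cur[n][3] != base[n][3]),
        "login_capable": sorted(n for n, (*_rest, shell) in cur.items() if shell not in NOLOGIN_SHELLS),
    }

# Constructed snapshots: a clean baseline and a later copy with two suspicious changes.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
"""
CURRENT = (BASELINE.replace("bin:x:1:1:bin:/bin:/sbin/nologin", "bin:x:1:1:bin:/bin:/bin/bash")
           + "sysadm:x:0:0::/tmp:/bin/sh\n")

def snapshot_passwd(dest_dir="."):
    """Copy /etc/passwd to a dated file so a later audit_passwd() has a baseline."""
    dest = f"{dest_dir}/passwd.{date.today().isoformat()}"
    shutil.copyfile("/etc/passwd", dest)
    return dest

if __name__ == "__main__":
    for check, names in audit_passwd(BASELINE, CURRENT).items():
        print(f"{check:>14}: {names}")
```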
06-09-2005 #5 (Linux Newbie, joined Dec 2004, 105 posts)
My server rebooted by itself again.
What are the "unnecessary services" you recommend disabling? This is a hosting server with cPanel.
06-09-2005 #6
I don't know what cPanel is.
Some services that may be unnecessary in your case (and are often enabled by default) include:
- alsasound
- cups
- isdn
- joystick
- nfs
- portmap
- postfix / sendmail
- smbfs
- sshd
It will depend on what services you legitimately need running for your users.
06-09-2005 #7
And this is your call of course, but I would take that thing off the network and begin investigating...
06-09-2005 #8 (Linux Newbie, joined Dec 2004, 105 posts)
Around the time of the reboot, /var/log/messages shows this portion.
Maybe a DoS attack?
Code:
Jun 9 12:32:50 server stunnel[4067]: Connection closed: 15529 bytes sent to SSL, 10576 bytes sent to socket
Jun 9 12:32:57 server stunnel[4067]: Connection closed: 14581 bytes sent to SSL, 6962 bytes sent to socket
Jun 9 12:32:58 server stunnel[4067]: webmailhttps connected from 63.164.145.33:56068
Jun 9 12:32:58 server stunnel[4067]: webmailhttps connected from 63.164.145.33:56069
Jun 9 12:33:05 server stunnel[4067]: Connection closed: 8445 bytes sent to SSL, 1528 bytes sent to socket
Jun 9 12:33:06 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jun 9 12:33:06 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jun 9 12:34:02 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
Jun 9 12:34:02 server stunnel[4067]: Connection reset: 1669 bytes sent to SSL, 1184 bytes sent to socket
Jun 9 12:34:12 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
Jun 9 12:34:12 server stunnel[4067]: Connection reset: 7080 bytes sent to SSL, 6086 bytes sent to socket
Jun 9 12:34:12 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
Jun 9 12:34:12 server stunnel[4067]: Connection reset: 3615 bytes sent to SSL, 2973 bytes sent to socket
Jun 9 12:34:56 server stunnel[4067]: webmailhttps connected from 208.20.220.72:34121
Jun 9 12:34:57 server stunnel[4067]: Connection closed: 649 bytes sent to SSL, 749 bytes sent to socket
Jun 9 12:34:58 server stunnel[4067]: webmailhttps connected from 208.20.220.72:34639
Jun 9 12:34:58 server stunnel[4067]: Connection closed: 962 bytes sent to SSL, 703 bytes sent to socket
Jun 9 12:35:24 server stunnel[4067]: imaps connected from 206.51.26.90:42570
Jun 9 12:35:26 server stunnel[4067]: Connection closed: 19225 bytes sent to SSL, 147 bytes sent to socket
Jun 9 12:36:04 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1634
Jun 9 12:36:04 server stunnel[4067]: Connection closed: 4618 bytes sent to SSL, 479 bytes sent to socket
Jun 9 12:36:09 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1635
Jun 9 12:36:09 server stunnel[4067]: Connection closed: 6037 bytes sent to SSL, 478 bytes sent to socket
Jun 9 12:36:10 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1636
Jun 9 12:36:11 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1637
Jun 9 12:36:11 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1638
Jun 9 12:36:11 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1639
Jun 9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
Jun 9 12:36:13 server stunnel[4067]: Connection reset: 450 bytes sent to SSL, 1313 bytes sent to socket
Jun 9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
Jun 9 12:36:13 server stunnel[4067]: Connection reset: 750 bytes sent to SSL, 2192 bytes sent to socket
Jun 9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
Jun 9 12:36:13 server stunnel[4067]: Connection reset: 600 bytes sent to SSL, 1753 bytes sent to socket
Jun 9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
Jun 9 12:36:13 server stunnel[4067]: Connection reset: 600 bytes sent to SSL, 1751 bytes sent to socket
Jun 9 12:36:13 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1640
Jun 9 12:36:13 server stunnel[4067]: Connection closed: 7673 bytes sent to SSL, 536 bytes sent to socket
Jun 9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1641
Jun 9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1642
Jun 9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1643
Jun 9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1644
Jun 9 12:36:20 server stunnel[4067]: Connection closed: 8330 bytes sent to SSL, 2105 bytes sent to socket
Jun 9 12:36:21 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1645
Jun 9 12:36:25 server stunnel[4067]: Connection closed: 77210 bytes sent to SSL, 3455 bytes sent to socket
Jun 9 12:36:27 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1646
Jun 9 12:36:32 server stunnel[4067]: Connection closed: 9849 bytes sent to SSL, 5676 bytes sent to socket
Jun 9 12:36:33 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1647
Jun 9 12:36:55 server stunnel[4067]: Connection closed: 9165 bytes sent to SSL, 5288 bytes sent to socket
Jun 9 12:41:24 server syslogd 1.4.1: restart.
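The question the poster is asking of this log is whether one source is opening connections faster than a webmail user would. The script below is an added example, not from the thread, that parses stunnel "connected from" lines in this syslog format and reports, per source address, the peak number of connections inside a sliding time window. The log lines it runs on are constructed in the same format using documentation addresses; it assumes all lines come from the same month, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same syslog/stunnel format as the poster's
# /var/log/messages excerpt (documentation IPs, not the real entries).
SAMPLE_LOG = """\
Jun  9 12:35:24 server stunnel[4067]: imaps connected from 198.51.100.7:42570
Jun  9 12:35:26 server stunnel[4067]: Connection closed: 19225 bytes sent to SSL, 147 bytes sent to socket
Jun  9 12:36:04 server stunnel[4067]: webmailhttps connected from 203.0.113.9:1634
Jun  9 12:36:09 server stunnel[4067]: webmailhttps connected from 203.0.113.9:1635
Jun  9 12:36:10 server stunnel[4067]: webmailhttps connected from 203.0.113.9:1636
Jun  9 12:36:11 server stunnel[4067]: webmailhttps connected from 203.0.113.9:1637
Jun  9 12:36:11 server stunnel[4067]: webmailhttps connected from 203.0.113.9:1638
Jun  9 12:36:11 server stunnel[4067]: webmailhttps connected from 203.0.113.9:1639
Jun  9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
Jun  9 12:36:13 server stunnel[4067]: webmailhttps connected from 203.0.113.9:1640
Jun  9 12:36:14 server stunnel[4067]: webmailhttps connected from 203.0.113.9:1641
Jun  9 12:41:24 server syslogd 1.4.1: restart.
"""

CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ stunnel\[\d+\]: "
    r"(?P<service>\S+) connected from (?P<ip>\d+\.\d+\.\d+\.\d+):\d+$")

def connection_events(lines):
    """Yield (seconds, service, ip) for each stunnel 'connected from' line.
    Seconds count from Jan 1 of an unspecified year (syslog has no year),
    which is enough for differences within one log file."""
    epoch = datetime(1900, 1, 1)
    for line in lines:
        m = CONNECT_RE.match(line.rstrip())
        if not m:
            continue  # closes, resets, other daemons
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield (ts - epoch).total_seconds(), m["service"], m["ip"]

def max_in_window(times, window):
    """Largest number of events whose timestamps span at most `window` seconds."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def burst_sources(lines, window=10, threshold=5):
    """Map source IP -> peak connections inside `window` seconds, keeping only IPs at or above `threshold`."""
    per_ip = defaultdict(list)
    for secs, _service, ip in connection_events(lines):
        per_ip[ip].append(secs)
    peaks = {ip: max_in_window(ts, window) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}

if __name__ == "__main__":
    print(burst_sources(SAMPLE_LOG.splitlines()))
```

Tune `window` and `threshold` to what a real webmail session on the host looks like before treating a hit as anything more than a lead.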
06-09-2005 #9
Not sure. Could also be buffer overflow attack.
I will just say this once more: It is a big risk for you to be staying on the network. I would follow the basic steps I posted.
When you are rebuilding your system and securing it, I would take a good look at your firewall rules. Are you keeping only the necessary ports open?
Also, if all of your customers come from just a few different subnets, it would be ideal for you to restrict access to those subnets. You can do this if you're launching the service with inetd or xinetd.
Also, get your software patched to the latest version.
07-25-2005 #10 (Just Joined!, joined Dec 2004, 22 posts)
The bindshell warning you get on port 465 is a false alarm. I have seen it many times on machines that are not network ready.
For some reason the rootkit tools pull this out.