Page 1 of 3 1 2 3 LastLast
Results 1 to 10 of 23
  1. #1 Linux Newbie (Join Date: Dec 2004, Posts: 105)

    hacked!


    I ran chkrootkit and got this:

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed
    Checking `rexedcs'... not found
    Checking `sniffer'... /proc/11167/fd: No such file or directory
    /proc/12463/fd: No such file or directory


    I ran rkhunter and got this:

    Code:
    Info: prelinked files found
      Performing 'known good' check...
       /usr/bin/find                                              [ OK ]
       /usr/bin/file                                              [ OK ]
       /usr/bin/kill                                              [ BAD ]
       /usr/bin/killall                                           [ OK ]
       /usr/bin/lsattr                                            [ OK ]
       /usr/bin/pstree                                            [ OK ]
       /usr/bin/sha1sum                                           [ OK ]
       /usr/bin/stat                                              [ OK ]
       /usr/bin/users                                             [ OK ]
       /usr/bin/w                                                 [ BAD ]
       /usr/bin/watch                                             [ BAD ]
       /usr/bin/who                                               [ OK ]
       /usr/bin/whoami                                            [ OK ]
       /bin/mount                                                 [ BAD ]
       /bin/netstat                                               [ OK ]
       /bin/egrep                                                 [ OK ]
       /bin/fgrep                                                 [ OK ]
       /bin/grep                                                  [ OK ]
       /bin/cat                                                   [ OK ]
       /bin/chmod                                                 [ OK ]
       /bin/chown                                                 [ OK ]
       /bin/env                                                   [ OK ]
       /bin/ls                                                    [ OK ]
       /bin/su                                                    [ OK ]
       /bin/ps                                                    [ BAD ]
       /bin/dmesg                                                 [ BAD ]
       /bin/kill                                                  [ BAD ]
       /bin/login                                                 [ BAD ]
       /sbin/chkconfig                                            [ OK ]
       /sbin/depmod                                               [ OK ]
       /sbin/ifconfig                                             [ OK ]
       /sbin/insmod                                               [ OK ]
       /sbin/ip                                                   [ OK ]
       /sbin/modinfo                                              [ OK ]
       /sbin/sysctl                                               [ BAD ]
       /sbin/syslogd                                              [ OK ]
       /sbin/init                                                 [ OK ]
       /sbin/runlevel                                             [ OK ]
    
       Checking /dev for suspicious files...                      [ Warning! (unusual files found) ]
    
    MD5
    MD5 compared: 40
    Incorrect MD5 checksums: 9
    
    File scan
    Scanned files: 342
    Possible infected files: 0
    
    Application scan
    Vulnerable applications: 2

    How can I resolve this? I'll do anything but an OS reload.

    I got the following specs:

    Fedora Core 2
    APF Firewall / BFD
    cPanel 10.2x
    PHP 4.3.11
    Apache 1.33x

    Some security measures:
    APF
    BFD
    Bind masked
    Apache masked
    LES
    mod security
    mod dosevasive
    Sysctl.conf hardened
    Exim Dictionary Attack ACL


    Thank you for your help
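One check a practitioner would want before touching anything else: the nine `[ BAD ]` entries above match the "Incorrect MD5 checksums: 9" summary, and the flagged set (ps, login, w, kill, sysctl, dmesg, mount, watch) is exactly the group of tools a userland rootkit replaces to hide itself, which fits the "process hidden for ps" warning from chkrootkit. rkhunter's "known good" hashes are computed on unprelinked binaries, so a prelinked but untouched file can also show BAD (rkhunter said "prelinked files found"); `rpm -V` undoes prelinking before hashing and compares size, mode, owner and MD5 against the package database, so it separates the two cases. The script below is an added example, not something posted in the thread: it pulls the BAD list out of rkhunter's output and cross-checks each file with rpm. The rkhunter sample is a subset of the output quoted above; `rpm` and `prelink` only run when they are installed.

```shell
#!/bin/sh
# Added example: turn rkhunter's "known good" results into a list of flagged
# files and verify each one against the RPM database.

# Subset of the rkhunter output from the post above, written to a temp file so
# the functions work the same way on a saved "rkhunter -c" log.
RKHUNTER_LOG=$(mktemp)
cat > "$RKHUNTER_LOG" <<'EOF'
   /usr/bin/find                                              [ OK ]
   /usr/bin/kill                                              [ BAD ]
   /usr/bin/w                                                 [ BAD ]
   /usr/bin/watch                                             [ BAD ]
   /bin/mount                                                 [ BAD ]
   /bin/netstat                                               [ OK ]
   /bin/ls                                                    [ OK ]
   /bin/ps                                                    [ BAD ]
   /bin/dmesg                                                 [ BAD ]
   /bin/kill                                                  [ BAD ]
   /bin/login                                                 [ BAD ]
   /sbin/sysctl                                               [ BAD ]
   /sbin/init                                                 [ OK ]
EOF

# Print the path of every file rkhunter marked [ BAD ], one per line.
extract_bad() {
    awk '/\[ BAD \]/ { print $1 }' "$1"
}

# Number of flagged files (should equal rkhunter's "Incorrect MD5 checksums").
count_bad() {
    extract_bad "$1" | wc -l | tr -d ' '
}

# For each flagged file, find its package and ask rpm to verify it.
# rpm -V prints one line per file that differs, with flags such as
# "S" (size), "5" (MD5), "M" (mode), "T" (mtime); no line means it matches.
# rpm undoes prelinking (prelink -y) before hashing, so a prelink-only
# difference verifies clean while a replaced binary shows "5" or "S".
verify_with_rpm() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; run this on the suspect host's disk" >&2
        return 2
    fi
    extract_bad "$1" | while read -r f; do
        if ! pkg=$(rpm -qf "$f" 2>/dev/null); then
            echo "$f: not owned by any package (suspicious on its own)"
            continue
        fi
        if line=$(rpm -V "$pkg" | grep -- " ${f}\$"); then
            echo "$f ($pkg): $line"
        else
            echo "$f ($pkg): matches the package database"
        fi
    done
}

echo "rkhunter flagged $(count_bad "$RKHUNTER_LOG") files:"
extract_bad "$RKHUNTER_LOG"
verify_with_rpm "$RKHUNTER_LOG" || true
```

The caveat that matters most: on a box where chkrootkit already sees a hidden process, the kernel and every binary on it (rpm and prelink included) may be lying, so the verification only means something when it is run from rescue media against the mounted disk, with `--root /mnt` added to the `rpm -qf` and `rpm -V` calls so the suspect system's own database and binaries are read as files rather than executed.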

  2. #2 Linux Engineer (Join Date: Apr 2005, Location: Buenos Aires, Argentina, Posts: 908)
    I would suggest you run rkhunter, just to make sure.

    In these cases, the best thing you can do is reinstall, no doubt.

  3. #3 jamey112, Linux Newbie (Join Date: May 2005, Location: Nashville, TN, Posts: 212)
    Sounds like a reinstall to me. Some of these Linux gurus may be able to help you without doing that, but that's all I know to do. Sorry about your troubles.

  4. #4 anomie, Linux Guru (Join Date: Mar 2005, Location: Texas, Posts: 1,692)
    1. Take your machine off the network immediately and leave it off the network.
    2. Back up your important data.
    3. Investigate to try to determine what the attacker was doing. Was data tampered with? Are any files missing?
    4. Try to determine how the attack was successful. Were you running unpatched software? Are you running any unnecessary services?
    5. Make a note of all the user accounts on the system and when (most recent and how frequently) they have been logging on. Start by checking /var/log/messages, assuming that has not been tampered with. I would suggest taking a snapshot of your /etc/passwd and then making notes for yourself on who the user is for each account.
    6. REINSTALL Linux from scratch.
    7. Secure your system appropriately.
    8. Attach it back to the network.
    9. Monitor it carefully.

    IMO, if you skip step 6, you're taking a huge risk.
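Step 5 of the list above is the one that is easy to do badly by hand, so here is an added example (not from the thread) that scripts it: it takes a copy of the passwd file, lists the accounts that can actually log in, lists every account with UID 0 (a second one is root under another name, however it is spelled), and stores the copy with a hash next to the `lastlog` and `last` output. The passwd file in the script is constructed for the example; on the suspect host point the functions at /etc/passwd, or better at the copy on the disk mounted from rescue media, since both /var/log/lastlog and /var/log/wtmp can be edited by anyone who has root.

```shell
#!/bin/sh
# Added example: scripted account review for the incident checklist above.

# Constructed sample passwd file. The "sys" entry with UID 0 is made up to
# show what the UID-0 check reports; it is not from the thread.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
webuser1:x:500:500::/home/webuser1:/bin/bash
sys:x:0:0::/tmp:/bin/sh
EOF

# Accounts whose shell permits an interactive login (not nologin or false).
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Every account with UID 0 is root no matter what it is called; there should
# be exactly one. Extra ones are a classic backdoor.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Snapshot: copy of the passwd file, its hash, the two account lists, and the
# login history that lastlog/last read from /var/log/lastlog and /var/log/wtmp.
# Returns the number of files written to the snapshot directory.
snapshot_accounts() {
    passwd=$1
    dir=$2
    mkdir -p "$dir"
    cp "$passwd" "$dir/passwd.copy"
    (sha1sum "$dir/passwd.copy" 2>/dev/null || shasum "$dir/passwd.copy") \
        > "$dir/passwd.sha1"
    login_accounts "$passwd" > "$dir/login_accounts.txt"
    uid0_accounts "$passwd" > "$dir/uid0_accounts.txt"
    if command -v lastlog >/dev/null 2>&1; then
        lastlog > "$dir/lastlog.txt" 2>/dev/null || true
    fi
    if command -v last >/dev/null 2>&1; then
        last -F > "$dir/last.txt" 2>/dev/null || true
    fi
    ls "$dir" | wc -l | tr -d ' '
}

echo "login-capable accounts:"; login_accounts "$SAMPLE_PASSWD"
echo "UID 0 accounts:";          uid0_accounts "$SAMPLE_PASSWD"
echo "files in snapshot: $(snapshot_accounts "$SAMPLE_PASSWD" "$(mktemp -d)")"
```

Run the same two functions against /etc/shadow's companion files later (after the rebuild) and diff the outputs; the hash stored beside the copy is what makes that diff trustworthy.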

  5. #5 Linux Newbie (Join Date: Dec 2004, Posts: 105)
    My server rebooted by itself again.

    What are "unnecessary services" you recommend disabling? This is a hosting server with cPanel.

  6. #6 anomie, Linux Guru (Join Date: Mar 2005, Location: Texas, Posts: 1,692)
    I don't know what cPanel is.

    Some services that may be unnecessary in your case (and are often enabled by default) include:
    • alsasound
    • cups
    • isdn
    • joystick
    • nfs
    • portmap
    • postfix / sendmail
    • smbfs
    • sshd


    It will depend on what services you legitimately need running for your users.

  7. #7 anomie, Linux Guru (Join Date: Mar 2005, Location: Texas, Posts: 1,692)
    And this is your call of course, but I would take that thing off the network and begin investigating...

  8. #8 Linux Newbie (Join Date: Dec 2004, Posts: 105)
    Around the time of the reboot /var/log/messages shows this portion

    Code:
    Jun  9 12:32:50 server stunnel[4067]: Connection closed: 15529 bytes sent to SSL, 10576 bytes sent to socket
    Jun  9 12:32:57 server stunnel[4067]: Connection closed: 14581 bytes sent to SSL, 6962 bytes sent to socket
    Jun  9 12:32:58 server stunnel[4067]: webmailhttps connected from 63.164.145.33:56068
    Jun  9 12:32:58 server stunnel[4067]: webmailhttps connected from 63.164.145.33:56069
    Jun  9 12:33:05 server stunnel[4067]: Connection closed: 8445 bytes sent to SSL, 1528 bytes sent to socket
    Jun  9 12:33:06 server pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jun  9 12:33:06 server pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jun  9 12:34:02 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
    Jun  9 12:34:02 server stunnel[4067]: Connection reset: 1669 bytes sent to SSL, 1184 bytes sent to socket
    Jun  9 12:34:12 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
    Jun  9 12:34:12 server stunnel[4067]: Connection reset: 7080 bytes sent to SSL, 6086 bytes sent to socket
    Jun  9 12:34:12 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
    Jun  9 12:34:12 server stunnel[4067]: Connection reset: 3615 bytes sent to SSL, 2973 bytes sent to socket
    Jun  9 12:34:56 server stunnel[4067]: webmailhttps connected from 208.20.220.72:34121
    Jun  9 12:34:57 server stunnel[4067]: Connection closed: 649 bytes sent to SSL, 749 bytes sent to socket
    Jun  9 12:34:58 server stunnel[4067]: webmailhttps connected from 208.20.220.72:34639
    Jun  9 12:34:58 server stunnel[4067]: Connection closed: 962 bytes sent to SSL, 703 bytes sent to socket
    Jun  9 12:35:24 server stunnel[4067]: imaps connected from 206.51.26.90:42570
    Jun  9 12:35:26 server stunnel[4067]: Connection closed: 19225 bytes sent to SSL, 147 bytes sent to socket
    Jun  9 12:36:04 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1634
    Jun  9 12:36:04 server stunnel[4067]: Connection closed: 4618 bytes sent to SSL, 479 bytes sent to socket
    Jun  9 12:36:09 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1635
    Jun  9 12:36:09 server stunnel[4067]: Connection closed: 6037 bytes sent to SSL, 478 bytes sent to socket
    Jun  9 12:36:10 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1636
    Jun  9 12:36:11 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1637
    Jun  9 12:36:11 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1638
    Jun  9 12:36:11 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1639
    Jun  9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
    Jun  9 12:36:13 server stunnel[4067]: Connection reset: 450 bytes sent to SSL, 1313 bytes sent to socket
    Jun  9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
    Jun  9 12:36:13 server stunnel[4067]: Connection reset: 750 bytes sent to SSL, 2192 bytes sent to socket
    Jun  9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
    Jun  9 12:36:13 server stunnel[4067]: Connection reset: 600 bytes sent to SSL, 1753 bytes sent to socket
    Jun  9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
    Jun  9 12:36:13 server stunnel[4067]: Connection reset: 600 bytes sent to SSL, 1751 bytes sent to socket
    Jun  9 12:36:13 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1640
    Jun  9 12:36:13 server stunnel[4067]: Connection closed: 7673 bytes sent to SSL, 536 bytes sent to socket
    Jun  9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1641
    Jun  9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1642
    Jun  9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1643
    Jun  9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1644
    Jun  9 12:36:20 server stunnel[4067]: Connection closed: 8330 bytes sent to SSL, 2105 bytes sent to socket
    Jun  9 12:36:21 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1645
    Jun  9 12:36:25 server stunnel[4067]: Connection closed: 77210 bytes sent to SSL, 3455 bytes sent to socket
    Jun  9 12:36:27 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1646
    Jun  9 12:36:32 server stunnel[4067]: Connection closed: 9849 bytes sent to SSL, 5676 bytes sent to socket
    Jun  9 12:36:33 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1647
    Jun  9 12:36:55 server stunnel[4067]: Connection closed: 9165 bytes sent to SSL, 5288 bytes sent to socket
    Jun  9 12:41:24 server syslogd 1.4.1: restart.
    Maybe a DoS attack?
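The quickest way to answer that question from the log itself is to count stunnel's "connected from" events per source address per minute. The script below is an added example, not part of the post: its input is a subset of the /var/log/messages lines quoted above (the 14 connections from 201.255.31.109 in the 12:36 minute plus the other sources), and it reports every source that exceeds a threshold in any one minute. The threshold of 10 is an assumption to tune: a browser loading a webmail page opens several parallel HTTPS connections, so a dozen in a minute from one address is what a single legitimate login looks like, and the "Connection reset by peer" lines are clients dropping their side. Nothing here shows why the box rebooted; that needs the kernel messages, which this excerpt does not contain and which, on a host with a suspected LKM, may not be trustworthy anyway.

```shell
#!/bin/sh
# Added example: per-source, per-minute connection counts from stunnel log lines.

# Subset of the /var/log/messages excerpt from the post above.
LOG_SAMPLE='Jun  9 12:32:58 server stunnel[4067]: webmailhttps connected from 63.164.145.33:56068
Jun  9 12:32:58 server stunnel[4067]: webmailhttps connected from 63.164.145.33:56069
Jun  9 12:34:56 server stunnel[4067]: webmailhttps connected from 208.20.220.72:34121
Jun  9 12:34:58 server stunnel[4067]: webmailhttps connected from 208.20.220.72:34639
Jun  9 12:35:24 server stunnel[4067]: imaps connected from 206.51.26.90:42570
Jun  9 12:36:04 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1634
Jun  9 12:36:09 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1635
Jun  9 12:36:10 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1636
Jun  9 12:36:11 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1637
Jun  9 12:36:11 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1638
Jun  9 12:36:11 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1639
Jun  9 12:36:13 server stunnel[4067]: SSL_read (SSL_ERROR_SYSCALL): Connection reset by peer (104)
Jun  9 12:36:13 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1640
Jun  9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1641
Jun  9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1642
Jun  9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1643
Jun  9 12:36:14 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1644
Jun  9 12:36:21 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1645
Jun  9 12:36:27 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1646
Jun  9 12:36:33 server stunnel[4067]: webmailhttps connected from 201.255.31.109:1647
Jun  9 12:41:24 server syslogd 1.4.1: restart.'

# Print "count ip HH:MM service" for every (ip, minute, service), busiest first.
# Field layout of a syslog line: Mon Day HH:MM:SS host prog[pid]: service connected from ip:port
connections_per_minute() {
    printf '%s\n' "$LOG_SAMPLE" | awk '
        / connected from / {
            minute = substr($3, 1, 5)      # HH:MM from HH:MM:SS
            split($NF, peer, ":")          # "ip:port" -> peer[1] is the ip
            key = peer[1] " " minute " " $6
            n[key]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Sources that opened at least THRESHOLD connections within a single minute,
# printed as "ip HH:MM count". Default threshold is an assumption to tune.
bursts() {
    threshold=${1:-10}
    connections_per_minute | awk -v t="$threshold" '$1 >= t { print $2, $3, $1 }'
}

echo "connections per source and minute:"
connections_per_minute
echo "bursts over 10/minute:"
bursts 10
```

On the real host, replace the embedded sample with `grep stunnel /var/log/messages` and widen the window to the hour before each unexplained reboot; a flood would show many distinct sources or one source at rates far above what a webmail session produces.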

  9. #9 anomie, Linux Guru (Join Date: Mar 2005, Location: Texas, Posts: 1,692)
    Not sure. Could also be a buffer overflow attack.

    I will just say this once more: It is a big risk for you to be staying on the network. I would follow the basic steps I posted.

    When you are rebuilding your system and securing it, I would take a good look at your firewall rules. Are you keeping only the necessary ports open?

    Also, if all of your customers come from just a few different subnets it would be ideal for you to restrict access to those subnets. You can do this if you're launching the service with inetd or xinetd.

    Also, get your software patched to the latest version.

  10. #10 Just Joined! (Join Date: Dec 2004, Posts: 22)
    The bindshell warning you get on port 465 is a false alarm. I have seen it many times on machines that are not network ready.

    For some reason the root kit tools pull this out.
