On Fri, Jul 15, 2011 at 10:26:20AM +0200, Jérôme Schell wrote:
> Hello,
> 
> I couldn't find a portable Openntpd dedicated mail address so feel free
> to redirect this mail if necessary.
> 
> I am using portable Openntpd on Debian Linux Lenny (v3.9p1).
> I have noticed since some days a suspect behavior of the program:
> * the service has stopped without intervention on some hosts (segfault?)
> with these messages in the logs:
> Jul 13 11:23:09 ******* ntpd[4949]: dispatch_imsg in main: pipe closed
> Jul 13 11:23:09 ******* ntpd[4949]: Terminating
> 
> * yesterday, the chkrootkit bindshell check reported me:
> Jul 14 10:03:11 ******* chkrootkit: INFECTED (PORTS:  47017)

I don't want to know what chkrootkit does but I guess it is just some
dumb tool seeing an open ephemeral port and yelling alarm.
OK, I could not resist and looked at it:
bindshell () {
   # ports historically used by known bindshells / backdoors
   PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
   OPT="-an"
   PI=""
   if [ "${ROOTDIR}" != "/" ]; then
     echo "not tested"
     return ${NOT_TESTED}
   fi

   if [ "${EXPERT}" = "t" ]; then
       expertmode_output "${netstat} ${OPT}"
       return 5
   fi
   # any tcp line containing LIST, or any udp line at all, is a hit if the
   # port number appears after a '.' or ':' anywhere on the line
   for P in `echo $PORT | ${sed} 's/|/ /g'`; do
      if ${netstat} "${OPT}" | ${egrep} "^tcp.*LIST|^udp" | ${egrep} \
"[.:]${P}[^0-9.:]" >/dev/null 2>&1
      then
         PI="${PI} ${P}"
      fi
   done
   if [ "${PI}" != "" ]
   then
      echo "INFECTED (PORTS: $PI)"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
   fi
}

Ugh. It is as stupid as I thought.
 
> After watching the results of "netstat -taupen" it appears that this
> port was used by openntpd and was connected to an external NTP server:
> udp 0 0 *.*.*.*:47017  209.104.4.227:123 ESTABLISHED 104 3529839 14260/ntpd
> 
> I then noticed several other TCP sockets that have been opened by ntpd
> with destination internal hosts in my network:
> tcp 38 0 *.*.*.*:41871 *.*.*.*:**** CLOSE_WAIT 0 3453657 14260/ntpd
> tcp 38 0 *.*.*.*:59603 *.*.*.*:**** CLOSE_WAIT 0 3522745 14260/ntpd
> tcp 38 0 *.*.*.*:59577 *.*.*.*:**** CLOSE_WAIT 0 3522605 14260/ntpd
> ...

This information is totally useless. Without knowing src, dest and ports
we can only guess if the connections are bad or not. Btw. the connections
are already closed on this side. It could be a DNS lookup or some other
library code on linux that opens up TCP connections.
 
> So the question is, could there be a sort of vulnerability in Openntpd
> that could allow an external NTP server to issue TCP connection towards
> internal hosts?
> Or is it just a normal behavior of the program?

Again without information we just guess and my magic crystal ball is at
home. So it could be normal behaviour, or maybe not.
But chkrootkit is just a very dumb script that will trigger false
positives more often than it will actually detect something.

> I am sorry not being able to provide more information but I am in a
> sensible environment and with that behavior I had to replace Openntpd by
> another NTP daemon.

Without info you need to do your homework alone.

-- 
:wq Claudio
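Claudio's point, that the bindshell test matches any UDP socket whose port is on the list whether it is listening or not, can be shown by replaying the same pipeline over constructed netstat output. This is an added example and is neither chkrootkit's code nor part of the thread; the SAMPLE lines, the reduced PORTS list, the function names and the hardened variant are all constructed here.

```shell
#!/bin/sh
# Constructed `netstat -an` sample (not a real host): an ssh listener, a TCP
# listener on listed port 1524, ntpd's client socket with ephemeral source
# port 47017 connected to an NTP server, and ntpd's bound UDP port 123.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
udp        0      0 10.0.0.5:47017          209.104.4.227:123       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Subset of chkrootkit's port list, enough for the demonstration.
PORTS="1524 31337 47017 60001"

# Replays chkrootkit's bindshell pipeline: any tcp line containing LIST, or any
# udp line at all, is a hit when the port appears after a '.' or ':' anywhere on
# the line, so a connected UDP client socket (ntpd's 47017) matches just like a
# real listener would.  grep -E stands in for the script's egrep.
chkrootkit_bindshell() {
    PI=""
    for P in $PORTS; do
        if printf '%s\n' "$SAMPLE" | grep -E '^tcp.*LIST|^udp' |
           grep -E "[.:]${P}[^0-9.:]" >/dev/null 2>&1; then
            PI="${PI} ${P}"
        fi
    done
    echo "$PI"
}

# Hardened variant (constructed): consider only sockets that accept input with
# no peer (tcp in LISTEN, udp bound with a wildcard foreign address), take the
# port from the local address column only, and compare it exactly.
listening_ports_on_list() {
    printf '%s\n' "$SAMPLE" | awk '
        ($1 == "tcp" && $6 == "LISTEN") || ($1 == "udp" && $5 ~ /:\*$/) {
            n = split($4, a, ":"); print a[n]
        }' | while read -r port; do
        for P in $PORTS; do
            if [ "$port" = "$P" ]; then printf ' %s' "$P"; fi
        done
    done
}

echo "chkrootkit logic flags:$(chkrootkit_bindshell)"        # -> " 1524 47017"
echo "listening-only check flags:$(listening_ports_on_list)" # -> " 1524"
```

The ntpd client socket on 47017 is flagged only by the original logic; the genuine listener on 1524 is reported by both.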
