Wow - that would be a little depressing, installing a brand new distro with one of the better reputations, and already an exploited vulnerability. So I sincerely hope that these were false positives, due to the fact that the distro is so new, and maybe chkrootkit was thrown off by that a bit.

The user "nobody" is a legitimate id, usually bestowed with very few privileges (e.g. no shell). I think it is used by some servers (or scheduled jobs) to kick off (sub)processes with very few privileges, which tends to be a good thing.

Regarding the disk activity, have you had a look at your scheduled jobs? I have been freaked out more than once about sudden extensive disk activity, only to find out that it was caused by scheduled jobs which had been part of the default install, with a default time setting for them to be run (log rotations, e-mailing of log extracts, etc.).


I'd be grateful if you could share your eventual findings with us. While I take several of the easier precautions (new system installs only behind a firewall, open/forward only the required ports in the firewall _after_ all patches have been applied to a new install, don't even install telnet, etc.), I'd like to know if I need to increase my own paranoia level, even with a very new and very respected distro.


Good luck hunting, let's hope it was a false alarm, and let us know!

...Niels
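Niels's suggestion to check the scheduled jobs, worked through as an added example (this is not code from the thread): a POSIX shell script that lists the system crontab entries under a given root, flags the ones that run as "nobody" or invoke find/updatedb, and, on an RPM-based system such as SuSE, compares top and find against the package database. The crontab files are constructed samples, and /usr/bin as the location of top and find is an assumption.

```shell
# Added example, not from the thread: list scheduled jobs under ROOT and flag
# those running as "nobody" or invoking find/updatedb (the usual source of
# unexplained disk activity on a default install).
# list_cron_entries ROOT: print "file<TAB>user<TAB>command" per job in
# ROOT/etc/crontab and ROOT/etc/cron.d/* (5 time fields or @shortcut, user, command).
list_cron_entries() {
  root="$1"
  for f in "$root/etc/crontab" "$root"/etc/cron.d/*; do
    [ -f "$f" ] || continue
    grep -Ev -e '^[[:space:]]*(#|[A-Za-z_][A-Za-z0-9_]*=)' -e '^[[:space:]]*$' "$f" |
      awk -v f="$f" '{ if ($1 ~ /^@/) { u = $2; s = 3 } else { u = $6; s = 7 }
        cmd = ""; for (i = s; i <= NF; i++) cmd = cmd (i > s ? " " : "") $i
        print f "\t" u "\t" cmd }'
  done
}
# find_suspects ROOT: entries that run as nobody or call find/updatedb.
find_suspects() {
  list_cron_entries "$1" |
    awk -F '\t' '$2 == "nobody" || $3 ~ /(^|[^A-Za-z])(find|updatedb)([^A-Za-z]|$)/'
}
# count_suspects ROOT: number of such entries.
count_suspects() { find_suspects "$1" | awk 'END { print NR }'; }
# verify_with_rpm: on an RPM-based system (SuSE), compare top and find with the
# package database. Sanity check only: rpm and its database sit on the same disk.
verify_with_rpm() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not available, skipping"; return 0; }
  for b in /usr/bin/top /usr/bin/find; do   # assumed paths
    pkg=$(rpm -qf "$b" 2>/dev/null) && rpm -V "$pkg" && echo "$b: matches $pkg" ||
      echo "$b: package verification reported differences or no owning package"
  done
}
# make_sample_tree: constructed crontab files standing in for a real /etc.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/cron.d"
  printf '%s\n' 'SHELL=/bin/sh' '# m h dom mon dow user command' \
    '0 4 * * * root /usr/lib/cron/run-crons' \
    '30 2 * * * nobody /usr/bin/find / -type f -newer /var/lib/stamp -print' \
    > "$d/etc/crontab"
  printf '%s\n' '15 3 * * * nobody /usr/bin/updatedb' > "$d/etc/cron.d/updatedb"
  printf '%s\n' '0 1 * * 0 root /usr/sbin/logrotate /etc/logrotate.conf' > "$d/etc/cron.d/logrotate"
  printf '%s' "$d"
}
# Demo on the constructed tree; on a live host: find_suspects / ; verify_with_rpm
root=$(make_sample_tree)
find_suspects "$root"
rm -rf "$root"
```

Per-user crontabs (/var/spool/cron) and the run-crons wrapper that executes /etc/cron.daily and friends are not parsed here, so check those directories by hand as well.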




GRAHAM MONK wrote:

SuSE 9.1 Pro, sorry, should have given that.

G

----- Original Message -----
From: Jon Copeland <[EMAIL PROTECTED]>
Date: Sunday, May 30, 2004 1:25 pm
Subject: Re: [clug-talk] I think I got rootkitted



What Distro are you running?

-j-

GRAHAM MONK wrote:


Hi All

This morning while browsing I noticed a lot of HD activity.
I ran top and found someone called "nobody" was running find.
I pulled my network connection and tried to find what was going on.
I have downloaded and run chkrootkit, and "top" and "find" were
marked INFECTED.

I tried running the install disc and "repair system" but got the
same result with chkrootkit.

I am currently doing a reinstall and leaving my home partition
untouched. I will install chkrootkit and portsentry once the install is done. Is there anything else I should do?

I will change my passwords also.

Thanks for any advice

Graham


_______________________________________________ clug-talk mailing list [EMAIL PROTECTED] http://clug.ca/mailman/listinfo/clug-talk_clug.ca











