It's looking for hidden leftovers from compiling a kit on your box. Looks like it found some KDE stuff, I wouldn't be too concerned. However, I would still be concerned that you might have a visitor who isn't using a rootkit. Chances are that you're using your regular account name and password to POP mail off via 110 or IMAP via 143, right? Anyone sitting on an untrusted network with you can sniff that and use it to login via SSH as you. You should look into using stunnel to wrap those protocols in SSL, there's a good write-up on Mandrake Security. You can also SSL-wrap SMTP using a protocol called SASL, which is also covered in the same article.
On Fri, 2002-12-27 at 09:03, David Rankin wrote:
> Well,
>
> I have now compiled and run chkrootkit and I need help interpreting the
> output. The thing I don't understand is the suspicious files output. I would be
> grateful if someone smarter than I would take a quick look at the output and tell
> me if you think I was hacked. Everything is working OK, but that's what concerns
> me. My internet connection setup is a cable setup that goes through a Linksys
> Cable/DSL Router and the only ports forwarded are 22, 25, 80, 110, 143, 1723 &
> 10000. All others are closed. I thought I was fairly secure. Here is what
> chkrootkit said:
>
> [root@Nemesis chkrootkit-0.38]# ./chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not infected
> Checking `gpm'... not infected
> Checking `grep'... not infected
> Checking `hdparm'... not infected
> Checking `su'... not infected
> Checking `ifconfig'... not infected
> Checking `inetd'... not tested
> Checking `inetdconf'... not infected
> Checking `identd'... not infected
> Checking `killall'... not infected
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... not infected
> Checking `lsof'... not found
> Checking `mail'... not infected
> Checking `mingetty'... not infected
> Checking `netstat'... not infected
> Checking `named'... not infected
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... not infected
> Checking `pstree'... not infected
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not infected
> Checking `rshd'... not infected
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `tcpdump'... not infected
> Checking `top'... not infected
> Checking `telnetd'... not infected
> Checking `timed'... not infected
> Checking `traceroute'... not infected
> Checking `w'... not infected
> Checking `write'... not infected
> Checking `aliens'... no suspect files
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... nothing found
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing found
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/qt2/tools/designer/designer/.obj
> /usr/lib/qt2/tools/designer/designer/.tmp /usr/lib/qt2/tools/designer/util/.tmp
> /usr/lib/libDrakX/auto/Newt/.exists /usr/lib/libDrakX/auto/c/stuff/.exists
> /usr/lib/libDrakX/auto/resize_fat/c_rewritten/.exists
> /lib/modules/2.2.19-4.1mdk/.rhkmvtag
> /usr/lib/qt2/tools/designer/designer/.obj
> /usr/lib/qt2/tools/designer/designer/.tmp /usr/lib/qt2/tools/designer/util/.tmp
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for Showtee... nothing found
> Searching for OpticKit... nothing found
> Searching for T.R.K... nothing found
> Searching for Mithra... nothing found
> Searching for OBSD rk v1... nothing found
> Searching for LOC rootkit ... nothing found
> Searching for Romanian rootkit ... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... nothing detected
> Checking `rexedcs'... not found
> Checking `sniffer'...
> eth0 is not promisc
> Checking `wted'... nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'...
> nothing deleted
> [root@Nemesis chkrootkit-0.38]#
>
> What do you think?
>
>
> Lorne wrote:
>
> > I'm sure you have downloaded the chkroot kit by now, but it sure looks to me
> > like your system is compromised! It looks like he has managed to replace some
> > files with modified ones and your system caught the permissions. I'm overly
> > paranoid, but I'd sure rebuild the box. Do NOT take the chance. It isn't
> > worth it. I highly recommend snort. I want to do tripwire but haven't had the
> > time.
> >
> > On Thursday 26 December 2002 12:20 pm, David Rankin wrote:
> > > Guys & Gals,
> > >
> > > I need help. Something went whacko with eth0 and with my system just
> > > before my nightly cron job ran and I got a lot of weird messages in my
> > > log files. I don't know if this was a successful hack or if it was just
> > > a normal response from the system after eth0 went bonkers. The log
> > > entries are as follows:
> > >
> > > Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
> > > Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status
> > > e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce,
> > > resetting...
> > > Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD (
> > > /usr/share/msec/security.sh)
> > > Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD ( /sbin/rmmod -as)
> > > Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
> > > Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files
> > > found :
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files
> > > found :
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable
> > > Files found :
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files :
> > > /tmp/.font-unix/fs-1
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
> > >
> > > Dec 26 04:00:15 Nemesis :
> > >
> > > I understand that the eth0 PNIC2 error is from my tulip driver, but I
> > > haven't seen this error in the 2 years this box has been running. I have
> > > never seen the kernel smb errors.
> > >
> > > What concerns me is the Change in Suid Root files found. I haven't
> > > changed a thing on this LM 7.2 box for a long time. This is the first
> > > time I have seen this Security Warning and I am concerned I may have
> > > been hacked. Has anyone else seen something like this? Does it look like
> > > a hack? Where can I get a good check root kit package?
> > >
> > > Any help will be greatly appreciated.
> >
> > ------------------------------------------------------------------------
> > Want to buy your Pack or Services from MandrakeSoft?
> > Go to http://www.mandrakestore.com
>
> --
> David C. Rankin, J.D., P.E.
> RANKIN * BERTIN, PLLC
> 510 Ochiltree Street
> Nacogdoches, Texas 75961
> (936) 715-9333
> (936) 715-9339 fax
--
Jack Coates
Monkeynoodle: A Scientific Venture...
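The "Removed suid root files" lines in the quoted log come from a comparison of the current list of setuid root files against a saved one. The script below is an added example and not msec's security.sh or chkrootkit's own code; it does that same comparison in POSIX sh, with the one safeguard that warning makes worth having: it refuses to compare a listing that find did not finish, because a walk that gives up partway (a network mount returning errors is one way that happens, and the quoted log shows smb_request errors seconds before the warning) would report every unvisited setuid binary as "removed". Assumed, and not from the thread: GNU find for `-printf`, the baseline path `/var/lib/suid-baseline/suid.list`, and the function names.

```shell
#!/bin/sh
# Nightly setuid/setgid baseline check. Added example; not msec's security.sh.
# Assumptions (not from the thread): GNU find (-printf) and a baseline kept at
# $BASELINE_DIR/suid.list. For a real scan of / run it as root from cron.
BASELINE_DIR="${BASELINE_DIR:-/var/lib/suid-baseline}"

# suid_scan ROOT OUTFILE
# Writes one sorted line "mode owner group path" per setuid or setgid file
# below ROOT. -xdev keeps the walk on ROOT's own filesystem, so a wedged
# network mount cannot hang it or silently leave part of the tree unvisited.
# Returns 2 if find reported any error: an incomplete listing must never be
# diffed against a baseline, or every unvisited binary looks "removed".
suid_scan() {
    tmp=$(mktemp) || return 1
    if ! find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
            -printf '%m %u %g %p\n' > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    sort "$tmp" > "$2" && rm -f "$tmp"
}

# suid_diff BASELINE CURRENT
# Prints "+ line" for entries new since the baseline and "- line" for entries
# that disappeared (a changed mode or owner shows up as one of each).
# Returns 0 when nothing changed, 1 otherwise.
suid_diff() {
    added=$(comm -13 "$1" "$2")
    removed=$(comm -23 "$1" "$2")
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ]
}

# suid_check ROOT BASELINE
# First run records the baseline. Later runs report changes and leave the
# baseline alone, so a real change keeps being reported until an admin has
# looked at it and replaced the baseline by hand (rm BASELINE; rerun).
# Exit status: 0 unchanged or baseline created, 1 changes found, 2 scan incomplete.
suid_check() {
    root="$1"; baseline="$2"; current="$2.today"
    suid_scan "$root" "$current" || {
        echo "suid_check: scan of $root incomplete; nothing compared" >&2
        return 2
    }
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        echo "suid_check: baseline written to $baseline"
        return 0
    fi
    if suid_diff "$baseline" "$current"; then
        echo "suid_check: no setuid/setgid changes under $root"
        rm -f "$current"
        return 0
    fi
    echo "Security Warning: setuid/setgid changes under $root (listed above)" >&2
    return 1
}

# Usage: suid-check.sh ROOT [BASELINE]
if [ $# -gt 0 ]; then
    suid_check "$1" "${2:-$BASELINE_DIR/suid.list}"
fi
```

Whatever produced a warning like the one quoted, the cheap sanity check is to look at the files it names directly: `ls -l /bin/su /bin/mount /bin/ping` shows whether the `s` bit is really gone (if it were, ordinary users could no longer `su` or mount at all), which tells you whether you are looking at a changed file or at a scan that did not cover it.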
