I don't think you've been hacked.... but the box did go nuts when it couldn't access the NIC. I'd say that is your only problem. Chkrootkit is good. All (OK, I only checked the first few) the ones mentioned are supposed to be suid root. (Checked a few against a fairly new install that hasn't gone out to the net yet.) Noting that this box is a system in and of itself, it's not unusual for a box to show all kinds of "errors" when a part of the system crashes. Rule of thumb: fix the first error on the list... retest. You'll be amazed how often all the errors are fixed.
James

On Fri, 2002-12-27 at 09:03, David Rankin wrote:
> Well,
>
> I have now compiled and run chkrootkit and I need help interpreting the
> output. The thing I don't understand is the suspicious files output. I would be
> grateful if someone smarter than I would take a quick look at the output and tell
> me if you think I was hacked. Everything is working OK, but that's what concerns
> me. My internet connection setup is a cable setup that goes through a Linksys
> Cable/DSL Router and the only ports forwarded are 22, 25, 80, 110, 143, 1723 &
> 10000. All others are closed. I thought I was fairly secure. Here is what
> chkrootkit said:
>
> [root@Nemesis chkrootkit-0.38]# ./chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not infected
> Checking `gpm'... not infected
> Checking `grep'... not infected
> Checking `hdparm'... not infected
> Checking `su'... not infected
> Checking `ifconfig'... not infected
> Checking `inetd'... not tested
> Checking `inetdconf'... not infected
> Checking `identd'... not infected
> Checking `killall'... not infected
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... not infected
> Checking `lsof'... not found
> Checking `mail'... not infected
> Checking `mingetty'... not infected
> Checking `netstat'... not infected
> Checking `named'... not infected
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... not infected
> Checking `pstree'... not infected
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not infected
> Checking `rshd'... not infected
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `tcpdump'... not infected
> Checking `top'... not infected
> Checking `telnetd'... not infected
> Checking `timed'... not infected
> Checking `traceroute'... not infected
> Checking `w'... not infected
> Checking `write'... not infected
> Checking `aliens'... no suspect files
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... nothing found
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing found
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/qt2/tools/designer/designer/.obj
> /usr/lib/qt2/tools/designer/designer/.tmp /usr/lib/qt2/tools/designer/util/.tmp
> /usr/lib/libDrakX/auto/Newt/.exists /usr/lib/libDrakX/auto/c/stuff/.exists
> /usr/lib/libDrakX/auto/resize_fat/c_rewritten/.exists
> /lib/modules/2.2.19-4.1mdk/.rhkmvtag
> /usr/lib/qt2/tools/designer/designer/.obj
> /usr/lib/qt2/tools/designer/designer/.tmp /usr/lib/qt2/tools/designer/util/.tmp
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for Showtee... nothing found
> Searching for OpticKit... nothing found
> Searching for T.R.K... nothing found
> Searching for Mithra... nothing found
> Searching for OBSD rk v1... nothing found
> Searching for LOC rootkit ... nothing found
> Searching for Romanian rootkit ... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... nothing detected
> Checking `rexedcs'... not found
> Checking `sniffer'...
> eth0 is not promisc
> Checking `wted'... nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'...
> nothing deleted
> [root@Nemesis chkrootkit-0.38]#
>
> What do you think?
>
>
> Lorne wrote:
>
> > I'm sure you have downloaded the chkroot kit by now, but it sure looks to me
> > like your system is compromised! It looks like he has managed to replace some
> > files with modified ones and your system caught the permissions. I'm overly
> > paranoid, but I'd sure rebuild the box. Do NOT take the chance. It isn't
> > worth it. I highly recommend snort. I want to do tripwire but haven't had the
> > time.
> >
> > On Thursday 26 December 2002 12:20 pm, David Rankin wrote:
> > > Guys & Gals,
> > >
> > > I need help. Something went whacko with eth0 and with my system just
> > > before my nightly cron job ran and I got a lot of weird messages in my
> > > log files. I don't know if this was a successful hack or if it was just
> > > a normal response from the system after eth0 went bonkers. The log
> > > entries are as follows:
> > >
> > > Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
> > > Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status
> > > e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce,
> > > resetting...
> > > Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD (
> > > /usr/share/msec/security.sh)
> > > Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD ( /sbin/rmmod -as)
> > > Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
> > > Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files
> > > found :
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files
> > > found :
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable
> > > Files found :
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files :
> > > /tmp/.font-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files :
> > > /tmp/.font-unix/fs-1
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
> > >
> > > Dec 26 04:00:15 Nemesis :
> > >
> > > I understand that the eth0 PNIC2 error is from my tulip driver, but I
> > > haven't seen this error in the 2 years this box has been running. I have
> > > never seen the kernel smb errors.
> > >
> > > What concerns me is the Change in Suid Root files found. I haven't
> > > changed a thing on this LM 7.2 box for a long time. This is the first
> > > time I have seen this Security Warning and I am concerned I may have
> > > been hacked. Has anyone else seen something like this? Does it look like
> > > a hack? Where can I get a good check root kit package?
> > >
> > > Any help will be greatly appreciated.
> >
> > ------------------------------------------------------------------------
> > Want to buy your Pack or Services from MandrakeSoft?
> > Go to http://www.mandrakestore.com
>
> --
> David C. Rankin, J.D., P.E.
> RANKIN * BERTIN, PLLC
> 510 Ochiltree Street
> Nacogdoches, Texas 75961
> (936) 715-9333
> (936) 715-9339 fax
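James's point is that the msec warning lists binaries that are supposed to be suid root, so the useful question is not "were they removed" but "did the nightly scan see them change, or did it fail to see them at all" (which is what a crashed NIC or a dead SMB mount would produce). The following is an added example in that spirit, not code from the thread, from msec or from chkrootkit: a small Python baseline check that walks a tree for setuid files, diffs the result against an expected list, and for every "removed" entry reports whether the file lost its setuid bit, still has it, or simply is not visible. The expected-set paths are the ones named in the thread's log; the directory tree, the unexpected `usr/local/bin/helper` file and all function names are constructed for the demo, which also turns off the root-owner filter because it runs as an unprivileged user.

```python
import os
import stat
import tempfile

# Baseline: paths (relative to the scanned root) expected to be setuid root.
# Constructed for this example from the binaries named in the msec log above.
EXPECTED_SUID = {
    "bin/mount", "bin/ping", "bin/su", "bin/umount",
    "sbin/dump", "sbin/restore", "sbin/unix_chkpwd",
}


def find_suid_files(rootdir, require_root_owner=True):
    """Return the set of regular files under rootdir with the setuid bit set.

    With require_root_owner=True only uid-0 owned files count, which is the
    condition a "suid root" check cares about.  Unreadable or vanished entries
    are skipped rather than aborting the scan."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(rootdir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & stat.S_ISUID:
                continue
            if require_root_owner and st.st_uid != 0:
                continue
            found.add(os.path.relpath(path, rootdir))
    return found


def compare_with_baseline(current, baseline):
    """Return (added, removed): paths newly setuid, and baseline paths no
    longer reported as setuid.  Both lists are sorted for stable output."""
    current, baseline = set(current), set(baseline)
    return sorted(current - baseline), sorted(baseline - current)


def classify_removed(rootdir, removed):
    """Explain each 'removed' baseline entry.  'missing' means the scan cannot
    see the file at all (the situation a broken mount or crashed box produces),
    which is a very different finding from a cleared setuid bit."""
    verdict = {}
    for rel in removed:
        try:
            st = os.lstat(os.path.join(rootdir, rel))
        except OSError:
            verdict[rel] = "missing"
            continue
        if st.st_mode & stat.S_ISUID:
            verdict[rel] = "still setuid (excluded by owner filter)"
        else:
            verdict[rel] = "setuid bit cleared"
    return verdict


def build_demo_tree(root):
    """Constructed sample tree: most expected binaries are setuid, bin/umount
    has lost its bit, sbin/restore is absent, and an unexpected setuid file
    has appeared under usr/local."""
    modes = {
        "bin/mount": 0o4755, "bin/ping": 0o4755, "bin/su": 0o4755,
        "bin/umount": 0o755,              # bit cleared
        "sbin/dump": 0o4755, "sbin/unix_chkpwd": 0o4755,
        "bin/ls": 0o755,                  # ordinary binary, never setuid
        "usr/local/bin/helper": 0o4755,   # unexpected new setuid file
    }
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)


def demo():
    """Run the check over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        current = find_suid_files(root, require_root_owner=False)
        added, removed = compare_with_baseline(current, EXPECTED_SUID)
        return {"added": added, "removed": removed,
                "why": classify_removed(root, removed)}


if __name__ == "__main__":
    report = demo()
    for rel in report["added"]:
        print("NEW setuid file:", rel)
    for rel in report["removed"]:
        print("baseline entry not setuid:", rel, "->", report["why"][rel])
```

On a real box you would run `find_suid_files("/")` as root with the owner filter on and keep the baseline in a file the scan cannot write to; the point of `classify_removed` is that a report full of "missing" entries for core binaries is a scan that could not see the filesystem, which is what the thread's log looks like, whereas "setuid bit cleared" or a "NEW setuid file" line is the finding that actually merits a closer look.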
