Hi guys,
 
I'm running CentOS with the firewall script supplied with the toaster. I installed chkrootkit and rkhunter, then checked for rootkits; the results were clear of rootkits. But after portsentry was installed, the next morning when I checked for rootkits, “bindshell on port 600” was detected by chkrootkit and hidden files were detected by rkhunter. These hidden files were already deleted.
 
When I checked the logs, I found out that portsentry continuously restarted with iptables, so I suspected that when iptables was restarted together with portsentry, the hacker got in. Is this possible?
 
As of now, portsentry is out of the picture (I removed it). Is there something else to do with this server in order to correct this problem?
 
I would appreciate any response.
 
Thanks 
 
Here is part of the logs:
 
For chkrootkit:
-----
Searching for rootedoor... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 600)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
-----
 
For portsentry and iptables:
-----
Apr 18 23:43:03 santol portsentry[20586]: adminalert: Advanced mode will manually exclude port: 389
Apr 18 23:43:03 santol iptables: succeeded
Apr 18 23:43:03 santol portsentry[20590]: adminalert: Advanced mode will manually exclude port: 513
Apr 18 23:43:03 santol portsentry[20586]: adminalert: Advanced mode will manually exclude port: 443
Apr 18 23:43:03 santol kernel: ip_tables: (C) 2000-2002 Netfilter core team
Apr 18 23:43:03 santol portsentry[20590]: adminalert: Advanced mode will manually exclude port: 138
Apr 18 23:43:03 santol iptables: succeeded
Apr 18 23:43:03 santol portsentry[20586]: adminalert: Advanced mode will manually exclude port: 783
Apr 18 23:43:03 santol kernel: ip_conntrack version 2.1 (4031 buckets, 32248 max) - 356 bytes per conntrack
Apr 18 23:43:03 santol portsentry[20590]: adminalert: Advanced mode will manually exclude port: 137
-----
 
 
:( sandeil

