Re: My machine compromised?
First thing, you sent this to me instead of the list, which seems like what you wanted considering the last question.

On Wed, Dec 03, 2003 at 10:38:10PM -0800, Vanh Phom wrote:
> On Wed, 2003-12-03 at 02:07, Micha Feigin wrote:
> > On Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom wrote:
> > > Hi folks,
> > > After reading a report of servers being compromised, just out of curiosity I ran
> > > chkrootkit on my own machine and came up with this result:
> > >
> > > Searching for anomalies in shell history files... nothing found
> > > Checking `asp'... not infected
> > > Checking `bindshell'... not infected
> > > Checking `lkm'... You have12 process hidden for readdir command
> > > You have12 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
> > > Checking `rexedcs'... not found
> > > Checking `sniffer'... eth0: PROMISC
> > >
> > > Is my machine compromised? How do I fix this?
> > >
> > > Vanh
> >
> > If it's unstable, then there is a bug with chkrootkit. Do a ps ax and see how many
> > processes you have with pid 0. I don't remember the criterion, but some processes
> > owned by the kernel are started with the kernel's pid, which is 0 (I hope I am not
> > mixing things up, but that is the essential idea; search the archives on this if you
> > want the exact story).
> >
> > Also try running /usr/lib/chkrootkit/chkproc -v and it will tell you exactly which
> > processes are seen as hidden. You can then try to do:
> >
> >     cat /proc/pid/status
> >
> > (hoping that wasn't compromised if the computer was, which it probably wasn't) to see
> > what the process actually is.
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
>
> I'm running 2.6.0test11 sid.
> /usr/lib/chkrootkit/chkproc -v reports no pid 0.

This will not show you pid 0 but what pids it thinks are hidden. You should see pid 0 on ps ax. What pid does ps ax show for those processes? Could it be that they have the same pid as their parent process instead of a separate pid?

> cat /proc/pid/status reports all 8 processes are either nautilus or evolution,
> sleeping.
>
> I guess it is just a false positive for chkrootkit. I'm just starting to run Debian
> in the last month or so, so I'm pretty green on Debian.
>
> BTW, does anyone know how to set up guarddog to start whenever the machine is
> booting? On SuSE the firewall is automatically configured to start when the machine
> boots.
>
> Vanh
Re: My machine compromised?
On Wed, 2003-12-03 at 03:03, Vanh Phom wrote:
> Hi folks,
> After reading a report of servers being compromised, just out of curiosity I ran
> chkrootkit on my own machine and came up with this result:
>
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have12 process hidden for readdir command
> You have12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PROMISC
>
> Is my machine compromised? How do I fix this?
>
> Vanh

Vanh,

Try this link:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525

Regards,
Brian
My machine compromised?
Hi folks,
After reading a report of servers being compromised, just out of curiosity I ran chkrootkit on my own machine and came up with this result:

Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have12 process hidden for readdir command
You have12 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PROMISC

Is my machine compromised? How do I fix this?

Vanh
Re: My machine compromised?
On Wed, 03.12.2003 at 10:03, Vanh Phom wrote:
> Hi folks,
> After reading a report of servers being compromised, just out of curiosity I ran
> chkrootkit on my own machine and came up with this result:
>
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have12 process hidden for readdir command
> You have12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PROMISC
>
> Is my machine compromised? How do I fix this?

Did you read /usr/share/doc/chkrootkit/README.Debian ? No you didn't.

  noflushd: A running noflushd and a 2.2 kernel may cause chkrootkit to warn
  about the presence of lkm.
  On 2.4.20: noflushd may trigger lkm warnings as well.
  -- paolo

  lkm: In general, any process starting at around the same time as the lkm
  test may trigger a warning. Just try

      while true; do chkrootkit lkm; sleep 1; done

  during normal system use. See also FAQ 6 on www.chkrootkit.org
  -- paolo

> Vanh

joerg
--
Give GATES no chance!
Re: My machine compromised?
On Wednesday, 3 December 2003 10:03, Vanh Phom wrote:
> Hi folks,
> After reading a report of servers being compromised, just out of curiosity I ran
> chkrootkit on my own machine and came up with this result:
>
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have12 process hidden for readdir command
> You have12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PROMISC
>
> Is my machine compromised? How do I fix this?

Find out who uses your eth0 interface in promiscuous mode. Maybe you have programs like ntop or network analysers running. Switch them off and try chkrootkit again.

12 processes? On a 2.2 kernel you should see no such processes; on 2.4, 4 processes seem to be 'normal'. You should find out details about 'LKM' (e.g. google), maybe consult www.chkrootkit.org.

Tim
Re: My machine compromised?
on Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom ([EMAIL PROTECTED]) wrote:
> Hi folks,
> After reading a report of servers being compromised, just out of curiosity I ran
> chkrootkit on my own machine and came up with this result:
>
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have12 process hidden for readdir command
> You have12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PROMISC
>
> Is my machine compromised? How do I fix this?

12 hidden processes is more than I've typically seen (4).

    # chkrootkit -v lkm

...for more verbose diagnostics.

Peace.

--
Karsten M. Self [EMAIL PROTECTED]        http://kmself.home.netcom.com/
 What Part of Gestalt don't you understand?
   Integrity, we've heard of it: http://www.theregister.co.uk/
Re: My machine compromised?
great tool ... never knew it existed until this post.

At Wednesday, 3 December 2003, Karsten M. Self [EMAIL PROTECTED] wrote:
> on Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom ([EMAIL PROTECTED]) wrote:
> > Hi folks,
> > After reading a report of servers being compromised, just out of curiosity I ran
> > chkrootkit on my own machine and came up with this result:
> >
> > Searching for anomalies in shell history files... nothing found
> > Checking `asp'... not infected
> > Checking `bindshell'... not infected
> > Checking `lkm'... You have12 process hidden for readdir command
> > You have12 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> > Checking `rexedcs'... not found
> > Checking `sniffer'... eth0: PROMISC
> >
> > Is my machine compromised? How do I fix this?
>
> 12 hidden processes is more than I've typically seen (4).
>
>     # chkrootkit -v lkm
>
> ...for more verbose diagnostics.
>
> Peace.
>
> --
> Karsten M. Self [EMAIL PROTECTED]        http://kmself.home.netcom.com/
>  What Part of Gestalt don't you understand?
>    Integrity, we've heard of it: http://www.theregister.co.uk/
Re: My machine compromised?
On Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom wrote:
> Hi folks,
> After reading a report of servers being compromised, just out of curiosity I ran
> chkrootkit on my own machine and came up with this result:
>
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have12 process hidden for readdir command
> You have12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PROMISC
>
> Is my machine compromised? How do I fix this?
>
> Vanh

If it's unstable, then there is a bug with chkrootkit. Do a ps ax and see how many processes you have with pid 0. I don't remember the criterion, but some processes owned by the kernel are started with the kernel's pid, which is 0 (I hope I am not mixing things up, but that is the essential idea; search the archives on this if you want the exact story).

Also try running /usr/lib/chkrootkit/chkproc -v and it will tell you exactly which processes are seen as hidden. You can then try to do:

    cat /proc/pid/status

(hoping that wasn't compromised if the computer was, which it probably wasn't) to see what the process actually is.
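The check Micha describes above (have chkproc say which pids it treats as hidden, then read /proc/<pid>/status for each of them) and the README.Debian point quoted earlier in the thread (a process that starts or exits while the lkm test runs can trigger the warning) can both be carried out by hand with the script below. It is an added example for this thread, not chkrootkit's or chkproc's own code: the function names, the default probe ceiling, the number of re-check rounds and the sample status text are this example's own assumptions. It compares the pids readdir() lists under /proc with the pids that answer when addressed by number, re-checks the difference a few times so short-lived processes drop out, and for whatever survives reports the Name and State fields plus whether the entry is merely a thread of a visible process (on 2.6 and later kernels each thread has a /proc/<tid> directory that readdir does not list, which is exactly the kind of entry that shows up as "hidden").

```python
"""Hand-rolled hidden-process check: compare the pids readdir() lists under
/proc with the pids that answer when addressed by number, re-check survivors,
then read /proc/<pid>/status for them.  Added example, not chkrootkit code."""
import os
import time

# Constructed sample of a /proc/<pid>/status file (only the fields we parse).
# Tgid 1200 != Pid 1234 marks this entry as a thread of process 1200.
SAMPLE_STATUS = "Name:\tevolution\nState:\tS (sleeping)\nTgid:\t1200\nPid:\t1234\nPPid:\t1\n"

DEFAULT_MAX_PID = 32768  # assumed probe ceiling; pass /proc/sys/kernel/pid_max for a full sweep


def readdir_pids(proc="/proc"):
    """Pids that readdir() on /proc returns: the view `ls /proc` and `ps` rely on."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_pids(max_pid=DEFAULT_MAX_PID, proc="/proc"):
    """Pids that exist when addressed directly, whether readdir listed them or not.

    A stat() of /proc/<pid>/status by path is not filtered by a readdir hook,
    and kill(pid, 0) delivers no signal: it fails with ESRCH only when no such
    process exists (EPERM means it exists but belongs to someone else)."""
    found = set()
    for pid in range(1, max_pid + 1):
        if os.path.exists("%s/%d/status" % (proc, pid)):
            found.add(pid)
            continue
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def parse_status(text):
    """Pull Name, State, Pid, Tgid and PPid out of /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "name": fields.get("Name", "?"),
        "state": fields.get("State", "?"),
        "pid": int(fields.get("Pid", 0)),
        "tgid": int(fields.get("Tgid", 0)),
        "ppid": int(fields.get("PPid", 0)),
    }


def hidden_candidates(visible, probed):
    """Pids that answered a probe but were absent from readdir: chkproc's 'hidden'."""
    return sorted(probed - visible)


def confirm_candidates(candidates, visible_fn, probed_fn, rounds=3, delay=0.2):
    """Keep only candidates still hidden in every re-check, so a process that was
    just starting or exiting between the two snapshots is not reported."""
    persistent = set(candidates)
    for _ in range(rounds):
        if not persistent:
            break
        time.sleep(delay)
        persistent &= probed_fn() - visible_fn()
    return sorted(persistent)


def classify(status, visible):
    """Thread directories (/proc/<tid>) exist but are not listed by readdir on
    2.6-era and newer kernels; if the thread's group leader (Tgid) is visible,
    nothing is hidden.  Anything else deserves a closer look."""
    if status["tgid"] != status["pid"] and status["tgid"] in visible:
        return "thread of visible pid %d" % status["tgid"]
    return "hidden"


def report(proc="/proc", max_pid=DEFAULT_MAX_PID):
    """Run the whole check on the live system and return one line per survivor."""
    visible = readdir_pids(proc)
    candidates = hidden_candidates(visible, probe_pids(max_pid, proc))
    survivors = confirm_candidates(candidates,
                                   lambda: readdir_pids(proc),
                                   lambda: probe_pids(max_pid, proc))
    lines = []
    for pid in survivors:
        try:
            with open("%s/%d/status" % (proc, pid)) as fh:
                status = parse_status(fh.read())
        except OSError:
            continue  # exited between the re-check and the read
        lines.append("%d %s %s: %s" % (pid, status["name"], status["state"],
                                       classify(status, visible)))
    return lines


if __name__ == "__main__":
    for line in report() or ["no hidden pids below %d" % DEFAULT_MAX_PID]:
        print(line)
```

Run it as root so every /proc/<pid>/status is readable; a line ending in "thread of visible pid N" is the 2.6 thread case and not a hidden process, while a line ending in "hidden" that persists across runs is the one to investigate with the full status file and the binary the pid is running. Note that this script reads /proc through the same kernel a loaded module would have hooked, which is the caveat Micha makes about cat /proc/pid/status; it is a triage aid, not proof of a clean kernel.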
Re: My machine compromised?
On Wed, 03 Dec 2003 01:03:34 -0800, Vanh Phom wrote:
> Hi folks,
> After reading a report of servers being compromised, just out of curiosity I ran
> chkrootkit on my own machine and came up with this result:
>
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have12 process hidden for readdir command
> You have12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PROMISC
>
> Is my machine compromised? How do I fix this?
>
> Vanh

Read "Running chkrootkit" in http://www.wiggy.net/debian/developer-securing/

...oh, and try searching the list before posting, this question's been covered at length over the last few days...

--
paul

I think that gay marriage is something that should be between a man and a woman.
  -- Arnold Schwarzenegger, Governor of California
Re: My machine compromised?
In article [EMAIL PROTECTED], Vanh Phom [EMAIL PROTECTED] wrote:
> Hi folks,
> After reading a report of servers being compromised, just out of curiosity I ran
> chkrootkit on my own machine and came up with this result:
>
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have12 process hidden for readdir command
> You have12 process hidden for ps command

Bet you're running a 2.6 kernel. See http://bugs.debian.org/chkrootkit

Mike.