Security Basics mailing list archives
chkrootkit output question. Follow up #xxx1
From: Al <omega0x () yahoo com>
Date: Wed, 03 Sep 2003 16:19:45 -0400
Hello world: 2003, Year of Hope !!! Hi all, Thank you Michael for your help and your time.
Thank you all for your help, but all I did is just reformat my hard drives except /home and install my Gentoo from scratch.

Urgs... that is unwise. Hope you have a backup of your logfiles? It would be better... but that is unimportant now :-)
Al: I have no backups of logfiles.
I am still scared about my /home if anything was INFECTED. Hope not !!!
Write a simple iptables script and log the *outgoing* traffic from those ports. If there is any - examine which application uses it.
Al: Well, I have to study first how iptables works and write those scripts. I think the Netgear firewall gives the option to send all traffic to /var/syslog. I will check that.

My questions are:
1- If I was "owned by a trojan", which trojan ???

After formatting your hard drive no one can answer this.
Al: Sir, you are right !!!

2- How can I make sure that my /home is safe?

chkrootkit
chkproc -v for a closer look if lkm shows a suspicious process
* nmap -v -sT -O [IP] - examine which ports are open
'netstat -pltn' - examine which process is listening on which TCP port
'netstat -plun' - the same for UDP
look for the process in /proc - here you find the binary
Looks like this: (dir is /proc/.15247 - which means a 'hidden' process, which under some Linux systems results in chkrootkit reporting 'possible LKM trojan')

Al: output of chkproc:
# chkproc -v
# Nothing.

# nmap -v -sT -O 192.168.0.3 ----->>> ip for gentoo.
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-09-03 14:38 EDT
Host staw.mat.net (192.168.0.3) appears to be up ... good.
Initiating Connect() Scan against staw.mat.net (192.168.0.3) at 14:38
Adding open port 6000/tcp
Adding open port 25/tcp
The Connect() Scan took 0 seconds to scan 1644 ports.
For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
Interesting ports on staw.mat.net (192.168.0.3):
(The 1642 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
6000/tcp   open        X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.519 days (since Wed Sep 3 02:11:08 2003)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2050440 (Good luck!)
IPID Sequence Generation: All zeros
----->> End of the Output. <<------

Output of: netstat
# netstat -pltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      16725/X
tcp        0      0 0.0.0.0:41426           0.0.0.0:*               LISTEN      16794/artsd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      731/cupsd
tcp        0      0 192.168.0.3:25          0.0.0.0:*               LISTEN      1387/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1387/master

# netstat -plun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:631             0.0.0.0:*                           731/cupsd

Under /proc no hidden files.
I also scanned /home using f-prot and it gave me some infected files. Deleted them... rescanned /home and here is the report:

Results of virus scanning:
Files: 117770
MBRs: 0
Boot sectors: 0
Objects scanned: 177315
Time: 6:55
No viruses or suspicious files/boot sectors were found.

Many thanks.
Al
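Added example (not from the thread or from any of its participants): a small Python script that parses the 'netstat -pltn' / 'netstat -plun' output quoted above and cross-checks it against the two TCP ports the nmap run reported open. It separates loopback-only listeners from ones reachable from other hosts and flags exposed listeners the scan did not account for: artsd on 41426/tcp was listening on 0.0.0.0 but does not appear in the nmap result, and cupsd on 631/udp is never covered by a -sT TCP connect scan. The sample text is constructed from the output in the thread.

```python
"""Cross-check netstat listeners against the open ports an nmap scan reported."""
import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str    # tcp / udp
    addr: str     # local bind address
    port: int
    program: str  # "PID/Program name" column ("-" when netstat is not run as root)


# Constructed sample: the netstat -pltn and -plun output quoted in the thread.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0 0 0.0.0.0:6000    0.0.0.0:* LISTEN 16725/X
tcp   0 0 0.0.0.0:41426   0.0.0.0:* LISTEN 16794/artsd
tcp   0 0 127.0.0.1:631   0.0.0.0:* LISTEN 731/cupsd
tcp   0 0 192.168.0.3:25  0.0.0.0:* LISTEN 1387/master
tcp   0 0 127.0.0.1:25    0.0.0.0:* LISTEN 1387/master
udp   0 0 0.0.0.0:631     0.0.0.0:*        731/cupsd
"""
# TCP ports the thread's 'nmap -v -sT -O 192.168.0.3' run reported open.
NMAP_OPEN_TCP = {25, 6000}

# One netstat row: proto, two queue counters, local addr:port, foreign addr,
# an optional LISTEN state (absent for UDP), then the program column.
ROW_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$")


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, addr, port, prog = m.groups()
            rows.append(Listener(proto, addr, int(port), prog))
    return rows


def is_exposed(lst):
    """Reachable from other hosts: bound to a wildcard or a non-loopback address."""
    return not (lst.addr.startswith("127.") or lst.addr == "::1")


def cross_check(netstat_text, nmap_open_tcp):
    """Exposed listeners, and which of them the nmap scan did not account for."""
    exposed = [lst for lst in parse_netstat(netstat_text) if is_exposed(lst)]
    tcp_ports = {lst.port for lst in exposed if lst.proto.startswith("tcp")}
    return {
        "exposed": [f"{lst.port}/{lst.proto[:3]} {lst.program}" for lst in exposed],
        # exposed TCP listeners nmap did not list, e.g. a high port outside the scanned range
        "tcp_not_seen_by_nmap": sorted(tcp_ports - nmap_open_tcp),
        # -sT is a TCP connect scan, so UDP listeners are not covered by it at all
        "udp_exposed": sorted(lst.port for lst in exposed if lst.proto.startswith("udp")),
    }


if __name__ == "__main__":
    for key, value in cross_check(NETSTAT_SAMPLE, NMAP_OPEN_TCP).items():
        print(f"{key}: {value}")
```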