Security Basics mailing list archives

chkrootkit output question. Follow up #xxx1


From: Al <omega0x () yahoo com>
Date: Wed, 03 Sep 2003 16:19:45 -0400

Hello world: 2003, Year of Hope !!!


Hi all,
Thank you Michael for your help and your time.

Thank you all for your help, but all I did is just reformat my hard drives 
except /home and install my Gentoo from scratch.

Urgs... that is unwise. Hope you have a backup of your logfiles?
It would be better... but that is unimportant now :-)

Al: I have no backups of my logfiles.


I am still scared about my /home if anything was INFECTED.
Hope not !!!

Write a simple iptables script and log the *outgoing* traffic from those 
ports. If there is any, examine which application uses it.

Al: Well, I have to study first how iptables works and write those scripts.
I think the Netgear firewall gives the option to send all traffic to 
/var/syslog.
I will check that.

My questions are:
1- If I was "owned by a trojan", which trojan???

After formatting your hard drive no one can answer this.

Al: Sir, You are right !!!

2- How can I make sure that my /home is safe?
chkrootkit
chkproc -v for a closer look if lkm shows a suspicious process
nmap -v -sT -O [IP] - examine which ports are open
'netstat -pltn' - examine which process is listening on which TCP port
'netstat -plun' - the same for UDP
look for the process in /proc - here you find the binary

Looks like this: (the dir is /proc/.15247, which means a 'hidden' process;
under some Linux versions chkrootkit reports this as 'possible LKM trojan')

Al: 

Output of chkproc:
# chkproc -v
#
Nothing.

# nmap -v -sT -O 192.168.0.3         ----->>>   IP for Gentoo.

     Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-09-03 14:38 EDT
Host staw.mat.net (192.168.0.3) appears to be up ... good.
Initiating Connect() Scan against  staw.mat.net (192.168.0.3) at 14:38
Adding open port 6000/tcp
Adding open port 25/tcp
The Connect() Scan took 0 seconds to scan 1644 ports.
For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
Interesting ports on staw.mat.net (192.168.0.3):
(The 1642 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
6000/tcp   open        X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.519 days (since Wed Sep  3 02:11:08 2003)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2050440 (Good luck!)
IPID Sequence Generation: All zeros

----->> End of the Output.  <<------     

Output of: netstat 

# netstat -pltn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      16725/X
tcp        0      0 0.0.0.0:41426           0.0.0.0:*               LISTEN      16794/artsd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      731/cupsd
tcp        0      0 192.168.0.3:25          0.0.0.0:*               LISTEN      1387/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1387/master

# netstat -plun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:631             0.0.0.0:*                           731/cupsd


Under /proc no hidden files.

I also scanned /home using f-prot and it gave me some infected files.
Deleted them... rescanned /home and here is the report:

Results of virus scanning:

Files: 117770
MBRs: 0
Boot sectors: 0
Objects scanned: 177315

Time: 6:55

No viruses or suspicious files/boot sectors were found.

Many thanks.
Al
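As an added example (mine, not Al's or Michael's, and not part of the original thread): Michael's triage of "which process listens on which port", applied to the netstat listing Al posted, embedded here as constructed sample input with the wrapped PID/Program column joined back onto each row. The script parses `netstat -pltn` / `netstat -plun` output, separates loopback-only listeners from those bound to an address other hosts can reach, compares the reachable ones against the TCP ports the `nmap -sT` run reported open (a -sT scan never touches UDP, and nmap did not report 41426/tcp, which netstat shows artsd listening on), and emits the iptables LOG rules for outgoing connections from those ports that Michael suggests. The choice to log only `--state NEW` connections (replies to inbound connections are ESTABLISHED and would flood syslog) and the `-m limit` rate limit are my assumptions, not something the thread states.

```python
"""Triage of netstat listener output (added example, not from the thread).

Parses `netstat -pltn` / `netstat -plun`, separates loopback-only listeners
from ones other hosts can reach, compares them with a TCP-only nmap result,
and emits iptables LOG rules for outgoing connections from those ports.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample input: the listeners from the post, with the wrapped
# "PID/Program name" column joined back onto each row as netstat prints it
# on a wide terminal. The -pltn and -plun outputs are simply concatenated.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      16725/X
tcp        0      0 0.0.0.0:41426           0.0.0.0:*               LISTEN      16794/artsd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      731/cupsd
tcp        0      0 192.168.0.3:25          0.0.0.0:*               LISTEN      1387/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1387/master
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:631             0.0.0.0:*                           731/cupsd
"""

# TCP ports the post's `nmap -v -sT -O 192.168.0.3` run reported open.
NMAP_OPEN_TCP = {25, 6000}


@dataclass(frozen=True)
class Listener:
    proto: str          # "tcp" or "udp"
    addr: str           # local address exactly as printed with -n
    port: int
    pid: Optional[int]  # None when netstat printed "-" (not run as root)
    program: str


def parse_netstat(text: str) -> List[Listener]:
    """Turn netstat -pltn / -plun rows into Listener records.

    Only rows starting with tcp/udp (or tcp6/udp6) are kept. The State column
    is absent for UDP, so PID/Program name is taken from the last field
    instead of a fixed column index.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0].rstrip("6")
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 ":::22" intact
        pidprog = fields[-1]
        if "/" in pidprog:
            pid_s, program = pidprog.split("/", 1)
            pid: Optional[int] = int(pid_s)
        else:
            pid, program = None, "?"
        listeners.append(Listener(proto, addr, int(port), pid, program))
    return listeners


def exposed(listeners: List[Listener]) -> List[Listener]:
    """Listeners other hosts can reach: anything not bound to a loopback address."""
    return [l for l in listeners if not ipaddress.ip_address(l.addr).is_loopback]


def unconfirmed_by_scan(listeners: List[Listener], tcp_open: Set[int]) -> List[Listener]:
    """Exposed listeners a TCP-only nmap run did not report as open.

    -sT never probes UDP, and nmap's default port list does not cover every
    high port, so these are the listeners the scan alone would not show.
    """
    confirmed = {("tcp", p) for p in tcp_open}
    return [l for l in exposed(listeners) if (l.proto, l.port) not in confirmed]


def iptables_log_rules(listeners: List[Listener], prefix: str = "SPORT-OUT") -> List[str]:
    """iptables commands logging connections this host *initiates* from a
    listening port, which a normal server daemon does not do. Replies to
    inbound connections are ESTABLISHED and are deliberately left out; the
    rate limit keeps a chatty port from flooding syslog (both are my choice).
    """
    rules = []
    for proto, port in sorted({(l.proto, l.port) for l in exposed(listeners)}):
        rules.append(
            f"iptables -A OUTPUT -p {proto} --sport {port} -m state --state NEW "
            f"-m limit --limit 10/min -j LOG --log-prefix \"{prefix} {proto}/{port} \""
        )
    return rules


if __name__ == "__main__":
    ls = parse_netstat(SAMPLE_NETSTAT)
    for l in exposed(ls):
        print(f"{l.proto}/{l.port:<6} {l.addr:<14} {l.program} (pid {l.pid})")
    for l in unconfirmed_by_scan(ls, NMAP_OPEN_TCP):
        print(f"not covered by the nmap -sT result: {l.proto}/{l.port} {l.program}")
    print("\n".join(iptables_log_rules(ls)))
```

Run it as root to get the PID/Program column populated; otherwise netstat prints "-" and the parser records no PID. The binary behind a PID is then `/proc/<pid>/exe`, which is the step Michael describes after netstat.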





