Security Basics mailing list archives

Re: chkrootkit output question. Follow up #xxx1


From: Michael Weber <mweber () hitwin com>
Date: Thu, 04 Sep 2003 14:52:41 +0200

Hi,

sorry for sending the last mail not to the list. I always forget to click "reply all"... :(

Okay... if you have no backups of the log files, you'd better forget the last crack. It is very unsexy to wonder about how an intruder came in.

> Well I have to study first how iptables work and write those scripts.
That's a *very* good idea; meanwhile you should use a standard script from the net to gather information and learn to read the log. If you know enough, delete it and write your own. Besides that, the right log level is important or you'll find yourself buried under 10 gigabytes of information...

> 2- How can I make sure that my /home is safe.
> chkrootkit
> output of chkproc:
> # chkproc -v
> Nothing.
That's fine so far. So there are no hidden processes running on your box, which - shame on me that I forgot this - depends extremely on the system you use and the version of chkrootkit. In RH 8, as I could learn here, you have a few hidden processes. That's the way RH handles threading... try another version of chkrootkit too... or best: try a different tool too. That's not paranoia...

> Adding open port 6000/tcp
> Adding open port 25/tcp

Is this from inside? If it is from outside, it's fine - if you want to connect to your X and have a mail server running.

X listens on 0.0.0.0, which means IN and OUT - so you should be able to connect to X and the artsd daemon (is this the PCM mixer from OSS?) from another box.

> 1387/master
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
>
> Under /proc no hidden files.

What is /proc/1387/@exe? Should be the Postfix mail server... there is no rpc and portmap stuff? That's good.

> I also scanned /home using f-prot and it gave me some infected files.
Which files? Infected by what? That's interesting. You did not delete the log? Not again :) ? The best way to capture another box is to do the following (if I were a bad boy)

#use an exploit to get enough rights or just go to your favorite
 University IT pool / Internet cafe (those cafes restrict floppy and
 CD drive access... hopefully no one tells them that you can transport
 files with a simple USB stick... :-) )
#install whatever intelligent rootkit you want
 (the best ones do *not* listen! They grab packets directly from the NIC and
 watch for special packets (random TCP and UDP packets with a defined
 content) and then execute a pre-defined command (/bin/bash or
 whatever))
#wait...
#wait another week...
#try to contact your rootkit. If you gain success and root access... fine
#wait another week

Then you have to hide another rootkit and a simple activation mechanism... wherever, however... that's not interesting here. Important is: if you know what files are infected you have a good chance to gain information about the rootkit he uses, and so you have the way he came in.

> Deleted them... rescan /home and here is the report:
Without the infected files it is empty, sure... but what was the origin of the infection?

#now you should inform the admin how you came in and what he has to do
#after activating the second rootkit do it again :-) He will be amused...

For remote administration use one of those intelligent backdoors or
http://cmn.listprojects.darklab.org/

regards,
Michael Weber
Berlin, Germany
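The reply above reads the netstat rows by bind address: 127.0.0.1:25 is reachable only locally, while 0.0.0.0:6000 (X) is reachable from any host. The following is an added example, not code from the post or from chkrootkit: it parses netstat-style listener rows, marks which sockets are network-facing, and reports those missing from an allow-list. The sample rows are constructed to mirror the thread's figures.

```python
from __future__ import annotations
from dataclasses import dataclass

# Addresses that only the local host can reach; anything else is network-facing.
LOOPBACK = {"127.0.0.1", "::1"}

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    exposed: bool  # True when a remote host can reach the socket

def parse_listeners(netstat_output: str) -> list[Listener]:
    """Parse 'netstat -ltun'-style rows: Proto Recv-Q Send-Q Local Foreign [State]."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        proto = parts[0]
        if proto.startswith("tcp") and "LISTEN" not in parts:
            continue  # established tcp connections are not listeners
        addr, _, port = parts[3].rpartition(":")  # rpartition copes with IPv6 "::1:25"
        found.append(Listener(proto, addr, int(port), addr not in LOOPBACK))
    return found

def unexpected_exposures(netstat_output: str,
                         allowed: set[tuple[str, int]]) -> list[Listener]:
    """Network-facing listeners not on the allow-list of (proto, port) pairs."""
    return [l for l in parse_listeners(netstat_output)
            if l.exposed and (l.proto.rstrip("6"), l.port) not in allowed]

# Constructed sample mirroring the figures quoted in the thread (not a real capture).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

if __name__ == "__main__":
    # Only ssh is expected to be reachable; X (6000) and portmap (111) get flagged.
    for l in unexpected_exposures(SAMPLE, {("tcp", 22)}):
        print(f"exposed {l.proto}/{l.port} bound to {l.addr}")
```

Feed it the real output of `netstat -ltun` and compare the flagged ports against what the box is actually supposed to serve; the loopback-only mail server from the thread stays quiet, the wildcard-bound X server does not.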



