JB,
I figured you or someone else might like to know this. I killed the dhc process, cleaned up the .conf files, did a restart on Network Manager, and everything worked!
Ran chkrootkit and it hit on netstat as Infected (imagine that). It also reported a possible LKM Trojan intrusion. I then ran rkhunter and it threw warnings on the following files: /bin/netstat /bin/ps /usr/bin/top /usr/bin/lsof
It also reported undocumented password change and group file changes.
Password I could see, with me going through Webmin to reset the root password, but I was careful to change nothing else, much less groups!
I rebooted and the problem was back just as before!
With that I threw up my hands and have WipeDrive going on the drives in DoD mode!
Hope this might help someone!
Again thanks for the help!
On 09/25/2010 07:14 PM, Mike Dwiggins wrote:
chkrootkit found this, but I have no idea where the process is:
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
So, if it will not tell me which process it is, how can I find it?
On 9/25/2010 8:28 PM, JD wrote:
Beats me, this is where it gets above my head! I had enough problems with it that I just went Scorched Earth. There should be a lesser way, but I am not that good and admit it!
On 9/25/10 8:34 PM, Mike Dwiggins wrote:
Usually, at this time, it is time to hope you backed up your system before you were rooted, blow everything away and start over. Also a good time to upgrade to the latest version of whatever OS you are using.
James McKenzie
On 09/25/2010 08:38 PM, James McKenzie wrote:
Well, if my machine was rooted, and I have a firewall that drops ALL incoming requests, then how was it rooted if not through some package or through the kernel itself?
On 09/26/2010 12:54 PM, JD wrote:
I would suggest folks take a step back and do some research on "lkm false positive" before jumping to a conclusion that they have a problem.
On 09/25/2010 10:42 PM, Ed Greshko wrote:
Well, ... before jumping to the conclusion that who has a problem? rkhunter or chkrootkit? I assume you mean rkhunter?? If so, I tend to agree. I saw a lot of Google hits reporting false positives by chkrootkit.
On 09/26/2010 01:52 PM, JD wrote:
Any of these "detection applications" can report false positives, which is why they report "your system *may* be infected" or "*Possible* XXX installed...".
My message is simple. If you run these apps and they say you may be infected...don't jump to a conclusion and nuke your system.
On 9/25/10 11:05 PM, Ed Greshko wrote:
It is quite interesting that the files that were infected are those files.
And I agree that blowing away the system should be a 'last resort' action, but the OP is of the opinion that the system was indeed rooted due to a review of the auditing logs, which show these files were changed from the outside.
Firewalls are breachable, BTW. It was fun to watch the TV ads with the African Female talking with the 17 year old's voice that had cracked her account and then he used her money to build 'a Robot that I'm taking to the Senior Prom'. She was not amused.
Also, it is a good idea to use TWO or more tools to verify that you were 'rooted'. A check of the file change dates will also reveal if you were breached.
James McKenzie
On 09/26/2010 05:49 AM, James McKenzie wrote:
It was a false positive. At the end of my $PATH was a bin dir for many scripts I create to make my typing less tedious. One of the scripts was called psu and it invoked ps with different options. I moved it to /tmp and re-ran chkrootkit and it came clean. No rootkit.
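JD asked earlier how to locate the process chkproc calls hidden, and has just found the warning was a false positive. The script below is an added example, not chkrootkit's code: it enumerates PIDs the three ways chkproc's lkm test does (direct /proc probe, readdir of /proc, ps) and reports the differences, while skipping the two usual false-positive sources, threads and processes that exit between samples. It assumes Linux with /proc mounted and ps at /bin/ps.

```python
"""Three views of the process table (direct /proc probe, readdir of /proc,
ps), compared the way chkrootkit's chkproc does. Added example for this
thread, not chkrootkit's code; assumes Linux with /proc and /bin/ps."""
import os
import subprocess

def pids_by_probe(max_pid):
    """PIDs whose /proc/<pid>/status opens when asked for directly; a
    module that only filters readdir() cannot hide these. Non-leader
    threads answer too but are never listed by readdir, so skip them."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"/proc/{pid}/status", "rb") as fh:
                tgid = [l for l in fh if l.startswith(b"Tgid:")][0].split()[1]
        except (OSError, IndexError):
            continue  # no such PID, or it exited while we looked
        if int(tgid) == pid:
            found.add(pid)
    return found

def pids_by_readdir():
    """PIDs a plain directory listing of /proc returns (the readdir view)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pids_by_ps():
    """PIDs ps reports. Absolute path on purpose: a look-alike ps, or a
    wrapper script earlier in PATH, must not be what gets run."""
    out = subprocess.run(["/bin/ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def find_hidden(probe, readdir, ps, settle):
    """Pure set logic. `settle` is a second probe taken after the others;
    a PID absent from it exited between samples (the usual cause of a
    one-process 'hidden' warning) and is not reported."""
    return (sorted((probe - readdir) & settle), sorted((probe - ps) & settle))

def scan():
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    first = pids_by_probe(max_pid)
    listed, shown = pids_by_readdir(), pids_by_ps()
    return find_hidden(first, listed, shown, pids_by_probe(max_pid))

if __name__ == "__main__":
    hidden_readdir, hidden_ps = scan()
    print("hidden for readdir:", hidden_readdir or "none")
    print("hidden for ps:", hidden_ps or "none")
```

Run it as root so every /proc/<pid>/status is readable; with a large pid_max the probe loop takes a while. A module that filters direct lookups as well as readdir defeats all three views, which is why the advice elsewhere in this thread to scan from read-only live media still applies.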
On 9/26/10 8:17 AM, JD wrote:
Good news and no need to go nuclear on the system...
James McKenzie
Mike Dwiggins <mike <at> azdwiggins.com> writes:
Hi,
congratulations, even if that does not seem appropriate :-)
You should test your other servers with both security programs as well. You should do it on a regular basis, by the way.
Rkhunter installs as a cron job as well and sends a report to your system mail box.
# ls /etc/cron.daily/
... rkhunter ...
Keep around some good (and up-to-date) live-cd (Knoppix, etc) that also has those security programs on it (check that beforehand). It must be kept up-to-date (downloaded and burned) frequently due to changes in attack pattern recognition. But it is safer to perform the scan from read-only media.
There is a clear sense of apprehension in Fedora community :-)
JB
JB <jb.1234abcd <at> gmail.com> writes:
A follow-up.
After you have performed a scan of the other servers, should you discover similar infections, do not stop investigating or nuke the system immediately. There are a few simple steps that should be done, best from a read-only live-cd:
- compare sizes of infected files to ones in the OS's repository
- for binaries there is a 'strings' command whose results may be compared as above
Do not get irritated by something like that. You are lucky to know you have been hacked; there are millions of users who do not know it yet, if ever.
JB
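JB's two checks above (compare sizes, compare strings output) as an added example, not JB's code or any tool's: a minimal strings(1) plus a size, sha256 and strings comparison of a suspect file against a known-good copy from the same package version. The byte blobs are constructed stand-ins, not real binaries.

```python
"""Size, sha256 and strings(1)-style comparison of a suspect binary against
a known-good copy from the distribution package. Added example, not code
from the thread or any tool; the byte blobs below are constructed."""
import hashlib
import re

def strings(blob, min_len=4):
    """Runs of printable ASCII at least min_len long, as strings(1) does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def compare(good, suspect):
    """How `suspect` differs from `good`: size delta, hash equality, and
    the strings found in only one of the two. A same-size patch shows up
    in the hash and strings even though the size delta is zero."""
    good_strs, suspect_strs = set(strings(good)), set(strings(suspect))
    return {
        "size_delta": len(suspect) - len(good),
        "same_hash": hashlib.sha256(good).digest()
        == hashlib.sha256(suspect).digest(),
        "only_in_suspect": sorted(suspect_strs - good_strs),
        "only_in_good": sorted(good_strs - suspect_strs),
    }

def compare_files(good_path, suspect_path):
    """Same check on two files, e.g. a copy unpacked from the package with
    rpm2cpio and the flagged file on the host."""
    with open(good_path, "rb") as g, open(suspect_path, "rb") as s:
        return compare(g.read(), s.read())

# Constructed stand-ins: a few bytes that look like a small ELF with strings.
GOOD_PS = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
           + b"ps: bad option\x00/proc\x00GNU C Library\x00")
APPENDED_PS = GOOD_PS + b"CONSTRUCTED-EXTRA-STRING\x00"  # grew: size + hash
PATCHED_PS = GOOD_PS.replace(b"/proc", b"/tmp1")  # same size: hash + strings

if __name__ == "__main__":
    for name, blob in (("appended", APPENDED_PS), ("patched", PATCHED_PS)):
        print(name, compare(GOOD_PS, blob))
```

On Fedora `rpm -V <package>` does the size and digest part against the RPM database, but a known-good copy unpacked from the package itself (rpm2cpio) does not depend on a database the intruder could also have edited.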