I just discovered yesterday that my system had been hacked, and whoever was responsible was running a program called psybnc as well as some scanners, presumably to find more systems to compromise. I spent today cleaning it all up and closing the security hole, a stupidly weak root password and root ssh access, and just finished running both chkrootkit and rkhunter.
chkrootkit came up clean, but rkhunter warns of a possible adore rootkit. I know there's an issue with false positives in this case, however checking the logs reveals repeated reloading (within the same second) of the dbus configuration file (which from my reading on this forum might be indicative of the adore rootkit) and that root has changed the password of the hal and dbus users at least once. I don't have any other arch systems to compare this to at the moment, so what I'm wondering is if either of those are cause for concern, as I have everything else taken care of.
"But it does me no injury for my neighbor to say there are twenty gods or no God. It neither picks my pocket nor breaks my leg." -Thomas Jefferson
If root was hacked there's no way you can ever know if you've got it clean without formatting and reinstalling. I don't think I'd even bother trying to clean it up.
Yeah, I'm not sure it can be done either, but it seems they weren't very thorough. I've got a nearly complete record of what was done since they didn't bother to clean up the bash history file. They did delete every executable they ran, but that doesn't really help when you leave the download link behind. The only thing I don't have a copy of is a script/binary called "x", which doesn't appear in the linked archive.
Nevermind, it seems that the mysterious "x" is in fact most likely the adore rootkit. And here I was hoping I wouldn't have to reinstall.
Last edited by KDH (2011-01-23 05:15:15)
I believe that the warning from rkhunter is because of the existence of the heimdal package.
In my Arch Linux installation I did the following:
Try to force removing heimdal:
pacman -Rd heimdal
Run:
rkhunter --checkall
and the adore rootkit will go away. That happened on my system.
P.S. Do not forget to pacman -S heimdal again.
Mikes on AUR
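The procedure above removes the package to make the warning disappear. An added example (not from the thread, not mechmg93's code) of the check a practitioner would do instead: ask the package database who owns the flagged file and whether the owning package's installed files still match the database. rkhunter's adore check lists /usr/sbin/kfd, which Heimdal ships, so on a heimdal system that file is expected to exist. Assumptions: pacman with -Qkk (pacman 4.1 or later, newer than this 2011 thread), and a pacman binary plus local database you still trust; on a rooted host neither holds, so this helps with the false-positive question, not with the reinstall decision.

```shell
#!/bin/sh
# Added example, not from the thread: triage a file rkhunter flagged
# (e.g. /usr/sbin/kfd from the adore check) against the package database
# instead of force-removing the package that owns it.
# Assumes pacman >= 4.1 (for -Qkk) and a trustworthy pacman and local db.
set -u

# owner_of PATH: print the name of the package owning PATH, or nothing
# if no package owns it. Parses "PATH is owned by PKG VERSION".
owner_of() {
    pacman -Qo "$1" 2>/dev/null |
        sed -n 's/^.* is owned by \([^ ]*\) .*$/\1/p' | head -n 1
}

# package_intact PKG: status 0 if every installed file of PKG still matches
# the local database (size, mode, mtime and checksum), non-zero otherwise.
package_intact() {
    pacman -Qkk "$1" >/dev/null 2>&1
}

# triage PATH: print one of "unowned", "owned-intact" or "owned-altered".
# "unowned" is the interesting case: a file matching a rootkit name that no
# package accounts for. "owned-intact" is what a packaging false positive
# such as heimdal's kfd looks like.
triage() {
    pkg=$(owner_of "$1")
    if [ -z "$pkg" ]; then
        echo "unowned"
        return 0
    fi
    if package_intact "$pkg"; then
        echo "owned-intact"
    else
        echo "owned-altered"
    fi
}

# Usage (hypothetical path from the thread's warning):
#   triage /usr/sbin/kfd
```

From a live CD the same queries can be pointed at the old installation with pacman's -r/--root option, but the database on that disk was writable by the attacker, so "owned-intact" from it proves little; an "unowned" result is still worth chasing.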
I think adore cleans out .bash_history automatically. Of course the person could have modified it or something. I guess I'd be worried that they left a little something there so you'd feel confident you knew what they did.
@mechmg93: Yeah, I know about rkhunter's issue with heimdal, that's why I was asking about the log activity I mentioned in the first post.
@brianhanna: That worried me as well, especially after searching for info on adore: I found that, in at least one package, a modified version of its installer is called "x", which showed up in root's bash history four or five times.
So, I'm not going to take any chances, and am in the middle of reinstalling right now, and I'm not going to trust any binaries from the old system. Videos, Music, and Pictures should be safe, right? That's the only stuff on the machine I care about. Sorry if it's a silly question, never had to deal with a root kit before.
Last edited by KDH (2011-01-23 16:23:03)
boo
Last edited by jimtito (2011-01-23 17:50:10)
I think your files will probably be ok. You could use a live cd to take a look at all the files you're saving. Pics, videos, etc, don't need to be executable so you could "chmod -x" on everything you back-up. That would give you some protection even if they messed with one of those files.
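The post above describes the procedure in words: boot a live CD, copy only the data files, and strip the execute bit so nothing carried over can run. An added example of that procedure as a script (not from the thread, not brianhanna's code). Mount points and the extension allowlist are hypothetical; the old root is assumed mounted read-only at /mnt/old and the backup target at /mnt/usb. Copying without -p or -a is deliberate: ownership, mode and setuid/setgid bits from the untrusted disk are never preserved, and the audit function afterwards proves that nothing in the backup is executable.

```shell
#!/bin/sh
# Added example, not from the thread: copy media out of a mounted compromised
# root from a live CD, keeping only allowlisted data-file extensions, never
# preserving ownership or mode bits, then audit the result.
# Hypothetical paths: old root at /mnt/old, backup target at /mnt/usb.
set -u

# backup_media SRC DST: copy allowlisted media files from SRC into DST,
# keeping the relative directory layout, each file ending up mode 0644.
backup_media() {
    src=${1%/}
    dst=$2
    mkdir -p "$dst" || return 1
    find "$src" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.mp3' -o -iname '*.flac' -o -iname '*.ogg' \
        -o -iname '*.mkv' -o -iname '*.mp4' -o -iname '*.avi' \) -print |
    while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dst/$(dirname "$rel")"
        # plain cp (no -p/-a): owner, group, setuid/setgid and mode bits are
        # not carried over from the untrusted disk; then force a data-only mode.
        cp "$f" "$dst/$rel" && chmod 0644 "$dst/$rel"
    done
}

# count_executables DIR: number of regular files under DIR with any execute,
# setuid or setgid bit set. Expected to be 0 for a media-only backup.
count_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
        -o -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Usage from the live CD (hypothetical mount points):
#   backup_media /mnt/old/home/kdh /mnt/usb/backup
#   count_executables /mnt/usb/backup   # should print 0
```

The allowlist is by extension, which is the weak part: a file named photo.jpg is still whatever the attacker put there. Since nothing in the backup is executable and the files are only ever opened by a viewer or player, that reduces the risk to a media-parser bug rather than a dropped binary, which is the same trade-off the post above makes. Own scripts, as the thread concludes, are better rewritten than copied.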
Excellent. That just leaves my own scripts, which, worst case scenario, I can just re-write. Some of them probably need it anyway. Thank you very much for your help.
AFAIK that's a known false positive.
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
mechmg93 wrote:
> I believe that the warning from rkhunter is because of the existence of the heimdal package.
> In my Arch Linux installation I did the following:
> Try to force removing heimdal:
> pacman -Rd heimdal
> Run:
> rkhunter --checkall
> and the adore rootkit will go away. That happened on my system.
> P.S. Do not forget to pacman -S heimdal again.
Odd, I took your advice and received the following warnings (I did not post the OK status messages):
Checking system commands...
Checking for prerequisites [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/sbin/adduser [ Warning ]
Checking the local host...
Checking for syslog configuration file [ Warning ]
Checking the local host...
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
Can you verify that your system isn't flagging them as well? x86_64 here (up-to-date).
Last edited by graysky (2011-01-23 20:34:51)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
graysky wrote:
> Can you verify that your system isn't flagging them as well? x86_64 here (up-to-date).
You don't have the /usr/sbin/kfd warning. The rest of the [Warning] messages are probably specific to your system.
Last edited by Leonid.I (2011-01-24 21:21:46)
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Graysky: a good maintainer checks the details of the warnings, as rkhunter recommends at the end of the scan. The warnings can mean just about anything.