Hi,
I'm observing strange symptoms lately:
1. The Jabber client does not connect to servers (MSN and ICQ are OK). I tried Gaim mostly, centericq too.
2. Firefox shows a strange dialog about an expired certificate on void.gr - I do not visit the site, and the dialog shows up even when all extensions are disabled.
3. nmap shows strange things (ports 111 and 876 are open):
>sudo nmap -A -T4 localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-17 21:46 IST
Interesting ports on wizard.localdomain (127.0.0.1):
Not shown: 1693 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.5 (protocol 2.0)
111/tcp open rpcbind 2 (rpc #100000)
876/tcp open unknown
6000/tcp open X11 (access denied)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.18 - 2.6.19 (x86)
Uptime: 6.935 days (since Sat Feb 10 23:19:19 2007)
Network Distance: 0 hops
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 7.584 seconds
When I'm running nmap there's no internet-related application running, as far as I know. ssh is open for remote access, but (again, as far as I know) it's limited to one user with a serious password.
Help, what's going on?
If sshd is the only server you installed, your computer has definitely been compromised. Backup, reformat, and reinstall; it's the only way to be sure.
If you want to, you can image your drive for later examination (to see what the intruder did).
Before I do it, I'd like to understand what happened. What are those ports? By what app are they used?
Can you please help me and tell me how I can determine what happened? I did the following:
>sudo /opt/chkrootkit/chkrootkit -q
Warning: crontab for nobody found, possible Lupper.Worm...
can't exec ./strings-static,
/usr/lib/perl5/current/i686-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/SVN/_Core/.packlist /usr/lib/perl5/site_perl/current/i686-linux/auto/CDDB_get/.packlist /usr/lib/glib-2.0/include/.sconsign /usr/lib/gtk-2.0/include/.sconsign /usr/lib/.sconsign
INFECTED (PORTS: 4000)
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
not tested: can't exec ./chkutmp
and
>sudo /usr/bin/rkhunter --cronjob --report-warnings-only
No logfile given: using default.
Determining OS... Warning: This operating system is not fully supported!
gpg: WARNING: unsafe ownership on configuration file `/home/roman/.gnupg/gpg.conf'
-----------------------------------------------------------------
Found warnings:
[00:39:01] Warning: This operating system is not fully supported!
-----------------------------------------------------------------
If you're unsure about the results above, please contact the
Rootkit Hunter team through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
Some errors has been found while checking. Please perform a manual check on this machine (wizard)
Last edited by drakosha (2007-02-17 22:36:32)
Please run "netstat -lp" as root (it's safe; read the manual if you don't trust me [and you shouldn't right now]) and post the output.
Last edited by skymt (2007-02-18 00:31:24)
tcpdump might provide some interesting info, but the best thing to do is download a bootable forensics distro and check stuff out from there. There are a lot of them out there; I tend to use Helix or PHLAK because I'm too lazy to keep up with what's hot or not.
Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein
Now we are getting somewhere! 876 looks to be famd. By the way, I am now running clamav, hoping for the best.
>sudo netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:876 *:* LISTEN 22324/famd
tcp 0 0 *:sunrpc *:* LISTEN 22314/portmap
tcp 0 0 *:6000 *:* LISTEN 22409/X
tcp 0 0 *:ssh *:* LISTEN 10136/sshd
udp 108088 0 *:bootpc *:* 450/dhcpcd
udp 0 0 *:sunrpc *:* 22314/portmap
raw 0 0 *:icmp *:* 7 22371/vmnet-natd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 987346 22404/kdm /var/run/xdmctl/dmctl/socket
unix 2 [ ACC ] STREAM LISTENING 986148 22342/hald @/var/run/hald/dbus-olVN7BmQha
unix 2 [ ACC ] STREAM LISTENING 985644 22179/syslog-ng /dev/log
unix 2 [ ACC ] STREAM LISTENING 986149 22342/hald @/var/run/hald/dbus-UZ5kwfcSpz
unix 2 [ ACC ] STREAM LISTENING 2711745 9984/swiftfox-bin /tmp/orbit-roman/linc-2700-0-1fee1515abb44
unix 2 [ ACC ] STREAM LISTENING 987363 22404/kdm /var/run/xdmctl/dmctl-:0/socket
unix 2 [ ACC ] STREAM LISTENING 987604 22514/dbus-daemon @/tmp/dbus-hOpHu2U4PO
unix 2 [ ACC ] STREAM LISTENING 987358 22409/X /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 987618 22516/xfce4-session /tmp/.ICE-unix/22516
unix 2 [ ACC ] STREAM LISTENING 986963 22371/vmnet-natd /var/run/vmnat.22371
unix 2 [ ACC ] STREAM LISTENING 2711683 9990/gconfd-2 /tmp/orbit-roman/linc-2706-0-46437075a1d6
unix 2 [ ACC ] STREAM LISTENING 986086 22317/dbus-daemon /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 987597 22508/ssh-agent /tmp/ssh-Szyfp22506/agent.22506
Well, I believe everything is OK, unless someone tells me differently. It looks like fam and portmap are opening these ports. I wonder why? Can anyone explain?
>sudo /etc/rc.d/fam stop
>sudo /etc/rc.d/portmap stop
...
>sudo nmap -A -T4 localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-18 10:00 IST
Interesting ports on wizard.localdomain (127.0.0.1):
Not shown: 1695 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.5 (protocol 2.0)
6000/tcp open X11 (access denied)
No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.20%D=2/18%OT=22%CT=1%CU=33931%PV=N%DS=0%G=Y%TM=45D807BF%P=i686-
OS:pc-linux-gnu)SEQ(SP=C1%GCD=1%ISR=CB%TI=Z%II=I%TS=8)SEQ(SP=C2%GCD=1%ISR=C
OS:B%TI=Z%II=I%TS=8)SEQ(SP=C1%GCD=1%ISR=CB%TI=Z%II=I%TS=8)OPS(O1=M400CST11N
OS:W5%O2=M400CST11NW5%O3=M400CNNT11NW5%O4=M400CST11NW5%O5=M400CST11NW5%O6=M
OS:400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF=
OS:Y%T=40%W=8018%O=M400CNNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW5%RD=0%Q=)T
OS:4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+
OS:%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y
OS:%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=C0%IPL=164%UN=0%
OS:RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=N%T=40%TOSI=S%CD=S%SI
OS:=S%DLI=S)
Uptime: 7.446 days (since Sat Feb 10 23:19:20 2007)
Network Distance: 0 hops
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 17.726 seconds
...
>sudo netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:6000 *:* LISTEN 22409/X
tcp 0 0 *:ssh *:* LISTEN 10136/sshd
udp 108088 0 *:bootpc *:* 450/dhcpcd
raw 0 0 *:icmp *:* 7 22371/vmnet-natd
Active UNIX domain sockets (only servers)
...
Last edited by drakosha (2007-02-18 07:57:54)
FWIW, running nmap on localhost will almost always provide different output than using your actual ip for the same reasons pinging localhost is different from pinging your own ip.
From the portmap man page:
DESCRIPTION
Portmap is a server that converts RPC program numbers into DARPA protocol port numbers. It must be running in order to make RPC calls.
When an RPC server is started, it will tell portmap what port number it is listening to, and what RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it will first contact portmap on the server machine to determine the port number where RPC packets should be sent.
Wikipedia on RPCs:
http://en.wikipedia.org/wiki/Remote_procedure_call
I've never used fam, so I'm no help there.
Last edited by Snarkout (2007-02-18 18:43:30)
The ports are open to the outside world too:
> nmap -A -T4 ...ip...
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-02-18 14:14 IST
Interesting ports on 85.64.209.106.dynamic.barak-online.net (85.64.209.106):
(The 1647 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.5 (protocol 2.0)
25/tcp filtered smtp
109/tcp filtered pop2
110/tcp filtered pop3
111/tcp open rpc
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp filtered imap
445/tcp filtered microsoft-ds
732/tcp open unknown
4444/tcp filtered krb524
the ports are open to outside world too:
<snip scan results>
You ran this on another machine, across the Internet? If so, that's not good. You should install either a hardware firewall/NAT router or a software firewall.
Also, why are you running portmap? And an IMAP server? POP2/3? Samba (the netbios stuff)? Kerberos (I assume that's what krb524 is)? It looks like either you have a more insecure configuration than you indicated or someone is running their remote access trojan on common ports to reduce the chance of being firewalled.
It's also odd that some of these don't show up in netstat (possible sign of a rootkit).
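Added example, not taken from any post in this thread: a small shell script that does the two cross-checks this reply calls for, reading nmap output and netstat output from files. Run netstat as `netstat -lpn` for this, since -n keeps the ports numeric ("876" rather than "sunrpc") and therefore comparable with nmap's port column. The sample inputs at the bottom are constructed to look like the output posted above; they are not a capture from the machine under discussion.

```shell
#!/bin/sh
# Added example, not taken from this thread: cross-check nmap's open ports
# against the kernel's own list of listening sockets, and list the listeners
# that are reachable from other hosts. Feed it `netstat -lpn` output (the -n
# keeps ports numeric, so "876" is comparable with nmap's "876/tcp").

# hidden_ports NMAP_FILE NETSTAT_FILE
# Prints TCP ports nmap reported open that netstat does not show as LISTEN.
# A non-empty result means the scan hit a different address than the one
# netstat covers, or something is hiding sockets from netstat.
hidden_ports() {
    awk '
        # nmap line, e.g. "111/tcp open rpcbind 2 (rpc #100000)"
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); scanned[$1] = 1 }
        # netstat -lpn line, e.g. "tcp 0 0 0.0.0.0:876 0.0.0.0:* LISTEN 22324/famd"
        $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); listening[a[n]] = 1 }
        END { for (p in scanned) if (!(p in listening)) print p }
    ' "$1" "$2" | sort -n
}

# external_listeners NETSTAT_FILE
# Prints "PORT PID/PROGRAM" for every TCP listener not bound to loopback,
# i.e. what a remote host can reach unless a firewall is in the way.
external_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "::1") print port, $7
    }' "$1" | sort -n
}

# Constructed sample input shaped like the output in this thread (not a real capture).
SAMPLE_NMAP=$(mktemp)
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NMAP" <<'EOF'
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.5 (protocol 2.0)
111/tcp open rpcbind 2 (rpc #100000)
876/tcp open unknown
4000/tcp open unknown
6000/tcp open X11 (access denied)
EOF
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:876 0.0.0.0:* LISTEN 22324/famd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 22314/portmap
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 22409/X
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 10136/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 450/dhcpcd
EOF

echo "open per nmap but not listed by netstat:"
hidden_ports "$SAMPLE_NMAP" "$SAMPLE_NETSTAT"        # 4000
echo "listening on all interfaces:"
external_listeners "$SAMPLE_NETSTAT"                 # 22, 111 and 876
```

Run netstat on the box itself and nmap from another host against the public address, then give both files to hidden_ports: anything it prints either belongs to an address netstat was not covering (the localhost-versus-real-IP point made earlier) or is being hidden from netstat, which is the rootkit sign this reply mentions. external_listeners is the list to compare with what you actually intend to expose; on the output posted above that should be sshd alone.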
portmap was started by fam. I'm not running anything besides ssh. "filtered" means closed, I believe.
I have almost the same message when I run chkrootkit:
Checking `crontab'... Warning: crontab for nobody found, possible Lupper.Worm... not infected
What does this mean, please? Is it just possible?
Have you tried looking in the config files for portmap and fam and setting them so that they are only accessible for local use? I know that fam has this option but not sure about portmap.
About the "crontab for nobody found, possible Lupper.Worm..." warning: that a crontab for nobody exists can easily be checked by running crontab -l nobody. The check that chkrootkit does is exactly that, but chkrootkit seems to assume that the crontab command returns a non-zero exit code when one tries to list a crontab that doesn't exist. Here is the corresponding portion of chkrootkit:
if ${CMD} -l -u nobody >/dev/null 2>&1 ; then
printn "Warning: crontab for nobody found, possible Lupper.Worm... "
if ${CMD} -l -u nobody 2>/dev/null | ${egrep} $CRONTAB_I_L >/dev/null 2>&1
then
STATUS=${INFECTED}
fi
fi
What is true, though, is that crontab -l -u <user> returns an error if the user does not exist on the system at all. Here I'm testing on my system:
# crontab -l -u gonzo && echo 0 || echo 1
crontab: user gonzo unknown
1
# crontab -l -u nobody && echo 0 || echo 1
no crontab for nobody
0
So, chkrootkit does a faulty check and really only checks if the user nobody exists on the system - which of course is the case.
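The faulty check above, rewritten as the check it should have been. This is an added example, not chkrootkit's code: it classifies the result of `crontab -l -u USER` from the exit status and the message together, because the test run quoted above shows one crontab implementation exiting 0 for "no crontab for nobody" and exiting 1 only for an unknown user. The message patterns used to recognise an unknown user are assumptions covering the crontab implementations I know; adjust them to yours.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): decide whether a user really has a
# crontab. `crontab -l -u USER` is not a reliable existence test on its own:
# the run quoted in this thread exits 0 while printing "no crontab for nobody"
# and exits 1 only when the user does not exist, so the exit status and the
# message have to be read together.

# classify_crontab STATUS OUTPUT
#   STATUS  exit status of `crontab -l -u USER 2>&1`
#   OUTPUT  its combined stdout and stderr
# Prints one word: present, absent, nouser or error.
classify_crontab() {
    status="$1"
    output="$2"
    if [ "$status" -ne 0 ]; then
        case "$output" in
            *"no crontab for"*) echo absent ;;   # some implementations exit 1 here
            # unknown-user wording differs between implementations (assumed patterns)
            *unknown*|*"does not exist"*|*"no such user"*) echo nouser ;;
            *) echo error ;;                       # e.g. not root, or crontab missing
        esac
        return 0
    fi
    case "$output" in
        "no crontab for"*) echo absent; return 0 ;;  # the exit-0 case from the thread
    esac
    # Exit 0 and a listing: count it only if at least one line is neither
    # blank nor a comment, otherwise an empty crontab file would look "present".
    if printf '%s\n' "$output" | grep -v '^[[:space:]]*#' | grep -q '[^[:space:]]'; then
        echo present
    else
        echo absent
    fi
}

# crontab_state USER: run the real command (needs root for -u) and classify it.
crontab_state() {
    out=$(crontab -l -u "$1" 2>&1) && rc=0 || rc=$?
    classify_crontab "$rc" "$out"
}

# Stand-alone demo on the two outcomes quoted in the thread (constructed, not run live).
classify_crontab 0 'no crontab for nobody'        # absent
classify_crontab 1 'crontab: user gonzo unknown'  # nouser
```

Note that the chkrootkit fragment above only sets INFECTED when the listing also matches its CRONTAB_I_L pattern, so the spurious part is the warning printed before that grep, not the final verdict; "crontab_state nobody" printing absent is the confirmation that there is nothing to chase.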
Have you tried looking in the config files for portmap and fam and setting them so that they are only accessible for local use? I know that fam has this option but not sure about portmap.
I did not find the option you mention; can you please write it here?
Thanks
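As an added example, and not configuration quoted from either project in this thread: the options I know of for keeping both daemons local. fam reads /etc/fam.conf and honours a `local_only = true` line there (the same effect as starting famd with -L); portmap is built with tcp_wrappers, so /etc/hosts.allow and /etc/hosts.deny are consulted under the daemon name portmap. Both statements are from memory of the famd(8) and portmap(8) man pages, so confirm them on your system before relying on them. The functions take the file paths as arguments so they can be tried on copies first, which is what the demo at the bottom does with constructed files.

```shell
#!/bin/sh
# Added example, not code or configuration from the fam or portmap projects.
# Assumptions (from memory of the man pages; confirm on your system):
#   - famd reads /etc/fam.conf and a "local_only = true" line there has the
#     same effect as starting famd with -L (refuse non-local clients)
#   - portmap is built with tcp_wrappers, so /etc/hosts.allow and
#     /etc/hosts.deny are consulted under the daemon name "portmap"
# The file paths are parameters so the functions can be tried on copies first.

# set_fam_local_only FAM_CONF: set local_only = true, replacing an existing
# line if there is one, appending otherwise (safe to run more than once).
set_fam_local_only() {
    conf="$1"
    if grep -q '^[[:space:]]*local_only[[:space:]]*=' "$conf"; then
        sed 's/^[[:space:]]*local_only[[:space:]]*=.*/local_only = true/' "$conf" > "$conf.new" &&
            mv "$conf.new" "$conf"
    else
        printf 'local_only = true\n' >> "$conf"
    fi
}

# fam_is_local_only FAM_CONF: succeed if the effective setting is true
fam_is_local_only() {
    grep -Eq '^[[:space:]]*local_only[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# restrict_portmap HOSTS_ALLOW HOSTS_DENY: allow portmap from loopback only.
# hosts.allow is consulted before hosts.deny, so the ALL rule only catches
# clients the allow rule did not match. Idempotent.
restrict_portmap() {
    grep -q '^portmap:' "$1" 2>/dev/null || printf 'portmap: 127.0.0.1\n' >> "$1"
    grep -q '^portmap:' "$2" 2>/dev/null || printf 'portmap: ALL\n' >> "$2"
}

# Demo on constructed copies, not the live files under /etc.
FAM_CONF=$(mktemp)
HOSTS_ALLOW=$(mktemp)
HOSTS_DENY=$(mktemp)
printf '# constructed fam.conf excerpt\nuntrusted_user = nobody\nlocal_only = false\n' > "$FAM_CONF"
set_fam_local_only "$FAM_CONF"
restrict_portmap "$HOSTS_ALLOW" "$HOSTS_DENY"
fam_is_local_only "$FAM_CONF" && echo "fam: local_only = true"
cat "$HOSTS_ALLOW" "$HOSTS_DENY"
```

To apply it for real, run the functions as root against /etc/fam.conf, /etc/hosts.allow and /etc/hosts.deny, then restart both daemons with the rc.d scripts used earlier in the thread. Use IP addresses rather than hostnames in the portmap rules; as I recall portmap refuses to do name lookups for them. netstat will still show portmap on *:111 afterwards, because tcp_wrappers filters clients rather than changing the bind address; the test that matters is rpcinfo -p against your public address from another host, which should now fail. If your portmap accepts -i 127.0.0.1, binding it to loopback removes the external listener entirely.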