Hi,
I'm observing strange symptoms lately:
1. The Jabber client does not connect to servers (MSN and ICQ are OK). I tried gaim mostly, centericq too.
2. Firefox shows a strange dialog about an expired certificate on void.gr; I do not visit the site, and the dialog shows up even when all extensions are disabled.
3. nmap shows strange things (port 111 and 876 are open):
>sudo nmap -A -T4 localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-17 21:46 IST
Interesting ports on wizard.localdomain (127.0.0.1):
Not shown: 1693 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.5 (protocol 2.0)
111/tcp  open  rpcbind  2 (rpc #100000)
876/tcp  open  unknown
6000/tcp open  X11      (access denied)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.18 - 2.6.19 (x86)
Uptime: 6.935 days (since Sat Feb 10 23:19:19 2007)
Network Distance: 0 hops
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 7.584 seconds
When I'm running nmap, there's no internet-related application running, as far as I know. ssh is open for remote access, but (again, as far as I know) it's limited to one user with a serious password.
Help, what's going on?????????
Offline
If sshd is the only server you installed, your computer has definitely been compromised. Backup, reformat, and reinstall; it's the only way to be sure.
If you want to, you can image your drive for later examination (to see what the intruder did).
Offline

Before I do it, I'd like to understand what happened. What are those ports? By what app are they used?
Can you please help me and tell me how I can determine what happened? I did the following:
>sudo /opt/chkrootkit/chkrootkit -q
Warning: crontab for nobody found, possible Lupper.Worm... 
can't exec ./strings-static, 
/usr/lib/perl5/current/i686-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/SVN/_Core/.packlist /usr/lib/perl5/site_perl/current/i686-linux/auto/CDDB_get/.packlist /usr/lib/glib-2.0/include/.sconsign /usr/lib/gtk-2.0/include/.sconsign /usr/lib/.sconsign
INFECTED (PORTS:  4000)
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
not tested: can't exec ./chkutmp
and
>sudo /usr/bin/rkhunter --cronjob --report-warnings-only
No logfile given: using default.
Determining OS... Warning: This operating system is not fully supported!
gpg: WARNING: unsafe ownership on configuration file `/home/roman/.gnupg/gpg.conf'
-----------------------------------------------------------------
Found warnings:
[00:39:01] Warning: This operating system is not fully supported!
-----------------------------------------------------------------
If you're unsure about the results above, please contact the
Rootkit Hunter team through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
Some errors has been found while checking. Please perform a manual check on this machine (wizard)
Last edited by drakosha (2007-02-17 22:36:32)
Offline
Please run "netstat -lp" as root (it's safe, read the manual if you don't trust me [and you shouldn't right now]) and post the output.
Last edited by skymt (2007-02-18 00:31:24)
Offline

tcpdump might provide some interesting info, but the best thing to do is download a bootable forensics distro and check stuff out from there. There are lot of them out there, I tend to use Helix or PHLAK because I'm too lazy to keep up with what's hot or not.
Unthinking respect for authority is the greatest enemy of truth. 
-Albert Einstein
Offline

Now we are getting somewhere! 876 looks to be famd. By the way, I am now running clamav, hoping for the best.
>sudo netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:876                   *:*                     LISTEN      22324/famd          
tcp        0      0 *:sunrpc                *:*                     LISTEN      22314/portmap       
tcp        0      0 *:6000                  *:*                     LISTEN      22409/X             
tcp        0      0 *:ssh                   *:*                     LISTEN      10136/sshd          
udp   108088      0 *:bootpc                *:*                                 450/dhcpcd          
udp        0      0 *:sunrpc                *:*                                 22314/portmap       
raw        0      0 *:icmp                  *:*                     7           22371/vmnet-natd    
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     987346 22404/kdm           /var/run/xdmctl/dmctl/socket
unix  2      [ ACC ]     STREAM     LISTENING     986148 22342/hald          @/var/run/hald/dbus-olVN7BmQha
unix  2      [ ACC ]     STREAM     LISTENING     985644 22179/syslog-ng     /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     986149 22342/hald          @/var/run/hald/dbus-UZ5kwfcSpz
unix  2      [ ACC ]     STREAM     LISTENING     2711745 9984/swiftfox-bin   /tmp/orbit-roman/linc-2700-0-1fee1515abb44
unix  2      [ ACC ]     STREAM     LISTENING     987363 22404/kdm           /var/run/xdmctl/dmctl-:0/socket
unix  2      [ ACC ]     STREAM     LISTENING     987604 22514/dbus-daemon   @/tmp/dbus-hOpHu2U4PO
unix  2      [ ACC ]     STREAM     LISTENING     987358 22409/X             /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     987618 22516/xfce4-session /tmp/.ICE-unix/22516
unix  2      [ ACC ]     STREAM     LISTENING     986963 22371/vmnet-natd    /var/run/vmnat.22371
unix  2      [ ACC ]     STREAM     LISTENING     2711683 9990/gconfd-2       /tmp/orbit-roman/linc-2706-0-46437075a1d6
unix  2      [ ACC ]     STREAM     LISTENING     986086 22317/dbus-daemon   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     987597 22508/ssh-agent     /tmp/ssh-Szyfp22506/agent.22506
Offline

Well, I believe everything is OK, unless someone tells me differently. It looks like fam and portmap are opening these ports. I wonder why? Can anyone explain?
>sudo /etc/rc.d/fam stop
>sudo /etc/rc.d/portmap stop
...
>sudo nmap -A -T4 localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-18 10:00 IST
Interesting ports on wizard.localdomain (127.0.0.1):
Not shown: 1695 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.5 (protocol 2.0)
6000/tcp open  X11      (access denied)
No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.20%D=2/18%OT=22%CT=1%CU=33931%PV=N%DS=0%G=Y%TM=45D807BF%P=i686-
OS:pc-linux-gnu)SEQ(SP=C1%GCD=1%ISR=CB%TI=Z%II=I%TS=8)SEQ(SP=C2%GCD=1%ISR=C
OS:B%TI=Z%II=I%TS=8)SEQ(SP=C1%GCD=1%ISR=CB%TI=Z%II=I%TS=8)OPS(O1=M400CST11N
OS:W5%O2=M400CST11NW5%O3=M400CNNT11NW5%O4=M400CST11NW5%O5=M400CST11NW5%O6=M
OS:400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF=
OS:Y%T=40%W=8018%O=M400CNNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW5%RD=0%Q=)T
OS:4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+
OS:%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y
OS:%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=C0%IPL=164%UN=0%
OS:RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=N%T=40%TOSI=S%CD=S%SI
OS:=S%DLI=S)
Uptime: 7.446 days (since Sat Feb 10 23:19:20 2007)
Network Distance: 0 hops
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 17.726 seconds
...
>sudo netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:6000                  *:*                     LISTEN      22409/X
tcp        0      0 *:ssh                   *:*                     LISTEN      10136/sshd
udp   108088      0 *:bootpc                *:*                                 450/dhcpcd
raw        0      0 *:icmp                  *:*                     7           22371/vmnet-natd
Active UNIX domain sockets (only servers)
...
Last edited by drakosha (2007-02-18 07:57:54)
Offline

FWIW, running nmap on localhost will almost always provide different output than using your actual ip for the same reasons pinging localhost is different from pinging your own ip.
From the portmap man page:
DESCRIPTION
     Portmap is a server that converts RPC program numbers into DARPA protocol port numbers.  It must be running
     in order to make RPC calls.
     When an RPC server is started, it will tell portmap what port number it is listening to, and what RPC pro-
     gram numbers it is prepared to serve.  When a client wishes to make an RPC call to a given program number,
     it will first contact portmap on the server machine to determine the port number where RPC packets should
     be sent.
Wikipedia on RPCs:
http://en.wikipedia.org/wiki/Remote_procedure_call
I've never used fam, so I'm no help there.
Last edited by Snarkout (2007-02-18 18:43:30)
Unthinking respect for authority is the greatest enemy of truth. 
-Albert Einstein
Offline

The ports are open to the outside world too:
> nmap -A -T4 ...ip...
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-02-18 14:14 IST
Interesting ports on 85.64.209.106.dynamic.barak-online.net (85.64.209.106):
(The 1647 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 4.5 (protocol 2.0)
25/tcp   filtered smtp
109/tcp  filtered pop2
110/tcp  filtered pop3
111/tcp  open     rpc
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
143/tcp  filtered imap
445/tcp  filtered microsoft-ds
732/tcp  open     unknown
4444/tcp filtered krb524
Offline
the ports are open to outside world too:
<snip scan results>
You ran this on another machine, across the Internet? If so, that's not good. You should install either a hardware firewall/NAT router or a software firewall.
Also, why are you running portmap? And an IMAP server? POP2/3? Samba (the netbios stuff)? Kerberos (I assume that's what krb524 is)? It looks like either you have a more insecure configuration than you indicated or someone is running their remote access trojan on common ports to reduce the chance of being firewalled.
It's also odd that some of these don't show up in netstat (possible sign of a rootkit).
Offline
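The reply above points at ports that answer to a scan but have no entry in netstat. The script below is an added example (not from the thread or any of its posters) that automates that comparison: it reads saved nmap and numeric netstat output and prints every open port without a local listener. The file names and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: print ports that nmap reports open but
# for which netstat shows no local listener. A port that answers from outside
# with no listening process on the host is the mismatch the reply above calls
# a possible rootkit sign (or something between scanner and host answering).
# Run netstat with -n so ports are numeric ("0.0.0.0:111", not "*:sunrpc"):
#   netstat -lpn --inet > netstat.txt      (on the host, as root)
#   nmap -p- -n <host-ip> > nmap.txt       (from another machine)

# Prints "port/proto" for each nmap open port with no matching listener.
# $1 = nmap output file, $2 = numeric netstat -l output file.
unexplained_ports() {
    awk '
        # first file: remember every port nmap marks open
        NR == FNR {
            if ($2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/) open[$1] = 1
            next
        }
        # second file: drop ports that have a listener (tcp/udp, v4 or v6)
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /:[0-9]+$/ {
            n = split($4, a, ":")
            delete open[a[n] "/" substr($1, 1, 3)]
        }
        END { for (p in open) print p }
    ' "$1" "$2" | sort
}

# Constructed sample inputs modelled on the outputs posted in this thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nmap.txt" <<'EOF'
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 4.5 (protocol 2.0)
25/tcp   filtered smtp
111/tcp  open     rpc
732/tcp  open     unknown
EOF
cat > "$SAMPLE_DIR/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      10136/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      22314/portmap
udp   108088      0 0.0.0.0:68              0.0.0.0:*                           450/dhcpcd
EOF

unexplained_ports "$SAMPLE_DIR/nmap.txt" "$SAMPLE_DIR/netstat.txt"   # prints 732/tcp
```

Ports that only listen on 127.0.0.1 never show up in an external scan, so they cannot produce a mismatch here; a filtered port is not open and is ignored as well.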

portmap was started by fam. I'm not running anything besides ssh. "filtered" means closed, I believe.
Offline
I have almost the same message when I run chkrootkit:
Checking `crontab'... Warning: crontab for nobody found, possible Lupper.Worm... not infected
What does this mean, please? Is it just possible?
Offline
Have you tried looking in the config files for portmap and fam and setting them so that they are only accessible for local use? I know that fam has this option but not sure about portmap.
Offline
About the "crontab for nobody found, possible Lupper.Worm..." warning. That a crontab for nobody exists can easily be checked with running crontab -l nobody. The check that chkrootkit does is exactly that, but chkrootkit seems to assume that the crontab command returns a non-zero error code when one tries to list a crontab that doesn't exist - here is the corresponding portion from chkrootkit:
    if  ${CMD} -l -u nobody >/dev/null 2>&1 ; then
        printn "Warning: crontab for nobody found, possible Lupper.Worm... "
        if ${CMD} -l -u nobody 2>/dev/null  | ${egrep} $CRONTAB_I_L >/dev/null 2>&1
           then
           STATUS=${INFECTED}
        fi
    fi
What is true, though, is that crontab -l -u <user> returns an error if the user does not exist on the system at all - here I'm testing on my system:
# crontab -l -u gonzo && echo 0 || echo 1
crontab: user gonzo unknown
1
# crontab -l -u nobody && echo 0 || echo 1
no crontab for nobody
0
So, chkrootkit does a faulty check and really only checks if the user nobody exists on the system - which of course is the case.
Offline
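The post above shows why checking the exit status of crontab -l -u nobody is not enough. As an added example (not chkrootkit's code and not from the thread), here is the same check done on crontab's actual output instead; CRONTAB_CMD and SUSPICIOUS_PATTERN are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example, neither chkrootkit's code nor from the thread: a crontab check
# for user "nobody" that judges by what crontab prints, not by its exit status.
# As shown above, "crontab -l -u nobody" exits 0 while printing "no crontab for
# nobody" on stderr, so testing the exit status only proves the user exists.
# CRONTAB_CMD is a hypothetical hook (defaults to the real crontab binary) so the
# check can be exercised against a stand-in command.
CRONTAB_CMD=${CRONTAB_CMD:-crontab}

# Returns 0 if user $1 has at least one real crontab entry. stderr (where both
# "no crontab for X" and "user X unknown" go) is discarded; only stdout counts,
# and comment or blank lines are ignored. awk always exits 0, so set -e is safe.
user_has_crontab() {
    entries=$("$CRONTAB_CMD" -l -u "$1" 2>/dev/null |
              awk '!/^[ \t]*#/ && NF { n++ } END { print n + 0 }')
    [ "$entries" -gt 0 ]
}

# Constructed stand-in for chkrootkit's $CRONTAB_I_L pattern (its real value is
# not on the page): commands commonly found in planted crontabs.
SUSPICIOUS_PATTERN='wget|curl|/tmp/|/dev/shm/'

# The decision chkrootkit intends, done correctly. Exit status:
#   0 = no crontab, 1 = crontab found (warning), 2 = suspicious entries (INFECTED)
check_crontab_for() {
    user=${1:-nobody}
    if ! user_has_crontab "$user"; then
        echo "no crontab for $user: not infected"
        return 0
    fi
    if "$CRONTAB_CMD" -l -u "$user" 2>/dev/null | grep -Eq "$SUSPICIOUS_PATTERN"; then
        echo "crontab for $user contains suspicious commands: INFECTED"
        return 2
    fi
    echo "Warning: crontab for $user found, review it manually"
    return 1
}
```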

Have you tried looking in the config files for portmap and fam and setting them so that they are only accessible for local use? I know that fam has this option but not sure about portmap.
I did not find the option you mention, can you please write it here?
Thanks
Offline