
#1 2007-02-17 19:46:14

drakosha
Member
Registered: 2006-01-03
Posts: 253

was my comp hacked?

Hi,

I'm observing some strange symptoms lately:
1. The Jabber client does not connect to servers (MSN and ICQ are OK). I tried Gaim mostly, centericq too.
2. Firefox shows a strange dialog about an expired certificate on void.gr; I do not visit the site, and the dialog shows up even when all extensions are disabled.
3. nmap shows strange things (ports 111 and 876 are open):

>sudo nmap -A -T4 localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-17 21:46 IST
Interesting ports on wizard.localdomain (127.0.0.1):
Not shown: 1693 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.5 (protocol 2.0)
111/tcp  open  rpcbind  2 (rpc #100000)
876/tcp  open  unknown
6000/tcp open  X11      (access denied)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.18 - 2.6.19 (x86)
Uptime: 6.935 days (since Sat Feb 10 23:19:19 2007)
Network Distance: 0 hops
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 7.584 seconds

When I'm running nmap, there's no internet-related application running as far as I know. ssh is open for remote access, but (again, as far as I know) it's limited to one user with a serious password.

Help, what's going on?


#2 2007-02-17 20:40:17

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: was my comp hacked?

If sshd is the only server you installed, your computer has definitely been compromised. Backup, reformat, and reinstall; it's the only way to be sure.

If you want to, you can image your drive for later examination (to see what the intruder did).


#3 2007-02-17 22:35:58

drakosha
Member
Registered: 2006-01-03
Posts: 253

Re: was my comp hacked?

Before I do it, I'd like to understand what happened. What are those ports? By what app are they used?

Can you please help me and tell me how I determine what happened? I did the following:

>sudo /opt/chkrootkit/chkrootkit -q
Warning: crontab for nobody found, possible Lupper.Worm... 
can't exec ./strings-static, 
/usr/lib/perl5/current/i686-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/SVN/_Core/.packlist /usr/lib/perl5/site_perl/current/i686-linux/auto/CDDB_get/.packlist /usr/lib/glib-2.0/include/.sconsign /usr/lib/gtk-2.0/include/.sconsign /usr/lib/.sconsign

INFECTED (PORTS:  4000)
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
not tested: can't exec ./chkutmp

and

>sudo /usr/bin/rkhunter --cronjob --report-warnings-only
No logfile given: using default.
Determining OS... Warning: This operating system is not fully supported!
gpg: WARNING: unsafe ownership on configuration file `/home/roman/.gnupg/gpg.conf'
-----------------------------------------------------------------

Found warnings:
[00:39:01] Warning: This operating system is not fully supported!

-----------------------------------------------------------------

If you're unsure about the results above, please contact the
Rootkit Hunter team through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
Some errors has been found while checking. Please perform a manual check on this machine (wizard)

Last edited by drakosha (2007-02-17 22:36:32)


#4 2007-02-18 00:30:41

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: was my comp hacked?

Please run "netstat -lp" as root (it's safe, read the manual if you don't trust me [and you shouldn't right now]) and post the output.

Last edited by skymt (2007-02-18 00:31:24)


#5 2007-02-18 02:29:30

Snarkout
Member
Registered: 2005-11-13
Posts: 542

Re: was my comp hacked?

tcpdump might provide some interesting info, but the best thing to do is download a bootable forensics distro and check stuff out from there. There are a lot of them out there; I tend to use Helix or PHLAK because I'm too lazy to keep up with what's hot or not.


Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein


#6 2007-02-18 05:27:13

drakosha
Member
Registered: 2006-01-03
Posts: 253

Re: was my comp hacked?

Now we are getting somewhere! 876 looks to be famd. By the way, I am now running clamav, hoping for the best :)

>sudo netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:876                   *:*                     LISTEN      22324/famd          
tcp        0      0 *:sunrpc                *:*                     LISTEN      22314/portmap       
tcp        0      0 *:6000                  *:*                     LISTEN      22409/X             
tcp        0      0 *:ssh                   *:*                     LISTEN      10136/sshd          
udp   108088      0 *:bootpc                *:*                                 450/dhcpcd          
udp        0      0 *:sunrpc                *:*                                 22314/portmap       
raw        0      0 *:icmp                  *:*                     7           22371/vmnet-natd    
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     987346 22404/kdm           /var/run/xdmctl/dmctl/socket
unix  2      [ ACC ]     STREAM     LISTENING     986148 22342/hald          @/var/run/hald/dbus-olVN7BmQha
unix  2      [ ACC ]     STREAM     LISTENING     985644 22179/syslog-ng     /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     986149 22342/hald          @/var/run/hald/dbus-UZ5kwfcSpz
unix  2      [ ACC ]     STREAM     LISTENING     2711745 9984/swiftfox-bin   /tmp/orbit-roman/linc-2700-0-1fee1515abb44
unix  2      [ ACC ]     STREAM     LISTENING     987363 22404/kdm           /var/run/xdmctl/dmctl-:0/socket
unix  2      [ ACC ]     STREAM     LISTENING     987604 22514/dbus-daemon   @/tmp/dbus-hOpHu2U4PO
unix  2      [ ACC ]     STREAM     LISTENING     987358 22409/X             /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     987618 22516/xfce4-session /tmp/.ICE-unix/22516
unix  2      [ ACC ]     STREAM     LISTENING     986963 22371/vmnet-natd    /var/run/vmnat.22371
unix  2      [ ACC ]     STREAM     LISTENING     2711683 9990/gconfd-2       /tmp/orbit-roman/linc-2706-0-46437075a1d6
unix  2      [ ACC ]     STREAM     LISTENING     986086 22317/dbus-daemon   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     987597 22508/ssh-agent     /tmp/ssh-Szyfp22506/agent.22506


#7 2007-02-18 07:56:03

drakosha
Member
Registered: 2006-01-03
Posts: 253

Re: was my comp hacked?

Well, I believe everything is OK, unless someone tells me differently :). It looks like fam and portmap are opening these ports. I wonder why? Can anyone explain?

>sudo /etc/rc.d/fam stop
>sudo /etc/rc.d/portmap stop
...

>sudo nmap -A -T4 localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-18 10:00 IST
Interesting ports on wizard.localdomain (127.0.0.1):
Not shown: 1695 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.5 (protocol 2.0)
6000/tcp open  X11      (access denied)
No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ).
TCP/IP fingerprint:

Uptime: 7.446 days (since Sat Feb 10 23:19:20 2007)
Network Distance: 0 hops
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 17.726 seconds
...

>sudo netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:6000                  *:*                     LISTEN      22409/X
tcp        0      0 *:ssh                   *:*                     LISTEN      10136/sshd
udp   108088      0 *:bootpc                *:*                                 450/dhcpcd
raw        0      0 *:icmp                  *:*                     7           22371/vmnet-natd
Active UNIX domain sockets (only servers)
...

Last edited by drakosha (2007-02-18 07:57:54)


#8 2007-02-18 18:37:12

Snarkout
Member
Registered: 2005-11-13
Posts: 542

Re: was my comp hacked?

FWIW, running nmap on localhost will almost always provide different output than using your actual ip for the same reasons pinging localhost is different from pinging your own ip.

From the portmap man page:

DESCRIPTION
     Portmap is a server that converts RPC program numbers into DARPA protocol port numbers.  It must be running
     in order to make RPC calls.

     When an RPC server is started, it will tell portmap what port number it is listening to, and what RPC
     program numbers it is prepared to serve.  When a client wishes to make an RPC call to a given program number,
     it will first contact portmap on the server machine to determine the port number where RPC packets should
     be sent.

Wikipedia on RPCs:

http://en.wikipedia.org/wiki/Remote_procedure_call

I've never used fam, so I'm no help there.

Last edited by Snarkout (2007-02-18 18:43:30)


Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein


#9 2007-02-19 06:35:07

drakosha
Member
Registered: 2006-01-03
Posts: 253

Re: was my comp hacked?

The ports are open to the outside world too:

> nmap -A -T4 ...ip...

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-02-18 14:14 IST
Interesting ports on 85.64.209.106.dynamic.barak-online.net (85.64.209.106):
(The 1647 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 4.5 (protocol 2.0)
25/tcp   filtered smtp
109/tcp  filtered pop2
110/tcp  filtered pop3
111/tcp  open     rpc
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
143/tcp  filtered imap
445/tcp  filtered microsoft-ds
732/tcp  open     unknown
4444/tcp filtered krb524


#10 2007-02-19 15:41:38

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: was my comp hacked?

drakosha wrote:

the ports are open to outside world too:

<snip scan results>

You ran this on another machine, across the Internet? If so, that's not good. You should install either a hardware firewall/NAT router or a software firewall.

Also, why are you running portmap? And an IMAP server? POP2/3? Samba (the netbios stuff)? Kerberos (I assume that's what krb524 is)? It looks like either you have a more insecure configuration than you indicated or someone is running their remote access trojan on common ports to reduce the chance of being firewalled.

It's also odd that some of these don't show up in netstat (possible sign of a rootkit).

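The "doesn't show up in netstat" cross-check above, written out as an added example (not code from the thread): it flags TCP ports that nmap reports as open but for which netstat shows no listening socket. Both inputs are pasted text; the sample scan and netstat listing are constructed here, modelled on the thread's output, and the netstat format assumed is that of `netstat -lnpt` (numeric ports), not the `-lp` form used in the thread.

```shell
# Numeric TCP ports whose STATE is "open" in nmap's normal output, e.g.
# "111/tcp  open  rpc". "filtered" ports are skipped on purpose: filtered
# means nmap got no reply at all, not that something is listening.
nmap_open_tcp() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, a, "/"); print a[1] }' | sort -un
}

# Numeric TCP ports in LISTEN state from `netstat -lnpt` output. The local
# address looks like "0.0.0.0:876" or ":::22"; the port follows the last colon.
netstat_listen_tcp() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); print a[n] }' | sort -un
}

# Ports open to the scanner but without a local listener, one per line
# (prints nothing when every open port is explained). Take both snapshots at
# the same time: RPC services register with portmap whichever port they bound
# at startup, so a listing taken hours later can legitimately differ.
unexplained_ports() {
    { netstat_listen_tcp "$2" | sed 's/^/L /'; nmap_open_tcp "$1" | sed 's/^/N /'; } |
        awk '$1 == "L" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# Constructed sample inputs (not the thread's literal output): 732/tcp is open
# to the scanner, while netstat only knows famd on 876.
SAMPLE_NMAP='PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 4.5 (protocol 2.0)
25/tcp   filtered smtp
111/tcp  open     rpc
732/tcp  open     unknown
4444/tcp filtered krb524'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:876     0.0.0.0:*       LISTEN 22324/famd
tcp        0      0 0.0.0.0:111     0.0.0.0:*       LISTEN 22314/portmap
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 10136/sshd
tcp6       0      0 :::22           :::*            LISTEN 10136/sshd'

unexplained_ports "$SAMPLE_NMAP" "$SAMPLE_NETSTAT"   # prints 732
```

A port that shows up here deserves a second look from a boot CD, as Snarkout suggested; a port that only differs between two snapshots taken at different times usually does not.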

#11 2007-02-19 17:06:46

drakosha
Member
Registered: 2006-01-03
Posts: 253

Re: was my comp hacked?

portmap was started by fam. I'm not running anything besides ssh. "filtered" means closed, I believe.


#12 2007-02-20 02:13:11

lumiwa
Member
Registered: 2005-12-26
Posts: 712

Re: was my comp hacked?

I have almost the same message when I run chkrootkit:
Checking `crontab'... Warning: crontab for nobody found, possible Lupper.Worm... not infected

What does this mean, please? Is it just possible?


#13 2007-02-20 09:15:07

iBertus
Member
From: Greenville, NC
Registered: 2004-11-04
Posts: 2,228

Re: was my comp hacked?

Have you tried looking in the config files for portmap and fam and setting them so that they are only accessible for local use? I know that fam has this option but not sure about portmap.


#14 2007-02-20 09:55:23

Bebo
Member
From: Göteborg, Sweden
Registered: 2006-06-07
Posts: 207

Re: was my comp hacked?

About the "crontab for nobody found, possible Lupper.Worm..." warning: that a crontab for nobody exists can easily be checked by running crontab -l nobody. The check that chkrootkit does is exactly that, but chkrootkit seems to assume that the crontab command returns a non-zero exit code when one tries to list a crontab that doesn't exist. Here is the corresponding portion of chkrootkit:

    if  ${CMD} -l -u nobody >/dev/null 2>&1 ; then
        printn "Warning: crontab for nobody found, possible Lupper.Worm... "
        if ${CMD} -l -u nobody 2>/dev/null  | ${egrep} $CRONTAB_I_L >/dev/null 2>&1
           then
           STATUS=${INFECTED}
        fi
    fi

What is true, though, is that crontab -l -u <user> returns an error if the user does not exist on the system at all. Here I'm testing on my system:

# crontab -l -u gonzo && echo 0 || echo 1
crontab: user gonzo unknown

1
# crontab -l -u nobody && echo 0 || echo 1
no crontab for nobody
0

So chkrootkit does a faulty check and really only checks whether the user nobody exists on the system, which of course is the case.

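A version of the crontab check that decides from what `crontab -l -u USER` prints rather than from its exit status, as an added example (not chkrootkit's code and not from the thread). It assumes the message wording shown in Bebo's test above ("no crontab for USER", "crontab: user USER unknown"); other cron implementations may word these differently.

```shell
# $1 = exit status, $2 = combined stdout+stderr of `crontab -l -u USER`.
# Prints one of: unknown-user, none, present.
classify_crontab() {
    status=$1
    output=$2
    case "$output" in
        "no crontab for "*) echo none; return 0 ;;        # exit 0, but nothing there
        *"unknown"*)        echo unknown-user; return 0 ;; # user does not exist
    esac
    if [ "$status" -ne 0 ]; then
        echo unknown-user   # any other failure: treat as no such user/crontab
    elif [ -z "$output" ]; then
        echo none
    else
        echo present
    fi
}

# Number of real entries in crontab text: lines that are neither blank nor
# comments. A crontab consisting only of comments is not a scheduled job.
crontab_entries() {
    printf '%s\n' "$1" | grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' || true
}

# Live wrapper around the real command (hypothetical helper; not exercised by
# the sample data below). Captures stderr too, because that is where the
# "no crontab for USER" message goes.
check_user_crontab() {
    out=$(crontab -l -u "$1" 2>&1) && st=0 || st=$?
    if [ "$st" -eq 127 ]; then
        echo "crontab command not found" >&2
        return 2
    fi
    classify_crontab "$st" "$out"
}

# Constructed sample outputs mirroring the two cases tested in the thread.
classify_crontab 0 'no crontab for nobody'          # none
classify_crontab 1 'crontab: user gonzo unknown'    # unknown-user
```

On a live system, `check_user_crontab nobody` reporting "present" with a non-zero `crontab_entries` count is the condition chkrootkit's warning was meant to catch.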

#15 2007-02-20 12:57:00

drakosha
Member
Registered: 2006-01-03
Posts: 253

Re: was my comp hacked?

iBertus wrote:

Have you tried looking in the config files for portmap and fam and setting them so that they are only accessible for local use? I know that fam has this option but not sure about portmap.

I did not find the option you mention, can you please write it here?

Thanks
