I apologize if this isn't the correct board, I didn't see one specific to security.
I play World of Warcraft casually and I found out this morning my account had been gotten into and my top 3 characters transferred off realm (only 1 80, as I said, pretty casual).
I checked the email address that my account is attached to and I received several emails this morning informing me that my characters were transferred to another server and my password changed. The email address itself is nothing more than a spam trap and the password isn't the most imaginative in the world. Not horrid by any means, but not particularly secure either, and I've used the password on that email address for 5-10 years at least.
I don't go to strange World of Warcraft sites for free mounts, presents, or anything of the like. I *rarely* log into this particular email account, and in fact, haven't done it in several months. I also don't generally go surfing to strange websites unless I find them on reddit.com. I'm just old enough to find the idea of randomly searching for stuff in google boring (I remember when there was no google, lol).
I've been a linux user for many years (old gentoo-er before Daniel Robbins left and it turned to crap), but I've never bothered to secure it. I work as a Windows software developer so my experience on linux has always been as a desktop user. Since I have nothing on my boxes I'm particularly worried about, I never bother about securing my desktop boxes (I don't run anti-virus on my windows boxes, just to give you an idea). The end result is that, although I've been using linux for many years, I'm very ignorant about hardening a linux box, etc.
I'm currently running x86_64 fully updated as of about 2 or 3 days ago. I run wine on the 32-bit package of wine, along with its dependencies, which I believe I've gotten from AUR via yaourt. This particular box was fully re-installed about a month ago, so it's a relatively recent install.
Based upon the evidence I'm leaning towards someone having a key logger or a rootkit rather than someone having gotten into my email address. It's possible someone guessed the password or found it via other means, but for now I'm going to assume the fault is in something I've done that's resulted in a compromised linux box.
What I'm hoping for is a back and forth with the community in an effort to determine if my box has been compromised. If so, how it was done, and how it can be prevented in the future. I'm very ignorant when it comes to linux security so I'm also hoping this will be an enlightening experience for me.
And so, if this was something that happened to you, how would you go about determining if the box had been undermined?
Last edited by mreiland (2010-03-12 13:40:09)
Offline
Just some basics to get you started:
1. use the 'last' command to check latest logins
2. look for suspicious stuff in logs at /var/log/*
3. check for unusual files in /tmp/
Offline
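The three checks in the reply above can be scripted so they are repeatable. The following is an added example, not code from the thread or from any Arch tool: it runs over constructed sample data (a fake `last -F` listing, a few made-up sshd log lines, and a stand-in /tmp) so it works offline; the file paths, the "user1" account, the allowed-network regex and the sample addresses are all assumptions. Point the functions at `last -F` output, /var/log/auth.log (or wherever your syslog writes sshd messages) and the real /tmp to use it.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage for the three checks
# above - recent logins, log scan, /tmp survey - over constructed sample data.

WORK=$(mktemp -d)

# Constructed sample of `last -F` output (not real data).
cat > "$WORK/last.txt" <<'EOF'
user1    pts/0        192.168.1.20     Fri Mar 12 07:40:01 2010   still logged in
user1    tty1                          Fri Mar 12 07:38:55 2010 - Fri Mar 12 07:39:50 2010  (00:00)
root     pts/1        203.0.113.45     Thu Mar 11 18:04:10 2010 - Thu Mar 11 18:09:31 2010  (00:05)
reboot   system boot  2.6.32-ARCH      Thu Mar 11 17:59:02 2010 - Fri Mar 12 07:40:01 2010  (13:41)

wtmp begins Sun Mar  7 10:00:00 2010
EOF

# Constructed sample of sshd lines as they appear in an auth log (not real data).
cat > "$WORK/auth.log" <<'EOF'
Mar 11 18:03:40 arch sshd[2210]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 11 18:03:43 arch sshd[2210]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 11 18:03:47 arch sshd[2212]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Mar 11 18:04:02 arch sshd[2215]: Accepted password for root from 203.0.113.45 port 51100 ssh2
Mar 11 18:04:02 arch sshd[2215]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF

# Constructed stand-in for /tmp: two ordinary desktop scratch dirs, plus a
# hidden dir and an executable script (the last two are what should be flagged).
mkdir -p "$WORK/tmp/orbit-user1" "$WORK/tmp/plugtmp" "$WORK/tmp/.x"
: > "$WORK/tmp/.x/payload"
printf '#!/bin/sh\n' > "$WORK/tmp/update.sh"
chmod u+x "$WORK/tmp/update.sh"

# 1. Remote logins whose source address is outside an allowed regex, plus any
#    remote root login regardless of source.  Usage: unexpected_logins FILE REGEX
unexpected_logins() {
    awk -v allowed="$2" '
        $1 == "reboot" || $1 == "wtmp" || NF == 0 { next }
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && ($3 !~ allowed || $1 == "root") {
            print $1, $2, $3
        }' "$1"
}

# 2. Failed ssh authentications grouped by source address, busiest first.
failed_ssh_by_source() {
    grep 'Failed password' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# 3. Successful ssh logins as "user host" pairs.
accepted_ssh_logins() {
    awk '/sshd.*Accepted/ {
        for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") h = $(i + 1) }
        print u, h
    }' "$1"
}

# 4. Hidden entries and owner-executable regular files under a scratch directory.
suspicious_tmp() {
    find "$1" -mindepth 1 \( -name '.*' -prune -o -type f -perm -100 \) -print | sort
}

report() {
    echo "== remote logins outside allowed range, or as root =="
    unexpected_logins "$WORK/last.txt" '^(192[.]168[.]|127[.])'
    echo "== failed ssh auth by source =="
    failed_ssh_by_source "$WORK/auth.log"
    echo "== accepted ssh logins =="
    accepted_ssh_logins "$WORK/auth.log"
    echo "== hidden or executable entries in tmp =="
    suspicious_tmp "$WORK/tmp"
}
report
```

Ordinary desktop scratch directories will show up in /tmp on any workstation; what matters is who owns an entry, when it was created, and whether it is executable or hidden, which is why the last function flags only those two properties rather than unfamiliar names. Bear in mind that `last` reads wtmp and the log scan reads files an intruder with root could edit, so a clean result here is evidence, not proof.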
Well, given that the password was not very strong, I assume someone cracked or sniffed it. Do you always check if you have a secure connection? Sniffing unencrypted channels isn't too hard. Also, there are plenty of fairly efficient ways to crack passwords: dictionary attacks, hash tables, etc. I think it's unlikely someone installed a rootkit on your PC, given the alternatives.
Offline
tkdfighter, I understand and I don't necessarily disagree, which is why I mentioned the weakness of the password in the first place. OTOH, I've had this World of Warcraft account for several years (been playing wow since it first came out) and I've never been hacked. If my system has been compromised and I change my password, it will just be compromised again. If my system hasn't been compromised, investigating doesn't hurt anything, so I'd prefer to investigate first.
last didn't show me anything unexpected.
I'm not sure just how qualified I am to determine what's strange in the logs, but the following is what jumps out at me.
It looks like cron attempted to mail out for user root (sys-daily) on the 7th, 8th, and 9th, but not the 10th, 11th, or 12th.
In the logs I'm seeing where dbus failed to reload a configuration because it couldn't open /etc/dbus-1/system.conf, followed by the configuration successfully loading twice in a row within 3 seconds of each other. The file /etc/dbus-1/system.conf currently exists on my system.
The mail out of cron happened at 18:03, the configuration error of dbus happened at 18:04.
I'm also seeing a lot of messages in messages.log about invalid module or alias names (acpi:LNXSYBUS, acpi:device, acpi:PNP0C02, etc).
I'm not recognizing the following in the tmp directory.
orbit-<username>
plugtmp
plugtmp-1
Offline
Account hackers are getting very aggressive in WoW. Many are sending in-game messages to people with blizz-name type names and telling you to log into a site to check your security. You can tell these are false because you can't reply to them, also their English is terrible. They use the same methods as gold spammers to send tells to people in game. Check that you are not connecting to a false battle-net, your browser could have been redirected.
Offline
yea, they always whisper about free mounts, etc.
I haven't logged into the blizzard website since before I re-installed arch. I very rarely log into it actually honestly. Every once in a while I'll post on the forums, but even that hasn't happened since re-installation of arch.
One thing of note is that I received 5 or 6 messages in my wow mail the other day about presents. It was obvious scam material and I simply deleted them out of my mail. As far as I know, I haven't seen or done anything wow related outside of the wow client for a long time.
Offline
Did you check your system with tools like chkrootkit or rkhunter? Try them, maybe they'll find something suspicious.
Offline
chkrootkit reported nothing suspicious, but I'm getting several warnings with rkhunter.
I've looked online and these seemed to be referred to as possible false positives as opposed to definite problems. If you guys could look this over and tell me if I have cause for worry I'd appreciate it. I've included only the warnings for brevity.
[07:52:01] Performing file properties checks
[07:52:01] Info: Starting test name 'properties'
[07:52:01] Warning: Checking for prerequisites [ Warning ]
[07:52:01] No output from the 'lsattr' command - all file immutable-bit checks will be skipped.
[07:52:07] Warning: The command '/usr/bin/csh' has been replaced by a script: /usr/bin/csh: POSIX shell script text executable
[07:52:08] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[07:52:13] /usr/bin/tcsh [ Warning ]
[07:52:13] Warning: The command '/usr/bin/tcsh' has been replaced by a script: /usr/bin/tcsh: POSIX shell script text executable
[07:52:16] /usr/sbin/adduser [ Warning ]
[07:52:16] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text executable
[07:53:29] Warning: Adore Rootkit [ Warning ]
[07:53:29] File '/usr/sbin/kfd' found
[07:54:54] Checking if SSH root access is allowed [ Warning ]
[07:54:54] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[07:54:54] Checking for syslog configuration file [ Warning ]
[07:54:54] Warning: The syslog daemon is running, but no configuration file can be found.
I apologize if it seems like I'm being lazy. I'm extremely ignorant of these issues and I'm not even sure where to start looking to find information on whether these things are problematic or not.
Last edited by mreiland (2010-03-13 14:07:23)
Offline
The warnings look innocuous and the kfd one is a false positive. If you are using ssh make sure PermitRootLogin is set to no.
All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.
Offline
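The PermitRootLogin warning above comes down to how sshd reads its config: the first value it finds for a keyword wins, later duplicates are ignored, and a value inside a "Match" block applies only to that block. The script below is an added example, not code from the thread or from OpenSSH; it checks what sshd would actually use and writes a hardened copy. It runs over three constructed sample configs (the file names and contents are assumptions), so point it at /etc/ssh/sshd_config to check a real system.

```shell
#!/bin/sh
# Added example (not from the thread): report the global PermitRootLogin
# value sshd would use, and produce a copy of the config with it forced to "no".

WORK=$(mktemp -d)

# Constructed config 1: only the commented-out default, i.e. effectively unset.
cat > "$WORK/unset.conf" <<'EOF'
#PermitRootLogin yes
Port 22
Protocol 2
EOF

# Constructed config 2: explicitly allows root; the later "no" is ignored by sshd.
cat > "$WORK/yes.conf" <<'EOF'
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF

# Constructed config 3: set only inside a Match block, so the global value is unset.
cat > "$WORK/match.conf" <<'EOF'
Port 22
Match Address 192.168.1.0/24
    PermitRootLogin yes
EOF

# Print the global PermitRootLogin value sshd would use, or "unset".
# Keywords are case-insensitive; "Key=value" spelling and trailing comments are handled.
permit_root_login() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        NF == 0 { next }
        { key = tolower($1); sub(/=.*/, "", key) }
        key == "match" { in_match = 1 }
        !in_match && key == "permitrootlogin" && !found {
            val = $0; sub(/^[^ \t=]+[ \t=]+/, "", val); sub(/[ \t]+$/, "", val)
            print tolower(val); found = 1
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Write CONFIG.hardened with the global PermitRootLogin forced to "no": the first
# global occurrence is rewritten and later global duplicates dropped; if there is
# none, the directive is put at the top so it lands before any Match block.
harden_permit_root_login() {
    out="$1.hardened"
    if [ "$(permit_root_login "$1")" = unset ]; then
        { echo "PermitRootLogin no"; cat "$1"; } > "$out"
    else
        awk '
            { key = tolower($1); sub(/=.*/, "", key) }
            key == "match" { in_match = 1 }
            !in_match && key == "permitrootlogin" {
                if (!done) { print "PermitRootLogin no"; done = 1 }
                next
            }
            { print }
        ' "$1" > "$out"
    fi
    echo "$out"
}

report() {
    for f in "$WORK/unset.conf" "$WORK/yes.conf" "$WORK/match.conf"; do
        v=$(permit_root_login "$f")
        case "$v" in
            no)    status="ok" ;;
            unset) status="WARNING: unset, the built-in default decides" ;;
            *)     status="WARNING: root login allowed ($v)" ;;
        esac
        printf '%s: %s\n' "$f" "$status"
        h=$(harden_permit_root_login "$f")
        printf '  hardened copy %s -> %s\n' "$h" "$(permit_root_login "$h")"
    done
}
report
```

On a live system, `sshd -T` prints the effective configuration after all defaults and Match processing, which is the authoritative answer; the parser here is for reading a config file offline or from a backup. Newer OpenSSH releases (7.0 and later) default PermitRootLogin to prohibit-password rather than yes, but setting it explicitly to no removes the dependence on whichever version is installed.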
Looks like that adore rootkit issue is a known false positive in rkhunter. http://bbs.archlinux.org/viewtopic.php?id=86539
However, it looks to me like your dbus issue is consistent with the way the adore rootkit works. It is loaded as a kernel module. Once it's loaded you can't trust any of your logs because adore hides itself.
If your system doesn't have anything important on it, as a precaution you could reinstall it. You'd probably want to wipe everything - config files, home directory and all. You could probably back up the specific files you want to save but I'd be careful about saving whole directories without looking through them carefully.
Offline