#1 2005-05-23 22:09:34

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Shit, I've been infected!

From chkrootkit:

Checking `bindshell'... INFECTED (PORTS:  1008)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! proteus      5789 pts/0  bash
! root         5798 pts/0  su
! root         5799 pts/0  bash
! root         5801 pts/0  /bin/sh ./chkrootkit
! root         7398 pts/0  ./chkutmp
! root         7399 pts/0  ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted

Okay... What do I do about this? And how the hell did I get the damn thing? I use a good NAT router, and never run sshd...

Also, some weird stuff, again from chkrootkit:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/current/i686-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/Image/Magick/.packlist

And in case you ask: yes, I scan regularly with chkrootkit. It's a habit from the bad old days of Win98 usage, when I used AVG and F-Prot for DOS...


#2 2005-05-23 22:37:47

Shofs
Member
From: Central Illinois
Registered: 2004-12-15
Posts: 184

Re: Shit, I've been infected!

.
..
...
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/current/i686-linux-thread-multi/auto/Gaim/.packlist /usr/lib/perl5/current/i686-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/Gtk/Gdk/Pixbuf/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/Gtk/Gdk/ImlibImage/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/Gtk/base/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/Image/Magick/.packlist
...
...
....
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! ryan        26750 pts/0  su -
! root        26751 pts/0  -bash
! root        26843 pts/0  /bin/sh ./chkrootkit
! root        28405 pts/0  ./chkutmp
! root        28406 pts/0  ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted

Maybe it has to do with the updated chkrootkit . . . ?
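The chkutmp finding quoted in this post and in post #1, as an added example that is not part of the thread: a simplified model of the cross-check behind that output, plus the triage step the tool leaves to the reader. It assumes chkutmp behaves like "flag any process on a tty that has no utmp login record" (the real tool's matching may differ in detail); the pts/0 process lines come from this post, while the tty1 and pts/2 lines and the utmp table are constructed.

```python
# Added example, not from the thread. Simplifying assumption: chkutmp is
# modelled as "a process sits on a tty with no utmp login record"; the real
# tool's matching may differ in detail. The pts/0 lines are from post #2;
# the tty1 and pts/2 lines and UTMP_LINES are constructed sample data.
from collections import defaultdict

# Lines in the shape of `ps ax -o tty,pid,ruser,args` output.
PS_OUTPUT = """\
tty1  26700 ryan -bash
pts/0 26750 ryan su -
pts/0 26751 root -bash
pts/0 26843 root /bin/sh ./chkrootkit
pts/0 28405 root ./chkutmp
pts/0 28406 root ps ax -o tty,pid,ruser,args
pts/2 30001 root sleep 3600
?     1     root init
"""

# utmp "line" fields. A terminal emulator that does not write utmp leaves its
# pty unrecorded, and `su` adds no record either, so pts/0 is missing here.
UTMP_LINES = {"tty1"}

SCANNER = "./chkutmp"   # the helper chkrootkit spawns for this test

def parse_ps(text):
    """-> list of (tty, pid, ruser, cmd) tuples."""
    rows = []
    for line in text.splitlines():
        tty, pid, ruser, *args = line.split()
        rows.append((tty, int(pid), ruser, " ".join(args)))
    return rows

def chkutmp(rows, utmp_lines):
    """Processes on a tty that utmp knows nothing about (the tool's hit list)."""
    return [r for r in rows if r[0] != "?" and r[0] not in utmp_lines]

def triage(hits):
    """Group hits per tty; the tty carrying the scanner itself is our own session."""
    by_tty = defaultdict(list)
    for r in hits:
        by_tty[r[0]].append(r)
    own = {tty for tty, rs in by_tty.items() if any(r[3] == SCANNER for r in rs)}
    return {tty: ("own session, pty not registered in utmp" if tty in own
                  else "unexplained: check who started these")
            for tty in by_tty}

if __name__ == "__main__":
    hits = chkutmp(parse_ps(PS_OUTPUT), UTMP_LINES)
    for r in hits:
        print("%-6s %6d %-8s %s" % r)
    print(triage(hits))
```

Every process on pts/0 is reported, exactly as in the quoted output, because the whole pty is unknown to utmp; only the pts/2 group is left for a closer look.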


#3 2005-05-23 22:49:06

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: Shit, I've been infected!

Okay, looks like this was a false alarm... I scanned again, twice, and I got the okay for bindshell. Damned if I know what was going on there...

Of course, now I have this:

Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets

WTF is that about? :?
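The bindshell hit that went away on rescan, as an added example that is not from the thread: chkrootkit's bindshell test searches netstat output for a fixed list of ports, and a short-lived connection whose local port happens to be on that list can trip it and be gone by the next scan. This script reports only sockets actually bound and listening on a watched port, which is what a bound shell would look like; WATCHED_PORTS is a constructed subset of the tool's list (1008 is from the thread) and NETSTAT is constructed `netstat -an` output, not taken from the poster's machine.

```python
# Added example (not from the thread): a defender-side re-check of a chkrootkit
# "bindshell ... INFECTED (PORTS: 1008)" result. Assumptions: WATCHED_PORTS is
# a constructed subset of the tool's port list (1008 is from the thread);
# NETSTAT is constructed `netstat -an` output.
import re

WATCHED_PORTS = {1008, 1524, 31337}

NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:1008        192.168.1.2:2049        ESTABLISHED
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port, remote addr:port, optional state
LINE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)$")

def naive_hit(netstat, ports=WATCHED_PORTS):
    """Any watched port number appearing anywhere in the listing: the kind of
    match that a passing client connection on that local port can trigger."""
    return {p for p in ports if re.search(rf"[.:]{p}[^0-9]", netstat)}

def listening_hit(netstat, ports=WATCHED_PORTS):
    """Only sockets bound on a watched port and (for TCP) in LISTEN state."""
    hits = []
    for line in netstat.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, _laddr, lport, _raddr, _rport, state = m.groups()
        if int(lport) not in ports:
            continue
        if proto == "tcp" and state != "LISTEN":
            continue  # our side of an outgoing connection, not a listener
        hits.append((proto, int(lport), state or "unconnected"))
    return hits

if __name__ == "__main__":
    print("naive match:   ", sorted(naive_hit(NETSTAT)))   # [1008, 1524]
    print("listening only:", listening_hit(NETSTAT))       # [('tcp', 1524, 'LISTEN')]
```

A listening hit is still only a lead: identify the owning process (netstat -anp or lsof -i) before concluding anything.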


#4 2005-05-23 23:29:13

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Shit, I've been infected!

Practically, that means that there's no sniffer attached to it. In other words: It couldn't be in a less suspicious state.


#5 2005-05-23 23:31:40

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: Shit, I've been infected!

Ahh... Thanks.

(Sorry about this... Win98 taught me to be paranoid, but I'm not all that knowledgeable about Linux security.)


#6 2005-05-24 01:44:00

T-Dawg
Forum Fellow
From: Wilmington, NC
Registered: 2005-01-29
Posts: 2,734

Re: Shit, I've been infected!

Gullible Jones wrote:

Ahh... Thanks.

(Sorry about this... Win98 taught me to be paranoid, but I'm not all that knowledgeable about Linux security.)

Hey, all Windows taught me to be paranoid... Linux has got great security. That's why I ditched it altogether 7 months ago and never turned back.


#7 2005-05-24 02:02:25

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Shit, I've been infected!

Just don't forget to make your daily backup. Whether it's broken hardware or exploits, it's better to have a backup ready.


#8 2005-05-24 02:07:39

T-Dawg
Forum Fellow
From: Wilmington, NC
Registered: 2005-01-29
Posts: 2,734

Re: Shit, I've been infected!

What do you use for a backup program? I thought of using hdup, but it looked like I had to have a separate machine to back up onto (didn't look too much into it though). I just need to back up onto my other hard drive.


#9 2005-05-24 05:56:43

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,431

Re: Shit, I've been infected!

I just use a script to back up /etc - guess you could keep a list of currently installed packages - it'd be easy to reinstall Arch with that list and the /etc backup, eh?


#10 2005-05-24 10:05:48

Kern
Member
From: UK
Registered: 2005-02-09
Posts: 464

Re: Shit, I've been infected!

Re backups: I hear mondorescue is good.

Re chkrootkit: this has been known to show false positives sometimes. Maybe also run rootkithunter at the same time.


#11 2005-05-24 12:02:25

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Shit, I've been infected!

Penguin wrote:

What do you use for a backup program?

I use hdup. You can back up to wherever you want.


#12 2005-05-25 04:05:14

chane
Member
Registered: 2003-12-02
Posts: 93

Re: Shit, I've been infected!

Penguin wrote:

What do you use for a backup program?

We use Box Backup (there is a user-contributed build in the AUR).

It's pretty simple to set up and use, and it has rolling snapshot backups.

Chris....


#13 2005-05-25 12:44:41

timm
Member
From: Wisconsin
Registered: 2004-02-25
Posts: 417

Re: Shit, I've been infected!

Penguin wrote:

What do you use for a backup program?

We use Bacula for tape or for hard drive backup. It does pretty much everything we need done.

Powered by FluxBB