Old 08-03-2008, 01:13 PM
Adam Hardy
 
chkrootkit infected ports 2881

My webserver system is actually a UML slice of a system at memset.co.uk and all
it does is run Apache Tomcat and sshd and the stuff from memset - I thought it
was pretty safe until I came back today and found my nightly email report from
chkrootkit said:


The following suspicious files and directories were found:
/lib/init/rw/.ramfs

INFECTED (PORTS: 2881)

The .ramfs started appearing when I upgraded chkrootkit, so I never worried
about it, but Friday night's INFECTED alert was a slap in the face with a wet
fish. Saturday night's report went back to normal - no mention of the port.


I scanned it from grc.com/x/portprobe and it came back as closed.

The only mention I can find in the logs is:

root@hardyaa1:~# grep 2881 /var/log/*
/var/log/setuid.today:
2881 660 1 root disk 0 Wed Apr 30 11:32:37 2008
/dev/rd/c1d30

r

and that's a PID, not a port, right?

So how bad does this look? Should I clean the system? If it is rooted, how can I
tell what the security flaw was? My password at that point (since changed) was
CE0dff2*£ so if it was a brute force attack, then wow, they did well.



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 08-04-2008, 10:15 AM
Adam Hardy
 
chkrootkit infected ports 2881

Adam Hardy on 03/08/08 14:13, wrote:
My webserver system is actually a UML slice of a system at memset.co.uk
and all it does is run Apache Tomcat and sshd and the stuff from memset
- I thought it was pretty safe until I came back today and found my
nightly email report from chkrootkit said:


The following suspicious files and directories were found:
/lib/init/rw/.ramfs

INFECTED (PORTS: 2881)

The .ramfs started appearing when I upgraded chkrootkit, so I never
worried about it, but Friday night's INFECTED alert was a slap in the
face with a wet fish. Saturday night's report went back to normal - no
mention of the port.


I scanned it from grc.com/x/portprobe and it came back as closed.

The only mention I can find in the logs is:

root@hardyaa1:~# grep 2881 /var/log/*
/var/log/setuid.today:
2881 660 1 root disk 0 Wed Apr 30 11:32:37
2008 /dev/rd/c1d30

r

and that's a PID, not a port, right?

So how bad does this look? Should I clean the system? If it is rooted,
how can I tell what the security flaw was? My password at that point
(since changed) was CE0dff2*£ so if it was a brute force attack, then
wow, they did well.


I talked to the support at the hosting company and they looked at the system and
said they couldn't see anything wrong with it - but they can re-image it for me
which normally costs a fee.


Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is infected.


Adam


 
Old 08-04-2008, 10:48 AM
Thomas Preud'homme
 
chkrootkit infected ports 2881

On Monday 4 August 2008, Adam Hardy wrote:
> Adam Hardy on 03/08/08 14:13, wrote:
> > My webserver system is actually a UML slice of a system at
> > memset.co.uk and all it does is run Apache Tomcat and sshd and the
> > stuff from memset - I thought it was pretty safe until I came back
> > today and found my nightly email report from chkrootkit said:
> >
> > The following suspicious files and directories were found:
> > /lib/init/rw/.ramfs
> >
> > INFECTED (PORTS: 2881)
> >
> > The .ramfs started appearing when I upgraded chkrootkit, so I never
> > worried about it, but Friday night's INFECTED alert was a slap in
> > the face with a wet fish. Saturday night's report went back to
> > normal - no mention of the port.
> >
> > I scanned it from grc.com/x/portprobe and it came back as closed.
> >
> > The only mention I can find in the logs is:
> >
> > root@hardyaa1:~# grep 2881 /var/log/*
> > /var/log/setuid.today:
> > 2881 660 1 root disk 0 Wed Apr 30
> > 11:32:37 2008 /dev/rd/c1d30
> > r
> >
> > and that's a PID, not a port, right?
> >
> > So how bad does this look? Should I clean the system? If it is
> > rooted, how can I tell what the security flaw was? My password at
> > that point (since changed) was CE0dff2*£ so if it was a brute force
> > attack, then wow, they did well.
>
> I talked to the support at the hosting company and they looked at the
> system and said they couldn't see anything wrong with it - but they
> can re-image it for me which normally costs a fee.
>
> Is it worth re-imaging my system and re-installing everything?
>
> I still have no idea what chkrootkit means when it says a port is
> infected.
>
>
> Adam

I don't think it's that important. chkrootkit seems a little hazardous
since there was a bug about chkrootkit killing a random process (in
fact one of its tests was sending a signal to process 12345; this bug
has been corrected).

I think a good anti-rootkit should be launched from another system to be
sure it's not deactivated by a smart rootkit.

Regards,

Thomas Preud'homme

--
Why Debian : http://www.debian.org/intro/why_debian
 
Old 08-04-2008, 12:12 PM
Adam Hardy
 
chkrootkit infected ports 2881

Thomas Preud'homme on 04/08/08 11:48, wrote:

On Monday 4 August 2008, Adam Hardy wrote:

Adam Hardy on 03/08/08 14:13, wrote:

My webserver system is actually a UML slice of a system at
memset.co.uk and all it does is run Apache Tomcat and sshd and the
stuff from memset - I thought it was pretty safe until I came back
today and found my nightly email report from chkrootkit said:

The following suspicious files and directories were found:
/lib/init/rw/.ramfs

INFECTED (PORTS: 2881)

The .ramfs started appearing when I upgraded chkrootkit, so I never
worried about it, but Friday night's INFECTED alert was a slap in
the face with a wet fish. Saturday night's report went back to
normal - no mention of the port.

I scanned it from grc.com/x/portprobe and it came back as closed.

The only mention I can find in the logs is:

root@hardyaa1:~# grep 2881 /var/log/*
/var/log/setuid.today:
2881 660 1 root disk 0 Wed Apr 30
11:32:37 2008 /dev/rd/c1d30
r

and that's a PID, not a port, right?

So how bad does this look? Should I clean the system? If it is
rooted, how can I tell what the security flaw was? My password at
that point (since changed) was CE0dff2*£ so if it was a brute force
attack, then wow, they did well.

I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.

Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is
infected.


Adam


I don't think it's that important. chkrootkit seems a little hazardous
since there was a bug about chkrootkit killing a random process (in
fact one of its tests was sending a signal to process 12345; this bug
has been corrected).


I think a good anti-rootkit should be launched from another system to be
sure it's not deactivated by a smart rootkit.


Hopefully that is simpler than it sounds! What anti-rootkit are you thinking of?
I use chkrootkit and rkhunter.



Adam


 
Old 08-04-2008, 12:39 PM
Thomas Preud'homme
 
chkrootkit infected ports 2881

On Monday 04 August 2008, Adam Hardy wrote:
> Thomas Preud'homme on 04/08/08 11:48, wrote:
> > On Monday 4 August 2008, Adam Hardy wrote:
> >> Adam Hardy on 03/08/08 14:13, wrote:
> >>> My webserver system is actually a UML slice of a system at
> >>> memset.co.uk and all it does is run Apache Tomcat and sshd and
> >>> the stuff from memset - I thought it was pretty safe until I came
> >>> back today and found my nightly email report from chkrootkit
> >>> said:
> >>>
> >>> The following suspicious files and directories were found:
> >>> /lib/init/rw/.ramfs
> >>>
> >>> INFECTED (PORTS: 2881)
> >>>
> >>> The .ramfs started appearing when I upgraded chkrootkit, so I
> >>> never worried about it, but Friday night's INFECTED alert was a
> >>> slap in the face with a wet fish. Saturday night's report went
> >>> back to normal - no mention of the port.
> >>>
> >>> I scanned it from grc.com/x/portprobe and it came back as closed.
> >>>
> >>> The only mention I can find in the logs is:
> >>>
> >>> root@hardyaa1:~# grep 2881 /var/log/*
> >>> /var/log/setuid.today:
> >>> 2881 660 1 root disk 0 Wed Apr 30
> >>> 11:32:37 2008 /dev/rd/c1d30
> >>> r
> >>>
> >>> and that's a PID, not a port, right?
> >>>
> >>> So how bad does this look? Should I clean the system? If it is
> >>> rooted, how can I tell what the security flaw was? My password at
> >>> that point (since changed) was CE0dff2*£ so if it was a brute
> >>> force attack, then wow, they did well.
> >>
> >> I talked to the support at the hosting company and they looked at
> >> the system and said they couldn't see anything wrong with it - but
> >> they can re-image it for me which normally costs a fee.
> >>
> >> Is it worth re-imaging my system and re-installing everything?
> >>
> >> I still have no idea what chkrootkit means when it says a port is
> >> infected.
> >>
> >>
> >> Adam
> >
> > I don't think it's that important. chkrootkit seems a little
> > hazardous since there was a bug about chkrootkit killing a random
> > process (in fact one of its tests was sending a signal to process
> > 12345; this bug has been corrected).
> >
> > I think a good anti-rootkit should be launched from another system
> > to be sure it's not deactivated by a smart rootkit.
>
> Hopefully that is simpler than it sounds! What anti-rootkit are you
> thinking of? I use chkrootkit and rkhunter.

Unfortunately I haven't any reference, but hoping a rootkit on your
computer being launched once a day will protect you is like hoping an
anti-virus will protect you even if a smart virus infects your computer
between two launches. It's better than nothing but I don't think it's
sufficient.

I think you can safely discard this warning from chkrootkit or, if you're
cautious (it's very good), then ask the maintainer or, better, the
upstream developer of this software.

>
>
> Adam



Regards,

Thomas Preud'homme

--
Why Debian : http://www.debian.org/intro/why_debian
 
Old 08-04-2008, 12:48 PM
"thveillon.debian"
 
chkrootkit infected ports 2881

Adam Hardy on 03/08/08 14:13, wrote:

[...snip]

I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.

Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is
infected.


Adam


Hi,
Chkrootkit is known to fall for quite a few false positives, for example
if you run Portsentry or such anti-portscan daemon, it also can detect
legitimate services like dhcpd or such as sniffers, which isn't really
incorrect but not a problem. I never heard of 2881 as being one of
those, but maybe getting in touch with the dev team could give you an
easy answer.

http://www.chkrootkit.org/

Maybe the only way to know for sure would be scanning all traffic from
another system regarding this port to see if anything suspicious can be
spotted, and maybe running an integrity check with debsums or such on
conf files, comparing the result with a backup from an earlier state or
a known sane system.


What would really be interesting is to spot the precise day when the
warning first occurred from your system logs, and see if you can spot
any change in configuration that could have triggered it (update ?).
That is, if your system really is infected you cannot trust anything and
especially not the logs...


Tom


 
Old 08-04-2008, 01:50 PM
Adam Hardy
 
chkrootkit infected ports 2881

thveillon.debian on 04/08/08 13:48, wrote:

Adam Hardy on 03/08/08 14:13, wrote:

[...snip]

I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.

Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is
infected.


Adam


Hi,
Chkrootkit is known to fall for quite a few false positives, for example
if you run Portsentry or such anti-portscan daemon, it also can detect
legitimate services like dhcpd or such as sniffers, which isn't really
incorrect but not a problem. I never heard of 2881 as being one of
those, but maybe getting in touch with the dev team could give you an
easy answer.

http://www.chkrootkit.org/

Maybe the only way to know for sure would be scanning all traffic from
another system regarding this port to see if anything suspicious can be
spotted, and maybe running an integrity check with debsums or such on
conf files, comparing the result with a backup from an earlier state or
a known sane system.


What would really be interesting is to spot the precise day when the
warning first occurred from your system logs, and see if you can spot
any change in configuration that could have triggered it (update ?).
That is, if your system really is infected you cannot trust anything and
especially not the logs...



I got that message in the email from early Saturday morning's cronjob.

I have been following instructions on

http://www.cert.org/tech_tips/intruder_detection_checklist.html

and I found that step 2 (look for setuid and setgid files) produces a file list:

root@hardyaa1:~# find / -xdev -user root -perm -4000 -print
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/sbin/unix_chkpwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/X
/usr/bin/sudo
/usr/bin/gpg
/usr/bin/sudoedit
/usr/bin/netselect
/usr/bin/traceroute.lbl
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/apache/suexec.disabled
/usr/lib/libfakeroot-tcp.so
/usr/lib/libfakeroot-sysv.so

Again, I'm stumbling in the dark here. cert.org doesn't explain what this list
of files signifies, it just implies that I shouldn't see it.


Also, I still have no idea what chkrootkit detected which made it decide to send
an INFECTED alert on that port.



Regards
Adam


 
Old 08-04-2008, 01:52 PM
Adam Hardy
 
chkrootkit infected ports 2881

Thomas Preud'homme on 04/08/08 13:39, wrote:

On Monday 04 August 2008, Adam Hardy wrote:

Thomas Preud'homme on 04/08/08 11:48, wrote:

On Monday 4 August 2008, Adam Hardy wrote:

Adam Hardy on 03/08/08 14:13, wrote:

My webserver system is actually a UML slice of a system at
memset.co.uk and all it does is run Apache Tomcat and sshd and
the stuff from memset - I thought it was pretty safe until I came
back today and found my nightly email report from chkrootkit
said:

The following suspicious files and directories were found:
/lib/init/rw/.ramfs

INFECTED (PORTS: 2881)

The .ramfs started appearing when I upgraded chkrootkit, so I
never worried about it, but Friday night's INFECTED alert was a
slap in the face with a wet fish. Saturday night's report went
back to normal - no mention of the port.

I scanned it from grc.com/x/portprobe and it came back as closed.

The only mention I can find in the logs is:

root@hardyaa1:~# grep 2881 /var/log/*
/var/log/setuid.today:
2881 660 1 root disk 0 Wed Apr 30
11:32:37 2008 /dev/rd/c1d30
r

and that's a PID, not a port, right?

So how bad does this look? Should I clean the system? If it is
rooted, how can I tell what the security flaw was? My password at
that point (since changed) was CE0dff2*£ so if it was a brute
force attack, then wow, they did well.

I talked to the support at the hosting company and they looked at
the system and said they couldn't see anything wrong with it - but
they can re-image it for me which normally costs a fee.

Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is
infected.


Adam

I don't think it's that important. chkrootkit seems a little
hazardous since there was a bug about chkrootkit killing a random
process (in fact one of its tests was sending a signal to process
12345; this bug has been corrected).

I think a good anti-rootkit should be launched from another system
to be sure it's not deactivated by a smart rootkit.

Hopefully that is simpler than it sounds! What anti-rootkit are you
thinking of? I use chkrootkit and rkhunter.


Unfortunately I haven't any reference, but hoping a rootkit on your
computer being launched once a day will protect you is like hoping an
anti-virus will protect you even if a smart virus infects your computer
between two launches. It's better than nothing but I don't think it's
sufficient.


Yes, you are right, and I have been too slack to get around to changing it. I am
looking at installing tripwire (after a fresh install) to be able to check up
what is going on after the fact.





 
Old 08-04-2008, 02:32 PM
Thomas Preud'homme
 
chkrootkit infected ports 2881

On Monday 04 August 2008, Adam Hardy wrote:
> thveillon.debian on 04/08/08 13:48, wrote:
> >>>> Adam Hardy on 03/08/08 14:13, wrote:
> >
> > [...snip]
> >
> >>>> I talked to the support at the hosting company and they looked
> >>>> at the system and said they couldn't see anything wrong with it
> >>>> - but they can re-image it for me which normally costs a fee.
> >>>>
> >>>> Is it worth re-imaging my system and re-installing everything?
> >>>>
> >>>> I still have no idea what chkrootkit means when it says a port
> >>>> is infected.
> >>>>
> >>>>
> >>>> Adam
> >
> > Hi,
> > Chkrootkit is known to fall for quite a few false positives, for
> > example if you run Portsentry or such anti-portscan daemon, it also
> > can detect legitimate services like dhcpd or such as sniffers,
> > which isn't really incorrect but not a problem. I never heard of
> > 2881 as being one of those, but maybe getting in touch with the dev
> > team could give you an easy answer.
> > http://www.chkrootkit.org/
> >
> > Maybe the only way to know for sure would be scanning all traffic
> > from another system regarding this port to see if anything
> > suspicious can be spotted, and maybe running an integrity check
> > with debsums or such on conf files, comparing the result with a
> > backup from an earlier state or a known sane system.
> >
> > What would really be interesting is to spot the precise day when
> > the warning first occurred from your system logs, and see if you
> > can spot any change in configuration that could have triggered it
> > (update ?). That is, if your system really is infected you cannot
> > trust anything and especially not the logs...
>
> I got that message in the email from early Saturday morning's
> cronjob.
>
> I have been following instructions on
>
> http://www.cert.org/tech_tips/intruder_detection_checklist.html
>
> and I found that step 2 (look for setuid and setgid files) produces a
> file list:
>
> root@hardyaa1:~# find / -xdev -user root -perm -4000 -print
> /bin/su
> /bin/mount
> /bin/umount
> /bin/ping
> /bin/ping6
> /sbin/unix_chkpwd
> /usr/bin/newgrp
> /usr/bin/chfn
> /usr/bin/chsh
> /usr/bin/gpasswd
> /usr/bin/passwd
> /usr/bin/X
> /usr/bin/sudo
> /usr/bin/gpg
> /usr/bin/sudoedit
> /usr/bin/netselect
> /usr/bin/traceroute.lbl
> /usr/lib/pt_chown
> /usr/lib/openssh/ssh-keysign
> /usr/lib/apache/suexec.disabled
> /usr/lib/libfakeroot-tcp.so
> /usr/lib/libfakeroot-sysv.so
>
> Again, I'm stumbling in the dark here. cert.org doesn't explain what
> this list of files signifies, it just implies that I shouldn't see
> it.
>
> Also, I still have no idea what chkrootkit detected which made it
> decide to send an INFECTED alert on that port.
>
>
> Regards
> Adam

Executables with setuid set and owned by root will have root rights even if
they are launched by a user who is not root. Programs with setuid set
are launched with the rights of the owner of the program (here root).

So it could be a security hole, and the list of such programs must be as
small as possible. Here I don't see any strange program which shouldn't
have setuid set, so it's fine, don't worry.

Regards,

Thomas Preud'homme

--
Why Debian : http://www.debian.org/intro/why_debian
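Thomas's point, that the setuid-root list should be kept as small as possible and checked for strangers, is easiest to act on with a recorded baseline. The script below is an added example (not from this thread, not from chkrootkit) that lists setuid-root files the way Adam's find command does and reports drift against a baseline file; the baseline path and the entries in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit setuid-root binaries against a
# baseline recorded on a known-good system. The baseline file is an assumption;
# record it once on a fresh install with the same find command Adam used:
#   find / -xdev -user root -perm -4000 -print | sort > /root/setuid.baseline
export LC_ALL=C   # comm needs both inputs sorted with the same collation

# Print the sorted list of setuid-root files under a root directory (default /).
# -xdev keeps the scan on one filesystem, as in the thread.
list_setuid_root() {
    find "${1:-/}" -xdev -user root -perm -4000 -print 2>/dev/null | sort
}

# Compare a baseline list file against a current list file (both sorted, one
# path per line). Prints "+ path" for setuid files that are new since the
# baseline and "- path" for baseline entries that have disappeared.
# Empty output means no drift.
setuid_drift() {
    baseline="$1"; current="$2"
    comm -13 "$baseline" "$current" | sed 's/^/+ /'   # only in current
    comm -23 "$baseline" "$current" | sed 's/^/- /'   # only in baseline
}

# Exit status 0 when the current list matches the baseline, 1 otherwise,
# so a nightly cron job can mail only when something changed.
setuid_check() {
    [ -z "$(setuid_drift "$1" "$2")" ]
}

# Demo on constructed data: a short baseline of entries from Adam's list, and a
# "current" list where sudo is gone and a constructed extra setuid file appeared.
demo_setuid_drift() {
    tmp="$(mktemp -d)"
    printf '%s\n' /bin/mount /bin/su /usr/bin/passwd /usr/bin/sudo > "$tmp/baseline"
    printf '%s\n' /bin/mount /bin/su /tmp/.hidden/sh /usr/bin/passwd > "$tmp/current"
    setuid_drift "$tmp/baseline" "$tmp/current"
    rm -rf "$tmp"
}

# Real use (paths are assumptions):
#   list_setuid_root > /var/tmp/setuid.now
#   setuid_drift /root/setuid.baseline /var/tmp/setuid.now
```

The baseline itself has to come from a system you trust, which is why the thread's advice to compare against a backup or a fresh install matters: a baseline taken after a compromise would only confirm the compromise.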
 
Old 08-04-2008, 02:43 PM
Adam Hardy
 
chkrootkit infected ports 2881

Adam Hardy on 04/08/08 14:50, wrote:

thveillon.debian on 04/08/08 13:48, wrote:

Adam Hardy on 03/08/08 14:13, wrote:

[...snip]

I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.

Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is
infected.


Adam


Hi,
Chkrootkit is known to fall for quite a few false positives, for
example if you run Portsentry or such anti-portscan daemon, it also can
detect legitimate services like dhcpd or such as sniffers, which isn't
really incorrect but not a problem. I never heard of 2881 as being one
of those, but maybe getting in touch with the dev team could give you
an easy answer.

http://www.chkrootkit.org/

Maybe the only way to know for sure would be scanning all traffic from
another system regarding this port to see if anything suspicious can
be spotted, and maybe running an integrity check with debsums or such
on conf files, comparing the result with a backup from an earlier
state or a known sane system.


What would really be interesting is to spot the precise day when the
warning first occurred from your system logs, and see if you can spot
any change in configuration that could have triggered it (update ?).
That is, if your system really is infected you cannot trust anything
and especially not the logs...



I got that message in the email from early Saturday morning's cronjob.

I have been following instructions on

http://www.cert.org/tech_tips/intruder_detection_checklist.html

and I found that step 2 (look for setuid and setgid files) produces a
file list:


root@hardyaa1:~# find / -xdev -user root -perm -4000 -print
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/sbin/unix_chkpwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/X
/usr/bin/sudo
/usr/bin/gpg
/usr/bin/sudoedit
/usr/bin/netselect
/usr/bin/traceroute.lbl
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/apache/suexec.disabled
/usr/lib/libfakeroot-tcp.so
/usr/lib/libfakeroot-sysv.so

Again, I'm stumbling in the dark here. cert.org doesn't explain what
this list of files signifies, it just implies that I shouldn't see it.


Also, I still have no idea what chkrootkit detected which made it decide
to send an INFECTED alert on that port.


More suspicious stuff has turned up in my investigations. The following is the
nmap output when I run it from the suspect rooted system:


Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
3306/tcp open mysql
12121/tcp open unknown


But when I run nmap from my home machine to scan it remotely, I see these extra
ports are open:


Not shown: 65524 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
1720/tcp filtered H.323/Q.931
3306/tcp open mysql
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
12121/tcp open unknown

So I have 1720, 6666, 6667, 6668 and 6669 open and nmap is ignoring them. Isn't
that conclusive evidence that nmap on the suspected machine is some hacker's
version?



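Adam's two scans can be compared mechanically rather than by eye. The script below is an added example (not from the thread, not from nmap) that parses two nmap outputs and prints each port whose state differs, keeping nmap's own open/closed/filtered wording: a port reported "filtered" from outside but absent from the host's own scan means probes went unanswered somewhere on the path, which is a different finding from a port open remotely but closed locally. The demo embeds the lines Adam posted as its sample input.

```shell
#!/bin/sh
# Added example, not from the thread or from nmap: compare a scan run on the
# host itself with one run from outside and report every port whose state
# differs. nmap states are kept as written (open/closed/filtered); a port the
# scan never listed is shown as "absent" (it fell under nmap's "Not shown: N
# closed ports" summary).
export LC_ALL=C

# scan_diff LOCAL_OUTPUT REMOTE_OUTPUT
# Both arguments are files holding nmap normal output. Only lines shaped like
# "22/tcp open ssh" are parsed; banners and the "Not shown" line are ignored.
scan_diff() {
    awk '
        $1 ~ "^[0-9]+/(tcp|udp)$" {
            if (FILENAME == ARGV[1]) loc[$1] = $2; else rem[$1] = $2
            seen[$1] = 1
        }
        END {
            for (p in seen) {
                l = (p in loc) ? loc[p] : "absent"
                r = (p in rem) ? rem[p] : "absent"
                if (l != r) printf "%s local=%s remote=%s\n", p, l, r
            }
        }' "$1" "$2" | sort -t/ -k1,1n   # numeric order by port number
}

# Demo on the two scans Adam posted, embedded here as constructed sample files.
demo_scan_diff() {
    tmp="$(mktemp -d)"
    cat > "$tmp/local" <<'EOF'
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
3306/tcp open mysql
12121/tcp open unknown
EOF
    cat > "$tmp/remote" <<'EOF'
Not shown: 65524 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
1720/tcp filtered H.323/Q.931
3306/tcp open mysql
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
12121/tcp open unknown
EOF
    scan_diff "$tmp/local" "$tmp/remote"
    rm -rf "$tmp"
}
```

For Adam's data the demo prints five lines, all of the form "local=absent remote=filtered", which is the pattern of something between the scanner and the host dropping probes rather than of a listener on the host; an "open" remotely that is "absent" locally would be the result worth escalating, and the local nmap itself is only as trustworthy as the host it runs on, as the thread already notes about the logs.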
 
