possible LKM rootkit infection

technomage plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 14:48:02 -0700 

according to the "last" command, he logged in as a user on one of my accounts 
and was on for 6 minutes.

I checked elsewhere and found that there had been no other activity (even to 
checking the backups of some of the history files that are made each hour). 

after than, I checked to make sure there weren't any outbound connections to 
his IP range (there weren't). I used a clean box as a sniffer for this. I 
then proceeded to change all system passwords and user account passowrds. 
Then, I loaded clean versions of rpm, etc and proceeded to do a package 
verification. I even did md5 checksum comparisons and sig checking.

I checked with a couple of folks I know in the computer security field (one 
of whom is currently serving duty with the US navy at their fascility in 
southern california (the USN Naval Post Graduate School). Given information 
from him (and others), I made an assumption that the intruder hadn't gotten 
very far into my system, and that since all passwords were changed 
immediately following the incident AND that the offending ip range 
(ns.rotind.ro) was placed in iptables as immediate drop, I saw no other 
incursions until yesterday evening.

what I find odd is that the incursion didn't stick. said "invisible 
processes" that wer recorded before aren't there now.

just as a measure, I also made sure that my system has current patches for 
apache (which I do run a webserver here on port 8000) and I've tested any cgi 
scripts and other things using a tool called nessus.

so far, after the last 12 hours, I can't seem to find any evidence that an 
incursion (intrusion) has taken place other than that 1 log entry written by 
chkrootkit that one time.

so, I'm at a loss. am I trojaned or not?

Technomage

On Wednesday 19 June 2002 12:55 pm, you wrote:
> --- technomage <technomage-hawke@cox.net> wrote:
> > ok,
>
> <snip>
>
> > as a safety measure when I first found an intruder on my system some
> > weeks back, I changed all passwords, ran chattr +ui on some specified
> > directories
>
> <snip>
>
> Hmm.... the fact that you had an intruder is not a good sign.  Even though
> you changed the passwords, etc, there may have already been someting in
> place that passed that info back to the intruder.  Any idea on how long the
> intruder had access to your system?
>
> Personally, I would cut my loses - print (yes print) any config files that
> you want to re-implement, wipe the box and re-install from scratch.
>
> Or
>
> if you have the disk to spare, rebuild the system on a new disk.  Once
> done, mount up the old disk - dont run anything from it - and give it a
> thorough going over - see if you can figure out what was done to compromise
> the system.
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! - Official partner of 2002 FIFA World Cup
> http://fifaworldcup.yahoo.com
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

-- 
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or 
numbered!
My life is my own - No. 6