possible LKM rootkit infection

Blake Barnett plug-discuss@lists.plug.phoenix.az.us
19 Jun 2002 15:06:18 -0700


If you are unwilling to reinstall from scratch then at least replace
your kernel and get fresh binaries for all base components (as much as
/bin and /usr/bin as you can handle).


On Wed, 2002-06-19 at 14:48, technomage wrote:
> according to the "last" command, he logged in as a user on one of my accounts 
> and was on for 6 minutes.
> 
> I checked elsewhere and found that there had been no other activity (even to 
> checking the backups of some of the history files that are made each hour). 
> 
> after that, I checked to make sure there weren't any outbound connections to 
> his IP range (there weren't). I used a clean box as a sniffer for this. I 
> then proceeded to change all system passwords and user account passwords. 
> Then, I loaded clean versions of rpm, etc and proceeded to do a package 
> verification. I even did md5 checksum comparisons and sig checking.
> 
> I checked with a couple of folks I know in the computer security field (one 
> of whom is currently serving duty with the US navy at their facility in 
> southern california (the USN Naval Post Graduate School)). Given information 
> from him (and others), I made an assumption that the intruder hadn't gotten 
> very far into my system, and that since all passwords were changed 
> immediately following the incident AND that the offending ip range 
> (ns.rotind.ro) was placed in iptables as immediate drop, I saw no other 
> incursions until yesterday evening.
> 
> what I find odd is that the incursion didn't stick. said "invisible 
> processes" that were recorded before aren't there now.
> 
> just as a measure, I also made sure that my system has current patches for 
> apache (which I do run a webserver here on port 8000) and I've tested any cgi 
> scripts and other things using a tool called nessus.
> 
> so far, after the last 12 hours, I can't seem to find any evidence that an 
> incursion (intrusion) has taken place other than that 1 log entry written by 
> chkrootkit that one time.
> 
> so, I'm at a loss. am I trojaned or not?
> 
> Technomage
> 
> On Wednesday 19 June 2002 12:55 pm, you wrote:
> > --- technomage <technomage-hawke@cox.net> wrote:
> > > ok,
> >
> > <snip>
> >
> > > as a safety measure when I first found an intruder on my system some
> > > weeks back, I changed all passwords, ran chattr +ui on some specified
> > > directories
> >
> > <snip>
> >
> > Hmm.... the fact that you had an intruder is not a good sign.  Even though
> > you changed the passwords, etc, there may have already been something in
> > place that passed that info back to the intruder.  Any idea on how long the
> > intruder had access to your system?
> >
> > Personally, I would cut my losses - print (yes print) any config files that
> > you want to re-implement, wipe the box and re-install from scratch.
> >
> > Or
> >
> > if you have the disk to spare, rebuild the system on a new disk.  Once
> > done, mount up the old disk - don't run anything from it - and give it a
> > thorough going over - see if you can figure out what was done to compromise
> > the system.
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> -- 
> I will not be pushed, filed, stamped, indexed, briefed, debriefed, or 
> numbered!
> My life is my own - No. 6
-- 
Blake Barnett (bdb)  <blake.barnett@developonline.com>
Sr. Unix Administrator
DevelopOnline.com                 office: 480-377-6816

Learning is a skill, you get better at it with practice.
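The advice in this thread comes down to two things: examine the old disk from a clean system without executing anything on it (comparing its base binaries against clean copies), and look for processes the kernel is hiding from ps. The script below is an added example of both checks; it is not code from the thread or from chkrootkit. It needs sha256sum (GNU coreutils); the device name /dev/sdb1, the mount point /mnt/suspect and the demo tree it builds are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks a responder can run
# on a box suspected of carrying an LKM rootkit, following the advice above:
# examine the old disk without executing anything on it, and look for
# processes that the kernel is hiding. Requires sha256sum (GNU coreutils);
# the device name and mount point below are assumptions.
#
# Check 1, on the rebuilt system with the old disk attached:
#   mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/suspect
#   diff_hashes /bin /mnt/suspect/bin
#   diff_hashes /usr/bin /mnt/suspect/usr/bin
#
# Check 2, on the live (possibly rootkitted) system:
#   hidden_pids "$(ls /proc)" "$(ps -eo pid=)"

# hash_file FILE: print the hex digest of FILE.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# diff_hashes CLEAN_DIR SUSPECT_DIR: for every regular file under
# SUSPECT_DIR, report it if it has no counterpart under CLEAN_DIR or if
# the two digests differ. Files only on the clean side are not reported:
# a fresh install has files the old box never had.
diff_hashes() {
    clean_dir="$1"; suspect_dir="$2"
    ( cd "$suspect_dir" && find . -type f ) | sort | while read -r f; do
        if [ ! -f "$clean_dir/$f" ]; then
            printf 'only on suspect: %s\n' "$f"
        elif [ "$(hash_file "$clean_dir/$f")" != "$(hash_file "$suspect_dir/$f")" ]; then
            printf 'modified: %s\n' "$f"
        fi
    done
}

# hidden_pids PROC_LIST PS_LIST: both arguments are newline-separated PID
# lists; print the PIDs present in PROC_LIST but absent from PS_LIST.
# Non-numeric entries (/proc/self, /proc/sys, a ps header) are ignored.
hidden_pids() {
    tmp=$(mktemp)
    printf '%s\n' "$2" | tr -d ' \t' | grep -E '^[0-9]+$' | sort -u > "$tmp"
    printf '%s\n' "$1" | tr -d ' \t' | grep -E '^[0-9]+$' | sort -u | comm -23 - "$tmp"
    rm -f "$tmp"
}

# make_demo_tree: build a constructed clean/suspect pair under a temp
# directory and print its path, so the script runs stand-alone offline.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/bin" "$root/suspect/bin"
    printf 'original ls\n' > "$root/clean/bin/ls"
    printf 'original ls\n' > "$root/suspect/bin/ls"
    printf 'original ps\n' > "$root/clean/bin/ps"
    printf 'trojaned ps\n' > "$root/suspect/bin/ps"     # replaced binary
    printf 'dropped shell\n' > "$root/suspect/bin/.x"   # attacker's file
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
echo "== files that differ from the clean install (constructed tree) =="
diff_hashes "$demo/clean" "$demo/suspect"
rm -rf "$demo"

echo "== PIDs in /proc but not in ps (constructed lists) =="
hidden_pids "$(printf '1\n2\n4242\n7\nself\nsys\n')" "$(printf '  PID\n    1\n    2\n    7\n')"
```

Two caveats on where these checks stop. Running a clean rpm binary with `rpm -Va` against the suspect disk still trusts that disk's rpm database, which the intruder could have rewritten as root; hashing against a separate clean install, as above, does not depend on it. And a kernel module that hooks the directory-listing system call hides a process from `ls /proc` just as well as from ps, so an empty result from the second check is not a clean bill of health; that is why the thread's advice to rebuild and inspect the old disk offline is the sounder path.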