did that. the processes did disappear. since that point, I have been clean (so to speak). still, I think it's time that I simply installed a newer version of the OS.

Technomage

On Friday 21 June 2002 11:10 pm, you wrote:
> If chkrootkit says there are processes running that ps isn't showing -
> it's probably right. Stop all services that have the possibility of
> spawning child processes quickly (apache etc) and run again. If it
> still shows up, most likely someone has you. The new rootkits are
> getting pretty complex in how they work, and with a trojan kernel module
> nearly anything is possible.
>
> I'd attach a sniffer to log _all_ traffic, possibly using snort to get a
> handle on it if it's a lot.
>
> I worked on a box that was hacked with suckit, one of the better LKM
> trojans. Only real way to fix it was to format/reinstall. RPM wasn't
> showing any problems with the procps (ps, ls etc.) rpm because the LKM
> was intercepting those calls at the kernel level. Took a sniffer and
> several days to figure out it was owned, as the box behaved normally.
> Seems the person was using it as a jumping point, running a scan of
> random netblocks.
>
> You might have some success booting with a rescue dist (tomsbrt works
> good), and looking for some directories that shouldn't be there. suckit
> defaults to something in /dev/ (can't remember where - check phrack..48?)
>
> -dallas
>
> On Wed, 2002-06-19 at 16:15, Matt Alexander wrote:
> > It's possible that those mystery processes only ran one time and covered
> > up their activity afterwards, or maybe they run at some regular interval,
> > who knows. Personally, I would sleep better at night after rebuilding
> > the box. Also, I would recommend that you have different passwords for
> > different sites. You don't want a security hole at one site completely
> > opening your boxes at another site (as was the case with you). It's even
> > better if each box has a different password from all the others.
> > ~M
> >
> > On Wed, 19 Jun 2002, technomage wrote:
> > > according to the "last" command, he logged in as a user on one of my
> > > accounts and was on for 6 minutes.
> > >
> > > I checked elsewhere and found that there had been no other activity
> > > (even to checking the backups of some of the history files that are
> > > made each hour).
> > >
> > > after that, I checked to make sure there weren't any outbound
> > > connections to his IP range (there weren't). I used a clean box as a
> > > sniffer for this. I then proceeded to change all system passwords and
> > > user account passwords. Then, I loaded clean versions of rpm, etc and
> > > proceeded to do a package verification. I even did md5 checksum
> > > comparisons and sig checking.
> > >
> > > I checked with a couple of folks I know in the computer security field
> > > (one of whom is currently serving duty with the US navy at their
> > > facility in southern california (the USN Naval Post Graduate School).
> > > Given information from him (and others), I made an assumption that the
> > > intruder hadn't gotten very far into my system, and that since all
> > > passwords were changed immediately following the incident AND that the
> > > offending ip range (ns.rotind.ro) was placed in iptables as immediate
> > > drop, I saw no other incursions until yesterday evening.
> > >
> > > what I find odd is that the incursion didn't stick. said "invisible
> > > processes" that were recorded before aren't there now.
> > >
> > > just as a measure, I also made sure that my system has current patches
> > > for apache (which I do run a webserver here on port 8000) and I've
> > > tested any cgi scripts and other things using a tool called nessus.
> > >
> > > so far, after the last 12 hours, I can't seem to find any evidence that
> > > an incursion (intrusion) has taken place other than that 1 log entry
> > > written by chkrootkit that one time.
> > >
> > > so, I'm at a loss. am I trojaned or not?
> > >
> > > Technomage
> > >
> > > On Wednesday 19 June 2002 12:55 pm, you wrote:
> > > > --- technomage wrote:
> > > > > ok,
> > > > >
> > > > > as a safety measure when I first found an intruder on my system
> > > > > some weeks back, I changed all passwords, ran chattr +ui on some
> > > > > specified directories
> > > >
> > > > Hmm.... the fact that you had an intruder is not a good sign. Even
> > > > though you changed the passwords, etc, there may have already been
> > > > something in place that passed that info back to the intruder. Any
> > > > idea on how long the intruder had access to your system?
> > > >
> > > > Personally, I would cut my losses - print (yes print) any config files
> > > > that you want to re-implement, wipe the box and re-install from
> > > > scratch.
> > > >
> > > > Or
> > > >
> > > > if you have the disk to spare, rebuild the system on a new disk.
> > > > Once done, mount up the old disk - don't run anything from it - and
> > > > give it a thorough going over - see if you can figure out what was
> > > > done to compromise the system.
> > > >
> > > > ________________________________________________
> > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail
> > > > doesn't post to the list quickly and you use Netscape to write mail.
> > > >
> > > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered!
My life is my own - No. 6
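The chkrootkit finding that started this thread (processes the kernel knows about but ps does not list) and dallas's advice to stop fast-forking services and run the check again can be illustrated with the following added example. It is not chkrootkit's code and not anything posted in the thread; every function name is this example's own, and the live part assumes a Linux /proc and a ps binary on PATH. The comparison itself is a pure function, so it can be exercised on constructed PID sets without a live system.

```python
"""Added example: a hidden-process check in the spirit of chkrootkit's chkproc.

Three views of the process table are compared:
  1. numeric entries under /proc (what readdir shows),
  2. what the ps binary prints (the view a trojaned procps would fake),
  3. what the kernel admits to when every PID is probed with kill(pid, 0).
Any disagreement is a candidate; a second pass weeds out the short-lived
children that make a single snapshot noisy (the race dallas warns about).
"""
import os
import subprocess
from typing import Iterable, Set, Tuple


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """PIDs visible as numeric directories under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def tids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """Thread ids of every visible process. kill(tid, 0) succeeds for a
    thread id too, so these must not be mistaken for hidden processes."""
    tids: Set[int] = set()
    for pid in pids_from_proc(proc_root):
        try:
            tids.update(int(t) for t in os.listdir(f"{proc_root}/{pid}/task"))
        except OSError:
            pass  # the process exited between the two listings
    return tids


def pids_from_ps() -> Set[int]:
    """PIDs as reported by the (possibly trojaned) ps binary."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_by_probe(max_pid: int) -> Set[int]:
    """Ask the kernel directly: kill(pid, 0) raises ESRCH when no such
    process exists and EPERM when it exists but belongs to someone else."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, just not ours to signal
        found.add(pid)
    return found


def hidden_pids(proc_pids: Iterable[int], ps_pids: Iterable[int],
                probed_pids: Iterable[int],
                known_tids: Iterable[int] = ()) -> Tuple[Set[int], Set[int]]:
    """Pure comparison shared by the live check and the offline test.
    Returns (PIDs present in /proc that ps omits,
             PIDs that answer a probe but are absent from /proc and are not
             thread ids)."""
    proc, ps, probed, tids = map(set, (proc_pids, ps_pids, probed_pids, known_tids))
    return proc - ps, probed - proc - tids


def stable_across_passes(first: Tuple[Set[int], Set[int]],
                         second: Tuple[Set[int], Set[int]]) -> Tuple[Set[int], Set[int]]:
    """A child that forked and exited between snapshots shows up in one pass
    only; keep just the PIDs flagged in both passes."""
    return first[0] & second[0], first[1] & second[1]


def live_check() -> Tuple[Set[int], Set[int]]:
    """Two full passes on the running system (Linux only)."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    passes = []
    for _ in range(2):
        proc = pids_from_proc()
        tids = tids_from_proc()
        passes.append(hidden_pids(proc, pids_from_ps(), pids_by_probe(max_pid), tids))
    return stable_across_passes(passes[0], passes[1])


if __name__ == "__main__":
    ps_missing, proc_missing = live_check()
    print("in /proc but not in ps output:", sorted(ps_missing) or "none")
    print("answer kill(0) but absent from /proc:", sorted(proc_missing) or "none")
```

Run it as root so the probe is not limited by EPERM noise, and, as dallas says, with apache and other forking daemons stopped. A PID that survives both passes in the second set is exactly the "invisible process" chkrootkit reported. The comparison only works while some view is still honest: a kernel module that filters both /proc and the kill() path leaves nothing to compare, which is why the thread's advice to examine the disk from a rescue boot and then reinstall is the right endpoint, not this script.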