syslogd problem

Author: Craig White
Date:  
Subject: syslogd problem
On Fri, 2004-01-02 at 12:34, Daniel McAferty wrote:
> I'm starting to get really nervous now.
> I downloaded the chkrootkit program you suggested earlier,
> and it looks like I may have some problems with infected
> files and "possible rootkits" installed.
>
> When I ran "chkrootkit -q" I got the following:
> Checking `ifconfig'... INFECTED
> Checking `login'... INFECTED
> Checking `pstree'... INFECTED
> /etc/ld.so.hash
> Possible t0rn v8 \(or variation\) rootkit installed
>
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/NKF/.packlist
> /usr/lib/qt-3.0.5/etc/settings/.qtrc.lock
> /usr/lib/openoffice/share/gnome/net/.directory
> /usr/lib/openoffice/share/gnome/net/.order
> /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.directory
> /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.order
>
> Warning: Possible Showtee Rootkit installed
>  /usr/include/file.h /usr/include/proc.h
> Possible ShKit rootkit installed
> You have     2 process hidden for ps command
> Warning: Possible LKM Trojan installed
> eth0: PF_PACKET(/usr/sbin/arpwatch)
>
> ----------------- end of chkrootkit results-----------
> Now what do I do to fix or verify?
>
> This could explain another problem I have been having with
> telnet. (Can't get a login prompt)

----
time to take it down (offline) and torch it

Don't know what you are doing with the system and cannot tell you how it
got rooted but it sure looks like it's been rooted. Probably the easiest
way to handle it is to disconnect it from all networks, buy a new hard
drive, connect it to the primary master and install Linux on it. After
install, connect the original hard drive to first controller slave / or
on the second controller (slave or master - I would presume the CD is on
this controller)

Then you can create mount locations for the old hard drive and mount the
old hard drive and copy data only (configs are probably ok if you check
them first). For example...

old hard drive df looks something like this...
/dev/sda8              2063504    238104   1720580  13% /
/dev/sda3              8254272    460952   7374024   6% /var
/dev/sda9             46829928    201708  44249400   1% /home


so my root partition was on /dev/sda8 and so I would then...
mkdir /old
mkdir /home/old
mkdir /var/old
mount -t ext3 /dev/sda8 /old
mount -t ext3 /dev/sda3 /var/old
mount -t ext3 /dev/sda9 /home/old

so I could copy off the old data (from /home/old), mail (from
/var/old/spool/mail) and configs (from /old/etc/)

After you get what you want off your old hard drive, you should umount
the mounts and torch it (remove all the partitions) - there is way too
much on that drive that you simply cannot trust.
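As an added illustration of the recovery steps above (example script, not part of Craig's mail), this POSIX shell turns a df listing of the old drive into the mount and umount commands, with every old partition attached read-only and noexec,nosuid,nodev so nothing on the compromised drive can execute, gain setuid privileges or expose device nodes while data is copied off. The df listing and the /old, /var/old, /home/old layout are constructed to match the mail; the partition-to-directory mapping is an assumption.

```shell
#!/bin/sh
# Constructed df listing modelled on the one in the mail; not from a real system.
OLD_DF='/dev/sda8              2063504    238104   1720580  13% /
/dev/sda3              8254272    460952   7374024   6% /var
/dev/sda9             46829928    201708  44249400   1% /home'

# Where a partition the old system mounted at $1 is attached on the new one,
# using the same layout as the mail: / -> /old, /var -> /var/old, /home -> /home/old.
old_mountpoint() {
    case "$1" in
        /) printf '/old\n' ;;
        *) printf '%s/old\n' "$1" ;;
    esac
}

# Read df-style lines on stdin and print the mkdir/mount commands for each one.
# The old drive is untrusted, so it is mounted read-only with noexec,nosuid,nodev:
# nothing on it can run or gain privileges while files are copied off, and the
# evidence on it is left unmodified.
plan_mounts() {
    while read -r dev _ _ _ _ mnt; do
        [ -n "$dev" ] || continue
        target=$(old_mountpoint "$mnt")
        printf 'mkdir -p %s\n' "$target"
        printf 'mount -t ext3 -o ro,noexec,nosuid,nodev %s %s\n' "$dev" "$target"
    done
}

# Read the same df-style lines and print the matching umount commands, deepest
# mount point first (a nested mount must go before its parent), for the teardown
# step before the old drive is repartitioned.
plan_umounts() {
    while read -r _ _ _ _ _ mnt; do
        if [ -n "$mnt" ]; then old_mountpoint "$mnt"; fi
    done | awk '{ print length($0), $0 }' | sort -rn | cut -d' ' -f2- \
        | while read -r target; do printf 'umount %s\n' "$target"; done
}

# Demonstration on the constructed listing: review the output, then run it as root.
printf '%s\n' "$OLD_DF" | plan_mounts
printf '%s\n' "$OLD_DF" | plan_umounts
```

Feed it the real df output saved from the old system before the rebuild, and check the generated commands before running them.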

Of course, unless you change what you are doing, you are likely to get
rooted again. Either you weren't keeping things up to date, exposing
services that shouldn't be exposed or have no consistent plan to set up
and maintain a firewall. Since your question posed a problem with telnet
getting a login prompt, that would be the first thing to go - telnet
server isn't installed by default on any Red Hat system for years
because it is insecure and sshd is included, installed by default and
the only thing to use.

Good luck,

Craig