possible LKM rootkit infection

Matt Alexander plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 15:15:24 -0700 (PDT)


It's possible that those mystery processes only ran one time and covered
up their activity afterwards, or maybe they run at some regular interval,
who knows.  Personally, I would sleep better at night after rebuilding the
box.  Also, I would recommend that you have different passwords for
different sites.  You don't want a security hole at one site completely
opening your boxes at another site (as was the case with you).  It's even
better if each box has a different password from all the others.
~M


On Wed, 19 Jun 2002, technomage wrote:

> according to the "last" command, he logged in as a user on one of my accounts
> and was on for 6 minutes.
>
> I checked elsewhere and found that there had been no other activity (even to
> checking the backups of some of the history files that are made each hour).
>
> after that, I checked to make sure there weren't any outbound connections to
> his IP range (there weren't). I used a clean box as a sniffer for this. I
> then proceeded to change all system passwords and user account passwords.
> Then, I loaded clean versions of rpm, etc and proceeded to do a package
> verification. I even did md5 checksum comparisons and sig checking.
>
> I checked with a couple of folks I know in the computer security field (one
> of whom is currently serving duty with the US navy at their facility in
> southern california (the USN Naval Post Graduate School)). Given information
> from him (and others), I made an assumption that the intruder hadn't gotten
> very far into my system, and that since all passwords were changed
> immediately following the incident AND that the offending ip range
> (ns.rotind.ro) was placed in iptables as immediate drop, I saw no other
> incursions until yesterday evening.
>
> what I find odd is that the incursion didn't stick. said "invisible
> processes" that were recorded before aren't there now.
>
> just as a measure, I also made sure that my system has current patches for
> apache (which I do run a webserver here on port 8000) and I've tested any cgi
> scripts and other things using a tool called nessus.
>
> so far, after the last 12 hours, I can't seem to find any evidence that an
> incursion (intrusion) has taken place other than that 1 log entry written by
> chkrootkit that one time.
>
> so, I'm at a loss. am I trojaned or not?
>
> Technomage
>
> On Wednesday 19 June 2002 12:55 pm, you wrote:
> > --- technomage <technomage-hawke@cox.net> wrote:
> > > ok,
> >
> > <snip>
> >
> > > as a safety measure when I first found an intruder on my system some
> > > weeks back, I changed all passwords, ran chattr +ui on some specified
> > > directories
> >
> > <snip>
> >
> > Hmm.... the fact that you had an intruder is not a good sign.  Even though
> > you changed the passwords, etc, there may have already been something in
> > place that passed that info back to the intruder.  Any idea on how long the
> > intruder had access to your system?
> >
> > Personally, I would cut my losses - print (yes print) any config files that
> > you want to re-implement, wipe the box and re-install from scratch.
> >
> > Or
> >
> > if you have the disk to spare, rebuild the system on a new disk.  Once
> > done, mount up the old disk - don't run anything from it - and give it a
> > thorough going over - see if you can figure out what was done to compromise
> > the system.
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
> numbered!
> My life is my own - No. 6
>
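Added example, not part of the thread: the "invisible processes" chkrootkit logged come from a cross-view check, comparing the PIDs the kernel exposes under /proc with what ps reports. This POSIX shell version assumes a Linux /proc and a ps that accepts `-e -o pid=`; the sample PID lists are constructed.

```shell
#!/bin/sh
# Cross-view process check: a PID visible in /proc but missing from the
# ps listing (or the reverse) is a candidate for having been hidden by a
# kernel-level (LKM) rootkit that filters one of the two views.

# Pure function: prints the PIDs present in the first newline-separated
# list but absent from the second, sorted numerically. Leading spaces
# (as printed by ps) and non-numeric lines are ignored.
pids_only_in_first() {
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } |
    awk '$1 == "---"        { second = 1; next }
         $1 !~ /^[0-9]+$/   { next }
         second             { seen[$1] = 1; next }
                            { first[$1] = 1 }
         END { for (p in first) if (!(p in seen)) print p }' | sort -n
}

# Live collectors: the kernel's view (/proc) and the userland view (ps).
proc_pids() { ls /proc | grep -E '^[0-9]+$'; }
ps_pids()   { ps -e -o pid=; }

# Report PIDs that /proc knows about but ps does not. Processes that start
# or exit between the two snapshots show up as false positives, so rerun
# and only trust PIDs that persist. Note the limit of this check: a module
# that hides a PID from /proc as well as from ps is not caught here;
# chkrootkit's chkproc additionally probes PIDs directly for that reason.
check_hidden_now() {
    pids_only_in_first "$(proc_pids)" "$(ps_pids)"
}

# Constructed sample snapshots: PID 1337 exists in /proc but ps omits it.
SAMPLE_PROC='1
2
742
1337
2048'
SAMPLE_PS='    1
    2
  742
 2048'

# Run the live check only where the assumptions hold.
if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    check_hidden_now
fi
```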