possible LKM rootkit infection

Bill Nash plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 08:25:26 +0000 (UTC)


Have you considered structuring your partitions appropriately so things
*can't* be replaced? An example would be mounting lib and binaries trees
in read-only form, and requiring maintenance windows at the console to
update them. Proper kernel restrictions like not allowing the use of mount
under normal running conditions would cut down on rootkit implants under
standard kiddie attempts.

- billn

On Wed, 19 Jun 2002, technomage wrote:

> according to the "last" command, he logged in as a user on one of my accounts
> and was on for 6 minutes.
>
> I checked elsewhere and found that there had been no other activity (even to
> checking the backups of some of the history files that are made each hour).
>
> after that, I checked to make sure there weren't any outbound connections to
> his IP range (there weren't). I used a clean box as a sniffer for this. I
> then proceeded to change all system passwords and user account passwords.
> Then, I loaded clean versions of rpm, etc and proceeded to do a package
> verification. I even did md5 checksum comparisons and sig checking.
>
> I checked with a couple of folks I know in the computer security field (one
> of whom is currently serving duty with the US Navy at their facility in
> southern California (the USN Naval Post Graduate School)). Given information
> from him (and others), I made an assumption that the intruder hadn't gotten
> very far into my system, and that since all passwords were changed
> immediately following the incident AND that the offending ip range
> (ns.rotind.ro) was placed in iptables as immediate drop, I saw no other
> incursions until yesterday evening.
>
> what I find odd is that the incursion didn't stick. said "invisible
> processes" that were recorded before aren't there now.
>
> just as a measure, I also made sure that my system has current patches for
> apache (which I do run a webserver here on port 8000) and I've tested any cgi
> scripts and other things using a tool called nessus.
>
> so far, after the last 12 hours, I can't seem to find any evidence that an
> incursion (intrusion) has taken place other than that 1 log entry written by
> chkrootkit that one time.
>
> so, I'm at a loss. am I trojaned or not?
>
> Technomage
>
> On Wednesday 19 June 2002 12:55 pm, you wrote:
> > --- technomage <technomage-hawke@cox.net> wrote:
> > > ok,
> >
> > <snip>
> >
> > > as a safety measure when I first found an intruder on my system some
> > > weeks back, I changed all passwords, ran chattr +ui on some specified
> > > directories
> >
> > <snip>
> >
> > Hmm.... the fact that you had an intruder is not a good sign.  Even though
> > you changed the passwords, etc, there may have already been something in
> > place that passed that info back to the intruder.  Any idea on how long the
> > intruder had access to your system?
> >
> > Personally, I would cut my losses - print (yes print) any config files that
> > you want to re-implement, wipe the box and re-install from scratch.
> >
> > Or
> >
> > if you have the disk to spare, rebuild the system on a new disk.  Once
> > done, mount up the old disk - don't run anything from it - and give it a
> > thorough going over - see if you can figure out what was done to compromise
> > the system.
> >
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
> numbered!
> My life is my own - No. 6
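Bill's suggestion at the top of this message, keeping the library and binary trees on read-only mounts so an implant cannot overwrite them, is only worth something if the mounts actually stay read-only; the check below walks a mount table in /proc/mounts format and reports any protected tree that is mounted rw. This is an added example, not code from anyone on the list; PROTECTED, mount_state, rw_protected and the sample mount table are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the list thread. Reports protected trees that
# are not mounted read-only, given a mount table in /proc/mounts format.
# PROTECTED, mount_state, rw_protected and SAMPLE_MOUNTS are constructed.

# Trees that should be read-only outside a console maintenance window.
PROTECTED="/usr /lib /sbin /bin"

# Constructed sample table (fields: device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda3 /var ext3 rw,nosuid,nodev 0 0
/dev/sda4 /lib ext3 rw 0 0
proc /proc proc rw 0 0'

# mount_state TABLE PATH: prints ro, rw or none for the longest mount point
# that contains PATH, which is how the kernel resolves the path itself.
# Only an exact "ro" option counts; "errors=remount-ro" on / does not.
mount_state() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == "/" || $2 == p || index(p, $2 "/") == 1 {
            if (length($2) > length(best)) { best = $2; opts = $4 }
        }
        END {
            if (best == "") { print "none"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") { print "ro"; exit }
            print "rw"
        }'
}

# rw_protected TABLE: one "<path> <state>" line per protected tree that is
# not read-only; prints nothing when every protected tree is ro.
rw_protected() {
    for d in $PROTECTED; do
        st=$(mount_state "$1" "$d")
        [ "$st" = "ro" ] || printf '%s %s\n' "$d" "$st"
    done
}

# Against the live system: rw_protected "$(cat /proc/mounts)"
rw_protected "$SAMPLE_MOUNTS"
```

On the sample table /usr passes, while /lib has its own rw mount and /sbin and /bin fall through to the rw root filesystem, so all three are reported.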