[TriLUG] Suspicious behavior: have I been hacked?

Scott Morris scmorris at ifndef.com
Sun Feb 23 22:46:01 EST 2003


http://www.chkrootkit.org/

A good thing to have in your toolbox.


Scott Morris		scmorris at ifndef.com
Cleverly Disguised As A Responsible Adult.
pub  1024D/146D0BC9 2000-11-29 scmorris
Key fingerprint = 5348 7697 85AA 2117 8E7C  9A13 26BA C4FF 146D 0BC9

On Sun, 23 Feb 2003, Andrew Perrin wrote:

> I use debian, not redhat, so I can't use the .rpm advice. I checked most
> of the important binaries (top, ps, ls, bash) with an off-net debian
> machine of the same generation and found no differences in date or
> size.  netstat shows nothing very interesting either.
>
> ap
>
> ----------------------------------------------------------------------
> Andrew J Perrin - http://www.unc.edu/~aperrin
> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
>
>
> On Sun, 23 Feb 2003, Chris Hedemark wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Also a lot of rootkits are not smart enough to cover their tracks in
> > the rpm database, so you can use rpm to compare what it thinks should
> > be there with what is really there.
> >
> > On Sunday, February 23, 2003, at 10:08 PM, Jon Carnes wrote:
> >
> > > boot with a rescue disk and check out your system.  In particular look
> > > at the dates on your library files and on key binaries like top, ls, ps,
> > > netstat, etc...  If you have another system running the same distro you
> > > can check your binaries against those.
> > >
> > > Using an unhacked netstat is a good way to find out if you've started to
> > > send/receive on ports that you shouldn't.
> > >
> > > This job is much easier if you have a back-up to compare with.
> > > Personally I use an unmounted partition with a copy of my etc and my
> > > /bin, /sbin, /usr/bin, /usr/sbin, and /lib directories.  I can mount the
> > > partition read-only and run an automated checkup on my system using
> > > scripts and binaries located on the partition.
> > >
> > > Good Luck - Jon Carnes
> > >
> > > On Sun, 2003-02-23 at 21:48, Andrew Perrin wrote:
> > >> I came upstairs after a weekend mostly away from my computer to find it in
> > >> a nearly-hung state. Load (by top) was >10, and there were numerous
> > >> /USR/SBIN/CRON entries which, from the logs, look like they were trying to
> > >> run exim sessions:
> > >>
> > >> Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
> > >> Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
> > >>
> > >>
> > >> (etc., etc.)
> > >>
> > >> The other thing in the ps listing were several (three I think) instances
> > >> of:
> > >>
> > >> modprobe -s -k -- net-pf-10
> > >>
> > >> I do not have such a module, either loaded or available on the disk.
> > >>
> > >> What's particularly worrisome is that this machine is behind another
> > >> machine running NAT, so it has only a private (192.168.0.x) address. The
> > >> NAT machine has nothing particularly suspicious about it. last commands on
> > >> both machines show only me logging in.
> > >>
> > >> I would be a happier person if someone could provide a non-suspicious
> > >> explanation for this.
> > >>
> > >>
> > >> Thanks.
> > >>
> > >> ----------------------------------------------------------------------
> > >> Andrew J Perrin - http://www.unc.edu/~aperrin
> > >> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> > >> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
> > >>
> > >>
> > >> _______________________________________________
> > >> TriLUG mailing list
> > >>     http://www.trilug.org/mailman/listinfo/trilug
> > >> TriLUG Organizational FAQ:
> > >>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> > >
> >
> > Chris Hedemark
> > PGP/GnuPG Public Key at http://yonderway.com/chris/hedemark.gpg
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (Darwin)
> >
> > iD8DBQE+WY/0YPuF4Zq9lvYRAlaHAKDbXzFt41zNf/PwXRfxwRVzwfQ7MwCfSv3u
> > kQY1+gON2bjUQWsjxDBRWf0=
> > =Jvbh
> > -----END PGP SIGNATURE-----
> >
>
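The baseline comparison Jon Carnes describes above (a read-only partition holding copies of /bin, /sbin, /usr/bin, /usr/sbin and /lib, checked by scripts that live on that partition), written out as an added example. This script is not from the thread or from any of the posters. It assumes the known-good copy is mounted somewhere you pass as the first argument (the /mnt/good in the usage line is an assumption), that GNU find, sha256sum, comm and join are available, and it compares content hashes rather than the dates and sizes the thread mentions. The demo function builds a constructed pair of small trees so the whole thing runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread): compare the live /bin, /sbin,
# /usr/bin, /usr/sbin and /lib against a known-good copy kept on a read-only
# partition or rescue media, as Jon Carnes describes. All paths are
# assumptions. Run it from a rescue disk, or at least with the trusted copy's
# bin directories first in PATH, because a rootkit may have replaced the live
# find/sha256sum/awk that this script would otherwise execute.
export LC_ALL=C   # fixed collation so sort, comm and join agree on ordering

# hash_tree ROOT DIR: print "hash  ./DIR/file" for every regular file below
# ROOT/DIR, sorted by path. Stdin is closed so an empty tree cannot block.
hash_tree() {
    (cd "$1" && find "./$2" -type f -exec sha256sum {} + </dev/null 2>/dev/null) | sort -k 2
}

# compare_tree GOOD_ROOT LIVE_ROOT DIR...: report each file that is MISSING
# from the live system, EXTRA (absent from the good copy) or MODIFIED (hash
# differs). Returns 0 when every tree matches, 1 when any difference is found.
compare_tree() {
    good=$1; live=$2; shift 2
    tmp=$(mktemp -d) || return 2
    found=0
    for d in "$@"; do
        hash_tree "$good" "$d" > "$tmp/good"
        hash_tree "$live" "$d" > "$tmp/live"
        awk '{print $2}' "$tmp/good" > "$tmp/good.paths"
        awk '{print $2}' "$tmp/live" > "$tmp/live.paths"
        {
            comm -23 "$tmp/good.paths" "$tmp/live.paths" | sed 's/^/MISSING /'
            comm -13 "$tmp/good.paths" "$tmp/live.paths" | sed 's/^/EXTRA /'
            # join on the path field; output columns: path good_hash live_hash
            join -j 2 "$tmp/good" "$tmp/live" | awk '$2 != $3 {print "MODIFIED", $1}'
        } > "$tmp/report"
        if [ -s "$tmp/report" ]; then
            found=1
            cat "$tmp/report"
        fi
    done
    rm -rf "$tmp"
    return $found
}

# demo: build a constructed good copy and a live tree in which ps has been
# replaced, netstat removed and a hidden file dropped into sbin, then compare.
demo() {
    root=$(mktemp -d) || return 2
    for t in good live; do
        mkdir -p "$root/$t/bin" "$root/$t/sbin" "$root/$t/lib"
        printf 'ELF-ps-original\n'  > "$root/$t/bin/ps"
        printf 'ELF-ls-original\n'  > "$root/$t/bin/ls"
        printf 'ELF-netstat\n'      > "$root/$t/bin/netstat"
        printf 'libc-original\n'    > "$root/$t/lib/libc.so.6"
    done
    printf 'ELF-ps-trojaned\n' > "$root/live/bin/ps"   # replaced binary
    printf 'sniffer\n'         > "$root/live/sbin/.x"  # file the good copy never had
    rm -f "$root/live/bin/netstat"                     # binary deleted from the live system
    compare_tree "$root/good" "$root/live" bin sbin lib
    status=$?
    rm -rf "$root"
    return $status
}

case "${1:-}" in
    demo) demo ;;                # sh check_tree.sh demo
    "")   : ;;                   # no arguments: only define the functions
    *)    compare_tree "$@" ;;   # sh check_tree.sh /mnt/good / bin sbin usr/bin usr/sbin lib
esac
```

Hashes rather than dates and sizes are the point: a replaced binary can be padded to the original size and given the original timestamp with `touch -r`, so the "no differences in date or size" check above is weaker than it looks. The script is only as trustworthy as the tools it runs, which is why it belongs on the read-only partition or a rescue disk together with its own copies of find, awk and sha256sum. On an RPM system `rpm -Va` performs the same comparison against the package database, as Chris notes; on Debian the debsums package does the equivalent against the packages' MD5 lists, with the same caveat that a kit clever enough to edit those lists defeats it.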