Yep, it definitely looks like you're hacked with those ports open unless
you've installed something that uses them. I'd look into those hidden
processes also, but I know there's a problem with procfs or something
that causes some hidden PIDs 2-5 or something.
check out http://www.soohrt.org/stuff/linux/suckit/ if in doubt.
Eric
Johannes Graumann wrote:
Hello,
As of this morning two of my machines - which are regularly contacted
through ssh from each other - showed this message upon 'chkrootkit':
Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
Checking 'lkm'... You have 4 processes hidden for ps command
The latter happened to me before and I had gotten info on how this check
doesn't work from this newsgroup ... but the former never showed up
before.
'nmap' to those ports gives me:
PORT STATE SERVICE
1524/tcp filtered ingreslock
31337/tcp filtered Elite
Checksecurity reports this:
Security Violations for su
=-=-=-=-=-=-=-=-=-=-=-=-=-
Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody
'tiger' also reports - while performing signature check of system
binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
and /usr/bin/inetd do not match. This cannot be confirmed by aide
(cd-burned database, unsafe binary) or debsums (unsafe binary).
Am I hacked? What else can I do to investigate the situation further?
Thanks, Joh
--
Eric Nelson <[EMAIL PROTECTED]> http://www.megahosted.com/~en/
GPG-key: C4AB5707 Fingerprint: 9E50 D5C2 2B02 A944 1A28 5CA5 366A 0294 C4AB 5707
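Added example, not code from either poster and not chkrootkit's own: a small Python script that re-checks the two chkrootkit findings in the thread from the local machine. nmap reporting the ports as "filtered" only means the probe got no answer (a firewall rule gives the same result), so the decisive test for 'bindshell' is whether /proc/net/tcp shows a socket in LISTEN state on 1524 or 31337. For the 'lkm' test it does what chkrootkit does (compare the PIDs in /proc against ps output), but takes several snapshots and keeps only PIDs hidden in every one, so a process that merely exited between the two listings does not count. The function names and the sample /proc/net/tcp content are constructed for this example.

```python
#!/usr/bin/env python3
"""Re-check chkrootkit's 'bindshell' and 'lkm' findings by hand on Linux.

Added example; not chkrootkit's code. Function names and the sample
/proc/net/tcp lines below are constructed for illustration.
"""
import os
import subprocess

# Ports chkrootkit's 'bindshell' test flagged in the thread.
SUSPECT_PORTS = {1524, 31337}

# Constructed sample of /proc/net/tcp: an sshd listener (port 0x16 = 22),
# one established ssh session, and LISTEN sockets on 0x7A69 = 31337 and
# 0x05F4 = 1524.  Column 'st' == 0A means TCP_LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1010 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 2020 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3030 1 0000000000000000 100 0 0 10 0
   3: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4040 1 0000000000000000 100 0 0 10 0
"""


def listening_ports(proc_net_tcp):
    """Return {port: inode} for every socket in LISTEN state (st == '0A').

    local_address is 'HEXIP:HEXPORT'; the port is the hex after the colon.
    The inode lets you find the owning process via /proc/*/fd afterwards.
    """
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], fields[9]
        if state == "0A":
            listeners[int(local.split(":")[1], 16)] = int(inode)
    return listeners


def suspect_listeners(proc_net_tcp, suspect=SUSPECT_PORTS):
    """Ports from the bindshell list that really have a local LISTEN socket."""
    return sorted(p for p in listening_ports(proc_net_tcp) if p in suspect)


def hidden_pids(proc_pids, ps_pids):
    """The 'lkm' test: PIDs present in /proc but absent from ps output.

    A single comparison is racy: a short-lived process can exit between
    the two listings, which is the known source of false positives.
    """
    return set(proc_pids) - set(ps_pids)


def persistently_hidden(snapshots):
    """Intersect several (proc_pids, ps_pids) snapshots.

    A PID hidden in only one snapshot is a race and drops out; a PID hidden
    in every snapshot is worth a close look (/proc/<pid>/exe, cmdline, fd).
    """
    result = None
    for proc_pids, ps_pids in snapshots:
        h = hidden_pids(proc_pids, ps_pids)
        result = h if result is None else result & h
    return result or set()


def live_snapshot():
    """Read /proc and ps once (Linux only)."""
    proc_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    ps_pids = {int(t) for t in out.split()}
    return proc_pids, ps_pids


if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        print("bindshell ports actually listening:", suspect_listeners(f.read()))
    snaps = [live_snapshot() for _ in range(3)]
    print("PIDs hidden from ps in every snapshot:",
          sorted(persistently_hidden(snaps)))
```

Run it as root on the affected host; if a port from the list is really listening, the inode from `listening_ports` can be matched against the `socket:[inode]` links under `/proc/*/fd` to find the process holding it. Remember that on a host with a suspected kernel rootkit the ps binary and /proc itself may be lying, so a clean result here is only one data point, not a verdict.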