On Tue, 3 Feb 2004 09:55:04 +1300 (NZDT) "TiM" <[EMAIL PROTECTED]> wrote:
>
> > Hello,
> >
> > As of this morning two of my machines - which are regularly
> > contacted through ssh from each other - showed this message upon
> > 'chkrootkit':
> >> Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
> >> Checking 'lkm'... You have 4 processes hidden for ps command
> > The latter happened to me before and I had gotten info on how this
> > check doesn't work from this newsgroup ... but the former never
> > showed up before.
> >
> > 'nmap' to those ports gives me:
> >> PORT      STATE    SERVICE
> >> 1524/tcp  filtered ingreslock
> >> 31337/tcp filtered Elite
> >
> > Checksecurity reports this:
> >
> >> Security Violations for su
> >> =-=-=-=-=-=-=-=-=-=-=-=-=-
> >> Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody
> >
> > 'tiger' also reports - while performing signature check of system
> > binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at,
> > /usr/bin/write and /usr/bin/inetd do not match. This can not be
> > confirmed by aide (CD-burned database, unsafe binary) or debsums
> > (unsafe binary).
> >
> > Am I hacked? What else can I do to investigate the situation
> > further?
>
> Yes, I'm afraid you are. Hard to say at this time exactly how you
> were hacked, but it doesn't look good I'm afraid! What kernel version
> are you running? Was it patched against the two recent local root
> exploits?

I'm running a Debian 2.4.24-1-k7 stock kernel on the testing/unstable
system and 2.4.18-1-k7 stock kernel on the affected stable system. I
don't know what exploits you are referring to and whether the Debian
team took care of them.

Joh
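The thread turns on a practical problem: tiger says several system binaries no longer match their signatures, but the tools that could confirm it (aide, debsums) are themselves binaries on the suspect host, so their verdict is worthless. The following POSIX shell script is an added example, not code from the thread or from any of the tools mentioned. It shows the defender-side workflow that sidesteps that problem: build a SHA-256 manifest of the binaries on a known-good system, keep it (and a trusted copy of the hashing tool) on read-only media, and re-check the suspect host against it. The file names, the manifest layout and the sample tree it builds under mktemp are all constructed for the demo; the hashes are computed at run time, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the thread): offline integrity check of system
# binaries against a manifest produced on a known-good host. The manifest and
# the sha256sum binary are assumed to come from trusted read-only media, since
# on a compromised host neither md5sum nor debsums nor aide can be believed.

# hash_file PATH -> prints the SHA-256 digest of PATH.
# Uses coreutils sha256sum, falling back to shasum where it is missing.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest OUTFILE FILE... -> writes "<sha256>  <path>" lines, the same
# layout sha256sum itself emits, so the manifest can also be fed to
# `sha256sum -c` from rescue media later.
make_manifest() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# verify_manifest MANIFEST -> prints one OK / MISMATCH / MISSING line per entry.
# Returns 0 only when every listed file is present and its hash matches.
verify_manifest() {
    bad=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        actual=$(hash_file "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            bad=$((bad + 1))
        fi
    done < "$manifest_file"
    [ "$bad" -eq 0 ]
}
# Wrapper so the manifest path is a positional argument rather than a global.
verify_manifest_at() {
    manifest_file="$1"
    verify_manifest
}

# demo: build a constructed "known-good" tree, record it, then simulate a
# replaced binary and a deleted one, and show what the re-check reports.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'stand-in for /bin/ping\n' > "$tmp/bin/ping"        # constructed
    printf 'stand-in for /usr/bin/at\n' > "$tmp/bin/at"        # constructed
    make_manifest "$tmp/manifest.sha256" "$tmp/bin/ping" "$tmp/bin/at"

    echo "--- clean tree ---"
    verify_manifest_at "$tmp/manifest.sha256"

    printf 'extra bytes appended\n' >> "$tmp/bin/ping"         # simulate replacement
    rm -f "$tmp/bin/at"                                        # simulate removal
    echo "--- after tampering ---"
    verify_manifest_at "$tmp/manifest.sha256" || echo "integrity check FAILED"
    rm -rf "$tmp"
}

demo
```

Run `make_manifest` right after installation (or on an identical clean machine) and move the manifest off the host; when a scanner like tiger raises doubts, boot rescue media or mount the disk read-only elsewhere and run the check from there. That keeps the comparison independent of anything an intruder could have replaced on the suspect system, which is exactly the gap the poster hits when aide and debsums are flagged as "unsafe binary".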