Adam Hardy on 04/08/08 14:50, wrote:
thveillon.debian on 04/08/08 13:48, wrote:
Adam Hardy on 03/08/08 14:13, wrote:
[...snip]
I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.
Is it worth re-imaging my system and re-installing everything?
I still have no idea what chkrootkit means when it says a port is
infected.
Adam
Hi,
Chkrootkit is known to fall for quite a few false positive, for
example if you run Portsentry or such anti-portscan demon, it also can
detect legitimate services like dhcpd or such as sniffers, which isn't
really incorrect but not a problem. I never heard of 2881 as being one
of those, but maybe getting in touch with the dev team could give you
an easy answer.
http://www.chkrootkit.org/
Maybe the only way to know for sure would be scanning all traffic from
another system regarding this port to see if anything suspicious can
be spotted, and maybe running an integrity check with debsum or such
on conf files, comparing the result with a backup from an earlier
state or a known sane system.
What would really be interesting is to spot the precise day when the
warning first occurred from your system logs, and see if you can spot
any change in configuration that could have triggered it (update ?).
That is, if your system really is infected you cannot trust anything
and especially not the logs...
I got that message in the email from early Saturday morning's cronjob.
I have been following instructions on
http://www.cert.org/tech_tips/intruder_detection_checklist.html
and I found that step 2 (look for setuid and setgid files) produces a
file list:
[EMAIL PROTECTED]:~# find / -xdev -user root -perm -4000 -print
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/sbin/unix_chkpwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/X
/usr/bin/sudo
/usr/bin/gpg
/usr/bin/sudoedit
/usr/bin/netselect
/usr/bin/traceroute.lbl
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/apache/suexec.disabled
/usr/lib/libfakeroot-tcp.so
/usr/lib/libfakeroot-sysv.so
Again, I'm stumbling in the dark here. cert.org doesn't explain what
this list of files signifies, it just implies that I shouldn't see it.
Also, I still have no idea what chkrootkit detected which made it decide
to send an INFECTED alert on that port.
More suspicious stuff has turned up in my investigations. The following is the
nmap output when I run it from the suspect rooted system:
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
3306/tcp open mysql
12121/tcp open unknown
But when I run nmap from my home machine to scan it remotely, I see these extra
ports are open:
Not shown: 65524 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
1720/tcp filtered H.323/Q.931
3306/tcp open mysql
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
12121/tcp open unknown
So I have 1720, 6666, 6667, 6668 and 6669 open and nmap is ignoring them. Isn't
that conclusive evidence that nmap on the suspected machine is some hacker's
version?
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
