Wackojacko on 16/08/08 13:02, wrote:
> Ron Johnson wrote:
>> On 08/16/08 06:17, Wackojacko wrote:
>>> Hi all
>>>
>>> I realise there has been some discussion recently over the merits or
>>> otherwise of chkrootkit, but for the last two days it has been warning of
>>> hidden processes (ps and readdir).
>>>
>>> After googling a little further I see this has been a problem in the
>>> past but was unable to find any recent examples.
>>>
>>> However, using
>>> #chkrootkit -x lkm
>>> and
>>> #chkproc -v -v
>>> and comparing these to the output of ps and ls /proc I have
>>> determined that there are processes which do not show up in /proc or
>>> ps, but I am still able to
>>> #cd /proc/PID
>>> for these processes and then
>>> #cat cmdline
>>> to find out what service is hidden.
>>>
>>> The results suggest that icedove-bin and nepomukerserver are the main
>>> culprits, but I want to know why!!
>>>
>>> I do not have any services running on external ports as I am behind a
>>> Netgear router and have confirmed this via various external port scan
>>> sites. I do run smb, imap (dovecot), postfix, cups and apt-cacher
>>> (perl) locally for my internal network.
>>>
>>> Am I really rooted? Anyone else seeing something similar?
>>
>> Is this your personal workstation?
>>
>> How is it connected to the Intarweb? Directly, or behind a NATing
>> firewalling router?
>>
>> If directly, how many services do you have listening to ports? Get a
>> friend to nmap you.
>>
>> If this is your PC, and you are behind a hardware firewall, I seriously
>> doubt that you are compromised.
>
> Hi Ron
>
> Yeah, this is my thinking. It is my personal workstation and I only have
> the services I listed above listening on the local network. I am
> behind a Netgear router and external port scans show zilch!
>
> Forgot to mention I am running Sid AMD64 with a home-rolled 2.6.25 kernel.
>
> Rkhunter shows nothing, but that means nothing if the system is
> compromised.
>
> I suppose the next question is why are these services hiding from me?
Another big question for me in this sort of situation is, what program can I use
to determine whether I really am rooted or not?

Seems to me that any program running on the suspect server can just be
overridden by the rootkit or hacker, so programs and scripts launched from
crontab would be relatively untrustworthy.

After chkrootkit emailed me a result saying 'PORT INFECTED: 2881' I see
significantly more hidden processes, but nothing ever turns out to be
definitively rooted - so I'm trying to establish a definitive security structure
before I reformat and reinstall.

(Plus I am monitoring the ports with ntop to see if there's anything suspicious
going on.)
Regards
Adam
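An added example, not written by anyone in this thread, that automates the comparison Wackojacko did by hand: /proc/PID entries that can be reached by path (cd /proc/PID) but that readdir(), the view ps and ls /proc rely on, does not list. It also filters the two things that most often make such a comparison cry wolf: thread IDs, which exist under /proc but are never listed, and processes that start or exit between the two views. It assumes a Linux procfs mounted at /proc; the function and variable names are the example's own.

```python
import os

PROC = "/proc"  # the procfs mount to inspect

def listed_pids():
    """PIDs that readdir() reports: the view ps and `ls /proc` rely on."""
    return {int(n) for n in os.listdir(PROC) if n.isdigit()}

def reachable(pid):
    """True if /proc/PID exists when opened by path (cd /proc/PID), listed or not."""
    return os.path.isdir(os.path.join(PROC, str(pid)))

def tgid(pid):
    """Tgid from /proc/PID/status: equals pid for a process, differs for a thread."""
    try:
        with open(os.path.join(PROC, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None  # status unreadable (e.g. the entry vanished meanwhile)

def cmdline(pid):
    """What `cat /proc/PID/cmdline` shows, NUL separators turned into spaces."""
    try:
        with open(os.path.join(PROC, str(pid), "cmdline"), "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""

def unlisted_but_reachable(pids):
    """The naive readdir-vs-path difference, before any false-positive filtering."""
    listed = listed_pids()
    return {p for p in pids if p not in listed and reachable(p)}

def find_hidden_pids(pids=None, recheck=3):
    """{pid: cmdline} for PIDs that are not threads of some process and stay
    unlisted-but-reachable across `recheck` fresh listings (filters mid-scan churn)."""
    if pids is None:  # default: every possible PID on this kernel
        with open(os.path.join(PROC, "sys", "kernel", "pid_max")) as f:
            pids = range(1, int(f.read()) + 1)
    hidden = {}
    for pid in sorted(unlisted_but_reachable(pids)):
        t = tgid(pid)
        if t is not None and t != pid:
            continue  # a thread of another process; its group leader is judged on its own
        if all(pid not in listed_pids() and reachable(pid) for _ in range(recheck)):
            hidden[pid] = cmdline(pid)
    return hidden
```

Calling `find_hidden_pids()` with no arguments walks every PID up to pid_max; anything it still returns is worth comparing against the chkproc output before drawing conclusions.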
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]