[Cialug] Rootkit?
Josh More
morej at alliancetechnologies.net
Thu Jan 31 21:21:50 CST 2008
This client doesn't do inline comments very well (sorry, I don't like it
either), so here are my responses to Nathan:
1) See http://www.chkrootkit.org/faq/#5 for using chkrootkit with the -r
and -p options.
2) In theory, rkhunter will scan both the CD filesystem and the mounted
directories since it's hash based.
3) Nessus is a vulnerability scanner with a lot more history than nmap
(nmap is just now turning into a vuln scanner). It's a bit of a pain to
set up, but it is very powerful.
However, after reading what happened in this thread after my first post,
I suspect that you have a network process running amok. Boot into level
1 emergency mode and see if the problem still occurs there. Then bring
up your services one at a time and see when you start to see the
problem. (I suspect samba ;)
A quicker test would be to go straight to init 3 and see if it's there.
Then go to init 5. If it's in init 5 but not 3, odds are that it's
something that X/gnome/KDE/etc is doing. Try a basic window manager and
see if it goes away (you may need to reboot first).
"netstat -atunp" may give you clues... but if you *are* hacked, you
cannot trust its output (nor that of the dependencies of chkrootkit and
rkhunter, which is why you need to use a boot disk).
-Josh More, RHCE, CISSP, NCLP, GIAC
morej at alliancetechnologies.net
515-245-7701
>>> "Nathan Stien" <nathanism at gmail.com> 01/31/08 8:51 PM >>>
On Jan 31, 2008 8:27 PM, Josh More <morej at alliancetechnologies.net>
wrote:
> Boot Knoppix or RescueCD and run chkrootkit and rkhunter again. Run
> clamAV.
Hmm, it seems to me that running rkhunter & friends from Knoppix would
check the cdrom's binaries and /etc files rather than those on my
drive. Is there some boot disc out there that is set up to scan your
hard drive with those tools?
> Run Nessus and nmap against your server from a trusted machine.
nmap is my go-to tool for stuff like this. But I must admit my
ignorance -- I've never used nessus before; what does it do that nmap
doesn't?
> Boot into different init levels and see if the same behavior occurs.
Interesting idea, I'll try that one.
> Check your router/firewall for outbound packets for which you cannot
> account. (You may have to sniff for up to two weeks to actually see
> them, if they batch them (ports 80, 25, and 666* are common, but there
> are others)).
Hmm, I go to all manner of sites all the time. It would be impossible
to check outgoing port 80 stuff. Other ports might be easier to
check, though.
Thanks for the suggestions, Josh!
- Nathan
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
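An added example, not part of the thread above: Josh's warning that "netstat -atunp" cannot be trusted on a hacked box, combined with his advice to scan the server from a trusted machine, suggests a concrete check. Compare the listening TCP ports the host reports about itself with the open ports an external nmap scan sees; a port that is open from the network but absent from the host's own netstat points at a hidden listener or a replaced netstat. The netstat and nmap outputs below are constructed for the example (host 192.168.1.10, PIDs, the 31337 listener and the nmap version line are all made up), as is the 'hidden_ports' helper name; nothing here is code from the list or from the nmap or chkrootkit projects.

```shell
#!/bin/sh
# Cross-check a suspect host's own view of its listening TCP ports against an
# external scan from a trusted machine. Both sample outputs are constructed.

# Constructed output of `netstat -atunp` run as root on the suspect host.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2048/smbd
tcp        0      0 192.168.1.10:22         192.168.1.50:51022      ESTABLISHED 1300/sshd: nathan
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2050/nmbd'

# Constructed grepable output of `nmap -sS -p- -oG - 192.168.1.10` run from a
# trusted machine (real -oG separates fields with tabs; spaces are used here).
NMAP_SAMPLE='# Nmap 4.20 scan initiated (constructed sample)
Host: 192.168.1.10 () Ports: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 31337/open/tcp//Elite/// Ignored State: closed (65532)
# Nmap done (constructed sample)'

# Listening TCP ports as the host reports them: proto in $1, local address in $4,
# state in $6. Strip everything up to the last colon to keep just the port.
local_listen_ports() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
        awk '$1 == "tcp" && $6 == "LISTEN" { sub(/.*:/, "", $4); print $4 }' |
        sort -n
}

# Open TCP ports seen from outside, parsed from nmap's grepable format: each
# entry is port/state/proto/..., entries are comma separated.
remote_open_ports() {
    printf '%s\n' "$NMAP_SAMPLE" |
        awk -F'Ports: ' '/^Host:/ {
            n = split($2, f, ", ")
            for (i = 1; i <= n; i++) {
                split(f[i], p, "/")
                if (p[2] == "open" && p[3] == "tcp") print p[1]
            }
        }' |
        sort -n
}

# Ports open from the network that the host does not admit to. Local ports are
# tagged L and fed first, so awk has the full local set before it sees the
# remote (R) ports and can print the ones never seen locally.
hidden_ports() {
    { local_listen_ports | sed 's/^/L /'; remote_open_ports | sed 's/^/R /'; } |
        awk '$1 == "L" { seen[$2] = 1 } $1 == "R" && !seen[$2] { print $2 }'
}

echo "host reports listening on: $(local_listen_ports | tr '\n' ' ')"
echo "nmap sees open:            $(remote_open_ports | tr '\n' ' ')"
echo "open but hidden from netstat: $(hidden_ports | tr '\n' ' ')"
```

In practice the two inputs come from running netstat on the suspect host and nmap on the trusted one and pasting or scp'ing the output over; a non-empty hidden set is a strong reason to go straight to the rescue-disc route rather than keep investigating from inside the possibly compromised system. The check only covers TCP listeners; a backdoor that batches its traffic outbound (Josh's router/firewall point) needs the sniffing approach instead.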