From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1OiVaC-0002d5-Ew for garchives@archives.gentoo.org; Mon, 09 Aug 2010 16:52:17 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1DE30E0B16; Mon, 9 Aug 2010 16:51:50 +0000 (UTC) Received: from mail-ey0-f181.google.com (mail-ey0-f181.google.com [209.85.215.181]) by pigeon.gentoo.org (Postfix) with ESMTP id D7136E0B16 for ; Mon, 9 Aug 2010 16:51:49 +0000 (UTC) Received: by eydd26 with SMTP id d26so4430432eyd.40 for ; Mon, 09 Aug 2010 09:51:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:subject:date :user-agent:references:in-reply-to:mime-version:content-type :content-transfer-encoding:message-id; bh=9RsEAohNfv3hjZHFTXUjhy8iW6dvYzuWprBtNF6C7vE=; b=xgpiWz1Dlt5Fw4jx+lO61H7mCQzOWGJhMJjbUr6vi7bTgrYXm9HPauEfpZUzx8CQbb JULGODa5maJxFv5vRnGwX8+rVowjNfLt8W+GoXusSMH1H4fLdtr0SbVlls/56mxhU3Hf mGdGL5ibPO4eOeK6q+OvZ69W1uyDHvVRsQCIU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:subject:date:user-agent:references:in-reply-to:mime-version :content-type:content-transfer-encoding:message-id; b=UKUpMNDQfV5D+aK15QnLxUi3su5P4wSTFbRuAZQw48w5vrxUVop5Q9+exofymnAUyg QToflUBrxyqi8kPr6xfZ+epk4No+/0H4HE8+Kk2RgqEorclMNrX1RH5VVY86Rifpe0j1 6ghUirW4/AOCrmIofxMwyN9rieLXJsY6Iem18= Received: by 10.213.35.6 with SMTP id n6mr3128368ebd.11.1281372709225; Mon, 09 Aug 2010 09:51:49 -0700 (PDT) Received: from nazgul.localnet (196-210-183-170.dynamic.isadsl.co.za [196.210.183.170]) by mx.google.com with ESMTPS id z55sm8124581eeh.21.2010.08.09.09.51.45 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 09 Aug 2010 09:51:47 -0700 (PDT) From: Alan McKinnon To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice Date: Mon, 9 Aug 2010 18:48:45 +0200 User-Agent: KMail/1.13.5 (Linux/2.6.34-ck-r1; KDE/4.4.5; x86_64; ; ) References: In-Reply-To: Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <201008091848.46139.alan.mckinnon@gmail.com> X-Archives-Salt: 178266a2-6c8c-4528-84a9-f937d6e1603d X-Archives-Hash: 6e478a94a48a8312aebf5a9cb2312a52 On Monday 09 August 2010 18:25:56 Paul Hartman wrote: > Hi, today when working remotely I ran nethogs and noticed suspicious > network traffic coming from my home gentoo box. It was very low > traffic (less than 1KB/sec bandwidth usage) but according to nethogs > it was between a root user process and various suspicious-looking > ports on outside hosts in other countries that I have no business > with. netstat didn't show anything, however, but when I ran chkrootkit > told me that netstat was INFECTED. I immediately issued "shutdown -h > now" and now I won't be able to take a further look at it until I get > home and have physical access to the box. System uptime was a few > months. It was last updated for installation of a 2.6.33 kernel > (2.6.35 is out now). > > I have 3 goals now: > > 1) Figure out what is running on my box and how long it has been there. > 2) Find out how it got there. > 3) Sanitizing, or most likely rebuilding the system from scratch. Here's the bad news: An intruder probably gained access through a script kiddie script, which has likely already removed all the logs. Or they have possibly been rotated away by now. I would proceed as follows: 1. Keep that machine off the internet till it is reinstalled 2. Fresh reinstall using boot media that you have downloaded and written elsewhere, plus a portage tree. Don't worry about distfiles - a fresh portage tree won't use existing copies on that machine if the hashes don't match. So you can re-use them. If you boot off new install media it is safe to download new distfiles using it. 3. Keep your old partitions around if you want to do forensics, you can mount them somewhere when a reinstall is done and peruse them at your leisure. However, doing that is often a waste of time unless you still have logs. You can use a scanner like nessus to look things over. 4. And it goes without saying that you should change all passwords and keys used on that trojaned machine. > I won't feel comfortable about doing item 3 until I learn the cause of > 1 and 2. Since this is a home PC, it's not mission-critical and I have > other computers so I can afford to leave it offline while I > investigate this security breach, but at the same time it's worrisome > because I do banking etc from this machine. I'll obviously have to > check the status of any other computer on the same network. > > My user account has sudo-without-password rights to any command. In > hindsight this risk may not be worth the extra convenience... A rogue > "sudo install-bad-stuff" anywhere over time could have done me in. > > Alternatively I was running vulnerable/compromised software. My box > has sshd running, root login in ssh is not allowed, and pubkey only > logins (no passwords). It is behind a wireless router but port 22 is > open and pointing to this box, and a few others needed by other > applications. So I will check out which keys exist on the compromised > machine and make sure I recognize them all. I'll also need to check > the status of any other computer my key is stored on (a mix of linux & > windows, and my mobile phone). Sigh... > > I am using ~amd64 and I update deep world about 3 times a week normally. > > The computer is only a few months old, but it was created by cloning a > ~2-years-old computer. I did emerge -e world as part of the upgrade > process. > > If anyone has advice on what I should look at forensically to > determine the cause of this, it is appreciated. I'll first dig into > the logs, bash history etc. and really hope that this very happened > recently. > > Thanks for any tips and wish me good luck. :) -- alan dot mckinnon at gmail dot com