* [gentoo-user] Did I just get hacked???
From: Grant @ 2007-02-11 2:27 UTC
To: Gentoo mailing list

The contents of my /home/grant/vmware folder have suddenly disappeared.
I haven't noticed anything else strange yet. I did configure and start
shorewall for the first time yesterday instead of using a few iptables
commands from the Gentoo Home Router Guide. I'm also running PenguinTV
(a video RSS aggregator with an ebuild in bugs.gentoo.org) and
transmission (a bittorrent client in portage) for the first time. My
shorewall config is here:

http://archives.gentoo.org/gentoo-user/msg_108375.xml

What should I do next?

- Grant
-- 
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Did I just get hacked???
From: Jerry McBride @ 2007-02-11 3:06 UTC
To: gentoo-user

On Saturday 10 February 2007 09:27:10 pm Grant wrote:
> The contents of my /home/grant/vmware folder have suddenly
> disappeared. I haven't noticed anything else strange yet. I did
> configure and start shorewall for the first time yesterday instead of
> using a few iptables commands from the Gentoo Home Router Guide. I'm
> also running PenguinTV (a video RSS aggregator with an ebuild in
> bugs.gentoo.org) and transmission (a bittorrent client in portage) for
> the first time. My shorewall config is here:
>
> http://archives.gentoo.org/gentoo-user/msg_108375.xml
>
> What should I do next?
>
> - Grant

1 - if you aren't sure, then take it off the net until you are sure.
2 - view the log files in /var/log
3 - look at the contents and the file dates... see anything "not right"
4 - boot from a "rescue disk" of some merit and run chkrootkit or a similar tool.
5 - did/are you running any internet services? Look at their log files
    with a magnifying glass for "any" discrepancy...

-- 
Jerry McBride
* Re: [gentoo-user] Did I just get hacked???
From: Grant @ 2007-02-11 4:11 UTC
To: gentoo-user

> > The contents of my /home/grant/vmware folder have suddenly
> > disappeared. I haven't noticed anything else strange yet. I did
> > configure and start shorewall for the first time yesterday instead of
> > using a few iptables commands from the Gentoo Home Router Guide. I'm
> > also running PenguinTV (a video RSS aggregator with an ebuild in
> > bugs.gentoo.org) and transmission (a bittorrent client in portage) for
> > the first time. My shorewall config is here:
> >
> > http://archives.gentoo.org/gentoo-user/msg_108375.xml
> >
> > What should I do next?
> >
> > - Grant
>
> 1 - if you aren't sure, then take it off the net until you are sure.
> 2 - view the log files in /var/log
> 3 - look at the contents and the file dates... see anything "not right"

I haven't spent much time in /var/log before unless I was looking for
something specific, so it all looks pretty foreign as I look over it
now. What type of things should I be looking for?

> 4 - boot from a "rescue disk" of some merit and run chkrootkit or a similar tool.

Here is the output of chkrootkit. It looks fine to me, but there is
some stuff at and near the end that I don't understand.

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... ath0: PF_PACKET(/sbin/wpa_supplicant)
vmnet8: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID          PID TTY    CMD
! root         4450 tty7   /usr/bin/X :0 -audit 0 -auth /var/gdm/:0.Xauth vt7
chkutmp: nothing deleted

> 5 - did/are you running any internet services? Look at their log files
>     with a magnifying glass for "any" discrepancy...

I am running bittorrent on the affected machine as of yesterday, with
tcp and udp ports 6881:6999 forwarded to that machine from the
firewall/router via shorewall. Here is the shorewall config.

/etc/shorewall/zones:
fw      firewall
net     ipv4
loc     ipv4

/etc/shorewall/interfaces:
net     eth0    detect  tcpflags,routefilter,nosmurfs,logmartians
loc     ath0    detect  tcpflags,detectnets,nosmurfs

/etc/shorewall/policy:
loc     net     ACCEPT
loc     $FW     ACCEPT
loc     all     REJECT  info
$FW     net     REJECT  info
$FW     loc     REJECT  info
$FW     all     REJECT  info
net     $FW     DROP    info
net     loc     DROP    info
net     all     DROP    info
all     all     REJECT  info

/etc/shorewall/rules:
DNS/ACCEPT      $FW     net
Ping/REJECT     net     $FW
ACCEPT  $FW     loc     icmp
ACCEPT  $FW     net     icmp
DNAT    net     loc:192.168.0.3 tcp     6881:6999
DNAT    net     loc:192.168.0.3 udp     6881:6999

/etc/shorewall/masq:
eth0    ath0

/etc/shorewall/routestopped:
ath0    -

Please let me know if you have any further advice. I'm completely
puzzled as to what happened to the contents of ~/vmware.

- Grant
* Re: [gentoo-user] Did I just get hacked???
From: Albert Hopkins @ 2007-02-11 3:38 UTC
To: gentoo-user

On Sat, 2007-02-10 at 18:27 -0800, Grant wrote:
> The contents of my /home/grant/vmware folder have suddenly
> disappeared. I haven't noticed anything else strange yet. I did
> configure and start shorewall for the first time yesterday instead of
> using a few iptables commands from the Gentoo Home Router Guide. I'm
> also running PenguinTV (a video RSS aggregator with an ebuild in
> bugs.gentoo.org) and transmission (a bittorrent client in portage)

So someone breaks into your box and the only thing they can think of to
do is remove your ~/vmware directory?
* Re: [gentoo-user] Did I just get hacked???
From: Chris Nolan @ 2007-02-11 4:06 UTC
To: gentoo-user

A long time ago, when a LAMP box of mine got hacked, they installed a
program in /tmp/<random characters> that would connect to IRC servers.
Basically they made my box a bot. The way I found it was I saw outgoing
IRC connections when I was in netstat looking for something else.

They got me through an exploit in awstats, which I no longer run. The
only way I was sure that I got rid of the hack was I wiped and reloaded
the machine from scratch.

Long of it is: check for odd processes as well.
* [gentoo-user] Re: Did I just get hacked???
From: Grant Edwards @ 2007-02-11 4:29 UTC
To: gentoo-user

On 2007-02-11, Chris Nolan <lostpkts@gmail.com> wrote:
> A long time ago, when a LAMP box of mine got hacked, they installed a
> program in /tmp/<random characters> that would connect to IRC
> servers. Basically they made my box a bot. The way I found it was I
> saw outgoing IRC connections when I was in netstat looking for
> something else.
>
> They got me through an exploit in awstats, which I no longer run.
> The only way I was sure that I got rid of the hack was I wiped and
> reloaded the machine from scratch.
>
> Long of it is: check for odd processes as well.

A good rootkit will install a "ps" that won't show the 'bot processes.
The one time a machine of mine got hacked, netstat still worked, but I
don't know why a hacked netstat couldn't be installed as well.

Looking through /proc/<pid> is probably still reliable.

-- 
Grant Edwards                   grante             Yow!  I am deeply CONCERNED
                                  at               and I want something GOOD
                                visi.com           for BREAKFAST!
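As an added illustration of the /proc cross-check Grant Edwards suggests (this is not code from the thread, it is the idea behind chkrootkit's chkproc): list /proc the way ps would, then probe /proc/<pid>/status for every PID up to pid_max and report any PID that opens but was never listed. It assumes a Linux procfs at /proc; the sample status text is constructed.

```python
"""Cross-check the process list two ways.

A user-space rootkit that replaces ps, or hides entries from directory
listings (e.g. via LD_PRELOAD), can leave /proc/<pid> still openable by
name.  Probing every candidate PID and comparing with the listing exposes
the gap.  A kernel-space rootkit that hooks the syscalls themselves (the
point Paul makes later in the thread) can defeat both views, so a clean
result here is evidence, not proof.
Assumption: a Linux procfs mounted at /proc.
"""
import os

PROC = "/proc"

# Constructed sample of a /proc/<pid>/status file, used to show the parser.
SAMPLE_STATUS = "Name:\tsshd\nState:\tS (sleeping)\nPid:\t2321\nPPid:\t1\nUid:\t0\t0\t0\t0\n"


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def listed_pids(proc=PROC):
    """PIDs visible to a plain directory listing, the view ps and ls rely on."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(proc=PROC, limit=None):
    """PIDs found by opening /proc/<pid>/status for every PID up to pid_max."""
    if limit is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            limit = int(f.read())
    return {pid for pid in range(1, limit + 1)
            if os.path.exists(os.path.join(proc, str(pid), "status"))}


def hidden_pids(listed, probed):
    """PIDs that open by name but were missing from the listing."""
    return sorted(probed - listed)


def describe(pid, proc=PROC):
    """Name, parent and executable of a PID, or None if it has already exited."""
    base = os.path.join(proc, str(pid))
    try:
        with open(os.path.join(base, "status")) as f:
            info = parse_status(f.read())
    except OSError:
        return None
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = "?"  # kernel threads and zombies have no exe link
    return {"pid": pid, "name": info.get("Name", "?"),
            "ppid": info.get("PPid", "?"), "exe": exe}


def audit(proc=PROC, limit=None):
    """Return descriptions of PIDs that were probed but never listed."""
    listed = listed_pids(proc)
    probed = probed_pids(proc, limit)
    # List again afterwards so processes that started mid-scan are not flagged.
    listed |= listed_pids(proc)
    return [d for d in (describe(p, proc) for p in hidden_pids(listed, probed)) if d]


if __name__ == "__main__":
    suspects = audit()
    for entry in suspects:
        print("not in listing:", entry)
    if not suspects:
        print("no hidden PIDs found (covers user-space hiding only)")
```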
* [gentoo-user] Re: Did I just get hacked???
From: James @ 2007-02-11 21:16 UTC
To: gentoo-user

Grant Edwards <grante <at> visi.com> writes:

> A good rootkit will install a "ps" that won't show the 'bot
> processes. The one time a machine of mine got hacked, netstat
> still worked, but I don't know why a hacked netstat couldn't be
> installed as well.

> Looking through /proc/<pid> is probably still reliable.

Hello Grant,

I keep an old portable around, running wireshark and a flat hub.
You can set your ethernet address to 0.0.0.0 and fire up wireshark.

You can then sniff any (ethernet) segment of your network for
nefarious traffic or misconfigured network applications.

hth,

James
* Re: [gentoo-user] Re: Did I just get hacked???
From: Grant @ 2007-02-12 0:31 UTC
To: gentoo-user

> > A good rootkit will install a "ps" that won't show the 'bot
> > processes. The one time a machine of mine got hacked, netstat
> > still worked, but I don't know why a hacked netstat couldn't be
> > installed as well.
>
> > Looking through /proc/<pid> is probably still reliable.
>
> Hello Grant,
>
> I keep an old portable around, running wireshark and a flat hub.
> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>
> You can then sniff any (ethernet) segment of your network for
> nefarious traffic or misconfigured network applications.

Ok, it sounds like the key to figuring this out is watching the
outgoing network traffic for weird stuff. eth0 is on the WAN and
wireless ath0 is on the local subnet. How would you monitor the
outgoing traffic considering my setup?

- Grant
* Re: [gentoo-user] Re: Did I just get hacked???
From: Paul Sebastian Ziegler @ 2007-02-12 6:02 UTC
To: gentoo-user

Hi Grant,

personally (but this is by far only ONE possible setup for your task)
I'd advise you to connect eth0 to the WAN through a box set up as a
bridge (try brctl). If that box has a good wireless card and good
drivers (this mostly means "if that box isn't running Windows") you can
also put that wireless card into promiscuous mode, lock it to your
channel and SSID and feed wireshark your WEP key or WPA-PSK for
decryption.
If not, then you'll have to use a second box for the wireless sniffing.

BTW, current rootkits won't just replace ps or some other tools. Good
rootkits do not run in userspace; they run in kernelspace. They directly
intercept the function calls. Just another thing to keep in mind while
trying to scan for them.

hth
Paul

Grant wrote:
>> > A good rootkit will install a "ps" that won't show the 'bot
>> > processes. The one time a machine of mine got hacked, netstat
>> > still worked, but I don't know why a hacked netstat couldn't be
>> > installed as well.
>>
>> > Looking through /proc/<pid> is probably still reliable.
>>
>> Hello Grant,
>>
>> I keep an old portable around, running wireshark and a flat hub.
>> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>>
>> You can then sniff any (ethernet) segment of your network for
>> nefarious traffic or misconfigured network applications.
>
> Ok, it sounds like the key to figuring this out is watching the
> outgoing network traffic for weird stuff. eth0 is on the WAN and
> wireless ath0 is on the local subnet. How would you monitor the
> outgoing traffic considering my setup?
>
> - Grant
* Re: [gentoo-user] Re: Did I just get hacked???
From: Shawn Singh @ 2007-02-12 13:30 UTC
To: gentoo-user

Grant,

Maybe going forward (if you're not doing so already), one tool I've
found to be useful in the past was AIDE. While it certainly won't
prevent a break-in, it can certainly be useful when trying to find out
what changed on your system.

Later,

Shawn

On 2/12/07, Paul Sebastian Ziegler <psz@observed.de> wrote:
>
> Hi Grant,
>
> personally (but this is by far only ONE possible setup for your task)
> I'd advise you to connect eth0 to the WAN through a box set up as a
> bridge (try brctl). If that box has a good wireless card and good
> drivers (this mostly means "if that box isn't running Windows") you can
> also put that wireless card into promiscuous mode, lock it to your
> channel and SSID and feed wireshark your WEP key or WPA-PSK for
> decryption.
> If not, then you'll have to use a second box for the wireless sniffing.
>
> BTW, current rootkits won't just replace ps or some other tools. Good
> rootkits do not run in userspace; they run in kernelspace. They directly
> intercept the function calls. Just another thing to keep in mind while
> trying to scan for them.
>
> hth
> Paul
>
> Grant wrote:
> >> > A good rootkit will install a "ps" that won't show the 'bot
> >> > processes. The one time a machine of mine got hacked, netstat
> >> > still worked, but I don't know why a hacked netstat couldn't be
> >> > installed as well.
> >>
> >> > Looking through /proc/<pid> is probably still reliable.
> >>
> >> Hello Grant,
> >>
> >> I keep an old portable around, running wireshark and a flat hub.
> >> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> >>
> >> You can then sniff any (ethernet) segment of your network for
> >> nefarious traffic or misconfigured network applications.
> >
> > Ok, it sounds like the key to figuring this out is watching the
> > outgoing network traffic for weird stuff. eth0 is on the WAN and
> > wireless ath0 is on the local subnet. How would you monitor the
> > outgoing traffic considering my setup?
> >
> > - Grant

-- 
"Doing linear scans over an associative array is like trying to club
someone to death with a loaded Uzi."
Larry Wall
* Re: [gentoo-user] Re: Did I just get hacked???
From: Shawn Singh @ 2007-02-12 13:35 UTC
To: gentoo-user

Grant,

I figured I should add this note. I'm recommending AIDE as something
for if you get to the point where you feel like you've been hacked,
you've done your post-mortem, and are ready to rebuild; upon your
rebuild AIDE might prove to be handy in the future. It'd probably be
useless on a system that has already been compromised.

Later,

Shawn

On 2/12/07, Shawn Singh <callmeshawn@gmail.com> wrote:
>
> Grant,
>
> Maybe going forward (if you're not doing so already), one tool I've
> found to be useful in the past was AIDE. While it certainly won't
> prevent a break-in, it can certainly be useful when trying to find out
> what changed on your system.
>
> Later,
>
> Shawn
>
> On 2/12/07, Paul Sebastian Ziegler <psz@observed.de> wrote:
> >
> > Hi Grant,
> >
> > personally (but this is by far only ONE possible setup for your task)
> > I'd advise you to connect eth0 to the WAN through a box set up as a
> > bridge (try brctl). If that box has a good wireless card and good
> > drivers (this mostly means "if that box isn't running Windows") you can
> > also put that wireless card into promiscuous mode, lock it to your
> > channel and SSID and feed wireshark your WEP key or WPA-PSK for
> > decryption.
> > If not, then you'll have to use a second box for the wireless sniffing.
> >
> > BTW, current rootkits won't just replace ps or some other tools. Good
> > rootkits do not run in userspace; they run in kernelspace. They directly
> > intercept the function calls. Just another thing to keep in mind while
> > trying to scan for them.
> >
> > hth
> > Paul
> >
> > Grant wrote:
> > >> > A good rootkit will install a "ps" that won't show the 'bot
> > >> > processes. The one time a machine of mine got hacked, netstat
> > >> > still worked, but I don't know why a hacked netstat couldn't be
> > >> > installed as well.
> > >>
> > >> > Looking through /proc/<pid> is probably still reliable.
> > >>
> > >> Hello Grant,
> > >>
> > >> I keep an old portable around, running wireshark and a flat hub.
> > >> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> > >>
> > >> You can then sniff any (ethernet) segment of your network for
> > >> nefarious traffic or misconfigured network applications.
> > >
> > > Ok, it sounds like the key to figuring this out is watching the
> > > outgoing network traffic for weird stuff. eth0 is on the WAN and
> > > wireless ath0 is on the local subnet. How would you monitor the
> > > outgoing traffic considering my setup?
> > >
> > > - Grant
>
> --
> "Doing linear scans over an associative array is like trying to club
> someone to death with a loaded Uzi."
> Larry Wall

-- 
"Doing linear scans over an associative array is like trying to club
someone to death with a loaded Uzi."
Larry Wall
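Added here to show what AIDE does for the rebuilt system Shawn describes; this is an illustration written for this page, not AIDE and not code from the thread. It records a hash plus mode, owner and mtime for every path under a root, keeps that baseline where the monitored host cannot rewrite it, and diffs a later scan against it; the demo() tree and the edits made to it are constructed.

```python
"""A small file-integrity baseline in the spirit of AIDE.

The baseline only means something if it was taken on a known-clean
system and stored off-box (read-only media or another machine), which is
exactly why it is useless on a host that is already compromised.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Attributes of one path; regular files also get a SHA-256 of their content."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Map every path under root (relative to it) to its record."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(old, new):
    """Paths added, removed, or whose recorded attributes differ."""
    changed = {}
    for path in set(old) & set(new):
        keys = set(old[path]) | set(new[path])
        diffs = sorted(k for k in keys if old[path].get(k) != new[path].get(k))
        if diffs:
            changed[path] = diffs
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep this file off the monitored host."""
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed tree: baseline it, alter it, and report the differences."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "etc", "old.conf"), "wb") as f:
            f.write(b"to be removed")
        baseline_file = os.path.join(store, "baseline.json")  # outside the tree
        save_baseline(build_baseline(root), baseline_file)
        # Simulated changes: a replaced binary, a new file under tmp, a removed config.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary with different length")
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", ".x"), "wb") as f:
            f.write(b"dropped")
        os.remove(os.path.join(root, "etc", "old.conf"))
        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```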
* Re: [gentoo-user] Re: Did I just get hacked???
From: Grant @ 2007-02-12 3:58 UTC
To: gentoo-user

> > A good rootkit will install a "ps" that won't show the 'bot
> > processes. The one time a machine of mine got hacked, netstat
> > still worked, but I don't know why a hacked netstat couldn't be
> > installed as well.
>
> > Looking through /proc/<pid> is probably still reliable.
>
> Hello Grant,
>
> I keep an old portable around, running wireshark and a flat hub.
> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>
> You can then sniff any (ethernet) segment of your network for
> nefarious traffic or misconfigured network applications.
>
> hth,
>
> James

I can see in an xfce4 panel plugin that there is constantly a small
amount of incoming/outgoing traffic to/from the affected system when
there is no reason I know of for it. netstat doesn't show anything
that jumps out at me, although this is the first time I've really used
it. All of the current netstat connections appear to be UNIX as
opposed to Internet. Should I paste them in?

- Grant
* Re: [gentoo-user] Re: Did I just get hacked???
From: Dan Farrell @ 2007-02-12 15:32 UTC
To: gentoo-user

On Sun, 11 Feb 2007 19:58:49 -0800
Grant <emailgrant@gmail.com> wrote:

> > > A good rootkit will install a "ps" that won't show the 'bot
> > > processes. The one time a machine of mine got hacked, netstat
> > > still worked, but I don't know why a hacked netstat couldn't be
> > > installed as well.
> >
> > > Looking through /proc/<pid> is probably still reliable.
> >
> > Hello Grant,
> >
> > I keep an old portable around, running wireshark and a flat hub.
> > You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> >
> > You can then sniff any (ethernet) segment of your network for
> > nefarious traffic or misconfigured network applications.
> >
> > hth,
> >
> > James
>
> I can see in an xfce4 panel plugin that there is constantly a small
> amount of incoming/outgoing traffic to/from the affected system when
> there is no reason I know of for it. netstat doesn't show anything
> that jumps out at me, although this is the first time I've really used
> it. All of the current netstat connections appear to be UNIX as
> opposed to Internet. Should I paste them in?
>
> - Grant

Nope, they're all local socket connections. What kind of traffic are
you seeing, I mean how much? Ever heard of tcpdump?
* Re: [gentoo-user] Re: Did I just get hacked???
From: Willie Wong @ 2007-02-12 16:33 UTC
To: gentoo-user

On Mon, Feb 12, 2007 at 09:32:47AM -0600, Penguin Lover Dan Farrell squawked:
> > I can see in an xfce4 panel plugin that there is constantly a small
> > amount of incoming/outgoing traffic to/from the affected system when
> > there is no reason I know of for it. netstat doesn't show anything
> > that jumps out at me, although this is the first time I've really used
> > it. All of the current netstat connections appear to be UNIX as
> > opposed to Internet. Should I paste them in?
> >
> > - Grant
>
> Nope, they're all local socket connections. What kind of traffic are
> you seeing, I mean how much? Ever heard of tcpdump?

Also, what about netstat --ip? That should omit the local sockets.

W
-- 
Pintsize: Nooooooo! I'm lactose intolerant!
Sortir en Pantoufles: up 66 days, 14:50
* Re: [gentoo-user] Re: Did I just get hacked???
From: Grant @ 2007-02-12 18:05 UTC
To: gentoo-user

> > > > A good rootkit will install a "ps" that won't show the 'bot
> > > > processes. The one time a machine of mine got hacked, netstat
> > > > still worked, but I don't know why a hacked netstat couldn't be
> > > > installed as well.
> > >
> > > > Looking through /proc/<pid> is probably still reliable.
> > >
> > > Hello Grant,
> > >
> > > I keep an old portable around, running wireshark and a flat hub.
> > > You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> > >
> > > You can then sniff any (ethernet) segment of your network for
> > > nefarious traffic or misconfigured network applications.
> > >
> > > hth,
> > >
> > > James
> >
> > I can see in an xfce4 panel plugin that there is constantly a small
> > amount of incoming/outgoing traffic to/from the affected system when
> > there is no reason I know of for it. netstat doesn't show anything
> > that jumps out at me, although this is the first time I've really used
> > it. All of the current netstat connections appear to be UNIX as
> > opposed to Internet. Should I paste them in?
> >
> > - Grant
>
> Nope, they're all local socket connections. What kind of traffic are
> you seeing, I mean how much? Ever heard of tcpdump?

I just did a fresh reboot, and as soon as xfce4 was loaded I was seeing
between .2kbps and .6kbps incoming and outgoing traffic constantly in
the xfce4 panel plugin, which uses /proc/net/dev. I then changed the
WPA wireless password on the router so the machine couldn't connect,
and the panel plugin started reporting small bursts of
incoming/outgoing traffic instead of the constant stream. I then
updated the machine's password to match the router's new password and
the steady stream returned.

netstat --ip reports absolutely no connections during all of this.

Should I emerge tcpdump and run that?

- Grant
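To put a number on the trickle Grant describes instead of reading it off a panel, here is an added example (not from the thread) that parses /proc/net/dev, the same counters the xfce4 plugin reads, and turns two snapshots into per-interface rates, handling the 32-bit counter wrap of older kernels. It assumes the Linux /proc/net/dev layout; the two snapshots are constructed to reproduce a 0.4 kbps inbound trickle on ath0.

```python
"""Per-interface traffic rates from /proc/net/dev.

These counters include every frame the interface handled (ARP, broadcasts,
DHCP, wireless chatter), none of which is a connected socket, so a steady
trickle here with nothing in `netstat --ip` is not by itself evidence of
anything; the measured rate tells you what to look for with tcpdump next.
"""
import time

COUNTER_WRAP = 2 ** 32  # 32-bit counters on older kernels wrap here

# Constructed snapshot at t=0 seconds (real layout, made-up numbers).
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0         0  2500000   20000    0    0    0     0       0          0
  ath0: 7000000   60000    0    0    0     0          0         0  3000000   25000    0    0    0     0       0          0
"""

# Constructed snapshot 10 seconds later: ath0 received 500 bytes in 5 packets
# and sent 250 bytes in 3 packets; eth0 and lo were idle.
SNAP_T10 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0         0  2500000   20000    0    0    0     0       0          0
  ath0: 7000500   60005    0    0    0     0          0         0  3000250   25003    0    0    0     0       0          0
"""

# Column positions after the "iface:" prefix: 8 receive fields, then 8 transmit.
FIELDS = {"rx_bytes": 0, "rx_packets": 1, "tx_bytes": 8, "tx_packets": 9}


def parse_proc_net_dev(text):
    """Map interface name to its rx/tx byte and packet counters."""
    counters = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        iface, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) < 16:
            continue
        counters[iface.strip()] = {name: int(fields[i]) for name, i in FIELDS.items()}
    return counters


def delta(now, before):
    """Counter difference, corrected for a 32-bit wraparound."""
    d = now - before
    return d + COUNTER_WRAP if d < 0 else d


def rates(before, after, seconds):
    """bytes/s and packets/s per interface present in both snapshots."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    return {iface: {k: delta(after[iface][k], before[iface][k]) / seconds for k in FIELDS}
            for iface in after if iface in before}


def to_kbps(bytes_per_second):
    """Convert a byte rate to kilobits per second, the unit the panel shows."""
    return bytes_per_second * 8 / 1000.0


def sample_live(interval=1.0):
    """Measure the real interfaces over `interval` seconds (Linux only)."""
    with open("/proc/net/dev") as f:
        before = parse_proc_net_dev(f.read())
    time.sleep(interval)
    with open("/proc/net/dev") as f:
        after = parse_proc_net_dev(f.read())
    return rates(before, after, interval)


if __name__ == "__main__":
    demo = rates(parse_proc_net_dev(SNAP_T0), parse_proc_net_dev(SNAP_T10), 10.0)
    for iface, r in demo.items():
        print("%-5s rx %.2f kbps (%.1f pkt/s)  tx %.2f kbps (%.1f pkt/s)" % (
            iface, to_kbps(r["rx_bytes"]), r["rx_packets"],
            to_kbps(r["tx_bytes"]), r["tx_packets"]))
```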
* Re: [gentoo-user] Re: Did I just get hacked???
From: nicolas.cornu @ 2007-02-13 8:07 UTC
To: gentoo-user

Grant wrote:
>> > > > A good rootkit will install a "ps" that won't show the 'bot
>> > > > processes. The one time a machine of mine got hacked, netstat
>> > > > still worked, but I don't know why a hacked netstat couldn't be
>> > > > installed as well.
>> > >
>> > > > Looking through /proc/<pid> is probably still reliable.
>> > >
>> > > Hello Grant,
>> > >
>> > > I keep an old portable around, running wireshark and a flat hub.
>> > > You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>> > >
>> > > You can then sniff any (ethernet) segment of your network for
>> > > nefarious traffic or misconfigured network applications.
>> > >
>> > > hth,
>> > >
>> > > James
>> >
>> > I can see in an xfce4 panel plugin that there is constantly a small
>> > amount of incoming/outgoing traffic to/from the affected system when
>> > there is no reason I know of for it. netstat doesn't show anything
>> > that jumps out at me, although this is the first time I've really used
>> > it. All of the current netstat connections appear to be UNIX as
>> > opposed to Internet. Should I paste them in?
>> >
>> > - Grant
>>
>> Nope, they're all local socket connections. What kind of traffic are
>> you seeing, I mean how much? Ever heard of tcpdump?
>
> I just did a fresh reboot, and as soon as xfce4 was loaded I was seeing
> between .2kbps and .6kbps incoming and outgoing traffic constantly in
> the xfce4 panel plugin, which uses /proc/net/dev. I then changed the
> WPA wireless password on the router so the machine couldn't connect,
> and the panel plugin started reporting small bursts of
> incoming/outgoing traffic instead of the constant stream. I then
> updated the machine's password to match the router's new password and
> the steady stream returned.
>
> netstat --ip reports absolutely no connections during all of this.
>
> Should I emerge tcpdump and run that?
>
> - Grant

Hi,

You could try wireshark, which is almost the same thing as tcpdump but
graphical. It will help you to analyze the packets going through your
interface.
* Re: [gentoo-user] Did I just get hacked???
From: Grant @ 2007-02-22 23:34 UTC
To: gentoo-user

> > The contents of my /home/grant/vmware folder have suddenly
> > disappeared. I haven't noticed anything else strange yet. I did
> > configure and start shorewall for the first time yesterday instead of
> > using a few iptables commands from the Gentoo Home Router Guide. I'm
> > also running PenguinTV (a video RSS aggregator with an ebuild in
> > bugs.gentoo.org) and transmission (a bittorrent client in portage)
>
> So someone breaks into your box and the only thing they can think of to
> do is remove your ~/vmware directory?

It occurred to me this morning that a hacker could have gained access
to my system via the vmware guest OS (XP) and then deleted the
contents of vmware/ to cover his tracks. Does that sound like a
possibility?

- Grant
* Re: [gentoo-user] Did I just get hacked??? 2007-02-22 23:34 ` [gentoo-user] " Grant @ 2007-02-23 0:51 ` Neil Bothwick 2007-02-23 17:48 ` Andrey Gerasimenko 0 siblings, 1 reply; 20+ messages in thread
From: Neil Bothwick @ 2007-02-23 0:51 UTC (permalink / raw)
To: gentoo-user

On Thu, 22 Feb 2007 15:34:45 -0800, Grant wrote:

> It occurred to me this morning that a hacker could have gained access to my system via the vmware guest OS (XP) and then deleted the contents of vmware/ to cover his tracks. Does that sound like a possibility?

Not unless you have the vmware directory mounted within the guest OS. The VM cannot access filesystems on the host unless they are created as disks on the VM or network mounted.

--
Neil Bothwick

Those who live by the sword get shot by those who don't.
* Re: [gentoo-user] Did I just get hacked??? 2007-02-23 0:51 ` Neil Bothwick @ 2007-02-23 17:48 ` Andrey Gerasimenko 2007-02-23 18:47 ` Neil Bothwick 0 siblings, 1 reply; 20+ messages in thread
From: Andrey Gerasimenko @ 2007-02-23 17:48 UTC (permalink / raw)
To: gentoo-user

On Fri, 23 Feb 2007 03:51:20 +0300, Neil Bothwick <neil@digimed.co.uk> wrote:

> On Thu, 22 Feb 2007 15:34:45 -0800, Grant wrote:
>
>> It occurred to me this morning that a hacker could have gained access to my system via the vmware guest OS (XP) and then deleted the contents of vmware/ to cover his tracks. Does that sound like a possibility?
>
> Not unless you have the vmware directory mounted within the guest OS. The VM cannot access filesystems on the host unless they are created as disks on the VM or network mounted.
>

This is correct, but if the virtual machine is on the same network as the host, then it is possible to get the VM, then the host, and finally to delete the VM. Theoretically it is also possible to get to the host through the VmWare Tools, provided they are installed on the guest, but I have never heard of this being done.

--
Andrei Gerasimenko

--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Did I just get hacked??? 2007-02-23 17:48 ` Andrey Gerasimenko @ 2007-02-23 18:47 ` Neil Bothwick 0 siblings, 0 replies; 20+ messages in thread
From: Neil Bothwick @ 2007-02-23 18:47 UTC (permalink / raw)
To: gentoo-user

On Fri, 23 Feb 2007 20:48:59 +0300, Andrey Gerasimenko wrote:

> > Not unless you have the vmware directory mounted within the guest OS. The VM cannot access filesystems on the host unless they are created as disks on the VM or network mounted.
>
> This is correct, but if the virtual machine is on the same network as the host, then it is posible to get the VM, than the host, and finally to delete the VM.

True, but then you'd need to crack SSH or use some other method to get a login on the host machine. If you're going to all that trouble, I think you'd do more than delete the guest OS files.

--
Neil Bothwick

If you think that you can truncate my sig to 75 chars, then you can just fu