public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Did I just get hacked???
@ 2007-02-11  2:27 Grant
  2007-02-11  3:06 ` Jerry McBride
  2007-02-11  3:38 ` Albert Hopkins
  0 siblings, 2 replies; 20+ messages in thread
From: Grant @ 2007-02-11  2:27 UTC (permalink / raw
  To: Gentoo mailing list

The contents of my /home/grant/vmware folder have suddenly
disappeared.  I haven't noticed anything else strange yet.  I did
configure and start shorewall for the first time yesterday instead of
using a few iptables commands from the Gentoo Home Router Guide.  I'm
also running PenguinTV (a video RSS aggregator with an ebuild in
bugs.gentoo.org) and transmission (a bittorrent client in portage) for
the first time.  My shorewall config is here:

http://archives.gentoo.org/gentoo-user/msg_108375.xml

What should I do next?

- Grant
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Did I just get hacked???
  2007-02-11  2:27 [gentoo-user] Did I just get hacked??? Grant
@ 2007-02-11  3:06 ` Jerry McBride
  2007-02-11  4:11   ` Grant
  2007-02-11  3:38 ` Albert Hopkins
  1 sibling, 1 reply; 20+ messages in thread
From: Jerry McBride @ 2007-02-11  3:06 UTC (permalink / raw
  To: gentoo-user

On Saturday 10 February 2007 09:27:10 pm Grant wrote:
> The contents of my /home/grant/vmware folder have suddenly
> disappeared.  I haven't noticed anything else strange yet.  I did
> configure and start shorewall for the first time yesterday instead of
> using a few iptables commands from the Gentoo Home Router Guide.  I'm
> also running PenguinTV (a video RSS aggregator with an ebuild in
> bugs.gentoo.org) and transmission (a bittorrent client in portage) for
> the first time.  My shorewall config is here:
>
> http://archives.gentoo.org/gentoo-user/msg_108375.xml
>
> What should I do next?
>
> - Grant

1 - if you aren't sure, then take it off the net until you are sure.
2 - view the log files in /var/log
3 - look at the contents and the file dates... see anything "not right"?
4 - boot from a "rescue disk" of some merit and run chkrootkit or a similar tool.
5 - did/are you running any internet services? Look at their log files with a
magnifying glass for "any" discrepancy...

--

Jerry McBride
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread
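Jerry's steps 3 and 4 (file dates, then a scan from a rescue disk) can be partly automated. The script below is an added example, not something posted in this thread: it walks a tree and reports entries whose inode change time (ctime) falls inside a window, plus any setuid/setgid binaries. It sorts by ctime rather than mtime because `touch -t` and utime() can backdate mtime, but the kernel stamps ctime with the current clock on that very change, so a file whose mtime looks old but whose ctime is fresh was handled recently. Point it at the mounted root from the rescue environment; the skip list, the default two-day window and the usage line are assumptions, and it only sees what the kernel it runs under lets it see.

```python
"""Added example: quick 'what changed recently' triage for a suspect filesystem."""
import os
import stat
import time

# Pseudo-filesystems to skip when walking a live root (assumed mount points).
SKIP_PREFIXES = ("/proc", "/sys", "/dev")


def _walk(root, skip=SKIP_PREFIXES):
    """Yield (path, lstat) for everything under root, never following symlinks
    and never descending into the pseudo-filesystems listed in skip."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if any(dirpath == s or dirpath.startswith(s + "/") for s in skip):
            dirnames[:] = []          # prune the subtree
            continue
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except OSError:
                continue              # vanished or unreadable; move on


def recent_changes(root, since, skip=SKIP_PREFIXES):
    """Entries whose ctime is >= since (epoch seconds), newest first.

    ctime is the inode change time: chmod/chown/rename/write and even
    `touch -t` (which backdates mtime) all bump it to 'now', so it cannot
    be forged from userland the way mtime can."""
    hits = [(p, st.st_ctime, st.st_mtime) for p, st in _walk(root, skip)
            if st.st_ctime >= since]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def setuid_binaries(root, skip=SKIP_PREFIXES):
    """Regular files carrying the setuid or setgid bit; compare the list
    against what the package manager says should be there."""
    return sorted(p for p, st in _walk(root, skip)
                  if stat.S_ISREG(st.st_mode)
                  and st.st_mode & (stat.S_ISUID | stat.S_ISGID))


if __name__ == "__main__":
    import sys
    # usage: triage.py [ROOT] [DAYS]   (assumed invocation, run from a rescue disk)
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 2
    for path, ctime, mtime in recent_changes(root, time.time() - days * 86400):
        flag = "  (mtime older than ctime: backdated or metadata-only change)" \
            if mtime < ctime - 60 else ""
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(ctime)), path + flag)
    for path in setuid_binaries(root):
        print("setuid/setgid:", path)
```

The ctime-versus-mtime flag is a hint, not proof: a plain chmod produces the same pattern. The value is in getting a short, time-ordered list to read instead of the whole of /var/log and /usr at once.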

* Re: [gentoo-user] Did I just get hacked???
  2007-02-11  2:27 [gentoo-user] Did I just get hacked??? Grant
  2007-02-11  3:06 ` Jerry McBride
@ 2007-02-11  3:38 ` Albert Hopkins
  2007-02-11  4:06   ` Chris Nolan
  2007-02-22 23:34   ` [gentoo-user] " Grant
  1 sibling, 2 replies; 20+ messages in thread
From: Albert Hopkins @ 2007-02-11  3:38 UTC (permalink / raw
  To: gentoo-user

On Sat, 2007-02-10 at 18:27 -0800, Grant wrote:
> The contents of my /home/grant/vmware folder have suddenly
> disappeared.  I haven't noticed anything else strange yet.  I did
> configure and start shorewall for the first time yesterday instead of
> using a few iptables commands from the Gentoo Home Router Guide.  I'm
> also running PenguinTV (a video RSS aggregator with an ebuild in
> bugs.gentoo.org) and transmission (a bittorrent client in portage) 

So someone breaks into your box and the only thing they can think of to
do is remove your ~/vmware directory?



-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Did I just get hacked???
  2007-02-11  3:38 ` Albert Hopkins
@ 2007-02-11  4:06   ` Chris Nolan
  2007-02-11  4:29     ` [gentoo-user] " Grant Edwards
  2007-02-22 23:34   ` [gentoo-user] " Grant
  1 sibling, 1 reply; 20+ messages in thread
From: Chris Nolan @ 2007-02-11  4:06 UTC (permalink / raw
  To: gentoo-user

A long time ago when a LAMP box of mine got hacked, they installed a
program in /tmp/<random characters> that would connect to IRC
servers.  Basically they made my box a bot.  The way I found it was I
saw outgoing IRC connections when I was in netstat looking for
something else.

They got me through an exploit in awstats, which I no longer run.
The only way I was sure that I got rid of the hack was I wiped and
reloaded the machine from scratch.

Long and short of it is: check for odd processes as well.
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Did I just get hacked???
  2007-02-11  3:06 ` Jerry McBride
@ 2007-02-11  4:11   ` Grant
  0 siblings, 0 replies; 20+ messages in thread
From: Grant @ 2007-02-11  4:11 UTC (permalink / raw
  To: gentoo-user

> > The contents of my /home/grant/vmware folder have suddenly
> > disappeared.  I haven't noticed anything else strange yet.  I did
> > configure and start shorewall for the first time yesterday instead of
> > using a few iptables commands from the Gentoo Home Router Guide.  I'm
> > also running PenguinTV (a video RSS aggregator with an ebuild in
> > bugs.gentoo.org) and transmission (a bittorrent client in portage) for
> > the first time.  My shorewall config is here:
> >
> > http://archives.gentoo.org/gentoo-user/msg_108375.xml
> >
> > What should I do next?
> >
> > - Grant
>
> 1 - if you aren't sure, then take it off the net until you are sure.
> 2 - view the log files in /var/log
> 3 - look at the contents and the file dates... see anything "not right"?

I haven't spent much time in /var/log before unless I was looking for
something specific so it all looks pretty foreign as I look over it
now.  What type of things should I be looking for?

> 4 - boot from a "rescue disk" of some merit and run chkrootkit or a similar tool.

Here is the output of chkrootkit.  It looks fine to me but there is
some stuff at and near the end that I don't understand.

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... ath0: PF_PACKET(/sbin/wpa_supplicant)
vmnet8: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         4450 tty7   /usr/bin/X :0 -audit 0 -auth /var/gdm/:0.Xauth vt7
chkutmp: nothing deleted

> 5 - did/are you running any internet services? Look at their log files with a
> magnifying glass for "any" discrepancy...

I am running bittorrent on the affected machine as of yesterday with
tcp and udp ports 6881:6999 forwarded to that machine from the
firewall/router via shorewall.  Here is the shorewall config.

/etc/shorewall/zones:

fw     firewall
net     ipv4
loc     ipv4

/etc/shorewall/interfaces:

net     eth0     detect     tcpflags,routefilter,nosmurfs,logmartians
loc     ath0     detect     tcpflags,detectnets,nosmurfs

/etc/shorewall/policy:

loc     net     ACCEPT
loc     $FW     ACCEPT
loc     all     REJECT     info
$FW     net     REJECT     info
$FW     loc     REJECT     info
$FW     all     REJECT     info
net     $FW     DROP     info
net     loc     DROP     info
net     all     DROP     info
all     all     REJECT     info

/etc/shorewall/rules:

DNS/ACCEPT     $FW     net
Ping/REJECT     net     $FW
ACCEPT     $FW     loc     icmp
ACCEPT     $FW     net     icmp
DNAT     net     loc:192.168.0.3     tcp     6881:6999
DNAT     net     loc:192.168.0.3     udp     6881:6999

/etc/shorewall/masq:

eth0     ath0

/etc/shorewall/routestopped:

ath0     -

Please let me know if you have any further advice.  I'm completely
puzzled as to what happened to the contents of ~/vmware.

- Grant
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread

* [gentoo-user]  Re: Did I just get hacked???
  2007-02-11  4:06   ` Chris Nolan
@ 2007-02-11  4:29     ` Grant Edwards
  2007-02-11 21:16       ` James
  0 siblings, 1 reply; 20+ messages in thread
From: Grant Edwards @ 2007-02-11  4:29 UTC (permalink / raw
  To: gentoo-user

On 2007-02-11, Chris Nolan <lostpkts@gmail.com> wrote:
> A long time ago when a LAMP box of mine got hacked, they installed a
> program in /tmp/<random characters> that would connect to IRC
> servers.  Basically they made my box a bot.  The way I found it was I
> saw outgoing IRC connections when I was in netstat looking for
> something else.
>
> They got me through an exploit in awstats, which I no longer run.
> The only way I was sure that I got rid of the hack was I wiped and
> reloaded the machine from scratch.
>
> Long and short of it is: check for odd processes as well.

A good rootkit will install a "ps" that won't show the 'bot
processes.  The one time a machine of mine got hacked, netstat
still worked, but I don't know why a hacked netstat couldn't be
installed as well.

Looking through /proc/<pid> is probably still reliable.

-- 
Grant Edwards                   grante             Yow!  I am deeply CONCERNED
                                  at               and I want something GOOD
                               visi.com            for BREAKFAST!

-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread
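To act on Grant Edwards' point, here is an added example (not code from this thread) that does two things: it compares the PIDs `ps` reports with a raw listing of /proc, and it probes PID numbers directly with kill(pid, 0), which asks the kernel whether a process exists rather than reading a directory that a trojaned ls or ps, or an LD_PRELOAD hook, could filter. Thread IDs also answer kill(2), so each hit is mapped to its thread-group leader through /proc/<pid>/status before comparing. Assumed: a Linux /proc and a procps-style `ps -eo pid=`. A kernel-level rootkit that intercepts the syscalls can lie to all three views at once, so a clean result here only rules out the userland variety.

```python
"""Added example: find processes hidden from ps or from a /proc listing."""
import os
import subprocess

PROC = "/proc"


def pids_from_readdir(proc=PROC):
    """PIDs as a directory listing of /proc reports them; this is what ps,
    top and friends ultimately rely on, and what a userland rootkit filters."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def pids_from_ps():
    """PIDs as the (possibly trojaned) ps binary reports them."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def tgid(pid, proc=PROC):
    """Thread-group id from /proc/<pid>/status, or None if unreadable.
    /proc/<tid> exists for threads even though readdir never lists them."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        return None
    return None


def probe_pids(lo, hi, proc=PROC):
    """Brute-force PIDs in [lo, hi] with kill(pid, 0) instead of trusting
    readdir.  PermissionError means 'exists, not ours'; only
    ProcessLookupError means 'no such process'.  Hits are mapped to their
    thread-group leader so threads do not show up as phantom processes."""
    found = set()
    for pid in range(lo, hi + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        leader = tgid(pid, proc)
        found.add(leader if leader is not None else pid)
    return found


def hidden_pids(visible, probed):
    """PIDs the kernel admits exist (probed) but the listing omits (visible)."""
    return probed - visible


if __name__ == "__main__":
    before = pids_from_readdir()
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())      # can be 4194304 on modern kernels; takes a while
    except OSError:
        pid_max = 32768
    probed = probe_pids(1, pid_max)
    after = pids_from_readdir()           # second listing discounts processes that just exited
    for pid in sorted(hidden_pids(before | after, probed)):
        print("exists but hidden from /proc listing:", pid)
    try:
        for pid in sorted(hidden_pids(pids_from_ps(), after)):
            print("in /proc but not shown by ps:", pid)
    except (OSError, subprocess.CalledProcessError):
        print("ps not available")
```

Anything the probe reports that neither listing shows deserves a look at /proc/<pid>/exe, cmdline and fd/ before it gets a chance to exit. The ps-versus-/proc diff is the cheaper check and catches the classic replaced-binary kits like the ones chkrootkit looks for.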

* [gentoo-user]  Re: Did I just get hacked???
  2007-02-11  4:29     ` [gentoo-user] " Grant Edwards
@ 2007-02-11 21:16       ` James
  2007-02-12  0:31         ` Grant
  2007-02-12  3:58         ` Grant
  0 siblings, 2 replies; 20+ messages in thread
From: James @ 2007-02-11 21:16 UTC (permalink / raw
  To: gentoo-user

Grant Edwards <grante <at> visi.com> writes:



> A good rootkit will install a "ps" that won't show the 'bot
> processes.  The one time a machine of mine got hacked, netstat
> still worked, but I don't know why a hacked netstat couldn't be
> installed as well.

> Looking through /proc/<pid> is probably still reliable.


Hello Grant,

I keep an old portable around, running wireshark and a flat hub.
You can set your ethernet address to 0.0.0.0 and fire up wireshark.

You can then sniff any (ethernet) segment of your network for
nefarious traffic or mal-configured network applications.

hth,

James




-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Re: Did I just get hacked???
  2007-02-11 21:16       ` James
@ 2007-02-12  0:31         ` Grant
  2007-02-12  6:02           ` Paul Sebastian Ziegler
  2007-02-12  3:58         ` Grant
  1 sibling, 1 reply; 20+ messages in thread
From: Grant @ 2007-02-12  0:31 UTC (permalink / raw
  To: gentoo-user

> > A good rootkit will install a "ps" that won't show the 'bot
> > processes.  The one time a machine of mine got hacked, netstat
> > still worked, but I don't know why a hacked netstat couldn't be
> > installed as well.
>
> > Looking through /proc/<pid> is probably still reliable.
>
>
> Hello Grant,
>
> I keep an old portable around, running wireshark and a flat hub.
> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>
> You can then sniff any (ethernet) segment of your network for
> nefarious traffic or mal-configured network applications.

Ok, it sounds like the key to figuring this out is watching the
outgoing network traffic for weird stuff.  eth0 is on the WAN and
wireless ath0 is on the local subnet.  How would you monitor the
outgoing traffic considering my setup?

- Grant

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Re: Did I just get hacked???
  2007-02-11 21:16       ` James
  2007-02-12  0:31         ` Grant
@ 2007-02-12  3:58         ` Grant
  2007-02-12 15:32           ` Dan Farrell
  1 sibling, 1 reply; 20+ messages in thread
From: Grant @ 2007-02-12  3:58 UTC (permalink / raw
  To: gentoo-user

> > A good rootkit will install a "ps" that won't show the 'bot
> > processes.  The one time a machine of mine got hacked, netstat
> > still worked, but I don't know why a hacked netstat couldn't be
> > installed as well.
>
> > Looking through /proc/<pid> is probably still reliable.
>
>
> Hello Grant,
>
> I keep an old portable around, running wireshark and a flat hub.
> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>
> You can then sniff any (ethernet) segment of your network for
> nefarious traffic or mal-configured network applications.
>
> hth,
>
> James

I can see in an xfce4 panel plugin that there is constantly a small
amount of incoming/outgoing traffic to/from the affected system when
there is no reason I know of for it.  netstat doesn't show anything
that jumps out at me although this is the first time I've really used
it.  All of the current netstat connections appear to be UNIX as
opposed to Internet.  Should I paste them in?

- Grant

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Re: Did I just get hacked???
  2007-02-12  0:31         ` Grant
@ 2007-02-12  6:02           ` Paul Sebastian Ziegler
  2007-02-12 13:30             ` Shawn Singh
  0 siblings, 1 reply; 20+ messages in thread
From: Paul Sebastian Ziegler @ 2007-02-12  6:02 UTC (permalink / raw
  To: gentoo-user

Hi Grant,

personally (but this is by far only ONE possible setup for your task)
I'd advise you to connect eth0 to wan through a box set up as a bridge
(try brctl). If that box has a good wireless card and good drivers (this
mostly means "if that box isn't running Windows") you can also put that
wireless card into promiscuous mode, lock it to your channel and ssid and
feed wireshark your WEP-Key or WPA-PSK for decryption.
If not, then you'll have to use a second box for the wireless sniffing.

BTW, current rootkits won't just replace ps or some other tools. Good
rootkits do not run in userspace; they run in kernelspace. They directly
intercept the function calls. Just another thing to keep in mind while
trying to scan for them.

hth
Paul

Grant schrieb:
>> > A good rootkit will install a "ps" that won't show the 'bot
>> > processes.  The one time a machine of mine got hacked, netstat
>> > still worked, but I don't know why a hacked netstat couldn't be
>> > installed as well.
>>
>> > Looking through /proc/<pid> is probably still reliable.
>>
>>
>> Hello Grant,
>>
>> I keep an old portable around, running wireshark and a flat hub.
>> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>>
>> You can then sniff any (ethernet) segment of your network for
>> nefarious traffic or mal-configured network applications.
> 
> Ok, it sounds like the key to figuring this out is watching the
> outgoing network traffic for weird stuff.  eth0 is on the WAN and
> wireless ath0 is on the local subnet.  How would you monitor the
> outgoing traffic considering my setup?
> 
> - Grant

-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Re: Did I just get hacked???
  2007-02-12  6:02           ` Paul Sebastian Ziegler
@ 2007-02-12 13:30             ` Shawn Singh
  2007-02-12 13:35               ` Shawn Singh
  0 siblings, 1 reply; 20+ messages in thread
From: Shawn Singh @ 2007-02-12 13:30 UTC (permalink / raw
  To: gentoo-user


Grant,

Maybe going forward (if you're not doing so already), one tool I've found to
be useful in the past was AIDE. While it certainly won't prevent a break-in,
it can certainly be useful when trying to find out what changed on your
system.

Later,

Shawn

On 2/12/07, Paul Sebastian Ziegler <psz@observed.de> wrote:
>
> Hi Grant,
>
> personally (but this is by far only ONE possible setup for your task)
> I'd advise you to connect eth0 to wan through a box set up as a bridge
> (try brctl). If that box has a good wireless card and good drivers (this
> mostly means "if that box isn't running Windows") you can also put that
> wireless card into promiscuous mode, lock it to your channel and ssid and
> feed wireshark your WEP-Key or WPA-PSK for decryption.
> If not, then you'll have to use a second box for the wireless sniffing.
>
> BTW. current rootkits won't just replace ps or some other tools. Good
> rootkits do not run in userspace; they run in kernelspace. They directly
> intercept the function-calls. Just another thing to keep in mind while
> trying to scan for them.
>
> hth
> Paul
>
> Grant schrieb:
> >> > A good rootkit will install a "ps" that won't show the 'bot
> >> > processes.  The one time a machine of mine got hacked, netstat
> >> > still worked, but I don't know why a hacked netstat couldn't be
> >> > installed as well.
> >>
> >> > Looking through /proc/<pid> is probably still reliable.
> >>
> >>
> >> Hello Grant,
> >>
> >> I keep an old portable around, running wireshark and a flat hub.
> >> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> >>
> >> You can then sniff any (ethernet) segment of your network for
> >> nefarious traffic or mal-configured network applications.
> >
> > Ok, it sounds like the key to figuring this out is watching the
> > outgoing network traffic for weird stuff.  eth0 is on the WAN and
> > wireless ath0 is on the local subnet.  How would you monitor the
> > outgoing traffic considering my setup?
> >
> > - Grant
>
> --
> gentoo-user@gentoo.org mailing list
>
>


-- 
"Doing linear scans over an associative array is like trying to club someone
to death with a loaded Uzi."
Larry Wall


^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Re: Did I just get hacked???
  2007-02-12 13:30             ` Shawn Singh
@ 2007-02-12 13:35               ` Shawn Singh
  0 siblings, 0 replies; 20+ messages in thread
From: Shawn Singh @ 2007-02-12 13:35 UTC (permalink / raw
  To: gentoo-user


Grant,

I figured I should add this note. I'm recommending AIDE as something if you
get to the point where you feel like you've been hacked, you've done your
post-mortem, and are ready to rebuild, upon your rebuild AIDE might prove to
be handy in the future. It'd probably be useless on a system that has
already been compromised.

Later,

Shawn

On 2/12/07, Shawn Singh <callmeshawn@gmail.com> wrote:
>
> Grant,
>
> Maybe going forward (if you're not doing so already), one tool I've found
> to be useful in the past was AIDE. While it certainly won't prevent a
> break-in, it can certainly be useful when trying to find out what changed on
> your system.
>
> Later,
>
> Shawn
>
> On 2/12/07, Paul Sebastian Ziegler <psz@observed.de> wrote:
> >
> > Hi Grant,
> >
> > personally (but this is by far only ONE possible setup for your task)
> > I'd advise you to connect eth0 to wan through a box set up as a bridge
> > (try brctl). If that box has a good wireless card and good drivers (this
> >
> > mostly means "if that box isn't running Windows") you can also put that
> > wireless card into promiscuous mode, lock it to your channel and ssid and
> > feed wireshark your WEP-Key or WPA-PSK for decryption.
> > If not, then you'll have to use a second box for the wireless sniffing.
> >
> > BTW. current rootkits won't just replace ps or some other tools. Good
> > rootkits do not run in userspace; they run in kernelspace. They directly
> >
> > intercept the function-calls. Just another thing to keep in mind while
> > trying to scan for them.
> >
> > hth
> > Paul
> >
> > Grant schrieb:
> > >> > A good rootkit will install a "ps" that won't show the 'bot
> > >> > processes.  The one time a machine of mine got hacked, netstat
> > >> > still worked, but I don't know why a hacked netstat couldn't be
> > >> > installed as well.
> > >>
> > >> > Looking through /proc/<pid> is probably still reliable.
> > >>
> > >>
> > >> Hello Grant,
> > >>
> > >> I keep an old portable around, running wireshark and a flat hub.
> > >> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> > >>
> > >> You can then sniff any (ethernet) segment of your network for
> > >> nefarious traffic or mal-configured network applications.
> > >
> > > Ok, it sounds like the key to figuring this out is watching the
> > > outgoing network traffic for weird stuff.  eth0 is on the WAN and
> > > wireless ath0 is on the local subnet.  How would you monitor the
> > > outgoing traffic considering my setup?
> > >
> > > - Grant
> >
> > --
> > gentoo-user@gentoo.org mailing list
> >
> >
>
>
> --
> "Doing linear scans over an associative array is like trying to club
> someone to death with a loaded Uzi."
> Larry Wall




-- 
"Doing linear scans over an associative array is like trying to club someone
to death with a loaded Uzi."
Larry Wall


^ permalink raw reply	[flat|nested] 20+ messages in thread
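Shawn's point about AIDE, reduced to its two moving parts: hash every file on a known-good system, keep that database somewhere the box itself cannot rewrite (read-only media, another host), and later diff the live tree against it. The script below is an added illustration of that idea, not AIDE's code or its database format: it records size, mode, owner, mtime and a SHA-256 per file into a JSON baseline and reports added, removed and changed entries. The tree root, the baseline path and the `init`/`check` usage are assumptions. It shares the limitation Shawn describes: a baseline taken after the compromise only shows what changed since the compromise, so it belongs in the rebuild, not the post-mortem.

```python
"""Added example: a minimal AIDE-style file integrity baseline and check."""
import hashlib
import json
import os
import stat


def _fingerprint(path):
    """Metadata plus content hash for one regular file or symlink."""
    st = os.lstat(path)
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISLNK(st.st_mode):
        # For a symlink the 'content' is its target.
        rec["sha256"] = hashlib.sha256(os.readlink(path).encode()).hexdigest()
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root):
    """{path relative to root: fingerprint} for every file/symlink under root."""
    base = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                base[os.path.relpath(full, root)] = _fingerprint(full)
            except OSError:
                continue              # unreadable; AIDE would log this
    return base


def save_baseline(base, path):
    """Write the baseline; in real use this goes to read-only or off-box storage."""
    with open(path, "w") as fh:
        json.dump(base, fh, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(old, new):
    """Return {'added': set, 'removed': set, 'changed': {path: [fields]}}."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    changed = {}
    for p in set(old) & set(new):
        diff = [k for k in old[p] if old[p][k] != new[p].get(k)]
        if diff:
            changed[p] = diff
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    import sys
    # usage: integrity.py init ROOT DB   |   integrity.py check ROOT DB
    cmd, root, db = sys.argv[1:4]
    if cmd == "init":
        save_baseline(build_baseline(root), db)
    else:
        report = compare(load_baseline(db), build_baseline(root))
        for kind in ("added", "removed"):
            for p in sorted(report[kind]):
                print(f"{kind}: {p}")
        for p, fields in sorted(report["changed"].items()):
            print(f"changed: {p} ({', '.join(fields)})")
```

Run `check` from a clean boot (rescue disk with the root mounted) if you can: a kernel-level rootkit can hand a different file to the checker than to the loader, which is the same caveat Paul raises for process listings.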

* Re: [gentoo-user] Re: Did I just get hacked???
  2007-02-12  3:58         ` Grant
@ 2007-02-12 15:32           ` Dan Farrell
  2007-02-12 16:33             ` Willie Wong
  2007-02-12 18:05             ` Grant
  0 siblings, 2 replies; 20+ messages in thread
From: Dan Farrell @ 2007-02-12 15:32 UTC (permalink / raw
  To: gentoo-user

On Sun, 11 Feb 2007 19:58:49 -0800
Grant <emailgrant@gmail.com> wrote:

> > > A good rootkit will install a "ps" that won't show the 'bot
> > > processes.  The one time a machine of mine got hacked, netstat
> > > still worked, but I don't know why a hacked netstat couldn't be
> > > installed as well.
> >
> > > Looking through /proc/<pid> is probably still reliable.
> >
> >
> > Hello Grant,
> >
> > I keep an old portable around, running wireshark and a flat hub.
> > You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> >
> > You can then sniff any (ethernet) segment of your network for
> > nefarious traffic or mal-configured network applications.
> >
> > hth,
> >
> > James
> 
> I can see in an xfce4 panel plugin that there is constantly a small
> amount of incoming/outgoing traffic to/from the affected system when
> there is no reason I know of for it.  netstat doesn't show anything
> that jumps out at me although this is the first time I've really used
> it.  All of the current netstat connections appear to be UNIX as
> opposed to Internet.  Should I paste them in?
> 
> - Grant
Nope, they're all local socket connections.  What kind of traffic are
you seeing, I mean how much?  Ever heard of tcpdump?
--
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Re: Did I just get hacked???
  2007-02-12 15:32           ` Dan Farrell
@ 2007-02-12 16:33             ` Willie Wong
  2007-02-12 18:05             ` Grant
  1 sibling, 0 replies; 20+ messages in thread
From: Willie Wong @ 2007-02-12 16:33 UTC (permalink / raw
  To: gentoo-user

On Mon, Feb 12, 2007 at 09:32:47AM -0600, Penguin Lover Dan Farrell squawked:
> > I can see in an xfce4 panel plugin that there is constantly a small
> > amount of incoming/outgoing traffic to/from the affected system when
> > there is no reason I know of for it.  netstat doesn't show anything
> > that jumps out at me although this is the first time I've really used
> > it.  All of the current netstat connections appear to be UNIX as
> > opposed to Internet.  Should I paste them in?
> > 
> > - Grant
> nope, they're all local socket connections.  What kind of traffic are
> you seeing, i mean how much?  Ever heard of tcpdump?  

Also, what about netstat --ip? That should omit the local sockets.

W

-- 
Pintsize: Nooooooo! I'm lactose intolerant!
Sortir en Pantoufles: up 66 days, 14:50
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 20+ messages in thread
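Willie's `netstat --ip` view and the outgoing IRC connections Chris spotted both come down to the kernel's socket table, which netstat reads from /proc/net/tcp. If the worry is that the netstat binary itself has been replaced, read that file directly. The parser below is an added example, not code from this thread: it decodes the hex address and port columns, drops listeners and loopback the way `--ip` does, maps socket inodes back to PIDs through /proc/*/fd (which is how `netstat -p` does it), and flags remote ports in the usual IRC range. The sample table is constructed to look like Grant's setup (transmission listening on 6881, a made-up established connection to 1.2.3.4:6667); the IRC port list and the sample data are assumptions, the column layout is the documented one.

```python
"""Added example: read TCP connections straight from /proc/net/tcp."""
import os
import socket
import struct
from collections import namedtuple

Conn = namedtuple("Conn", "local lport remote rport state uid inode")

# Values of the 'st' column (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Ports an IRC bot would typically dial out to (assumed watch-list).
IRC_PORTS = set(range(6660, 6670)) | {7000}


def _addr(hexpair):
    """'0100007F:0277' -> ('127.0.0.1', 631).  IPv4 is stored as a
    little-endian 32-bit word, the port as a big-endian 16-bit value."""
    host, port = hexpair.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(host, 16)))
    return ip, int(port, 16)


def parse_proc_net_tcp(text):
    """Parse the contents of /proc/net/tcp (header line included)."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "sl":
            continue
        local, lport = _addr(f[1])
        remote, rport = _addr(f[2])
        conns.append(Conn(local, lport, remote, rport,
                          TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return conns


def inet_connections(conns):
    """Roughly what `netstat --ip` shows, minus listeners and loopback."""
    return [c for c in conns
            if c.state != "LISTEN" and not c.remote.startswith("127.")]


def suspicious(conns, ports=IRC_PORTS):
    """Connections whose remote port is on the watch-list."""
    return [c for c in inet_connections(conns) if c.rport in ports]


def inode_to_pid(proc="/proc"):
    """Map socket inode -> pid by reading /proc/*/fd symlinks (root needed
    to see other users' processes); netstat -p does exactly this."""
    table = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = f"{proc}/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                link = os.readlink(f"{fd_dir}/{fd}")
                if link.startswith("socket:["):
                    table[int(link[8:-1])] = int(pid)
        except OSError:
            continue
    return table


# Constructed sample, not captured from Grant's machine.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0300A8C0:1AE1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 18321 1 00000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 00000000 100 0 0 10 0
   2: 0300A8C0:B26E 04030201:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 22910 1 00000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = parse_proc_net_tcp(fh.read())
    owners = inode_to_pid()
    for c in inet_connections(live):
        mark = "  <-- IRC port" if c.rport in IRC_PORTS else ""
        print(f"{c.local}:{c.lport} -> {c.remote}:{c.rport} {c.state} "
              f"uid={c.uid} pid={owners.get(c.inode, '?')}{mark}")
```

A steady trickle of traffic with an empty table here points away from a TCP bot and towards UDP (bittorrent's DHT, for one) or link-layer chatter, so /proc/net/udp is the next file to read; the same decoder works on it.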

* Re: [gentoo-user] Re: Did I just get hacked???
  2007-02-12 15:32           ` Dan Farrell
  2007-02-12 16:33             ` Willie Wong
@ 2007-02-12 18:05             ` Grant
  2007-02-13  8:07               ` nicolas.cornu
  1 sibling, 1 reply; 20+ messages in thread
From: Grant @ 2007-02-12 18:05 UTC (permalink / raw
  To: gentoo-user

> > > > A good rootkit will install a "ps" that won't show the 'bot
> > > > processes.  The one time a machine of mine got hacked, netstat
> > > > still worked, but I don't know why a hacked netstat couldn't be
> > > > installed as well.
> > >
> > > > Looking through /proc/<pid> is probably still reliable.
> > >
> > >
> > > Hello Grant,
> > >
> > > I keep an old portable around, running wireshark and a flat hub.
> > > You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> > >
> > > You can then sniff any (ethernet) segment of your network for
> > > nefarious traffic or mal-configured network applications.
> > >
> > > hth,
> > >
> > > James
> >
> > I can see in an xfce4 panel plugin that there is constantly a small
> > amount of incoming/outgoing traffic to/from the affected system when
> > there is no reason I know of for it.  netstat doesn't show anything
> > that jumps out at me although this is the first time I've really used
> > it.  All of the current netstat connections appear to be UNIX as
> > opposed to Internet.  Should I paste them in?
> >
> > - Grant
> nope, they're all local socket connections.  What kind of traffic are
> you seeing, i mean how much?  Ever heard of tcpdump?

I just did a fresh reboot and as soon as xfce4 was loaded I was seeing
between .2kbps and .6kbps incoming and outgoing traffic constantly in
the xfce4 panel plugin which uses /proc/net/dev.  I then changed the
WPA wireless password on the router so the machine couldn't connect
and the panel plugin started reporting small bursts of
incoming/outgoing traffic instead of the constant stream.  I then
updated the machine's password to match the router's new password and
the steady stream returned.

netstat --ip reports absolutely no connections during all of this.

Should I emerge tcpdump and run that?

- Grant

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [gentoo-user] Re: Did I just get hacked???
  2007-02-12 18:05             ` Grant
@ 2007-02-13  8:07               ` nicolas.cornu
  0 siblings, 0 replies; 20+ messages in thread
From: nicolas.cornu @ 2007-02-13  8:07 UTC (permalink / raw
  To: gentoo-user

Grant wrote:

>> > > > A good rootkit will install a "ps" that won't show the 'bot
>> > > > processes. The one time a machine of mine got hacked, netstat
>> > > > still worked, but I don't know why a hacked netstat couldn't be
>> > > > installed as well.
>> > >
>> > > > Looking through /proc/<pid> is probably still reliable.
>> > >
>> > >
>> > > Hello Grant,
>> > >
>> > > I keep an old portable around, running wireshark and a flat hub.
>> > > You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>> > >
>> > > You can then sniff any (ethernet) segment of your network for
>> > > nefarious traffic or mal-configured network applications.
>> > >
>> > > hth,
>> > >
>> > > James
>> >
>> > I can see in an xfce4 panel plugin that there is constantly a small
>> > amount of incoming/outgoing traffic to/from the affected system when
>> > there is no reason I know of for it. netstat doesn't show anything
>> > that jumps out at me although this is the first time I've really used
>> > it. All of the current netstat connections appear to be UNIX as
>> > opposed to Internet. Should I paste them in?
>> >
>> > - Grant
>> nope, they're all local socket connections. What kind of traffic are
>> you seeing, i mean how much? Ever heard of tcpdump?
>
>
> I just did a fresh reboot and as soon as xfce4 was loaded I was seeing
> between .2kbps and .6kbps incoming and outgoing traffic constantly in
> the xfce4 panel plugin which uses /proc/net/dev. I then changed the
> WPA wireless password on the router so the machine couldn't connect
> and the panel plugin started reporting small bursts of
> incoming/outgoing traffic instead of the constant stream. I then
> updated the machine's password to match the router's new password and
> the steady stream returned.
>
> netstat --ip reports absolutely no connections during all of this.
>
> Should I emerge tcpdump and run that?
>
> - Grant

Hi,

You could try wireshark, which is almost the same thing as tcpdump but
graphical. It will help you analyze the packets going through your
interface.


-- 
gentoo-user@gentoo.org mailing list



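The thread above turns on two points: a rootkit's replacement ps or netstat hides what it wants hidden, while /proc/<pid> is harder to fake; and the xfce4 panel plugin reads /proc/net/dev, which counts every frame the interface passes up (ARP, broadcast and multicast included), so it can show steady traffic that never corresponds to an entry in the socket table netstat --ip prints. The script below is an added example, not code from the thread or from any of the tools it mentions. It reads socket state straight from /proc/net/tcp and /proc/net/udp, maps each socket to its owning PID through /proc/<pid>/fd, and lists PIDs that exist in /proc but are missing from ps output. The /proc/net/tcp sample, the inode and PID numbers and the 203.0.113.7 address are constructed; the field layout and state codes are the kernel's own.

```python
#!/usr/bin/env python3
"""Read socket and process state straight from /proc, bypassing netstat and ps.

A rootkit that replaces netstat/ps hides from those tools; hiding from direct
reads of /proc/net/tcp, /proc/net/udp and /proc/<pid>/fd takes a kernel-level
rootkit.  Run as root so every process's fd table is readable.
"""
import os
import re
import socket
import struct

# /proc/net/tcp state codes (include/net/tcp_states.h in the kernel tree)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from the poster's machine):
# a root-owned listener on port 22 and a uid-1000 connection out to port 6667.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8F2A 077100CB:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr):
    """'077100CB:1A0B' -> ('203.0.113.7', 6667).

    /proc/net/tcp prints the IPv4 address as a 32-bit integer in host byte
    order, so on x86 (little-endian) the four bytes appear reversed.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net(text, proto="tcp"):
    """Parse the text of /proc/net/tcp or /proc/net/udp into socket records."""
    socks = []
    for line in text.splitlines()[1:]:  # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        socks.append({
            "proto": proto,
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]) if proto == "tcp" else "UDP",
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return socks


def list_proc_pids(proc_root="/proc"):
    """Every numeric directory under /proc: the kernel's own process list."""
    return sorted(int(p) for p in os.listdir(proc_root) if p.isdigit())


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps output; a trojaned ps hides exactly these."""
    return sorted(set(proc_pids) - set(ps_pids))


def socket_owners(proc_root="/proc"):
    """Map socket inode -> PIDs holding it, by reading the /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in list_proc_pids(proc_root):
        fd_dir = os.path.join(proc_root, str(pid), "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # not root, or the process exited meanwhile
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.match(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners


def report(socks, owners):
    """One line per socket, with the owning PID(s) where /proc lets us see them."""
    lines = []
    for s in socks:
        pids = owners.get(s["inode"], [])
        lines.append("%s %s:%d -> %s:%d %s uid=%d pids=%s" % (
            s["proto"], s["local"][0], s["local"][1], s["remote"][0], s["remote"][1],
            s["state"], s["uid"], ",".join(map(str, pids)) or "?"))
    return lines


if __name__ == "__main__":
    if os.path.exists("/proc/net/tcp"):
        import subprocess
        socks = []
        for proto in ("tcp", "udp"):
            with open("/proc/net/%s" % proto) as fh:
                socks += parse_proc_net(fh.read(), proto)
        owners = socket_owners()
        ps_pids = [int(x) for x in subprocess.check_output(["ps", "-eo", "pid="]).split()]
        print("in /proc but not in ps:", hidden_pids(list_proc_pids(), ps_pids))
    else:  # not Linux: demonstrate on the constructed sample
        socks, owners = parse_proc_net(SAMPLE_TCP), {23456: [4242]}
    print("\n".join(report(socks, owners)))
```

Anything this prints that netstat does not is worth a packet capture; anything /proc/net/dev counts that neither shows is link-layer or broadcast traffic, which tcpdump on the interface will attribute.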

* Re: [gentoo-user] Did I just get hacked???
  2007-02-11  3:38 ` Albert Hopkins
  2007-02-11  4:06   ` Chris Nolan
@ 2007-02-22 23:34   ` Grant
  2007-02-23  0:51     ` Neil Bothwick
  1 sibling, 1 reply; 20+ messages in thread
From: Grant @ 2007-02-22 23:34 UTC (permalink / raw
  To: gentoo-user

> > The contents of my /home/grant/vmware folder have suddenly
> > disappeared.  I haven't noticed anything else strange yet.  I did
> > configure and start shorewall for the first time yesterday instead of
> > using a few iptables commands from the Gentoo Home Router Guide.  I'm
> > also running PenguinTV (a video RSS aggregator with an ebuild in
> > bugs.gentoo.org) and transmission (a bittorrent client in portage)
>
> So someone breaks into your box and the only thing they can think of to
> do is remove your ~/vmware directory?

It occurred to me this morning that a hacker could have gained access
to my system via the vmware guest OS (XP) and then deleted the
contents of vmware/ to cover his tracks.  Does that sound like a
possibility?

- Grant
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] Did I just get hacked???
  2007-02-22 23:34   ` [gentoo-user] " Grant
@ 2007-02-23  0:51     ` Neil Bothwick
  2007-02-23 17:48       ` Andrey Gerasimenko
  0 siblings, 1 reply; 20+ messages in thread
From: Neil Bothwick @ 2007-02-23  0:51 UTC (permalink / raw
  To: gentoo-user


On Thu, 22 Feb 2007 15:34:45 -0800, Grant wrote:

> It occurred to me this morning that a hacker could have gained access
> to my system via the vmware guest OS (XP) and then deleted the
> contents of vmware/ to cover his tracks.  Does that sound like a
> possibility?

Not unless you have the vmware directory mounted within the guest OS. The
VM cannot access filesystems on the host unless they are created as disks
on the VM or network mounted.


-- 
Neil Bothwick

Those who live by the sword get shot by those who don't.



* Re: [gentoo-user] Did I just get hacked???
  2007-02-23  0:51     ` Neil Bothwick
@ 2007-02-23 17:48       ` Andrey Gerasimenko
  2007-02-23 18:47         ` Neil Bothwick
  0 siblings, 1 reply; 20+ messages in thread
From: Andrey Gerasimenko @ 2007-02-23 17:48 UTC (permalink / raw
  To: gentoo-user

On Fri, 23 Feb 2007 03:51:20 +0300, Neil Bothwick <neil@digimed.co.uk>  
wrote:

> On Thu, 22 Feb 2007 15:34:45 -0800, Grant wrote:
>
>> It occurred to me this morning that a hacker could have gained access
>> to my system via the vmware guest OS (XP) and then deleted the
>> contents of vmware/ to cover his tracks.  Does that sound like a
>> possibility?
>
> Not unless you have the vmware directory mounted within the guest OS. The
> VM cannot access filesystems on the host unless they are created as disks
> on the VM or network mounted.
>
>

This is correct, but if the virtual machine is on the same network as the
host, then it is possible to get the VM, then the host, and finally to
delete the VM.

Theoretically it is also possible to get to the host through the VMware
Tools, provided they are installed on the guest, but I have never heard of
this being done.

-- 
Andrei Gerasimenko
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] Did I just get hacked???
  2007-02-23 17:48       ` Andrey Gerasimenko
@ 2007-02-23 18:47         ` Neil Bothwick
  0 siblings, 0 replies; 20+ messages in thread
From: Neil Bothwick @ 2007-02-23 18:47 UTC (permalink / raw
  To: gentoo-user


On Fri, 23 Feb 2007 20:48:59 +0300, Andrey Gerasimenko wrote:

> > Not unless you have the vmware directory mounted within the guest OS.
> > The VM cannot access filesystems on the host unless they are created
> > as disks on the VM or network mounted.

> This is correct, but if the virtual machine is on the same network as
> the host, then it is possible to get the VM, then the host, and finally
> to delete the VM.

True, but then you'd need to crack SSH or use some other method to get a
login on the host machine. If you're going to all that trouble, I think
you'd do more than delete the guest OS files.


-- 
Neil Bothwick

If you think that you can truncate my sig to 75 chars, then you can just fu


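Neil's point that a guest only reaches host files it has explicitly been given, and Andrey's that VMware Tools and a bridged NIC are the other routes, both come down to what the VM's .vmx configuration enables. As an added example (not code from the thread or from VMware), the script below audits a .vmx for shared folders (HGFS), the isolation.tools.* keys that govern the Tools clipboard and drag-and-drop channels, and the NIC connection mode, then emits a hardened copy with those channels closed. The sample .vmx is constructed; the key names are the standard VMware ones, while the defaults assumed when a key is absent (channel enabled) are an assumption stated in the code.

```python
#!/usr/bin/env python3
"""Audit a VMware .vmx for paths from the guest back to the host.

A guest reaches the host's files only through something the .vmx grants it:
shared folders (HGFS), the VMware Tools clipboard / drag-and-drop channels,
or the network if the virtual NIC is bridged onto the host's LAN.
"""
import re

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# isolation.tools.* keys that cut the Tools-mediated channels to the host
ISOLATION = {
    "isolation.tools.hgfs.disable": "TRUE",   # shared folders
    "isolation.tools.copy.disable": "TRUE",   # guest -> host clipboard
    "isolation.tools.paste.disable": "TRUE",  # host -> guest clipboard
    "isolation.tools.dnd.disable": "TRUE",    # drag and drop
}

# Constructed sample (not the poster's real file): an XP guest on a bridged
# NIC, with the host's ~/vmware directory shared read/write into the guest.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "Windows XP Professional"
guestOS = "winxppro"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/home/grant/vmware"
sharedFolder0.guestName = "vmware"
isolation.tools.hgfs.disable = "FALSE"
"""


def parse_vmx(text):
    """key = "value" lines -> dict; keys lower-cased, as VMware matches them case-insensitively."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def truthy(value):
    return value.strip().lower() == "true"


def audit_vmx(cfg):
    """Summarise every guest-to-host channel the config enables."""
    folders, nics = [], []
    for key in sorted(cfg):
        m = re.fullmatch(r"sharedfolder(\d+)\.present", key)
        if m and truthy(cfg[key]):
            i = m.group(1)
            folders.append({
                "host_path": cfg.get("sharedfolder%s.hostpath" % i, ""),
                "guest_name": cfg.get("sharedfolder%s.guestname" % i, ""),
                "writable": truthy(cfg.get("sharedfolder%s.writeaccess" % i, "FALSE")),
            })
        m = re.fullmatch(r"(ethernet\d+)\.present", key)
        if m and truthy(cfg[key]):
            nic = m.group(1)
            nics.append((nic, cfg.get("%s.connectiontype" % nic, "unspecified").lower()))
    # Assumption: a missing isolation key means the channel is enabled.
    hgfs_enabled = not truthy(cfg.get("isolation.tools.hgfs.disable", "FALSE"))
    others = [k for k in ISOLATION if k != "isolation.tools.hgfs.disable"]
    isolated = all(truthy(cfg.get(k, "FALSE")) for k in others)
    return {
        "shared_folders": folders,
        "hgfs_enabled": hgfs_enabled,
        "clipboard_dnd_isolated": isolated,
        "nics": nics,
    }


def harden_vmx(text):
    """Return the .vmx text with shared folders removed and the isolation keys forced on."""
    kept = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        key = m.group(1).lower() if m else None
        if key and (key.startswith("sharedfolder") or key in ISOLATION):
            continue
        kept.append(line)
    kept.append('sharedFolder.maxNum = "0"')
    kept.extend('%s = "%s"' % kv for kv in ISOLATION.items())
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VMX
    before = audit_vmx(parse_vmx(text))
    for f in before["shared_folders"]:
        print("shared folder %s -> host %s (%s)" % (
            f["guest_name"], f["host_path"], "rw" if f["writable"] else "ro"))
    print("HGFS enabled: %s  clipboard/DnD isolated: %s  NICs: %s" % (
        before["hgfs_enabled"], before["clipboard_dnd_isolated"], before["nics"]))
    print("--- hardened ---")
    print(harden_vmx(text), end="")
```

Run it against the VM's own .vmx (the guest must be powered off before the hardened copy is written back). A writable shared folder pointing at the directory that vanished is the one finding that would make Grant's theory plausible; with no shared folders and HGFS disabled, the guest's only route to the host is the network, which is Andrey's scenario and needs a separate login on the host.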

Thread overview: 20+ messages
2007-02-11  2:27 [gentoo-user] Did I just get hacked??? Grant
2007-02-11  3:06 ` Jerry McBride
2007-02-11  4:11   ` Grant
2007-02-11  3:38 ` Albert Hopkins
2007-02-11  4:06   ` Chris Nolan
2007-02-11  4:29     ` [gentoo-user] " Grant Edwards
2007-02-11 21:16       ` James
2007-02-12  0:31         ` Grant
2007-02-12  6:02           ` Paul Sebastian Ziegler
2007-02-12 13:30             ` Shawn Singh
2007-02-12 13:35               ` Shawn Singh
2007-02-12  3:58         ` Grant
2007-02-12 15:32           ` Dan Farrell
2007-02-12 16:33             ` Willie Wong
2007-02-12 18:05             ` Grant
2007-02-13  8:07               ` nicolas.cornu
2007-02-22 23:34   ` [gentoo-user] " Grant
2007-02-23  0:51     ` Neil Bothwick
2007-02-23 17:48       ` Andrey Gerasimenko
2007-02-23 18:47         ` Neil Bothwick
