From: Paul Hartman <paul.hartman+gentoo@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Rooted/compromised Gentoo, seeking advice
Date: Mon, 9 Aug 2010 11:25:56 -0500 [thread overview]
Message-ID: <AANLkTikcKYS+pTQOesC_rmqVwjwN80PKqrTuv3TPAq_h@mail.gmail.com> (raw)
Hi, today when working remotely I ran nethogs and noticed suspicious
network traffic coming from my home gentoo box. It was very low
traffic (less than 1KB/sec bandwidth usage) but according to nethogs
it was between a root user process and various suspicious-looking
ports on outside hosts in other countries that I have no business
with. netstat didn't show anything, however, but when I ran chkrootkit
told me that netstat was INFECTED. I immediately issued "shutdown -h
now" and now I won't be able to take a further look at it until I get
home and have physical access to the box. System uptime was a few
months. It was last updated for installation of a 2.6.33 kernel
(2.6.35 is out now).
I have 3 goals now:
1) Figure out what is running on my box and how long it has been there.
2) Find out how it got there.
3) Sanitizing, or most likely rebuilding the system from scratch.
I won't feel comfortable about doing item 3 until I learn the cause of
1 and 2. Since this is a home PC, it's not mission-critical and I have
other computers so I can afford to leave it offline while I
investigate this security breach, but at the same time it's worrisome
because I do banking etc from this machine. I'll obviously have to
check the status of any other computer on the same network.
My user account has sudo-without-password rights to any command. In
hindsight this risk may not be worth the extra convenience... A rogue
"sudo install-bad-stuff" anywhere over time could have done me in.
Alternatively I was running vulnerable/compromised software. My box
has sshd running, root login in ssh is not allowed, and pubkey only
logins (no passwords). It is behind a wireless router but port 22 is
open and pointing to this box, and a few others needed by other
applications. So I will check out which keys exist on the compromised
machine and make sure I recognize them all. I'll also need to check
the status of any other computer my key is stored on (a mix of linux &
windows, and my mobile phone). Sigh...
I am using ~amd64 and I update deep world about 3 times a week normally.
The computer is only a few months old, but it was created by cloning a
~2-years-old computer. I did emerge -e world as part of the upgrade
process.
If anyone has advice on what I should look at forensically to
determine the cause of this, it is appreciated. I'll first dig into
the logs, bash history etc. and really hope that this very happened
recently.
Thanks for any tips and wish me good luck. :)
next reply other threads:[~2010-08-09 16:26 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-09 16:25 Paul Hartman [this message]
2010-08-09 16:48 ` [gentoo-user] Rooted/compromised Gentoo, seeking advice Alan McKinnon
2010-08-09 18:48 ` Paul Hartman
2010-08-09 18:59 ` [gentoo-user] " 7v5w7go9ub0o
2010-08-09 19:08 ` Paul Hartman
2010-08-09 19:46 ` Mick
2010-08-10 13:50 ` Kyle Bader
2010-08-09 19:09 ` [gentoo-user] " Mick
2010-08-09 20:08 ` Robert Bridge
2010-08-09 20:20 ` Bill Longman
2010-08-10 0:30 ` Kevin O'Gorman
2010-08-10 1:18 ` William Hubbs
2010-08-10 6:42 ` Alan McKinnon
2010-08-10 13:03 ` Kevin O'Gorman
2010-08-10 18:50 ` Alan McKinnon
2010-08-10 19:22 ` Hazen Valliant-Saunders
2010-08-10 23:23 ` Peter Humphrey
2010-08-11 16:55 ` Stroller
2010-08-11 18:16 ` Dale
2010-08-11 20:30 ` Alan McKinnon
2010-08-11 22:11 ` [gentoo-user] Rooted/compromised Gentoo, seeking advice - AKA passwords Bill Longman
2010-08-11 23:09 ` Alan McKinnon
2010-08-12 4:30 ` Bill Longman
2010-08-12 13:01 ` [gentoo-user] Rooted/compromised Gentoo, seeking advice Stroller
2010-08-12 19:21 ` Alan McKinnon
2010-08-12 19:43 ` Peter Humphrey
2010-08-12 20:14 ` Alan McKinnon
2010-08-12 12:56 ` Stroller
2010-08-13 2:11 ` Dale
2010-08-11 16:58 ` Stroller
2010-08-11 20:26 ` Alan McKinnon
2010-08-09 20:25 ` Dale
2010-08-09 21:22 ` Mick
2010-08-09 22:19 ` Dale
2010-08-09 21:17 ` Philip Webb
2010-08-09 23:07 ` Paul Hartman
2010-08-10 2:14 ` Frank Steinmetzger
2010-08-10 2:24 ` Indexer
2010-08-11 1:05 ` Walter Dnes
2010-08-11 2:16 ` Dale
2010-08-11 4:36 ` Walter Dnes
2010-08-11 5:37 ` Dale
2010-08-10 2:30 ` Keith Dart
2010-08-10 3:06 ` Adam Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AANLkTikcKYS+pTQOesC_rmqVwjwN80PKqrTuv3TPAq_h@mail.gmail.com \
--to=paul.hartman+gentoo@gmail.com \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox