From: Paul Hartman <paul.hartman+gentoo@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice [Solved?]
Date: Tue, 10 Aug 2010 01:10:37 -0500
Message-ID: <AANLkTimcHfYAo9vV7tVHZkTCZ_Etragr3yh2Hsz7=_Zf@mail.gmail.com>
On Mon, Aug 9, 2010 at 11:25 AM, Paul Hartman
<paul.hartman+gentoo@gmail.com> wrote:
> Hi, today when working remotely I ran nethogs and noticed suspicious
> network traffic coming from my home gentoo box. It was very low
> traffic (less than 1KB/sec bandwidth usage) but according to nethogs
> it was between a root user process and various suspicious-looking
> ports on outside hosts in other countries that I have no business
> with. netstat didn't show anything, however, but when I ran chkrootkit
> it told me that netstat was INFECTED. I immediately issued "shutdown -h
> now" and now I won't be able to take a further look at it until I get
> home and have physical access to the box. System uptime was a few
> months. It was last updated for installation of a 2.6.33 kernel
> (2.6.35 is out now).
Well, so far everything I'm seeing points to a false alarm. :) It
seems I may have overreacted due to my lack of understanding.
First, when I got home and inspected router settings I realized the
strange activity I saw earlier was happening on a port I had opened
for Vuze (the bittorrent client). Nethogs output was like this:
NetHogs version 0.7.0
PID USER PROGRAM DEV SENT RECEIVED
0 root ..7423-213.138.94.110:49971 0.032 0.038 KB/sec
0 root ..7423-72.191.172.228:54861 0.000 0.000 KB/sec
0 root ..00:17423-82.52.3.94:57635 0.000 0.000 KB/sec
0 root unknown TCP 0.000 0.000 KB/sec
TOTAL 0.032 0.038 KB/sec
Based on my Googling tonight, it seems this may simply be how it
displays incoming connection attempts. I found a post on the Ubuntu
Launchpad site that is basically asking the same question:
https://answers.launchpad.net/ubuntu/+source/nethogs/+question/113880
I changed my designated port setting in Vuze, opened that port on my
firewall, and then waited a few minutes and sure enough this same kind
of "mystery traffic" started to appear on that port. So it would seem
to be innocent bittorrent traffic. Egg on my face.
Second, the problem of chkrootkit telling me "find" and "netstat" were
INFECTED, in big scary upper-case letters. The files appear to be
genuine, I checked and double-checked and they appear to be
legitimate. I re-emerged them and the files match and still fail the
test. After looking into how chkrootkit does its tests, it's simply
grepping the strings from the file. I have debugging info compiled
into everything on my system and perhaps that means the files are
quite a bit more chatty than usual when it comes to strings. The
damning strings that caused it to give me an INFECTED warning? (using
the pattern from chkrootkit's test)
/usr/bin/find: sharefile.h
/bin/netstat: sockaddr.h
To further test this false-positive theory, I stripped those two
binaries of debugging data and now they do not appear as INFECTED by
the test. If anyone else wants to compile net-tools or findutils with
debugging data and nostrip and then run chkrootkit to see what results
you get on these files, that would be quite helpful in confirming
this.
I then tried rkhunter. It gave me numerous warnings, but after
checking the log for details they all appear to be harmless (for
example, it warns that /usr/bin/ldd is a script, not a binary... as
far as I can tell, that is how it's supposed to be).
Next I ran app-forensics/lynis, which is a more general system
settings audit. Everything looked normal there, too.
I've audited all of my logs, bash history, etc., and everything looks
fine. The logs are complete. I use metalog so I've got duplicate log
data in most cases, split up into different files and directories, and
they all match. I've checked the other computers/devices in the house
and don't see any signs of any funny business.
The router settings and activity all look normal as well. I already
had a non-default password, telnet disabled, external admin interface
disabled, web interface disabled, etc., and the firmware is the latest
version, supposedly not vulnerable to the milw0rm attack, so I think it
is as secure as can be expected.
I've checked all servers & online services that allow me to view my
login history and I don't see any unusual activity.
At this point I feel pretty good that my box was not compromised and
it was only ignorance and panic on my part. To play it safe, I'm going
to leave it disconnected for tonight and do some monitoring tomorrow
with wireshark just to be absolutely sure there's nothing going on.
Wish me luck! :)
I am grateful to everyone for their ideas and suggestions, and I'm
definitely going to change my sudoers privileges and more importantly
my habits and assumptions. The grace period that William alluded to
(timestamp_timeout is what Google tells me) may help to relieve a bit
of the "pain" of having to type my password so often.
Thanks,
Paul
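The false-positive check described in the message above, as an added example that is not part of the original thread: emulate chkrootkit's string grep and, for each hit, report which ELF section the string sits in. A hit inside a .debug_* section comes from DWARF debugging data, which `strip` removes, whereas a hit in .rodata or .text belongs to the program itself. Assumptions: the pattern is only the two strings the post names (chkrootkit's real pattern list is longer and is not reproduced here), binaries are little-endian ELF64, and the sample ELF is constructed inline rather than taken from a real system.

```python
import re
import struct

# The two strings chkrootkit flagged on the poster's box (from the post).
# chkrootkit's real pattern list is longer; this constant stands in for it.
SUSPECT = re.compile(rb"sharefile\.h|sockaddr\.h")

def elf64_sections(data):
    """Return [(name, offset, size)] for every section of a little-endian ELF64."""
    if data[:5] != b"\x7fELF\x02" or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    shoff, = struct.unpack_from("<Q", data, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
            for i in range(shnum)]
    stroff = hdrs[shstrndx][4]            # file offset of .shstrtab
    def name(idx):
        return data[stroff + idx:data.index(b"\0", stroff + idx)].decode()
    return [(name(h[0]), h[4], h[5]) for h in hdrs]   # (sh_name, sh_offset, sh_size)

def classify_hits(data):
    """Find suspect strings and report which section each one sits in.
    A hit in .debug_* is debug info that `strip` removes; a hit in
    .rodata or .text would be part of the program proper."""
    secs = elf64_sections(data)
    hits = []
    for m in SUSPECT.finditer(data):
        sec = next((n for n, off, size in secs if off <= m.start() < off + size), "?")
        hits.append((m.group().decode(), sec))
    return hits

def scan_file(path):
    with open(path, "rb") as f:
        return classify_hits(f.read())

def build_sample_elf():
    """Constructed stand-in for an unstripped binary: a valid ELF64 section
    table with no real code, where only .debug_str carries 'sockaddr.h'."""
    text = b"\x90" * 8 + b"/bin/ls\0"
    debug = b"netstat.c\0sockaddr.h\0"
    shstr = b"\0.text\0.debug_str\0.shstrtab\0"   # names at index 1, 7, 18
    payload = text + debug + shstr
    shoff = 64 + len(payload)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    def sh(name, off, size):
        return struct.pack("<IIQQQQIIQQ", name, 1, 0, 0, off, size, 0, 0, 1, 0)
    secs = (sh(0, 0, 0) + sh(1, 64, len(text)) + sh(7, 64 + len(text), len(debug))
            + sh(18, 64 + len(text) + len(debug), len(shstr)))
    return ehdr + payload + secs

if __name__ == "__main__":
    for s, sec in classify_hits(build_sample_elf()):
        print(f"{s!r} found in section {sec}")
```

Run `scan_file("/bin/netstat")` on an unstripped build to see whether the flagged string lives in a .debug_* section; a matching Portage checksum for the file is still the stronger evidence that the binary is the packaged one.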