From mboxrd@z Thu Jan 1 00:00:00 1970
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Sender: paul.hartman@gmail.com
Date: Tue, 10 Aug 2010 01:10:37 -0500
Subject: [gentoo-user] Re:
  Rooted/compromised Gentoo, seeking advice [Solved?]
From: Paul Hartman
To: gentoo-user@lists.gentoo.org
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Aug 9, 2010 at 11:25 AM, Paul Hartman wrote:
> Hi, today when working remotely I ran nethogs and noticed suspicious
> network traffic coming from my home gentoo box. It was very low
> traffic (less than 1KB/sec bandwidth usage) but according to nethogs
> it was between a root user process and various suspicious-looking
> ports on outside hosts in other countries that I have no business
> with. netstat didn't show anything, however, but when I ran chkrootkit
> it told me that netstat was INFECTED. I immediately issued "shutdown -h
> now" and now I won't be able to take a further look at it until I get
> home and have physical access to the box. System uptime was a few
> months. It was last updated for installation of a 2.6.33 kernel
> (2.6.35 is out now).

Well, so far everything I'm seeing points to a false alarm. :) It seems
I may have overreacted due to my lack of understanding.

First, when I got home and inspected router settings I realized the
strange activity I saw earlier was happening on a port I had opened for
Vuze (the bittorrent client). Nethogs output was like this:

NetHogs version 0.7.0

  PID USER     PROGRAM                      DEV        SENT      RECEIVED
    0 root     ..7423-213.138.94.110:49971             0.032     0.038 KB/sec
    0 root     ..7423-72.191.172.228:54861             0.000     0.000 KB/sec
    0 root     ..00:17423-82.52.3.94:57635             0.000     0.000 KB/sec
    0 root     unknown TCP                             0.000     0.000 KB/sec

  TOTAL                                                0.032     0.038 KB/sec

Based on my Googling tonight, it seems this may simply be how it
displays incoming connection attempts. I found a post on the Ubuntu
Launchpad site that is basically asking the same question:

https://answers.launchpad.net/ubuntu/+source/nethogs/+question/113880

I changed my designated port setting in Vuze, opened that port on my
firewall, and then waited a few minutes and sure enough this same kind
of "mystery traffic" started to appear on that port. So it would seem
to be innocent bittorrent traffic. Egg on my face.

Second, the problem of chkrootkit telling me "find" and "netstat" were
INFECTED, in big scary upper-case letters. The files appear to be
genuine; I checked and double-checked and they appear to be legitimate.
I re-emerged them and the files match and still fail the test. After
looking into how chkrootkit does its tests, it's simply grepping the
strings from the file. I have debugging info compiled into everything
on my system and perhaps that means the files are quite a bit more
chatty than usual when it comes to strings. The damning strings that
caused it to give me an INFECTED warning? (using the pattern from
chkrootkit's test)

/usr/bin/find: sharefile.h
/bin/netstat: sockaddr.h

To further test this false-positive theory, I stripped those two
binaries of debugging data and now they do not appear as INFECTED by
the test. If anyone else wants to compile net-tools or findutils with
debugging data and nostrip and then run chkrootkit to see what results
you get on these files, that would be quite helpful in confirming this.

I then tried rkhunter. It gave me numerous warnings, but after checking
the log for details they all appear to be harmless. (For example, it
warns that /usr/bin/ldd is a script, not a binary... as far as I can
tell, that is how it's supposed to be.)

Next I ran app-forensics/lynis, which is a more general system settings
audit. Everything looked normal there, too.

I've audited all of my logs, bash history, etc. and everything looks
fine. The logs are complete. I use metalog so I've got duplicate log
data in most cases, split up into different files and directories, and
they all match.

I've checked the other computers/devices in the house and don't see any
signs of any funny business. The router settings and activity all look
normal as well. I already had non-default password, telnet disabled,
external admin interface disabled, web interface disabled, etc. and the
firmware is the latest version, supposedly not vulnerable to the
milw0rm attack, so I think it is secure as can be expected.

I've checked all servers & online services that allow me to view my
login history and I don't see any unusual activity.

At this point I feel pretty good that my box was not compromised and it
was only ignorance and panic on my part. To play it safe, I'm going to
leave it disconnected for tonight and do some monitoring tomorrow with
wireshark just to be absolutely sure there's nothing going on. Wish me
luck! :)

I am grateful to everyone for their ideas and suggestions, and I'm
definitely going to change my sudoers privileges and more importantly
my habits and assumptions. The grace period that William alluded to
(timestamp_timeout is what Google tells me) may help to relieve a bit
of the "pain" of having to type my password so often.

Thanks,
Paul
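The chkrootkit false positive described in the message above comes down to a substring grep over the output of `strings`. The following Python is an added example (not the poster's code and not chkrootkit's own) that models that check on constructed byte blobs standing in for an unstripped and a stripped binary, and also models the cross-check the poster did: comparing the flagged file against a freshly re-emerged copy. The two regex fragments `file\.h` and `addr\.h` are assumptions inferred from the strings the message says matched; the real chkrootkit pattern lists are much longer.

```python
import hashlib
import re

# chkrootkit-style tests grep the output of `strings` on a binary for
# fragments that known trojaned versions contain. These two fragments are
# ASSUMPTIONS modelled on the strings the post reports ("sharefile.h",
# "sockaddr.h"); the real chkrootkit lists are much longer.
SUSPICIOUS_PATTERNS = {
    "find": [r"file\.h"],
    "netstat": [r"addr\.h"],
}

# Constructed stand-ins for binaries (not real ELF files): program code
# plus, for the unstripped build, DWARF-style debug strings naming source
# files and headers, which is what `strip` removes.
FIND_CODE = b"\x7fELF\x01\x01\x01\x00usage: %s [path...]\x00-name\x00-type\x00"
FIND_DEBUG = b"sharefile.h\x00/var/tmp/portage/findutils/find/find.c\x00"
NETSTAT_CODE = b"\x7fELF\x01\x01\x01\x00Proto Recv-Q Send-Q Local Address\x00"
NETSTAT_DEBUG = b"sockaddr.h\x00/var/tmp/portage/net-tools/netstat.c\x00"


def strings(data: bytes, min_len: int = 4) -> list:
    """Emulate `strings`: every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def chkrootkit_like(binary_name: str, data: bytes) -> list:
    """Return (pattern, matched string) pairs; any hit means INFECTED."""
    hits = []
    for s in strings(data):
        for pat in SUSPICIOUS_PATTERNS[binary_name]:
            if re.search(pat, s):
                hits.append((pat, s))
    return hits


def same_build(candidate: bytes, reference: bytes) -> bool:
    """The poster's cross-check: does the flagged file match a freshly
    re-emerged copy? A match means the debug strings, not a trojan, caused
    the hit; a mismatch still needs investigation."""
    return hashlib.sha256(candidate).digest() == hashlib.sha256(reference).digest()


def demo() -> dict:
    unstripped = FIND_CODE + FIND_DEBUG
    stripped = FIND_CODE  # what is left after `strip`
    return {
        "find_unstripped": chkrootkit_like("find", unstripped),
        "find_stripped": chkrootkit_like("find", stripped),
        "netstat_unstripped": chkrootkit_like("netstat", NETSTAT_CODE + NETSTAT_DEBUG),
        "matches_rebuild": same_build(unstripped, FIND_CODE + FIND_DEBUG),
    }
```

Run `demo()` to see the unstripped stand-ins flagged on exactly the header names the post lists, the stripped copy passing, and the hash comparison confirming the flagged file is the same build.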