Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
From: Paul Hartman
To: gentoo-user@lists.gentoo.org
Date: Mon, 9 Aug 2010 13:48:57 -0500
In-Reply-To: <201008091848.46139.alan.mckinnon@gmail.com>

On Mon, Aug 9, 2010 at 11:48 AM, Alan McKinnon wrote:
> On Monday 09 August 2010 18:25:56 Paul Hartman wrote:
>> Hi, today when working remotely I ran nethogs and noticed suspicious
>> network traffic coming from my home gentoo box. It was very low
>> traffic (less than 1KB/sec bandwidth usage) but according to nethogs
>> it was between a root user process and various suspicious-looking
>> ports on outside hosts in other countries that I have no business
>> with. netstat didn't show anything, however, but when I ran chkrootkit,
>> it told me that netstat was INFECTED. I immediately issued "shutdown -h
>> now" and now I won't be able to take a further look at it until I get
>> home and have physical access to the box. System uptime was a few
>> months. It was last updated for installation of a 2.6.33 kernel
>> (2.6.35 is out now).
>>
>> I have 3 goals now:
>>
>> 1) Figure out what is running on my box and how long it has been there.
>> 2) Find out how it got there.
>> 3) Sanitize, or most likely rebuild the system from scratch.
>
> Here's the bad news:
>
> An intruder probably gained access through a script kiddie script, which has
> likely already removed all the logs. Or they have possibly been rotated away
> by now.
>
> I would proceed as follows:
>
> 1. Keep that machine off the internet till it is reinstalled.
> 2. Fresh reinstall using boot media that you have downloaded and written
> elsewhere, plus a portage tree. Don't worry about distfiles - a fresh portage
> tree won't use existing copies on that machine if the hashes don't match. So
> you can re-use them. If you boot off new install media it is safe to download
> new distfiles using it.
> 3. Keep your old partitions around if you want to do forensics; you can mount
> them somewhere when a reinstall is done and peruse them at your leisure.
> However, doing that is often a waste of time unless you still have logs. You
> can use a scanner like nessus to look things over.
> 4. And it goes without saying that you should change all passwords and keys
> used on that trojaned machine.

Hi Alan, thanks for the advice.

I just remembered that my DD-WRT router stats page had an anomaly: on the
31st of July it showed I had over 700 terabytes of traffic, which is
impossible. Coincidentally, my cable modem stopped working on the same day,
so I wrote it off as a bug or a result of the broken modem. I replaced the
modem and everything seemed to work normally after that.

At this point my mind is running wild thinking of all of the possibilities.
Could the router have been infected? The modem? It'll still be another 5 or
6 hours before I'm able to lay my hands on the machine. I'm imagining every
doomsday scenario. :)

My hope is that it was "only" a botnet or ssh-scanner or something, and not
a sniffer or keylogger or anything nefarious. I fear I may never truly be
able to know, though.
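Added illustration, not part of this thread or of any Gentoo or chkrootkit code: the symptom Paul describes (nethogs sees root-owned traffic, netstat shows nothing, chkrootkit says netstat is INFECTED) is a disagreement between the kernel's socket table and a userland tool. The Python below reads the kernel's own view from /proc/net/tcp and lists every established socket that a netstat-style report omits. The /proc/net/tcp rows and the netstat output are constructed sample data, and the address decoding assumes a little-endian host such as x86, where the kernel prints each IPv4 address as a byte-reversed 32-bit hex word.

```python
import socket

# TCP state codes used in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample, not captured from the box in the thread. Layout follows
# /proc/net/tcp: sl, local_address, rem_address, st, ... (later columns ignored).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:E4B2 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0200A8C0:8A0C 0A0A0A0A:22B8 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed "netstat -tn" output from a tool that omits the third socket above.
SAMPLE_NETSTAT_TN = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:22            127.0.0.1:58546         ESTABLISHED
"""


def decode_endpoint(hexaddr):
    """Turn 'AABBCCDD:PPPP' from /proc/net/tcp into ('a.b.c.d', port).

    The kernel prints the IPv4 address as a 32-bit word in host byte order,
    so on a little-endian host (assumed here) the four bytes are reversed.
    """
    ip_hex, port_hex = hexaddr.split(":")
    packed = bytes.fromhex(ip_hex)[::-1]
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return [(local, remote, state), ...] for every row after the header."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        local = decode_endpoint(fields[1])
        remote = decode_endpoint(fields[2])
        state = TCP_STATES.get(fields[3], fields[3])
        conns.append((local, remote, state))
    return conns


def _split_hostport(text):
    host, _, port = text.rpartition(":")
    return host, int(port)


def parse_netstat_tn(text):
    """Return the set of (local, remote, state) tuples a netstat-style tool printed."""
    reported = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        reported.add((_split_hostport(fields[3]), _split_hostport(fields[4]), fields[5]))
    return reported


def hidden_connections(proc_text, netstat_text, ignore_states=("LISTEN",)):
    """Sockets the kernel table lists but the userland tool did not report."""
    reported = parse_netstat_tn(netstat_text)
    return [c for c in parse_proc_net_tcp(proc_text)
            if c[2] not in ignore_states and c not in reported]


if __name__ == "__main__":
    for local, remote, state in hidden_connections(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT_TN):
        print(f"NOT REPORTED: {local[0]}:{local[1]} -> {remote[0]}:{remote[1]} {state}")
```

On a live system you would feed it the real `/proc/net/tcp` contents and the output of the installed `netstat -tn`; any row it prints is a connection the tool is not showing you. A disagreement is strong evidence, but agreement is weak: a kernel-level rootkit can filter /proc as easily as a trojaned binary filters its own output, which is why Alan's advice to boot clean media and examine the old partitions from there is the only view that does not depend on the compromised host's own kernel and tools.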