Re: [cobalt-users] chkrootkit output show possible ambient
- Subject: Re: [cobalt-users] chkrootkit output show possible ambient
- From: "alan@" <alan@xxxxxxxxx>
- Date: Wed Nov 20 08:25:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
From: "alan@"
> ----- Original Message -----
> From: "Richard Siddall"
> > "alan@" wrote:
> > >
> > > Hi all,
> > >
> > > I have just installed the chkrootkit-0.37 tarball.
> > >
> >
> > Is this the first time you've had chkrootkit on this machine, or
> > is this an upgrade?
> >
> > > When I run it, netstat and traceroute come back as infected.
> > > Would they be false positives ?
> > >
> >
> > There's always a possibility of a false positive with chkrootkit.
> > It's like "lint" with C programming, it looks for things that might
> > be problems.
> >
> > However, chkrootkit has gained a reputation for generating spurious
> > warnings due to the way it checks for hidden processes.
> >
> > If chkrootkit generates ANY warnings, it's time to go investigating.
> >
> > 1/ Do a search.
> >
> > 2/ Look at the chkrootkit source code. chkrootkit itself is a shell
> > script, so you can figure out what it's looking for.
> >
> > Generating warnings for infected programs is a bad sign; you almost
> > never replace the programs with ones that might trigger a false
> > positive.
> >
> > In the case of netstat, chkrootkit seems to be looking for the
> > following strings in the binary:
> >
> > /dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|/prof|/dev/tux
> >
> > > Also when it's checking for Ambient's rootkit, it says it's possibly there,
> > > then it says it's looking for suspicious files, and then lists a mixture of
> > > files. Does this mean yes or no, if the files appear in the list ?
> > > Is suspicious, deadly ?
> >
> > Having suspicious files isn't necessarily bad.
> >
> > > Here is the relevant section of the output from chkrootkit :
> > >
> > > Searching for Ambient's rootkit (ark) default files and dirs... Possible
> > > Ambient's rootkit (ark) installed
> >
> > You need to look to see what could have triggered this.
> >
> > > Searching for suspicious files and dirs, it may take a while...
> > > /usr/lib/.ark?
> >
> > I don't like the look of that...
> >
> > > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> > > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> > > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> > > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> > > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
> > > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/DBI/.packlist
> > >
> > > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Msql-Mysql-modules/.packlist
> > > /usr/lib/perl5/5.00503/i386-linux/.packlist
> >
> > Generally when you install a Perl module, it leaves behind a .packlist
> > file. Can you justify having these modules installed? (They look
> > innocuous to me.)
> >
> > >
> > > TIA
> > >
> >
> > I hope this helps. I think you're in for a bad day.
> >
> > > Alan
> > >
> >
> > Richard.
>
> Thanks Richard,
> This is a fresh install on a clients server. Last week "somebody" changed
> the admin password. I got the co-lo to change it back but we still don't
> know why/how it was changed.
> So I have begun investigations ! (I only gained this client when the
> password locked them out !!)
>
> I have been researching a little through the archives, and am considering
> whether to go through the suggestions in this posting :
> http://list.cobalt.com/pipermail/cobalt-users/2002-November/081008.html
>
> I have deleted /usr/lib/.ark? but I am not sure about the posters
> instruction to delete /dev/ptyxx
> ( is ptyxx pty with 2 wildcards or an actual file ptyxx ? )
>
> I guess, what I am trying to get away with, is not to have to wipe the disk
> and start again.
>
> Any body want to lay odds ? :-(
>
> Thanks
>
> Alan
>
Hi again,
I have checked out the file stamps on traceroute and netstat and they both
have the same stamp as every other (un-updated) file on the server, i.e. June
20 2000, so I think they are probably ok.
I am going to check out what the ARK actually does and how, before I go
panicking. As I said, "somebody" changed the admin password, but there is no
guarantee that it was a hacker. This is the problem when coming late to a
project, everybody denies everything.
This server has however got all the patches installed (I just installed the
last 2 myself) and it has ssh 3.1 and telnet is turned off.
I will be installing ipchains etc. but I want to make sure there isn't a
back door first.
Thanks
Alan
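
The thread makes three concrete points about what chkrootkit's netstat warning and the ark hit mean: the netstat check is a plain string search over the binary (Richard's pattern), the ark check looks for a couple of default paths (the `/usr/lib/.ark?` line), and a trojaned binary usually shows a different modification time from its neighbours (the June 20 2000 comparison). The script below is an added example, written for this page and not taken from chkrootkit or from either poster, that reimplements those three checks so you can see exactly what each one does and does not prove. The signature pattern is copied verbatim from Richard's message; treating the `?` in `/usr/lib/.ark?` as a one-character shell glob is my assumption, and the fixture files it scans are constructed for the demo.

```sh
#!/bin/sh
# Added example (not chkrootkit's own code): reimplements the three checks
# discussed in the thread against a constructed fixture tree.
#   sig_scan       - grep a binary for the netstat signature strings
#   ark_check      - look for Ambient's rootkit default paths under a root
#   mtime_outliers - list files whose mtime differs from a reference file

# Pattern quoted by Richard, copied as-is (note there is no '|' after hdl0).
NETSTAT_SIGS='/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|/prof|/dev/tux'

# sig_scan FILE PATTERN: exit 0 if any signature string is present ("infected"),
# 1 if none is ("clean"), 2 if the file cannot be read. -a makes grep treat
# an ELF binary as text. A hit only proves the string is in the file, which is
# why a trojaned binary and an unusual legitimate build look the same to it.
sig_scan() {
    [ -r "$1" ] || return 2
    grep -aqE "$2" "$1"
}

# ark_check ROOT: print every ark default path that exists below ROOT.
# Assumption: the '?' in .ark? is a single-character glob, so .arkX matches.
ark_check() {
    for p in "$1"/dev/ptyxx "$1"/usr/lib/.ark?; do
        [ -e "$p" ] && echo "$p"
    done
    return 0
}

# mtime_outliers REF FILE...: print each FILE whose mtime differs from REF's.
# This is the "same stamp as every other un-updated file" test from the thread;
# it catches a careless replacement, not one that was re-stamped with touch.
mtime_outliers() {
    ref="$1"; shift
    for f in "$@"; do
        if [ "$f" -nt "$ref" ] || [ "$f" -ot "$ref" ]; then
            echo "$f"
        fi
    done
    return 0
}

# make_samples: build a constructed fixture tree in a temp dir, print its path.
# Every file here is made up for the demo; nothing comes from a real server.
make_samples() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/usr/lib" "$d/dev"
    printf 'ELF fake netstat: reads /proc/net/tcp\n' > "$d/bin/netstat.clean"
    printf 'ELF fake netstat: hide /dev/ptyq from the listing\n' > "$d/bin/netstat.bad"
    printf 'ELF fake traceroute\n' > "$d/bin/traceroute"
    : > "$d/usr/lib/.arkX"   # the kind of file the ark check reports
    # Give the "untouched" binaries the June 20 2000 stamp from the thread and
    # leave netstat.bad with today's mtime so it stands out.
    touch -t 200006200000 "$d/bin/netstat.clean" "$d/bin/traceroute"
    echo "$d"
}

# Stand-alone demo run over the fixture tree.
D=$(make_samples)
for b in "$D"/bin/*; do
    if sig_scan "$b" "$NETSTAT_SIGS"; then
        echo "INFECTED  $b"
    else
        echo "clean     $b"
    fi
done
echo "ark default files found:"
ark_check "$D"
echo "files whose mtime differs from $D/bin/traceroute:"
mtime_outliers "$D/bin/traceroute" "$D"/bin/*
rm -rf "$D"
```

Run it as `sh ark-checks.sh` (name assumed). Only `netstat.bad` trips the signature scan, only `/usr/lib/.arkX` is reported by the glob, and only `netstat.bad` is an mtime outlier, which is the combination of evidence the thread is reasoning from: a string hit on its own is weak, a string hit on a binary whose timestamp also disagrees with its neighbours is not.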