mr-simon Guru
Joined: 22 Nov 2002 Posts: 367 Location: Leamington Spa, Warks, UK
Posted: Sat Apr 19, 2003 5:28 pm Post subject: Help! Trojaned. :(
Looks like I've been a bit slow off the mark with my security patches. Doh.
It's not a critical box, and I can rebuild it if necessary... I just ran chkrootkit and it reported:
Possible T0rn v8 rootkit installed
Possible RH-Sharpe's rootkit installed
Possible LPD worm installed
Possible Showtee rootkit installed
Possible LKM Trojan installed
Wooeee... Nasty. Looks like someone's been having a field day.
So... How to sort out this mess. Should I trash the box and start again? Or can I fix all of the above with an emerge -e world...
I started by having a google for 'T0rn removal instructions' and it seems either a rebuild or 'remove and replace the infected files' is the way to go... Will emerge -e world sort it out, or is it rebuild time?
thanks
_________________ "Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
derk Guru
Joined: 10 Mar 2003 Posts: 347 Location: St Thomas Ontario
Posted: Sat Apr 19, 2003 5:44 pm
my recommendation if it's not a critical box is scrub and start-over.
Once you have a problem it's best to purge and rebuild, there is no way to determine what has been altered or changed on most boxes if you don't have a monitoring system in place and even then you are taking a risk.
If you want to study the situation first, do so with known good tools from a clean boot disk or fresh Gentoo CD burnt on a non-compromised machine. It is generally a good idea to try to determine how you were compromised so you can eliminate the entry point. I suggest a good security network audit and use a good security book as a reference.
I suggest you make sure none of your other boxen are compromised as well. Once someone else is on your local network you may have difficulties making sure they are truly gone without a lot of work.
keep us posted .. the rest of us Gentoo users/fans would like to know of any holes you may find so we can patch/block them accordingly.
derk
Auka Tux's lil' helper
Joined: 01 Jul 2002 Posts: 110 Location: Germany
Posted: Sat Apr 19, 2003 8:14 pm
Hi
Ouch, that's not really nice...
Ok, so first of all you might boot FIRE (http://fire.dmzs.com/, a specifically designed Linux boot CD-ROM for forensics that contains chkrootkit and co) to verify whether your system really has been trojaned.
If someone did break into your box (and it seems so....) then you should really rebuild it from scratch. Completely. Also take care: avoid using backup files (at least if they are binaries); these might also contain trojaned files! Think twice about every file you want to take off of this box if you really have to.
Yes, rebuilding is (or at least can be) an immense amount of work. But it should be better to rebuild from scratch than spend a few hours not being sure if something has been left over or not. While I'm at it... also think about how and why this could happen -> try to avoid getting trojaned just again and don't make the same mistakes twice... (too old services? unneeded services? binaries from "friends"?)
Good luck.
puddpunk l33t
Joined: 20 Jul 2002 Posts: 681 Location: New Zealand
Posted: Sat Apr 19, 2003 10:06 pm
Could I just have your IP address?
mr-simon Guru
Joined: 22 Nov 2002 Posts: 367 Location: Leamington Spa, Warks, UK
Posted: Tue Apr 22, 2003 10:17 am
Auka wrote:
> Yes, rebuilding is (or at least can be) an immense amount of work. But it should be better to rebuild from scratch than spend a few hours not being sure if something has been left over or not. While I'm at it... also think about how and why this could happen -> try to avoid getting trojaned just again and don't make the same mistakes twice... (too old services? unneeded services? binaries from "friends"?)
Yeah I decided to pull the network jack out of the box, and not plug it in again until I'd booted off a livecd.
Last emerge -u world was about 2 weeks ago, but I wasn't running a proper firewall. I was only running proftpd, ssh and samba on it, and samba was pointing internally only, or at least it was supposed to be. My thinking was something like "well, if all the other ports are closed and I update fairly often, why do I need a firewall?" - well, that coupled with "I'm too lazy to bother writing one."
I think it was samba that caused the problem. Although I'd told it to only listen on 192.168.x.x it seems one smb port was still awake on the external interface. Something to do with nmbd I think.
Well, that'll learn me. Update more than once every two weeks... Run a proper firewall. *sigh*
_________________ "Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
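As a defender's check for the situation described in the post above (a service meant to be LAN-only that was still bound on the external interface), here is an added Python example that is not code from the thread; it assumes `netstat -lnp`-style output, treats ssh as the only intentionally exposed port, and works on a constructed sample rather than output captured from a real host.

```python
"""Flag listening sockets reachable beyond the LAN.

Added example, not code from the thread: parses `netstat -lnp`-style output and
reports listeners bound to the wildcard or a non-private address unless the
port is deliberately exposed. SAMPLE_NETSTAT is constructed, not captured.
"""
import ipaddress

# Assumption: ssh is the only service meant to be reachable from outside.
EXTERNALLY_ALLOWED_PORTS = {22}

# Constructed sample: smbd bound to the LAN address as intended, nmbd on 0.0.0.0.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.10:139        0.0.0.0:*               LISTEN      901/smbd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      777/proftpd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           903/nmbd
udp        0      0 192.168.1.10:138        0.0.0.0:*                           903/nmbd
"""

def parse_listeners(text):
    """Return (proto, ip, port, program) for every listening socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        # TCP rows carry a State column; only LISTEN sockets matter here.
        if fields[0].startswith("tcp") and fields[5] != "LISTEN":
            continue
        ip, _, port = fields[3].rpartition(":")
        listeners.append((fields[0], ip, int(port), fields[-1]))
    return listeners

def exposed_listeners(text, allowed=EXTERNALLY_ALLOWED_PORTS):
    """Listeners an outside host could reach that are not on the allow list."""
    exposed = []
    for proto, ip, port, program in parse_listeners(text):
        addr = ipaddress.ip_address(ip)
        # 0.0.0.0 / :: means every interface, including the external one.
        outside = addr.is_unspecified or not addr.is_private
        if outside and port not in allowed:
            exposed.append((proto, ip, port, program))
    return exposed

if __name__ == "__main__":
    for entry in exposed_listeners(SAMPLE_NETSTAT):
        print("externally reachable: %s %s:%d (%s)" % entry)
```

On a box that may already be trojaned the netstat binary itself cannot be trusted, so the capture belongs on the clean boot media recommended earlier in the thread.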
simcop2387 Apprentice
Joined: 14 Aug 2002 Posts: 200 Location: Galactic Sector ZZ9 Plural Z Alpha
Posted: Tue Apr 22, 2003 6:38 pm
Nah, once every two weeks should be fine for most cases, but just keep a lookout for GLSAs.
refriedbean n00b
Joined: 19 Jan 2003 Posts: 70 Location: N 37° 33.327 E 126° 55.650
Posted: Wed Apr 23, 2003 3:40 am
Well, if you are lazy (like me), using a prebuilt firewall script is better than nothing. Currently I'm using http://projectfiles.com/firewall
It's all in one file, so just edit the file, change a few variables, and run it. For normal desktops that don't have any services (except ssh maybe), you can just run it without changing anything, and it will secure the connection.
I'm using it on my firewall box at home, and it's doing a pretty decent job. NAT and port forwards etc.
If you are looking for a more complete firewall, check out Shorewall (can't remember the URL right now). It's a bit more feature-complete, and it uses an almost 'natural language' syntax in its configs.
Personally, I'm not really so paranoid that I would write my own scripts. For me, just using one that someone spent months developing is perfect.
Well, have fun with the reinstall.
-Refried
Auka Tux's lil' helper
Joined: 01 Jul 2002 Posts: 110 Location: Germany
Posted: Thu Apr 24, 2003 5:59 pm
Yep. Or you might have a look at the fwbuilder GUI. If you have a basic understanding of networking, have a look at this and use the wizard; you should be able to fairly easily build a quite decent and secure policy. (And it "scales": if you do know what you are doing it is also a quite powerful tool, a bit similar to the "famous" Checkpoint FW-1 GUI, if anyone else knows it...)
jbrown Tux's lil' helper
Joined: 17 Feb 2003 Posts: 81
Posted: Sat Apr 26, 2003 1:25 am
If you have had any compromise whatsoever, then you should always reformat and reinstall completely.
tgoodaire Tux's lil' helper
Joined: 31 Jan 2003 Posts: 145 Location: Dartmouth, Nova Scotia, Canada
Posted: Sat Apr 26, 2003 2:13 am Post subject: Hacked
I would recommend that you do this:
Get the computer off the internet!
Do as much as you can to try and figure out how they got in. If you just format and reinstall everything, they could just get in the same way!
_________________ I bent my wookie.