runningwithscissors Guru
Joined: 21 Apr 2006 Posts: 454 Location: the third world
Posted: Sat Oct 20, 2007 8:17 am Post subject: Is my machine pwnd?
This morning, I saw the lights on my router blinking like crazy so I ran a netstat and there were a few connections being established to one particular address. I immediately banned the address, and all the connections died. However, I am not sure if my Linux machine is pwnt or the older one behind the Linux machine that runs Windows.
ps ax shows this.
Code:
PID TTY STAT TIME COMMAND
1 ? Ss 0:00 init [3]
2 ? S< 0:00 [kthreadd]
3 ? RN 0:00 [ksoftirqd/0]
4 ? S< 0:00 [watchdog/0]
5 ? S< 0:00 [events/0]
6 ? S< 0:00 [khelper]
66 ? S< 0:00 [kblockd/0]
67 ? S< 0:00 [kacpid]
68 ? S< 0:00 [kacpi_notify]
205 ? S< 0:00 [ata/0]
206 ? S< 0:00 [ata_aux]
207 ? S< 0:00 [ksuspend_usbd]
210 ? S< 0:00 [khubd]
212 ? S< 0:00 [kseriod]
242 ? S 0:00 [pdflush]
243 ? S 0:00 [pdflush]
244 ? S< 0:00 [kswapd0]
245 ? S< 0:00 [aio/0]
246 ? S< 0:00 [cifsoplockd]
247 ? S< 0:00 [cifsdnotifyd]
248 ? S< 0:00 [jfsIO]
249 ? S< 0:00 [jfsCommit]
250 ? S< 0:00 [jfsSync]
251 ? S< 0:00 [xfslogd/0]
252 ? S< 0:00 [xfsdatad/0]
253 ? S< 0:00 [v9fs/0]
929 ? S< 0:00 [scsi_eh_0]
931 ? S< 0:00 [scsi_eh_1]
933 ? S< 0:00 [scsi_eh_2]
935 ? S< 0:00 [scsi_eh_3]
985 ? S< 0:00 [kpsmoused]
990 ? S< 0:00 [kondemand/0]
999 ? S< 0:00 [kjournald]
1090 ? S<s 0:00 /sbin/udevd --daemon
2489 ? S< 0:00 [kjournald]
2490 ? S< 0:00 [kjournald]
2491 ? S< 0:00 [kjournald]
2492 ? S< 0:00 [kjournald]
3317 ? Ss 0:00 /usr/sbin/gpm -m /dev/input/mice -t imps2 -l "a-zA-Z0
4257 ? Ss 0:00 /usr/sbin/syslog-ng
5910 ? Sl 0:00 /usr/sbin/pdnsd -s -t -d -p /var/run/pdnsd.pid
6040 ? Ss 0:00 /usr/sbin/sshd
6161 ? Ss 0:00 /usr/bin/postmaster -D /var/lib/postgresql/data --sil
6243 ? Ss 0:00 postgres: logger process
6245 ? Ss 0:00 postgres: writer process
6246 ? Ss 0:00 postgres: stats collector process
6315 ? Ss 0:00 /usr/sbin/smbd -D
6319 ? S 0:00 /usr/sbin/smbd -D
6325 ? Ss 0:00 /usr/sbin/nmbd -D
6400 tty2 Ss 0:00 /bin/login --
6401 tty3 Ss+ 0:00 /sbin/agetty 38400 tty3 linux
6402 tty4 Ss+ 0:00 /sbin/agetty 38400 tty4 linux
6403 tty5 Ss+ 0:00 /sbin/agetty 38400 tty5 linux
6404 tty6 Ss+ 0:00 /sbin/agetty 38400 tty6 linux
6492 tty1 Ss 0:00 /bin/login --
6499 tty1 S+ 0:00 -bash
6733 tty1 S 0:00 /bin/sh /usr/bin/startx
6749 tty1 S 0:00 xinit /home/user/.xinitrc -- -nolisten tcp -br -auth
6750 tty7 SLs+ 0:53 X :0 -nolisten tcp -br -auth /home/xxxx/.serverauth.6
6754 tty1 S 0:00 /bin/sh /usr/kde/3.5/bin/startkde
6780 tty1 S 0:00 /usr/bin/dbus-launch --sh-syntax --exit-with-session
6781 ? Ss 0:00 /usr/bin/dbus-daemon --fork --print-pid 4 --print-add
6800 tty1 S 0:00 start_kdeinit --new-startup +kcminit_startup
6801 ? Ss 0:00 kdeinit Running...
6804 ? S 0:00 dcopserver [kdeinit] --nosid
6806 ? S 0:00 klauncher [kdeinit] --new-startup
6808 ? S 0:01 kded [kdeinit] --new-startup
6813 tty1 S 0:00 kwrapper ksmserver
6815 ? S 0:00 ksmserver [kdeinit]
6816 ? S 0:00 kwin [kdeinit] -session 10c9d6d8740001171188734000001
6818 ? S 0:00 kdesktop [kdeinit]
6820 ? S 0:00 kicker [kdeinit]
6822 ? S 0:00 kio_uiserver [kdeinit]
6832 ? S 0:00 kaccess [kdeinit]
6834 ? S 0:01 yakuake -session 10c9d6d87400011903112510000006391000
6835 ? S 0:03 gkrellm --sm-client-id 10c9d6d87400011896218540000007
6842 pts/1 Ss 0:00 /bin/bash
6847 ? S 0:00 knotify [kdeinit]
6926 tty2 S 0:00 -bash
6932 tty2 S+ 0:00 /bin/sh /usr/bin/startx -- :1
6948 tty2 S+ 0:00 xinit /home/tiku/.xinitrc -- :1 -auth /home/xxxx/.ser
6949 tty8 SLs+ 0:15 X :1 -auth /home/tiku/.serverauth.6932 -deferglyphs 1
6953 tty2 S 0:00 /bin/sh /usr/kde/3.5/bin/startkde
6979 tty2 S 0:00 /usr/bin/dbus-launch --sh-syntax --exit-with-session
6980 ? Ss 0:00 /usr/bin/dbus-daemon --fork --print-pid 4 --print-add
6996 tty2 S 0:00 start_kdeinit --new-startup +kcminit_startup
6997 ? Ss 0:00 kdeinit Running...
7000 ? S 0:00 dcopserver [kdeinit] --nosid
7002 ? S 0:00 klauncher [kdeinit] --new-startup
7004 ? S 0:00 kded [kdeinit] --new-startup
7009 tty2 S 0:00 kwrapper ksmserver
7011 ? S 0:00 ksmserver [kdeinit]
7012 ? S 0:00 kwin [kdeinit] -session 10c9d6d8740001159287680000001
7014 ? S 0:02 kdesktop [kdeinit]
7016 ? S 0:00 kicker [kdeinit]
7018 ? S 0:00 kio_file [kdeinit] file /tmp/ksocket-tiku/klauncherYX
7025 ? S 0:00 kaccess [kdeinit]
7026 ? S 0:00 yakuake -session 10c9d6d87400011831891970000006387001
7027 ? S 0:04 gkrellm2 --sm-client-id 10c9d6d8740001172644070000002
7033 pts/3 Ss+ 0:00 /bin/bash
7038 ? S 0:00 knotify [kdeinit]
7363 ? S 0:00 kio_file [kdeinit] file /tmp/ksocket-user/klauncher3L
12054 pts/5 Ss+ 0:00 /bin/bash
12167 pts/1 S 0:00 /bin/sh /usr/sbin/pppoe-connect /dev/fd/63
12179 ? Ss 0:00 /usr/sbin/pppd pty /usr/sbin/pppoe -p /var/run/-pppoe
12180 ? S 0:00 /usr/sbin/pppoe -p /var/run/-pppoe.pid.pppoe -I eth0
12658 pts/1 S 0:00 su
12663 pts/1 S+ 0:00 bash
16643 ? Ss 0:00 sshd: xxxxx [priv]
16648 ? S 0:00 sshd: xxxxx@pts/6
16649 pts/6 Ss 0:00 -bash
16670 pts/6 S 0:00 su
16673 pts/6 S 0:00 bash
16839 ? S 0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
16840 ? Ss 0:00 /usr/bin/php-cgi
16844 ? S 0:00 /usr/bin/php-cgi
16845 ? Ss 0:00 /usr/bin/php-cgi
16848 ? S 0:00 /usr/bin/php-cgi
16855 ? Ss 0:00 /usr/bin/php-cgi
16856 ? S 0:00 /usr/bin/php-cgi
16857 ? Ss 0:00 /usr/bin/php-cgi
16858 ? S 0:00 /usr/bin/php-cgi
16902 pts/6 R+ 0:00 ps ax

Can you spot anything irregular? I am not much of a sysadmin, so... I can't.
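The question the post leaves open is which machine held the connections. Plain netstat, as run above, lists only sockets owned by the router itself and omits the owning PID; connections that are merely forwarded for a LAN host never show up in netstat at all, only in the kernel's connection-tracking table. The script below is an added example, not something from the thread: it parses `netstat -tunp` output to name the process behind each socket to a given peer, and parses `/proc/net/ip_conntrack` to list flows a LAN host has open through the router to that peer. All sample data is constructed; only the peer address 116.90.184.41 comes from the thread, and the LAN addresses, PIDs and ports are invented.

```shell
#!/bin/sh
# Added example (not from the thread): attribute each connection seen on the
# Linux router either to a local process or to a LAN host whose traffic is only
# forwarded. Plain "netstat" lists only sockets owned by this box and omits the
# PID; forwarded connections appear only in the connection-tracking table.
# All sample data below is CONSTRUCTED; only 116.90.184.41 comes from the thread.

# Constructed excerpt of `netstat -tunp` output (root needed for the PID column;
# `ss -tunp` prints equivalent data on current systems).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.1:22             10.0.0.5:49152          ESTABLISHED 16643/sshd: xxxxx
tcp        0      0 203.0.113.7:33045       116.90.184.41:6667      ESTABLISHED 12663/bash
tcp        0      0 203.0.113.7:33046       116.90.184.41:6667      ESTABLISHED 12663/bash
udp        0      0 0.0.0.0:53              0.0.0.0:*                           5910/pdnsd
EOF
}

# Constructed excerpt of /proc/net/ip_conntrack (2.6-era layout; `conntrack -L`
# prints the same fields today) with one flow from the LAN box 10.0.0.5.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=116.90.184.41 sport=1045 dport=4444 packets=20 bytes=1400 src=116.90.184.41 dst=203.0.113.7 sport=4444 dport=1045 packets=18 bytes=2200 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=203.0.113.53 sport=1025 dport=53 packets=1 bytes=60 src=203.0.113.53 dst=203.0.113.7 sport=53 dport=1025 packets=1 bytes=120 mark=0 use=1
EOF
}

# local_peers HOST: sockets this box holds to HOST, from netstat -tunp on stdin.
# Prints "<proto> <local> <foreign> <pid>/<program>"; UDP lines lack the State
# column, so the program name starts one field earlier there.
local_peers() {
    awk -v host="$1" '
        $1 ~ /^(tcp|udp)/ && index($5, host ":") == 1 {
            start = ($1 ~ /^udp/) ? 6 : 7
            prog = $start
            for (i = start + 1; i <= NF; i++) prog = prog " " $i
            print $1, $4, $5, prog
        }'
}

# forwarded_peers HOST: conntrack entries whose original direction is addressed
# to HOST, from /proc/net/ip_conntrack or /proc/net/nf_conntrack on stdin. The
# first src=/dst=/sport=/dport= group is the original direction; the second is
# the (NATed) reply direction, which is why only the first occurrence is kept.
forwarded_peers() {
    awk -v host="$1" '
        {
            proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1   # nf_conntrack prefixes the family
            src = ""; dst = ""; sport = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "src" && src == "") src = v
                else if (k == "dst" && dst == "") dst = v
                else if (k == "sport" && sport == "") sport = v
                else if (k == "dport" && dport == "") dport = v
            }
            if (dst == host) print proto, src ":" sport, "->", dst ":" dport
        }'
}

# triage HOST [live]: run both views. Without "live" the constructed samples are used.
triage() {
    host="$1"; mode="${2:-sample}"
    echo "== sockets owned by processes on this box, peer $host =="
    if [ "$mode" = "live" ]; then netstat -tunp 2>/dev/null | local_peers "$host"
    else sample_netstat | local_peers "$host"; fi
    echo "== connections forwarded for LAN hosts, peer $host =="
    if [ "$mode" = "live" ]; then cat /proc/net/ip_conntrack /proc/net/nf_conntrack 2>/dev/null | forwarded_peers "$host"
    else sample_conntrack | forwarded_peers "$host"; fi
}

triage 116.90.184.41
```

On the router itself, `triage 116.90.184.41 live` (as root) reads the real netstat and conntrack data. A hit in the first section names the local process to investigate; a hit in the second section with a LAN source address points at the machine behind the router instead.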
justwantstohelp Apprentice
Joined: 29 Jun 2006 Posts: 251 Location: Sacramento, California
Posted: Sat Oct 20, 2007 8:28 am
all those kde processes look suspicious
Pithlit l33t
Joined: 27 Dec 2003 Posts: 887 Location: fuhen
Posted: Sun Oct 21, 2007 4:27 am
He started 2 kde sessions, that's why there's so many of them.
Other than that there's no way of telling with this little info. Did you start 2 sessions? Did you start lighttpd? Why do you even suspect you're getting "pwned"? etc etc...
petrjanda Veteran
Joined: 05 Sep 2003 Posts: 1557 Location: Brno, Czech Republic
Posted: Sun Oct 21, 2007 4:50 am
you should have saved a tcpdump before you cut those connections, that way we could identify what kind of traffic was being transferred, whether it was a threat or not.
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5947
Posted: Sun Oct 21, 2007 5:14 am
Security related, moved from Off the Wall to Networking & Security.
have you considered installing rkhunter or chkrootkit? i don't see anything out of the ordinary, but if you're paranoid, it's probably a good start along with tcpdump.
cheers
runningwithscissors Guru
Joined: 21 Apr 2006 Posts: 454 Location: the third world
Posted: Sun Oct 21, 2007 5:24 am
Pithlit wrote:
> He started 2 kde sessions, that's why there's so many of them.
Yes. But you don't need to pay attention to those.
Pithlit wrote:
> Other than that there's no way of telling with this little info.
I understand. But,
runningwithscissors wrote:
> I am not much of a sysadmin
A reminder.
Pithlit wrote:
> Did you start 2 sessions?
Yes, I did. Also, I don't know why an attacker would start a kde session.
Pithlit wrote:
> Did you start lighttpd?
Yes. But those weren't connections to the webserver. Also, postgres was started by me and it's not available outside my local network. Only ssh, http and https are, but none of the connections were on ports 22, 80 or 443. Which makes me suspicious that one of my two machines may have been taken over.
I suppose it would be wise for me to invest some time in reading up about iptables' connection tracking.
Pithlit wrote:
> Why do you even suspect you're getting "pwned"? etc etc...
Bunch of connections to a foreign address on non-standard ports.
petrjanda wrote:
> you should have saved a tcpdump before you cut those connections, that way we could identify what kind of traffic was being transferred, whether it was a threat or not.
Thanks. That's something that didn't occur to me at all. Like I said, not much of a sysadmin.
I'll just try and be more careful in the future.
bunder wrote:
> have you considered installing rkhunter or chkrootkit? i don't see anything out of the ordinary, but if you're paranoid, it's probably a good start along with tcpdump.
Have both installed. rkhunter says everything is okay. Except for eth1 being in promiscuous mode, but that is part of a local bridge. And it didn't occur to me to use tcpdump. I use it regularly while setting up other services on my machine.
EDIT: I realise that the information provided is too little to conclude anything. Thanks for all your help.
cokey Advocate
Joined: 23 Apr 2004 Posts: 3355
Posted: Sun Oct 21, 2007 6:35 am
well you have 2 X sessions which is probably the 2 KDE sessions, JFS being loaded up by the kernel so i hope that is your fs.
There is one thing that stands out to me and that is the two ssh sessions. Either you have started both or that is someone else starting one and allowing another to be brought in by way of rootkit and discovering/changing passwords, but without a packet dump you won't know what is being sent.
Be safe and run a packet sniffer for the next couple of days and if you see anything strange log the times and post it
Hu Administrator
Joined: 06 Mar 2007 Posts: 23081
Posted: Sun Oct 21, 2007 4:15 pm
If you remember the foreign address or the ports involved, please post those. Also, please show us your iptables rules. You can print them all by running iptables-save -c. Consider modifying the rules which banned the suspicious hosts so that you get log records for any future contact. Use -d suspicious-foreign-host -m limit --limit 5/min -j LOG --log-prefix "FW-LOG-suspicious " --log-ip-options --log-tcp-options in the chains where you have a DROP rule. Then watch your firewall logs for anything with that prefix.
You might also find net-analyzer/iptstate useful. It shows both connections originating from the box (like netstat) and connections forwarded through the box.
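Once the LOG rule with the "FW-LOG-suspicious " prefix is in place, the kernel writes one syslog line per matching packet, which gets noisy fast. The script below is an added example, not part of the thread, that condenses those lines into one row per flow with a hit count, and reads the IN=/OUT= fields to tell whether a packet was generated by the router (IN empty), addressed to it (OUT empty), or forwarded for a LAN host (both set), which is exactly the local-versus-Windows-box distinction the original question turns on. The syslog lines are constructed; only the prefix and the address 116.90.184.41 come from the thread, and the interface name ppp0 is taken from the poster's later description of his setup.

```shell
#!/bin/sh
# Added example, not from the thread: condense kernel LOG records that carry the
# prefix Hu proposes ("FW-LOG-suspicious ") into one line per flow with a hit
# count. IN=/OUT= show whether the packet came from this box (IN empty), was
# aimed at it (OUT empty) or was forwarded for a LAN host (both set).
# The syslog lines are CONSTRUCTED; only the prefix and 116.90.184.41 come
# from the thread.

PREFIX="FW-LOG-suspicious"
WAN_IF="ppp0"   # assumption: the internet-facing interface named later in the thread

sample_syslog() {
    cat <<'EOF'
Oct 21 05:30:12 router kernel: FW-LOG-suspicious IN= OUT=ppp0 SRC=203.0.113.7 DST=116.90.184.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=33045 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 21 05:30:15 router kernel: FW-LOG-suspicious IN= OUT=ppp0 SRC=203.0.113.7 DST=116.90.184.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=102 DF PROTO=TCP SPT=33046 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 21 05:31:02 router kernel: FW-LOG-suspicious IN=ppp0 OUT= MAC= SRC=116.90.184.41 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=TCP SPT=6667 DPT=33045 WINDOW=0 RES=0x00 RST URGP=0
Oct 21 05:31:40 router kernel: FW-LOG-suspicious IN=eth1 OUT=ppp0 SRC=10.0.0.5 DST=116.90.184.41 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=9 PROTO=UDP SPT=1025 DPT=4444 LEN=58
Oct 21 05:32:00 router sshd[16643]: Accepted publickey for user from 10.0.0.5 port 49152 ssh2
EOF
}

# summarize_fw_log: syslog (or dmesg) on stdin; prints "hits IN->OUT PROTO SRC DST DPT",
# most frequent first. Lines without the prefix (other daemons) are ignored.
summarize_fw_log() {
    awk -v prefix="$PREFIX" '
        index($0, prefix) == 0 { next }
        {
            ifc = ""; ofc = ""; src = ""; dst = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "IN") ifc = v
                else if (k == "OUT") ofc = v
                else if (k == "SRC") src = v
                else if (k == "DST") dst = v
                else if (k == "PROTO") proto = v
                else if (k == "DPT") dpt = v
            }
            if (ifc == "") ifc = "local"   # packet generated by this box
            if (ofc == "") ofc = "local"   # packet addressed to this box
            hits[ifc "->" ofc " " proto " " src " " dst " " dpt]++
        }
        END { for (key in hits) print hits[key], key }' | sort -rn
}

# lan_sources: the subset of flows that entered on some LAN-side interface and
# left on the WAN, i.e. traffic a machine behind the router generated, not the
# router itself.
lan_sources() {
    summarize_fw_log | awk -v wan="$WAN_IF" '
        { split($2, d, "->"); if (d[1] != "local" && d[2] == wan) print }'
}

sample_syslog | summarize_fw_log
echo "-- flows generated by LAN hosts --"
sample_syslog | lan_sources
```

Against real data, feed the log in instead of the sample: `grep FW-LOG-suspicious /var/log/messages | summarize_fw_log`. The LAN-sourced rows are the ones that implicate the machine behind the router rather than the router.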
runningwithscissors Guru
Joined: 21 Apr 2006 Posts: 454 Location: the third world
Posted: Sun Oct 21, 2007 8:03 pm
Hu wrote:
> If you remember the foreign address or the ports involved, please post those.
The foreign address was: 116.90.184.41
I didn't make a note of the ports involved, sadly. However, they weren't the ports that I've left open to the internet (22, 80 and 443).
Hu wrote:
> Also, please show us your iptables rules. You can print them all by running iptables-save -c.
Code:
# Generated by iptables-save v1.3.8 on Mon Oct 22 01:32:59 2007
*raw
:PREROUTING ACCEPT [48196461:41061699019]
:OUTPUT ACCEPT [48261228:32541021623]
COMMIT
# Completed on Mon Oct 22 01:32:59 2007
# Generated by iptables-save v1.3.8 on Mon Oct 22 01:32:59 2007
*nat
:PREROUTING ACCEPT [34:6342]
:POSTROUTING ACCEPT [23:4012]
:OUTPUT ACCEPT [75:7195]
[0:0] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 22 01:32:59 2007
# Generated by iptables-save v1.3.8 on Mon Oct 22 01:32:59 2007
*mangle
:PREROUTING ACCEPT [804:580326]
:INPUT ACCEPT [803:580283]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [818:140941]
:POSTROUTING ACCEPT [868:147615]
COMMIT
# Completed on Mon Oct 22 01:32:59 2007
# Generated by iptables-save v1.3.8 on Mon Oct 22 01:32:59 2007
*filter
:INPUT ACCEPT [6:774]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:324]
[0:0] -A INPUT -i eth1 -j ACCEPT
[0:0] -A INPUT -i br0 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 116.90.184.41 -j DROP
[0:0] -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i ppp0 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A FORWARD -d xxx.xxx.xxx.xxx -i br0 -j DROP
[0:0] -A FORWARD -s xxx.xxx.xxx.xxx -i br0 -j ACCEPT
[0:0] -A FORWARD -d xxx.xxx.xxx.xxx -i ppp0 -j ACCEPT
[0:0] -A OUTPUT -d 116.90.184.41 -j DROP
COMMIT
# Completed on Mon Oct 22 01:32:59 2007
ppp0 is the internet interface. eth1 is the LAN and br0 is a bridge I've created for any VMs I run to be available through the LAN.
I know those aren't the tightest set of rules you can come up with. For starters they don't pay much attention to non tcp traffic. I'll fix them soon.
Hu wrote:
> Consider modifying the rules which banned the suspicious hosts so that you get log records for any future contact. Use -d suspicious-foreign-host -m limit --limit 5/min -j LOG --log-prefix "FW-LOG-suspicious " --log-ip-options --log-tcp-options in the chains where you have a DROP rule. Then watch your firewall logs for anything with that prefix.
Thanks for the tip. I'll do that.
Hu wrote:
> You might also find net-analyzer/iptstate useful. It shows both connections originating from the box (like netstat) and connections forwarded through the box.
Thanks. I'll give that program a go.
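The posted ruleset shows three things worth tightening beyond the non-TCP gap the poster already names: INPUT and FORWARD have ACCEPT policies, so anything not explicitly dropped gets through; the banned host is dropped only in INPUT and OUTPUT, so the FORWARD chain still lets a LAN host reach it; and the DROP rules produce no record of further contact. The script below is an added example, not the poster's configuration or Hu's, that regenerates the same setup in iptables-restore format with DROP policies, connection tracking for return traffic, the banned host handled in all three chains through one small chain that logs with Hu's prefix before dropping, and the published services limited to 22, 80 and 443 on the WAN side. Interface names and the banned address come from the thread; the LAN subnet 10.0.0.0/24 is an assumption, and the masked per-host FORWARD rules from the posted set are left out because their addresses are redacted on the page.

```shell
#!/bin/sh
# Added example, not the poster's or Hu's configuration: a stateful rewrite of
# the rules posted above in iptables-restore format. Changes from the posted set:
#   - INPUT and FORWARD default to DROP (UDP/ICMP no longer pass by default)
#   - return traffic is admitted by connection tracking instead of ad hoc rules
#   - the banned host is logged (rate limited, Hu's prefix) then dropped in
#     INPUT, OUTPUT and FORWARD; the posted rules never touch it in FORWARD
#   - published services are matched as NEW connections on the WAN interface
# Interface names and the banned host come from the thread; the LAN subnet is
# an assumption for this example.

WAN=ppp0; LAN=eth1; BRIDGE=br0
LAN_NET=10.0.0.0/24          # assumption: not stated in the thread
BANNED=116.90.184.41
LOGOPTS='-m limit --limit 5/min -j LOG --log-prefix "FW-LOG-suspicious " --log-ip-options --log-tcp-options'

# build_rules: print the complete iptables-restore input to stdout.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BANNED - [0:0]
# banned host: log (rate limited) then drop, shared by all three chains
-A BANNED $LOGOPTS
-A BANNED -j DROP
-A INPUT -s $BANNED -j BANNED
-A OUTPUT -d $BANNED -j BANNED
-A FORWARD -s $BANNED -j BANNED
-A FORWARD -d $BANNED -j BANNED
# replies to connections this box or the LAN opened; drop what conntrack cannot place
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# trusted interfaces
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -i $BRIDGE -j ACCEPT
# services published on the internet side, plus rate-limited ping
-A INPUT -i $WAN -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN -p icmp -m icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
# LAN and bridged VMs may open new connections outward; nothing else is forwarded
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $BRIDGE -o $WAN -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print by default; load into the kernel only when asked explicitly (needs root).
if [ "${1:-print}" = "apply" ]; then
    build_rules | iptables-restore
else
    build_rules
fi
```

Run it without arguments to review the generated rules, and with `apply` as root to load them; because the LOG rule sits in front of the DROP in the BANNED chain, every later packet to or from that host leaves a line with the FW-LOG-suspicious prefix in the kernel log.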
Hu Administrator
Joined: 06 Mar 2007 Posts: 23081
Posted: Mon Oct 22, 2007 1:17 am
runningwithscissors wrote:
> I know those aren't the tightest set of rules you can come up with. For starters they don't pay much attention to non tcp traffic. I'll fix them soon.
If you want assistance tightening the rules, or if you want a critique after you make your planned changes, feel free to ask.