Cereza Guru
Joined: 14 Apr 2006 Posts: 428
Posted: Thu Nov 22, 2007 12:52 am Post subject: Mutant ~/.bashrc
Hello.
The point is that some lines of my .bashrc are changing on their own. I have a cute ASCII bear as a user welcome, which, like my prompt, is sometimes deformed. The ~/.bashrc lines are:
```bash
if [[ ${EUID} == 0 ]]
then
    # we are root
    PS1="${top}${RED}(${CYAN}\d, \t${RED})${NC}-${RED}(\u@\H)${NC}-${RED}(${BLUE}\w${RED})${NC}-·\n${bottom}${pink}[\#]${NC}-> # "
else
    # we are not root
    PS1="${top}${RED}(${CYAN}\d, \t${RED})${NC}-${RED}(${GREEN}\u@\H${RED})${NC}-${RED}(${BLUE}\w${RED})${NC}-·\n${bottom}${pink}[\#]${NC}-> $ "
fi
# Welcome the user
echo
echo ' (()__(()'
echo ' / \'
echo ' ( / \ \'
echo ' \ o o /'
echo ' (_()_)__/ \'
echo ' / _,==.____ \'
echo ' ( |--| )'
echo ' /\_.|__|´-.__/\_'
echo ' / ( / \'
echo ' \ \ ( /'
echo ' ) ´._____) /'
echo ' (((____.--(((____/'
echo
```
But sometimes I notice the bear and the prompt are deformed; then I look at my ~/.bashrc and I can see it changed on its own! The same lines look like this:
```bash
if [[ ${EUID} == 0 ]]
then
    # we are root
    PS1="${top}${RED}(${CYAN}\d, \t${RED})${NC}-${RED}(\u@\H)${NC}-${RED}(${BLUE}\w${RED})${NC}-ÀÀÀÀÀÀÀÀÀÀÀÀ·\n${bottom}${pink}[\#]${NC}-> # "
else
    # we are not root
    PS1="${top}${RED}(${CYAN}\d, \t${RED})${NC}-${RED}(${GREEN}\u@\H${RED})${NC}-${RED}(${BLUE}\w${RED})${NC}-ÀÀÀÀÀÀÀÀÀÀÀÀ·\n${bottom}${pink}[\#]${NC}-> $ "
fi
# Welcome the user
echo
echo ' (()__(()'
echo ' / \'
echo ' ( / \ \'
echo ' \ o o /'
echo ' (_()_)__/ \'
echo ' / _,==.____ \'
echo ' ( |--| )'
echo ' /\_.|__|ÀÀÀÀÀÀÀÀÀÀÀÀ´-.__/\_'
echo ' / ( / \'
echo ' \ \ ( /'
echo ' ) ÀÀÀÀÀÀÀÀÀÀÀÀ´._____) /'
echo ' (((____.--(((____/'
echo
```
Poor bear, he doesn't deserve any harm from anyone, why him?
OK, let's face it, I know this is not a mortal issue, but I don't understand why my ~/.bashrc is changing on its own.
ThomasAdam Guru
Joined: 20 Mar 2005 Posts: 448 Location: England
Posted: Thu Nov 22, 2007 7:19 am
Aww, cute bear.
Does it actually render like that when changed?
-- Thomas Adam
Cereza Guru
Joined: 14 Apr 2006 Posts: 428
Posted: Thu Nov 22, 2007 4:27 pm
Mmmm, I don't understand you very well, my English is a bit poor :/
Do you mean whether the bear and prompt are shown correctly in the terminal even if the .bashrc changes? No, they look deformed in the terminal if the .bashrc is deformed. I took a snapshot: http://img91.imageshack.us/img91/6900/mutantbearim5.jpg
Looks like a car knocked down the bear.
Actually I "solved" it by removing my user's write permission on .bashrc, but I think this is not a clean solution, and I still don't understand why .bashrc changes on its own. I think the point is the characters before the deformation, the "´" and the "·"; the deformed characters always appear there.
Last edited by Cereza on Thu Nov 22, 2007 7:41 pm; edited 1 time in total
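The poster's observation above (the damage always lands right before the "´" and "·", both of which are two-byte UTF-8 sequences) is easiest to confirm at the byte level rather than in a terminal that renders the result as garbage. The script below is an added example, not code from the thread: it compares the current ~/.bashrc with a baseline copy saved after the last deliberate edit (the `~/.bashrc.baseline` path is an assumption), reports the offset of the first differing byte, dumps a 16-byte hex window from both copies at that point, and counts non-ASCII bytes in each. The sample files it builds are constructed from the thread's bear line.

```sh
#!/bin/sh
# Added example (not from the thread): locate where and how a dotfile such as
# ~/.bashrc drifted from a baseline copy, byte by byte. Baseline path assumed:
#   cp ~/.bashrc ~/.bashrc.baseline      (run right after your last edit)

# Print the 1-based offset of the first differing byte, or 0 if identical.
first_diff_offset() {
    if cmp -s "$1" "$2"; then
        echo 0
        return 0
    fi
    # "cmp -l" prints one line per differing byte: offset, old byte, new byte.
    off=$(cmp -l "$1" "$2" 2>/dev/null | head -n 1 | awk '{ print $1 }')
    if [ -z "$off" ]; then
        # No byte differs where both files have data, so one file is a prefix
        # of the other: the change starts just past the end of the shorter one.
        a=$(wc -c < "$1" | tr -d ' '); b=$(wc -c < "$2" | tr -d ' ')
        if [ "$a" -lt "$b" ]; then off=$((a + 1)); else off=$((b + 1)); fi
    fi
    echo "$off"
}

# Count bytes with the high bit set (everything outside 7-bit ASCII); the
# inserted "À" runs in the thread are such bytes.
high_byte_count() {
    LC_ALL=C tr -d '\000-\177' < "$1" | wc -c | tr -d ' '
}

# Human-readable report: first differing offset plus a 16-byte hex window from
# each file starting there, so an inserted sequence is visible regardless of
# how the terminal renders it.
drift_report() {
    off=$(first_diff_offset "$1" "$2")
    if [ "$off" -eq 0 ]; then
        echo "unchanged"
        return 0
    fi
    echo "first difference at byte $off"
    for f in "$1" "$2"; do
        printf '%s (%s non-ASCII bytes): ' "$f" "$(high_byte_count "$f")"
        od -A n -t x1 -j $((off - 1)) -N 16 "$f" | tr -s ' \n' ' '
        echo
    done
}

# Constructed sample data modelled on the thread: one bear line as it should
# be, and the same line with twelve U+00C0 "À" characters inserted before the
# "´" (U+00B4), which is what the poster saw. Writes two files into dir $1.
make_samples() {
    acute=$(printf '\302\264')    # UTF-8 bytes of "´"
    agrave=$(printf '\303\200')   # UTF-8 bytes of "À"
    run=""; i=0
    while [ "$i" -lt 12 ]; do run="$run$agrave"; i=$((i + 1)); done
    printf '%s\n' "echo ' /\\_.|__|${acute}-.__/\\_'" > "$1/bashrc.baseline"
    printf '%s\n' "echo ' /\\_.|__|${run}${acute}-.__/\\_'" > "$1/bashrc.current"
}

# Usage: sh drift.sh ~/.bashrc.baseline ~/.bashrc
if [ "$#" -eq 2 ]; then
    drift_report "$1" "$2"
fi
```

On the constructed sample the first difference is byte 16 (the 0xC2 of "´" in the baseline against the 0xC3 of "À" in the mutated copy), and the non-ASCII byte count goes from 2 to 26, twelve two-byte characters more; seeing that pattern in hex is what tells a corrupted or re-encoded multi-byte sequence apart from arbitrary writes to the file.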
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Thu Nov 22, 2007 7:09 pm
It's pretty obvious that some application is writing to your .bashrc. I'm not sure what would do that as it seems like a very bad idea (and it may have serious security implications). In other words, nothing should be writing to your .bashrc and if it is, it is probably bad. I think you may want to emerge chkrootkit or some other rootkit detection utility to ensure that your box has not been compromised.
Cereza Guru
Joined: 14 Apr 2006 Posts: 428
Posted: Thu Nov 22, 2007 11:41 pm
platojones wrote:
> It's pretty obvious that some application is writing to your .bashrc. I'm not sure what would do that as it seems like a very bad idea (and it may have serious security implications). In other words, nothing should be writing to your .bashrc and if it is, it is probably bad. I think you may want to emerge chkrootkit or some other rootkit detection utility to ensure that your box has not been compromised.

Thank you for the answer, I didn't know about rootkits, I tried it:
```
# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... /proc/4023/fd: No such file or directory
ppp0: PF_PACKET(/usr/bin/jnettop)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! 500 12928 pts/1 htop
! 500 13027 pts/3 screen -c /home/pelusilla/.fvwm/app-config-files/screenrc-pelusilla -D -RR
! 500 18817 tty7 X :0 -nolisten tcp -br -auth /home/pelusilla/.serverauth.18797 -deferglyphs 16
! 500 18862 pts/0 /usr/bin/python /usr/bin/mtail -n 2 -f --remove-blanks /var/log/messages /var/log/apache2/access_log logs/fvwm.log
! root 18864 pts/2 jnettop -i ppp0
chkutmp: nothing deleted
```
But everything looks fine, except for:
```
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
```
Edit: In a second test I didn't get that warning.
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Thu Nov 22, 2007 11:57 pm
```
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
```
Ok, that is another indicator that something is wrong. Now you have 2 pieces of evidence that indicate that someone has illegal access to your box. I would advise that you install another rootkit detection utility, like rkhunter, and run it to see if it finds anything. If it does, I would say your best alternative is to do a complete re-install. Then, do not connect to the internet again until you have a good firewall in place. Again, I know of no legitimate application that modifies an existing .bashrc file. If someone does have root access, they can do terrible things to your computer and you. Unless proven otherwise, I would advise you treat this machine as if it was controlled by someone else and don't do anything you would not fear exposing to a criminal.
If this turns out to be the case (and I suspect it will), it's fascinating. You will have detected an illegal intrusion on your machine with a piece of ascii art :D
Let us know what you find.
Best Wishes.
Cereza Guru
Joined: 14 Apr 2006 Posts: 428
Posted: Fri Nov 23, 2007 12:26 am
platojones wrote:
> ```
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
> ```
> Ok, that is another indicator that something is wrong. Now you have 2 pieces of evidence that indicate that someone has illegal access to your box. I would advise that you install another rootkit detection utility, like rkhunter, and run it to see if it finds anything. If it does, I would say your best alternative is to do a complete re-install. Then, do not connect to the internet again until you have a good firewall in place. Again, I know of no legitimate application that modifies an existing .bashrc file. If someone does have root access, they can do terrible things to your computer and you. Unless proven otherwise, I would advise you treat this machine as if it was controlled by someone else and don't do anything you would not fear exposing to a criminal.
> If this turns out to be the case (and I suspect it will), it's fascinating. You will have detected an illegal intrusion on your machine with a piece of ascii art :D
> Let us know what you find.
> Best Wishes.

Wow, you are scaring me :S
Thank you again, I tried rkhunter and I get the following:
```
# rkhunter -c
Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Skipped!
Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM... [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]
[Press <ENTER> to continue]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit [ Not found ]
Checking /etc/inetd.conf [ Not found ]
Checking /etc/xinetd.conf [ Skipped ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Checking file attributes [ OK ]
Checking LKM module path [ OK ]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces... [ OK ]
[Press <ENTER> to continue]
System checks
* Allround tests
Checking hostname... Found. Hostname is localhost
Checking for passwordless user accounts... OK
Checking for differences in user accounts... [ NA ]
Checking for differences in user groups... Creating file It seems this is your first time.
Checking boot.local/rc.local file...
- /etc/rc.local [ Not found ]
- /etc/rc.d/rc.local [ Not found ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ OK ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files... [ Not found ]
Checking Gentoo local.start file... [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]
[Press <ENTER> to continue]
Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- GnuPG 2.0.7 [ Unknown ]
- OpenSSL 0.9.8e [ Unknown ]
- OpenSSH 4.7p1 [ Unknown ]
Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or contact us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
[Press <ENTER> to continue]
---------------------------- Scan results ----------------------------
MD5 scan
Skipped
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 0
Scanning took 116 seconds
-----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas
or suggestions? Please e-mail us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
-----------------------------------------------------------------------
```
Everything seems OK. A third chkrootkit run:
```
# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... ppp0: PF_PACKET(/usr/bin/jnettop)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! 500 12928 pts/1 htop
! 500 13027 pts/3 screen -c /home/pelusilla/.fvwm/app-config-files/screenrc-pelusilla -D -RR
! 500 18817 tty7 X :0 -nolisten tcp -br -auth /home/pelusilla/.serverauth.18797 -deferglyphs 16
! 500 18862 pts/0 /usr/bin/python /usr/bin/mtail -n 2 -f --remove-blanks /var/log/messages /var/log/apache2/access_log logs/fvwm.log
! root 18864 pts/2 jnettop -i ppp0
chkutmp: nothing deleted
```
It doesn't show any problem (same as the second time). I was googling and I found the following at this forum:
http://www.linuxquestions.org/questions/linux-security-4/possible-lkm-trojan-install-kernel-2.6.0-127748/
Quote:
> Checking `lkm'... You have 6 process hidden for readdir command
> This message comes from the chkproc binary.
> ```
> $ grep -a readdir /usr/local/sbin/chkproc
> /proc/%dPID %5d: not in readdir output
> You have % 5d process hidden for readdir command
> ```
> Chkproc checks "ps" output with process dirs in /proc.
> Some processes are shortlived and die before chkproc can check 'em.
> Then chkproc shows an error.

I don't know what to think.
Edit: I still think it can be something related to the characters "´" and "·"; the deformed characters always appear before them.
I believe I am using a secure firewall configuration:
```
# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT tcp -- 213.4.149.12 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8010
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.0.0/16
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
But if anyone knows how to improve it and wants to share, I will be thankful. :)
Last edited by Cereza on Fri Nov 23, 2007 12:40 am; edited 1 time in total
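The LinuxQuestions post quoted above describes why chkproc's "process hidden" warning can be a false positive: it compares the PIDs visible under /proc with what ps reports, and a process that exits between the two listings looks hidden. The script below is an added example, written for this thread and not chkrootkit's own code: it reproduces that readdir-versus-ps comparison and adds the obvious safeguard, a second round after a pause, so that only a PID reported missing both times is worth attention. chkproc additionally probes /proc/<pid> for every possible PID to catch entries hidden from readdir but reachable by stat; that part is not reproduced here. The PID lists in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the thread, not chkrootkit's code): the core of
# chkproc's check, PIDs seen as /proc/<pid> directories versus PIDs reported
# by ps, repeated twice so that short-lived processes drop out.

# PIDs in list $1 that are absent from list $2 (whitespace-separated lists),
# one per line, numerically sorted, duplicates removed.
pids_missing_from() {
    { printf 'B %s\n' $2; printf 'A %s\n' $1; } |
    awk '$2 == "" { next }
         $1 == "B" { seen[$2] = 1; next }
         !($2 in seen) && !done[$2]++ { print $2 }' | sort -n
}

# PIDs present in both lists.
pids_common() {
    { printf 'B %s\n' $2; printf 'A %s\n' $1; } |
    awk '$2 == "" { next }
         $1 == "B" { seen[$2] = 1; next }
         ($2 in seen) && !done[$2]++ { print $2 }' | sort -n
}

# Live views: numeric entries of /proc (what readdir returns) and ps's list.
proc_pids() { ls /proc | grep '^[0-9][0-9]*$'; }
ps_pids()   { ps -e -o pid=; }

# One round. The ls that listed /proc has usually exited by the time ps runs,
# so its own PID tends to show up here: a built-in transient false positive.
hidden_once() { pids_missing_from "$(proc_pids)" "$(ps_pids)"; }

# Two rounds separated by a pause; only PIDs hidden in both survive. A process
# that a kernel module hides from ps is reported every round, a process that
# merely exited between the listings is not.
persistent_hidden() {   # usage: persistent_hidden [seconds-between-rounds]
    r1=$(hidden_once)
    sleep "${1:-2}"
    r2=$(hidden_once)
    pids_common "$r1" "$r2"
}

# Usage: sh hidden.sh --live   (prints nothing when no PID is persistently hidden)
if [ "$1" = "--live" ]; then
    persistent_hidden 2
fi
```

A PID printed by `persistent_hidden` is only an inconsistency between two kernel-provided views of the process table, not proof of a rootkit, but it is the kind of result that deserves a second look from a trusted environment, which is what the thread's later advice about reinstalling amounts to.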
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Fri Nov 23, 2007 12:39 am
Cereza wrote:
> Wow, you are scaring me :S

Well, I'm not trying to scare you, but I do believe you have reason to be extremely concerned. I have never seen a case where a program modifies .bashrc. There is really no good legitimate reason for it. I do not know what your setup is (i.e., what if any firewall protection you have, what applications you are running, if you have ever connected to the internet without a good firewall in place, etc), but I would seriously take the worst case scenario into consideration. I mean, you have to weigh the potential downside here, but if you need more information, please do a search on these forums by simply searching for the word 'rootkit'. You will get an eyeful, and some very good tips on how to deal with it. Paranoia is a virtue when dealing with the internet. I still think you have an intruder. Try running the command 'last' and look at the third column to see if there are any FQDNs or IP addresses that you do not recognize. If so, that's another piece of evidence.
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Fri Nov 23, 2007 12:48 am
BTW, there is one other possibility that I didn't consider earlier. Your hard disk may be corrupted to some extent. Have you run fsck on it lately?
Cereza Guru
Joined: 14 Apr 2006 Posts: 428
Posted: Fri Nov 23, 2007 1:36 am
platojones wrote:
> BTW, there is one other possibility that I didn't consider earlier. Your hard disk may be corrupted to some extent. Have you run fsck on it lately?

I check the partitions often on boot, but I tried fsck from a livecd anyway; it corrected some problems, but the home partition where .bashrc lives was clean.
I just noticed lots of weird .exe files are invading my home directory... A piece of `slocate *.exe`:
```
/home/pelusilla/doc/linux/ssjbjewb.exe
/home/pelusilla/doc/linux/jvtjjssn.exe
/home/pelusilla/doc/linux/rrvtkstq.exe
/home/pelusilla/doc/linux/rwjwbbst.exe
/home/pelusilla/doc/linux/vththhrh.exe
/home/pelusilla/doc/linux/bejblecb.exe
/home/pelusilla/doc/linux/kjjblbhh.exe
/home/pelusilla/doc/linux/stwzzjeb.exe
/home/pelusilla/doc/linux/HOWTO_Castellanizar_Gentoo_files/qjvjtqzk.exe
/home/pelusilla/doc/linux/HOWTO_Castellanizar_Gentoo_files/kzhhqqee.exe
/home/pelusilla/doc/linux/btrkhrne.exe
/home/pelusilla/doc/linux/lrjtcrjk.exe
/home/pelusilla/doc/linux/xxbbeeje.exe
/home/pelusilla/doc/linux/zbnkenjs.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/klbsntzh.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/ttbkkkxv.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/ltezweek.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/whlksklz.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/bskzrrhs.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/rkhlshrb.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/wscjvhrs.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/slnscbnr.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/tnkbtnce.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/lshbclhc.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/blcnnvlz.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/jzvwrsez.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/xrvbhbtz.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/bsstnqlt.exe
```
O__O I have no idea how they appeared, this looks soooooo strange, looks like I have a broken system :P
Edit: Well, I know now I must make a new install, but the point is I felt my iptables configuration was secure, so before making a new installation I have to study how to secure my box...
```
# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT tcp -- 213.4.149.12 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8010
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.0.0/16
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
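The `iptables -nL` listing above does not show in/out interfaces or every match option, so the fifth INPUT rule, `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0`, could be anything from "accept everything" to a harmless `-i eth1` rule for a LAN interface; `iptables-save -c` prints each rule with all of its criteria and its counters. The script below is an added example, not from the thread: it reads `iptables-save` output, reports each filter chain's policy, and flags ACCEPT rules that carry no match at all. The sample rule set is constructed to mirror the listing above, with made-up counters and with the open rule written both ways.

```sh
#!/bin/sh
# Added example (not from the thread): audit the filter table from
# "iptables-save -c" output. Live usage: iptables-save -c | sh audit.sh

# Policy of a chain, read from its ":CHAIN POLICY [pkts:bytes]" header line.
chain_policy() {   # usage: chain_policy CHAIN < iptables-save-output
    awk -v chain="$1" '$1 == (":" chain) { print $2; exit }'
}

# Rules of the form "-A CHAIN -j ACCEPT" with nothing in between: no source,
# interface, protocol, port or state restriction, so they accept everything.
unrestricted_accepts() {   # usage: unrestricted_accepts CHAIN < iptables-save-output
    awk -v chain="$1" '
        {
            s = 1
            if ($1 ~ /^\[/) s = 2                  # skip "[pkts:bytes]" from -c
            if ($s != "-A" || $(s + 1) != chain) next
            if (NF - s + 1 == 4 && $(s + 2) == "-j" && $(s + 3) == "ACCEPT") print
        }'
}

# Summary over the built-in filter chains.
audit_filter() {   # usage: audit_filter < iptables-save-output
    save=$(cat)
    for chain in INPUT FORWARD OUTPUT; do
        policy=$(printf '%s\n' "$save" | chain_policy "$chain")
        open=$(printf '%s\n' "$save" | unrestricted_accepts "$chain")
        echo "$chain: policy ${policy:-unknown}"
        if [ -n "$open" ]; then
            printf '  accepts everything: %s\n' "$open"
        fi
    done
}

# Constructed sample in iptables-save -c format, mirroring the rules in the
# thread's "iptables -nL" listing; the packet counters are made up.
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[1200:96000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[10:800] -A INPUT -s 127.0.0.1/32 -j ACCEPT
[0:0] -A INPUT -s 213.4.149.12/32 -p tcp -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[55:4400] -A INPUT -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8010 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.0/16 -j ACCEPT
[0:0] -A FORWARD -d 192.168.0.0/16 -j ACCEPT
COMMIT'

# The same rule set where the open rule is actually bound to a LAN interface,
# a restriction that "iptables -nL" would not have displayed.
SAMPLE_SAVE_LAN=$(printf '%s\n' "$SAMPLE_SAVE" |
    sed 's/^\(\[[0-9:]*\] -A INPUT\) -j ACCEPT$/\1 -i eth1 -j ACCEPT/')

# Demo on the constructed sample: flags "[55:4400] -A INPUT -j ACCEPT".
printf '%s\n' "$SAMPLE_SAVE" | audit_filter
```

Run against the first sample the audit flags the unrestricted INPUT rule; against the interface-bound variant it flags nothing, which is exactly the distinction the `-nL` listing cannot make. Note also what the counters tell you: an open rule with a non-zero packet count has been accepting traffic, and on a chain whose policy is DROP it sits ahead of the port-8010 rule that was presumably meant to be the only other entry point.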
platojones Veteran
Joined: 23 Oct 2002 Posts: 1602 Location: Just over the horizon
Posted: Fri Nov 23, 2007 2:24 am
Cereza wrote:
> Edit: Well, I know now I must make a new install, but the point is I felt my iptables configuration was secure, so before making a new installation I have to study how to secure my box...

Yes, you have definitely been taken over, I'm afraid. I, long ago, bought a commercial hardware firewall (linux based) because I have two boxes and never really trusted myself to get it 100% right. Fortunately, there are several good, free linux firewalls available to you in Gentoo Portage. The last one I used was shorewall, but there are probably better ones out there by now. I would recommend you look at using one of those instead of trying to create a custom iptables firewall (unless you are quite confident in your tcp/ip and linux iptables skills).
Hu Administrator
Joined: 06 Mar 2007 Posts: 23082
Posted: Fri Nov 23, 2007 4:31 am
Those iptables rules look wrong. Specifically, the second to last rule on the INPUT chain appears to allow far too much. This may be OK, since you are not showing all criteria. In the future, I recommend using iptables-save -c to list the contents of your iptables rules. It shows all tables, shows packet counters, and shows all conditions. Also, the output is machine readable, so other users can analyze it more easily.
I suggest you use the enclosed script as a starting point, and modify it as needed to poke specific holes for the services you intend to allow. It is designed to provide a simple and safe filter for a workstation. Ultimately, you may be better served by a more user friendly firewall, but this should protect you until you have time to configure and activate your firewall front end of choice.
Code: | #!/bin/bash
WAN_IFACE='eth0'
LAN_IFACE='eth1'
IPTABLES='/sbin/iptables'
# Silently discard incoming traffic which does not match any rule.
${IPTABLES} -P INPUT DROP
# Silently refuse to forward traffic which does not match any rule.
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT
# Flush the tables.
for table in $(< /proc/net/ip_tables_names ) ; do
${IPTABLES} -t "${table}" -F
${IPTABLES} -t "${table}" -X
done
# Reset all the chains to a known policy.
if grep -q nat /proc/net/ip_tables_names ; then
for chain in PREROUTING POSTROUTING OUTPUT; do
${IPTABLES} -t nat -P "${chain}" ACCEPT
done
fi
if grep -q mangle /proc/net/ip_tables_names ; then
for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
${IPTABLES} -t mangle -P "${chain}" ACCEPT
done
fi
# Accept loopback traffic. Necessary to keep IP-over-localhost working.
# *** Do not remove unless you know _EXACTLY_ what you are doing. ***
${IPTABLES} -A INPUT -i lo -j ACCEPT
# Accept traffic from connections which already existed. Without any
# rules to permit incoming connections, this rule requires that this
# machine initiate all connections.
# Requires NETFILTER_XT_STATE_MATCH
${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN users have unrestricted access to services on this machine.
#${IPTABLES} -A INPUT -i "${LAN_IFACE}" -j ACCEPT
# Log any traffic which gets here, but use a limit modifier so that the
# logs do not fill with every single incoming dropped packet. This is a
# non-terminating target, so traffic which matches it will continue on.
${IPTABLES} -A INPUT -m limit -j LOG --log-tcp-options --log-ip-options
# If you are serving as a gateway for other hosts, uncomment the FORWARD
# and POSTROUTING rules.
#${IPTABLES} -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN users have unrestricted access outbound.
#${IPTABLES} -A FORWARD -i "${LAN_IFACE}" -j ACCEPT
# Traffic sent to the WAN should be masqueraded so that private range IP
# addresses are not sent to the public Internet.
#${IPTABLES} -t nat -A POSTROUTING -o "${WAN_IFACE}" -j MASQUERADE
exit 0
# Optional features (comment out the exit to run them)
# Accept incoming connections to TCP port 12345. This is needed if you
# want to run a TCP server on port 12345 and have someone connect to it.
${IPTABLES} -A INPUT -p tcp -m tcp --dport 12345 -j ACCEPT
# Accept incoming packets on UDP port 12345. This is needed if you
# want to run a UDP server on port 12345 and have someone connect to it.
${IPTABLES} -A INPUT -p udp -m udp --dport 12345 -j ACCEPT
|
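Hu's point that `iptables-save -c` output is machine readable can be put to work directly. What follows is an added example, not Hu's script and not code from the thread: a small Python parser for `iptables-save` dumps (with or without the `-c` counters) and a lint pass that reports the two defects visible in the ruleset quoted earlier, an ACCEPT rule with no match criteria in an INPUT chain whose policy is DROP, and any rule sitting behind such a rule, which can never match. It also reports a LOG rule with no `-m limit`, the case Hu's script guards against. The dump in `SAMPLE` is constructed to resemble that ruleset as `iptables-save -c` would print it; it is not a real capture, and the packet counters in it are made up.

```python
"""Parse an `iptables-save -c` dump and flag rules that defeat a DROP policy.

Added example for the thread above; not Hu's script and not a real dump.
"""
import re
import shlex
from dataclasses import dataclass, field

# `:CHAIN POLICY [pkts:bytes]` lines open each chain in a table.
POLICY_LINE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
# `[pkts:bytes] -A CHAIN args...` is the rule form; the counter prefix is
# present with `iptables-save -c` and absent without it, so it is optional.
RULE_LINE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s*(.*)$")

# Targets that end the chain walk for a matching packet. LOG, MARK and the
# like are non-terminating: the packet continues to the next rule.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


@dataclass
class Rule:
    chain: str
    target: str
    matches: list       # tokens before -j/-g, i.e. the match criteria
    packets: int
    byte_count: int
    text: str

    @property
    def unconditional(self):
        """True when the rule carries no match criteria at all."""
        return not self.matches


@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain -> policy name
    rules: dict = field(default_factory=dict)     # chain -> [Rule]


def parse_iptables_save(dump):
    """Return {table_name: Table} for the text of an iptables-save dump."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], Table())
            continue
        if line == "COMMIT":
            current = None
            continue
        m = POLICY_LINE.match(line)
        if m:
            current.policies[m.group(1)] = m.group(2)
            current.rules.setdefault(m.group(1), [])
            continue
        m = RULE_LINE.match(line)
        if m:
            pkts, byts, chain, rest = m.groups()
            tokens = shlex.split(rest)
            target, matches = None, []
            for i, tok in enumerate(tokens):
                if tok in ("-j", "-g") and i + 1 < len(tokens):
                    target = tokens[i + 1]  # later tokens are target options
                    break
                matches.append(tok)
            current.rules.setdefault(chain, []).append(
                Rule(chain, target, matches, int(pkts or 0), int(byts or 0), line))
    return tables


def has_match_module(rule, name):
    """True if the rule loads match extension `name` via `-m name`."""
    return any(a == "-m" and b == name
               for a, b in zip(rule.matches, rule.matches[1:]))


def lint_chain(table_name, table, chain):
    findings = []
    policy = table.policies.get(chain)
    shadowed = False  # set once a rule matches every packet and terminates
    for n, rule in enumerate(table.rules[chain], start=1):
        where = f"{table_name}/{chain} rule {n}"
        if shadowed:
            findings.append(f"{where} is unreachable, an earlier rule already "
                            f"matches every packet: {rule.text}")
            continue
        if rule.target == "LOG" and not has_match_module(rule, "limit"):
            findings.append(f"{where} logs without -m limit and can flood the "
                            f"log: {rule.text}")
        if rule.unconditional and rule.target in TERMINATING:
            if rule.target == "ACCEPT" and policy == "DROP":
                findings.append(f"{where} accepts every packet, so the DROP "
                                f"policy never applies: {rule.text}")
            shadowed = True
    return findings


def lint(tables):
    """Run lint_chain over every chain of every table, in dump order."""
    return [f for name, table in tables.items()
            for chain in table.rules
            for f in lint_chain(name, table, chain)]


# Constructed sample shaped like the INPUT/FORWARD rules quoted in the thread,
# rendered the way `iptables-save -c` prints them. Not a real capture.
SAMPLE = """\
*filter
:INPUT DROP [42:3360]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [918:73440]
[1200:96000] -A INPUT -i lo -j ACCEPT
[8800:9240000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[17:1020] -A INPUT -m limit --limit 3/hour -j LOG --log-tcp-options --log-ip-options
[3:180] -A INPUT -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8010 -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.0/16 -j ACCEPT
[0:0] -A FORWARD -d 192.168.0.0/16 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for finding in lint(parse_iptables_save(SAMPLE)):
        print(finding)
```

On a live box the input would be `iptables-save -c` captured to a file and passed to `parse_iptables_save`; the lint deliberately treats only rules with no criteria at all as "matches everything", so an ACCEPT that `iptables -L` prints as `all -- 0.0.0.0/0 0.0.0.0/0` but that actually carries `-m state` is not flagged, which is exactly the ambiguity Hu points out with the `-L` listing.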
mark_alec Bodhisattva
Joined: 11 Sep 2004 Posts: 6066 Location: Melbourne, Australia
Posted: Sun Nov 25, 2007 1:46 am
Moved from Other Things Gentoo to Networking & Security.
Cereza Guru
Joined: 14 Apr 2006 Posts: 428
Posted: Mon Nov 26, 2007 1:17 am
Thank you all.
Finally I made a new installation, but I still think the issue was about the special characters and not about a security failure/intrusion. Now I placed "." instead of "·" in the prompt, and "-" and "\" instead of "´" in the poor bear, who now looks like this:
Code: | # Welcome the user
echo
echo ' (()__(() (Now 100% free of special characters!)'
echo ' / \ /'
echo ' ( / \ \ /'
echo ' \ o o /'
echo ' (_()_)__/ \'
echo ' / _,==.____ \'
echo ' ( |--| )'
echo ' /\_.|__|--.__/\_'
echo ' / ( / \'
echo ' \ \ ( /'
echo ' ) \._____) /'
echo ' (((____.--(((____/'
echo |
About the .exe files invading my home: I play too many Windows games through Wine and Cedega, and sometimes I use mods, updates, etc. I think the .exe files are related to this; maybe I executed some kind of malware through Wine, or a game didn't work too well. This sounds silly, but I don't think it is: I remember playing worms3D generates in my home dir a lot of files named after all my home dirs but with .snd (pictures.snd, music.snd, videos.snd, documents.snd...).
To avoid that, in the new installation I decided to create a new user only to play Windows games and manage the files related to them. I don't want any more unsafe .exe files in my user home.
Last edited by Cereza on Wed Nov 28, 2007 4:46 am; edited 1 time in total
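Before reasoning about which characters to keep, a practitioner faced with a startup file that keeps changing would want two plain checks: a recorded hash of the known-good file, so the next change is caught the moment it happens, and a byte-level view of what actually sits on the affected lines, since the same bytes render differently under UTF-8 and Latin-1 and a terminal listing hides that. The following is an added example, not something Cereza or the other posters wrote. `ORIGINAL` and `MUTATED` are constructed byte strings shaped like the bear line quoted in the thread, not copies of the real file, and the script makes no claim about why that file changed.

```python
"""Record a hash of a shell startup file and show the raw bytes of every
non-ASCII run in it.

Added example for the thread above; not the poster's own files or script.
ORIGINAL and MUTATED are constructed to resemble one line of the bear.
"""
import hashlib
import re
from itertools import zip_longest

NON_ASCII_RUN = re.compile(rb"[\x80-\xff]+")

# Constructed: the bear line as UTF-8, where the acute accent is c2 b4 ...
ORIGINAL = b"# Welcome the user\necho ' /\\_.|__|\xc2\xb4-.__/\\_'\n"
# ... and a copy with twelve extra UTF-8 characters (c3 80, 'À') inserted
# before that accent, mimicking the shape of the corrupted line in the thread.
MUTATED = (b"# Welcome the user\necho ' /\\_.|__|" + b"\xc3\x80" * 12
           + b"\xc2\xb4-.__/\\_'\n")


def fingerprint(data):
    """SHA-256 of the file contents; record this while the file is known good."""
    return hashlib.sha256(data).hexdigest()


def non_ascii_runs(data):
    """Locate every run of bytes >= 0x80 and decode it both ways.

    `utf8` is None when the run is not valid UTF-8; `latin1` always decodes,
    one character per byte, which is how a Latin-1 terminal would show it.
    """
    runs = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        for m in NON_ASCII_RUN.finditer(line):
            chunk = m.group()
            try:
                as_utf8 = chunk.decode("utf-8")
            except UnicodeDecodeError:
                as_utf8 = None
            runs.append({"line": lineno, "col": m.start(), "hex": chunk.hex(),
                         "utf8": as_utf8, "latin1": chunk.decode("latin-1")})
    return runs


def differing_lines(old, new):
    """Line-by-line byte comparison: [(line_no, old_line, new_line), ...]."""
    pairs = zip_longest(old.split(b"\n"), new.split(b"\n"), fillvalue=b"")
    return [(n, a, b) for n, (a, b) in enumerate(pairs, start=1) if a != b]


def audit(data, baseline_sha256):
    """Compare a file's current bytes against the recorded hash."""
    digest = fingerprint(data)
    return {"sha256": digest, "changed": digest != baseline_sha256,
            "non_ascii": non_ascii_runs(data)}


if __name__ == "__main__":
    baseline = fingerprint(ORIGINAL)      # taken when the file was known good
    report = audit(MUTATED, baseline)
    print("changed:", report["changed"])
    for run in report["non_ascii"]:
        print(f"line {run['line']} col {run['col']}: {run['hex']}  "
              f"utf8={run['utf8']!r} latin1={run['latin1']!r}")
    for n, a, b in differing_lines(ORIGINAL, MUTATED):
        print(f"line {n} differs:\n  was {a!r}\n  now {b!r}")
```

For a real file, `audit(open(path, "rb").read(), baseline)` does the comparison; the baseline hash only tells you something if it is stored where the account whose dotfile is being watched cannot rewrite it, since anything able to edit `~/.bashrc` can edit a hash kept next to it.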
swimmer Veteran
Joined: 15 Jul 2002 Posts: 1330 Location: Netherlands
Posted: Mon Nov 26, 2007 10:34 am
Back to "Other Things Gentoo" then? ;-)