comp.security.ssh: SSH secure remote login and tunneling tools.
#1
Dear groups,

My computer was told that it sent unusual packets from port 60609 to some computer with IP 61.50.138.237 port 22. (more than 20 flows per second!!!)

I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005". I use netstat to check the services I have open: only mysql, samba, vsftp, ssh, http.

I checked /var/log, message and security. I can't find any successful logins from others. But I do find many, many attacks from 61.50.138.* (not including the one, 61.50.138.237, which my computer attacked!!!), and none of them succeeded.

I have some questions to ask all of you, please help me!!!

1. Is my computer hacked? If not, then why does my computer send packets from port 60609 to some computer's port 22?

2. If my computer is hacked, then what can I do? Is reinstalling the system the only way???

THANK YOU VERY MUCH!!!

Jenny

#2

"Jenny" <ahajenny@gmail.com> writes:

> Dear groups,
>
> My computer was told that it sent unusual packets from port 60609 to
> some computer with IP 61.50.138.237 port 22. (more than 20 flows per
> second!!!)
>
> I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
> 2005", I use netstat to check services I open, only mysql, samba,
> vsftp, ssh, http.
>
> I check /var/log, message and security. I can't find any successful
> logging from others. But I do find many many attacks from 61.50.138.*
> (not including the one 61.50.138.237 which my computer attacked!!!),
> and none of them successes.
>
> I have some questions to ask all of you, please me!!!
>
> 1. is my computer hacked? if no, then why my computer sends packets
> from port 60609 to some computer port 22 ?

If neither you nor any authorized user to your knowledge is using the machine then this ssh connection to an IP in China is very likely a compromise.

> 2. if my computer is hacked, then what can I do? reinstalling the
> system is the only way???

Yup. It's the only way to get back to a known state. Wiping and reinstalling from original media.

--
Todd H.
http://www.toddh.net/

#3

Todd H. wrote:

> "Jenny" <ahajenny@gmail.com> writes:
>
> > Dear groups,
> >
> > My computer was told that it sent unusual packets from port 60609 to
> > some computer with IP 61.50.138.237 port 22. (more than 20 flows per
> > second!!!)
> >
> > I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
> > 2005", I use netstat to check services I open, only mysql, samba,
> > vsftp, ssh, http.
> >
> > I check /var/log, message and security. I can't find any successful
> > logging from others. But I do find many many attacks from 61.50.138.*
> > (not including the one 61.50.138.237 which my computer attacked!!!),
> > and none of them successes.
> >
> > I have some questions to ask all of you, please me!!!
> >
> > 1. is my computer hacked? if no, then why my computer sends packets
> > from port 60609 to some computer port 22 ?
>
> If neither you nor any authorized user to your knowledge is using the
> machine then this ssh connection to an IP in china is very likely a
> compromise.

Do you mean that my computer is hacked??? Well, is it possible that the computer is not hacked, but itself sends packets to some other computer automatically? Sorry, I think I am asking a stupid question, but this really confuses me!

> > 2. if my computer is hacked, then what can I do? reinstalling the
> > system is the only way???
>
> Yup. It's the only way to get back to a known state. Wiping and
> reinstalling from original media.
>
> --
> Todd H.
> http://www.toddh.net/

#4

Jenny wrote:

> Dear groups,
>
> My computer was told that it sent unusual packets from port 60609 to
> some computer with IP 61.50.138.237 port 22. (more than 20 flows per
> second!!!)
>
> I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
> 2005", I use netstat to check services I open, only mysql, samba,
> vsftp, ssh, http.
>
> I check /var/log, message and security. I can't find any successful
> logging from others. But I do find many many attacks from 61.50.138.*
> (not including the one 61.50.138.237 which my computer attacked!!!),
> and none of them successes.
>
> I have some questions to ask all of you, please me!!!
>
> 1. is my computer hacked? if no, then why my computer sends packets
> from port 60609 to some computer port 22 ?

Maybe, maybe not.

Port 60609 is one of those ports your user processes are permitted to use. So, on your side, you have a user process calling out on port 60609.

On the other side, port 22 is the port that SSH listens on.

So, you have someone on your side running an SSH client that's talking to the SSH server on the 138.237 machine. Does anyone on your machine SSH into that outside machine? If so, then you may not have been "hacked".

> 2. if my computer is hacked, then what can I do? reinstalling the
> system is the only way???

Take your machine off the network.

(Optional) Take a copy of your HD so that the criminal investigation has something to run forensics on.

Save any user data you feel necessary. Note that it may be corrupt or suspect, as the intruder may have altered or corrupted your data.

Delete everything, and reinstall from known good sources.

(Important) Secure your machine (firewalls, passwords, IDS apps, etc.)

/Then/ you may consider putting the machine back on the network.

HTH

--
Lew Pitcher

#5

"Jenny" <ahajenny@gmail.com> writes:

> do you mean that my computer is hacked???

If you are the only authorized user of this machine, yes.

> well, is it possible that the computer is not hacked, but itself sends
> packets to some other computer automatically?

I'm afraid this would fall into the wishful thinking category. I wish I had better news. If you weren't hyper vigilant about keeping up with patches/updates on your machine, you can be pretty sure you were hacked I'm afraid.

--
Todd H.
http://www.toddh.net/

#6

Lew Pitcher wrote:

> Jenny wrote:
> > Dear groups,
> >
> > My computer was told that it sent unusual packets from port 60609 to
> > some computer with IP 61.50.138.237 port 22. (more than 20 flows per
> > second!!!)
> >
> > I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
> > 2005", I use netstat to check services I open, only mysql, samba,
> > vsftp, ssh, http.
> >
> > I check /var/log, message and security. I can't find any successful
> > logging from others. But I do find many many attacks from 61.50.138.*
> > (not including the one 61.50.138.237 which my computer attacked!!!),
> > and none of them successes.
> >
> > I have some questions to ask all of you, please me!!!
> >
> > 1. is my computer hacked? if no, then why my computer sends packets
> > from port 60609 to some computer port 22 ?
>
> Maybe, maybe not.
> Port 60609 is one of those ports your user processes is permitted to
> use
> So, on your side, you have a user process calling out on port 60609
>
> On the other side, port 22 is the port for that SSH listens on.
>
> So, you have someone on your side running an SSH client that's talking
> to the SSH server on the 138.237 machine. Does anyone on your machine
> SSH into that outside machine? If so, then you may not have been
> "hacked".
>
> > 2. if my computer is hacked, then what can I do? reinstalling the
> > system is the only way???
>
> Take your machine off the network.
>
> (Optional) take a copy of your hd so that the criminal investigation
> has something to run forensics on
>
> Save any user data you feel necessary - note that it may be corrupt or
> suspect, as the intruder may have altered or corrupted your data.
>
> Delete everything, and reinstall from known good sources
>
> (Important) Secure your machine (firewalls, passwords, IDS apps, etc.)
>
> /Then/ you may consider putting the machine back on the network
>
> HTH
>
> --
> Lew Pitcher

Thank you all of you!!! Now I conclude that my computer is hacked....

#7

Todd H. wrote:

> "Jenny" <ahajenny@gmail.com> writes:
>
> > Dear groups,
> >
> > My computer was told that it sent unusual packets from port 60609 to
> > some computer with IP 61.50.138.237 port 22. (more than 20 flows per
> > second!!!)
> >
> > I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
> > 2005", I use netstat to check services I open, only mysql, samba,
> > vsftp, ssh, http.
> >
> > I check /var/log, message and security. I can't find any successful
> > logging from others. But I do find many many attacks from 61.50.138.*
> > (not including the one 61.50.138.237 which my computer attacked!!!),
> > and none of them successes.
> >
> > I have some questions to ask all of you, please me!!!
> >
> > 1. is my computer hacked? if no, then why my computer sends packets
> > from port 60609 to some computer port 22 ?
>
> If neither you nor any authorized user to your knowledge is using the
> machine then this ssh connection to an IP in china is very likely a
> compromise.
>
> > 2. if my computer is hacked, then what can I do? reinstalling the
> > system is the only way???
>
> Yup. It's the only way to get back to a known state. Wiping and
> reinstalling from original media.

But that's not needed, you can find which process is using that particular port and kill it (use lsof). Then run a rootkit detection and/or anti-virus detection to try to find out where that process came from (there are several to choose from). Before that I would harden ssh access, no access except your user.

HTH

--
René Berber

#8

"René Berber" <rberber@mailandnews.com> writes:

> Todd H. wrote:
> > Yup. It's the only way to get back to a known state. Wiping and
> > reinstalling from original media.
>
> But that's not needed, you can find which process is using that
> particular port and kill it (use lsof).

BUT, that assumes lsof hasn't been replaced. If someone has compromised your box, all bets are off. Rootkits and kernel mode rootkits are sufficiently advanced, (many impossible to detect), that if you've been owned, especially if your admin account has been compromised, that's why you have to flatten and rebuild from original media.

> Then run a rootkit detection and/or anti-virus detection to try to
> find out where that process came from (there are several to choose
> from).

Good luck with that. There's plenty of malware out there that evades AV detection and rootkit detection. All your detectors can tell you is whether you have malware that they know about. There's plenty they don't know about (or which has been repacked in order to evade detection).

Flatten and rebuild from original media. As I stated, it's the only way to get back to a known state.

--
Todd H.
http://www.toddh.net/
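René's suggestion (find the process behind port 60609 with lsof) and Todd's objection (lsof itself may have been replaced) can both be illustrated with a script that reads the kernel's /proc tables directly instead of calling any binary on the suspect box. This is an added example, not code from the thread; the /proc/net/tcp lines and the fake /proc tree it builds are constructed to match the original post's 60609 to 61.50.138.237:22 flow, and, as Todd notes, a kernel-mode rootkit can still falsify what /proc reports.

```python
"""Locate the process behind an outbound TCP connection by reading /proc
directly rather than trusting the lsof or netstat binaries on the box.

Added example, not code from the thread. The /proc/net/tcp sample and the
fake /proc tree built in demo() are constructed to mirror the original
post (local port 60609 to 61.50.138.237:22). This only sidesteps a
replaced userland tool; a kernel-mode rootkit can still lie in /proc.
"""
import os
import shutil
import socket
import struct
import tempfile

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field):
    """Turn an endpoint like '0F02000A:ECC1' into ('10.0.2.15', 60609).

    The kernel prints the IPv4 address as a 32-bit word in host byte order, so
    on a little-endian x86 host (as in the post) the octets appear reversed.
    """
    addr_hex, port_hex = field.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))   # assumes little-endian host
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:              # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        conns.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),                 # links the socket to /proc/<pid>/fd
        })
    return conns


def owner_of_socket(inode, proc_root="/proc"):
    """Scan /proc/<pid>/fd for 'socket:[<inode>]'; return (pid, exe) or None (needs root)."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                              # process exited or no permission
            continue
        for fd in fds:
            try:
                link = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if link == target:
                exe_link = os.path.join(proc_root, pid, "exe")
                exe = os.readlink(exe_link) if os.path.lexists(exe_link) else "?"
                return int(pid), exe
    return None


def find_connections(text, remote_ip, remote_port, proc_root="/proc"):
    """Return every connection to remote_ip:remote_port, annotated with its owner."""
    hits = []
    for conn in parse_proc_net_tcp(text):
        if conn["remote"] == (remote_ip, remote_port):
            conn["owner"] = owner_of_socket(conn["inode"], proc_root)
            hits.append(conn)
    return hits


# Constructed sample: an sshd listener plus the outbound flow from the post.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:ECC1 ED8A323D:0016 01 00000000:00000000 00:00000000 00000000   500        0 45678 1 0000000000000000 20 4 30 10 -1
"""


def demo():
    """Run the lookup against a constructed /proc tree so it works without root."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    try:
        fd_dir = os.path.join(root, "4242", "fd")
        os.makedirs(fd_dir)
        os.symlink("socket:[45678]", os.path.join(fd_dir, "3"))
        os.symlink("/usr/bin/ssh", os.path.join(root, "4242", "exe"))   # constructed
        return find_connections(SAMPLE_PROC_NET_TCP, "61.50.138.237", 22, proc_root=root)
    finally:
        shutil.rmtree(root)
```

On a live Fedora box you would pass the contents of /proc/net/tcp to find_connections as root; the exe path it reports tells you whether the socket belongs to the ordinary ssh client (and which uid started it) or to something else.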

#9

On 2006-09-13 16:52:59 +0200, "Jenny" <ahajenny@gmail.com> said:

> Dear groups,
>
> My computer was told that it sent unusual packets from port 60609 to
> some computer with IP 61.50.138.237 port 22. (more than 20 flows per
> second!!!)

[...]

As almost anybody told you here, I'd wipe out the OS, you cannot trust *ANY* binary in that system anymore.

--
Sensei <senseiwa@Apple's mail>

Research (n.): a discovery already published by a Chinese guy one month before you, copying a Russian who did it in the 60s.

#10

"René Berber" typed:

> Todd H. wrote:
>> Yup. It's the only way to get back to a known state. Wiping and
>> reinstalling from original media.
>
> But that's not needed, you can find which process is using that
> particular port and kill it (use lsof). Then run a rootkit
> detection and/or anti-virus detection to try to find out where that
> process came from (there are several to choose from). Before that I
> would harden ssh access, no access except your user.

Reinstalling (and rebuilding) a system is far easier and quicker than figuring out how deep and thorough the compromise is and cleaning the system to some reasonable extent.

--
Ayaz Ahmed Khan

Then, gently touching my face, she hesitated for a moment as her incredible eyes poured forth into mine love, joy, pain, tragedy, acceptance, and peace. "'Bye for now," she said warmly.
-- Thea Alexander, "2150 A.D."

#11

Ayaz Ahmed Khan <ayaz@redirect.devnull> writes:

> "René Berber" typed:
>> Todd H. wrote:
>>> Yup. It's the only way to get back to a known state. Wiping and
>>> reinstalling from original media.
>>
>> But that's not needed, you can find which process is using that
>> particular port and kill it (use lsof). Then run a rootkit
>> detection and/or anti-virus detection to try to find out where that
>> process came from (there are several to choose from). Before that I
>> would harden ssh access, no access except your user.
>
> Reinstalling (and rebuilding) a system is far easier and quicker than
> figuring out how deep and thorough the compromise is and cleaning the
> system to some reasonable extent.

If the OP's like me, they are loath to do this not for the basic OS install, but for the dozens or perhaps hundreds of other upgrades/applications/tweaks that they've performed since they first installed their OS. If I had to re-install, it would probably chew up a week of my time to reconfigure everything back just the way it was.

--
%    Randy Yates              % "How's life on earth?
%%   Fuquay-Varina, NC        %  ... What is it worth?"
%%%  919-577-9882             % 'Mission (A World Record)',
%%%% <yates@ieee.org>         % *A New World Record*, ELO
http://home.earthlink.net/~yatescr

#12

Todd H. wrote:

> René Berber writes:
>
> > Todd H. wrote:
> > > Yup. It's the only way to get back to a known state. Wiping and
> > > reinstalling from original media.
> >
> > But that's not needed, you can find which process is using that
> > particular port and kill it (use lsof).
>
> BUT, that assumes lsof hasn't been replaced.

Are we getting paranoid? So what if it was replaced, is it going to lie and you are not going to catch the lie? Granted you need some experience, knowledge and/or outside .

> If someone has compromised your box, all bets are off. Rootkits and
> kernel mode rootkits are sufficiently advanced, (many impossible to
> detect), that if you've been owned, especially if your admin account
> has been compromised, that's why you have to flatten and rebuild from
> original media.
>
> > Then run a rootkit detection and/or anti-virus detection to try to
> > find out where that process came from (there are several to choose
> > from).
>
> Good luck with that. There's plenty of malware out there that evades
> AV detection and rootkit detection. All your detectors can tell you
> is whether you have malware that they know about. There's plenty they
> don't know about (or which has been repacked in order to evade
> detection).

Do you have any experience at all?

"Evade detection", you must be kidding. FYI most rootkits are very simple, they install a modified telnet or ssh and some scripts, that's it; and any good anti-virus detects those and you have the option of using things like tripwire so you don't even need anti-virus.

If you really want to do things carefully, you can boot from a CD and check your drive from there. There are several options for the CD, I have "System Rescue CD".

> Flatten and rebuild from original media. As I stated, it's the only
> way to get back to a known state.

--
R.Berber

#13

On Thu, 14 Sep 2006 23:20:22 GMT, Randy Yates <yates@ieee.org> wrote:

>Ayaz Ahmed Khan <ayaz@redirect.devnull> writes:
>
>> "René Berber" typed:
>>> Todd H. wrote:
>>>> Yup. It's the only way to get back to a known state. Wiping and
>>>> reinstalling from original media.
>>>
>>> But that's not needed, you can find which process is using that
>>> particular port and kill it (use lsof). Then run a rootkit
>>> detection and/or anti-virus detection to try to find out where that
>>> process came from (there are several to choose from). Before that I
>>> would harden ssh access, no access except your user.
>>
>> Reinstalling (and rebuilding) a system is far easier and quicker than
>> figuring out how deep and thorough the compromise is and cleaning the
>> system to some reasonable extent.
>
>If the OP's like me, they are loathe to do this not for the basic OS
>install, but for the dozens or perhaps hundreds of other
>upgrades/applications/tweaks that they've performed since they first
>installed their OS.

So?

tar cvzf .../backup-config.tar.gz /etc /boot/config-*

Wipe OS partition (6Ps), re-install OS, unpack backup-config to /tmp and cherry pick custom .conf files --> takes me less than an hour to reinstall router with this technique.

Reminds me, take a backup now.

> If i had to re-install, it would probably chew
>up a week of my time to reconfigure everything back just the way it
>was.

That's just plain pessimistic or bad planning. If you have separate /home and /usr/local partitions, replacing the OS is a snap...

Grant.
--
http://bugsplatter.mine.nu/

#14

"René Berber" <rberber@mailandnews.com> writes:

> Todd H. wrote:
>
> > René Berber writes:
> >
> > > Todd H. wrote:
> > > > Yup. It's the only way to get back to a known state. Wiping and
> > > > reinstalling from original media.
> > >
> > > But that's not needed, you can find which process is using that
> > > particular port and kill it (use lsof).
> >
> > BUT, that assumes lsof hasn't been replaced.
>
> Are we geting paranoid? So what if it was replaced, is it going to
> lie and you are not going to catch the lie? Granted you need some
> experience, knowledge and/or outside .

Rene have you ever done forensic analysis on a system that had been infected with a kernel mode rootkit installed? Do you work with folks in a security operations center, or have a team at your company that responds to incidents? You may need to widen your circle of colleagues.

> Do you have any experience at all?

Honestly, I was just wondering the same about you.

If you think that there aren't stealth malware out there and kernel mode rootkits that can't be detected, I think you need to figure out what exactly "0day" code is, why it's prized in the black hat community, and just how much of it is out there that AV and IDS vendors don't yet know about.

Your mentality may get you cleaned up from a script kiddie attack, but for all you know, you're probably working right now on a machine owned by someone with just a little more knowledge than a script kiddie.

> "Evade detection", you must be kidding.

Nope.

Arguing against flattening and rebuilding a compromised system? You must be kidding.

> FYI most rootkits are very simple, they install a modified telnet or
> ssh and some scripts, that's it;

Most are. It's the rest your method is gonna screw ya hard if you think you can use bandaids to patch up a compromised machine with cancer.

> and any good anti-virus detects those and you have the option of
> using things like tripwire so you don't even need anti-virus.

Antivirus? Oh dear god--are you a windows drone?

Tripwire is great if you're using it already. But reread the original post--what are the odds that the OP is a) using it and b) monitoring changed files on a regular basis and c) able to undo anything that's done? And here's the deal, if someone owns your system with a kernel mode rootkit and can intercept library calls coming from a program like tripwire, tripwire can be made to hum along like nothing is the matter. That of course you could get around running the analysis from a bootable CD.

> If you really want to do things carefully, you can boot from a CD
> and check your drive from there. There are several options for the
> CD, I have "System Rescue CD".

Did you get a Hello Kitty sticker when you burned that CD? If you think it's gonna clean you up from anything more than script kiddie stuff, you have got a lot of learning to do.

Auditor and Helix would be better choices.

Sorry, I don't mean to shred you but you are strenuously clinging to an asinine position on this one.

Best Regards,

--
Todd H.
http://www.toddh.net/

#15

Grant <bugsplatter@gmail.com> writes:

> On Thu, 14 Sep 2006 23:20:22 GMT, Randy Yates <yates@ieee.org> wrote:
>
>>Ayaz Ahmed Khan <ayaz@redirect.devnull> writes:
>>
>>> "René Berber" typed:
>>>> Todd H. wrote:
>>>>> Yup. It's the only way to get back to a known state. Wiping and
>>>>> reinstalling from original media.
>>>>
>>>> But that's not needed, you can find which process is using that
>>>> particular port and kill it (use lsof). Then run a rootkit
>>>> detection and/or anti-virus detection to try to find out where that
>>>> process came from (there are several to choose from). Before that I
>>>> would harden ssh access, no access except your user.
>>>
>>> Reinstalling (and rebuilding) a system is far easier and quicker than
>>> figuring out how deep and thorough the compromise is and cleaning the
>>> system to some reasonable extent.
>>
>>If the OP's like me, they are loathe to do this not for the basic OS
>>install, but for the dozens or perhaps hundreds of other
>>upgrades/applications/tweaks that they've performed since they first
>>installed their OS.
>
> So?
>
> tar cvzf .../backup-config.tar.gz /etc /boot/config-*

Ha! And you think that's all there is to it? What about all the libraries and sym links strung all over heck?

> Wipe OS partition (6Ps)

6Ps?

> re-install OS, unpack backup-config to /tmp
> and cherry pick custom .conf files

Oh yeah - that's going to be a picnic. I just did a count in my /etc and I have 405 configuration files.

> --> take me less than an hour to
> reinstall router with this technique.

I'm happy for you, Grant. Really. But I don't think that would be the case for me.

> Reminds me, take a backup now

Always a good idea.

>> If i had to re-install, it would probably chew
>>up a week of my time to reconfigure everything back just the way it
>>was.
>
> That's just plain pessimistic or bad planning.

And I think you're being optimistic.

> If you have separate
> /home and /usr/local partitions, replacing the OS is a snap...

Although I couldn't name a specific one, I bet there are more than a few local apps that install themselves in /usr/bin and whatever other non-standard locations, and they don't ask the installer's permission for it.

I've been wondering lately if there's some God-send utility that would track installs for the purpose of alleviating the pain of such reinstalls.

--
%    Randy Yates              % "She's sweet on Wagner-I think she'd die for Beethoven.
%%   Fuquay-Varina, NC        %  She love the way Puccini lays down a tune, and
%%%  919-577-9882             %  Verdi's always creepin' from her room."
%%%% <yates@ieee.org>         % "Rockaria", *A New World Record*, ELO
http://home.earthlink.net/~yatescr

#16

René Berber <rberber@mailandnews.com> wrote:

>> > Then run a rootkit detection and/or anti-virus detection to try to
>> > find out where that process came from (there are several to choose
>> > from).
>>
>> Good luck with that. There's plenty of malware out there that evades
>> AV detection and rootkit detection. All your detectors can tell you
>> is whether you have malware that they know about. There's plenty they
>> don't know about (or which has been repacked in order to evade
>> detection).

> Do you have any experience at all?

> "Evade detection", you must be kidding. FYI most rootkits are very
> simple, they install a modified telnet or ssh and some scripts, that's
> it; and any good anti-virus detects those and you have the option of
> using things like tripwire so you don't even need anti-virus.

Ouch. So now you're assuming no one has ever used a basically unmodified rootkit and additionally placed a 'stealth' component on the target. It'll make you feel nice and happy when you find and "remove" the rootkit, but you won't be any less vulnerable.

> If you really want to do things carefully, you can boot from a CD and
> check your drive from there. There are several options for the CD, I
> have "System Rescue CD".

Unless the CD nukes any unknown (read non-OS) executable on the drive or you have some known state to compare against (a la tripwire), I don't see how you can effectively check a drive. It's certainly possible, but requires you've done work before the attack. Afterward is too late.

--
Darren Dunham                                           ddunham@taos.com
Senior Technical Consultant         TAOS            http://www.taos.com/
Got some Dr Pepper?                           San Francisco, CA bay area
         < This line left intentionally blank to confuse you. >
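Darren's point that checking a drive from a rescue CD only works if you recorded a known state beforehand (the tripwire approach René and Todd argue over above) can be made concrete with a small baseline-and-compare tool. This is an added example, not code from the thread or from tripwire; the tree it baselines and then tampers with is constructed, and in real use the manifest would be kept off the box and the comparison run with the disk mounted read-only from the boot CD.

```python
"""Minimal file-integrity baseline in the spirit of tripwire.

Added example, not code from the thread. Record a manifest of a tree
(path -> sha256, size, mode) while the system is in a known-good state and
keep it off the box; later, ideally with the drive mounted read-only from a
rescue CD so the suspect kernel is out of the loop, compare the tree against
it. The tree built in demo() is constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to digest, size and mode."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                              # deterministic walk order
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):         # skip symlinks, devices, sockets
                continue
            manifest[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed tree, tamper with it as a simple rootkit would, and diff."""
    root = tempfile.mkdtemp(prefix="baseline-")
    try:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for name, body in (("ssh", b"original ssh"), ("lsof", b"original lsof"),
                           ("ls", b"original ls")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        manifest_path = os.path.join(root, "baseline.json")   # off-box in real use
        save_manifest(build_manifest(bindir), manifest_path)

        # Tampering: same-size trojan replaces lsof, a hidden file appears, ls vanishes.
        with open(os.path.join(bindir, "lsof"), "wb") as f:
            f.write(b"trojaned lsof")
        with open(os.path.join(bindir, ".hidden"), "wb") as f:
            f.write(b"constructed extra file")
        os.remove(os.path.join(bindir, "ls"))

        return compare(load_manifest(manifest_path), build_manifest(bindir))
    finally:
        shutil.rmtree(root)
```

The same-size replacement of lsof is caught only because the manifest stores a digest, not just size and mode, which is why a listing-based check from the rescue CD is not enough on its own.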

#17

Randy Yates <yates@ieee.org> writes:

> I've been wondering lately if there's some God-send utility that would
> track installs for the purpose of alleviating the pain of such
> reinstalls.

The intricacies you cite are among the reasons manual compile and installation is troublesome. On the linux platform anyway, package managers (emerge, yum, rpm, apt) attempt to be the god-send utility.

A Gentoo linux user would hardly stop himself from yelling "Emerge!" and running down the street as a solution. In Gentoo, you can emerge almost anything you might want to run. Of course you have to wait for it to compile which is painful for large packages. But the source code basis of it all makes the dependencies work remarkably nicely for rebuilding.

If you have a distro with a nice enough package manager, reinstalling becomes a task of running a script of package manager commands to get all the packages you want, restoring a known good backup of /home, and a known-good backup of /etc.

But folks struggling with their first linux systems and navigating a confusing mess of documentation on the net all referring to different distributions and older versions of software are unlikely to have a clean, easy to restore system, it's true!

And windows users... oy. Unless you have a slipstream installation CD made or a Ghost image backup that you can absolutely trust, reinstalling and transferring data is a royal PITA and well beyond the knowledge of the users who are most in need of doing such a reinstall.

Best Regards,

--
Todd H.
http://www.toddh.net/

#18

Darren Dunham wrote:

> René Berber wrote:
>
> >> > Then run a rootkit detection and/or anti-virus detection to try to
> >> > find out where that process came from (there are several to choose
> >> > from).
> >>
> >> Good luck with that. There's plenty of malware out there that evades
> >> AV detection and rootkit detection. All your detectors can tell you
> >> is whether you have malware that they know about. There's plenty they
> >> don't know about (or which has been repacked in order to evade
> >> detection).
>
> > Do you have any experience at all?
>
> > "Evade detection", you must be kidding. FYI most rootkits are very
> > simple, they install a modified telnet or ssh and some scripts, that's
> > it; and any good anti-virus detects those and you have the option of
> > using things like tripwire so you don't even need anti-virus.
>
> Ouch. So now you're assuming no one has ever used a basically
> unmodified rootkit and additionally placed a 'stealth' component on the
> target. It'll make you feel nice and happy when you find and "remove"
> the rootkit, but you won't be any less vulnerable.

Assuming? Do you see any assumptions above?

Basically unmodified rootkit? A rootkit is a class not a singleton.

> > If you really want to do things carefully, you can boot from a CD and
> > check your drive from there. There are several options for the CD, I
> > have "System Rescue CD".
>
> Unless the CD nukes any unknown (read non-OS) executable on the drive or
> you have some known state to compare against (a la tripwire), I don't
> see how you can effectively check a drive. It's certainly possible, but
> requires you've done work before the attack. Afterward is too late.

Not true, and it really makes no sense continuing to discuss this.

--
R.Berber

#19

Todd H. wrote: > René Berber writes: > > Todd H. wrote: > > > > > René Berber writes: > > > > > > > Todd H. wrote: > > > > > Yup. It's the only way to get back to a known state. Wiping and > > > > > reinstalling from original media. > > > > > > > > But that's not needed, you can find which process is using that > > > > particular port and kill it (use lsof). > > > > > > BUT, that assumes lsof hasn't been replaced. > > > > Are we geting paranoid? So what if it was replaced, is it going to > > lie and you are not going to catch the lie? Granted you need some > > experience, knowledge and/or outside . > > Rene have you ever done forensic analysis on a system that had been > infected with a kernel mode rootkit installed? Do you work with folks > in a security operations center, or have a team at your company that > responds to incidents? You may need to widen your circle of > colleagues. > > > Do you have any experience at all? > > Honestly, I was just wondering the same about you. Yes I do. > If you think that there aren't stealth malware out there and kernel > mode rootkits that can't be detected, I think you need to figure out > what exactly "0day" code is, why its prized in the black hat > community, and just how much of it is out there that AV and IDS > vendors don't yet know about. > > Your mentality may get you cleaned up from a script kiddie attack, but > for all you know, you're probably working right now on a machine owned > by someone with just a little more knowledge than a script kiddie. > > > "Evade detection", you must be kidding. > > Nope. > > Arguing against flattening and rebuilding a compromised system? You > must be kidding. > > > FYI most rootkits are very simple, they install a modified telnet or > > ssh and some scripts, that's it; > > Most are. It's the rest your method is gonna screw ya hard if you > think you can use bandaids to patch up a compromised machine with > cancer. 
So, you kill the patient in case he has cancer, if he didn't, oh too bad. In other words, don't you think you should at least try to see how bad the computer was hacked, hey it is even possible that it was one of those "script kiddies" that you mention. On the practical side, as mentioned in other message, how much time will it take to diagnose the problem? how much to re-install? Bottom line, I do agree that there will be situations where you are better off installing from scratch but, if you know what you are doing, that will not be 100% of the time. > > and any good anti-virus detects those and you have the option of > > using things like tripwire so you don't even need anti-virus. > > Antivirus? Oh dear god--are you a windows drone? Who mentioned Windows? Oh, I see, your famous kernel mode rootkits seem to affect Windows mostly, no wonder I've never seen one of those. > Tripwire is great if you're using it already. But reread the original > post--what are the odds that the OP is a) using it and b) monitoring > changed files on a regular basis and c) able to undo anything that's > done? And here's the deal, if someone owns your system with a kernel > mode rootkit and can intercept library calls coming from a program > like tripwire, tripwire can be made to hum along like nothing is the > matter. That of course you could get around running the analysis from > a bootable CD. > > > If you really want to do things carefully, you can boot from a CD > > and check your drive from there. There are several options for the > > CD, I have "System Rescue CD". > > Did you get a Hello Kitty sticker when you burned that CD? Is that supposed to be funny? Is this thread amusing to you? > If you think it's gonna clean you up from anything more than script > kiddie stuff, you have got a lot of learning to do. > > Auditor and Helix would be better choices. > > Sorry, I don't mean to shred you but you are strenuously clinging to > an assinine position on this one. 
So, do you have any experience or just FUD?
-- 
R.Berber
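The two positions above (use lsof to find and kill the process, versus "lsof may have been replaced") can both be checked in practice. The script below is an added example, not code from the thread or from any of the posters: it reads /proc/net/tcp and /proc/<pid>/fd directly, so a trojaned lsof or netstat binary cannot hide the connection, and it maps the socket inode back to the PID the way lsof does internally. What it cannot beat is a kernel-mode rootkit that hooks /proc itself, which is exactly why the advice to verify from a bootable CD, or to flatten and reinstall, still applies. The function and variable names, the "scan" argument and the sample table in the comments are my own; the script assumes an x86 Linux box, where /proc/net/tcp writes IPv4 addresses as little-endian hex words (so "ED8A323D" is 61.50.138.237).

```shell
#!/bin/sh
# Added example (not from the thread): find the process behind an unexpected
# outbound SSH connection by reading /proc directly, so that a replaced
# lsof/netstat binary cannot lie about it. A kernel-mode rootkit that hooks
# /proc can still hide the socket or the PID, which is why verifying from a
# bootable CD (or flattening and reinstalling) remains the safe answer.
# Assumes an x86 Linux box: /proc/net/tcp stores IPv4 addresses as host-order
# (little-endian) hex words, so "ED8A323D" is 61.50.138.237.

# decode_addr HEXIP:HEXPORT -> dotted.quad:port, e.g. ED8A323D:0016 -> 61.50.138.237:22
decode_addr() {
  da_hex=${1%%:*}
  da_port=${1##*:}
  da_o1=${da_hex#??????}                    # hex chars 7-8 = first octet
  da_t=${da_hex%??}; da_o2=${da_t#????}     # chars 5-6 = second octet
  da_t=${da_hex%????}; da_o3=${da_t#??}     # chars 3-4 = third octet
  da_o4=${da_hex%??????}                    # chars 1-2 = last octet
  printf '%d.%d.%d.%d:%d\n' \
    $((0x$da_o1)) $((0x$da_o2)) $((0x$da_o3)) $((0x$da_o4)) $((0x$da_port))
}

# outbound_ssh [TABLE]: list sockets whose remote port is 22 and whose state is
# not LISTEN (0A). 01 = ESTABLISHED, 02 = SYN_SENT; dozens of SYN_SENT rows to
# one /24 on port 22 is what an SSH brute-force scanner running locally looks
# like. TABLE defaults to the live /proc/net/tcp; a file can be passed instead
# for testing. Field 10 of each row is the socket inode.
outbound_ssh() {
  awk 'NR > 1 && $3 ~ /:0016$/ && $4 != "0A" { print $2, $3, $4, $10 }' \
      "${1:-/proc/net/tcp}" |
  while read -r os_local os_remote os_state os_inode; do
    printf '%s -> %s state=%s inode=%s\n' \
      "$(decode_addr "$os_local")" "$(decode_addr "$os_remote")" \
      "$os_state" "$os_inode"
  done
}

# socket_owner INODE [PROCROOT]: print the PID(s) holding a file descriptor
# that points at socket:[INODE]. Walks PROCROOT/<pid>/fd/* with readlink;
# PROCROOT defaults to /proc and is a parameter only so the function can be
# exercised on a constructed tree.
socket_owner() {
  so_inode=$1
  so_root=${2:-/proc}
  for so_fd in "$so_root"/[0-9]*/fd/*; do
    [ "$(readlink "$so_fd" 2>/dev/null)" = "socket:[$so_inode]" ] || continue
    so_pid=${so_fd#"$so_root"/}
    printf '%s\n' "${so_pid%%/*}"
  done
}

# Live run on the suspect box: sh ssh_owner.sh scan
# Prints each suspicious socket, then the owning PID, its executable and
# command line, read from /proc rather than from ps/lsof.
if [ "${1:-}" = "scan" ]; then
  outbound_ssh | while read -r conn; do
    printf '%s\n' "$conn"
    for pid in $(socket_owner "${conn##*inode=}"); do
      printf '  pid %s exe=%s cmd=%s\n' "$pid" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null)" \
        "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    done
  done
fi
```

A socket that shows up here with no owning PID, or a PID whose /proc/<pid>/exe points at a deleted or odd path, is the kind of inconsistency that should end the "just kill it" discussion: at that point the box should be powered down and examined from trusted media, not cleaned in place.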
#20 |
"René Berber" <rberber@mailandnews.com> writes:
> So, you kill the patient in case he has cancer, if he didn't, oh too
> bad.

Nah, you don't kill it--you reincarnate it. We have that luxury with
computers.

> In other words, don't you think you should at least try to see
> how bad the computer was hacked, hey it is even possible that it was
> one of those "script kiddies" that you mention.

Once you see that someone got in, got access to an account and started
establishing ssh connections to China, (as in this case), yeah, I'm
saying "It's time to crack out the installation media and fdisk."

> Bottom line, I do agree that there will be situations where you are
> better off installing from scratch but, if you know what you are
> doing, that will not be 100% of the time.

I agree that you can make a calculated risk mitigated decision that
says "well, if I am still owned through a toehold that I cannot
presently detect with the system rescue CD I got in my box of
Cheerios, I'm willing to live with that if the cost of my rebuild is
this much. I'll take some time and try to get rid of the low hanging
fruit I can find and hope for the best." These are business
realities.

But, if you want to be certain you got everything, you flatten and
reinstall from original media. A lot of businesses and individuals are
fairly risk averse, and if they are not, perhaps they should be.

> > Antivirus? Oh dear god--are you a windows drone?
>
> Who mentioned Windows?

Is anti-virus a required piece of software on machines other than
Windows?

> > Did you get a Hello Kitty sticker when you burned that CD?
>
> Is that supposed to be funny? Is this thread amusing to you?

You mean, let me understand this cause, ya know maybe it's me, I'm a
little fscked up maybe, but I'm funny how, I mean funny like I'm a
clown, I amuse you? I make you laugh, I'm here to fsckin' amuse you?
What do you mean funny, funny how? How am I funny?

> So, do you have any experience or just FUD?

Nah, it's all just FUD.

I'm a college student who rented a copy of Hackers last weekend and my
mind's been abuzz ever since. ;-)

-- 
Todd H.
http://www.toddh.net/
#21 |
On Fri, 15 Sep 2006 02:13:50 GMT, Randy Yates <yates@ieee.org> wrote:
>Grant <bugsplatter@gmail.com> writes:
>
>> On Thu, 14 Sep 2006 23:20:22 GMT, Randy Yates <yates@ieee.org> wrote:
....
>> tar cvzf .../backup-config.tar.gz /etc /boot/config-*
>
>Ha! And you think that's all there is to it? What about
>all the libraries and sym links strung all over heck?
>
>> Wipe OS partition (6Ps)
>
>6Ps?

Prior Planning Prevents Piss Poor Performance

>
>> re-install OS, unpack backup-config to /tmp
>> and cherry pick custom .conf files
>
>Oh yeah - that's going to be a picnic. I just
>did a count in my /etc and I have 405 configuration
>files.

The most recent dozen or so matter, the rest don't. I don't run an
MTA here, but got samba, nfs, sshd, etc.

>And I think you're being optimistic.

Well I took a config backup and updated to slack-current 'live',
prepared to reinstall if it fell over, it didn't fall over, renamed
some .new configs to replace old ones, checked and kept custom
configs, rebooted to get all new files into memory: pppoe, web, ftp,
sshd servers all fine. Offline time 1 or 2 minutes. Box is Internet
facing router / server.

>
>> If you have separate
>> /home and /usr/local partitions, replacing the OS is a snap...
>
>Although I couldn't name a specific one, I bet there are more than a
>few local apps that install themselves in /usr/bin and whatever other
>non-standard locations, and they don't ask the installers permission
>for it.

That should be under admin control -- I expect non-distro apps to go
into the /usr/local area, I don't know why so many extras are shoved
into the OS 'space'. Again, a logbook (or text file) of changes made
helps a lot.

>I've been wondering lately if there's some God-send utility that would
>track installs for the purpose of alleviating the pain of such
>reinstalls.

There is one called 'checkinstall', dunno if it is generic, never used
it. Takes the place of the 'make install' step and records all the
damage and insults to the OS for later unwind?

Grant.
-- 
http://bugsplatter.mine.nu/
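Grant's rebuild procedure (config tarball, wipe the OS partition, reinstall, unpack to /tmp, cherry-pick the custom .conf files) and Randy's worry about hand-installed programs hiding in /usr/bin can both be scripted. The block below is an added example, not Grant's or anyone else's code from the thread: backup_config is the tar command from the quoted post, while list_custom_configs and list_unowned_files are my own helpers. The second of those assumes an RPM-based system such as the original poster's Fedora Core 5 (Grant's Slackware box has no rpm database, so checkinstall or a change log is the equivalent there).

```shell
#!/bin/sh
# Added example (not from the thread): the config-backup / cherry-pick step of
# a wipe-and-reinstall, plus a check for software that was installed into the
# OS "space" outside the package manager. backup_config is the tar command
# quoted in the thread; the other two functions are assumed helpers, and
# list_unowned_files assumes an RPM-based box (the OP's Fedora Core 5).

# backup_config DEST.tar.gz: archive /etc and the kernel configs before wiping.
# Run this while the old system is still mounted, and store DEST off the box.
backup_config() {
  tar czf "$1" /etc /boot/config-*
}

# list_custom_configs BACKUP_TREE LIVE_TREE: after the reinstall, unpack the
# backup somewhere (e.g. /tmp/old) and compare it against the fresh tree.
# Prints "new  path" for files the reinstall did not create and "diff path"
# for files whose content differs; identical files are the ones you can skip.
# Output is sorted by path so it stays stable between runs.
list_custom_configs() {
  lc_backup=$1
  lc_live=$2
  ( cd "$lc_backup" && find . -type f ) | sed 's|^\./||' | sort |
  while read -r lc_f; do
    if [ ! -e "$lc_live/$lc_f" ]; then
      printf 'new  %s\n' "$lc_f"
    elif ! cmp -s "$lc_backup/$lc_f" "$lc_live/$lc_f"; then
      printf 'diff %s\n' "$lc_f"
    fi
  done
}

# list_unowned_files DIR...: regular files under DIR that no RPM package owns.
# On a freshly reinstalled box this should be nearly empty; run against the
# old disk (mounted read-only from rescue media, with --root pointed at it, or
# simply before wiping) it shows what hand-installed software, or an intruder,
# dropped into /usr/bin and friends. rpm -qf exits non-zero for unowned files.
list_unowned_files() {
  find "$@" -type f 2>/dev/null | while read -r uf_f; do
    rpm -qf "$uf_f" >/dev/null 2>&1 || printf '%s\n' "$uf_f"
  done
}

# Typical sequence, run by hand (nothing below executes when this file is
# sourced):
#   backup_config /mnt/usb/backup-config.tar.gz
#   list_unowned_files /bin /sbin /usr/bin /usr/sbin /usr/lib > /mnt/usb/unowned.txt
#   ... wipe the OS partition, reinstall from original media ...
#   mkdir /tmp/old && tar xzf /mnt/usb/backup-config.tar.gz -C /tmp/old
#   list_custom_configs /tmp/old/etc /etc
```

Two caveats a practitioner should keep in mind. The "diff" list is a list of files to read, not to copy back blindly: a modified /etc/ssh/sshd_config or /etc/passwd in the backup may be the intruder's change rather than yours, which is the whole reason for rebuilding. And the unowned-files list is only as trustworthy as the rpm binary and database on the system that produced it, so on a suspect box it belongs to the "from rescue media" part of the procedure, not the "on the live system" part.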
#22 |
Randy Yates <yates@ieee.org> wrote:
> If the OP's like me, they are loath to do this not for the basic OS
> install, but for the dozens or perhaps hundreds of other
> upgrades/applications/tweaks that t