Subject: Re: system possibly compromised
To: None <michal@pasternak.w.lub.pl>
From: Roger Fischer <rgfisch@excite.com>
List: netbsd-help
Date: 02/24/2004 12:09:44
openssh-3.7.1.2nb1
postfix-2.0.14

[admin@icarus admin]$ netstat -an | grep LISTEN
tcp        0      0  127.0.0.1.6010         *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  *.110                  *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
tcp        0      0  192.168.0.7.53         *.*                    LISTEN
tcp6       0      0  ::1.6010               *.*                    LISTEN
tcp6       0      0  *.2080                 *.*                    LISTEN

--- On Tue 02/24, Michal Pasternak <michal@pasternak.w.lub.pl> wrote:
From: Michal Pasternak [mailto:michal@pasternak.w.lub.pl]
To: rgfisch@excite.com
Cc: netbsd-help@netbsd.org
Date: Tue, 24 Feb 2004 17:51:49 +0100
Subject: Re: system possibly compromised

Roger Fischer [Tue, Feb 24, 2004 at 11:31:52AM -0500]:
> How can I determine if a root-kit has been installed

security/chkrootkit

Anyway, only script kiddies would use "rootkits".

> or my system has been
> compromised in some other way?

You should ask about it before it got compromised. Some programs to have a
look at are, for example, tripwire. As USB memory keys are common these
days, a checksum database on separate media is quite a good option.

> My ISP sent me an email about spam coming from my IP address, and I also got
> some emails about mail that could not be delivered (that I had not sent).
> My ipf firewall only has ports 22 and 25 open.

... pity you haven't told us what versions of software you are running there.

> The processes that have me concerned are:
>
>     13252   296   296 9a1f80    0 I    ??   0:00.01 /USR/SBIN/CRON (cron)

Caps seem strange.

Check for listening sockets using netstat -an | grep LISTEN, for example.

> I did a find looking for a CRON (in caps) and turned up nothing.
> I've looked for hidden directories and haven't found anything.

That's normal - process 13252 changed its name via setproctitle(3). The original
binary was called 'cron'. The new one was called '/USR/SBIN/CRON'. See for
yourself:

    #include <stdlib.h>   /* setproctitle(3) is declared here on NetBSD */
    #include <unistd.h>   /* sleep(3) */

    int main(void) { setproctitle("foobar"); sleep(60); return 0; }

> If somebody has been in here, what's the best way to recover?

I'd back up user data ASAP and reinstall the whole system.

You could of course only back up the data, leave the box running for a few
days and try to log the IPs of the intruders. Contact your local police
department if you find this appropriate.

-- 
Michal Pasternak :: http://pasternak.w.lub.pl :: http://winsrc.sf.net
"There's so much comedy on television. Does that cause comedy in the streets?"
	-- Dick Cavett
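The "check for listening sockets" advice applied to the netstat listing at the top of this message, as an added example (not code from either poster): it parses BSD-style `netstat -an` LISTEN lines, where the local address is printed as host.port, and reports sockets bound to a non-loopback address whose port is not among those the firewall is said to allow. The sample lines are copied from the listing above; the expected-port set {22, 25} is taken from the earlier message, and anything it flags is only "unexplained", not proof of compromise.

```python
# Constructed sample: the `netstat -an | grep LISTEN` lines from this thread.
# NetBSD prints the local address as host.port, so "*.25" is port 25 on all
# interfaces and "::1.6010" is port 6010 on the IPv6 loopback.
NETSTAT_LISTEN = """\
tcp        0      0  127.0.0.1.6010         *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  *.110                  *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
tcp        0      0  192.168.0.7.53         *.*                    LISTEN
tcp6       0      0  ::1.6010               *.*                    LISTEN
tcp6       0      0  *.2080                 *.*                    LISTEN
"""

# Ports the poster says the ipf firewall lets through (assumption taken from
# the earlier message). Loopback-only listeners are not reachable remotely.
EXPECTED_PORTS = {22, 25}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text):
    """Return (proto, host, port) for every LISTEN line of BSD netstat -an."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        # The last dot separates host from port, even for IPv4 dotted quads.
        host, _, port = local.rpartition(".")
        listeners.append((proto, host, int(port)))
    return listeners


def unexpected_listeners(text, expected=EXPECTED_PORTS):
    """Listeners bound to a non-loopback address on a port not in `expected`."""
    return [(proto, host, port)
            for proto, host, port in parse_listeners(text)
            if host not in LOOPBACK and port not in expected]


if __name__ == "__main__":
    for proto, host, port in unexpected_listeners(NETSTAT_LISTEN):
        print(f"{proto} {host}:{port} listens but is not in {sorted(EXPECTED_PORTS)}")
```

Each flagged entry should map to a known daemon (here the POP3 and DNS listeners are plausible given the installed packages); one that does not is the socket to investigate with fstat(1) or sockstat(1) before rebuilding.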
