This is a discussion on rootedrooted within the Slackware Linux Support forums, part of the Unix Operating Systems category.
Hello All,

I have slackware version 10.1.0 installed on an Intel P-IV for some time now and I use this system as a desktop. No particular services running on this machine except

tcp 37 time
tcp 113 auth
tcp 22 ssh

and occasionally I run X on this system as well and sometimes download email.

Today, I switched on my system and did some usual work. I was busy working with papers and the monitor went off into standby mode. After some time, when I touched the keyboard, the screen came back on. But what made me write this post was the message below that appeared at the prompt:

$ rootedrooted

exactly as above. I don't think that it appeared by some accidental pressing of keys.

(1) How to determine that somebody really rooted this machine?

(2) I would like to know what to do next if so? Any mailing lists or newsgroups to go to?

Thank you!
devj.nullj@gmail.com wrote:
> Hello All,
>
> I have slackware version 10.1.0 installed on an Intel P-IV for some
> time now and I use this system as desktop. No particular services
> running on this machine except
>
> tcp 37 time
> tcp 113 auth
> tcp 22 ssh
>
<snip>
> $ rootedrooted
>
> exactly as above. I don't think that it appeared by some accident
> pressing of some keys.
>
> (1)How to determine that somebody really rooted this machine?
>
> (2)I would like to know what to do next if so? Any mailing lists or
> newsgroups to go to?
>
> Thank you!

Some update that I would like to add.

I downloaded and compiled chkrootkit-0.47. When run, it told me that

"Warning: crontab for nobody found, possible Lupper.Worm... not infected"

Though when I ran

crontab -u nobody -l

it reported nothing. There was nothing else reported by chkrootkit either.

Any further help on this?
On Thu, 16 Nov 2006 06:55:10 -0800, devj.nullj wrote:
<snip>
> Some update that I would like to add.
>
> I downloaded and compiled chkrootkit-0.47. When run, it told me that
>
> "Warning: crontab for nobody found, possible Lupper.Worm... not
> infected"
>
> Though when I ran
>
> crontab -u nobody -l
>
> It reported nothing. There was nothing else reported by chkrootkit
> either.
>
> Any further help on this?
>
rootkits are rare, but not unheard of in GNU/Linux. From what you say, I would be wary of continuing to use the system without further verification. One way to begin to verify is to boot a rescue disc, and to compute the md5sums for every file on the system. Once complete, you can check the data against the known good values. Aye, there's the rub: you may not have a table of known good values for the system.

This may be interesting as a research project, because Linux is not the usual target platform for building botnets. You could attempt to get the correct md5sum values by building a clean install for your 10.1 platform by installing it on a pristine system and attempting to match the setup options you used earlier. This could be easy or hard, depending on how well you documented (or can remember) the setup on the system. There still can be significant normal differences, which take some time to sort out.

This would be especially unusual for a fully patched system, behind NAT, and set up as a single user system.

I can think of one benign explanation. Sometimes applications spit errors to the terminal where they were launched. The error message attempts to show some context of the error and why it is flagged as an error.

--
Douglas Mayne
devj.nullj@gmail.com wrote:
<snip>
> Some update that I would like to add.
>
> I downloaded and compiled chkrootkit-0.47. When run, it told me that
>
> "Warning: crontab for nobody found, possible Lupper.Worm... not
> infected"
>
> Though when I ran
>
> crontab -u nobody -l
>
> It reported nothing. There was nothing else reported by chkrootkit
> either.
>
> Any further help on this?

Running ChkRootKit after the fact won't help much. You also can't trust the programs on the system now as they may have been modified/replaced. I hope you've unplugged it from the network, so this person can't get back in.

You might want to try booting up with Knoppix. I think it has an antivirus scanner with it. Mount your hard drive and do a virus scan. You can also inspect the hard drive with the programs on the Knoppix disk without fear of them giving false reports.

There's no telling what has been changed or is now running on your computer. You may want to back up your data and format the drive.

Good luck,
--
lucas
-------------------------
Perl Coder since 2001
shift || die;
-------------------------
Douglas Mayne wrote:
> On Thu, 16 Nov 2006 06:55:10 -0800, devj.nullj wrote:
<snip>
> rootkits are rare, but not unheard of in GNU/Linux. From what you say, I
> would be wary continuing to use the system without further verification.
> One way to begin to verify is to boot a rescue disc, and to compute the
> md5sums for every file on the system. Once complete, you can check the
> data against the known good values. Aye, there's the rub- you may not have
> a table of known good values for the system.
>
> This may be interesting as a research project, because Linux is not
> the usual target platform for building botnets. You could attempt to get
> the correct md5sum values by building a clean install for your 10.1
> platform by installing it on a pristine system and attempting to match
> the setup options you used earlier. This could be easy or hard,
> depending on how well you documented (or can remember) the setup on the
> system. There still can be significant normal differences, which take some
> time to sort out.
>
I am ready to do this, though I would like to know an easier way to find out if the system was compromised. Maybe I can use Knoppix to boot from a CD and then build md5 sums and then compare them with those for a clean system.

However, I would need to know for which *important* files to build md5 sums. Any ideas on this, or where I can get such a list?

> This would be especially unusual for a fully patched system, behind NAT,
> and setup as a single user system.
>
> I can think of one benign explanation. Sometimes applications spit errors
> to the terminal where they were launched. The error message attempts to
> show some context of the error and why it is flagged as an error.
>
> --
> Douglas Mayne
lucas wrote:
> devj.nullj@gmail.com wrote:
<snip>
> Running ChkRootKit after the fact wont help much. You also can't trust the
> programs on the system now as they may have been modified/replaced. I hope
> you've unplugged it from the network, so this person can't get back in.

Yes, that's what I also thought, but I just made an effort: maybe!

> You might want to try booting up with Knoppix. I think it has an antivirus
> scanner with it. Mount your hard drive and do a virus scan. You can also
> inspect the harddrive with the programs on the Knoppix disk without fear of
> them giving false reports.
>
I have not used Knoppix for this before. If you can direct me to some pointer where I can read more about using Knoppix for this purpose, and the list of utilities that I need to use, it would help me a lot.

> There's no telling what has been changed or is now running on your computer.
> You may want to backup up your data and format the drive.
>
> Good luck,

Thanks for all your help.

> --
> lucas
> -------------------------
> Perl Coder since 2001
> shift || die;
> -------------------------
On Thu, 16 Nov 2006 08:14:49 -0800, devj.nullj wrote:
<snip>
>> >> tcp 37 time
>> >> tcp 113 auth
>> >> tcp 22 ssh
<snip>
> I am ready to do this though I would like to know an easier way to find
> if the system was compromised. May be I can use knoppix to boot from
> a CD and then build md5 sums and then compare it with those for
> a clean system.
>
> However, I would need to know for which *important* files to build md5
> sums.
> Any ideas on this or where from can I get such a list?
>
<snip>
>
Don't assume that the damage is limited to certain directories (/usr, /sbin, etc.). Your attacker is much more likely to be a _person_, and is not necessarily using the prebuilt attacks used by the typical Windows virus. I see your system was open on port 22, ssh. Was that port open to attack on the internet using simple password guessing? If that was the attack vector, and the attack was successful, then the system is pretty much toast. You can run the verification for _every_ file on your system, and look for something out of place. Don't limit your search: your attacker won't necessarily be hiding in plain sight.

ssh is subject to serious attack, BTW. I have recommended using certificate authentication only for computers used on a public network.

It's not fun chasing ghosts. Consider creating a table of known good values for your system and keep it up to date when you patch the system. It's good for peace of mind, if nothing else.

--
Douglas Mayne
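A concrete first check on Douglas's question of whether ssh password guessing was the way in, as an added example that is not code from any post in this thread. It is a POSIX shell script meant to be run from the rescue CD against the suspect disk mounted read-only, so that awk, sort and grep come from trusted media rather than from the possibly-trojaned system. It summarises failed and accepted sshd logins from a syslog-format auth log (Slackware writes these to /var/log/secure) and flags the sshd_config settings that a brute-force attacker needs. The mount point /mnt/suspect, the host name `box`, the addresses, the log lines and the config file it builds for the stand-alone run are all constructed for the demonstration, in the OpenSSH/syslog line format.

```shell
#!/bin/sh
# Offline ssh triage for a suspected compromise. Added example, not code from
# the thread. Assumes the suspect disk is mounted read-only at $ROOT (assumed
# /mnt/suspect) from a rescue CD; every tool used comes from the rescue media.

ROOT="${ROOT:-/mnt/suspect}"   # assumed mount point

# Count "Failed password" lines per source address (OpenSSH/syslog format).
# Output: "<count> <ip>", most attempts first. Handles both plain failures
# and "invalid user" failures by locating the "from" token rather than
# relying on a fixed field position.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# List successful logins as "<method> <user> <ip>". An "Accepted password"
# for root from an address that also tops the failure list is the classic
# signature of a successful guessing attack.
ssh_accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted (password|publickey)/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { print $7, $9, $(i + 1); break }
         }' "$1"
}

# Report sshd_config settings that widen the attack surface. Unset keys are
# reported as weak too: OpenSSH of the Slackware 10.1 era defaulted to
# Protocol 2,1, PasswordAuthentication yes and PermitRootLogin yes.
sshd_config_findings() {
    awk 'BEGIN { proto = ""; pw = ""; root = "" }
         /^[[:space:]]*#/ || NF == 0 { next }
         tolower($1) == "protocol"               { proto = $2 }
         tolower($1) == "passwordauthentication" { pw = tolower($2) }
         tolower($1) == "permitrootlogin"        { root = tolower($2) }
         END {
             if (proto == "")      print "UNSET Protocol (old OpenSSH defaults to 2,1: SSH-1 enabled)"
             else if (proto ~ /1/) print "WEAK Protocol " proto " (SSH-1 enabled)"
             if (pw == "" || pw == "yes")     print "WEAK PasswordAuthentication yes (password guessing possible)"
             if (root == "" || root == "yes") print "WEAK PermitRootLogin yes (root directly guessable)"
         }' "$1"
    return 0
}

# Constructed evidence so the script runs stand-alone. On a real disk use
# "$ROOT/var/log/secure" and "$ROOT/etc/ssh/sshd_config" instead.
build_sample_evidence() {
    dir=$(mktemp -d)
    cat > "$dir/secure" <<'EOF'
Nov 16 02:13:07 box sshd[4121]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 16 02:13:09 box sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Nov 16 02:13:11 box sshd[4125]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Nov 16 02:13:14 box sshd[4127]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 16 02:20:41 box sshd[4190]: Accepted password for root from 203.0.113.7 port 51300 ssh2
Nov 16 03:01:00 box sshd[4301]: Failed password for root from 198.51.100.9 port 40110 ssh2
Nov 16 03:01:02 box sshd[4301]: Connection closed by 198.51.100.9
EOF
    cat > "$dir/sshd_config" <<'EOF'
# constructed sshd_config for the demonstration
Protocol 2,1
PasswordAuthentication yes
#PermitRootLogin no
EOF
    echo "$dir"
}

# Usage: sh ssh_triage.sh demo            (constructed evidence)
#        ROOT=/mnt/suspect sh ssh_triage.sh   (real mounted disk)
if [ "${1:-}" = "demo" ]; then
    d=$(build_sample_evidence)
    echo "== failed logins by source"; ssh_failed_by_ip "$d/secure"
    echo "== accepted logins";         ssh_accepted_logins "$d/secure"
    echo "== sshd_config";             sshd_config_findings "$d/sshd_config"
    rm -rf "$d"
elif [ -f "$ROOT/var/log/secure" ]; then
    ssh_failed_by_ip "$ROOT/var/log/secure"
    ssh_accepted_logins "$ROOT/var/log/secure"
    sshd_config_findings "$ROOT/etc/ssh/sshd_config"
fi
```

On the constructed data the failure table puts 203.0.113.7 at the top with 4 attempts, the accepted-login list shows `password root 203.0.113.7` seven minutes later, and the config audit reports SSH-1 enabled, password authentication on and root login permitted: exactly the combination Douglas warns about. On a real disk an empty or truncated /var/log/secure is itself a finding, since wiping the auth log is the first thing an intruder does; and the absence of evidence there says nothing about binaries, which is what the md5sum comparison is for.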
devj.nullj@gmail.com wrote:
> Today, I switched on my system and did some usual work. I was busy
> working with papers and the monitor went off in the standby mode. After
> sometime when I touched the keyboard the screen came back on. But what
> made me write this post was a message below that appeared on the prompt:
>
> $ rootedrooted
>
> exactly as above. I don't think that it appeared by some accident
> pressing of some keys.
>
> (1)How to determine that somebody really rooted this machine?
>
> (2)I would like to know what to do next if so? Any mailing lists or
> newsgroups to go to?

Have a look at the "helix" live CD.
http://www.e-fense.com/helix/

Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.

Success,
Kees.

--
Kees Theunissen.
Douglas Mayne wrote:
> On Thu, 16 Nov 2006 08:14:49 -0800, devj.nullj wrote:
<snip>
> Don't assume that the damage is limited to certain directories, (/usr,
> /sbin, etc.) Your attacker is much more likely to be a _person_, and
> is not necessarily using the prebuilt attacks used by the typical Windows
> virus. I see your system was open on port 22, ssh. Was that port open to
> attack on the internet using simple password guessing? If that was the
> attack vector, and the attack was successful, then the system is pretty
> much toast. You can run the verification for _every_ file on your system,
> and look for something out of place. Don't limit your search- your
> attacker won't necessarily be hiding in plain sight.
>
When I ran root kit hunter [rkhunter] on my machine, it tagged ssh as vulnerable. ssh version 1 was allowed on the system that I used.

> ssh is subject to serious attack, BTW. I have recommened using certificate
> authentication only for computers used on a public network.
>
> It's not fun chasing ghosts. Consider creating a table of known good
> values for your system and keep it up to date when you patch the system.
> It's good for peace of mind, if nothing else.
>
What would you recommend for this? tripwire or any other such tool?

> --
> Douglas Mayne
On Thu, 16 Nov 2006 09:25:42 -0800, devj.nullj wrote:
<snip>
>
> What would you recommend for this? tripwire or any other such tool?
>
I haven't used the automated tools. From what I've heard, these tools are challenged by the same problem that I mentioned: some files are allowed to change. Setting up a tripwire involves configuring it to ignore certain changes. This might be worthwhile for a system which is prone to attack and the risk justifies it. You may need to know that a system has been compromised right away. For a system with lesser risk, it might be overkill.

The manual approach I recommended is good for "after the fact analysis." This may or may not meet your needs.

The first thing I would do is to check your security procedures and lock down the system to prevent successful attacks from getting started. You know the old saw, "an ounce of prevention..."

--
Douglas Mayne
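The manual procedure Douglas describes across his replies (boot a rescue disc, hash every file on the suspect disk, diff against a known-good table built from a clean install, keep that table current when you patch, and tell expected changes apart from suspicious ones), as an added example that is not code from any post in this thread. It is POSIX shell using md5sum, find and awk from the rescue media. The manifest is compared with awk rather than `diff` so that paths containing spaces survive, an optional exclude pattern handles the "files that are allowed to change" problem he raises, and a separate setuid/setgid listing covers the case where the baseline predates the intrusion. The clean and suspect directory trees it builds, including the "trojaned" ls, the hidden setuid shell under /dev and the deleted auth log, are constructed for the demonstration; the mount point /mnt/suspect is an assumption.

```shell
#!/bin/sh
# Offline integrity check against a known-good manifest. Added example, not
# code from the thread. Run from a rescue CD with the suspect disk mounted
# read-only (assumed at /mnt/suspect) so that md5sum, find and awk come from
# trusted media rather than from the possibly-trojaned system.

# make_manifest ROOT [EXCLUDE_REGEX]
# Emits one "<md5>  <path>" line per regular file below ROOT, in stable order.
# EXCLUDE_REGEX drops paths that are expected to change (logs, mtab, caches)
# so they do not drown the real findings. Paths are relative to ROOT, so a
# manifest taken from a clean install is directly comparable.
make_manifest() {
    root="$1"; exclude="${2:-}"
    ( cd "$root" || exit 1
      find . -type f -print | LC_ALL=C sort |
          { if [ -n "$exclude" ]; then grep -Ev -- "$exclude"; else cat; fi; } |
          while IFS= read -r f; do md5sum "$f"; done )
}

# compare_manifests BASELINE CURRENT
# Prints "MODIFIED path", "ADDED path" (absent from baseline) and
# "MISSING path" (in baseline, gone now). The path is everything after the
# 32-character hash and two spaces, so names with spaces compare correctly.
compare_manifests() {
    awk 'NR == FNR { base[substr($0, 35)] = $1; next }
         {
             p = substr($0, 35)
             if (!(p in base))       print "ADDED", p
             else if (base[p] != $1) print "MODIFIED", p
             seen[p] = 1
         }
         END { for (p in base) if (!(p in seen)) print "MISSING", p }' "$1" "$2" | LC_ALL=C sort
}

# list_setuid ROOT: every setuid or setgid regular file. On a desktop the
# legitimate list is short; a new entry under /dev, /tmp or a dot-directory
# is a backdoor until proven otherwise.
list_setuid() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort )
}

# Constructed clean/suspect trees so the script runs stand-alone. In a real
# case the clean manifest comes from a pristine Slackware 10.1 install built
# to match the original setup, as Douglas describes.
build_demo_trees() {
    d=$(mktemp -d)
    for t in clean suspect; do
        mkdir -p "$d/$t/bin" "$d/$t/etc" "$d/$t/var/log"
        echo 'pretend ls binary' > "$d/$t/bin/ls"
        echo 'pretend ps binary' > "$d/$t/bin/ps"
        echo 'root:x:0:0::/root:/bin/bash' > "$d/$t/etc/passwd"
        echo 'Nov 16 02:20:41 box sshd[4190]: Accepted password for root from 203.0.113.7 port 51300 ssh2' \
            > "$d/$t/var/log/secure"
    done
    # What an intruder typically leaves behind: a replaced ls that hides
    # files, a hidden setuid root shell, and a wiped auth log.
    echo 'pretend ls binary, trojaned' > "$d/suspect/bin/ls"
    mkdir -p "$d/suspect/dev/.hidden"
    printf '#!/bin/sh\nexec /bin/sh\n' > "$d/suspect/dev/.hidden/bd"
    chmod 4755 "$d/suspect/dev/.hidden/bd"
    rm -f "$d/suspect/var/log/secure"
    echo "$d"
}

# Usage on a real disk (baseline.md5 made earlier from the clean install):
#   make_manifest /mnt/suspect '^\./var/log/' > current.md5
#   compare_manifests baseline.md5 current.md5
#   list_setuid /mnt/suspect
if [ "${1:-}" = "demo" ]; then
    d=$(build_demo_trees)
    make_manifest "$d/clean"   > "$d/baseline.md5"
    make_manifest "$d/suspect" > "$d/current.md5"
    compare_manifests "$d/baseline.md5" "$d/current.md5"
    echo "setuid/setgid files:"; list_setuid "$d/suspect"
    rm -rf "$d"
fi
```

The demo reports `MODIFIED ./bin/ls`, `ADDED ./dev/.hidden/bd` and `MISSING ./var/log/secure`, and the setuid listing shows the hidden shell on its own. For the "keep it up to date when you patch" part, regenerate the baseline from the clean reference after every upgradepkg and store it off the machine, since a manifest left on the disk is just one more file the intruder can rewrite. If the rescue media carries sha256sum, substitute it for md5sum in make_manifest; the manifest format (hash, two spaces, path) is the same, and only the `substr($0, 35)` offset in compare_manifests needs to become 67.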