Start with these tools:

A - search for rootkits
chkrootkit:
Checking `ifconfig'... INFECTED
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit...  /usr/include/file.h /usr/include/proc.h
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... You have     1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/iptotal)
rkhunter:
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update). If you're in doubt about these hashes, contact
the author (fill in the contact form).
--------------------------------------------------------------------------------
   Rootkit 'SHV4'...                                          [ Warning! ]
             --------------------------------------------------------------------------------
             Found parts of this rootkit/trojan by checking the default files and directories
             Please inspect the available files, by running this check with the parameter
             --createlogfile and check the log file (current file: /var/log/rkhunter.log).
             --------------------------------------------------------------------------------
* Application version scan
   - GnuPG 1.2.4                                              [ Vulnerable ]
   - OpenSSL 0.9.7a                                           [ Vulnerable ]
   - PHP 4.3.9-1                                              [ Unknown ]
   - PHP 4.3.9-1                                              [ Unknown ]
   - Procmail MTA 3.22                                        [ OK ]
   - OpenSSH 3.8.1p1                                          [ OK ]
B - more detailed investigation
#> lsof -i
3         12481   root    3u  IPv4 139597       TCP *:2345 (LISTEN)
# telnet localhost 2345
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.5-2.0.13
#> cat /proc/13066/cmdline
ttyload
# which ttyload
/sbin/ttyload
# ls -l /sbin/ttyload
-rwxr-xr-x   1 122      114        212747 Jul 16 13:37 /sbin/ttyload
# kill 12481
# rm /sbin/ttyload
rm: remove write-protected regular file `/sbin/ttyload'? y
rm: cannot remove `/sbin/ttyload': Operation not permitted
# last
bd       pts/0        pd950ea5a.dip.t- Tue Nov 30 19:05   still logged in
reboot   system boot  2.4.21-pre5-1um  Tue Nov 30 19:04          (00:38)
bd       pts/5        pd950ea5a.dip.t- Tue Nov 30 17:52 - down   (00:46)
bd       pts/0        pd950ea5a.dip.t- Tue Nov 30 17:51 - down   (00:47)
bd       pts/4        pd950ea5a.dip.t- Tue Nov 30 16:52 - down   (01:46)
natraj   pts/2        pd9eb7a77.dip0.t Tue Nov 30 14:38 - 18:00  (03:21)
bd       pts/1        pd950ea5a.dip.t- Tue Nov 30 14:38 - down   (04:00)
bd       pts/0        pd950ea5a.dip.t- Tue Nov 30 14:32 - 17:49  (03:17)
reboot   system boot  2.4.21-pre5-1um  Tue Nov 30 14:31          (04:07)
reboot   system boot  2.4.21-pre5-1um  Tue Nov 30 14:24          (04:14)
joko     pts/2        pd950ea5a.dip.t- Tue Nov 30 14:02 - crash  (00:21)
natraj   pts/0        pd9eb7a77.dip0.t Tue Nov 30 11:28 - crash  (02:56)
natraj   pts/0        pd9eb6304.dip0.t Mon Nov 29 14:51 - 17:57  (03:06)
bd       pts/1        p54802510.dip.t- Mon Nov 29 09:59 - 13:49  (03:50)
bd       pts/0        p54802510.dip.t- Mon Nov 29 08:16 - 10:25  (02:09)
reboot   system boot  2.4.21-pre5-1um  Mon Nov 29 08:10         (1+10:28)
wtmp begins Sun Nov 28 06:37:56 2004
C - more trails
# nano /root/.bash_history
export TERM=vt100
vi /etc/passwd
passswd bin
passwd bin
# find / -uid 122
/usr/bin/md5sum
/usr/bin/find
/usr/bin/top
/usr/bin/pstree
/usr/sbin/lsof
/bin/ls
/bin/ps
/bin/netstat
find: /proc/25248/fd/4: No such file or directory
/sbin/ifconfig
# cat /proc/25248/cmdline
xukay:/home/uml/quepasa/rootfs/mnt# find . -uid 122
./usr/bin/md5sum
./usr/bin/find
./usr/bin/top
./usr/bin/pstree
./usr/lib/libsh/.bashrc
./usr/lib/libsh/.sniff/shsniff
./usr/lib/libsh/.sniff/shp
./usr/lib/libsh/shsb
./usr/lib/libsh/hide
./usr/sbin/lsof
./bin/ls
./bin/ps
./bin/netstat
./lib/libsh.so/shhk
./lib/libsh.so/shhk.pub
./lib/libsh.so/shrs
./sbin/ifconfig
./sbin/ttyload
./sbin/ttymon
# find / -gid 114
/usr/bin/du
/usr/bin/oldps
/usr/bin/whereis
/usr/include/flio.h
/usr/lib/libsh/.bashrc
/usr/lib/libsh/.sniff/shsniff
/usr/lib/libsh/.sniff/shp
/usr/lib/libsh/shsb
/usr/lib/libsh/hide
/lib/libsh.so/shdcf
/lib/libsh.so/shhk
/lib/libsh.so/shhk.pub
/lib/libsh.so/shrs
find: /proc/1014/fd/4: No such file or directory
D - remove it!
# chattr -sia /usr/lib/libsh
# rm -r /usr/lib/libsh/
# chattr -sia /lib/libsh.so
# rm -r /lib/libsh.so
[...]
E - refresh system (find the packages at http://packages.debian.org/)
# apt-get install findutils 
ls:
# apt-get install fileutils coreutils
# cd /var/cache/apt/archives/
root@quepasa:/var/cache/apt/archives# dpkg -i coreutils_5.2.1-2_i386.deb
ps:
# apt-get install procps
lsof:
# apt-get install lsof
md5sum:
# apt-get install dpkg
pstree:
# apt-get install psmisc
ifconfig/netstat:
# apt-get install net-tools
# apt-get install netkit-inetd
# apt-get install textutils
# apt-get install shellutils
# apt-get install qpopper
# apt-get install vsftpd
# apt-get install rsync
# apt-get install uw-imapd-ssl
# apt-get install libssl0.9.7
# apt-get install ssh
# apt-get install cron
# apt-get install inn
# apt-get install util-linux
F - Todo
 investigate reason
 break-in via ftp or pop3???
 php?
 twiki search?
 deny loading of kernel modules
 deny public access to cvspserver
 do: #> apt-get upgrade
 install a filesystem integrity checker so that tampering with the filesystem does not go unrecognized
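Added example, not part of the original notes: a small baseline/verify checker that covers two of the points above, the orphan numeric owner (uid 122 / gid 114, which `ls -l` printed without a name) shared by the replaced binaries in section C, and the integrity checker on the todo list in section F. It hashes files itself instead of calling the host's md5sum, which was among the replaced files, and is meant to be run from a trusted host against the mounted rootfs as in section C; the function names, the directory list and the SHA-256 choice are my own assumptions.

```python
import hashlib
import os
import pwd
import grp

def file_record(path):
    """SHA-256 plus owner/group/mode of one regular file. The hash is computed
    here instead of by the host's md5sum, which was among the replaced binaries."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "uid": st.st_uid, "gid": st.st_gid,
            "mode": st.st_mode}

SYSTEM_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "lib")  # assumed list

def baseline(root, dirs=SYSTEM_DIRS):
    """Record every regular file below root/<dir>; root may be a mounted
    rootfs inspected from a trusted host, as in section C above."""
    records = {}
    for d in dirs:
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for name in names:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    records[os.path.relpath(p, root)] = file_record(p)
    return records

def verify(root, saved, dirs=SYSTEM_DIRS, known_uids=None, known_gids=None):
    """Compare the tree with a baseline kept off the host. known_uids/gids
    default to the running host's account database, which on a compromised
    box is itself suspect (note the vi /etc/passwd in .bash_history)."""
    if known_uids is None:
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    if known_gids is None:
        known_gids = {g.gr_gid for g in grp.getgrall()}
    current = baseline(root, dirs)
    findings = {"replaced": [], "added": [], "missing": [], "orphan_owner": []}
    for rel, rec in current.items():
        old = saved.get(rel)
        if old is None:
            findings["added"].append(rel)
        elif old != rec:
            findings["replaced"].append(rel)
        # owner with no account, like uid 122 / gid 114 on the replaced binaries
        if rec["uid"] not in known_uids or rec["gid"] not in known_gids:
            findings["orphan_owner"].append(rel)
    findings["missing"] = sorted(set(saved) - set(current))
    return findings
```

Store the baseline dict (e.g. as JSON) off the host right after a clean install, and rerun verify with the same dirs list; an orphan-owner hit on a file the baseline never saw is the case this page shows.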
G - Infos