
Hmm. Possible problem of a big order.

  • 31-08-2004 6:01pm
    #1
    Closed Accounts Posts: 4,763 ✭✭✭


    I have a nasty feeling that my Fedora installation has been compromised, i.e. hacked, due to poor security on my part (as I'm still a bit clueless on securing it). I had Fedora running overnight and today while I was at work. I came home to find the PC locked up; this was the first odd thing, as I run my PC, both in Windows and Fedora, with minimal services, to prevent this kind of thing.

    I reboot and I notice several odd things:

    1. There's net traffic when there should be none. First thing I did was ifdown

    2. Under Preferences-> Preferred Applications-> Startup, the programs I had listed were changed. I had Gaim, a firewall proggy and gnome terminal in it. Gaim and the terminal were removed.

    3. Firefox was telling me it was launched, even though it wasn't showing in the system monitor or my desktop.

    4. When I actually opened the terminal, my prompt had changed to:
    [root@filer3-b xxxx]

    Obviously my NTFS drive hasn't been touched, as I'm posting from it, and about the only way to feck with it from Fedora is to reformat it, which hasn't happened. I go to great lengths to keep Windows secure and my files on it safe and encrypted, so I'm assuming they're untouched, but on the flipside, until I know it was some sort of weird bug, I'm also assuming Fedora has been tampered with and my root password is known.

    Assuming this to be the case, what steps can I take to resecure Fedora? I'm quite possibly overreacting, but I think it's better to be paranoid and be proved wrong than be sloppy and lose a machine as a result.

    And this is probably the wrong board for this kind of thing, but I've found advice that I've been given here so far has been far better than elsewhere, such as on linuxquestions.org.


Comments

  • Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭Syth


    Well, one of the first things you should do is change all the passwords. Issue new passwords to each user and threaten them with death if they revert to the original.

    That's just my 2c though. I know feck all about security.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    I'm the only user of my machine, but I keep separate passwords for my account and for root. It'd be pointless changing passwords though, if a trojan/keylogger has been planted.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    Okay, I did some digging and it looks like Eircom made my entire system visible to the internet, as opposed to just my router, so that's how Fedora got screwed. Info on this seems slim at best.


  • Registered Users, Registered Users 2 Posts: 6,334 ✭✭✭OfflerCrocGod


    Fenster wrote:
    Okay, I did some digging and it looks like Eircom made my entire system visible to the internet, as opposed to just my router
    Could you elaborate on this please? Any nice links to back this up? I'm now worried about my own network. Also, once a machine has been compromised you have to reinstall; you cannot trust a hacked box, just start from scratch.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    Could you elaborate on this please? Any nice links to back this up? I'm now worried about my own network. Also, once a machine has been compromised you have to reinstall; you cannot trust a hacked box, just start from scratch.

    It was actually from this very board that I learned that:

    Clicky

    I had a bit of trouble following what was in those threads, but at the very least I gather I've been hit by a worm.


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    Fenster wrote:
    but at the very least I gather I've been hit by a worm.
    You are running linux, so that is highly unlikely, but you'd be better off reinstalling from scratch.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    Who knows, but when it comes to security, I assume the worst. Either way, my PC has been compromised.

    I'm not so much worried now about the cause of it as I am about ensuring it doesn't happen again. Once I burn the files I downloaded to disc, I'm going to do a low-level format from Windows.


  • Registered Users, Registered Users 2 Posts: 1,419 ✭✭✭nadir


    I know it's a bit late now, but what I would have done is run tcpdump to a log file for a few mins first, to see exactly what was going on, and analyse it later. I think it is possible that you were hit by a worm, although more likely hacked. It's important to subscribe to mailing lists and keep up with security updates. It's also good to keep your kernel updated, and run as few services as possible. Doing these is easily as important, if not more so, than running a firewall; even with a firewall up and running, you still aren't immune to attacks on services, although I'm sure you are aware of that.

    Looks like you weren't root compromised though. ;)


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    nadir wrote:
    I know it's a bit late now, but what I would have done is run tcpdump to a log file for a few mins first, to see exactly what was going on, and analyse it later. I think it is possible that you were hit by a worm, although more likely hacked. It's important to subscribe to mailing lists and keep up with security updates. It's also good to keep your kernel updated, and run as few services as possible. Doing these is easily as important, if not more so, than running a firewall; even with a firewall up and running, you still aren't immune to attacks on services, although I'm sure you are aware of that.

    Looks like you weren't root compromised though. ;)

    Well, second time round, I've got Guarddog installed and running correctly and it's given me peace of mind. I installed Ethereal also to keep a real-time monitor on traffic.

    I'm looking at this also, as I've heard some good things about it.


  • Closed Accounts Posts: 484 ✭✭ssh


    You've misunderstood the thread you linked to.

    Your PC still has a local, non-routable IP address (192.168.blah.blah). There is no way (short of you specifically configuring your router to do so) for a random computer on the internet to address your computer. No, Eircom shouldn't be reverse resolving non-routable IP addresses, but I don't think it's forbidden by the RFCs. It certainly hasn't compromised your security.

    Download chkrootkit, install lsof and run lsof -i. Take a look at what connections are open. I'd bet it's all good.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    ssh wrote:
    You've misunderstood the thread you linked to.

    Your PC still has a local, non-routable IP address (192.168.blah.blah). There is no way (short of you specifically configuring your router to do so) for a random computer on the internet to address your computer. No, Eircom shouldn't be reverse resolving non-routable IP addresses, but I don't think it's forbidden by the RFCs. It certainly hasn't compromised your security.

    Download chkrootkit, install lsof and run lsof -i. Take a look at what connections are open. I'd bet it's all good.

    I've the page bookmarked and I'll give it a look tonight. :D


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    ssh wrote:
    You've misunderstood the thread you linked to.

    Your PC still has a local, non-routable IP address (192.168.blah.blah). There is no way (short of you specifically configuring your router to do so) for a random computer on the internet to address your computer. No, Eircom shouldn't be reverse resolving non-routable IP addresses, but I don't think it's forbidden by the RFCs. It certainly hasn't compromised your security.

    Download chkrootkit, install lsof and run lsof -i. Take a look at what connections are open. I'd bet it's all good.

    Depends on the router, no? If the router isn't configured to only allow ESTABLISHED connections, then one could use source routing to get in.

    Gav


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    [root@localhost chkrootkit-0.44]# sh chkrootkit
    ROOTDIR is `/'
    Checking `amd'... not infected
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not infected
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not tested
    Checking `inetdconf'... not found
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... can't exec ./strings-static, not tested
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not infected
    Checking `netstat'... not infected
    Checking `named'... not infected
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not infected
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi/auto/mod_perl/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi/auto/Gaim/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist /usr/lib/transgaming_cedega/.transgaming /usr/lib/qt-3.3/etc/settings/.qtrc.lock /usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock /lib/modules/2.6.5-1.358/build/scripts/.elfconfig.h.cmd /lib/modules/2.6.5-1.358/build/scripts/.file2alias.o.cmd /lib/modules/2.6.5-1.358/build/scripts/.conmakehash.cmd /lib/modules/2.6.5-1.358/build/scripts/.pnmtologo.cmd /lib/modules/2.6.5-1.358/build/scripts/basic/.docproc.cmd /lib/modules/2.6.5-1.358/build/scripts/basic/.split-include.cmd /lib/modules/2.6.5-1.358/build/scripts/basic/.fixdep.cmd /lib/modules/2.6.5-1.358/build/scripts/.mk_elfconfig.cmd /lib/modules/2.6.5-1.358/build/scripts/.modpost.cmd /lib/modules/2.6.5-1.358/build/scripts/.kallsyms.cmd /lib/modules/2.6.5-1.358/build/scripts/.modpost.o.cmd /lib/modules/2.6.5-1.358/build/scripts/.sumversion.o.cmd /lib/modules/2.6.5-1.358/build/scripts/.bin2c.cmd /lib/modules/2.6.5-1.358/build/scripts/.empty.o.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.zconf.tab.o.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.libkconfig.so.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.conf.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.mconf.o.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.conf.o.cmd /lib/modules/2.6.5-1.358/build/.config /lib/modules/2.6.8-1.521/build/scripts/.conmakehash.cmd /lib/modules/2.6.8-1.521/build/scripts/.pnmtologo.cmd /lib/modules/2.6.8-1.521/build/scripts/basic/.docproc.cmd /lib/modules/2.6.8-1.521/build/scripts/basic/.split-include.cmd /lib/modules/2.6.8-1.521/build/scripts/basic/.fixdep.cmd /lib/modules/2.6.8-1.521/build/scripts/.kallsyms.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.elfconfig.h.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.file2alias.o.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.mk_elfconfig.cmd 
/lib/modules/2.6.8-1.521/build/scripts/mod/.modpost.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.modpost.o.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.sumversion.o.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.empty.o.cmd /lib/modules/2.6.8-1.521/build/scripts/.bin2c.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.zconf.tab.o.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.libkconfig.so.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.conf.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.mconf.o.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.conf.o.cmd /lib/modules/2.6.8-1.521/build/.config
    /usr/lib/transgaming_cedega/.transgaming
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ****C Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... nothing found
    Searching for HKRK rootkit... nothing found
    Searching for Suckit rootkit... nothing found
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for Madalin rootkit default files... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected
    Checking `bindshell'... not infected
    Checking `lkm'... Checking `rexedcs'... not found
    Checking `sniffer'... not tested: can't exec ./ifpromisc
    Checking `w55808'... not infected
    Checking `wted'... not tested: can't exec ./chkwtmp
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... not tested: can't exec ./chklastlog

    Seems clean to me. What do the rest of you make of it?


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    [root@localhost chkrootkit-0.44]# /usr/sbin/lsof -i
    COMMAND    PID    USER   FD   TYPE DEVICE SIZE NODE NAME
    dhclient  1992    root    4u  IPv4   3690       UDP *:bootpc
    portmap   2392     rpc    3u  IPv4   4177       UDP *:sunrpc
    portmap   2392     rpc    4u  IPv4   4178       TCP *:sunrpc (LISTEN)
    rpc.statd 2412 rpcuser    4u  IPv4   4210       UDP *:1024
    rpc.statd 2412 rpcuser    5u  IPv4   4202       UDP *:892
    rpc.statd 2412 rpcuser    6u  IPv4   4215       TCP *:1024 (LISTEN)
    cupsd     2574    root    0u  IPv4   4652       TCP localhost.localdomain:ipp (LISTEN)
    cupsd     2574    root    2u  IPv4   4653       UDP *:ipp
    sshd      2766    root    3u  IPv6   4673       TCP *:ssh (LISTEN)
    xinetd    2781    root    5u  IPv4   4747       TCP localhost.localdomain:1025 (LISTEN)
    sendmail  2800    root    4u  IPv4   4763       TCP localhost.localdomain:smtp (LISTEN)
    fam       3272    xxxx    0u  IPv4   4747       TCP localhost.localdomain:1025 (LISTEN)
    fam       3272    xxxx    1u  IPv4   4747       TCP localhost.localdomain:1025 (LISTEN)
    fam       3272    xxxx    2u  IPv4   4747       TCP localhost.localdomain:1025 (LISTEN)
    eggcups   3370    xxxx   16u  IPv4   6215       TCP localhost.localdomain:1028->localhost.localdomain:ipp (CLOSE_WAIT)
    gaim      3378    xxxx    7u  IPv4   6336       TCP 192.168.1.1:1035->64.12.24.51:5190 (ESTABLISHED)
    gaim      3378    xxxx    9u  IPv4   6337       TCP 192.168.1.1:1036->64.12.24.124:5190 (ESTABLISHED)
    gaim      3378    xxxx   12u  IPv4   6402       TCP 192.168.1.1:1039->205.188.7.34:5190 (ESTABLISHED)
    wine-prel 4198    xxxx   11u  IPv4   7887       TCP localhost.localdomain:1058->localhost.localdomain:ipp (CLOSE_WAIT)
    wine-prel 4198    xxxx   14u  IPv4   8027       TCP 192.168.1.1:1059->r026.d1.funcom.com:7012 (ESTABLISHED)
    wineserve 4201    xxxx   26u  IPv4   8027       TCP 192.168.1.1:1059->r026.d1.funcom.com:7012 (ESTABLISHED)
    firefox-b 4949    xxxx   27u  IPv4  18277       TCP 192.168.1.1:1487->66.102.11.104:http (ESTABLISHED)
    firefox-b 4949    xxxx   45u  IPv4  18337       TCP 192.168.1.1:1502->A159-134-196-117.deploy.akamaitechnologies.com:http (ESTABLISHED)

    For good or bad, this is my network traffic. What can be done here to tighten things up? I'm using Guarddog right now with it set to block more or less everything I don't allow. That said, I need to tackle iptables directly sooner or later. Every "guide" I've googled has assumed a far greater expertise than I can lay claim to right now. Are there any idiot's guides out there with big, pretty pictures for slow people like me?


  • Closed Accounts Posts: 484 ✭✭ssh


    Not sure about disabling services in fedora, but you can probably afford to lose:

    rpcd
    portmap
    cups
    sendmail (!!!)
    xinetd

    chkrootkit looks fine.
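    To make the "run lsof -i and look at what's open" advice concrete, here is an added example (not code from the thread) that parses an lsof -i listing and sorts sockets into those bound to every interface, those bound to loopback only, and outbound connections to non-private peers. The sample rows are copied from the lsof output posted above; the bucket names and the is_local_address rule (RFC 1918 and loopback count as local) are this example's own choices.

```python
"""Triage an `lsof -i` listing: sockets bound to every interface (reachable by
anything that can route to the box), loopback-only listeners, and outbound
connections to non-private peers.  Added example, not code from the thread;
the sample rows are copied from the lsof output posted above."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

LSOF_OUTPUT = """\
COMMAND    PID    USER   FD   TYPE DEVICE SIZE NODE NAME
dhclient  1992    root    4u  IPv4   3690       UDP *:bootpc
portmap   2392     rpc    4u  IPv4   4178       TCP *:sunrpc (LISTEN)
rpc.statd 2412 rpcuser    6u  IPv4   4215       TCP *:1024 (LISTEN)
cupsd     2574    root    0u  IPv4   4652       TCP localhost.localdomain:ipp (LISTEN)
sshd      2766    root    3u  IPv6   4673       TCP *:ssh (LISTEN)
sendmail  2800    root    4u  IPv4   4763       TCP localhost.localdomain:smtp (LISTEN)
gaim      3378    xxxx    7u  IPv4   6336       TCP 192.168.1.1:1035->64.12.24.51:5190 (ESTABLISHED)
firefox-b 4949    xxxx   27u  IPv4  18277       TCP 192.168.1.1:1487->66.102.11.104:http (ESTABLISHED)
"""

# Columns: COMMAND PID USER FD TYPE DEVICE [SIZE] NODE NAME [(STATE)]; SIZE is blank for sockets.
ROW = re.compile(r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+"
                 r"(?:\S+\s+)?(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?\s*$")


class Sock(NamedTuple):
    command: str
    pid: int
    user: str
    proto: str
    local: str             # "host:port" as lsof prints it
    remote: Optional[str]  # peer "host:port" for connected sockets, else None
    state: Optional[str]   # LISTEN / ESTABLISHED / ...; None for UDP


def parse_lsof(text: str) -> List[Sock]:
    """Parse lsof -i rows; the header and lines that do not match are skipped."""
    socks = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, _, remote = m.group("name").partition("->")
            socks.append(Sock(m.group("cmd"), int(m.group("pid")), m.group("user"),
                              m.group("proto"), local, remote or None, m.group("state")))
    return socks


def is_local_address(host: str) -> bool:
    """Loopback names and RFC 1918 / loopback IPs are 'local'; a public hostname is not."""
    if host.startswith("localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def triage(socks: List[Sock]) -> Dict[str, List[str]]:
    """'exposed': bound to * (TCP in LISTEN, or any UDP bind, as UDP has no LISTEN state);
    'loopback': listening on localhost only; 'external': connected to a non-private peer."""
    report: Dict[str, List[str]] = {"exposed": [], "loopback": [], "external": []}
    for s in socks:
        tag = f"{s.command}[{s.pid}]"
        if s.remote is None:
            host = s.local.rpartition(":")[0]
            if host == "*" and (s.proto == "UDP" or s.state == "LISTEN"):
                report["exposed"].append(f"{tag}: {s.proto} {s.local}")
            elif s.state == "LISTEN" and is_local_address(host):
                report["loopback"].append(f"{tag}: {s.proto} {s.local}")
        elif not is_local_address(s.remote.rpartition(":")[0]):
            report["external"].append(f"{tag}: {s.local}->{s.remote} {s.state}")
    return report


if __name__ == "__main__":
    for bucket, rows in triage(parse_lsof(LSOF_OUTPUT)).items():
        print(bucket + ":", *rows, sep="\n  ")
```

    The "exposed" bucket is the one to work through with chkconfig: every entry there is a service answering on the LAN address, so anything not deliberately offered (portmap, rpc.statd here) is a candidate to turn off.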


  • Closed Accounts Posts: 484 ✭✭ssh


    Verb wrote:
    Depends on the router, no ? If the router isn't configured to only allow ESTABLISHED connections, then one could use source routing to get in.

    Gav

    I assume you mean destination natting?


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    ssh wrote:
    I assume you mean destination natting?

    I don't know, I haven't heard that term before.

    Gav


  • Registered Users, Registered Users 2 Posts: 1,862 ✭✭✭flamegrill


    chkconfig $SERVER off will disable the service you want disabled on Red Hat and Red Hat-like distros.

    Paul


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    Well, it's happened again.

    Logged on to find my bash prompt changed to [root@filer3-b home]#, Fedora running slow and my net bogged down. I'm running Ethereal and tcpdump to log packets. tcpdump shows me as spamming out to filer3-b.indigo.ie.
    Talking 50-60 messages a second.

    21:14:45.036516 IP 64.106.154.149.http > filer3-b.indigo.ie.1071: P 110083:110309(226) ack 5400 win 16479
    21:14:45.064570 IP 64.106.154.149.http > filer3-b.indigo.ie.1073: P 29612:30896(1284) ack 4566 win 15621
    21:14:45.064730 IP filer3-b.indigo.ie.1073 > 64.106.154.149.http: . ack 30896 win 372
    21:14:45.064851 IP filer3-b.indigo.ie.1073 > 64.106.154.149.http: P 4566:4984(418) ack 30896 win 372
    21:14:45.076081 IP filer3-b.indigo.ie.1071 > 64.106.154.149.http: . ack 110309 win 501
    21:14:45.206618 IP 64.106.154.149.http > filer3-b.indigo.ie.1073: P 30896:31122(226) ack 4984 win 16896
    21:14:45.232136 IP 64.106.154.149.http > filer3-b.indigo.ie.1073: . 31122:32530(1408) ack 4984 win 16896
    21:14:45.232200 IP filer3-b.indigo.ie.1073 > 64.106.154.149.http: . ack 32530 win 395
    21:14:45.259660 IP 64.106.154.149.http > filer3-b.indigo.ie.1073: . 32530:33938(1408) ack 4984 win 16896
    21:14:45.266815 IP 64.106.154.149.http > filer3-b.indigo.ie.1073: P 33938:34343(405) ack 4984 win 16896
    21:14:45.266916 IP filer3-b.indigo.ie.1073 > 64.106.154.149.http: . ack 34343 win 418
    21:14:45.268332 IP filer3-b.indigo.ie.1073 > 64.106.154.149.http: P 4984:5402(418) ack 34343 win 418
    21:14:45.284435 IP 64.106.154.149.http > filer3-b.indigo.ie.1071: P 110309:111185(876) ack 5400 win 16479
    21:14:45.284616 IP filer3-b.indigo.ie.1071 > 64.106.154.149.http: . ack 111185 win 501
    21:14:45.284752 IP filer3-b.indigo.ie.1071 > 64.106.154.149.http: P 5400:5814(414) ack 111185 win 501
    21:14:45.409130 IP 64.106.154.149.http > filer3-b.indigo.ie.1073: P 34343:34568(225) ack 5402 win 16478
    21:14:45.449011 IP filer3-b.indigo.ie.1073 > 64.106.154.149.http: . ack 34568 win 418
    21:14:45.454192 IP 64.106.154.149.http > filer3-b.indigo.ie.1071: P 111185:111411(226) ack 5814 win 16065
    21:14:45.494009 IP filer3-b.indigo.ie.1071 > 64.106.154.149.http: . ack 111411 win 501

    And so on. 64.106.154.149 resolves to:
    [Querying whois.arin.net]
    [whois.arin.net]

    OrgName: DataPipe
    OrgID: DATAPI-2
    Address: 80 River Street, 5th Floor
    City: Hoboken
    StateProv: NJ
    PostalCode: 07030
    Country: US

    NetRange: 64.106.128.0 - 64.106.255.255
    CIDR: 64.106.128.0/17
    NetName: DATAPIPE-BLK4
    NetHandle: NET-64-106-128-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.DATAPIPE.NET
    NameServer: NS2.DATAPIPE.NET
    NameServer: NS3.DATAPIPE.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2002-04-02
    Updated: 2004-06-14

    AbuseHandle: DATAP-ARIN
    AbuseName: DataPipe Abuse
    AbusePhone: +1-201-792-1918
    AbuseEmail: abuse@datapipe.com

    TechHandle: DH1029-ARIN
    TechName: DataPipe Hostmaster
    TechPhone: +1-201-792-1918
    TechEmail: hostmaster@datapipe.com

    OrgTechHandle: DH1029-ARIN
    OrgTechName: DataPipe Hostmaster
    OrgTechPhone: +1-201-792-1918
    OrgTechEmail: hostmaster@datapipe.com

    # ARIN WHOIS database, last updated 2004-09-12 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    chkrootkit didn't show anything anomalous.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    lsof -i turned up this:

    http 4009 root 3u IPv4 59848 TCP filer3-b.indigo.ie:1550->ie

    My earlier assumption about this was wrong, so can anyone tell me just what the hell filer3-b is? Google doesn't turn up anything. It bugs me to hell and back every time I see it in my bash prompt.

    I ran clamav also. It turned up 8 viruses/infected files in /usr and 7 in /home.


  • Registered Users, Registered Users 2 Posts: 1,067 ✭✭✭tomk


    You've already correctly identified filer3-b - it's caused by €ircon incorrectly resolving private IP addresses in public internet space. A fair few people have seen this, but you're the first I have come across that's been adversely affected. I suppose it was bound to happen sooner or later, though.

    There's one solution that will definitely work - change your internal addressing scheme to one that €ircon haven't hijacked, e.g. 10.x.x.x or 172.16.x.x. I don't know how much hassle this might be for you, but it will prevent any further recurrence.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    tomk wrote:
    You've already correctly identified filer3-b - it's caused by €ircon incorrectly resolving private IP addresses in public internet space. A fair few people have seen this, but you're the first I have come across that's been adversely affected. I suppose it was bound to happen sooner or later, though.

    There's one solution that will definitely work - change your internal addressing scheme to one that €ircon haven't hijacked, e.g. 10.x.x.x or 172.16.x.x. I don't know how much hassle this might be for you, but it will prevent any further recurrence.

    I don't think changing my internal addressing is possible, due to my router. I don't want to just wipe the fecking HD again as I'd rather sit down and sort this problem out.

    What I really need is further reading on iptables (everything I've turned up so far has been useless, as it skips the basics and delves right into advanced scripting) and on filer3-b, as Google, Symantec, Security Focus and a few other sites I know of don't have anything whatsoever on this, which is always a bad sign.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    Someone must know what filer3-b is. :p


  • Registered Users, Registered Users 2 Posts: 1,067 ✭✭✭tomk


    A lot of people know what filer3-b is, Fenster - I'm one of them, but it seems my explanation is not acceptable to you. I'll give it one more try...

    You have an internal address of 192.168.1.1. You are using Eircom's DNS servers. These servers are incorrectly resolving 192.168.1.1 to filer3-b.indigo.ie. This behaviour has been observed by users of Indigo and Eircom since 2000.

    Even though your IP address is private, filer3-b.indigo.ie is a public URL. There is therefore the possibility that someone could access your system. This is what appears to have happened.

    I'll also offer one more possible answer, as you have ruled out changing your addressing scheme. This may not work, but if you can configure your router to use someone else's DNS service, the problem should also disappear.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    Geh, I was just dumb earlier. Apologies. :p

    I changed my internal IPs and found that my system was no longer behaving...oddly.

    Long story short, it happened again and I've wiped the HD.

