rootkit found system compromised

[Unguidedone]

my system was hardened (not saying it was perfect but it was reasonably safe)

i installed apparmor,selinux, harded the kernel, encrypted huge partions of my hardrive with truecrypt, used a password safe, only used aes encryption, setup firewalls (software firewall and physical firewall), used strong passwords, installed snort, installed 2 anti virus programs, checked all ports (all were steathed none were open) ~ updated my system often, i only downloaded programs from the ubuntu software center.


i found out before my system was scanned that something was wrong, i was using nmap and was seeing odd packet traffic activity yes from 3 ports (failed to write it down) and had higher then normal cpu usage

the only thing i would change is connect to the internet with a secure encrypted vpn. ya ill power down now...

[crispy_420]

Maybe look into bastille to further lock down the system. Its in the repos.

[Unguidedone]

the rootkit is back....

the only thing i did not install was bastille (because it failed to run in terminal)

3 ports are infected and there is +1 users on the system..... (same ports to)
i am running port senetry so it could be a false positive.

ill have to reinstall (5th time in total)


the system is locked down pertty well and remote access is disabled i dont know if they are using ssh. There is a security hole somewhere in here that i have yet to find. ill keep working....

[linuxpenguin]

I'm no security pro... but...

What non-default programs are you installing?
Do you have a backup that you're restoring from?
Is the drive/partition you're installing to the only one in the system? (And if not, have you tried scanning the other partitions or reinstalling without all the other drives hooked up?)

Are you installing from a burned ISO, or are you installing from an external drive (and if you are installing from an external drive, has that drive been scanned)?

The fact that it comes back (and comes back so quick) says to me that either someone is really dedicated and you're being targeted, or there's something snuck into something you're installing, or there's something that found its way onto a backup. If you're using backups, or have stuff outside the repos that you install, try holding off on all that for a while and see if it comes back.

[Unguidedone]

i have the following on my system:

last fm squabbler
skype
diablo 2 lod (tested and its safe)
codelite
truecrypt
wine
apparmor
selinux
codexs to run dvds/mp3's

i only install stuff from the repository but i was thinking what ever it is that is installed to the boot sector because thats the only area that does not get wiped with i wipe the drives and reinstall.

but heres something really odd:

http://ubuntuforums.org/showthread.php?t=1362074

same problem what i have 100%

heres the terminal readout :

julio@julio-ThinkCentre-M52:~$ sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not found
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/pymodules/python2.6/.path /usr/lib/firefox-3.6.18/.autoreg /usr/lib/xulrunner-1.9.2.18/.autoreg

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient3[7853])
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user julio deleted or never logged from lastlog!
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
julio@julio-ThinkCentre-M52:~$ sudo rkhunter --check
[ Rootkit Hunter version 1.3.6 ]

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/fuser [ OK ]
/bin/grep [ OK ]
/bin/ip [ OK ]
/bin/kill [ OK ]
/bin/less [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/lsmod [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/readlink [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/which [ OK ]
/bin/dash [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dpkg [ OK ]
/usr/bin/dpkg-query [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mlocate [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/mawk [ OK ]
/usr/bin/lwp-request [ OK ]
/usr/bin/w.procps [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ OK ]
/sbin/ifup [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/unhide-linux26 [ OK ]

[Press <ENTER> to continue]


Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
Fu Rootkit [ Not found ]
****`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
iLLogiC Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]

Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]

Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]

[Press <ENTER> to continue]


Checking the network...

Performing check for backdoor ports
Checking for TCP port 1524 [ Not found ]
Checking for TCP port 1984 [ Not found ]
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 6666 [ Not found ]
Checking for TCP port 6667 [ Not found ]
Checking for TCP port 6668 [ Not found ]
Checking for TCP port 6669 [ Not found ]
Checking for TCP port 7000 [ Not found ]
Checking for TCP port 13000 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 25000 [ Not found ]
Checking for TCP port 29812 [ Not found ]
Checking for TCP port 31337 [ Not found ]
Checking for TCP port 32982 [ Not found ]
Checking for TCP port 33369 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 47018 [ Not found ]
Checking for TCP port 60922 [ Not found ]
Checking for TCP port 62883 [ Not found ]
Checking for TCP port 65535 [ Not found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

[Press <ENTER> to continue]


Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ None found ]

Performing system configuration file checks
Checking for SSH configuration file [ Not found ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]

[Press <ENTER> to continue]



System checks summary
=====================

File properties checks...
Files checked: 130
Suspect files: 0

Rootkit checks...
Rootkits checked : 242
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 1 minute and 24 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

julio@julio-ThinkCentre-M52:~$


strange huh?


from rkunter.log

[18:22:38] Checking for running syslog daemon [ Found ]
[18:22:38] Checking for syslog configuration file [ Found ]
[18:22:38] Info: Found syslog configuration file: /etc/rsyslog.conf
[18:22:38] Checking if syslog remote logging is allowed [ Not allowed ]
[18:22:38]
[18:22:38] Performing filesystem checks
[18:22:38] Info: Starting test name 'filesystem'
[18:22:38] Info: SCAN_MODE_DEV set to 'THOROUGH'
[18:22:39] Checking /dev for suspicious file types [ Warning ]
[18:22:39] Warning: Suspicious file types found in /dev:
[18:22:39] /dev/shm/pulse-shm-2435996179: data
[18:22:39] /dev/shm/pulse-shm-112226101: data
[18:22:39] /dev/shm/pulse-shm-3764120937: data
[18:22:39] /dev/shm/pulse-shm-3230137181: data
[18:22:39] /dev/shm/pulse-shm-2994921804: data
[18:22:39] /dev/shm/ecryptfs-julio-Private: ASCII text
[18:22:39] Checking for hidden files and directories [ Warning ]
[18:22:39] Warning: Hidden directory found: /dev/.udev
[18:22:39] Warning: Hidden directory found: /dev/.initramfs
[18:22:39] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[18:22:39] Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
[18:22:43]
[18:22:43] Info: Test 'apps' disabled at users request.
[18:22:43]
[18:22:43] System checks summary
[18:22:43] =====================
[18:22:43]
[18:22:43] File properties checks...
[18:22:43] Files checked: 130
[18:22:43] Suspect files: 0
[18:22:43]
[18:22:43] Rootkit checks...
[18:22:43] Rootkits checked : 242
[18:22:43] Possible rootkits: 0
[18:22:43]
[18:22:43] Applications checks...
[18:22:43] All checks skipped
[18:22:43]
[18:22:43] The system checks took: 1 minute and 24 seconds
[18:22:43]
[18:22:43] Info: End date is Wed Jun 29 18:22:43 MST 2011

"data" is a 5 gb truecrypt container ment for holding secure files and its empty but the odd thing is "data" the file i made is in home folder so thats quite odd.

[Dangertux]

Ok -- let's take it back to square 1.

First , the above output does not show anything that leads me to believe there is a root-kit present on the system as of this moment.

Second, chkrootkit really is not the best option for Ubuntu, it tends to return a lot of false positives because of how Ubuntu functions. In order to maintain compatibility with certain scripts Ubuntu uses symlinks in place of certain files that by default are not installed on this distribution. This makes chkrootkit crap its pants thinking something bad is happening when in reality it's nothing out of the ordinary.

Third, if you're using nmap to scan your machine FROM your machine, any firewalling you have in place is going to be bypassed (due to UFW automatically allowing loopback traffic). So you're going to get different results then someone scanning your computer remotely. If you're really concerned about outbound traffic, I would use wireshark to monitor it and see what is going on. See what is connecting to where. Failing this use netstat to find out what is listening (discount things listening only on localhost). You are particularly interested in ESTABLISHED or LISTENING sockets.

Fourth , SELinux and Apparmor don't play well together, I would advise using only one.

Fifth, I highly doubt that you got a rootkit that is still residing on your hard drive. IF for some reason it has eluded your multiple reinstalls. You can wipe your entire hard drive from a liveCD prior to reinstalling. You can do something like this

Code:

sudo shred -n7 -v /dev/sda

WARNING: THIS WILL DESTROY ALL DATA ON THE HARD DRIVE IT IS USED ON, IT IS HIGHLY IMPROBABLE THAT THIS DATA WILL EVER BE RECOVERED

Then reinstall your OS.

Sixth, I really think you're letting this get to you too much. If anything follow the above step, reinstall fresh, don't install anything from the previous installation, turn on UFW and just chill out for a little bit.

Edit: Another suggestion would be once you have your OS back up install your programs in a VM instance 1 at a time and observe which one of them is backdoored.

Good luck.

[Unguidedone]

ok just to be safe ill do a full wipe


very useful command ^.^

I am thinking of getting some thermite in a bag resting on top of the ssd (airtight so it does not dirty my computers system) and have a small glass bottle of kmn04/glycerin so i can break the bottle with a metal pin and have it leak. I can always test out that command instead but i dont have to type a sudo password : )

[Dangertux]

ok just to be safe ill do a full wipe


very useful command ^.^

I am thinking of getting some thermite in a bag resting on top of the ssd (airtight so it does not dirty my computers system) and have a small glass bottle of kmn04/glycerin so i can break the bottle with a metal pin and have it leak. I can always test out that command instead but i dont have to type a sudo password : )

Or maybe you should just go out with friends and let the paranoia wear off? LOL

The new Transformers movie was pretty cool , should go see that.

[linuxpenguin]

Yeah there always is the possibility of a false positive with any security scanner. If you know that you've been installing from scratch and have been using an uninfected install disk, I wouldn't worry about it. Try another anti-rootkit, and if that checks out OK then don't worry.

[doas777]

Or maybe you should just go out with friends and let the paranoia wear off? LOL

The new Transformers movie was pretty cool , should go see that.

wait, so, the suggestion is to get out and be more sociable, but also to go see Michael Bay's latest crapfest? my guess is that will instill additional paranoia and agoraphobia.