Have I been hacked?


Post by Lee Gre » Tue, 03 Dec 2002 06:57:09



I have a Linksys router and firewall with IP 192.168.1.1, distributing DSL
to three linux boxes (RHL 7.2 or 7.3) and two Windows PCs.  Normally, when I
log in to my linux servers, I see one of the IP addresses of my Windows
machines, where I log in using PuTTY.  Today, however, I just saw the
following:

login as: root
Sent username "root"

Last login: Fri Nov 29 16:14:05 2002 from 192.168.1.1

I have never seen the IP address of my router as the last login.  I was home
and working at that time, so I undoubtedly did login, but why does it show
192.168.1.1, rather than 192.168.1.77 or 192.168.1.20, which are the two
Windows machines?  Does the login from the router indicate that someone got
through my firewall?

Are there any diagnostics I can run to determine if anything has been
compromised?

Thanks,
Lee Grey
http://www.URLinOne.com
http://www.AuctionRelay.com
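The "Last login ... from 192.168.1.1" line that sshd prints comes from lastlog, which only keeps the single most recent login per user. The full history of who logged in from where is in /var/log/wtmp, which `last -i` prints with numeric source addresses. The script below is an added example, not something posted in the thread: it reads `last -i` style records and prints every one whose source is not one of the two Windows machines named above, so each surprise can be matched against what you remember doing. The allowed list and the sample records are constructed for the demo; the assumption that `last -i` shows `0.0.0.0` for console logins and that the source address is the third column follows the usual `last` output layout.

```shell
#!/bin/sh
# Added example (not from the thread): list login records whose source address
# is not one of the hosts you normally log in from.
# On a real box feed it live data:   last -i | flag_unexpected_logins

# Sources the original poster says he normally logs in from (from the thread),
# plus 0.0.0.0, which `last -i` prints for local console logins (assumption).
ALLOWED_SOURCES="192.168.1.77 192.168.1.20 0.0.0.0"

# Read `last -i` lines on stdin and print those whose third field (the source
# host) is not in ALLOWED_SOURCES. Skips blanks, reboot records and the
# trailing "wtmp begins ..." line.
flag_unexpected_logins() {
    awk -v allowed="$ALLOWED_SOURCES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF < 3 || $1 == "wtmp" || $1 == "reboot" { next }
        !($3 in ok) { print }
    '
}

# Constructed sample of `last -i` output (not real data from the thread).
SAMPLE='root     pts/0        192.168.1.1      Fri Nov 29 16:14 - 17:02  (00:48)
root     pts/0        192.168.1.77     Thu Nov 28 09:10 - 11:30  (02:20)
lee      pts/1        192.168.1.20     Wed Nov 27 20:01 - 20:45  (00:44)
reboot   system boot  0.0.0.0          Wed Nov 27 19:55         (1+21:13)

wtmp begins Mon Nov 25 08:00:01 2002'

# Number of flagged records in the sample, for scripting around the check.
count_unexpected_logins() {
    printf '%s\n' "$SAMPLE" | flag_unexpected_logins | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | flag_unexpected_logins
```

Run against the sample it prints only the Nov 29 root login from 192.168.1.1. On the real machine, run `last -i` from a clean boot medium against the mounted disk rather than trusting the installed binary, for the reason the next reply gives.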


Have I been hacked?

Post by Richard Pit » Tue, 03 Dec 2002 13:23:48



> I have a Linksys router and firewall with IP 192.168.1.1, distributing
> DSL to three linux boxes (RHL 7.2 or 7.3) and two Windows PCs. Normally,
> when I log in to my linux servers, I see one of the IP addresses of my
> Windows machines, where I log in using PuTTY.  Today, however, I just
> saw the following:

> login as: root
> Sent username "root"

> Last login: Fri Nov 29 16:14:05 2002 from 192.168.1.1

This is _very_ ominous.

I'd check my system for root kits and such, and consider that it is
compromised until proven otherwise.

Don't trust any of the normal "system checking" binaries on your machine
- ps, du, top and others - get fresh copies from somewhere (I have a
number of VMWare bootables that I can get them from on my machine for
example, plus things like Tom's Root Boot http://www.toms.net/rb/ or any
other bootable floppy/CD version.

Please keep us informed - if there is a compromise for the Linksys I'm
sure many would be interested (other than the one shown at:
http://www.securiteam.com/securitynews/6J00L0K60U.html )

richard


> I have never seen the IP address of my router as the last login.  I was
> home and working at that time, so I undoubtedly did login, but why does
> it show 192.168.1.1, rather than 192.168.1.77 or 192.168.1.20, which are
> the two Windows machines?  Does the login from the router indicate that
> someone got through my firewall?

> Are there any diagnostics I can run to determine if anything has been
> compromised?

> Thanks,
> Lee Grey
> http://www.URLinOne.com
> http://www.AuctionRelay.com

--
Richard C. Pitt                 C.E.O. Belcarra Technologies

Software Systems - design and implementation: Internet, Linux, Communications
USB, RNDIS, ATM, E-mail, SQL, Encryption, Security, Web, Embedded Systems
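One concrete way to act on the advice above about not trusting ps, top and friends: boot the trusted medium, mount the suspect disk read-only, and checksum the inspection binaries on it against the known-good copies. A replaced binary shows up as a mismatch, and a binary the intruder removed shows up as missing. The script below is an added example, not code from the thread or from any rescue disk: the paths `/mnt/clean` and `/mnt/suspect` and the files it creates for its self-test are constructed, and it assumes `md5sum` (or `md5 -q` on BSD-style systems) and `mktemp -d` are available on the trusted medium.

```shell
#!/bin/sh
# Added example (not from the thread): compare system-inspection binaries on a
# suspect filesystem against known-good copies by checksum. Run it FROM the
# trusted boot medium, so the checksum tool itself is not the suspect one.
#
# Usage on a real box, suspect disk mounted read-only at /mnt/suspect and the
# trusted medium at /mnt/clean (both paths are assumed):
#   compare_binaries /mnt/clean /mnt/suspect bin/ps bin/ls usr/bin/top bin/netstat

# Checksum helper: md5sum on Linux, md5 -q on BSD-style systems.
checksum() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
    else md5 -q "$1"; fi
}

# compare_binaries CLEAN_ROOT SUSPECT_ROOT path... : prints one line per path
# and returns the number of paths that are missing or differ (0 = all match).
compare_binaries() {
    clean=$1; suspect=$2; shift 2
    bad=0
    for rel in "$@"; do
        if [ ! -f "$suspect/$rel" ]; then
            echo "MISSING  $rel"; bad=$((bad + 1)); continue
        fi
        if [ "$(checksum "$clean/$rel")" = "$(checksum "$suspect/$rel")" ]; then
            echo "OK       $rel"
        else
            echo "MISMATCH $rel"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Self-test on a constructed pair of trees (not a real system): ps replaced,
# ls untouched, netstat absent on the suspect side. Prints the bad count.
demo_compare() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/clean/bin" "$tmp/suspect/bin"
    printf 'real ps\n'      > "$tmp/clean/bin/ps"
    printf 'real ls\n'      > "$tmp/clean/bin/ls"
    printf 'real netstat\n' > "$tmp/clean/bin/netstat"
    printf 'trojaned ps\n'  > "$tmp/suspect/bin/ps"   # replaced binary
    printf 'real ls\n'      > "$tmp/suspect/bin/ls"   # untouched
    if compare_binaries "$tmp/clean" "$tmp/suspect" bin/ps bin/ls bin/netstat; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$tmp"
    echo "$rc"
}

demo_compare
```

On Red Hat the package database offers a second, independent reference: `rpm -Va` from the clean medium (with `--root` pointing at the mounted disk) reports files whose size, mode or MD5 no longer match what the package installed, which catches replacements in binaries you did not think to list.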


Have I been hacked?

Post by Jem Berke » Tue, 03 Dec 2002 14:32:27


> I'd check my system for root kits and such, and consider that it is
> compromised until proven otherwise.

i.e.
http://www.chkrootkit.org/

--
Jem Berkes
http://www.pc-tools.net/
Windows, Linux & UNIX software


Have I been hacked?

Post by Sherwin Dubre » Thu, 05 Dec 2002 08:07:12


I have a similar setup to the 'attacked' system in question.  Right now,
the Linksys is my only firewall for Linux programs.  I am well protected on
the Windows side and have programs in place to screen out viruses.  Being
new to Linux (Red Hat 7.3), I know nothing about anti-virus protection.
Where to begin, and how to keep up to date?
                          Sherwin Dubren

> > I'd check my system for root kits and such, and consider that it is
> > compromised until proven otherwise.

> i.e.
> http://www.chkrootkit.org/

> --
> Jem Berkes
> http://www.pc-tools.net/
> Windows, Linux & UNIX software


Have I been hacked?

Post by Lee Gre » Thu, 05 Dec 2002 14:59:54


I downloaded chkrootkit, compiled it, and ran it.  It shows nothing out of
the ordinary, other than:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Digest/MD5/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Compress/Zlib/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Archive/Tar/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/Telnet/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Term/ReadKey/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Term/ReadLine/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Test/Simple/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/DBI/.packlist
/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Data/ShowTable/.packlist
/usr/lib/perl5/5.6.1/i386-linux/auto/Test/Harness/.packlist
/usr/lib/perl5/5.6.1/i386-linux/auto/CPAN/.packlist
/usr/lib/perl5/5.6.1/i386-linux/.packlist

I'm not sure what makes these suspicious to chkrootkit.

Anyway, everything seems to be normal, but I have to wonder how far you can
trust downloading, compiling, and running chkrootkit on a potentially hacked
machine.  Is that foolish, or is it reasonable to assume that such a process
could not be successfully hacked?  Sorry for what may be a really stupid
question, but I'm pretty new to the dark arts of Linux system
administration.

Can I consider my machines clean?  I'm not sure what to make of the
192.168.1.1 message, but does a clean bill of health from chkrootkit mean
I'm in the clear?  And does running it without a clean boot count?

Thanks for all your help!

Lee Grey
Grey Matter
http://www.URLinOne.com
http://www.AuctionRelay.com
http://www.OptionInsight.com


> > I'd check my system for root kits and such, and consider that it is
> > compromised until proven otherwise.

> i.e.
> http://www.chkrootkit.org/

> --
> Jem Berkes
> http://www.pc-tools.net/
> Windows, Linux & UNIX software


Have I been hacked?

Post by Luke Voge » Thu, 05 Dec 2002 19:18:48



> I downloaded chkrootkit, compiled it, and ran it.  It shows nothing out of
> the ordinary, other than:

> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Digest/MD5/.packlist
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Compress/Zlib/.packlist
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Archive/Tar/.packlist
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/Telnet/.packlist
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/.packlist
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Term/ReadKey/.packlist
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Term/ReadLine/.packlist
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Test/Simple/.packlist
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/DBI/.packlist
> /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Data/ShowTable/.packlist
> /usr/lib/perl5/5.6.1/i386-linux/auto/Test/Harness/.packlist
> /usr/lib/perl5/5.6.1/i386-linux/auto/CPAN/.packlist
> /usr/lib/perl5/5.6.1/i386-linux/.packlist

> I'm not sure what makes these suspicious to chkrootkit.

chkrootkit thinks hidden files in /usr are worthy of a closer look.

--
Regards
Luke
------
When I die, I want to die like my Grandmother who died peacefully
in her sleep. Not screaming like all the passengers in her car.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------
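The check behind that chkrootkit message can be reproduced by hand, which also answers why those particular paths came up: every `.packlist` is a manifest that Perl's ExtUtils::MakeMaker writes when a module is installed, so hidden files with that name under the perl5 tree are expected, while any other dot-file or dot-directory under /usr deserves a look because packages leave almost none there. The script below is an added example, not chkrootkit's own code and not posted in the thread: it lists hidden entries under a tree, filters the `.packlist` manifests by name, and exercises itself on a constructed directory (not the poster's filesystem). It assumes `find` and `mktemp -d` are available.

```shell
#!/bin/sh
# Added example (not from the thread, not chkrootkit's code): list hidden files
# and directories under a tree, the check chkrootkit reports as "Searching for
# suspicious files and dirs". Perl's .packlist install manifests are filtered
# out by name; everything else is printed for review.
# On a real box:   list_hidden_under /usr

# list_hidden_under DIR : print hidden entries under DIR except .packlist files
list_hidden_under() {
    find "$1" -name '.*' ! -name '.' ! -name '..' ! -name '.packlist' -print 2>/dev/null | sort
}

# Self-test on a constructed tree (not a real system): one .packlist that must
# be ignored and one hidden directory, with a hidden file in it, that must be
# reported. Paths are printed relative to the temporary root.
demo_hidden_scan() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/lib/perl5/5.6.1/i386-linux/auto/CPAN" "$tmp/usr/lib/.hidden"
    : > "$tmp/usr/lib/perl5/5.6.1/i386-linux/auto/CPAN/.packlist"
    : > "$tmp/usr/lib/.hidden/.x"
    list_hidden_under "$tmp/usr" | sed "s|^$tmp||"
    rm -rf "$tmp"
}

demo_hidden_scan
```

A clean result from this, or from chkrootkit, only says that nothing matched the patterns it knows; it is not proof of a clean system, which is why the earlier reply says to treat the box as compromised until it is checked from a trusted boot.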


1. Csh hacking -- having problems...

[ .globl    _newsfood, 512; ]

I'm doing a major upgrade to the Berkeley C shell (no flames, please;
I speak csh and sh fluently and have different uses for each one).  One
of the things I am implementing is a "push" builtin, which is supposed
to simply fork() and create an exact duplicate of the shell on top of itself.

In the older version of this shell (to which I have regrettably lost the
source), we used to do this for extended alterations of environment without
having to restart the damn thing (i.e. aliases and shell variables were
preserved).  It was easier than throwing it into a ( subshell ), and we
needed the interaction.

Now, never mind *why* I want to do this when there might be other solutions...
When the push command is entered, the following set of events occurs (assume
all necessary variables):

dopush()
{
    switch (fork()) {
    case -1:    /* error */
        setname("push");
        bferr("Couldn't fork!");
        return (1);
    case 0:     /* child */
        /* set $$ = getpid() */
        /* set process group to $$ */
        /* set tty process group to $$ */
        /* increment push level */
        return(0);
    default:    /* parent */
        wait(&exitstat);
        /* reset process group */
        /* reset terminal process group */
        return(exitstat);
    }
}

Now, the push() occurs fine (it forks and does all the necessary stuff).
HOWEVER:  As soon as I hit an interrupt, the pushed shell prints a prompt,
exits, and the original shell prints a prompt.

The thing that's confusing is that I don't know why the pushed shell is only
catching the interrupt once and then giving up.  It seems as though the
parent shell also gets the interrupt (which I didn't think would happen if
the process group gets reset).  I thought Berkeley signal handlers reset
themselves...?

This is a Pyramid running OSx 5.0b, under the BSD universe (essentially
BSD 4.2-and-a-half).
--
thought:  I ain't so damb dumn! | Your brand new kernel just dump core on you
war: Invalid argument           | And fsck can't find root inode 2
                                | Don't worry -- be happy...
...!{ucbvax,acad,uunet,amdahl,pyramid}!unisoft!greywolf
