  #5  
Old 3rd January 2007, 01:25
lubod is offline
Junior Member
 
Join Date: Dec 2006
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts

Again, thanks for the tips. The page you refer to has chkrootkit typed in as ckrootkit in several places!

Chkrootkit has shown false positives for the ports portsentry is guarding, like 1524, which correctly drops telnet connections. I wonder whether testing the defenses by trying to connect to that port triggered the addition of the computers I tried it from to the blocking list. Quite possible. Being hacked is unlikely; I just wondered how things got blocked, and one scenario that came to mind (unlikely as it is) is that someone who has gained access is trying to block me from administering the server. But here is the output anyway:

chkrootkit:

Quote:
sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/dhcpd3[24353])
eth1: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted

rkhunter (which is up to date; --update says so):

Quote:
---------------------------- Scan results ----------------------------

MD5 scan
Scanned files: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 103 seconds

-----------------------------------------------------------------------

It does note, however:

Quote:
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)

and

Quote:
Application advisories
* Application scan
Checking Apache2 modules ... [ OK ]
Checking Apache configuration ... [ OK ]

* Application version scan
- GnuPG 1.4.2.2 [ OK ]
- Bind DNS 9.3.2 [ OK ]
- OpenSSL 0.9.8a [ Unknown ]
- OpenSSH 4.2p1 [ OK ]

Your system contains some unknown version numbers.

I'll reboot without portsentry at the next opportunity, but it can't be done immediately, maybe tomorrow or the day after. I found a temporary workaround: use one system which can still access the server to reassign a new 192.x.y.z IP address to the one being blocked.

I can post the contents of the files in question, but having glanced at them, they do look harmless, like configurations for the various services, such as postfix, set up automatically by webmin. But here's what they say:

mountnfs:

Quote:
#! /bin/sh
# Mount network file systems now that at least one interface is
# configured.

[ "$IFACE" != "lo" ] || exit 0

test -f /etc/fstab || exit 0

[ -f /etc/default/rcS ] && . /etc/default/rcS
. /lib/init/functions.sh

# Lock around this otherwise insanity may occur
mkdir /var/run/network/mountnfs 2>/dev/null || exit 0

#
# Read through fstab line by line. If it is NFS, set the flag
# for mounting NFS file systems. If any NFS partition is found and it is
# not mounted with the nolock option, we start the portmapper.
#
portmap=no
while read device mountpt fstype options
do
    case "$device" in
        ""|\#*)
            continue
            ;;
    esac

    case "$options" in
        *noauto*)
            continue
            ;;
    esac

    case "$fstype" in
        nfs|nfs4)
            case "$options" in
                *nolock*)
                    ;;
                *)
                    portmap=yes
                    ;;
            esac
            ;;
        smbfs|cifs|coda|ncp|ncpfs)
            ;;
        *)
            fstype=
            ;;
    esac
    if [ -n "$fstype" ]
    then
        case "$NETFS" in
            $fstype|*,$fstype|$fstype,*|*,$fstype,*)
                ;;
            *)
                NETFS="$NETFS${NETFS:+,}$fstype"
                ;;
        esac
    fi
done < /etc/fstab

if [ "$portmap" = yes ]
then
    if [ -x /sbin/portmap ] && [ -z "`pidof portmap`" ]
    then
        start-stop-daemon --start --quiet --exec /sbin/portmap
    fi
fi

if [ -n "$NETFS" ]
then
    pre_mountall
    mount -a -t$NETFS 2>&1 | egrep -v '(already|nothing was) mounted'
    post_mountall
fi

rmdir /var/run/network/mountnfs 2>/dev/null || exit 0

ntp-server:

Quote:
#!/bin/sh

# remove (or comment out) the next line if your network addresses change
exit 0

case $IFACE in
    eth*)
        /etc/init.d/ntp-server restart
        ;;
esac

ntpdate:

Quote:
#!/bin/sh
# Adjust the system clock with ntp whenever a network interface is
# brought up, as it might mean we can contact the server.

[ "$IFACE" != "lo" ] || exit 0

test -f /usr/sbin/ntpdate || exit 0

if [ -f /etc/default/ntpdate ]; then
    . /etc/default/ntpdate
    test -n "$NTPSERVERS" || exit 0
else
    NTPSERVERS="ntp.ubuntu.com"
fi

if [ "$VERBOSITY" = 1 ]; then
    echo "Synchronizing clock to $NTPSERVERS..."
    /usr/sbin/ntpdate -b -s $NTPOPTIONS $NTPSERVERS || true
else
    /usr/sbin/ntpdate -b -s $NTPOPTIONS $NTPSERVERS >/dev/null 2>&1 || true
fi

continued on next post, over 10000 characters
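The post above speculates about two things that can be checked directly rather than guessed at: whether a chkrootkit "bindshell" hit on a port such as 1524 is simply portsentry's own decoy listener, and where portsentry recorded the block that locked the poster's own machines out. The script below is an added example and is not code from the original post or from the chkrootkit, rkhunter or portsentry projects. It assumes a Linux host with iproute2 (`ss -lntp` with the modern `users:(("name",pid=N,fd=N))` process column and `ip route show`), `iptables -S`, and portsentry's stock block formats (`KILL_HOSTS_DENY` writing `ALL: <ip> : DENY` to /etc/hosts.deny, and `KILL_ROUTE` adding either a reject route or an iptables DROP/REJECT rule, depending on the distribution's portsentry.conf). All sample inputs are constructed for the demo, not captured from any real server.

```shell
#!/bin/sh
# Added example, not code from the original post. Two helpers: attribute a
# flagged listening port to its process, and report every place portsentry
# may currently be holding a block for an address. Sample inputs below are
# constructed; replace them with live command output on a real host.

# port_owner PORT LISTENER_TABLE
# Prints the process name listening on TCP PORT according to the text of
# `ss -lntp`, or "none". A flagged port owned by portsentry is its decoy
# listener, which is what makes chkrootkit's bindshell test fire on 1524.
port_owner() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")            # "0.0.0.0:1524" or "[::]:80"
            if (a[n] != p) next
            if (match($0, /users:\(\("[^"]*"/)) {
                print substr($0, RSTART + 9, RLENGTH - 10)   # name inside users:(("...
                found = 1
                exit
            }
        }
        END { if (!found) print "none" }'
}

# block_sources IP HOSTS_DENY IP_ROUTE IPTABLES_S
# Given the text of /etc/hosts.deny, `ip route show` and `iptables -S`,
# prints which of portsentry's blocking mechanisms currently hold IP
# (space separated), or "none".
block_sources() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # dots are literal in the regexes
    end="([^0-9]|\$)"                            # stop .5 from matching .50
    out=""
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*ALL:[[:space:]]*$esc$end" \
        && out="$out hosts.deny"
    printf '%s\n' "$3" | grep -Eq "^(unreachable|prohibit|blackhole)[[:space:]]+$esc$end" \
        && out="$out route"
    printf '%s\n' "$4" | grep -Eq "^-A INPUT .*-s $esc(/32)?$end.*-j (DROP|REJECT)" \
        && out="$out iptables"
    if [ -n "$out" ]; then printf '%s\n' "${out# }"; else printf 'none\n'; fi
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:1524       0.0.0.0:*         users:(("portsentry",pid=1201,fd=5))
LISTEN 0      5      0.0.0.0:12345      0.0.0.0:*         users:(("portsentry",pid=1201,fd=9))
LISTEN 0      50     [::]:80            [::]:*            users:(("apache2",pid=900,fd=4))'
SAMPLE_DENY='# /etc/hosts.deny
ALL: 192.168.1.5 : DENY
ALL: 192.168.1.50 : DENY'
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
unreachable 192.168.1.5 scope host'
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 192.168.1.5/32 -j DROP
-A INPUT -s 192.168.1.50/32 -j DROP'

# Stand-alone demo. On a live host pass "$(ss -lntp)", "$(cat /etc/hosts.deny)",
# "$(ip route show)" and "$(iptables -S)" instead of the samples.
for p in 22 1524 12345 23; do
    printf 'port %s: %s\n' "$p" "$(port_owner "$p" "$SAMPLE_SS")"
done
for h in 192.168.1.5 192.168.1.50 192.168.1.7; do
    printf '%s blocked via: %s\n' "$h" \
        "$(block_sources "$h" "$SAMPLE_DENY" "$SAMPLE_ROUTES" "$SAMPLE_RULES")"
done
```

Once `block_sources` shows where the block lives, undoing it means removing that hosts.deny line, `ip route del` for the reject route, or `iptables -D` for the rule; otherwise stopping portsentry alone will not restore access, since the blocks persist after the daemon exits. Note also that chkrootkit attributing the eth0 packet socket to `/usr/sbin/dhcpd3` is expected: a DHCP server needs a raw/packet socket, so that line is a process to verify by path and package, not a sniffer finding by itself. The rkhunter hidden-file warning is similarly worth confirming rather than fearing: `/etc/.pwd.lock` is the lock file the passwd/shadow tools take, and on Ubuntu of that vintage `/dev/.static`, `/dev/.udev` and `/dev/.initramfs*` are created by udev and initramfs-tools; rkhunter.conf's `ALLOWHIDDENDIR` and `ALLOWHIDDENFILE` settings exist to whitelist such paths after they have been inspected.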