[CLUE-Tech] network issues

Mike Staver staver at fimble.com
Mon Oct 13 13:43:49 MDT 2003


> The important ones are: 
> 
> S.5.....   /bin/netstat
> S.5.....   /sbin/ifconfig
> SM5.....   /bin/ps
> S.5.....   /usr/bin/ssh
> S.5.....   /sbin/iptables
> S.5.....   /usr/sbin/sshd
> 
> Those are all critical system binaries that have an md5 checksum that
> no longer matches what's in the rpm database (i.e., they have been
> replaced). 
> 
> So is your firewall on the local machine? If so, then with iptables
> replaced it will only work as the intruder wants. 

No, it's not - I have a Cisco box with access list firewalls blocking 
all ports to this box except 53 and 80.  So, I'm at a loss as to how 
someone could have used ssh to compromise this box. I'm also confused as 
to why someone would install an IRC client on this box if they can't use 
it, unless they are using it over 80 or 53.

> Did you use the same passwords when you re-installed? 
> If the intruder sniffed your passwords when you logged in via ssh (see
> the ssh and sshd above) they could be getting in via that. 

Yeah, I used all new passwords.

>>>Also, try www.chkrootikit.org - the application will check for the
>>>presence of a root kit and let you know which one it has found.
> 
Here are my results from that:

Checking `lkm'... You have     1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Wed Oct  1 17:09:54 2003 and 
Fri Oct 10 15:31:36 2003
nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user root deleted or never loged from lastlog!

So, once again, I'll be rebuilding this box.... and putting tripwire on 
it immediately, and again, changing my administrator passwords on my 
network.
-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com
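The quoted `rpm -V` report is the kind of thing worth decoding mechanically rather than by eye. The script below is an added example for this thread, not anything the poster or the list ran: it parses verify lines in the 8-column format shown above (S M 5 D L U G T), explains which checks failed, and lists files whose digest changed with the critical binaries from the mail first, skipping config files (attribute `c`) that are expected to differ. The sample report is constructed from the lines quoted in the thread plus two benign lines.

```python
"""Decode `rpm -V` output and flag files whose digest no longer matches.
Added example for this thread, not the poster's own script; it assumes the
8-column verify format (S M 5 D L U G T) of the quoted mail and tolerates
the 9th column (P) of newer rpm releases."""
import re
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "link target", "U": "owner", "G": "group",
                "T": "mtime", "P": "capabilities"}
# Binaries commonly swapped to hide connections and processes; the quoted
# report lists exactly these paths.
CRITICAL = {"/bin/netstat", "/sbin/ifconfig", "/bin/ps",
            "/usr/bin/ssh", "/sbin/iptables", "/usr/sbin/sshd"}
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+"
                     r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")

def parse_verify_line(line):
    """Return (path, attr, failed_checks), or None for non rpm -V lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("flags") == "missing":
        return m.group("path"), m.group("attr"), {"missing"}
    failed = {FLAG_MEANING[c] for c in m.group("flags") if c != "."}
    return m.group("path"), m.group("attr"), failed

def digest_mismatches(report, include_config=False):
    """Paths whose content changed, critical binaries first. Config files
    (attr 'c') are expected to differ and are skipped unless asked for;
    a changed digest on a system binary is never expected."""
    hits = []
    for line in report.splitlines():
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        path, attr, failed = parsed
        if "digest" in failed and (include_config or attr != "c"):
            hits.append(path)
    return sorted(hits, key=lambda p: (p not in CRITICAL, p))

# Constructed sample: the six lines quoted in the mail plus two benign ones.
SAMPLE = """\
S.5.....   /bin/netstat
S.5.....   /sbin/ifconfig
SM5.....   /bin/ps
S.5.....   /usr/bin/ssh
S.5.....   /sbin/iptables
S.5.....   /usr/sbin/sshd
S.5....T c /etc/ssh/sshd_config
.......T   /usr/share/doc/README
"""
```

Feed it the output of `rpm -Va` from a known-good rpm binary (or an rpm run from rescue media), since a replaced rpm or a kernel module hiding files, as the chkrootkit result suggests, can falsify the report on the live system.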