[GLLUG] Infected - Help/advice?

Benjamin Cathey benjamincathey at catheycompany.com
Mon Mar 12 09:49:20 EDT 2007 

Okay - I noticed some strange traffic on our firewall this morning

root at hekate:/var/log/guardian # cat guardian.log |grep 192.168.1.3
Odd.. source = 86.106.27.71, dest = 192.168.1.3 - No action done.
Odd.. source = 192.168.1.3, dest = 85.204.193.88 - No action done.
Odd.. source = 86.106.27.71, dest = 192.168.1.3 - No action done.
Odd.. source = 192.168.1.3, dest = 85.204.193.215 - No action done.
Odd.. source = 193.230.240.150, dest = 192.168.1.3 - No action done.
Odd.. source = 192.168.1.3, dest = 89.38.78.104 - No action done.
Odd.. source = 193.230.240.150, dest = 192.168.1.3 - No action done.
Odd.. source = 192.168.1.3, dest = 89.36.90.199 - No action done.
Odd.. source = 193.230.240.150, dest = 192.168.1.3 - No action done.
Odd.. source = 192.168.1.3, dest = 86.106.133.28 - No action done.
Odd.. source = 193.230.240.150, dest = 192.168.1.3 - No action done.
Odd.. source = 192.168.1.3, dest = 89.42.119.254 - No action done.
Odd.. source = 193.230.240.150, dest = 192.168.1.3 - No action done.
Odd.. source = 192.168.1.3, dest = 86.106.27.100 - No action done.
Odd.. source = 193.230.240.150, dest = 192.168.1.3 - No action done.
Odd.. source = 192.168.1.3, dest = 86.104.31.128 - No action done.
root at hekate:/var/log/guardian #

It seems our mailserver was trying to get out

Date:	03/12 07:52:35 	Name:	ICMP Destination Unreachable (Communication Administratively Prohibited)
Priority:	3 	Type:	Misc activity
IP info: 	192.168.1.3:80 -> 86.106.27.100:40068
References:	none found

Date:	03/12 07:24:45 	Name:	ICMP Destination Unreachable (Communication Administratively Prohibited)
Priority:	3 	Type:	Misc activity
IP info: 	192.168.1.3:80 -> 86.106.133.28:31838
References:	none found

to romania

Anyway, I ran chkrootkit and this is what I got:

[root at hermes etc]# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist /usr/lib/qt-3.1/etc/settings/.qtrc.lock

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted


Should I be worried or is there something I am not understanding here?  According to what I can find on the net this (the bindshell port 465) is a common false positive.

But what about all this -

netstat -a on the mailserver shows:

tcp        0      0 192.168.1.3:http        86.104.31.200:40681     SYN_RECV
tcp        0      0 192.168.1.3:http        86-104-24-216.dcn:31080 SYN_RECV
tcp        0      0 192.168.1.3:http        86-104-25-13.dcn.r:2588 SYN_RECV
tcp        0      0 192.168.1.3:http        89.38.76.167:11036      SYN_RECV
tcp        0      0 192.168.1.3:http        89.36.90.234:53767      SYN_RECV
tcp        0      0 192.168.1.3:http        89.35.250.183:19545     SYN_RECV
tcp        0      0 192.168.1.3:http        86.106.135.250:21940    SYN_RECV
tcp        0      0 192.168.1.3:http        86-104-25-149.dcn.:4078 SYN_RECV
tcp        0      0 192.168.1.3:http        86-104-26-82.dcn.:33662 SYN_RECV
tcp        0      0 192.168.1.3:http        89.35.251.116:33549     SYN_RECV

why would the mailserver have outgoing http to all these IP addresses?


Benjamin Cathey
System Administrator
Cathey Company
4917 Tranter St.
Lansing, MI 48910 USA
Phone:     517.393.4720
Fax:       517.393.4225
Toll Free: 800.333.1972
"Service is Our Profession"

**********************
** LEGAL DISCLAIMER **
**********************

This E-mail message and any attachments may contain legally privileged, confidential or proprietary information. If you are not the intended recipient(s), or the employee or agent responsible for delivery of this message to the intended recipient(s), you are hereby notified that any dissemination, distribution or copying of this E-mail message is strictly prohibited. If you have received this message in error, please immediately notify the sender and delete this E-mail message from your computer.

More information about the linux-user mailing list