  1. #1

    Help! Was I hacked?

    I have a Fedora server. I upgraded everything using up2date and yum. Today I got these emails from chkrootkit and rootkithunter, which I have installed:

    Rootkit Hunter 1.0.9 is running

    Determining OS... Ready


    Checking binaries
    * Selftests
    Strings (command) [ OK ]


    * System tools
    Info: prelinked files found
    Performing 'known good' check...
    /sbin/depmod [ BAD ]
    /sbin/ifconfig [ OK ]
    /sbin/init [ BAD ]
    /sbin/insmod [ BAD ]
    /sbin/ip [ BAD ]
    /sbin/ksyms [ BAD ]
    /sbin/lsmod [ BAD ]
    /sbin/modinfo [ BAD ]
    /sbin/modprobe [ BAD ]
    /sbin/rmmod [ BAD ]
    /bin/cat [ BAD ]
    /bin/chown [ BAD ]
    /bin/df [ BAD ]
    /bin/echo [ BAD ]
    /bin/egrep [ BAD ]
    /bin/fgrep [ BAD ]
    /bin/grep [ BAD ]
    /bin/kill [ BAD ]
    /bin/login [ BAD ]
    /bin/ls [ BAD ]
    /bin/more [ BAD ]
    /bin/mount [ BAD ]
    /bin/netstat [ OK ]
    /bin/ps [ BAD ]
    /bin/sort [ BAD ]
    /bin/su [ BAD ]
    /usr/bin/chattr [ BAD ]
    /usr/bin/file [ BAD ]
    /usr/bin/find [ OK ]
    /usr/bin/kill [ BAD ]
    /usr/bin/last [ BAD ]
    /usr/bin/lastlog [ BAD ]
    /usr/bin/less [ BAD ]
    /usr/bin/logger [ BAD ]
    /usr/bin/lsattr [ BAD ]
    /usr/bin/md5sum [ BAD ]
    /usr/bin/passwd [ BAD ]
    /usr/bin/pstree [ BAD ]
    /usr/bin/sha1sum [ BAD ]
    /usr/bin/size [ BAD ]
    /usr/bin/slocate [ BAD ]
    /usr/bin/strace [ BAD ]
    /usr/bin/strings [ BAD ]
    /usr/bin/test [ BAD ]
    /usr/bin/top [ BAD ]
    /usr/bin/w [ BAD ]
    /usr/bin/whereis [ BAD ]
    /usr/bin/which [ BAD ]
    /usr/bin/who [ BAD ]
    /usr/sbin/chroot [ BAD ]
    /usr/sbin/kudzu [ BAD ]
    /usr/sbin/useradd [ BAD ]
    /usr/sbin/vipw [ BAD ]
    /usr/sbin/xinetd [ OK ]


    Check rootkits
    * Default files and directories
    Rootkit '55808 Trojan - Variant A'... [ OK ]
    Rootkit 'AjaKit'... [ OK ]
    Rootkit 'aPa Kit'... [ OK ]
    Rootkit 'Apache Worm'... [ OK ]
    Rootkit 'Ambient (ark) Rootkit'... [ OK ]
    Rootkit 'Balaur Rootkit'... [ OK ]
    Rootkit 'BeastKit'... [ OK ]
    Rootkit 'BOBKit'... [ OK ]
    Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
    Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
    Rootkit 'Devil RootKit'... [ OK ]
    Rootkit 'Dica'... [ OK ]
    Rootkit 'Dreams Rootkit'... [ OK ]
    Rootkit 'Duarawkz'... [ OK ]
    Rootkit 'Flea Linux Rootkit'... [ OK ]
    Rootkit 'FreeBSD Rootkit'... [ OK ]
    Rootkit '****`it Rootkit'... [ OK ]
    Rootkit 'GasKit'... [ OK ]
    Rootkit 'Heroin LKM'... [ OK ]
    Rootkit 'HjC Kit'... [ OK ]
    Rootkit 'ignoKit'... [ OK ]
    Rootkit 'ImperalsS-FBRK'... [ OK ]
    Rootkit 'Irix Rootkit'... [ OK ]
    Rootkit 'Kitko'... [ OK ]
    Rootkit 'Knark'... [ OK ]
    Rootkit 'Li0n Worm'... [ OK ]
    Rootkit 'Lockit / LJK2'... [ OK ]
    Rootkit 'MRK'... [ OK ]
    Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
    Rootkit 'Optic Kit (Tux)'... [ OK ]
    Rootkit 'Oz Rootkit'... [ OK ]
    Rootkit 'Portacelo'... [ OK ]
    Rootkit 'R3dstorm Toolkit'... [ OK ]
    Sebek LKM [ OK ]
    Rootkit 'Scalper Worm'... [ OK ]
    Rootkit 'Shutdown'... [ OK ]
    Rootkit 'SHV4'... [ OK ]
    Rootkit 'Sin Rootkit'... [ OK ]
    Rootkit 'Slapper'... [ OK ]
    Rootkit 'Sneakin Rootkit'... [ OK ]
    Rootkit 'Suckit Rootkit'... [ OK ]
    Rootkit 'SunOS Rootkit'... [ OK ]
    Rootkit 'Superkit'... [ OK ]
    Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
    Rootkit 'TeLeKiT'... [ OK ]
    Rootkit 'T0rn Rootkit'... [ OK ]
    Rootkit 'Trojanit Kit'... [ OK ]
    Rootkit 'Tuxtendo'... [ OK ]
    Rootkit 'URK'... [ OK ]
    Rootkit 'VcKit'... [ OK ]
    Rootkit 'Volc Rootkit'... [ OK ]
    Rootkit 'X-Org SunOS Rootkit'... [ OK ]
    Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

    * Suspicious files and malware
    Scanning for known rootkit files [ OK ]
    Miscellaneous Login backdoors [ OK ]
    Miscellaneous directories [ OK ]
    Sniffer logs [ OK ]

    * Trojan specific characteristics
    shv4
    Checking /etc/rc.d/rc.sysinit
    Test 1 [ Clean ]
    Test 2 [ Clean ]
    Test 3 [ Clean ]
    Checking /etc/inetd.conf [ Clean ]

    * Suspicious file properties
    chmod properties
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]
    Script replacements
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]

    * OS dependant tests

    Linux
    Checking loaded kernel modules... [ OK ]


    Networking
    * Check: frequently used backdoors
    Port 2001: Scalper Rootkit [ OK ]
    Port 2006: CB Rootkit [ OK ]
    Port 2128: MRK [ OK ]
    Port 14856: Optic Kit (Tux) [ OK ]
    Port 47107: T0rn Rootkit [ OK ]
    Port 60922: zaRwT.KiT [ OK ]

    * Interfaces
    Scanning for promiscuous interfaces [ OK ]


    System checks
    * Allround tests
    Checking hostname... Found. Hostname is xxxxxxx
    Checking for differences in user accounts... OK. No changes.
    Checking for differences in user groups... OK. No changes.
    Checking rc.local file...
    - /etc/rc.local [ OK ]
    - /etc/rc.d/rc.local [ OK ]
    - /usr/local/etc/rc.local [ Not found ]
    - /usr/local/etc/rc.d/rc.local [ Not found ]
    - /etc/conf.d/local.start [ Not found ]
    Checking rc.d files...
    Processing........
    Result rc.d files check [ OK ]
    Checking history files
    Bourne Shell [ OK ]

    * Filesystem checks
    Checking /dev for suspicious files... [ OK ]
    Scanning for hidden files... [ OK ]


    Security advisories
    * Check: Groups and Accounts
    Searching for /etc/passwd... [ Found ]
    Checking users with UID '0' (root)... [ OK ]

    * Check: SSH
    Searching for sshd_config...
    Found /etc/ssh/sshd_config
    Checking for allowed root login... Watch out Root login possible. Possible risk!
    Hint: see logfile for more information
    info:
    Hint: See logfile for more information about this issue
    Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

    * Check: Events and Logging
    Search for syslog configuration... found
    Checking for running syslog slave... [ OK ]
    Checking for logging to remote system... [ OK (no remote logging) ]


    ---------------------------- Scan results ----------------------------

    MD5
    MD5 compared: 79
    Incorrect MD5 checksums: 50

    File scan
    Scanned files: 307
    Possible infected files: 0
    Possible rootkits:

    Scanning took 48 seconds
    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not infected
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not tested
    Checking `inetdconf'... not infected
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... can't exec ./strings-static, not tested
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not infected
    Checking `netstat'... not infected
    Checking `named'... not infected
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not infected
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/MD5/.packlist
    /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/.packlist
    /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/File/Spec/.packlist
    /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/MIME/Base64/.packlist
    /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Storable/.packlist
    /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Time/HiRes/.packlist
    /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Net/.packlist
    /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/CGI/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Compress/Zlib/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Archive/Tar/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Archive/Zip/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/Telnet/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/Daemon/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/SSLeay/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/AIM/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/DNS/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Term/ReadKey/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Term/ReadLine/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Mail/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Mail/SpamAssassin/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO-stringy/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MIME-tools/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/RPC/PlServer/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBI/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBI/Shell/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBD/Multiplex/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBD/mysql/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Tee/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Stty/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Tty/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Zlib/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/Reform/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/Query/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/CSV_XS/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/URI/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Parser/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/FillInForm/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Clean/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/SimpleParse/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/libwww-perl/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Parse/RecDescent/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/OLE/Storage_Lite/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Image/Size/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Safe/Hole/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/ShadowHash/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/Watch/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/IxHash/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/UPS/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/OnlinePayment/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/OnlinePayment/AuthorizeNet/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Spreadsheet/ParseExcel/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Spreadsheet/WriteExcel/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Convert/ASN1/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Convert/BER/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/perl-ldap/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MLDBM/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MLDBM/Sync/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Devel/Symdump/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/Parser/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/XSLT/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Persistent/Base/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Persistent/DBI/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/Blowfish/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/Blowfish_PP/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/CBC/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/DES/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/SSLeay/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Data/ShowTable/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Text/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Graph/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Graph3d/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/SOAP/Lite/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/SQL/Statement/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tree/MultiNode/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/RRDp/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/RRDs/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MD5/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Digest/SHA1/.packlist
    /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Digest/HMAC/.packlist
    /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist
    /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/MIME/Base64/.packlist
    /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/Storable/.packlist
    /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/CGI/.packlist
    /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/Net/.packlist
    /usr/lib/php/.registry
    /usr/lib/php/.lock
    /usr/lib/php/.filemap
    /usr/lib/php/.registry
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for LOC rootkit ... nothing found
    Searching for Romanian rootkit ... nothing found
    Searching for HKRK rootkit ... nothing found
    Searching for Suckit rootkit ... nothing found
    Searching for Volc rootkit ... nothing found
    Searching for Gold2 rootkit ... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
    nothing found
    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... Checking `rexedcs'... not found
    Checking `sniffer'... not tested: can't exec ./ifpromisc
    Checking `w55808'... not infected
    Checking `wted'... not tested: can't exec ./chkwtmp
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... not tested: can't exec ./chklastlog
    rootkithunter is showing that many files changed. I also got an email from /scripts/hackcheck showing that netstat, ps, etc/password, etc. files (all that rootkithunter shows) have changed. I've searched logs and everything. I can't find any signs of a hacker.

    When I run "nmap localhost," I get the following results:

    Starting nmap 3.48 at 2004-05-27 09:24 MDT
    Interesting ports on localhost (127.0.0.1):
    (The 1639 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    1/tcp open tcpmux
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop-3
    111/tcp open rpcbind
    143/tcp open imap
    443/tcp open https
    465/tcp open smtps
    783/tcp open hp-alarm-mgr
    953/tcp open rndc
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql
    6666/tcp open irc-serv
    10000/tcp open snet-sensor-mgmt

    Nmap run completed -- 1 IP address (1 host up) scanned in 3.048 seconds
    But I have APF installed and running with # Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2083,2087,2096". How are all those ports open?

    Please help me find what is wrong. Is it just because I updated my server? I upgrade other Fedora servers with up2date. They don't show [BAD] in rootkithunter results.

    Much thanks.
    Last edited by bhosting; 05-27-2004 at 11:44 AM.

  2. #2
    Join Date: Dec 2001 | Location: NYC, NY | Posts: 798
    Do you run cPanel?

  3. #3
    Join Date: Jan 2002 | Location: Atlanta, GA | Posts: 1,249
    First off, go back (you or the mods, please) and remove your server name from the email.

    And run hunter again just to make sure...

    This happened after an update? What server did you use? (Possibly a compromised server on their end.)


    err... Wait... Did you reset hunter to the updated files?
    char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
    I wear a gray hat

  4. #4
    I run cpanel. I have done the following and much more to secure my server:

    APF
    SPRI
    BFD
    SIM
    mod_security
    mod_dosevasive
    disable all cgi
    upgrade latest kernel
    openbase_dir
    safe_mode
    php disable_functions = popen,pclose,virtual,show_source,readfile,php_uname,ini_alter,ini_restore,ini_set,getrusage,mysql_list_dbs,get_current_user,set_time_limit,getmyuid,getmypid,dl,leak,chgrp,exec,passthru,proc_open,proc_close,shell_exec,system;
    disable anonymous ftp
    /scripts/securetmp
    chmod 000 /usr/bin/wget
    chmod 000 /usr/bin/lynx
    chmod 000 /usr/bin/*cc*
    chmod 000 /usr/sbin/*cc*
    chmod 000 /usr/bin/curl
    chattr +i /etc/php.ini
    chattr +i /usr/lib/php.ini
    chattr +i /usr/local/lib/php.ini
    chkrootkit, rootkithunter
    disable telnet
    logwatch
    much much more

    Here is my kernel version:

    uname -r
    2.4.22-1.2188.nptl

  5. #5
    Removed server name, thanks.

    This happened after the update. I ran:

    /usr/sbin/up2date --nox -u

    I reran rootkithunter just now and get the same results.

    How do I reset hunter to the updated files?

  6. #6
    Join Date: Jun 2003 | Posts: 961
    The bad MD5 sums might come from rkhunter not shipping the latest sums for your packages:
    22 May - Release 1.0.9 available
    This new release fixes some incorrect MD5 hashes and adds support for Mandrake 10 hashes, Fedora Core 2 (with hashes), SuSE 9.1 (with hashes), Balaur Rootkit (rootkit). It also has an improved installer by "Medon
    If you run a version below 1.0.9, you should upgrade and see if those sums still don't match.

    Checking `ldsopreload'... can't exec ./strings-static, not tested
    I guess you forgot to run "make" in your chkrootkit dir, so the file is missing; you might want to do so and re-run chkrootkit.

    Checking `bindshell'... INFECTED (PORTS: 465)
    Should be a false positive, since you run cPanel.

  7. #7
    Join Date: Dec 2001 | Location: NYC, NY | Posts: 798
    He is running 1.0.9. It alarms me that ifconfig and netstat aren't showing a good md5sum. If you need help, IM hijinks7.

    I used to run a security company, and depending on whether you were hacked, we can actually take measures to stop the hacker(s) from getting on and possibly get them to give us information on where they are coming from.

  8. #8
    Here is what I get if I run

    rpm -qVa

    prelink: /lib/libattr.so.1.1.0: at least one of file's dependencies has changed since prelinking
    S.?..... /lib/libattr.so.1.1.0
    prelink: /usr/lib/libgmp.so.3.3.2: at least one of file's dependencies has changed since prelinking
    S.?..... /usr/lib/libgmp.so.3.3.2
    prelink: /bin/mktemp: at least one of file's dependencies has changed since prelinking
    S.?..... /bin/mktemp
    prelink: /lib/liblvm-10.so.1.0: at least one of file's dependencies has changed since prelinking
    S.?..... /lib/liblvm-10.so.1.0
    prelink: /sbin/e2fsadm: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/e2fsadm
    prelink: /sbin/lvchange: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvchange
    prelink: /sbin/lvcreate: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvcreate
    prelink: /sbin/lvdisplay: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvdisplay
    prelink: /sbin/lvextend: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvextend
    prelink: /sbin/lvmchange: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvmchange
    prelink: /sbin/lvmdiskscan: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvmdiskscan
    prelink: /sbin/lvmsadc: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvmsadc
    prelink: /sbin/lvmsar: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvmsar
    prelink: /sbin/lvreduce: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvreduce
    prelink: /sbin/lvremove: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvremove
    prelink: /sbin/lvrename: at least one of file's dependencies has changed since prelinking
    S.?..... /sbin/lvrename

    It goes on forever. On almost every single file, including the ones that showed up as BAD in rootkithunter.
    Last edited by bhosting; 05-27-2004 at 05:33 PM.
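    Whether those [ BAD ] results mean anything can be settled without rkhunter's own hash list at all. rkhunter 1.0.x ships a fixed table of "known good" hashes for the package versions it was built against, so the first up2date run after a release makes every updated binary BAD even when it is pristine. The authoritative hash for an installed file is the one the RPM database recorded at install time, and comparing against it only works if prelink is undone first: `prelink -y FILE` writes the un-prelinked image to stdout, which is what `rpm -V` does internally. In the `rpm -qVa` output above, `S.?.....` means the size differs (a prelinked image is larger) and the MD5 test could not be run (`?`) because prelink failed to undo the file; that is the same failure that makes the rkhunter comparison meaningless, so neither result says anything about tampering until prelinking is redone (`prelink -ua` undoes it system-wide, after which `rpm -Va` compares raw bytes). The script below is an added example, not from the thread or from rkhunter; the helper names and the sample report lines are constructed here, and it assumes an RPM-based host with prelink installed.

```shell
#!/bin/sh
# Added example (not from the thread): re-check every file rkhunter flagged as
# "[ BAD ]" against the MD5 recorded in the RPM database, undoing prelink first.
# Helper names and the sample report are my own; assumes an RPM-based host.

# Constructed sample of the rkhunter lines we want to parse.
SAMPLE_REPORT='Performing known good check...
/sbin/depmod [ BAD ]
/sbin/ifconfig [ OK ]
/sbin/init [ BAD ]
/bin/ps [ BAD ]'

# bad_files_from_report < report  ->  one absolute path per line
bad_files_from_report() {
  awk '$1 ~ /^\// && /\[ BAD \]/ { print $1 }'
}

# content_md5 FILE -> MD5 of the file as it was before prelinking.
# `prelink -y` writes the un-prelinked image to stdout (rpm -V does the same
# via %__prelink_undo_cmd). If prelink cannot undo the file, which is the
# "dependencies have changed" case in this thread, fall back to hashing the
# on-disk bytes; that hash will then legitimately differ from the rpm one.
content_md5() {
  if command -v prelink >/dev/null 2>&1 && prelink -y "$1" >/dev/null 2>&1; then
    prelink -y "$1" | md5sum | cut -d' ' -f1
  else
    md5sum "$1" | cut -d' ' -f1
  fi
}

# rpm_md5 FILE -> digest recorded for FILE by the package that owns it.
# `rpm -q --dump` prints: path size mtime digest mode owner group isconfig isdoc rdev symlink
# (rpm of the Fedora Core 2 era records MD5 there; newer rpm records SHA-256).
rpm_md5() {
  pkg=$(rpm -qf "$1" 2>/dev/null) || return 1
  rpm -q --dump "$pkg" | awk -v p="$1" '$1 == p { print $4; exit }'
}

# verify_file FILE EXPECTED_MD5 -> exit 0 if the content hash matches
verify_file() {
  actual=$(content_md5 "$1")
  [ "$actual" = "$2" ]
}

# verify_report < rkhunter-report -> one verdict per BAD file; exit 1 on any real mismatch
verify_report() {
  status=0
  for f in $(bad_files_from_report); do
    expected=$(rpm_md5 "$f") || { echo "$f: not owned by any rpm, inspect by hand"; status=1; continue; }
    if verify_file "$f" "$expected"; then
      echo "$f: matches rpm database (prelink / stale hash-list false positive)"
    else
      echo "$f: MISMATCH against rpm database"
      status=1
    fi
  done
  return $status
}

# Usage on a live host: save the mailed rkhunter report to a file, then
#   verify_report < report.txt
```

    One caveat the script cannot remove: it trusts the local RPM database, which an intruder with root can edit. For a file that still mismatches, fetch the same package version from a trusted mirror and run `rpm -Vp package.rpm`, which verifies the installed files against the package file rather than against the database.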

  9. #9
    Join Date: Mar 2003 | Location: California USA | Posts: 13,290
    I would get an OS restore; it looks bad.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  10. #10
    Join Date: Mar 2004 | Posts: 295
    If you get a restore, do it ASAP. You probably don't know what all is running on the box.

  11. #11
    I think you need an OS restore. What's on port 6666? If you aren't running an IRC server, that would probably be something the hacker started, probably a back door.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  12. #12
    Join Date: Mar 2003 | Location: California USA | Posts: 13,290
    Originally posted by sprintserve
    I think you need an OS restore. What's on port 6666? If you aren't running IRC server, that would probably be something the hacker started, probably a bad door.
    cPanel's Melange runs on 6666.

  13. #13
    Join Date: Mar 2003 | Location: California USA | Posts: 13,290
    Originally posted by bhosting
    Removed server name, thanks.

    This happened after the update. I ran:

    /usr/sbin/up2date --nox -u

    I reran rootkithunter just now and get the same results.

    How to I reset hunter to the updated files?

    Just noticed this. So you ran up2date and then encountered this problem? If so, I don't think you were hacked. I think this works on Fedora:

    /etc/cron.daily/prelink

    If not, run this script; it sounds like your prelinking got messed up. (This came off an RHE box but should work on Fedora.)

    Code:
    #!/bin/sh
    # /etc/cron.daily/prelink: (re)prelink the system, or undo prelinking when it
    # has been switched off in /etc/sysconfig/prelink.
    
    . /etc/sysconfig/prelink
    
    # Lowest priority: prelinking rewrites every ELF binary and library on the box.
    renice +19 -p $$ >/dev/null 2>&1
    
    if [ "$PRELINKING" != yes ]; then
      # Prelinking disabled: restore every file to its original (un-prelinked)
      # contents so that file hashes match the packages again.
      if [ -f /etc/prelink.cache ]; then
        echo /usr/sbin/prelink -uav > /var/log/prelink.log
        /usr/sbin/prelink -uav >> /var/log/prelink.log 2>&1
        rm -f /etc/prelink.cache
        # Restart init if needed
        [ -n "$(find `ldd /sbin/init | awk '{ print $3 }'` /sbin/init -ctime -1 2>/dev/null )" ] && /sbin/telinit u
      fi
      exit 0
    fi
    
    if [ ! -f /etc/prelink.cache ] || grep -q '^prelink-ELF0.[0-2]' /etc/prelink.cache; then
      # If cache does not exist or is from older prelink versions, force full
      # prelinking
      rm -f /etc/prelink.cache
      PRELINK_OPTS="$PRELINK_OPTS -f"
      date > /var/run/prelink.full
    elif [ -n "$PRELINK_FULL_TIME_INTERVAL" \
           -a "`find /var/run/prelink.full -mtime -${PRELINK_FULL_TIME_INTERVAL} 2>/dev/null`" \
              = /var/run/prelink.full ]; then
      # If prelink without -q has been run in the last
      # PRELINK_FULL_TIME_INTERVAL days, just use quick mode
      PRELINK_OPTS="$PRELINK_OPTS -q"
    else
      date > /var/run/prelink.full
    fi
    
    # -a: everything listed in /etc/prelink.conf; -v: log each file touched
    echo /usr/sbin/prelink -av $PRELINK_OPTS > /var/log/prelink.log
    /usr/sbin/prelink -av $PRELINK_OPTS >> /var/log/prelink.log 2>&1
    # Restart init if needed: telinit u re-executes /sbin/init when it or one of
    # the libraries it links against was changed within the last day
    [ -n "$(find `ldd /sbin/init | awk '{ print $3 }'` /sbin/init -ctime -1 2>/dev/null )" ] && /sbin/telinit u
    
    exit 0
    Last edited by sprintserve; 05-28-2004 at 12:17 AM.

  14. #14
    Join Date: Mar 2003 | Location: California USA | Posts: 13,290
    Bah, I can't edit my posts; the script above got messed up.


    <removed URL and fixed the code in the post above>
    Last edited by sprintserve; 05-28-2004 at 12:17 AM.

  15. #15
    Join Date: Mar 2003 | Location: California USA | Posts: 13,290
    Originally posted by bhosting
    When I run "nmap localhost," I get the following results:

    Starting nmap 3.48 at 2004-05-27 09:24 MDT
    Interesting ports on localhost (127.0.0.1):
    (The 1639 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    1/tcp open tcpmux
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop-3
    111/tcp open rpcbind
    143/tcp open imap
    443/tcp open https
    465/tcp open smtps
    783/tcp open hp-alarm-mgr
    953/tcp open rndc
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql
    6666/tcp open irc-serv
    10000/tcp open snet-sensor-mgmt

    Nmap run completed -- 1 IP address (1 host up) scanned in 3.048 seconds

    But I have APF installed and running with # Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2083,2087,2096". How are all those ports open?
    You are scanning from localhost, not from the outside; iptables does not protect localhost.
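    The point in the reply above is worth making concrete. An APF/iptables ingress list such as IG_TCP_CPORTS only filters packets arriving on the external interface; loopback traffic is accepted unconditionally by the usual `-A INPUT -i lo -j ACCEPT` rule, so `nmap localhost` sees every listening socket, allowed or not. The questions that actually matter are which listeners are bound to a routable address (a daemon bound to 127.0.0.1, like rndc on 953, is unreachable from outside no matter what the firewall does) and which of those are not in the allow-list and therefore depend entirely on the firewall staying up. The script below is an added example, not part of the thread; the `netstat -ltn` lines are constructed from the ports shown in the thread, and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile listening TCP sockets with an
# APF IG_TCP_CPORTS allow-list. Helper names and the sample output are my own.

# Constructed sample of `netstat -ltn` output, modelled on the ports in the thread
# (port 26 is the sendmail listener from the new-socket alert, 953 is rndc).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:26              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN'

# The allow-list quoted from the original post's APF configuration.
APF_ALLOWED="21,22,25,53,80,110,143,443,2083,2087,2096"

# in_list PORT CSV -> exit 0 if PORT is one of the comma-separated values
in_list() {
  case ",$2," in *",$1,"*) return 0 ;; esac
  return 1
}

# unguarded_listeners CSV < netstat-output
# Prints "PORT ADDR" for each TCP listener bound to a non-loopback address
# whose port is NOT in the allow-list: these are the sockets that only the
# firewall keeps closed. Loopback-only listeners are skipped because they
# are unreachable from outside regardless of iptables.
unguarded_listeners() {
  allow=$1
  awk '$1 == "tcp" && $NF == "LISTEN" { print $4 }' | while IFS= read -r laddr; do
    addr=${laddr%:*}
    port=${laddr##*:}
    case $addr in 127.*|::1) continue ;; esac
    in_list "$port" "$allow" || echo "$port $addr"
  done
}

# Example run on the constructed sample; on a real host use:
#   netstat -ltn | unguarded_listeners "$IG_TCP_CPORTS"
printf '%s\n' "$SAMPLE_NETSTAT" | unguarded_listeners "$APF_ALLOWED"
```

    On the sample this reports 26, 3306, 6666 and 10000 on 0.0.0.0: the listeners that are open to the world the moment APF is stopped or misloaded, so each one needs either a loopback bind (MySQL's `bind-address = 127.0.0.1`, for instance), an entry in IG_TCP_CPORTS, or to be shut down. The only honest external check is a scan from another host (`nmap -p- server`), since nothing run on the box itself goes through the external-interface rules.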

  16. #16
    thelinuxguy,

    I've been searching all day for an answer to this. But you've answered my questions. I'm almost sure the prelinking got messed up, and that is all. I think it is probably just a bug in the Fedora upgrade. I did run the prelink script, although it didn't fix anything. I am almost certain, as I've checked a few other servers again that I upgraded, and they are giving the same rootkithunter results actually (unlike what I said in my first post):

    /usr/sbin/prelink: /sbin/depmod: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /sbin/init: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /sbin/insmod: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /sbin/ksyms: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /sbin/lsmod: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /sbin/modinfo: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /sbin/modprobe: at least one of file's dependencies has changed since prelinking

    It would be strange to have many servers hacked at the same time. Most likely just the upgrade I ran. But if the prelinking script is not getting rid of this error, what would?

    Also, immediately after I disabled port 6666 in whm, I got an email stating port 26 is now open:

    This is an automated alert generated from xxxx. This alert is to
    notify the addressed users of new server sockets. New server sockets can
    indicate server-software that has been started on your host, or otherwise
    be an indication to malicious activity. It is advised to review this alert
    and investigate if needed.

    Following is a summary of new Internet Server Sockets:
    > tcp 0 0 0.0.0.0:26 0.0.0.0:* LISTEN 23494/sendmail

    Following is a summary of a new Unix Domain Sockets:
    no changes to Unix Domain Sockets

    I'm not sure what has caused that. I didn't enable exim on port 26 in whm.

    Thank you again for your help.
    Last edited by bhosting; 05-27-2004 at 11:48 PM.
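    The two posts above turn on the same question: which of the sockets visible to "nmap localhost" (or reported by the new-socket alert) can actually be reached from outside, given that APF only opens IG_TCP_CPORTS on the public interface. The following shell snippet is an added example, not code from the thread, from APF or from the alerting script: it parses netstat-style LISTEN lines (the sample below is constructed to mirror the thread's sockets) and classifies each one against the allowlist quoted above. The functions `port_allowed`, `classify_socket`, `classify_sockets` and `report_unexpected` are the example's own names, and treating IG_TCP_CPORTS as the complete set of inbound ports the firewall permits is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify listening TCP sockets against an
# APF-style IG_TCP_CPORTS allowlist, so that an "nmap localhost" result or a
# new-server-socket alert can be read as "reachable from outside", "blocked by
# the firewall but open locally", or "loopback only".

# Constructed sample in `netstat -lntp` format: the thread's sockets plus one
# bound to loopback only (rndc). Not captured from a real host.
SAMPLE_SOCKETS='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1201/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2020/httpd
tcp 0 0 0.0.0.0:26 0.0.0.0:* LISTEN 23494/sendmail
tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 4410/ircd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 980/named'

# The allowlist quoted in the thread (assumed to be exactly what APF permits
# inbound on the public interface).
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2083,2087,2096"

# port_allowed PORT LIST: succeed if PORT appears in the comma-separated LIST.
port_allowed() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# classify_socket LOCAL_ADDR:PORT LIST: prints one of
#   loopback    bound to 127.x or ::1, unreachable from any other host
#   exposed     bound to all interfaces and permitted by the allowlist
#   firewalled  bound to all interfaces but NOT in the allowlist: visible to
#               "nmap localhost", dropped by the firewall for outside hosts
classify_socket() {
    addr=${1%:*}    # text before the last ':'
    port=${1##*:}   # text after the last ':'
    case "$addr" in
        127.*|::1) echo loopback; return 0 ;;
    esac
    if port_allowed "$port" "$2"; then
        echo exposed
    else
        echo firewalled
    fi
}

# classify_sockets LIST: reads netstat-style lines on stdin and prints
# "<class> <port> <pid/program>" for every LISTEN socket.
classify_sockets() {
    while read -r proto recvq sendq laddr raddr state prog; do
        [ "$state" = LISTEN ] || continue
        echo "$(classify_socket "$laddr" "$1") ${laddr##*:} ${prog:-?}"
    done
}

# report_unexpected LIST: only the sockets that are open locally but not in the
# allowlist, i.e. the ones worth asking "what started this?" about.
report_unexpected() {
    classify_sockets "$1" | awk '$1 == "firewalled" { print $2, $3 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SOCKETS" | classify_sockets "$IG_TCP_CPORTS"
echo "--- open locally, not in allowlist ---"
printf '%s\n' "$SAMPLE_SOCKETS" | report_unexpected "$IG_TCP_CPORTS"
```

    On a real host feed it `netstat -lntp` (or `ss -lntp`) output: `netstat -lntp | classify_sockets "$IG_TCP_CPORTS"`. A "firewalled" entry is exactly the situation in the thread (port 6666 and then port 26 open to localhost, closed to the outside); it is not an exposure, but it does mean a process you did not plan for is listening, so the pid/program column is what to follow up on.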

  17. #17
    Can you

    cat /etc/pre-link.conf

    for me. If you do not have a pre-link.conf in that location can you issue:

    find / -name pre-link.conf

  18. #18
    You are the friendliest tech I have met trying to fix this, thank you for your help.

    Here's the file.

    # This config file contains a list of directories both with binaries
    # and libraries prelink should consider by default.
    # If a directory name is prefixed with `-l ', the directory hierarchy
    # will be walked as long as filesystem boundaries are not crossed.
    # If a directory name is prefixed with `-h ', symbolic links in a
    # directory hierarchy are followed.
    -l /bin
    -l /usr/bin
    -l /sbin
    -l /usr/sbin
    -l /usr/X11R6/bin
    -l /usr/kerberos/bin
    -l /usr/games
    -l /usr/libexec
    -l /var/ftp/bin
    -l /lib
    -l /usr/lib
    -l /usr/X11R6/lib
    -l /usr/kerberos/lib
    -l /usr/X11R6/LessTif
    -l /var/ftp/lib
    -l /lib64
    -l /usr/lib64
    -l /usr/X11R6/lib64
    -l /usr/kerberos/lib64
    -l /var/ftp/lib64

  19. #19
    OK, try running:

    /usr/sbin/prelink -avmR
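    The prelink messages in post #16 ("at least one of file's dependencies has changed since prelinking") and the fix in post #19 (`prelink -avmR`, which re-prelinks everything) are the whole story behind the BAD results: a checker that compares binaries against known-good hashes has to undo prelinking first, and when prelink cannot undo it the comparison fails even though the file is untouched. The shell snippet below is an added example, not code from the thread or from rkhunter, showing the idea of a prelink-aware integrity check: hash the un-prelinked image (`prelink -y`, the documented way to recover the original file) so that re-prelinking does not change the hash, and report a file prelink cannot undo as UNVERIFIABLE rather than BAD. The functions `sha1_of`, `is_prelinked`, `unprelinked_sha1`, `record_baseline` and `verify_baseline` are the example's own, detecting prelinking via the `.gnu.prelink_undo` section with readelf is the example's choice, and hashing a file as-is when prelink or readelf is absent is an assumption made so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or from rkhunter): a prelink-aware file
# integrity check. Hashes are taken over the un-prelinked image via `prelink -y`,
# so re-running prelink does not change them; when prelink cannot undo a file
# (the "dependencies have changed since prelinking" case from the thread) it is
# reported as UNVERIFIABLE rather than BAD. Without prelink/readelf installed the
# file is hashed as-is (an assumption made so the example runs anywhere).

# sha1_of FILE: "<hash>  <file>" using whichever SHA-1 tool is present.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"
    else shasum -a 1 "$1"; fi
}

# is_prelinked FILE: succeed if the ELF file carries prelink's undo section.
is_prelinked() {
    command -v readelf >/dev/null 2>&1 || return 1
    readelf -S -W "$1" 2>/dev/null | grep -q '\.gnu\.prelink_undo'
}

# unprelinked_sha1 FILE: print the SHA-1 of FILE with prelinking undone.
# Fails (non-zero) only when the file is prelinked and prelink -y refuses it.
unprelinked_sha1() {
    f=$1
    if is_prelinked "$f" && command -v prelink >/dev/null 2>&1; then
        tmp=$(mktemp) || return 1
        if prelink -y "$f" > "$tmp" 2>/dev/null; then
            sha1_of "$tmp" | cut -d' ' -f1; rm -f "$tmp"
        else
            rm -f "$tmp"; return 2
        fi
    else
        sha1_of "$f" | cut -d' ' -f1
    fi
}

# record_baseline OUT FILE...: write "<sha1> <path>" for each FILE to OUT.
# Run this on a known-clean system, ideally from read-only media.
record_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        h=$(unprelinked_sha1 "$f") || continue
        printf '%s %s\n' "$h" "$f" >> "$out"
    done
}

# verify_baseline BASELINE: print "OK|BAD|UNVERIFIABLE|MISSING <path>" per line.
# Returns 1 if any file is BAD; UNVERIFIABLE alone does not fail the check.
verify_baseline() {
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then echo "MISSING $path"; continue; fi
        if got=$(unprelinked_sha1 "$path"); then
            if [ "$got" = "$want" ]; then echo "OK $path"; else echo "BAD $path"; rc=1; fi
        else
            echo "UNVERIFIABLE $path (prelink could not undo it; re-run prelink, then re-check)"
        fi
    done < "$1"
    return $rc
}

# Stand-alone demo on constructed files in a temp directory (not real binaries).
demo() {
    d=$(mktemp -d)
    printf 'binary one\n' > "$d/one"; printf 'binary two\n' > "$d/two"
    record_baseline "$d/baseline" "$d/one" "$d/two"
    printf 'binary two, modified\n' > "$d/two"   # simulate a changed file
    verify_baseline "$d/baseline"; echo "exit status $?"
    rm -rf "$d"
}
demo
```

    On an RPM-based system the package database already holds reference checksums, so `rpm -V <package>` (or `rpm -Va`) is the quickest second opinion when a hash-based scanner flags every core binary at once: a real replacement shows up there too, while a prelink mismatch on its own does not. Either way, a wholesale BAD across dozens of binaries immediately after an update is the signature of a broken prelink state, and the check worth running is `prelink -y` on one of them before assuming compromise.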

  20. #20
    > tcp 0 0 0.0.0.0:26 0.0.0.0:* LISTEN 23494/sendmail

    Sounds like exim on port 26 is enabled from whm.

  21. #21
    Problem solved.

    Determining OS... Ready


    Checking binaries
    * Selftests
    Strings (command) [ OK ]


    * System tools
    Info: prelinked files found
    Performing 'known good' check...
    /sbin/depmod [ OK ]
    /sbin/ifconfig [ OK ]
    /sbin/init [ OK ]
    /sbin/insmod [ OK ]
    /sbin/ip [ OK ]
    /sbin/ksyms [ OK ]
    /sbin/lsmod [ OK ]
    /sbin/modinfo [ OK ]
    /sbin/modprobe [ OK ]
    /sbin/rmmod [ OK ]
    /bin/cat [ OK ]
    /bin/chown [ OK ]
    /bin/df [ OK ]
    /bin/echo [ OK ]
    /bin/egrep [ OK ]
    /bin/fgrep [ OK ]
    /bin/grep [ OK ]
    /bin/kill [ OK ]
    /bin/login [ OK ]
    /bin/ls [ OK ]
    /bin/more [ OK ]
    /bin/mount [ OK ]
    /bin/netstat [ OK ]
    /bin/ps [ OK ]
    /bin/sort [ OK ]
    /bin/su [ OK ]
    /usr/bin/chattr [ OK ]
    /usr/bin/file [ OK ]
    /usr/bin/find [ OK ]
    /usr/bin/kill [ OK ]
    /usr/bin/last [ OK ]
    /usr/bin/lastlog [ OK ]
    /usr/bin/less [ OK ]
    /usr/bin/logger [ OK ]
    /usr/bin/lsattr [ OK ]
    /usr/bin/md5sum [ OK ]
    /usr/bin/passwd [ OK ]
    /usr/bin/pstree [ OK ]
    /usr/bin/sha1sum [ OK ]
    /usr/bin/size [ OK ]
    /usr/bin/slocate [ OK ]
    /usr/bin/strace [ OK ]
    /usr/bin/strings [ OK ]
    /usr/bin/test [ OK ]
    /usr/bin/top [ OK ]
    /usr/bin/w [ OK ]
    /usr/bin/whereis [ OK ]
    /usr/bin/which [ OK ]
    /usr/bin/who [ OK ]
    /usr/sbin/chroot [ OK ]
    /usr/sbin/kudzu [ OK ]
    /usr/sbin/useradd [ OK ]
    /usr/sbin/vipw [ OK ]
    /usr/sbin/xinetd [ OK ]


    Check rootkits
    * Default files and directories
    Rootkit '55808 Trojan - Variant A'... [ OK ]
    Rootkit 'AjaKit'... [ OK ]
    Rootkit 'aPa Kit'... [ OK ]
    Rootkit 'Apache Worm'... [ OK ]
    Rootkit 'Ambient (ark) Rootkit'... [ OK ]
    Rootkit 'BeastKit'... [ OK ]
    Rootkit 'BOBKit'... [ OK ]
    Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
    Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
    Rootkit 'Devil RootKit'... [ OK ]
    Rootkit 'Dica'... [ OK ]
    Rootkit 'Dreams Rootkit'... [ OK ]
    Rootkit 'Duarawkz'... [ OK ]
    Rootkit 'Flea Linux Rootkit'... [ OK ]
    Rootkit 'FreeBSD Rootkit'... [ OK ]
    Rootkit '****`it Rootkit'... [ OK ]
    Rootkit 'GasKit'... [ OK ]
    Rootkit 'Heroin LKM'... [ OK ]
    Rootkit 'HjC Kit'... [ OK ]
    Rootkit 'ignoKit'... [ OK ]
    Rootkit 'ImperalsS-FBRK'... [ OK ]
    Rootkit 'Kitko'... [ OK ]
    Rootkit 'Knark'... [ OK ]
    Rootkit 'Li0n Worm'... [ OK ]
    Rootkit 'Lockit / LJK2'... [ OK ]
    Rootkit 'MRK'... [ OK ]
    Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
    Rootkit 'Optic Kit (Tux)'... [ OK ]
    Rootkit 'Oz Rootkit'... [ OK ]
    Rootkit 'Portacelo'... [ OK ]
    Rootkit 'R3dstorm Toolkit'... [ OK ]
    Sebek LKM [ OK ]
    Rootkit 'Scalper Worm'... [ OK ]
    Rootkit 'Shutdown'... [ OK ]
    Rootkit 'SHV4'... [ OK ]
    Rootkit 'Sin Rootkit'... [ OK ]
    Rootkit 'Slapper'... [ OK ]
    Rootkit 'Sneakin Rootkit'... [ OK ]
    Rootkit 'Suckit Rootkit'... [ OK ]
    Rootkit 'SunOS Rootkit'... [ OK ]
    Rootkit 'Superkit'... [ OK ]
    Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
    Rootkit 'TeLeKiT'... [ OK ]
    Rootkit 'T0rn Rootkit'... [ OK ]
    Rootkit 'Trojanit Kit'... [ OK ]
    Rootkit 'VcKit'... [ OK ]
    Rootkit 'Volc Rootkit'... [ OK ]
    Rootkit 'X-Org SunOS Rootkit'... [ OK ]
    Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

    * Suspicious files and malware
    Scanning for known rootkit files [ OK ]
    Miscellaneous Login backdoors [ OK ]
    Miscellaneous directories [ OK ]
    Sniffer logs [ OK ]

    * Trojan specific characteristics
    shv4
    Checking /etc/rc.d/rc.sysinit
    Test 1 [ Clean ]
    Test 2 [ Clean ]
    Test 3 [ Clean ]
    Checking /etc/inetd.conf [ Clean ]

    * Suspicious file properties
    chmod properties
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]
    Script replacements
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /bin/login [ Clean ]

    * OS dependant tests

    Linux
    Checking loaded kernel modules... [ OK ]


    Networking
    * Check: frequently used backdoors
    Port 2001: Scalper Rootkit [ OK ]
    Port 2006: CB Rootkit [ OK ]
    Port 2128: MRK [ OK ]
    Port 14856: Optic Kit (Tux) [ OK ]
    Port 47107: T0rn Rootkit [ OK ]
    Port 60922: zaRwT.KiT [ OK ]

    * Interfaces
    Scanning for promiscuous interfaces [ OK ]


    System checks
    * Allround tests
    Checking hostname... Found. Hostname is xxxx
    Checking for differences in user accounts... OK. No changes.
    Checking for differences in user groups... OK. No changes.
    Checking rc.local file...
    - /etc/rc.local [ OK ]
    - /etc/rc.d/rc.local [ OK ]
    - /usr/local/etc/rc.local [ Not found ]
    - /usr/local/etc/rc.d/rc.local [ Not found ]
    Checking rc.d files...
    Processing........................................
    ........................................
    ........................................
    ........................................
    ........................................
    ........................................
    ........................................
    ........................................
    ........................................
    ........................................
    ......................................
    Result rc.d files check [ OK ]
    Checking history files
    Bourne Shell [ OK ]

    * Filesystem checks
    Checking /dev for suspicious files... [ OK ]
    Scanning for hidden files... [ OK ]


    Security advisories
    * Check: Groups and Accounts
    Searching for /etc/passwd... [ Found ]
    Checking users with UID '0' (root)... [ OK ]

    * Check: SSH
    Searching for sshd_config...
    Found /etc/ssh/sshd_config
    Checking for allowed root login... Watch out Root login possible. Possible risk!
    info:
    Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

    * Check: Events and Logging
    Search for syslog configuration... found
    Checking for running syslog slave... [ OK ]
    Checking for logging to remote system... [ OK (no remote logging) ]


    ---------------------------- Scan results ----------------------------

    MD5
    MD5 compared: 78
    Incorrect MD5 checksums: 0

    File scan
    Scanned files: 283
    Possible infected files: 0
    Possible rootkits:

    Scanning took 23 seconds

  22. #22
    Cool! Glad I could help you out!

  23. #23
    Thank you very much! Nobody had been able to fix this for me today. Thank you.

  24. #24
    Join Date
    Aug 2002
    Posts
    647
    thelinuxguy, you are super cool.

  25. #25
    Join Date
    May 2003
    Location
    Florida
    Posts
    877
    Great job thelinuxguy! Hope you are around when I have a problem.
