# I think I got cracked

## gino_rotormind

I am not sure if this is the right place to post this, but it appears I have had my box cracked. I came in this morning to find masses of errors indicating sendmail could not be found. Now a number of key programs have been deleted, including whoami, ls, mv and more of which I am not aware.

Are there any logs or anything I can look at to confirm what has happened? (I run metalog.)

What do I need to emerge in order to get the lost programs back?

As far as I knew I had a reasonably secure system. It had the latest ssh running, no web server, no other ftp daemons, nothing. The machine was on and logged in, but it is in a reasonably secure room. Due to the sendmail errors I assume it was cracked remotely. Is sendmail installed in Gentoo automatically? Does it run automatically? I guess these questions are a bit premature until I can find a log to determine what was actually done.

----------

## jstubbs

I can't help too much coz I'm on a Mandrake machine at the moment, but...

With regard to the logs, check /var/log/everything/current and /var/log/security/current (I think) and one of them should show logons and logoffs. You probably won't get much information from any other logs, as if you have been hacked then most traces would be gone. Check for a single logoff with no matching logon - or even a logon/logoff that you can't identify.

sendmail is not installed automatically in Gentoo. The default mail "server" is ssmtpd which I believe to be just a stub that will get mail into /var/spool/mail if called directly - i.e. I don't believe it to listen on port 25.

Maybe a little bit of an overkill, but to ensure you get all your apps back, you can re-emerge everything. To do that, pull out your Gentoo installation CD, extract the Stage 1 tarball over your installation, reboot and then run "emerge -e world".

Good luck!

Jason

----------

## gino_rotormind

Thanks, the exact error message was:

```
[sSMTP] Cannot open mail:25
[sSMTP] Unable to locate mail
```

but there are also entries in the logs such as:

```
[CRON] (root) CMD (test -x /usr/sbin/run-crons && /usr/crons)
[CRON] (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)
[CRON] (root) MAIL (mailed 39 bytes of output but got status 0x0001)
```

Does this mean that the cron daemon was compromised? I use vcron, the latest release I think. I did have a cron job running as root to automatically emerge everything, but I removed that last week. Surely it is unrelated. The code for that was:

```
0 21 1 * * /home/root/install.sh >/dev/null 2>&1
```

but like I said, I removed that last week. And this drama has only made itself apparent today.

----------

## indros

```
[CRON] (root) CMD (test -x /usr/sbin/run-crons && /usr/crons)
[CRON] (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)
[CRON] (root) MAIL (mailed 39 bytes of output but got status 0x0001)
```

The first two lines are normal for running vcron. The 3rd, I suspect, would be because you seem to be missing that ssmtpd file.

I can't really say for sure that you were compromised. Your disk may be failing, or you may have been compromised, or anything else. Look in /etc/passwd for accounts you didn't create, or look for the system accounts with /bin/bash as the shell.

Do you run any servers (apache, mysql, etc) on this machine?
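The /etc/passwd check suggested above, written out as a small POSIX sh audit. This is an added example, not something posted in the thread: it runs over a constructed passwd sample (the account names, UIDs and the two suspicious entries are made up for illustration) and flags the three things worth explaining on a box you suspect: a second UID 0 account, a low-UID system account with an interactive shell, and an empty password field. The `MIN_USER_UID` cutoff is an assumption; adjust it to where your distribution starts ordinary user UIDs.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (not from the thread's machine).
# "toor" (UID 0) and "operator" (system UID with /bin/bash) are the planted findings.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
sshd:x:22:22:sshd:/var/empty:/bin/false
nobody:x:65534:65534:nobody:/:/bin/false
gino:x:1000:100::/home/gino:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
toor:x:0:0::/root:/bin/sh'

# Assumed cutoff: UIDs below this are system accounts and should not have a shell.
MIN_USER_UID=1000

# audit_passwd: read passwd-format lines on stdin, print one finding per line.
#   UID0     <name>         - an account other than root with UID 0
#   SYSSHELL <name> <shell> - a system account whose login shell is interactive
#   NOPASS   <name>         - an empty password field (no password, no shadow marker)
audit_passwd() {
    awk -F: -v min_uid="$MIN_USER_UID" '
        NF < 7 { next }                                  # skip malformed lines
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $3 < min_uid && $1 != "root" && $7 ~ /\/(ba|z|k|c|tc)?sh$/ {
            print "SYSSHELL " $1 " " $7
        }
        $2 == "" { print "NOPASS " $1 }
    '
}

# Run against the constructed sample. On a real system: audit_passwd < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

Run it with the system's own awk only if you trust it; as funkmankey notes further down, on a box you think is cracked the safer route is to boot a known-good CD and point the script at the mounted /etc/passwd.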

----------

## Minos

It's very unlikely that sendmail (ssmtp) or cron have been compromised.  By default, vcron mails the output of its jobs to root.  The default configs for ssmtp try to send all mail (even local) to a relay server "mail".  I got tired of ssmtp filling the console with errors similar to yours, so I emerged exim and configured it for local delivery only.

As far as the missing programs, does

```
env-update && source /etc/profile
```

help? If not, can you find them with locate?

----------

## matkel

First check if your nic is in promiscuous mode. If it is, then you've probably been hacked.

```
ifconfig
```

You can also use chkrootkit to probe your box for rootkits:

```
emerge chkrootkit && chkrootkit
```

It'll also check for common binaries.

ls, whoami, mv and so on are in sys-apps/coreutils.

Try re-emerging this package only, before reinstalling the whole box, if everything else seems OK.

And if unsure of what processes could be listening, do a

```
netstat -ap | grep LISTEN
```

You'll get the exact list of running services.
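The two checks in this post, promiscuous interfaces and unexpected listeners, turned into reusable sh functions. This is an added example, not matkel's or the thread's code: it parses constructed `ifconfig` and `netstat -ap` output in the net-tools format of the time (interface names, addresses, PIDs and the listener on port 31337 are all made up), and the allowlist of expected daemon names passed to `unexpected_listeners` is an assumption you replace with what the box is supposed to run.

```shell
#!/bin/sh
# Constructed ifconfig output (not from the thread's machine); eth0 carries PROMISC.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Constructed "netstat -ap" output; the shell bound to *:31337 is the planted finding.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ssh                   *:*                     LISTEN      412/sshd
tcp        0      0 *:31337                 *:*                     LISTEN      9921/sh
tcp        0      0 192.168.1.10:ssh        192.168.1.5:1042        ESTABLISHED 9003/sshd
udp        0      0 *:bootpc                *:*                                 -'

# find_promisc: read ifconfig output on stdin, print each interface whose
# flags line contains PROMISC. Interface blocks start at column 0; flag lines
# are indented, so remember the last interface name seen.
find_promisc() {
    awk '
        /^[A-Za-z0-9]/ { iface = $1 }
        $0 ~ /(^| )PROMISC( |$)/ { print iface }
    '
}

# list_listeners: read "netstat -ap" output on stdin, print
# "proto local-address pid/program" for every socket in LISTEN state.
list_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $6 == "LISTEN" { print $1, $4, $7 }'
}

# unexpected_listeners: like list_listeners, but drop entries whose program
# name appears in the space-separated allowlist given as $1. What remains is
# the list you have to explain.
unexpected_listeners() {
    list_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { split($3, p, "/"); if (!(p[2] in ok)) print }
    '
}

# Run against the constructed samples. On a live box you would pipe the real
# commands in: ifconfig | find_promisc ; netstat -ap | unexpected_listeners "sshd"
printf '%s\n' "$SAMPLE_IFCONFIG" | find_promisc
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "sshd"
```

A rootkit that has replaced ifconfig or netstat can hide both findings, which is why the output is worth capturing from binaries on a known-good boot CD rather than from the suspect box's own /sbin and /bin.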

----------

## gino_rotormind

Thanks all for your feedback. The machine that got done was only a P200, too slow really to be compiling anything useful. It had been up for 6 months and had spent 5 months of that compiling to keep current. I have decided to put something else on that particular machine and move Gentoo onto something more powerful. I would hate to think they had a trojan or something to let them back in. That's why the fresh start. Again, thanks all.

----------

## pfft

I think I recognize the problem.

What does the emerge script you had in *cron look like?

I once did a manual "emerge sh-utils" and after it finished some basic tools were screwed up, like /bin/uname was in /usr/bin/uname and so on, and some utilities like echo and date were missing.

The problem was solved after I did "emerge coreutils".

----------

## Robert K.

Hi,

Did you do an

```
emerge depclean
```

?

I did it, and my coreutils are gone, too.

Anyone have an idea how to repair it?

If I try to re-emerge it, I get the following error message:

```
bash-2.05b# emerge coreutils
bash: /usr/bin/emerge: /usr/bin/env: bad interpreter: Datei oder Verzeichnis nicht gefunden
bash-2.05b#
```

Regards

Empty

Found a solution here. Worked for me:

https://forums.gentoo.org/viewtopic.php?t=78838&highlight=coreutils

Last edited by Robert K. on Sat Sep 06, 2003 9:10 pm; edited 2 times in total

----------

## funkmankey

FWIW, if you've really been cracked, you probably don't want to trust anything on the box. You're much better off running chkrootkit and such from a known-good F.I.R.E. (or Knoppix, etc.) CD.

I agree that it's a very good idea to make a 100% fresh start on that machine.

----------

