# I have been hacked some weeks ago.. and..

## drspewfy

hello, i have been hacked some weeks ago cuz some kiddie knew the user/p and the root passwd, so he installed a rootkit ..

and i tried to fix it up to LEARN how to delete it, after i backed up everything, and

i thought that the rootkit was deleted (suckit rootkit) and from that day nobody has entered again..

but i never did this ...

and now today i'm worried if a backdoor is still there or something..

check what i did now..

```
root@linux root # netstat -tlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:5347                  *:*                     LISTEN      21076/router
tcp        0      0 *:5222                  *:*                     LISTEN      2931/c2s
tcp        0      0 *:mysql                 *:*                     LISTEN      15327/
tcp        0      0 *:www                   *:*                     LISTEN      28327/apache
tcp        0      0 *:5269                  *:*                     LISTEN      31071/s2s
tcp        0      0 *:ssh                   *:*                     LISTEN      18599/sshd
tcp        0      0 *:smtp                  *:*                     LISTEN      3250/
```

and i just use mysql, ssh, www and smtp, so why are the other ports open ???

i also did

```
Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-01-06 00:30 CST
Interesting ports on localhost (127.0.0.1):
(The 3129 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
68/udp   open  dhcpclient
80/tcp   open  http
123/udp  open  ntp
3306/tcp open  mysql
```

and i killed the UDP connection

```
root@linux soldier # ps aux | grep ntp
ntp      11025  0.0  1.7  2160 2152 ?        SL    2003   0:00 [ntpd]
```

and i did the same again

```
netstat -tlp
```

and i got the same ports open.

why ???

and ..

```
123/udp  open  ntp   <--- this one is closed now, but the others still open!
```

ps. i don't want you just telling me to format it, cuz i wanna learn to stop it and to delete the rootkit, or understand how to detect it in all the ways..

THANKS FOR ALL!! from mexico!

----------
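The first post's question ("why are the other ports open?") is an allowlist check: compare what `netstat -tlp` reports against the services the box is meant to run, and look separately at any listener whose program name netstat could not read. The script below is an added example, not code from the thread; it parses the netstat output quoted above (embedded here as the sample), assumes a small name-to-port table in place of /etc/services, and treats the poster's four services as the allowlist.

```python
# Added example: review `netstat -tlp` output against an allowlist of expected ports.
import re

# Sample input: the netstat output from the first post, embedded so the script runs offline.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:5347                  *:*                     LISTEN      21076/router
tcp        0      0 *:5222                  *:*                     LISTEN      2931/c2s
tcp        0      0 *:mysql                 *:*                     LISTEN      15327/
tcp        0      0 *:www                   *:*                     LISTEN      28327/apache
tcp        0      0 *:5269                  *:*                     LISTEN      31071/s2s
tcp        0      0 *:ssh                   *:*                     LISTEN      18599/sshd
tcp        0      0 *:smtp                  *:*                     LISTEN      3250/
"""

# Assumed subset of /etc/services: the names netstat prints for well-known ports.
SERVICE_PORTS = {"ssh": 22, "smtp": 25, "www": 80, "http": 80, "mysql": 3306}

# The services the poster says the machine is supposed to offer.
ALLOWED_PORTS = {22, 25, 80, 3306}

# proto, Recv-Q, Send-Q, local address, foreign address, state, PID/program
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)$")

def parse_listeners(text):
    """Return (proto, port, pid, program) for every LISTEN line; program is None if blank."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "LISTEN":
            continue
        proto, local, _, pidprog = m.groups()
        name = local.rsplit(":", 1)[1]
        port = int(name) if name.isdigit() else SERVICE_PORTS.get(name)
        pid, _, prog = pidprog.partition("/")
        listeners.append((proto, port, int(pid), prog or None))
    return listeners

def review_listeners(text, allowed=ALLOWED_PORTS):
    """Pair each listener with the reason it deserves a look, or None if it is expected."""
    findings = []
    for proto, port, pid, prog in parse_listeners(text):
        if port not in allowed:
            reason = "port not in allowlist"
        elif prog is None:
            # netstat -p could not name the process: look at /proc/<pid>/exe and cmdline directly.
            reason = "no program name for pid %d: inspect /proc/%d directly" % (pid, pid)
        else:
            reason = None
        findings.append(((proto, port, pid, prog), reason))
    return findings
```

An allowlist miss means "unexplained", not "malicious": 5222, 5269 and 5347 with programs named c2s, s2s and router are the client, server-to-server and component-router ports of the jabberd2 XMPP server, so the next step is to confirm which package owns those binaries. The two listeners with no program name are the ones to check by hand, since a rootkit that hides processes from ps (as the later chkrootkit output reports) can also leave gaps here.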

## fleed

Use `lsof -i :port` for all the listening ports so you can check what daemon has the port open. Then re-emerge that daemon to make sure it's not a modified version. But even then this might not be enough, since a malicious program could pretend to be something else by changing its execution name. You might need to `emerge lsof`.

----------

## drspewfy

i used chkrootkit to check if i have a rootkit

and it's still saying that i'm infected!.

nobody has joined my b0x anyway cuz i'm always checking the logs and who joins and goes out...

this is what i got from chkrootkit

the files infected..

```
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
....
..
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have     2 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'...
eth0: PROMISC
```

.. it's promisc cuz i have snort now  :Smile: 

well

i hope i can keep trying to fix my server, to learn how to detect it in all the ways and how to delete it completely, i don't wanna format yet...

 :Smile: 

thanks guys, i hope for your help!!!

bye

----------

## fleed

Which logs are you talking about? If it's logs on the infected machine then they're worthless since the machine is/was infected. Is it logs from a NAT router which logs all packets? You could also have other programs infected by a nonrootkit program that the perpetrator installed. chkrootkit won't detect that.

Just FYI, ifconfig can be restored by `emerge sys-apps/net-tools` and login by `emerge sys-apps/pam-login sys-apps/shadow`. Even if chkrootkit doesn't show anything else, *assume* you're still infected!

----------

## drspewfy

```
gzipping man page: login.1
prepallstrip:
strip:
strip:
   bin/login
>>> Completed installing into /var/tmp/portage/pam-login-3.11/image/
>>> Merging sys-apps/pam-login-3.11 to /
--- /bin/
!!! copy /var/tmp/portage/pam-login-3.11/image/bin/login -> /bin/login failed.
!!! [Errno 1] Operation not permitted
```

that happened with login, and with lsof pretty much the same...

i'm pretty sure now; i understand everything about this compromised system, i will format my system

hehe

----------
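"Operation not permitted" for root on an ordinary file, as in the emerge failure above, is the classic symptom of the ext2/ext3 immutable attribute (`chattr +i`), which rootkits set on replaced binaries so that reinstalling a package silently fails; `lsattr` shows it as an `i` in the flags column. The script below is an added example, not from the thread: it parses `lsattr` output (a constructed sample is embedded) and reports files carrying the immutable or append-only flag, with a wrapper that runs `lsattr -R` over the system binary directories.

```python
# Added example: find files whose immutable (i) or append-only (a) attribute is set,
# the usual reason a root-owned copy into /bin fails with EPERM.
import re
import subprocess

# Constructed sample of `lsattr` output: flags column first, then the path.
SAMPLE_LSATTR = """\
------------- /bin/ls
----i-------- /bin/login
-----a------- /var/log/messages
------------- /bin/ps
lsattr: Operation not supported While reading flags on /proc/1
"""

# A flags field is dashes and letters only; anything else (error lines) is skipped.
LSATTR_RE = re.compile(r"^([-A-Za-z]+)\s+(.+)$")

def flagged_files(text):
    """Return [(path, 'i' or 'a')] for every line whose flags contain i or a (lowercase only)."""
    found = []
    for line in text.splitlines():
        m = LSATTR_RE.match(line.strip())
        if not m:
            continue
        flags, path = m.groups()
        if "i" in flags:
            found.append((path, "i"))
        elif "a" in flags:
            found.append((path, "a"))
    return found

def scan(dirs=("/bin", "/sbin", "/usr/bin", "/usr/sbin")):
    """Run lsattr -R on the live system and return the flagged files (needs read access)."""
    proc = subprocess.run(["lsattr", "-R", *dirs], capture_output=True, text=True)
    return flagged_files(proc.stdout)
```

`chattr -i` clears the flag, but on a box where chkrootkit already reports processes hidden from ps the kernel itself is suspect, so lsattr's answer is only trustworthy when run from clean boot media, as the later replies say.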

## fleed

Well, the good thing is that you now understand why it's a bad idea to try to fix it instead of reformatting! It sucks to get rooted, been there.

----------

## RexSum

well, prolly the best thing you can do is reinstall completely after being hacked, because you can't really tell what they did. 

just for your information, suckit doesn't open ports, it just listens on open sockets between the socket and services, so it's hard to detect. it also infects the init and login binaries. as ifconfig is infected as well, it seems they installed other backdoors too. 

so in short, your best bet is to reinstall completely and update it pretty constantly. also, snort will tell you if someone is probing your system for access. to prevent rootkits from changing stuff you should also use tripwire, which will detect which files have been altered.

without info on what they did there is no knowing what they did. so better safe than sorry.

----------
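The tripwire suggestion above comes down to a digest baseline taken while the system is known-good, kept off the box, and compared against the live tree later. This is an added example, not tripwire's code or anything from the thread: a minimal checker built on SHA-256 plus file mode, with a constructed scenario in which a "login" binary is replaced and a hidden file appears.

```python
# Added example: a minimal tripwire-style integrity check (digest + mode baseline).
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (path relative to root) to (digest, mode)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full), os.stat(full).st_mode)
    return baseline

def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario in a temp dir: baseline a fake /bin, then alter it."""
    root = tempfile.mkdtemp()
    for name, data in (("login", b"original login"), ("ifconfig", b"original ifconfig")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    before = build_baseline(root)          # taken while the tree is known-good
    with open(os.path.join(root, "login"), "wb") as f:
        f.write(b"trojaned login")         # same name and mode, different content
    with open(os.path.join(root, ".hidden"), "wb") as f:
        f.write(b"dropped file")           # a file the baseline never saw
    # On a rooted host, open() and stat() go through the suspect kernel, so the
    # real comparison must be run from clean read-only media against the mounted disk.
    return compare(before, build_baseline(root))
```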

## slestak

if you put all your data on another partition, can you just reformat the /boot and / partitions?  Wondering if a savvy kit could live through that?

----------

## jesterspet

if you search the net or pick up any security book, they all say the exact same thing about what to do after you find a compromised machine. Disconnect it from any network. Wipe it & reinstall.

Your attempt to delete a rootkit & return your computer to a secure status, is a snipe hunt at best.

The reason for this is, that once a computer is compromised, all of the data on that box is suspect.

Everything from your logs, your wtmp & utmp files, to your personal data and your binaries are now no longer trustworthy.  Anything you put on that computer can also become trojaned, as it is not unheard of to have cron jobs, batch files, aliases, shell functions, etc. that look for clean binaries & augment them to the attacker's whims.  

Your initial report showed that you used nmap.  What makes you think you can trust that tool?  Many trojan programs rely on not being able to be seen.  If your output is to be trusted, you would have to run that program from CD, & ensure that its output is not diddled with.  It is completely possible to hide open ports from nmap if you have root on a computer.

Your results also show login was compromised.  Now anyone that logs in will be at the mercy of the attacker, as you are now in a shell they control.  Perhaps you are only seeing what they want you to see. You could "clean your computer" and get rid of any visible signs of a break-in, and still be open to the attacker's wishes.  Since you "cleaned" the rootkit off of the computer, and believe you are now secure, the attacker will not need to be as careful as they were before the "cleaning", as you will now no longer be looking for them.

If you must recover the data, use read only media to run your tools from, get your data, and then wipe the drive partitions.  This is the only way to be sure that you are not still owned.

----------

