# Unintended and unauthorized remote access to my Gentoo box?

## BonezTheGoon

Something very odd, and very disturbing happened this evening that I am in the middle of trying to figure out.  I had my Gentoo box up and running with the screen locked and while I was in the other room my machine suddenly started playing a song, from somewhere mid-song, that I do happen to have on the machine in an mp3 file.  It is not in any recent or current playlists though.  I came over to my machine to see if one of my kids had somehow done something (they are not allowed to use my machine) and found that Xscreensaver still had the screen locked, so I doubt my kids had any part in it.  I unlocked my machine, and checked that Audacious (the only graphical player I have installed) wasn't playing anything -- though I had already had it opened with a playlist stopped.  Before I could do anything more than that the music stopped.  I did a quick ps -A to see if I could spot anything, but whatever was going on was already over.  I'm concerned someone has remotely connected to my Gentoo box and played the song.  I immediately emerged chkrootkit and rkhunter.  I ran rkhunter which didn't find anything terrifying; there were some warnings given I had never run it before so it didn't have a baseline comparison.  When I ran chkrootkit I watched quite a few things that were testing just fine, and walked away.  When I came back to check on it the output seemed very very weird; it had generated more than the Eterm buffer so I don't know what came before the strange output but I will post what there is below.  [[Edit: I have edited the "code" below to make it shorter in hopes that my post will actually work, it barfed all over when posting]]

```

?¡£¼²¨¤¦!Ë`!ÜVÒ#Ø4ÒÑBIÙJ×VDáTÑ4DÑ,!ÛBÓ(0ßRÒ(0ß`:Ù8×Ñ!#ÒDIÝZÒ?Ù8ÐØ6Ñ!ÚLÑÑE(ÙBØUÜ?×6×ÔÙ8Ó:ÝUÙ=

ÜEØ#Ô2Ó×6Ú,ØDáVÙÛ8Ó×(×Ø=ÜIÓ6ÝU×#Ø#ÔÙ8ÔÙZ&Ù4ÚGÑÔ!ÑÛGÚ?Ò!ÜJÓÔ6ÒÔI(×?ÓE4ÝLÏ(ØDÊ!:ÔLË,2×aÊ6ÔTËÔDÊº2ÌI¾OIÎp°2©

£!&6!}:&Z#~2ÂD !#e(!!ª0±!º48cu´À¾ÑâÚÝ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿäÞÊ±Æpf6&VffjUG4R=G,R\DQ4#jlkyE&!46OEQGVIB6J?&!20(!!&?=fUG&#Dg

QOQLVpQ_#ch26RjkI0R\k02!82::6&6&2lU464BLJ`G(4!:IB0,!6LhaG!J0!#6lpe8\fXfL0::?I8?Jgc(&&42_g`\\]nJG0LJ0=,OGQ6&

2?ZLuh~]slaOev`LB,=!,:2&&44!!#!h~°­²¨·¬¤¯¸&£DO×\LXX&!!BJ2O?,#&©·ª{¤¡¬¥x6(BÒJÓ4Ò2Ø?Ò8ÜlJÜ2Ô6ÓÒ2Ù2×VEßOØRDß8Ñ#!Ø4×(Û=ÔÔ_UÛ?Ø]QÜ6×2Ò,#ÚBÒUOßUÎ8ØV=Ô!Ù=Ø(ÜQ

Ó#×]LÛØÙ,Ø8Ü?×,ÞZÓÜRØ6Ù(Ò×8Ñ!ÚJÔ#Ù6Ø#Ó#×(Ô(Ú4Ô&ÛEÑÓ!ÒÒ2ÓDÙ8Ò(ÓÏÒÍÓ6Î:,ÒÅ!2ËO4ÈÁ(¼&À48ÁX©ZaÇhªB´!Ê?j£k

}!sZ±­·ºÈÉÉÊ!Ã¨=nV¡¥ÎÚÒÚÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿíãÔÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿïäÍéØÃåÙÂçÛ¼áÙ¼±¼nR_B2VIETRI_GhJ?JODRI?6I=RE(G6!(B&GELpgxeTQ?0&(#&(08!8826&&6&&(((UXLUv~uaEf_4D!,28&B\!G8&!::!,(64#(804!4,(,!QDZggU?gODJ4=QOQLE!2B\8!440I__e\k}¥yBaL6L6#B0&,,(42D4#0q¤q¤°£¯tDf8luláØ:Ô?ÔÑ,ÔD!Ó&ÜX0Ù]Ù(Ó0ÓÔBÙ2ÔO#ÜIÚEÞIÒØ8Ó!Ü`6Û6Üa,Ù(ÙQ×!Ó4Ø,Ï,:Ýr0×GfÔÙ=ÑØ?4ásÝ:Þ\ßD×#Ù0ÏØBÑ!gÜ4Ó4×&Ñ!Ô,Ò,ÙEØ0Ú]×(Ô&ÑÎÊ:Î0Ê:Ò&ÎÉÅÊÃ¿=Ê=±0±ª&#E!#rk0}·¥¥·±¹¡£v¸¼ÃÈÇÊËËÎ#Ï4Á!0!vr´Å¿×ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ v2|2D

                                                                                       åê(1+

                                                                                  w'''''''''''''''''''''''''''''''''''''''''''''''''À        ddHandmade Software, Inc. Image Alchemy v1.6ÿØÿàJFIFÿÛC         

Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         4719 tty7   /usr/bin/X :0 vt7 -auth /etc/X11/xdm/authdir/authfiles/A:0-NvP7jx
chkutmp: nothing deleted
```

Which looks to me like some kind of an image file somehow dumped with the output, like the ASCII view of a jpeg or gif possibly.  When I Google  "Handmade Software, Inc. Image Alchemy v1.6" it appears that only Russian sites with images by the fantasy artist Boris Vallejo come up as results.  While I have long been a fan of Boris Vallejo I cannot locate any files on my machine of his artwork, but the coincidence seems odd to me.  I guess my biggest question that I am hoping for feedback and other perspectives on is, what happened to chkrootkit's output?  Is it cause for concern?  I don't have anything important on this machine, so I am not worried about that at all.  More than anything I want to learn here.  So no need for alarm or concern, nothing stressful or scary here, just some things that look crazy to me.

Thanks for your time in reading such a bizarre thread, and thanks in advance for any replies!

----------

## didl

First off, it is good that you checked and are careful. However, at least for me chkrootkit has been picking up weird things when scanning for "PHP files" (I think there might be a bug in bugzilla related to this as well). In my case it goes through /var/tmp/ccache/ and dumps a whole zoo of suspected ELF files as suspect PHP, which is obviously wrong. That said, if what you posted below is picked up during the PHP file search it might be benign (since what you posted certainly isn't PHP). In any case, you might want to track down where the file came from on your HD. If you're worried about somebody having logged into your computer, take it off the net and check logs, history, etc. for anything suspect. Also netstat might help to see what is currently connected to your box.

----------

## BonezTheGoon

Thanks for the info!  Last night after I posted my original post I ran chkrootkit again, directing its output to a file this time so I could see better what was going on.  Your hypothesis was correct: this file is spewed out during the suspect PHP files search.  I don't see if it indicates what file it is though, and I have been unable to find the file searching for "Handmade" -- perhaps my searches have not been formed correctly though.  I don't often search for text in files so it's possible I am doing it wrong.  Here is the relevant information from the output, well at least the first part of it.

```
Searching for suspect PHP files... /var/tmp/portage/app-office/openoffice-3.1.1/work/ooo/build/ooo310-m19/ooo_custom_images/industrial/res/commandimagelist/frobnicate-icons.php
g++ -Wl,-z,combreloc -Wl,-z,defs -Wl,-Bsymbolic-functions -Wl,--dynamic-list-cpp-new -Wl,--dynamic-list-cpp-typeinfo -Wl,--as-needed -Wl,-rpath,'$ORIGIN:$ORIGIN/../ure-link/lib' -shared -L../unxlngx6.pro/lib -L../lib -L/var/tmp/portage/$
#!/usr/bin/php4
```

The next line in my file of the chkrootkit output is the image file that chokes the forums if I post it.

```
netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.1.69:59645      192.168.1:ms-wbt-server ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    347      @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    9996     @/org/freedesktop/hal/udev_event
unix  3      [ ]         STREAM     CONNECTED     372442   @/tmp/.X11-unix/X0
unix  4      [ ]         STREAM     CONNECTED     372441   
unix  3      [ ]         STREAM     CONNECTED     366816   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     366815   
unix  3      [ ]         STREAM     CONNECTED     366802   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     366801   
unix  3      [ ]         STREAM     CONNECTED     141150   @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     141149   
unix  3      [ ]         STREAM     CONNECTED     132050   @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     132049   
unix  3      [ ]         STREAM     CONNECTED     132045   
unix  3      [ ]         STREAM     CONNECTED     132044   
unix  3      [ ]         STREAM     CONNECTED     132031   @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     132030   
unix  3      [ ]         STREAM     CONNECTED     12303    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     12302    
unix  3      [ ]         STREAM     CONNECTED     12243    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     12242    
unix  3      [ ]         STREAM     CONNECTED     12084    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     12083    
unix  3      [ ]         STREAM     CONNECTED     11640    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     11639    
unix  3      [ ]         STREAM     CONNECTED     11630    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     11629    
unix  3      [ ]         STREAM     CONNECTED     11622    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     11621    
unix  3      [ ]         STREAM     CONNECTED     11598    /dev/log
unix  3      [ ]         STREAM     CONNECTED     11595    
unix  4      [ ]         STREAM     CONNECTED     11557    @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     11556    
unix  3      [ ]         STREAM     CONNECTED     11240    /dev/log
unix  3      [ ]         STREAM     CONNECTED     11239    
unix  3      [ ]         STREAM     CONNECTED     10724    /dev/log
unix  3      [ ]         STREAM     CONNECTED     10723    
unix  3      [ ]         STREAM     CONNECTED     10610    /dev/log
unix  3      [ ]         STREAM     CONNECTED     10609    
unix  3      [ ]         STREAM     CONNECTED     10431    /dev/log
unix  3      [ ]         STREAM     CONNECTED     10430    
unix  3      [ ]         STREAM     CONNECTED     10428    @/var/run/hald/dbus-r62AhmOdGa
unix  3      [ ]         STREAM     CONNECTED     10427    
unix  3      [ ]         STREAM     CONNECTED     10426    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     10425    
unix  3      [ ]         STREAM     CONNECTED     10370    @/var/run/hald/dbus-r62AhmOdGa
unix  3      [ ]         STREAM     CONNECTED     10358    
unix  3      [ ]         STREAM     CONNECTED     10118    @/var/run/hald/dbus-r62AhmOdGa
unix  3      [ ]         STREAM     CONNECTED     10029    
unix  3      [ ]         STREAM     CONNECTED     9990     @/var/run/hald/dbus-8it2jzFWmr
unix  3      [ ]         STREAM     CONNECTED     9988     
unix  3      [ ]         STREAM     CONNECTED     9972     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     9971     
unix  3      [ ]         STREAM     CONNECTED     9957     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     9956     
unix  3      [ ]         STREAM     CONNECTED     9744     
unix  3      [ ]         STREAM     CONNECTED     9743     
unix  3      [ ]         DGRAM                    350      
unix  3      [ ]         DGRAM                    349   
```

I had firefox-bin opened and an rdesktop connection to a Windows XP box on my LAN when that netstat was run.
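The two things this post is stuck on, locating a file by a text marker when the file is mostly binary and understanding why chkrootkit's "suspect PHP files" pass reports it, can both be shown with a small POSIX shell script. This is an added example, not code from the thread or from chkrootkit: the directory tree under `$WORK`, the file names and their contents are constructed, the path only imitates a portage work directory, and the shebang-plus-binary test is an approximation in the spirit of chkrootkit's check, not its actual logic.

```sh
#!/bin/sh
# Added example, not from the thread or from chkrootkit. Everything under
# $WORK is a constructed fixture; run it, read the output, then rm -rf "$WORK".
set -eu

WORK="${WORK:-$(mktemp -d)}"
RES="$WORK/var/tmp/portage/app-office/example-1.0/work/res"   # made-up portage-like path

# Constructed fixture: one file that starts with a PHP shebang but is followed
# by image-like binary data (the pattern seen in the thread), one real PHP
# script, and one plain text file.
make_fixture() {
    mkdir -p "$RES"
    {
        printf '#!/usr/bin/php4\n'
        printf 'Handmade Software, Inc. Image Alchemy v1.6'
        printf '\377\330\377\340JFIF\377\333\377\377\377\n'
    } > "$RES/icons.php"
    printf '#!/usr/bin/php\n<?php echo "hello";\n' > "$RES/real.php"
    printf 'plain notes\n' > "$RES/notes.txt"
}

# Binary-safe search for a literal marker string:
#   -r recurse, -l print file names only, -a treat binary files as text,
#   -F take the pattern literally (no regex metacharacters).
find_marker() {
    grep -rlaF -- "$1" "$2"
}

# Heuristic in the spirit of chkrootkit's "suspect PHP files" pass (an
# approximation, not its code): report a file whose first line is a PHP
# shebang but which contains bytes that are not printable text in the C
# locale. Output is one path per line.
suspect_php() {
    find "$1" -type f | while IFS= read -r f; do
        head -n 1 "$f" | grep -q '^#!.*php' || continue
        nonprint=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
        if [ "$nonprint" -gt 0 ]; then
            printf '%s\n' "$f"
        fi
    done
}

make_fixture
echo "files containing the marker:"
find_marker 'Handmade Software' "$WORK"
echo "shebang-plus-binary files:"
suspect_php "$WORK"
```

To use it on the real directory, drop the `make_fixture` call and point `find_marker` and `suspect_php` at `/var/tmp/portage`; `grep -a` is the part that makes a plain text search succeed on a file like the one above, which is why searching for "Handmade" with a default `grep` can come back empty.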

----------

## didl

*BonezTheGoon wrote:*

> ```
> Searching for suspect PHP files... /var/tmp/portage/app-office/openoffice-3.1.1/work/ooo/build/ooo310-m19/ooo_custom_images/industrial/res/commandimagelist/frobnicate-icons.php
> ...
> ```

It looks like chkrootkit looks through your /var/tmp/portage so you might want to clean that out completely. The netstat output looks fine. In any case, go through your logs and see if anything sticks out (what you're looking for depends a bit on what the box is running, like sshd or any other services that might be a target vector).
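Reading netstat output by eye works for one line, but the habit worth building is comparing each connection against what the box is supposed to be doing. The script below is an added example, not from the thread: `SAMPLE` is constructed from the single tcp line the thread shows plus two made-up rows (203.0.113.7 is a documentation address, not a real host), and the `EXPECTED` allow list is an assumption about this particular box.

```sh
#!/bin/sh
# Added example, not from the thread: a small triage of netstat output along
# the lines of didl's advice. SAMPLE is constructed (one real line from the
# thread plus two invented ones); EXPECTED is an assumed allow list.
set -eu

SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.69:59645      192.168.1:ms-wbt-server ESTABLISHED
tcp        0      0 127.0.0.1:6010          127.0.0.1:41322         ESTABLISHED
tcp        0      0 192.168.1.69:40110      203.0.113.7:6667        ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  3      [ ]         STREAM     CONNECTED     11598    /dev/log'

# Ports/services this box is expected to use, written the way netstat prints
# them (service names from /etc/services unless netstat -n was used).
# rdesktop to the XP box shows up as ms-wbt-server; add ssh, http etc. as needed.
EXPECTED='ms-wbt-server http https'

# Print "local foreign state" for every tcp/tcp6 row whose peer is not the
# loopback interface. Reads netstat output on stdin.
external_tcp() {
    awk '$1 ~ /^tcp6?$/ && $5 !~ /^(127\.|::1:|localhost:)/ { print $4, $5, $6 }'
}

# From those rows, print the ones where neither side's port is on the allow
# list. The port is taken after the last ':' so the truncated host column that
# netstat produced in the thread ("192.168.1:ms-wbt-server") still parses.
unexpected() {
    external_tcp | while read -r laddr faddr state; do
        lport=${laddr##*:}
        fport=${faddr##*:}
        case " $EXPECTED " in
            *" $lport "*|*" $fport "*) ;;
            *) printf '%s -> %s %s\n' "$laddr" "$faddr" "$state" ;;
        esac
    done
}

echo "connections to non-loopback peers:"
printf '%s\n' "$SAMPLE" | external_tcp
echo "not on the allow list:"
printf '%s\n' "$SAMPLE" | unexpected
```

With real data, feed `netstat -t` into `external_tcp` or `unexpected` instead of `SAMPLE`. The rdesktop session is accepted because `ms-wbt-server` is on the list; the made-up third row is printed, which is exactly the kind of line to explain (which process owns it, `netstat -p` as root, and since when) before concluding that nothing is going on.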

----------

## krinn

Generally ~/.bash_history is good info when suspecting a break-in (if you have some memory and not too many computers to handle).

----------

## BonezTheGoon

Thanks all.  I can't see anything going on.  Nothing more to report, nothing interesting.  Seems this one has "gone cold" and there isn't much to do.  I will keep a suspicious eye on it, and update this thread with any developments in the mystery.  I'll continue to try and check on things posted here, like I said more than anything I want to use this experience as a launching-point for learning.

Thanks again!

----------

## r3tep

Here are some things not mentioned before.

- Any other systems in your network could be infected. Make sure to change any passwords.

- A kernel rootkit could replace something on your system. The cracker can hide everything he wants. I read about this some years ago in a magazine. There was (as I remember) an exploit available: http://en.wikipedia.org/wiki/Rootkit#Kernel_level

- Also possible: a rootkit at a higher level. At some online shops you can buy spy hardware, e.g. a hardware keylogger to put in your keyboard or in your computer case. Physical access is needed for this.

- And I could carry that idea very far: manufacturers could implement some "features" in hardware (e.g. the machine identification code in printers is a hard fact).

- Why should someone crack your system? For fun? Or is someone being paid? Are you politically (or otherwise) active, so that someone could try to denounce you? In some countries IPs are logged, and a crime committed from that IP leads back to the IP's owner.

----------

## krinn

 *r3tep wrote:*   

> Why should someone crack your system?

 

Just having an internet connection and a computer is enough to be a target: this is the main resource for botnets to spam mail and help attack a bigger target. So any computer with internet is raw material today.

----------

## BonezTheGoon

 *r3tep wrote:*   

> Any other Systems in your network could be infected.

 

Actually I've been looking into this a lot over the last twenty minutes, because I realized that when the music was played I had been connected via rdesktop to the Windows XP machine on my LAN.  The music most certainly came through my Linux box, because it is the ONLY box with any speakers at all.  However at this point I am trying to determine if the sound was routed from the Windows XP box to my Linux box.  A moment ago my WinXP box had a hard lock, which caused me to start questioning its health.  It hasn't had any issues in the several years it has been in use, so I suspect it might have been the "lower hanging fruit" that was used in what looks like a probable hack attempt/event.

----------

## BonezTheGoon

After removing the contents of /var/tmp/portage the output (and run time) of chkrootkit is MUCH shorter.

```
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root        23598 tty7   /usr/bin/X :0 vt7 -auth /etc/X11/xdm/authdir/authfiles/A:0-osd8ZM
chkutmp: nothing deleted
```

----------

