# Help! Trojaned. :(

## mr-simon

Looks like I've been a bit slow off the mark with my security patches. Doh.

It's not a critical box, and I can rebuild it if necessary... I just ran chkrootkit and it reported:

```
Possible T0rn v8 rootkit installed
Possible RH-Sharpe's rootkit installed
Possible LPD worm installed
Possible Showtee rootkit installed
Possible LKM Trojan installed
```

Wooeee... Nasty. Looks like someone's been having a field day.   :Embarassed:   :Embarassed:   :Embarassed: 

So... How to sort out this mess. Should I trash the box and start again? Or can I fix all of the above with an emerge -e world...

I started by having a google for 'T0rn removal instructions' and it seems either a rebuild or 'remove and replace the infected files' is the way to go... Will emerge -e world sort it out, or is it rebuild time?

thanks  

 :Crying or Very sad: 

----------

## derk

My recommendation, if it's not a critical box, is to scrub and start over.

Once you have a problem it's best to purge and rebuild; there is no way to determine what has been altered or changed on most boxes if you don't have a monitoring system in place, and even then you are taking a risk.

If you want to study the situation first, do so with known good tools from a clean boot disk or a fresh Gentoo CD burnt on a non-compromised machine. It is generally a good idea to try to determine how you were compromised so you can eliminate the entry point. I suggest a good security network audit, and use a good security book as a reference.

I suggest you make sure none of your other boxen are compromised as well. Once someone else is on your local network you may have difficulties making sure they are truly gone without a lot of work.

Keep us posted... the rest of us Gentoo users/fans would like to know of any holes you may find so we can patch/block them accordingly.

derk

----------

## Auka

Hi

Ouch, that's not really nice...    :Crying or Very sad: 

Ok, so first of all you might boot FIRE (http://fire.dmzs.com/, a specifically designed Linux boot CD-ROM for forensics that contains chkrootkit and co.) to verify whether your system really has been trojaned.

If someone did break into your box (and it seems so....) then you should really rebuild it from scratch. Completely. Also take care: avoid using backup files (at least if they are binaries); these might also contain trojaned files! Think twice about every file you want to take off of this box if you really have to.

Yes, rebuilding is (or at least can be) an immense amount of work. But it should be better to rebuild from scratch than spend a few hours not being sure if something has been left over or not. While I'm at it... also think about how and why this could happen -> try to avoid getting trojaned just again and don't make the same mistakes twice...  :Wink:  (too old services? unneeded services? binaries from "friends"?)

Good luck. 

 :Wink: 

----------

## puddpunk

Could I just have your IP address?  :Wink: 

----------

## mr-simon

 *Auka wrote:*   

> Yes, rebuilding is (or at least can be) an immense amount of work. But it should be better to rebuild from scratch than spend a few hours not being sure if something has been left over or not. While I'm at it... also think about how and why this could happen -> try to avoid getting trojaned just again and don't make the same mistakes twice... (too old services? unneeded services? binaries from "friends"?)

 

Yeah I decided to pull the network jack out of the box, and not plug it in again until I'd booted off a livecd.

Last emerge -u world was about 2 weeks ago, but I wasn't running a proper firewall. I was only running proftpd, ssh and samba on it, and samba was pointing internally only, or at least it was supposed to be. My thinking was something like "well, if all the other ports are closed and I update fairly often, why do I need a firewall?" - well, that coupled with "I'm too lazy to bother writing one."  :Wink: 

I think it was samba that caused the problem. Although I'd told it to only listen on 192.168.x.x, it seems one smb port was still awake on the external interface. Something to do with nmbd, I think.

Well, that'll learn me. Update more than once every two weeks... Run a proper firewall. *sigh*
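The situation above (a service that was meant to be internal-only but had a port awake on the external interface) is exactly what a listening-socket audit catches. The following is an added example, not code from the thread: it takes the columns printed by `ss -Hlntu` (assumed input format), treats loopback and RFC 1918 addresses as internal, and reports every listener bound to a wildcard or other externally reachable address. The sample input is constructed to mirror the thread's samba/nmbd case.

```shell
#!/bin/sh
# Added example: report listening sockets that are reachable from outside.
# Input: lines in the format of `ss -Hlntu`
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Loopback and RFC 1918 (10/8, 172.16/12, 192.168/16) bindings count as internal;
# anything else, including the wildcards 0.0.0.0, [::] and *, is reported.

# Constructed sample: smbd bound to the LAN address, but nmbd (137/138) and
# sshd (22) on the wildcard, and a local-only MTA on 127.0.0.1.
SAMPLE='tcp   LISTEN 0 50   192.168.1.10:139   0.0.0.0:*
tcp   LISTEN 0 50   192.168.1.10:445   0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:137        0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:138        0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:25       0.0.0.0:*'

# Prints "proto address:port" for each externally reachable listener.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
    NF >= 5 {
        addr = $5; sub(/:[^:]*$/, "", addr)   # strip the trailing :port
        port = $5; sub(/.*:/, "", port)       # keep only the port
        if (addr == "127.0.0.1" || addr == "[::1]") next
        if (addr ~ /^10\./) next
        if (addr ~ /^192\.168\./) next
        if (addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
        print $1, addr ":" port               # wildcard or public binding
    }'
}

# Run against the constructed sample; on a live box use: exposed_listeners "$(ss -Hlntu)"
exposed_listeners "$SAMPLE"
```

Run it from a clean boot medium on the suspect box; a listener you did not expect on the wildcard is the kind of thing the post above only found after the fact.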

----------

## simcop2387

Nah, once every two weeks should be fine for most cases, but just keep a lookout for GLSAs.

----------

## refriedbean

Well, if you are lazy (like me), using a prebuilt firewall script is better than nothing. Currently I'm using http://projectfiles.com/firewall

It's all in one file, so just edit the file, change a few variables, and run it. For normal desktops that don't have any services (except ssh maybe), you can just run it without changing anything, and it will secure the connection.

I'm using it on my firewall box at home, and it's doing a pretty decent job. NAT and port forwards etc.

If you are looking for a more complete firewall, check out Shorewall (can't remember the URL right now). It's a bit more feature-complete, and it uses an almost 'natural language' syntax in its configs.

Personally, I'm not really so paranoid that I would write my own scripts... For me, just using one that someone spent months developing is perfect.

Well, have fun with the reinstall  :Wink: 

-Refried

----------

## Auka

Yep. Or you might have a look at the fwbuilder GUI. If you have a basic understanding of networking, have a look at this and use the wizard; you should be able to fairly easily build a quite decent and secure policy. (And it "scales": if you do know what you are doing it also is a quite powerful tool, a bit similar to the "famous" Checkpoint FW-1 GUI, if anyone else knows it...)  :Wink: 

----------

## jbrown

If you have had any compromise whatsoever, then you should always reformat and reinstall completely.

----------

## tgoodaire

I would recommend that you do this:

Get the computer off the internet!

Do as much as you can to try and figure out how they got in. If you just format and reinstall everything, they could just get in the same way!
