# I've been hacked?

## kang_

Hi,

Just installed Gentoo.

I have a strict firewall (block all except SSH (3.2.2), which is not on a standard port) and no egress filtering other than allowing connections established from me, plus the ones new/established/related from a computer on my NAT.

I just emerged chkrootkit and ran chkwtmp.

It found 5 deletions in wtmp (argh!).

My system is like 3 days old (!) so it is very unlikely that I've been hacked (but we never know).

Then I chose to change my (quite secure) root and user passwords, and here is what I got (chkrootkit said it found no trojan/backdoor etc., btw):

```
root # passwd
New UNIX password:
Retype new UNIX password:
Enter new UNIX password:
```

It RE-ASKS???

So here are my questions:

1/ Does Gentoo use normal wtmp stuff? (I guess yes, so I will check the unclean deletions with wted. Notice that an attacker not good enough to use a real wiper, other than nulling entries, is probably not supposed to install his own backdoors... but still... Or maybe it's an overflow in the way wtmp is logged? I got my hands on such an exploit (which was binaries :/) and unreleased (sic), but it was totally deleting wtmp instead of just entries, so...

2/ Is it the normal way of Gentoo's passwd to ask TWO times? (I guess not -> trojan)

Thank you a lot if you can answer me.

kang

----------

## kang_

Here are the nulled entries:

```
# ./a.out -f /var/log/wtmp -z
                Thu Jan  1 01:00:00 1970
                Thu Jan  1 01:00:00 1970
                Thu Jan  1 01:00:00 1970
                Thu Jan  1 01:00:00 1970
                Thu Jan  1 01:00:00 1970
```

1970? What is this, a log wiper? Or is this a Gentoo default install bug?

I used stage1-2-3 tarballs.

Anyone with a 1.1a CD ISO install could check?

I will check on the tarballs though.

----------

## kang_

I checked and wtmp is clean on the CD.

----------

## Guest

After log exploration it seems I did reboot between the deletions because of a kernel crash.

So that would maybe explain the garbage in wtmp? (I have no firewall hits related to port scans etc. during this period.)

----------

## kerframil

1) I'm not sure, as I have some stuff to learn myself on wtmp; however, I assume you have a perfectly serviceable firewall log. You could grep that to find any connection attempt to your SSH port (or, indeed, any successful inbound connection). If there are none to be found other than connections you know to have been initiated by yourself, and your firewall is as secure as you say it is, then it is a fairly safe bet that you are OK. Sorry, I would give more detailed guidance but I only use *BSD/IPFilter for firewalls ..! Yes, I do realise that such logs could, in theory, be doctored ...

2) Yes, it does re-ask. It's quite conventional, mainly to ensure the user does not enter a password incorrectly without realising it, thus locking themselves out of the most important user account!

Furthermore, if you had a trojan you might expect a port to be opened up for listening, so run netstat -l to make sure nothing is there that looks out of the ordinary. And a trojan could "phone home" too, so you might want to tighten your ruleset so that not all outgoing connection attempts are allowed - only ports 80/21/53 and so forth, just to make things a little bit more secure. Or even just log and drop all outgoing connection attempts from your Gentoo box for a period, and see what happened - no strange connection attempts probably = no trojan.

It would take a fairly skilled person to cover up their tracks completely, so try to establish as much evidence as possible before drawing a conclusion. If you have a good password (no dictionary terms, 10 chars minimum, and some chars other than [0-9a-zA-Z] present) then I doubt somebody walked straight in like that, subject to other potential vulnerabilities on your system of course ;)

Also, you could do a lot worse than run an IDS such as snort to more comprehensively tackle the issue of intrusion attempts and possible file changes. I hear snort is pretty good and a build is available in portage.

PS: (for the casual reader): IMO, most firewall rulesets aren't as secure as people think they are, particularly if they do not set them up by hand, especially with regard to tricky topics like anti-spoofing and connection state. For example, my rulesets have block rules for any packets from 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 and the local LAN subnet - in my case 192.168.254.0/24 - as no inbound packet on the Internet-facing interface should ever have such source addresses (which might just be let straight in otherwise). These rules are checked before any others, so any spoofed packets will be blocked regardless - it doesn't matter who initiated them or where they were going. I also check outbound so that people can't spoof from my LAN either :). I also check for packets with IP options and/or excessive fragments inbound before any of that.

----------

## kang_

The double password asking thing was due to a PAM misconfiguration.

(I had copy-pasted from the Gentoo securing guide, which had typos, and also which doesn't work on the latest Gentoo+PAM, it seems... Also, I noticed it was very secure not to provide the full path to libs like they did in the guide... sic...)

----------

## Guest

 *kerframil wrote:*   

> 1) I'm not sure, as I have some stuff to learn myself on wtmp; however, I assume you have a perfectly serviceable firewall log. You could grep that to find any connection attempt to your SSH port (or, indeed, any successful inbound connection). If there are none to be found other than connections you know to have been initiated by yourself, and your firewall is as secure as you say it is, then it is a fairly safe bet that you are OK. Sorry, I would give more detailed guidance but I only use *BSD/IPFilter for firewalls ..! Yes, I do realise that such logs could, in theory, be doctored ...

Yeah, I did..

 *Quote:*   

> 2) Yes, it does re-ask. It's quite conventional, mainly to ensure the user does not enter a password incorrectly without realising it, thus locking themselves out of the most important user account!

No, I meant it RE-RE-asks, but I found the problem (see upper post).

(I'm not that much of a newbie, I hope :)

 *Quote:*   

> Furthermore, if you had a trojan you might expect a port to be opened up for listening, so run netstat -l to make sure nothing is there that looks out of the ordinary.

I did :) (hoping that netstat is not trojaned itself; tried lsof too, including EST and LIS)

 *Quote:*   

> And a trojan could "phone home" too, so you might want to tighten your ruleset so that not all outgoing connection attempts are allowed - only ports 80/21/53 and so forth, just to make things a little bit more secure. Or even just log and drop all outgoing connection attempts from your Gentoo box for a period, and see what happened - no strange connection attempts probably = no trojan.

That's what I think is called egress filtering (not certain), and I didn't really make it very tight yet.

 *Quote:*   

> It would take a fairly skilled person to cover up their tracks completely, so try to establish as much evidence as possible before drawing a conclusion. If you have a good password (no dictionary terms, 10 chars minimum, and some chars other than [0-9a-zA-Z] present) then I doubt somebody walked straight in like that, subject to other potential vulnerabilities on your system of course

Yeah, maybe I've been overreacting a little to the wtmp check, but, ya know, we're all like that ;)

Moreover, it gives us a chance to see what others would do in such occasions, and learn :)

 *Quote:*   

> Also, you could do a lot worse than run an IDS such as snort to more comprehensively tackle the issue of intrusion attempts and possible file changes. I hear snort is pretty good and a build is available in portage.

I didn't install it yet since it would require me to learn how to write good rules for it (I don't like installing stuff without knowing ;)

But it is definitely on my "task list" ;)

 *Quote:*   

> PS: (for the casual reader): IMO, most firewall rulesets aren't as secure as people think they are, particularly if they do not set them up by hand, especially with regard to tricky topics like anti-spoofing and connection state. For example, my rulesets have block rules for any packets from 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 and the local LAN subnet - in my case 192.168.254.0/24 - as no inbound packet on the Internet-facing interface should ever have such source addresses (which might just be let straight in otherwise). These rules are checked before any others, so any spoofed packets will be blocked regardless - it doesn't matter who initiated them or where they were going. I also check outbound so that people can't spoof from my LAN either. I also check for packets with IP options and/or excessive fragments inbound before any of that.

Yeah, I check that too (my firewall is handmade ;)) and of course I deny source-routed packets (although I deny them from all sources, which may cause problems in specific networks, but here it's OK). I drop all traffic but 113 and 1080, which I reject (for timeouts to IRC servers, etc.), and allow my special SSH port ;)

Also, I was about to install aide (emerge package) for binary sums, but... if I've already been hacked it's stupid ;))

----------
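The rule order kerframil describes in the PS (anti-spoof block rules evaluated before everything else, inbound accepted only on the SSH port, established/related replies accepted, egress whitelisted with the rest logged and dropped), together with the REJECT for 113/1080 from the reply above, as an added example that is neither poster's ruleset: a Python policy evaluator over constructed packets rather than an iptables or IPFilter script, so the ordering can be exercised and checked. The LAN subnet and bogon list are the ones given in the post; the SSH port (2222), the egress whitelist, the address samples and the packet list are assumptions. It models packets arriving on the Internet-facing ("wan") and LAN-facing ("lan") interfaces of a NAT gateway and ignores the gateway's own traffic.

```python
import ipaddress
from collections import Counter

# Added example, not code from the thread.  LAN subnet and bogon list are
# taken from the post; the SSH port, egress whitelist and sample packets are
# constructed for the demonstration.
LAN = ipaddress.ip_network("192.168.254.0/24")
SSH_PORT = 2222                       # assumed non-standard sshd port
EGRESS_OK = {80, 21, 53}              # ports the post suggests allowing out
REJECT_PORTS = {113, 1080}            # identd/socks: answer with an error so
                                      # IRC servers don't wait for a timeout

# Source addresses that must never arrive on the Internet-facing interface.
BOGONS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23",
    "224.0.0.0/3",
)] + [LAN]


def is_bogon(src):
    addr = ipaddress.ip_address(str(src))
    return any(addr in net for net in BOGONS)


def verdict(pkt):
    """pkt: dict(iface='wan'|'lan', src, dst, dport, state).  'iface' is the
    interface the packet arrives on; 'state' is the connection tracker's view
    ('new', 'established' or 'related').  Rules run in the post's order."""
    src = ipaddress.ip_address(pkt["src"])
    iface, dport, state = pkt["iface"], pkt["dport"], pkt["state"]
    # 1. anti-spoofing first, regardless of state or destination port
    if iface == "wan" and is_bogon(src):
        return "drop-spoof"
    if iface == "lan" and src not in LAN:
        return "drop-spoof"
    # 2. replies to connections we (or a LAN host) opened
    if state in ("established", "related"):
        return "accept"
    # 3. the only service exposed to the Internet
    if iface == "wan" and dport == SSH_PORT:
        return "accept"
    # 4. ports answered with an ICMP error instead of a silent drop
    if iface == "wan" and dport in REJECT_PORTS:
        return "reject"
    # 5. egress: whitelist, then log and drop everything else
    if iface == "lan":
        return "accept" if dport in EGRESS_OK else "log-drop"
    return "drop"


def run_policy(packets):
    return [(p, verdict(p)) for p in packets]


def egress_report(results):
    """Count logged egress attempts by (src, dst, dport).  One LAN host
    repeatedly trying an unusual remote port is the 'phone home' pattern
    the post suggests watching for after a period of log-and-drop."""
    return Counter((p["src"], p["dst"], p["dport"])
                   for p, v in results if v == "log-drop")


# Constructed packets; 203.0.113.0/24 stands in for arbitrary Internet hosts.
SAMPLE_PACKETS = [
    dict(iface="wan", src="10.1.2.3",       dst="203.0.113.1",  dport=2222,  state="new"),
    dict(iface="wan", src="192.168.254.7",  dst="203.0.113.1",  dport=80,    state="established"),
    dict(iface="wan", src="203.0.113.9",    dst="203.0.113.1",  dport=2222,  state="new"),
    dict(iface="wan", src="203.0.113.9",    dst="203.0.113.1",  dport=22,    state="new"),
    dict(iface="wan", src="203.0.113.9",    dst="203.0.113.1",  dport=113,   state="new"),
    dict(iface="wan", src="203.0.113.40",   dst="203.0.113.1",  dport=40000, state="established"),
    dict(iface="lan", src="192.168.254.10", dst="203.0.113.50", dport=80,    state="new"),
    dict(iface="lan", src="172.16.5.5",     dst="203.0.113.50", dport=80,    state="new"),
    dict(iface="lan", src="192.168.254.10", dst="203.0.113.66", dport=31337, state="new"),
    dict(iface="lan", src="192.168.254.10", dst="203.0.113.66", dport=31337, state="new"),
]

if __name__ == "__main__":
    results = run_policy(SAMPLE_PACKETS)
    for p, v in results:
        print("%-3s %-15s -> %-13s :%-5d %-11s %s" % (p["iface"], p["src"], p["dst"], p["dport"], p["state"], v))
    for (src, dst, port), n in egress_report(results).items():
        print("egress logged: %s -> %s:%d  x%d" % (src, dst, port, n))
```

The second packet is the reason the anti-spoof rules come first: it carries a forged LAN source and claims to be part of an established connection, and a state-tracking accept rule placed ahead of the bogon check would let it through. The `egress_report` summary is the "log and drop outgoing for a period" check from the post reduced to its signal: which LAN host is trying to reach which remote port, and how often.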

## kerframil

 *Quote:*   

> No, I meant it RE-RE-asks, but I found the problem

Ah, I see ... that's alright then, I saw that post just as I clicked Submit :).

 *Quote:*   

> I did (hoping that netstat is not trojaned itself; tried lsof too, including EST and LIS)

Yeah, that is an issue! Here are my MD5s for netstat/lsof if that's any help (my Gentoo box isn't exposed to the Internet), but isn't it possible that they would differ anyway if made from a Stage 1 install? Couldn't you boot from a CD, and manually overwrite suspected binaries with the ones from the stage3 tarball?

```
1f364e9497453271c015154ade78e96c  /bin/netstat
c63362506be1bef74f7a9b00e8095e2c  /usr/sbin/lsof
```

 *Quote:*   

> I didn't install it yet since it would require me to learn how to write good rules for it (I don't like installing stuff without knowing ;)

That's extremely sensible ... if only everyone thought like that when it comes to security <sigh>!

 *Quote:*   

> I drop all traffic but 113 and 1080, which I reject (for timeouts to IRC servers, etc.)

Cool ... have you seen this? Deals with the identd issue beautifully: http://hangout.de/fakeidentd/ Ebuild available under net-misc/fakeidentd.

----------

## Guest

 *kerframil wrote:*   

> > I did (hoping that netstat is not trojaned itself; tried lsof too, including EST and LIS)
>
> Yeah, that is an issue! Here are my MD5s for netstat/lsof if that's any help (my Gentoo box isn't exposed to the Internet), but isn't it possible that they would differ anyway if made from a Stage 1 install? Couldn't you boot from a CD, and manually overwrite suspected binaries with the ones from the stage3 tarball?
>
> ```
> 1f364e9497453271c015154ade78e96c  /bin/netstat
> c63362506be1bef74f7a9b00e8095e2c  /usr/sbin/lsof
> ```

Assuming my md5sum is clean, my netstat shows the right sum and my lsof does not.

However, I installed netstat from stageXX but I compiled lsof with probably different options, so it should be fine.

Thanks for the idea, I didn't think of it (I'm quite stupid when I fear I'm being haxored ;)

:)

 *Quote:*   

> > I drop all traffic but 113 and 1080, which I reject (for timeouts to IRC servers, etc.)
>
> Cool ... have you seen this? Deals with the identd issue beautifully: http://hangout.de/fakeidentd/ Ebuild available under net-misc/fakeidentd.

Yeah, just checked the source, seems OK (performs checks to prevent overflows :)

Although we never know exactly..

Hm.

I always asked myself if it would be better to run a real identd for security or not.

An ident would allow me to know from which user something has been done to the outside, for example.

Otherwise I prefer rejecting ident instead of replying fake; it's more secure and faster/easier to deal with :)

----------
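The binary comparison discussed in the last two posts (kerframil's suggestion to check suspect binaries against the stage3 tarball from a CD boot, and the aide idea mentioned earlier), as an added example that is not code from the thread: a minimal `md5sum -c` style verifier in Python that builds a reference list from a trusted tree (standing in for the unpacked stage tarball) and checks the live tree against it, which is the core of what an integrity checker like aide does with a larger database. The file names, contents and the two temporary trees are constructed fixtures. Two caveats from the thread apply: the reference hashes must come from the tarball you installed from rather than from another machine, since a locally compiled lsof will legitimately differ, and the tools doing the checking must themselves come from trusted media, since a replaced md5sum will not report its own replacement.

```python
import hashlib
import os
import shutil
import tempfile

# Added example, not code from the thread.  The trees, file names and file
# contents below are constructed fixtures.


def file_digest(path, algo="md5"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root, rel_paths, algo="md5"):
    """Produce md5sum-style lines ('<hash>  <path>') from the trusted tree,
    e.g. the stage3 tarball unpacked on a scratch partition."""
    return "\n".join("%s  %s" % (file_digest(os.path.join(root, p), algo), p)
                     for p in rel_paths)


def parse_manifest(text):
    """Parse md5sum/sha*sum output: '<hex>  <path>' or '<hex> *<path>'
    (binary mode); blank lines and '#' comments are ignored."""
    entries = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        digest, path = ln.split(None, 1)
        entries[path.lstrip("*")] = digest.lower()
    return entries


def verify_tree(root, manifest_text, algo="md5"):
    """Return {path: 'ok' | 'MISMATCH' | 'missing'} for the live tree."""
    results = {}
    for path, expected in parse_manifest(manifest_text).items():
        full = os.path.join(root, path)
        if not os.path.isfile(full):
            results[path] = "missing"
        else:
            results[path] = "ok" if file_digest(full, algo) == expected else "MISMATCH"
    return results


def build_demo_trees():
    """Constructed fixture: a 'trusted' tree standing in for the unpacked
    stage tarball and a 'live' tree in which one binary has been altered
    and one removed.  Contents are placeholders, not real ELF files."""
    trusted = tempfile.mkdtemp(prefix="stage3_")
    live = tempfile.mkdtemp(prefix="live_")
    files = {
        "bin/netstat": b"\x7fELF placeholder netstat",
        "usr/sbin/lsof": b"\x7fELF placeholder lsof",
        "bin/ps": b"\x7fELF placeholder ps",
    }
    for rel, body in files.items():
        for root in (trusted, live):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
    with open(os.path.join(live, "bin/netstat"), "ab") as f:
        f.write(b"\x90\x90 appended payload")       # simulated trojaned binary
    os.remove(os.path.join(live, "bin/ps"))         # simulated deleted binary
    return trusted, live, sorted(files)


def demo():
    trusted, live, paths = build_demo_trees()
    try:
        return verify_tree(live, make_manifest(trusted, paths))
    finally:
        shutil.rmtree(trusted)
        shutil.rmtree(live)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print("%-9s %s" % (status, path))
```

Run from a CD-booted rescue environment with the live root mounted read-only, `verify_tree("/mnt/gentoo", manifest)` gives the same answer `md5sum -c` would, without relying on the mounted system's own binaries. A manifest built on a different machine, or from packages compiled with different USE flags or CFLAGS, will report honest mismatches, which is exactly the lsof case in the thread.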

## kang_

OK, a friend of mine told me he has the same deletions after switching kernel and crashing too.

So I guess I had the same and I'm safe :)

OK, I'd better be paranoid and wipe/reinstall, but hm...

Gentoo takes days to compile here ;)

I think the reason we found was pretty valid :)

BTW, for those who want a good base of security articles, check:

www.nationwide.net/~aleph1/FAQ

It covers all the topics I know (I guess the other ones aren't spread in the wild, if there are any ;)

and covers them well (thanks aleph1 =)

----------

## kerframil

Cheers for that, kang_. I would also recommend the following URLs for any fellow Gentoo users concerned with security. Firstly the networking bookshelf (which features Building Internet Firewalls and Practical UNIX Security among other very nice things ...):

http://tit.irk.ru/

And a guide to IPFilter which is very good. Note to the curious: read it even if you use iptables, because making good firewall rulesets is chiefly about understanding TCP/IP, not getting wrapped up in the actual syntax of the ruleset ;)

http://www.obfuscation.org/ipf/

Oh, and Chuck Semeria's "Understanding IP Addressing" is really good too (well, it's 3Com endorsed so you'd hope so!!!):

http://www.bergen.org/ATC/Course/InfoTech/Coolip/

----------

## kang_

Thanks for that :)

----------

