# Mutant ~/.bashrc

## Cereza

Hello.

The point is that some lines of my .bashrc are changing on their own. I have a cute ASCII bear as the user welcome which, like my prompt, is sometimes deformed. The ~/.bashrc lines are:

```
  if [[ ${EUID} == 0 ]]
  then
    # we are root
    PS1="${top}${RED}(${CYAN}\d, \t${RED})${NC}-${RED}(\u@\H)${NC}-${RED}(${BLUE}\w${RED})${NC}-·\n${bottom}${pink}[\#]${NC}-> # "
  else
    # we are not root
    PS1="${top}${RED}(${CYAN}\d, \t${RED})${NC}-${RED}(${GREEN}\u@\H${RED})${NC}-${RED}(${BLUE}\w${RED})${NC}-·\n${bottom}${pink}[\#]${NC}-> $ "
  fi

# Welcome the user
echo
echo '        (()__(()'
echo '        /       \'
echo '       ( /    \  \'
echo '        \ o o    /'
echo '        (_()_)__/ \'
echo '       / _,==.____ \'
echo '      (   |--|      )'
echo '      /\_.|__|´-.__/\_'
echo '     / (        /     \'
echo '     \  \      (      /'
echo '      )  ´._____)    /'
echo '   (((____.--(((____/'
echo
```

But sometimes I notice the bear and the prompt are deformed; then I look at my ~/.bashrc and I can see it changed by itself! The same lines look like this:

```
  if [[ ${EUID} == 0 ]]
  then
    # we are root
    PS1="${top}${RED}(${CYAN}\d, \t${RED})${NC}-${RED}(\u@\H)${NC}-${RED}(${BLUE}\w${RED})${NC}-ÀÀÀÀÀÀÀÀÀÀÀÀ·\n${bottom}${pink}[\#]${NC}-> # "
  else
    # we are not root
    PS1="${top}${RED}(${CYAN}\d, \t${RED})${NC}-${RED}(${GREEN}\u@\H${RED})${NC}-${RED}(${BLUE}\w${RED})${NC}-ÀÀÀÀÀÀÀÀÀÀÀÀ·\n${bottom}${pink}[\#]${NC}-> $ "
  fi

# Welcome the user
echo
echo '        (()__(()'
echo '        /       \'
echo '       ( /    \  \'
echo '        \ o o    /'
echo '        (_()_)__/ \'
echo '       / _,==.____ \'
echo '      (   |--|      )'
echo '      /\_.|__|ÀÀÀÀÀÀÀÀÀÀÀÀ´-.__/\_'
echo '     / (        /     \'
echo '     \  \      (      /'
echo '      )  ÀÀÀÀÀÀÀÀÀÀÀÀ´._____)    /'
echo '   (((____.--(((____/'
echo
```

Poor bear, he doesn't deserve anything bad from anyone, why him?

OK, let's face it, I know this is not a fatal issue, but I don't understand why my ~/.bashrc is changing on its own.

----------

## ThomasAdam

Aww, cute bear.   :Smile: 

Does it actually render like that changed? 

-- Thomas Adam

----------

## Cereza

Mmmm, I don't understand you very well, my English is a bit poor :/

Do you mean whether the bear and prompt are shown correctly in the terminal even when the .bashrc changes? No, they look deformed in the terminal when the .bashrc is deformed. I took a screenshot: http://img91.imageshack.us/img91/6900/mutantbearim5.jpg

Looks like a car knocked down the bear.

Actually I "solved" it by removing my user's write permission on .bashrc, but I think this is not a clean solution and I still don't understand why .bashrc changes by itself. I think the key is the characters "´" and "·" next to the deformation; the deformed characters always appear there.

Last edited by Cereza on Thu Nov 22, 2007 7:41 pm; edited 1 time in total

----------

## platojones

It's pretty obvious that some application is writing to your .bashrc.  I'm not sure what would do that as it seems like a very bad idea (and it may have serious security implications).  In other words, nothing should be writing to your .bashrc and if it is, it is probably bad.  I think you may want to emerge chkrootkit or some other rootkit detection utility to ensure that your box has not been compromised.
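One way to catch this kind of change and to see exactly what was written, as an added example that is not code from this thread and not part of chkrootkit or rkhunter: keep a baseline of the start-up files' digests, plus a known-good copy, somewhere the affected account cannot write, and diff the raw bytes whenever a digest moves. The list of watched files and the baseline layout are assumptions made for the example.

```python
"""Baseline-and-diff check for shell start-up files.

Added example for this thread, not code from any poster and not part of
chkrootkit or rkhunter. It assumes the baseline JSON and the known-good copies
are written somewhere the suspect account cannot modify (a root-owned directory
or removable media); a baseline kept in the same writable home proves nothing.
"""
import difflib
import hashlib
import json
import os
import sys

# Start-up files worth watching; a constructed list, extend as needed.
DEFAULT_TARGETS = [".bashrc", ".bash_profile", ".profile", ".bash_logout"]


def file_digest(path):
    """SHA-256 over raw bytes: the corruption in the thread is byte-level, so never decode."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Digest, size, mtime and mode for every path that exists."""
    out = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            out[p] = {"sha256": file_digest(p), "size": st.st_size,
                      "mtime": st.st_mtime, "mode": st.st_mode}
    return out


def compare(baseline, current):
    """Classify paths as changed (digest differs), missing (baseline only) or new (current only)."""
    changed = [p for p in baseline if p in current
               and baseline[p]["sha256"] != current[p]["sha256"]]
    missing = [p for p in baseline if p not in current]
    new = [p for p in current if p not in baseline]
    return {"changed": changed, "missing": missing, "new": new}


def byte_changes(old, new):
    """Byte-level edits turning `old` into `new`: one dict per edit with the offset in
    `old`, the bytes removed there and the bytes inserted. Working on bytes means a run
    of 0xC0 inserted in front of a 0xB7 is reported as exactly that, not as mojibake."""
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [{"offset": i1, "deleted": old[i1:i2], "inserted": new[j1:j2]}
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def describe(change):
    """One readable line per edit; hex so that nothing depends on terminal encoding."""
    return "offset %d: -%s +%s" % (change["offset"],
                                   change["deleted"].hex() or "(none)",
                                   change["inserted"].hex() or "(none)")


def copy_name(baseline_path, target):
    """Where the known-good copy of `target` is kept, next to the baseline JSON."""
    return baseline_path + "." + os.path.basename(target).lstrip(".")


def main(argv):
    if len(argv) != 3 or argv[1] not in ("init", "check"):
        print("usage: %s init|check BASELINE.json" % argv[0])
        return 2
    mode, baseline_path = argv[1], argv[2]
    home = os.path.expanduser("~")
    targets = [os.path.join(home, t) for t in DEFAULT_TARGETS]
    if mode == "init":
        snap = snapshot(targets)
        with open(baseline_path, "w") as fh:
            json.dump(snap, fh, indent=1)
        for p in snap:  # keep known-good bytes so `check` can show what was inserted
            with open(p, "rb") as src, open(copy_name(baseline_path, p), "wb") as dst:
                dst.write(src.read())
        return 0
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    result = compare(baseline, snapshot(targets))
    for p in result["changed"]:
        print("CHANGED:", p)
        with open(copy_name(baseline_path, p), "rb") as fh:
            old = fh.read()
        with open(p, "rb") as fh:
            new = fh.read()
        for ch in byte_changes(old, new):
            print("  " + describe(ch))
    for p in result["missing"]:
        print("MISSING:", p)
    for p in result["new"]:
        print("NEW:", p)
    return 1 if any(result.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `init` once from a state you trust (ideally right after a fresh install) and `check` from cron or at login. The byte-level diff is the useful part here: if the file is Latin-1 encoded, as the rendered characters suggest, the corruption in the thread is a run of 0xC0 bytes inserted in front of 0xB4 and 0xB7, and hex output shows that as is instead of whatever the terminal makes of it. A baseline the intruder can rewrite proves nothing, which is also why integrity tools such as AIDE keep their database off the monitored host.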

----------

## Cereza

*platojones wrote:*

> It's pretty obvious that some application is writing to your .bashrc.  I'm not sure what would do that as it seems like a very bad idea (and it may have serious security implications).  In other words, nothing should be writing to your .bashrc and if it is, it is probably bad.  I think you may want to emerge chkrootkit or some other rootkit detection utility to ensure that your box has not been compromised.

Thank you for the answer, I didn't know about rootkits. I tried it:

```
# chkrootkit 

ROOTDIR is `/'

Checking `amd'... not found

Checking `basename'... not infected

Checking `biff'... not found

Checking `chfn'... not infected

Checking `chsh'... not infected

Checking `cron'... not infected

Checking `crontab'... not infected

Checking `date'... not infected

Checking `du'... not infected

Checking `dirname'... not infected

Checking `echo'... not infected

Checking `egrep'... not infected

Checking `env'... not infected

Checking `find'... not infected

Checking `fingerd'... not found

Checking `gpm'... not infected

Checking `grep'... not infected

Checking `hdparm'... not infected

Checking `su'... not infected

Checking `ifconfig'... not infected

Checking `inetd'... not tested

Checking `inetdconf'... not found

Checking `identd'... not found

Checking `init'... not infected

Checking `killall'... not infected

Checking `ldsopreload'... not infected

Checking `login'... not infected

Checking `ls'... not infected

Checking `lsof'... not found

Checking `mail'... not found

Checking `mingetty'... not found

Checking `netstat'... not infected

Checking `named'... not found

Checking `passwd'... not infected

Checking `pidof'... not infected

Checking `pop2'... not found

Checking `pop3'... not found

Checking `ps'... not infected

Checking `pstree'... not infected

Checking `rpcinfo'... not infected

Checking `rlogind'... not found

Checking `rshd'... not found

Checking `slogin'... not infected

Checking `sendmail'... not infected

Checking `sshd'... not infected

Checking `syslogd'... not infected

Checking `tar'... not infected

Checking `tcpd'... not infected

Checking `tcpdump'... not infected

Checking `top'... not infected

Checking `telnetd'... not found

Checking `timed'... not found

Checking `traceroute'... not found

Checking `vdir'... not infected

Checking `w'... not infected

Checking `write'... not infected

Checking `aliens'... no suspect files

Searching for sniffer's logs, it may take a while... nothing found

Searching for HiDrootkit's default dir... nothing found

Searching for t0rn's default files and dirs... nothing found

Searching for t0rn's v8 defaults... nothing found

Searching for Lion Worm default files and dirs... nothing found

Searching for RSHA's default files and dir... nothing found

Searching for RH-Sharpe's default files... nothing found

Searching for Ambient's rootkit (ark) default files and dirs... nothing found

Searching for suspicious files and dirs, it may take a while... nothing found

Searching for LPD Worm files and dirs... nothing found

Searching for Ramen Worm files and dirs... nothing found

Searching for Maniac files and dirs... nothing found

Searching for RK17 files and dirs... nothing found

Searching for Ducoci rootkit... nothing found

Searching for Adore Worm... nothing found

Searching for ShitC Worm... nothing found

Searching for Omega Worm... nothing found

Searching for Sadmind/IIS Worm... nothing found

Searching for MonKit... nothing found

Searching for Showtee... nothing found

Searching for OpticKit... nothing found

Searching for T.R.K... nothing found

Searching for Mithra... nothing found

Searching for OBSD rk v1... nothing found

Searching for LOC rootkit... nothing found

Searching for Romanian rootkit... nothing found

Searching for Suckit rootkit... nothing found

Searching for Volc rootkit... nothing found

Searching for Gold2 rootkit... nothing found

Searching for TC2 Worm default files and dirs... nothing found

Searching for Anonoying rootkit default files and dirs... nothing found

Searching for ZK rootkit default files and dirs... nothing found

Searching for ShKit rootkit default files and dirs... nothing found

Searching for AjaKit rootkit default files and dirs... nothing found

Searching for zaRwT rootkit default files and dirs... nothing found

Searching for Madalin rootkit default files... nothing found

Searching for Fu rootkit default files... nothing found

Searching for ESRK rootkit default files... nothing found

Searching for rootedoor... nothing found

Searching for ENYELKM rootkit default files... nothing found

Searching for anomalies in shell history files... nothing found

Checking `asp'... not infected

Checking `bindshell'... not infected

Checking `lkm'... You have     1 process hidden for readdir command

You have     1 process hidden for ps command

chkproc: Warning: Possible LKM Trojan installed

Checking `rexedcs'... not found

Checking `sniffer'... /proc/4023/fd: No such file or directory

ppp0: PF_PACKET(/usr/bin/jnettop)

Checking `w55808'... not infected

Checking `wted'... chkwtmp: nothing deleted

Checking `scalper'... not infected

Checking `slapper'... not infected

Checking `z2'... chklastlog: nothing deleted

Checking `chkutmp'...  The tty of the following user process(es) were not found

 in /var/run/utmp !

! RUID          PID TTY    CMD

! 500         12928 pts/1  htop

! 500         13027 pts/3  screen -c /home/pelusilla/.fvwm/app-config-files/screenrc-pelusilla -D -RR

! 500         18817 tty7   X :0 -nolisten tcp -br -auth /home/pelusilla/.serverauth.18797 -deferglyphs 16

! 500         18862 pts/0  /usr/bin/python /usr/bin/mtail -n 2 -f --remove-blanks /var/log/messages /var/log/apache2/access_log logs/fvwm.log

! root        18864 pts/2  jnettop -i ppp0

chkutmp: nothing deleted
```

But everything looks fine, except:

```
Checking `lkm'... You have     1 process hidden for readdir command
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
```

Edit: In a second test I didn't get that warning.

----------

## platojones

```
Checking `lkm'... You have     1 process hidden for readdir command
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
```

OK, that is another indicator that something is wrong.  Now you have 2 pieces of evidence that indicate that someone has illegal access to your box.  I would advise that you install another rootkit detection utility, like rkhunter, and run it to see if it finds anything.  If it does, I would say your best alternative is to do a complete re-install.  Then, do not connect to the internet again until you have a good firewall in place.  Again, I know of no legitimate application that modifies an existing .bashrc file.  If someone does have root access, they can do terrible things to your computer and you.  Unless proven otherwise, I would advise you to treat this machine as if it were controlled by someone else and not do anything you would fear exposing to a criminal.

If this turns out to be the case (and I suspect it will), it's fascinating.  You will have detected an illegal intrusion on your machine with a piece of ASCII art   :Very Happy: 

Let us know what you find.

Best Wishes.

----------

## Cereza

*platojones wrote:*

> ```
> Checking `lkm'... You have     1 process hidden for readdir command
> ...

Wow, you are scaring me :S

Thank you again, I tried rkhunter and I got the following:

```
# rkhunter -c

Rootkit Hunter 1.2.9 is running

Determining OS... Unknown

Warning: This operating system is not fully supported!

All MD5 checks will be skipped!

Checking binaries

* Selftests

     Strings (command)                                        [ OK ]

* System tools

     Skipped!

Check rootkits

* Default files and directories

   Rootkit '55808 Trojan - Variant A'...                      [ OK ]

   ADM Worm...                                                [ OK ]

   Rootkit 'AjaKit'...                                        [ OK ]

   Rootkit 'aPa Kit'...                                       [ OK ]

   Rootkit 'Apache Worm'...                                   [ OK ]

   Rootkit 'Ambient (ark) Rootkit'...                         [ OK ]

   Rootkit 'Balaur Rootkit'...                                [ OK ]

   Rootkit 'BeastKit'...                                      [ OK ]

   Rootkit 'beX2'...                                          [ OK ]

   Rootkit 'BOBKit'...                                        [ OK ]

   Rootkit 'CiNIK Worm (Slapper.B variant)'...                [ OK ]

   Rootkit 'Danny-Boy's Abuse Kit'...                         [ OK ]

   Rootkit 'Devil RootKit'...                                 [ OK ]

   Rootkit 'Dica'...                                          [ OK ]

   Rootkit 'Dreams Rootkit'...                                [ OK ]

   Rootkit 'Duarawkz'...                                      [ OK ]

   Rootkit 'Flea Linux Rootkit'...                            [ OK ]

   Rootkit 'FreeBSD Rootkit'...                               [ OK ]

   Rootkit 'Fuck`it Rootkit'...                               [ OK ]

   Rootkit 'GasKit'...                                        [ OK ]

   Rootkit 'Heroin LKM'...                                    [ OK ]

   Rootkit 'HjC Kit'...                                       [ OK ]

   Rootkit 'ignoKit'...                                       [ OK ]

   Rootkit 'ImperalsS-FBRK'...                                [ OK ]

   Rootkit 'Irix Rootkit'...                                  [ OK ]

   Rootkit 'Kitko'...                                         [ OK ]

   Rootkit 'Knark'...                                         [ OK ]

   Rootkit 'Li0n Worm'...                                     [ OK ]

   Rootkit 'Lockit / LJK2'...                                 [ OK ]

   Rootkit 'MRK'...                                           [ OK ]

   Rootkit 'Ni0 Rootkit'...                                   [ OK ]

   Rootkit 'RootKit for SunOS / NSDAP'...                     [ OK ]

   Rootkit 'Optic Kit (Tux)'...                               [ OK ]

   Rootkit 'Oz Rootkit'...                                    [ OK ]

   Rootkit 'Portacelo'...                                     [ OK ]

   Rootkit 'R3dstorm Toolkit'...                              [ OK ]

   Rootkit 'RH-Sharpe's rootkit'...                           [ OK ]

   Rootkit 'RSHA's rootkit'...                                [ OK ]

   Sebek LKM...                                               [ OK ]

   Rootkit 'Scalper Worm'...                                  [ OK ]

   Rootkit 'Shutdown'...                                      [ OK ]

   Rootkit 'SHV4'...                                          [ OK ]

   Rootkit 'SHV5'...                                          [ OK ]

   Rootkit 'Sin Rootkit'...                                   [ OK ]

   Rootkit 'Slapper'...                                       [ OK ]

   Rootkit 'Sneakin Rootkit'...                               [ OK ]

   Rootkit 'Suckit Rootkit'...                                [ OK ]

   Rootkit 'SunOS Rootkit'...                                 [ OK ]

   Rootkit 'Superkit'...                                      [ OK ]

   Rootkit 'TBD (Telnet BackDoor)'...                         [ OK ]

   Rootkit 'TeLeKiT'...                                       [ OK ]

   Rootkit 'T0rn Rootkit'...                                  [ OK ]

   Rootkit 'Trojanit Kit'...                                  [ OK ]

   Rootkit 'Tuxtendo'...                                      [ OK ]

   Rootkit 'URK'...                                           [ OK ]

   Rootkit 'VcKit'...                                         [ OK ]

   Rootkit 'Volc Rootkit'...                                  [ OK ]

   Rootkit 'X-Org SunOS Rootkit'...                           [ OK ]

   Rootkit 'zaRwT.KiT Rootkit'...                             [ OK ]

* Suspicious files and malware

   Scanning for known rootkit strings                         [ OK ]

   Scanning for known rootkit files                           [ OK ]

   Testing running processes...                               [ OK ]

   Miscellaneous Login backdoors                              [ OK ]

   Miscellaneous directories                                  [ OK ]

   Software related files                                     [ OK ]

   Sniffer logs                                               [ OK ]

[Press <ENTER> to continue]

* Trojan specific characteristics

   shv4

     Checking /etc/rc.d/rc.sysinit                            [ Not found ]

     Checking /etc/inetd.conf                                 [ Not found ]

     Checking /etc/xinetd.conf                                [ Skipped ]

* Suspicious file properties

   chmod properties

     Checking /bin/ps                                         [ Clean ]

     Checking /bin/ls                                         [ Clean ]

     Checking /usr/bin/w                                      [ Clean ]

     Checking /usr/bin/who                                    [ Clean ]

     Checking /bin/netstat                                    [ Clean ]

     Checking /bin/login                                      [ Clean ]

   Script replacements

     Checking /bin/ps                                         [ Clean ]

     Checking /bin/ls                                         [ Clean ]

     Checking /usr/bin/w                                      [ Clean ]

     Checking /usr/bin/who                                    [ Clean ]

     Checking /bin/netstat                                    [ Clean ]

     Checking /bin/login                                      [ Clean ]

* OS dependant tests

   Linux

     Checking loaded kernel modules...                        [ OK ]

     Checking file attributes                                 [ OK ]

     Checking LKM module path                                 [ OK ]

Networking

* Check: frequently used backdoors

  Port 2001: Scalper Rootkit                                  [ OK ]

  Port 2006: CB Rootkit                                       [ OK ]

  Port 2128: MRK                                              [ OK ]

  Port 14856: Optic Kit (Tux)                                 [ OK ]

  Port 47107: T0rn Rootkit                                    [ OK ]

  Port 60922: zaRwT.KiT                                       [ OK ]

* Interfaces

     Scanning for promiscuous interfaces...                   [ OK ]

[Press <ENTER> to continue]

System checks

* Allround tests

   Checking hostname... Found. Hostname is localhost

   Checking for passwordless user accounts... OK

   Checking for differences in user accounts...                    [ NA ]

   Checking for differences in user groups... Creating file It seems this is your first time.

   Checking boot.local/rc.local file... 

     - /etc/rc.local                                          [ Not found ]

     - /etc/rc.d/rc.local                                     [ Not found ]

     - /usr/local/etc/rc.local                                [ Not found ]

     - /usr/local/etc/rc.d/rc.local                           [ Not found ]

     - /etc/conf.d/local.start                                [ OK ]

     - /etc/init.d/boot.local                                 [ Not found ]

   Checking rc.d files...                                     [ Not found ]

   Checking Gentoo local.start file...                        [ OK ]

   Checking history files

     Bourne Shell                                             [ OK ]

* Filesystem checks

   Checking /dev for suspicious files...                      [ OK ]

   Scanning for hidden files...                               [ OK ]

[Press <ENTER> to continue]

Application advisories

* Application scan

   Checking Apache2 modules ...                               [ Not found ]

   Checking Apache configuration ...                          [ OK ]

* Application version scan

   - GnuPG 2.0.7                                              [ Unknown ]

   - OpenSSL 0.9.8e                                           [ Unknown ]

   - OpenSSH 4.7p1                                            [ Unknown ]

Your system contains some unknown version numbers. Please run Rootkit Hunter

with the --update parameter or contact us through the Rootkit Hunter mailinglist

at rkhunter-users@lists.sourceforge.net.

Security advisories

* Check: Groups and Accounts

   Searching for /etc/passwd...                               [ Found ]

   Checking users with UID '0' (root)...                      [ OK ]

* Check: SSH

   Searching for sshd_config... 

   Found /etc/ssh/sshd_config

   Checking for allowed root login... Watch out Root login possible. Possible risk!

    info: No 'PermitRootLogin' entry found in file /etc/ssh/sshd_config

    Hint: See logfile for more information about this issue

   Checking for allowed protocols...                          [ OK (Only SSH2 allowed) ]

* Check: Events and Logging

   Search for syslog configuration...                         [ OK ]

   Checking for running syslog slave...                       [ OK ]

   Checking for logging to remote system...                   [ OK (no remote logging) ]

[Press <ENTER> to continue]

---------------------------- Scan results ----------------------------

MD5 scan

Skipped

File scan

Scanned files: 342

Possible infected files: 0

Application scan

Vulnerable applications: 0

Scanning took 116 seconds

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas

or suggestions? Please e-mail us through the Rootkit Hunter mailinglist

at rkhunter-users@lists.sourceforge.net.

-----------------------------------------------------------------------
```

Everything seems OK. A third chkrootkit:

```
# chkrootkit 

ROOTDIR is `/'

Checking `amd'... not found

Checking `basename'... not infected

Checking `biff'... not found

Checking `chfn'... not infected

Checking `chsh'... not infected

Checking `cron'... not infected

Checking `crontab'... not infected

Checking `date'... not infected

Checking `du'... not infected

Checking `dirname'... not infected

Checking `echo'... not infected

Checking `egrep'... not infected

Checking `env'... not infected

Checking `find'... not infected

Checking `fingerd'... not found

Checking `gpm'... not infected

Checking `grep'... not infected

Checking `hdparm'... not infected

Checking `su'... not infected

Checking `ifconfig'... not infected

Checking `inetd'... not tested

Checking `inetdconf'... not found

Checking `identd'... not found

Checking `init'... not infected

Checking `killall'... not infected

Checking `ldsopreload'... not infected

Checking `login'... not infected

Checking `ls'... not infected

Checking `lsof'... not infected

Checking `mail'... not found

Checking `mingetty'... not found

Checking `netstat'... not infected

Checking `named'... not found

Checking `passwd'... not infected

Checking `pidof'... not infected

Checking `pop2'... not found

Checking `pop3'... not found

Checking `ps'... not infected

Checking `pstree'... not infected

Checking `rpcinfo'... not infected

Checking `rlogind'... not found

Checking `rshd'... not found

Checking `slogin'... not infected

Checking `sendmail'... not infected

Checking `sshd'... not infected

Checking `syslogd'... not infected

Checking `tar'... not infected

Checking `tcpd'... not infected

Checking `tcpdump'... not infected

Checking `top'... not infected

Checking `telnetd'... not found

Checking `timed'... not found

Checking `traceroute'... not found

Checking `vdir'... not infected

Checking `w'... not infected

Checking `write'... not infected

Checking `aliens'... no suspect files

Searching for sniffer's logs, it may take a while... nothing found

Searching for HiDrootkit's default dir... nothing found

Searching for t0rn's default files and dirs... nothing found

Searching for t0rn's v8 defaults... nothing found

Searching for Lion Worm default files and dirs... nothing found

Searching for RSHA's default files and dir... nothing found

Searching for RH-Sharpe's default files... nothing found

Searching for Ambient's rootkit (ark) default files and dirs... nothing found

Searching for suspicious files and dirs, it may take a while... nothing found

Searching for LPD Worm files and dirs... nothing found

Searching for Ramen Worm files and dirs... nothing found

Searching for Maniac files and dirs... nothing found

Searching for RK17 files and dirs... nothing found

Searching for Ducoci rootkit... nothing found

Searching for Adore Worm... nothing found

Searching for ShitC Worm... nothing found

Searching for Omega Worm... nothing found

Searching for Sadmind/IIS Worm... nothing found

Searching for MonKit... nothing found

Searching for Showtee... nothing found

Searching for OpticKit... nothing found

Searching for T.R.K... nothing found

Searching for Mithra... nothing found

Searching for OBSD rk v1... nothing found

Searching for LOC rootkit... nothing found

Searching for Romanian rootkit... nothing found

Searching for Suckit rootkit... nothing found

Searching for Volc rootkit... nothing found

Searching for Gold2 rootkit... nothing found

Searching for TC2 Worm default files and dirs... nothing found

Searching for Anonoying rootkit default files and dirs... nothing found

Searching for ZK rootkit default files and dirs... nothing found

Searching for ShKit rootkit default files and dirs... nothing found

Searching for AjaKit rootkit default files and dirs... nothing found

Searching for zaRwT rootkit default files and dirs... nothing found

Searching for Madalin rootkit default files... nothing found

Searching for Fu rootkit default files... nothing found

Searching for ESRK rootkit default files... nothing found

Searching for rootedoor... nothing found

Searching for ENYELKM rootkit default files... nothing found

Searching for anomalies in shell history files... nothing found

Checking `asp'... not infected

Checking `bindshell'... not infected

Checking `lkm'... chkproc: nothing detected

Checking `rexedcs'... not found

Checking `sniffer'... ppp0: PF_PACKET(/usr/bin/jnettop)

Checking `w55808'... not infected

Checking `wted'... chkwtmp: nothing deleted

Checking `scalper'... not infected

Checking `slapper'... not infected

Checking `z2'... chklastlog: nothing deleted

Checking `chkutmp'...  The tty of the following user process(es) were not found

 in /var/run/utmp !

! RUID          PID TTY    CMD

! 500         12928 pts/1  htop

! 500         13027 pts/3  screen -c /home/pelusilla/.fvwm/app-config-files/screenrc-pelusilla -D -RR

! 500         18817 tty7   X :0 -nolisten tcp -br -auth /home/pelusilla/.serverauth.18797 -deferglyphs 16

! 500         18862 pts/0  /usr/bin/python /usr/bin/mtail -n 2 -f --remove-blanks /var/log/messages /var/log/apache2/access_log logs/fvwm.log

! root        18864 pts/2  jnettop -i ppp0

chkutmp: nothing deleted
```

It doesn't show any problem (same as the second time). I was googling and found the following on this forum:

http://www.linuxquestions.org/questions/linux-security-4/possible-lkm-trojan-install-kernel-2.6.0-127748/

*Quote:*

> Checking `lkm'... You have 6 process hidden for readdir command
> 
> This message comes from the chkproc binary.
> 
> ```
> ...

I don't know what to think.

Edit: I still think it could be something related to the characters "´" and "·"; the deformed characters always appear before them.

I believe I am using a secure firewall configuration:

```
# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     tcp  --  213.4.149.12         0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8010

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/16

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

But if anyone knows how to improve it and wants to share, I will be thankful. :)

Last edited by Cereza on Fri Nov 23, 2007 12:40 am; edited 1 time in total
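The chkproc warning that appeared once and then went away is worth understanding rather than dismissing. As an added example, not chkrootkit's code and not from any poster, here is the same comparison chkproc makes, with two filters that remove the benign causes: threads, which answer kill() but are deliberately absent from a readdir of /proc, and processes that exited between the two scans. A PID that a kernel module really hides survives both filters. The number of confirmation rounds is an assumption.

```python
"""Hidden-process check in the style of chkrootkit's chkproc, with a re-check step.

Added example, not chkrootkit's own code and not from any poster. chkproc reports
a PID as hidden when kill(pid, 0) says it exists but a readdir of /proc (or ps,
which also reads /proc) does not list it. Those views are taken one after another,
so a process that exits in between looks "hidden" once and is gone on the next run,
exactly the on/off pattern in the thread. A PID that an LKM really filters out of
readdir stays missing on every re-check, so confirming candidates separates the two.
"""
import os


def pids_from_readdir():
    """What `ls /proc` sees: the view a rootkit hooking getdents() can filter."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pid_alive(pid):
    """kill(pid, 0) sends no signal but reports whether the PID exists.
    ESRCH means no such process; EPERM means it exists but belongs to someone else."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def pids_from_kill_probe(max_pid):
    """Brute-force view of the process table that never goes through /proc."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}


def hidden_candidates(probe, readdir):
    """chkproc's raw result: alive according to kill() but absent from readdir."""
    return set(probe) - set(readdir)


def is_thread(pid):
    """True when /proc/<pid>/status says this PID is a non-leader thread (Tgid != Pid).
    Threads answer kill(tid, 0) but are intentionally not listed by readdir of /proc,
    so they are the commonest benign source of a 'hidden process' report. A PID whose
    status file cannot even be opened is left as a candidate."""
    try:
        with open("/proc/%d/status" % pid) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def confirm_hidden(candidates, readdir_fn, alive_fn, rounds=3):
    """Keep only PIDs that are alive AND missing from readdir in every one of `rounds`
    fresh looks. A process that merely exited between the original scans fails the
    alive check; one that merely started late now shows up in readdir."""
    confirmed = set(candidates)
    for _ in range(rounds):
        if not confirmed:
            break
        readdir = readdir_fn()
        confirmed = {p for p in confirmed if alive_fn(p) and p not in readdir}
    return confirmed


def scan(rounds=3):
    """Full run against the live system; returns the set of confirmed hidden PIDs."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    raw = hidden_candidates(pids_from_kill_probe(max_pid), pids_from_readdir())
    raw = {p for p in raw if not is_thread(p)}
    return confirm_hidden(raw, pids_from_readdir, pid_alive, rounds)


if __name__ == "__main__":
    hidden = scan()
    if hidden:
        print("PIDs alive but consistently absent from /proc readdir:", sorted(hidden))
    else:
        print("no hidden processes after re-check")
```

`scan()` probes every PID up to pid_max, which is 4194304 on current kernels and takes several seconds from Python; the default on the 2.6 kernels of the thread's era was 32768. Run it as root so EPERM does not mask anything, and treat a confirmed PID as the real signal chkproc hints at: inspect /proc/<pid>/ directly by name, since only the directory listing is being filtered.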

----------

## platojones

*Cereza wrote:*

> Wow, you are scaring me :S

Well, I'm not trying to scare you, but I do believe you have reason to be extremely concerned.  I have never seen a case where a program modifies .bashrc.  There is really no good legitimate reason for it.  I do not know what your setup is (i.e., what if any firewall protection you have, what applications you are running, whether you have ever connected to the internet without a good firewall in place, etc.), but I would seriously take the worst-case scenario into consideration.  I mean, you have to weigh the potential downside here, but if you need more information, please do a search on these forums by simply searching for the word 'rootkit'.  You will get an eyeful, and some very good tips on how to deal with it.  Paranoia is a virtue when dealing with the internet.  I still think you have an intruder.  Try running the command 'last' and look at the third column to see if there are any FQDNs or IP addresses that you do not recognize.  If so, that's another piece of evidence.

----------

## platojones

BTW, there is one other possibility that I didn't consider earlier.  Your hard disk may be corrupted to some extent.  Have you run fsck on it lately?

----------

## Cereza

*platojones wrote:*

> BTW, there is one other possibility that I didn't consider earlier.  Your hard disk may be corrupted to some extent.  Have you run fsck on it lately?

I check the partitions often at boot, but I tried fsck from a live CD anyway; it corrected some problems, but the home partition where .bashrc lives was clean.

I just noticed lots of weird .exe files invading my home directory... A piece of `slocate *.exe`:

```
/home/pelusilla/doc/linux/ssjbjewb.exe
/home/pelusilla/doc/linux/jvtjjssn.exe
/home/pelusilla/doc/linux/rrvtkstq.exe
/home/pelusilla/doc/linux/rwjwbbst.exe
/home/pelusilla/doc/linux/vththhrh.exe
/home/pelusilla/doc/linux/bejblecb.exe
/home/pelusilla/doc/linux/kjjblbhh.exe
/home/pelusilla/doc/linux/stwzzjeb.exe
/home/pelusilla/doc/linux/HOWTO_Castellanizar_Gentoo_files/qjvjtqzk.exe
/home/pelusilla/doc/linux/HOWTO_Castellanizar_Gentoo_files/kzhhqqee.exe
/home/pelusilla/doc/linux/btrkhrne.exe
/home/pelusilla/doc/linux/lrjtcrjk.exe
/home/pelusilla/doc/linux/xxbbeeje.exe
/home/pelusilla/doc/linux/zbnkenjs.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/klbsntzh.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/ttbkkkxv.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/ltezweek.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/whlksklz.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/bskzrrhs.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/rkhlshrb.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/wscjvhrs.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/slnscbnr.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/tnkbtnce.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/lshbclhc.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/blcnnvlz.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/jzvwrsez.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/xrvbhbtz.exe
/home/pelusilla/opt/ktamaga-0.7.2/ktamaga/doc/en/bsstnqlt.exe
```

O__O I have no idea how they appeared, this looks soooooo strange, looks like I have a broken system :P

Edit: Well, I know now I must do a new install, but the point is I felt my iptables configuration was secure, so before making a new installation I have to study how to secure my box...

```
# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     tcp  --  213.4.149.12         0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8010

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/16

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

----------

## platojones

> Edit: Well I know now I must make a new install but the point is I felt my iptables configuration was secure, so before making a new installation I have to study how to secure my box...

 

Yes, you have definitely been taken over, I'm afraid.  I, long ago, bought a commercial hardware firewall (linux based) because I have two boxes and never really trusted myself to get it 100% right.  Fortunately, there are several good, free linux firewalls available to you in Gentoo Portage.  The last one I used was shorewall, but there are probably better ones out there by now.  I would recommend you look at using one of those instead of trying to create a custom iptables firewall (unless you are quite confident in your tcp/ip and linux iptables skills).

----------

## Hu

Those iptables rules look wrong.  Specifically, the second to last rule on the INPUT chain appears to allow far too much.  This may be OK, since you are not showing all criteria.  In the future, I recommend using iptables-save -c to list the contents of your iptables rules.  It shows all tables, shows packet counters, and shows all conditions.  Also, the output is machine readable, so other users can analyze it more easily.

I suggest you use the enclosed script as a starting point, and modify it as needed to poke specific holes for the services you intend to allow.  It is designed to provide a simple and safe filter for a workstation.  Ultimately, you may be better served by a more user friendly firewall, but this should protect you until you have time to configure and activate your firewall front end of choice.

```
#!/bin/bash

WAN_IFACE='eth0'
LAN_IFACE='eth1'
IPTABLES='/sbin/iptables'

# Silently discard incoming traffic which does not match any rule.
${IPTABLES} -P INPUT DROP
# Silently refuse to forward traffic which does not match any rule.
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

# Flush the tables.
for table in $(< /proc/net/ip_tables_names ) ; do
   ${IPTABLES} -t "${table}" -F
   ${IPTABLES} -t "${table}" -X
done

# Reset all the chains to a known policy.
if grep -q nat /proc/net/ip_tables_names ; then
   for chain in PREROUTING POSTROUTING OUTPUT; do
      ${IPTABLES} -t nat -P "${chain}" ACCEPT
   done
fi
if grep -q mangle /proc/net/ip_tables_names ; then
   for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
      ${IPTABLES} -t mangle -P "${chain}" ACCEPT
   done
fi

# Accept loopback traffic.  Necessary to keep IP-over-localhost working.
# *** Do not remove unless you know _EXACTLY_ what you are doing. ***
${IPTABLES} -A INPUT -i lo -j ACCEPT

# Accept traffic from connections which already existed.  Without any
# rules to permit incoming connections, this rule requires that this
# machine initiate all connections.
# Requires NETFILTER_XT_STATE_MATCH
${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# LAN users have unrestricted access to services on this machine.
#${IPTABLES} -A INPUT -i "${LAN_IFACE}" -j ACCEPT

# Log any traffic which gets here, but use a limit modifier so that the
# logs do not fill with every single incoming dropped packet.  This is a
# non-terminating target, so traffic which matches it will continue on.
${IPTABLES} -A INPUT -m limit -j LOG --log-tcp-options --log-ip-options

# If you are serving as a gateway for other hosts, uncomment the FORWARD
# and POSTROUTING rules.
#${IPTABLES} -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN users have unrestricted access outbound.
#${IPTABLES} -A FORWARD -i "${LAN_IFACE}" -j ACCEPT
# Traffic sent to the WAN should be masqueraded so that private range IP
# addresses are not sent to the public Internet.
#${IPTABLES} -t nat -A POSTROUTING -o "${WAN_IFACE}" -j MASQUERADE

exit 0

# Optional features (comment out the exit to run them)

# Accept incoming connections to TCP port 12345.  This is needed if you
# want to run a TCP server on port 12345 and have someone connect to it.
${IPTABLES} -A INPUT -p tcp -m tcp --dport 12345 -j ACCEPT

# Accept incoming packets on UDP port 12345.  This is needed if you
# want to run a UDP server on port 12345 and have someone connect to it.
${IPTABLES} -A INPUT -p udp -m udp --dport 12345 -j ACCEPT
```
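The over-broad rule Hu points out above is easy to miss in an `iptables -nL` listing. The following is an added example, not code from the thread: it parses the `iptables-save` rule format (`-A CHAIN <matches> -j TARGET`) and flags any ACCEPT rule on INPUT that carries no narrowing match at all. The sample ruleset is constructed to mirror Cereza's listing in save format.

```python
"""Flag over-broad INPUT ACCEPT rules in `iptables-save` output (added example, not from the thread)."""
import shlex
# Matches that narrow a rule; `-m <module>` alone narrows nothing, its options do.
NARROWING = {"-i", "-s", "-d", "-p", "--dport", "--sport", "--state", "--ctstate", "--limit"}
ANY = {"0.0.0.0/0", "::/0"}  # a wildcard address does not narrow a rule either
# Constructed sample mirroring the thread's `iptables -nL` listing in save format.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 213.4.149.12/32 -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Return (chain, target, {option: value}) for an `-A` line, else None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    chain, target, opts, i = toks[1], None, {}, 2
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("-"):   # `!` negation marker or stray value
            i += 1
            continue
        # An option's value is the next token unless that is itself an option.
        val = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else ""
        if tok == "-j":
            target = val
        else:
            opts[tok] = val
        i += 2 if val else 1
    return chain, target, opts

def is_narrowed(opts):
    """True if at least one match limits the rule to less than all traffic."""
    return any(o in NARROWING and v not in ANY for o, v in opts.items())

def audit(save_text):
    """Return [(line_no, rule)] for INPUT ACCEPT rules that match all traffic."""
    findings = []
    for n, line in enumerate(save_text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed and parsed[0] == "INPUT" and parsed[1] == "ACCEPT" and not is_narrowed(parsed[2]):
            findings.append((n, line.strip()))
    return findings
```

Run `audit(open("/path/to/iptables-save-output").read())` on a real dump to get the offending lines; on the sample it reports only the bare `-A INPUT -j ACCEPT` rule.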

----------

## mark_alec

Moved from Other Things Gentoo to Networking & Security.

----------

## Cereza

Thank you all. 

Finally I made a new installation, but I still think the issue was about the special characters and not about a security fail/intrusion; now I placed "." instead of "·" in the prompt and "-" and "\" instead of "´" in the poor bear, who now looks like this:

```
# Welcome the user
echo
echo '        (()__(()   (Now 100% free of special characters!)'
echo '        /       \    /'
echo '       ( /    \  \  /'
echo '        \ o o    /'
echo '        (_()_)__/ \'
echo '       / _,==.____ \'
echo '      (   |--|      )'
echo '      /\_.|__|--.__/\_'
echo '     / (        /     \'
echo '     \  \      (      /'
echo '      )  \._____)    /'
echo '   (((____.--(((____/'
echo
```

About the .exe files invading my home: I play too many Windows games through Wine and Cedega, and sometimes I use mods, updates, etc... I think the .exe files are related to this, maybe I executed some kind of malware through Wine, or a game didn't work too well. This sounds silly but I don't think it is: I remember that playing Worms 3D generated in my home dir a lot of files named after all my home dirs but with .snd (pictures.snd, music.snd, videos.snd, documents.snd........)

To avoid that, in the new installation I decided to create a new user only for playing Windows games and managing files related to them. I don't want more unsafe .exe in my user home.

Last edited by Cereza on Wed Nov 28, 2007 4:46 am; edited 1 time in total

----------

## swimmer

Back to "Other Things Gentoo" then? ;)

----------

