# How can I know if I have been ROOTED or HACKED? I have snort.

## drspewfy

Hey, unfortunately I think I have been rooted, but I don't really know if the alerts from snort are TRUE..

Here I show what happened..

In the snort alert..

```
[**] [1:2182:2] BACKDOOR typot trojan traffic [**]
[Priority: 0]
03/18-23:28:11.737519 220.168.51.247:3784 -> 10.17.113.195:80
TCP TTL:107 TOS:0x0 ID:28415 IpLen:20 DgmLen:52 DF
******S* Seq: 0x1339E431  Ack: 0x0  Win: 0xDA00  TcpLen: 32
TCP Options (6) => MSS: 1452 NOP WS: 2 NOP NOP SackOK
```

--- Scans before the alert of the backdoor...

```
[**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
03/18-18:52:20.792822 10.17.112.20:48968 -> 10.17.42.10:22 TCP TTL:44 TOS:0x0 ID:10515 IpLen:20 DgmLen:60
***A**** Seq: 0x1A464800  Ack: 0x0  Win: 0x400  TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [111:10:1] (spp_stream4$03/18-18:52:20.793136 10.17.112.20:48971 -> 10.17.42.10:137
TCP TTL:53 TOS:0x0 ID:25545 IpLen:20 DgmLen:60
**U*P**F Seq: 0x1A464800  Ack: 0x0  Win: 0x800  TcpLen: 40  UrgPtr: 0x0 TCP Options (5) => WS: 10 NOP MSS: 26$

[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
03/18-18:52:22.339509 10.17.112.20:48966 -> 10.17.42.10:22 TCP TTL:46 TOS:0x0 ID:63890 IpLen:20 DgmLen:60
******** Seq: 0x1A464800  Ack: 0x0  Win: 0xC00  TcpLen: 40
```

** Then.. I checked my root@site.org mail .... and..

I got this mail ...

```
X-Original-To: root@linux.mty.itesm.mx
Delivered-To: root@linux.mty.itesm.mx
Date: Sun, 21 Mar 2004 17:50:17 -0600 (CST)
From: Mail Delivery System <MAILER-DAEMON@linux.mty.itesm.mx>
Subject: Undelivered Mail Returned to Sender
To: root@linux.mty.itesm.mx

[-- Attachment #1: Notification --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.7K --]

This is the Postfix program at host linux.mty.itesm.mx.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

                        The Postfix program

<---@linux.mty.itesm.mx>: invalid recipient syntax: "---@linux.mty.itesm.mx"
<codigo@linux.mty.itesm.mx>: unknown user: "codigo"
<malicioso@linux.mty.itesm.mx>: unknown user: "malicioso"
<esta@linux.mty.itesm.mx>: unknown user: "esta"
<te@linux.mty.itesm.mx>: unknown user: "te"
<metiendo@linux.mty.itesm.mx>: unknown user: "metiendo"

[-- Attachment #2: Delivery error report --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.9K --]

Reporting-MTA: dns; linux.mty.itesm.mx

Final-Recipient: rfc822; ---@linux.mty.itesm.mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; invalid recipient syntax: "---@linux.mty.itesm.mx"

Final-Recipient: rfc822; codigo@linux.mty.itesm.mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "codigo"

Final-Recipient: rfc822; malicioso@linux.mty.itesm.mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "malicioso"

Final-Recipient: rfc822; esta@linux.mty.itesm.mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "esta"

Final-Recipient: rfc822; te@linux.mty.itesm.mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "te"

Final-Recipient: rfc822; metiendo@linux.mty.itesm.mx
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "metiendo"

[-- Attachment #3: Undelivered Message --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 0.5K --]

To: te@linux.mty.itesm.mx, esta@linux.mty.itesm.mx,
        metiendo@linux.mty.itesm.mx, codigo@linux.mty.itesm.mx,
        malicioso@linux.mty.itesm.mx, exploits <---@linux.mty.itesm.mx>
Subject: ---
Date: Sun, 21 Mar 2004 17:50:13 -0600 (CST)
```

In Spanish ... "Codigo" "Malicioso" "esta" "te" "Metiendo" ,, means ...

malicious code is injecting or joining...

MAILS to users that don't exist appeared with those words... "exploit" ??..

soo.. then I followed the date of that mail, and I got this

with SNORT

SNORT IS REALLY HELPFUL DUDES, install it!!!!

```
[**] [1:1847:3] WEB-MISC webalizer access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
03/21-04:04:38.162233 200.79.236.229:32845 -> 10.17.112.20:80
TCP TTL:45 TOS:0x0 ID:56349 IpLen:20 DgmLen:614 DF
***AP*** Seq: 0x78B0DFA  Ack: 0xC1792671  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 250376 50257049
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0643][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10816]
```

-> THE FAMOUS SHELLCODE that comes with the exploits  :Sad:

```
[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
03/21-07:40:19.230659 67.113.43.137:2660 -> 10.17.112.20:80
TCP TTL:107 TOS:0x0 ID:34217 IpLen:20 DgmLen:1466 DF
***A**** Seq: 0xE8F7EDDF  Ack: 0x7061584A  Win: 0xFAAA  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
03/21-07:40:19.315870 67.113.43.137:2660 -> 10.17.112.20:80
TCP TTL:107 TOS:0x0 ID:34218 IpLen:20 DgmLen:1466 DF
***A**** Seq: 0xE8F7F371  Ack: 0x7061584A  Win: 0xFAAA  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]
```

The alerts have been triggered,

HOW CAN I KNOW if I have been rooted, or some files were modified,,

 ** I have used chkrootkit, but it didn't detect ANYTHING!..

What should I see or do, to know if I have been rooted,

 * I don't wanna RE-install until I know how to know if I have been rooted..

* Any thoughts !??

* I will really appreciate your comments.. and don't tell me re-install.. until we know what really happened, or just a bit..

THANKS

from Mexico

----------

## drspewfy

The question is, how can I know if the script kiddies got what they wanted, or they really got root, or it was just a FALSE ALERT of snort.. but I don't think so!...

Here I missed another alert...

1 day before the shellcode

I got this..

```
[**] ATTACK-RESPONSES id check returned root [**]
03/20-03:34:51.818529 10.17.112.20:80 -> 201.128.139.115:25308
TCP TTL:64 TOS:0x0 ID:42330 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x5D2FC4BB  Ack: 0x39653CBE  Win: 0x1920  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```

.. so does it mean something like they got root ??

:S ??

Well, this stuff is interesting to investigate...

THANKS to everybody

----------

## drspewfy

Hello!¡¡ Anybody know?? Nothing about snort ??

 :Sad: 

----------

## dvc5

*drspewfy wrote:*

> Hello!¡¡ Anybody know?? Nothing about snort ??

First, grab ACID and set it up if you don't have it already. It makes organizing and viewing snort logs MUCH easier. Second, those messages are fairly common especially if you're running a high-traffic site. The NOOP warnings can occur especially if you've got medium-to-large file transfers taking place from the server, as some binary files can appear like NOOP instructions. So to summarize, install ACID, and your life will be easier.

----------

## drspewfy

I use snortalog...

It's not as nice as ACID, but it works,

and I got that some malicious code was executed (probably).

I don't have a big network...

:S

but some things look like somebody was trying to get root....

 cuz, it is weird that before the attack, I had like 4 scans, NULL scan, Xmas scan, and all those that we know of NMAP.

so :S, the question is what to search in the system to know if there were changes

thanks  :Sad:

----------

## dvc5

If an attacker really knew what he/she was doing, you most likely will never be able to find out if you got rooted until something catastrophic happens to the box (passwords changed, sshd stopped, etc...). 

There are different tools you can emerge like "aide" which actually creates an image snapshot of your hard drive and uses that for file modification comparisons. The howto is here. You might also want to emerge chkrootkit which will check if a rootkit has been installed on your system.

It basically boils down to how paranoid you want to get with security, and there's often a tradeoff between security and functionality.

----------

## pakman

*drspewfy wrote:*

> [**] ATTACK-RESPONSES id check returned root [**]
> 03/20-03:34:51.818529 10.17.112.20:80 -> 201.128.139.115:25308
> ...

Snort gets triggered every time it sees the text uid=0(root) flowing anywhere in the clear. There it's coming from port 80 on 10.17.112.20, the webserver.

That either means that:

a) 10.17.112.20 is your machine, and someone just rooted it via the webserver, or, more likely:

b) that you visited a website with uid=0(root) on it somewhere

If you check snort now, you should have just got an "id check returned root" alert from reading this page  :Smile:

----------
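pakman's point above is about direction: the "id check returned root" alert was raised on traffic leaving port 80 of 10.17.112.20, so the matched text was inside something the web server sent. The following is an added example (my own code, not from the thread, from Snort, or from any poster) that parses Snort's full alert format as quoted in this thread and labels each record by direction relative to the monitored host, attaching a triage hint for the three alert types discussed. The sample records are copied from the posts, including the one the poster's terminal truncated, so the parser shows how such a line is reported instead of silently dropped; `LOCAL_HOSTS` is an assumption taken from the poster's later confirmation of the address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed from the alerts quoted in this thread; the last record is the one
# the poster's terminal truncated, kept here to show how the parser treats it.
SAMPLE_ALERTS = """\
[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
03/21-07:40:19.230659 67.113.43.137:2660 -> 10.17.112.20:80
TCP TTL:107 TOS:0x0 ID:34217 IpLen:20 DgmLen:1466 DF
***A**** Seq: 0xE8F7EDDF  Ack: 0x7061584A  Win: 0xFAAA  TcpLen: 20

[**] ATTACK-RESPONSES id check returned root [**]
03/20-03:34:51.818529 10.17.112.20:80 -> 201.128.139.115:25308
TCP TTL:64 TOS:0x0 ID:42330 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x5D2FC4BB  Ack: 0x39653CBE  Win: 0x1920  TcpLen: 20

[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
03/18-18:52:22.339509 10.17.112.20:48966 -> 10.17.42.10:22 TCP TTL:46 TOS:0x0 ID:63890 IpLen:20 DgmLen:60
******** Seq: 0x1A464800  Ack: 0x0  Win: 0xC00  TcpLen: 40

[**] [111:10:1] (spp_stream4$03/18-18:52:20.793136 10.17.112.20:48971 -> 10.17.42.10:137
TCP TTL:53 TOS:0x0 ID:25545 IpLen:20 DgmLen:60
"""

# Assumption: the monitored server's own address, as the poster confirms later.
LOCAL_HOSTS: Set[str] = {"10.17.112.20"}

# Snort full-alert layout: "[**] [gid:sid:rev] message [**]" (the tag is optional),
# an optional "[Classification: ...] [Priority: N]" line, then "date src:port -> dst:port".
HEADER_RE = re.compile(r"\[\*\*\]\s*(?:\[(\d+):(\d+):(\d+)\]\s*)?(.*?)\s*\[\*\*\]")
PRIORITY_RE = re.compile(r"\[Priority:\s*(\d+)\]")
FLOW_RE = re.compile(
    r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)"
)


@dataclass
class Alert:
    sid: Optional[str]        # None for alerts that carry no [gid:sid:rev] tag
    message: str
    priority: Optional[int]
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int


def _records(text: str) -> List[List[str]]:
    """Group lines into records; every record starts at a '[**]' header line."""
    records: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().startswith("[**]"):
            records.append([line])
        elif records:
            records[-1].append(line)
    return records


def parse_alerts(text: str) -> List[Alert]:
    """Return the records that carry both a complete header and a flow line."""
    alerts: List[Alert] = []
    for rec in _records(text):
        body = "\n".join(rec)
        head, flow = HEADER_RE.search(rec[0]), FLOW_RE.search(body)
        if not head or not flow:
            continue  # truncated or garbled record; reported by unparsed_records()
        prio = PRIORITY_RE.search(body)
        alerts.append(Alert(
            sid=head.group(2), message=head.group(4).strip(),
            priority=int(prio.group(1)) if prio else None,
            timestamp=flow.group(1),
            src=flow.group(2), sport=int(flow.group(3)),
            dst=flow.group(4), dport=int(flow.group(5)),
        ))
    return alerts


def unparsed_records(text: str) -> List[str]:
    """First line of every record parse_alerts() skipped, so nothing is lost silently."""
    return [rec[0] for rec in _records(text)
            if not HEADER_RE.search(rec[0]) or not FLOW_RE.search("\n".join(rec))]


def triage(alert: Alert, local_hosts: Set[str] = LOCAL_HOSTS) -> Tuple[str, str]:
    """Label the direction relative to the monitored hosts and attach a triage hint."""
    src_local, dst_local = alert.src in local_hosts, alert.dst in local_hosts
    if src_local and not dst_local:
        direction = "outbound"
    elif dst_local and not src_local:
        direction = "inbound"
    elif src_local and dst_local:
        direction = "local"
    else:
        direction = "transit"

    note, msg = "", alert.message
    if msg.startswith("ATTACK-RESPONSES") and direction == "outbound" and alert.sport < 1024:
        # The match is in a reply a local service sent: inspect what that service
        # serves on the port before reading the alert as a compromise.
        note = "matched text was sent by a local service (port %d)" % alert.sport
    elif "SHELLCODE" in msg and direction == "inbound":
        note = "inbound payload matched a NOP pattern; binary transfers also match, check the server log for this client"
    elif direction == "outbound" and ("scan" in msg.lower() or "NMAP" in msg):
        note = "scan traffic originates from a local host"
    return direction, note


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        d, n = triage(a)
        print(a.timestamp, a.sid or "-", a.message, "|", d, "|", n)
    for line in unparsed_records(SAMPLE_ALERTS):
        print("skipped:", line)
```

Run it with `python3` to get one line per record. Note that the same direction check labels the NMAP scan alerts from the first post as outbound from 10.17.112.20 itself, which is something to explain (the poster's own scanning, or not) before deciding whether the box is clean.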

## Chris W

Here are a few things to check:

Is webalizer installed on your machine?  Possibly vulnerable, otherwise "[1:1847:3] WEB-MISC webalizer access" is a false alarm.

Is webalizer visible to the public through your web server?  Possibly vulnerable--cannot be exploited if it can't be seen.

Is webalizer version earlier than 2.1.09?  Vulnerable.

Have you upgraded to 2.01.09 or later and changed webalizer's OutputDir?  Recommended fix.

Look at the output of "netstat -pan --inet" for suspicious open ports etc.  If you are paranoid you could "emerge net-tools" to reduce the risk of a "fixed" netstat.

Check your firewall rules.  You are running a firewall aren't you?

Update your firewall to log connections out to port 25, or all ports, for a while to see if anything untoward is going out.

----------
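Chris W's netstat check, carried one step further as an added example (my own code, not from the thread): it parses a `netstat -pan --inet` listing and flags listeners on ports outside an allow-list, listeners that netstat shows with a PID but no program name, and established connections to a remote port 25, which is the outbound mail traffic Chris W suggests logging for a while. The sample lines are a subset of the listing the poster puts up later in the thread; `EXPECTED_PORTS` is an assumption about which ports this host is meant to serve.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the lines from the netstat listing posted in this thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4476/
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5310/apache
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      10607/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      17538/
tcp        0      0 10.17.112.20:2419       64.156.215.6:25         ESTABLISHED 12196/
tcp        0      0 10.17.112.20:22         207.248.39.14:4995      ESTABLISHED 17880/sshd: soldier
tcp        0      0 10.17.112.20:80         64.68.82.199:64276      TIME_WAIT   -
udp     4896      0 0.0.0.0:68              0.0.0.0:*                           24374/dhcpcd
"""

# Assumption: the ports this host is meant to serve, mapped to the program expected
# to own each one ("" when the owner is not pinned down).  3306 is left out on purpose.
EXPECTED_PORTS: Dict[int, str] = {22: "sshd", 25: "", 80: "apache", 68: "dhcpcd"}

# Trailing columns: an optional State word, then "PID/Program name" or "-".
TAIL_RE = re.compile(r"^(?:([A-Z][A-Z_0-9]*)\s+)?(-|\d+/.*)$")


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]   # None for "*"
    state: str                    # "" for UDP sockets without a state column
    pid: Optional[int]            # None when netstat printed "-"
    program: str


def _split_addr(addr: str) -> Tuple[str, Optional[int]]:
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # banner, column header, shell prompt
        proto, _recvq, _sendq, local, foreign, tail = parts
        m = TAIL_RE.match(tail.strip())
        if not m:
            continue
        state = m.group(1) or ""
        if m.group(2) == "-":
            pid, program = None, ""
        else:
            pid_s, _, program = m.group(2).partition("/")
            pid = int(pid_s)
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        sockets.append(Socket(proto, lhost, lport, fhost, fport, state, pid, program.strip()))
    return sockets


def is_listener(s: Socket) -> bool:
    # TCP listeners carry LISTEN; unconnected UDP sockets show "*" as foreign port and no state.
    return s.state == "LISTEN" or (s.proto.startswith("udp") and s.foreign_port is None and s.state == "")


def triage(sockets: List[Socket], expected: Dict[int, str] = EXPECTED_PORTS) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for s in sockets:
        who = "pid %s (%s)" % (s.pid, s.program or "no name")
        if is_listener(s):
            if s.local_port not in expected:
                findings.append(("unexpected-listener", "%s port %s on %s, %s" % (s.proto, s.local_port, s.local_host, who)))
            elif expected[s.local_port] and expected[s.local_port] not in s.program:
                findings.append(("listener-program-mismatch", "%s port %s owned by %s, expected %s" % (s.proto, s.local_port, who, expected[s.local_port])))
            if not s.program and s.pid is not None:
                # netstat printed a PID but no name: confirm the binary behind it via /proc/<pid>/exe
                findings.append(("listener-without-name", "%s port %s, check /proc/%d/exe" % (s.proto, s.local_port, s.pid)))
        elif s.state == "ESTABLISHED" and s.foreign_port == 25:
            # Outbound mail connections, the traffic Chris W suggests logging.
            findings.append(("outbound-smtp", "%s -> %s:25" % (who, s.foreign_host)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_netstat(SAMPLE_NETSTAT)):
        print("%-26s %s" % (kind, detail))
```

On the posted listing this reports the two listeners whose program name is blank (3306 and 25) and the established connection to 64.156.215.6:25. If netstat itself is suspect, as Chris W hints, the parser runs unchanged over the output of a freshly emerged net-tools, and the `/proc/<pid>/exe` lookup it points to does not go through netstat at all.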

## drspewfy

Hi !

- Yes my IP is that one .. 10.17.112.20

Yes I use webalizer and it is public, well nobody knows, just some friends...

The version is the newest in gentoo, it is newer than the one that is said to be vulnerable:

```
Calculating dependencies ...done!
[ebuild   R   ] app-admin/webalizer-2.01.10-r4
```

pakman:

- I didn't see an alert about .. id check returned root..

 Just a lot of ICMP PING NMAP...

- mmm nobody logs in via the webserver, just with ssh, and nobody can log in via ssh as ROOT, much less via another service (ftp, apache) ..

 ** Maybe it was an intrusion through the webserver (apache) ... sql injection ? ..

as you can see in the mail that I got.. on the day March 21..

How can I know what files were changed since 18 March ???

Here is what I get doing netstat -pan --inet

```
root@linux snort # netstat -pan --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5347            0.0.0.0:*               LISTEN      23064/router
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      17919/c2s
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4476/
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5310/apache
tcp        0      0 0.0.0.0:5269            0.0.0.0:*               LISTEN      19224/s2s
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      10607/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      17538/
tcp        0      0 10.17.112.20:5269       201.128.162.122:56985   ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:5347       10.17.112.20:2452       ESTABLISHED 23064/router
tcp        0      0 10.17.112.20:5222       10.16.85.82:1190        ESTABLISHED 17919/c2s
tcp        0      0 127.0.0.1:4910          127.0.0.1:5347          ESTABLISHED 5689/resolver
tcp        0      0 10.17.112.20:5269       207.182.190.28:50487    ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:2761       66.119.199.40:5269      ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:5222       207.248.39.254:41389    ESTABLISHED 17919/c2s
tcp        0      0 10.17.112.20:5269       10.17.112.20:3792       ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:5269       207.182.190.28:58545    ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:5269       207.182.190.28:57873    ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:5269       207.182.190.28:51568    ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:5269       66.119.199.40:33199     ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:1374       10.17.112.20:5347       ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:5222       10.17.112.20:3250       ESTABLISHED 17919/c2s
tcp        0      0 10.17.112.20:5269       207.182.190.28:43762    ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:22         207.248.39.14:4995      ESTABLISHED 17880/sshd: soldier
tcp        0      0 10.17.112.20:2419       64.156.215.6:25         ESTABLISHED 12196/
tcp        0      0 10.17.112.20:5269       207.182.190.28:36317    ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:5222       10.16.81.116:4669       ESTABLISHED 17919/c2s
tcp        0      0 10.17.112.20:3562       207.182.190.28:5269     ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:2452       10.17.112.20:5347       ESTABLISHED 17919/c2s
tcp        0      0 10.17.112.20:5347       10.17.112.20:1374       ESTABLISHED 23064/router
tcp        0      0 127.0.0.1:5347          127.0.0.1:4910          ESTABLISHED 23064/router
tcp        0      0 10.17.112.20:3250       10.17.112.20:5222       ESTABLISHED 6697/php
tcp        0      0 10.17.112.20:3792       10.17.112.20:5269       ESTABLISHED 19224/s2s
tcp        0      0 10.17.112.20:1202       201.128.162.122:5269    ESTABLISHED 19224/s2s
tcp        0    240 10.17.112.20:22         207.248.39.14:5227      ESTABLISHED 2690/sshd: soldier
tcp        0      0 127.0.0.1:5347          127.0.0.1:3259          ESTABLISHED 23064/router
tcp        0      0 127.0.0.1:3259          127.0.0.1:5347          ESTABLISHED 1358/sm
tcp        0      0 10.17.112.20:80         64.68.82.199:64276      TIME_WAIT   -
udp     4896      0 0.0.0.0:68              0.0.0.0:*                           24374/dhcpcd
udp        0      0 10.17.112.20:123        0.0.0.0:*                           16014/
udp        0      0 127.0.0.1:123           0.0.0.0:*                           16014/
udp        0      0 0.0.0.0:123             0.0.0.0:*                           16014/
root@linux snort #
```

Any suggestions ???

----------
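The question in the post above, which files changed since 18 March, and dvc5's pointer to aide rest on the same mechanism: a recorded snapshot of the tree compared against its current state. The following is an added example (my own code, neither the thread's nor aide's) of that mechanism: `build_baseline` records size, mode, owner and SHA-256 for every file, `compare` reports what was added, removed or modified since, and `changed_since` answers the dated question without a baseline by using inode change time. `demo` runs a constructed scenario in a temporary directory; the file names and contents in it are made up for the example.

```python
import hashlib
import json
import os
import stat
import tempfile
import time
from datetime import datetime
from typing import Dict, List

Record = Dict[str, object]


def file_record(path: str) -> Record:
    """Metadata plus SHA-256 (regular files only) for one path."""
    st = os.lstat(path)
    rec: Record = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                   "mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk root and record every file, keyed by its path relative to root."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                baseline[os.path.relpath(full, root)] = file_record(full)
            except OSError:
                continue  # vanished or unreadable while walking
    return baseline


def save_baseline(baseline: Dict[str, Record], path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path) as f:
        return json.load(f)


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, object]:
    """Paths added, removed, or whose content, size, mode or owner differ from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified: Dict[str, List[str]] = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "size", "mode", "uid")
                 if baseline[rel].get(k) != current[rel].get(k)]
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def changed_since(root: str, when: datetime) -> List[str]:
    """Files whose inode change time (ctime) is at or after `when`.

    The kernel sets ctime on any content or metadata change and, unlike mtime,
    it cannot be set with touch/utime, so it is the better field for a dated
    question when no baseline exists.  It is still on-box metadata.
    """
    cutoff = when.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if os.lstat(full).st_ctime >= cutoff:
                    hits.append(os.path.relpath(full, root))
            except OSError:
                continue
    return sorted(hits)


def demo() -> Dict[str, object]:
    """Constructed scenario: baseline a small tree, then change, add and delete files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "fs")
        for rel, data in (("bin/ls", b"original ls"), ("etc/passwd", b"root:x:0:0"), ("etc/motd", b"hello")):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, 0o644)
        manifest = os.path.join(tmp, "baseline.json")  # kept outside the tree it describes
        save_baseline(build_baseline(root), manifest)

        since = datetime.now()
        time.sleep(1.1)  # step past coarse filesystem timestamp granularity before changing anything
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"replaced ls!")                          # content and size change
        os.chmod(os.path.join(root, "etc/passwd"), 0o600)     # mode-only change
        os.remove(os.path.join(root, "etc/motd"))
        newtool = os.path.join(root, "usr/local/bin/newtool")
        os.makedirs(os.path.dirname(newtool))
        with open(newtool, "wb") as f:
            f.write(b"#!/bin/sh\n")

        return {"compare": compare(load_baseline(manifest), build_baseline(root)),
                "since": changed_since(root, since)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A baseline taken after the suspected intrusion only shows changes made later; for files owned by packages, compare against the package manager's recorded checksums or a known-good install instead. Keep the manifest off the box, and keep dvc5's caveat in mind: a kernel-level rootkit can misreport hashes and timestamps alike, which is why this kind of check is strongest when run from clean media.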

## drspewfy

I have some services up

- apache

- postfix

- smtp

- jabber

- mysql

The server is inside a network of a university ... and behind a router ...

----------

## pakman

It's more likely that a webpage on the server has the text string "uid=0(root)" on it and that triggered the response. Most webservers don't run as root; if the one on that machine doesn't, then that's almost certainly a false alarm. Depends how many sites are on it really. You could do something like:

```
grep -r "uid=0(root)" /home/*/public_html/*
```

----------

## Chris W

Out of curiosity, what are s2s and c2s?

----------

## Cptn_Insaneo

Something we do at the office is run NESSUS to check the vulnerability of the system first.... fix the issues... run it again.  Then set snort up... the problem is all the false positives seen using just one or the other, but if you get a good database built up from both you can start narrowing down intrusion issues.

----------

