# Testing my pc security

## dpetka2001

hello there...i would like to find out how i can test if my computer was hacked or not...i have a rapidshare account and yesterday i couldn't log in so i talked with them and they told me that my account was hacked...i got it back but i would like to test my computer for possible vulnerabilities or trojans...any help would be appreciated...thanks in advance...

----------

## massimo

You can run rkhunter or chkrootkit to find rootkits. Probably [1] and [2] can help a little.

[1] http://www.securityfocus.com/infocus/1769

[2] http://www.securityfocus.com/infocus/1773

----------

## phajdan.jr

Note that the most probable cause was a weak or sniffed password. I would suspect that before a rootkit, but it doesn't harm to check.

----------

## lesourbe

*phajdan.jr wrote:*

> Note that the most probable cause was weak or sniffed password. I would suspect that before a rootkit, but it doesn't harm to check.

++

badly protected Wi-Fi and a shared connection would come to mind first if rapidshare does not use https.

----------

## dpetka2001

well i have neither a wi-fi connection nor a shared internet connection...i don't even run ssh...the only ports i have opened in my router are the ones for the p2p programmes so that they can run appropriately...i ran chkrootkit but i think nothing was found...here is the output in case i don't interpret it the right way

```
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/nfs/sm/.keep_net-fs_nfs-utils-0 /usr/lib/nfs/sm.bak/.keep_net-fs_nfs-utils-0 /usr/lib/ruby/site_ruby/1.8/.keep_dev-lang_ruby-1.8 /usr/lib/ruby/site_ruby/1.8/i686-linux/.keep_dev-lang_ruby-1.8 /usr/lib/.keep /usr/lib/perl5/5.8.8/i686-linux/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/Git/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/Image/Magick/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/MythTV/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/IO/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/IO/Compress/Base/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/IO/Compress/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/IO/Socket/SSL/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/IO/String/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/DBI/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Pod/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/SVN/_Core/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/URI/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Sys/Syslog/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/XML/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/List/Util/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/RRDp/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/RRDs/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Term/ANSIColor/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Test/Harness/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/YAML/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Class/MethodMaker/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/PortageXS/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Error/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Irssi/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Shell/EnvImporter/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Archive/Rar/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Locale/gettext/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Module/Build/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Compress/Raw/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Storable/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/ExtUtils/ParseXS/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/ExtUtils/CBuilder/.packlist /usr/lib/samba/rpc/.keep_net-fs_samba-0 /usr/lib/samba/auth/.keep_net-fs_samba-0 /usr/lib/samba/idmap/.keep_net-fs_samba-0 /usr/lib/dbus-1.0/services/.keep_sys-apps_dbus-0 /usr/lib/latex2html/docs/.latex2html-init /usr/lib/locale/.keep_sys-libs_glibc-2.2 /usr/lib/openldap/openldap/.keep_net-nds_openldap-0 /lib/udev/devices/.keep_sys-fs_udev-0 /lib/udev/state/.keep_sys-fs_udev-0 /lib/.keep /lib/dev-state/.keep /lib/rcscripts/sh/.keep /lib/rcscripts/awk/.keep /lib/rcscripts/.keep /lib/rcscripts/net.modules.d/.keep /lib/rcscripts/net.modules.d/helpers.d/.keep /lib/bootchart/.keep_app-benchmarks_bootchart-0
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... Warning: `//root/.ash_history' file size is zero
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth1: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! jrn23        8200 tty7   X :0 -nolisten tcp -br -auth /home/jrn23/.serverauth.8183 -deferglyphs 16
chkutmp: nothing deleted
```
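As an added example (not code from the thread), a small Python triage of chkrootkit output in the format quoted above: it separates INFECTED and Warning results from the benign "not infected / nothing found" lines, records checks that were not run, and attaches the chkutmp process listing to its warning so the reviewer can judge it (a local X server on tty7, as listed above, does not register in utmp and is a typically benign cause of that report). The sample lines are constructed, modelled on the output above, with one synthetic INFECTED line added to exercise the parser.

```python
import re

# Constructed sample lines, modelled on the chkrootkit output quoted above.
# The `ls' INFECTED line is synthetic, added only to exercise the parser.
SAMPLE_OUTPUT = """\
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `inetd'... not tested
Searching for t0rn's default files and dirs... nothing found
Searching for anomalies in shell history files... Warning: `//root/.ash_history' file size is zero
Checking `sniffer'... eth1: not promisc and no PF_PACKET sockets
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! jrn23        8200 tty7   X :0 -nolisten tcp -br -auth /home/jrn23/.serverauth.8183 -deferglyphs 16
chkutmp: nothing deleted
"""

# Results chkrootkit prints when a check passed, or when it could not run at all.
CLEAN = ("not infected", "nothing found", "no suspect files", "nothing detected",
         "nothing deleted", "not promisc and no PF_PACKET sockets")
SKIPPED = ("not found", "not tested")
CHECK_LINE = re.compile(r"^(?:Checking|Searching for) (.+?)\.\.\.\s*(.*)$")

def triage(output):
    """Bucket every check as infected / warning / skipped / clean."""
    buckets = {"infected": [], "warning": [], "skipped": [], "clean": []}
    for line in output.splitlines():
        m = CHECK_LINE.match(line)
        if not m:
            # chkutmp prints the offending processes on '!' lines after its check;
            # keep them with that warning so the reviewer sees what triggered it.
            if line.startswith("!") and buckets["warning"]:
                buckets["warning"][-1] += "\n   " + line.strip()
            continue
        name, result = m.group(1).strip("`'"), m.group(2).strip()
        if "INFECTED" in result:
            buckets["infected"].append(name)
        elif result.endswith(CLEAN):
            buckets["clean"].append(name)
        elif result in SKIPPED:
            buckets["skipped"].append(name)
        else:  # "Warning: ..." or any result not recognised: a human must look at it
            buckets["warning"].append(f"{name}: {result}")
    return buckets

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_OUTPUT).items():
        print(f"{bucket}: {items}")
```

Anything that lands in the infected or warning buckets is what to read first; the skipped bucket lists checks chkrootkit could not perform on this box, which is worth knowing before calling the result clean.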

----------

## lesourbe

nothing wrong in here.

about your connection? wifi / shared lan?

----------

## dpetka2001

well as i've already said i don't have any wi-fi enabled (lacking equipment) nor do i share my lan with other people...i only plug my laptop into the switch to share files between them...i remember having used the laptop to download files from rapidshare as well...it is windows vista...how could the password have been sniffed, if that is possible? maybe through a trojan in windows that sends traffic out to the internet? is there any other way i can check my gentoo before moving on to the laptop?

----------

## lesourbe

chkrootkit - rkhunter - checking logs ... won't show anything relevant I bet.

then let's start with the most likely cause in your case: your laptop.

----------

## dpetka2001

thank you for your response...could you advise me on some antispyware or other applications i could use to check my laptop (windows vista) for anything suspicious?

----------

## lesourbe

sniffing from out of the box could tell you relevant stuff ...

spybot and avast could be of some help ... the paranoid freaks will tell you that if you have a doubt that your box is compromised you have to wipe out every single bit and start over with a fresh install.

----------

## dpetka2001

that would apply also for my gentoo box?

----------

## lesourbe

that would apply to any box ...

decentralized logs and tools like tripwire could help convince most of the paranoid freaks though.

NB: I hardly think your gentoo box has been compromised ... were you running hazardous services on it?

----------

## dpetka2001

```
jrn23@ ~ > rc-update show
           alsasound | boot
            bootmisc | boot
             checkfs | boot
           checkroot | boot
               clock | boot
         consolefont | boot
               cupsd |      default
                dbus |      default
                 gpm |      default
                hald |      default
            hostname | boot
             hotplug |      default
             keymaps | boot
          lm_sensors |      default
               local |      default nonetwork
          localmount | boot
             modules | boot
            net.eth1 |      default
              net.lo | boot
            netmount |      default
           rmnologin | boot
               samba |      default
           syslog-ng |      default
             urandom | boot
          vixie-cron |      default
```

these are the services i run on my pc...no ssh, no ftp...

----------

## lesourbe

Paranoid freaks: format everything, both boxes

moderate: format your windows box

less than moderate: run antispy / anti virus on your windows box

less than less: do not care, recreate an account, or change your password.

NB: I'll go for the moderate.

----------

## dpetka2001

thank you for your reply...i'll go with the moderate option for the time being...

----------

## jomen

suggestion:

AND change your passwords ;)

----------

## dpetka2001

already did that!! ;)

----------

## ebasedsecurity

It could be that your account was hacked from the other side. Maybe someone hacked your account and others at rapidshare.

Since your tests seem to show no infection, I would think that might be a possible scenario.

----------

## lesourbe

google says there's a bunch of results about "hack rapidshare account"

----------