Solved

chkroot possible trojan message?

Posted on 2009-07-16
Last Modified: 2013-11-08
Hi,
I'm running CentOS and just got this email today. Can someone shed some light on this or tell me what I should do about it?

-----------

subj: Cron <root@hostname> /root/chkrootkit.sh | grep -v .packlist

/proc/31394/fd: No such file or directory
/proc/31395/fd: No such file or directory

/var/www/mrtg/tcp.log

/usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias INFECTED (PORTS:  465)
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed  The tty of the following user process(es) were not found  in /var/run/utmp !
! RUID          PID TTY    CMD
! root        10451 pts/1  /bin/bash
Question by:allwebnow

Expert Comment

by:hopeleonie
ID: 24871688

Expert Comment

by:hopeleonie
ID: 24871936
I forgot something:

Install the add-ins on a Windows computer and scan the CentOS system.

Let me know
hopeleonie

Expert Comment

by:Kerem ERSOY
ID: 24874076
Hi,

It seems that you're infected with a rootkit. The process hid itself from regular processes so that you can't see it through system management tools such as ps.

Port 465 is generally used for internal delivery by SMTP daemons such as sendmail and postfix. The application is listening on that port.

I suggest you take the system offline ASAP.
- If you need to investigate it later, make a copy of the entire volume with a tool such as G4L (Ghost 4 Linux). This is a free, open-source tool for imaging hard disks. I suggest you not skip this step, because it might help you understand how the attacker got access to your system.
- Then boot CentOS from the installation disk in rescue mode. At the ":" command prompt type:
 linux rescue <ENTER>
- Select mount volume
- Clean the rootkit. Copy the data on your system to another system or to a removable drive
- Reinstall the complete system
- Apply all the recent patches
- Enable SELinux and the firewall. Permit only the ports for necessary applications
- Reinstall chkrootkit and set it to report over Cron
- Restore your backups

Only start to use your system again after this point. As for the Ghost image, keep a copy of the system handy at all times. If you want to investigate further, make a copy and work on it; don't tamper with the evidence. Investigate the system for traces of the hacker.

Cheers,
K.
 
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24874205
To be on the safe side just issue this command:

netstat -anpt

Post the output here and check whether any legitimate software is listening on the port. If you don't see any application on the list then you've probably been infected with a rootkit.

> chkproc: Warning: Possible LKM Trojan installed  The tty of the following user process(es) were not found  in /var/run/utmp !
> ! RUID          PID TTY    CMD
> ! root        10451 pts/1  /bin/bash

It seems that /var/run/utmp was not updated when you logged on.

Expert Comment

by:Kerem ERSOY
ID: 24874219
Are you running Cpanel or something like that ?
Author Comment

by:allwebnow
ID: 24874428
cpanel yes.

Here's my output... looks like exim?

[~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:11553             0.0.0.0:*                   LISTEN      23515/MailWatch SQL
tcp        0      0 0.0.0.0:2082                0.0.0.0:*                   LISTEN      18586/cpsrvd - wait
tcp        0      0 0.0.0.0:2083                0.0.0.0:*                   LISTEN      18586/cpsrvd - wait
tcp        0      0 0.0.0.0:2086                0.0.0.0:*                   LISTEN      18586/cpsrvd - wait
tcp        0      0 0.0.0.0:2087                0.0.0.0:*                   LISTEN      18586/cpsrvd - wait
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      4774/mysqld
tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN      12550/exim
tcp        0      0 0.0.0.0:2095                0.0.0.0:*                   LISTEN      18586/cpsrvd - wait
tcp        0      0 0.0.0.0:2096                0.0.0.0:*                   LISTEN      18586/cpsrvd - wait
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      12833/httpd
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      12588/exim
tcp        0      0 216.83.111.85:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.84:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.83:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.82:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.81:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.80:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.79:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.78:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.77:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.76:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.75:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.74:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.73:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.72:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.71:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.165:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.164:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.163:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.162:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.161:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.160:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.159:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.158:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.157:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.156:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.155:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.154:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.153:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.152:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.151:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.150:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.149:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.148:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.147:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.146:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.145:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.144:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.143:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.142:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.141:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.140:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.139:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.138:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.137:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.136:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.135:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.134:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.133:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.132:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.131:53           0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 216.83.111.30:53            0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      14487/pure-ftpd (SE
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      12565/exim
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      25460/named
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      12833/httpd
tcp        0      0 0.0.0.0:2077                0.0.0.0:*                   LISTEN      21437/cpdavd - acce
tcp        0      0 0.0.0.0:2078                0.0.0.0:*                   LISTEN      21437/cpdavd - acce
tcp        0      0 216.83.111.30:25            95.75.34.249:62565          ESTABLISHED 24900/exim
tcp        0      0 127.0.0.1:11553             127.0.0.1:46684             CLOSE_WAIT  23515/MailWatch SQL
tcp        0      0 216.83.111.153:21           75.39.143.129:53768         ESTABLISHED 24461/pure-ftpd (UP
tcp        1      0 216.83.111.30:25            208.110.68.13:51089         CLOSE_WAIT  24815/exim
tcp        0      0 216.83.111.153:20           75.39.143.129:53794         TIME_WAIT   -
tcp        0      0 216.83.111.153:20           75.39.143.129:53795         ESTABLISHED 24461/pure-ftpd (UP
tcp        0      0 216.83.111.30:25            85.107.174.151:50498        TIME_WAIT   -
tcp        0      0 216.83.111.30:25            190.245.63.18:4876          TIME_WAIT   -
tcp        0      0 216.83.111.30:80            74.6.22.176:40038           TIME_WAIT   -
tcp        0      0 216.83.111.30:80            74.6.22.176:40013           TIME_WAIT   -
tcp        0      0 216.83.111.30:80            74.6.22.176:39961           TIME_WAIT   -
tcp        0      0 216.83.111.153:80           75.191.145.170:52364        ESTABLISHED 24752/httpd
tcp        0      0 216.83.111.30:80            74.6.22.176:40124           TIME_WAIT   -
tcp        0      0 216.83.111.30:80            74.6.22.176:39853           TIME_WAIT   -
tcp        0      0 216.83.111.30:80            74.6.22.176:40078           TIME_WAIT   -
tcp        0      0 216.83.111.30:25            173.11.126.70:4329          TIME_WAIT   -
tcp        0      0 216.83.111.30:80            74.6.22.176:39814           TIME_WAIT   -
tcp        0      0 :::993                      :::*                        LISTEN      5845/couriertcpd
tcp        0      0 :::1922                     :::*                        LISTEN      26938/java
tcp        0      0 :::995                      :::*                        LISTEN      5857/couriertcpd
tcp        0      0 ::ffff:127.0.0.1:8905       :::*                        LISTEN      26972/java
tcp        0      0 :::8009                     :::*                        LISTEN      25054/jsvc.exec
tcp        0      0 :::110                      :::*                        LISTEN      5851/couriertcpd
tcp        0      0 :::143                      :::*                        LISTEN      5838/couriertcpd
tcp        0      0 :::1935                     :::*                        LISTEN      25054/jsvc.exec
tcp        0      0 :::8080                     :::*                        LISTEN      25054/jsvc.exec
tcp        0      0 :::8722                     :::*                        LISTEN      24938/sshd
tcp        0      0 :::43731                    :::*                        LISTEN      26972/java
tcp        0      0 :::21                       :::*                        LISTEN      14487/pure-ftpd (SE
tcp        0      0 :::51993                    :::*                        LISTEN      26972/java
tcp        0      0 :::44410                    :::*                        LISTEN      26972/java
tcp        0      0 :::30                       :::*                        LISTEN      26972/java
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.116.198:55599  CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.131:110   ::ffff:74.83.186.228:50868  TIME_WAIT   -
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.64.153:59103  ESTABLISHED 27584/couriertls
tcp        0      0 ::ffff:216.83.111.30:143    ::ffff:74.215.93.104:50121  ESTABLISHED 11357/imapd
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.112.42:55604   CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.30:143    ::ffff:74.215.93.104:50385  ESTABLISHED 32681/imapd
tcp        0      0 ::ffff:216.83.111.136:143   ::ffff:166.137.134.13:43798 ESTABLISHED 10378/couriertls
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.112.42:44823   CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.147:993   ::ffff:67.223.70.154:50051  ESTABLISHED 28454/couriertls
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.112.42:49277   CLOSE_WAIT  26972/java
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.116.198:46158  CLOSE_WAIT  26972/java
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.116.198:35907  CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.77.238:34007  ESTABLISHED 29453/couriertls
tcp        0      0 ::ffff:216.83.111.30:8722   ::ffff:74.83.223.254:50691  ESTABLISHED 4495/sshd: root@not
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.67.196:53272  ESTABLISHED 8104/couriertls
tcp        0      0 ::ffff:216.83.111.30:143    ::ffff:74.215.93.104:50784  ESTABLISHED 24171/imapd
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.116.198:55168  CLOSE_WAIT  26972/java
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.116.198:45952  CLOSE_WAIT  26972/java
tcp        1      0 ::ffff:216.83.111.30:44177  ::ffff:216.83.111.30:30     CLOSE_WAIT  26938/java
tcp        1      0 ::ffff:216.83.111.30:44170  ::ffff:216.83.111.30:30     CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.71.228:33296  ESTABLISHED 5177/couriertls
tcp        0      0 ::ffff:127.0.0.1:44408      ::ffff:127.0.0.1:21         CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.79.150:36193  ESTABLISHED 17029/couriertls
tcp        0      0 ::ffff:216.83.111.30:110    ::ffff:74.83.223.254:50965  TIME_WAIT   -
tcp        0   2372 ::ffff:216.83.111.30:8722   ::ffff:74.83.223.254:50992  ESTABLISHED 24835/2
tcp        1      0 ::ffff:127.0.0.1:43731      ::ffff:127.0.0.1:20         CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.131:993   ::ffff:67.223.69.45:39499   ESTABLISHED 8639/couriertls
tcp        1      0 ::ffff:127.0.0.1:43647      ::ffff:127.0.0.1:21         CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.30:110    ::ffff:209.85.210.205:43094 TIME_WAIT   -
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.116.198:46823  CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.30:143    ::ffff:74.215.93.104:50191  ESTABLISHED 848/imapd
tcp        0      0 ::ffff:216.83.111.132:110   ::ffff:74.83.210.77:50514   TIME_WAIT   -
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.116.198:59633  CLOSE_WAIT  26972/java
tcp        1      0 ::ffff:127.0.0.1:51971      ::ffff:127.0.0.1:21         CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.76.183:45320  ESTABLISHED 7424/couriertls
tcp        1      0 ::ffff:216.83.111.81:30     ::ffff:64.12.112.42:37059   CLOSE_WAIT  26972/java
tcp        0      0 ::ffff:216.83.111.30:8722   ::ffff:74.83.223.254:50038  ESTABLISHED 31317/0
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.71.73:42465   ESTABLISHED 6482/couriertls
tcp        0      0 ::ffff:216.83.111.147:110   ::ffff:166.205.4.19:3988    TIME_WAIT   -
tcp        0      0 ::ffff:216.83.111.147:110   ::ffff:166.205.4.19:13730   ESTABLISHED 24905/pop3d
tcp        0      0 ::ffff:216.83.111.30:143    ::ffff:208.102.21.13:50032  ESTABLISHED 9491/imapd
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:71.67.100.132:49223  ESTABLISHED 21588/couriertls
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.68.74:60879   ESTABLISHED 7453/couriertls
tcp        0      0 ::ffff:216.83.111.30:110    ::ffff:166.205.5.11:46755   TIME_WAIT   -
tcp        0      0 ::ffff:216.83.111.30:110    ::ffff:166.205.5.11:46757   TIME_WAIT   -
tcp        0      0 ::ffff:216.83.111.30:110    ::ffff:166.205.5.11:46756   TIME_WAIT   -
tcp        0      0 ::ffff:216.83.111.30:143    ::ffff:166.137.132.16:29746 ESTABLISHED 19944/imapd
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.65.75:41641   ESTABLISHED 17020/couriertls
tcp        0      0 ::ffff:216.83.111.30:993    ::ffff:67.223.67.41:50922   ESTABLISHED 8536/couriertls
tcp        0      0 ::ffff:216.83.111.30:143    ::ffff:208.102.21.13:50654  ESTABLISHED 24837/imapd
tcp        0      0 ::ffff:216.83.111.30:143    ::ffff:208.102.21.13:50655  ESTABLISHED 24838/imapd
tcp        0      0 ::ffff:216.83.111.30:995    ::ffff:71.67.100.132:49346  ESTABLISHED 24829/couriertls

Accepted Solution

by:Kerem ERSOY
ID: 24874483
OK then, since the process is totally visible to your OS, I guess this should be a false positive.

To verify this please try to telnet to your port 465:

telnet localhost 465

and observe if you can get Exim's prompt.

Then stop exim and rerun chkrootkit. If it does not detect the rootkit anymore it means that this is a false positive.
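As an added example (not part of the thread or of chkrootkit), the script below automates the cross-check described in the two answers above: it pulls the port numbers out of chkrootkit's "INFECTED (PORTS: ...)" line and looks each one up in netstat -anpt output to see whether a process visible to the OS owns it. The sample chkrootkit and netstat text is constructed from the lines posted in this thread; the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of the chkrootkit mail and the netstat -anpt output in the thread.
CHKROOTKIT_OUT='/usr/lib/php/.registry /usr/lib/php/.channels INFECTED (PORTS:  465)
You have     2 process hidden for readdir command'

NETSTAT_OUT='Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN      12550/exim
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      12588/exim
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      12833/httpd
tcp        0      0 :::8722                     :::*                        LISTEN      24938/sshd'

# Print the port numbers chkrootkit flagged, one per line (several ports may share one line).
flagged_ports() {
    printf '%s\n' "$1" | sed -n 's/.*INFECTED (PORTS:[[:space:]]*\([0-9 ]*\)).*/\1/p'
}

# Print the PID/Program of the first visible listener on a port, or "none".
# The port is the last colon-separated field of the local address (works for IPv4 and :::port).
listener_for() {
    port=$1
    ns=$2
    printf '%s\n' "$ns" | awk -v p="$port" '
        $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { print $7; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Triage every flagged port: a listener that netstat can see is the false-positive case
# the accepted answer describes; a flagged port with no visible owner deserves the
# offline investigation the earlier answer describes.
triage() {
    chk=$1
    ns=$2
    for port in $(flagged_ports "$chk"); do
        owner=$(listener_for "$port" "$ns")
        if [ "$owner" = "none" ]; then
            echo "port $port: no visible listener; possible hidden process, investigate offline"
        else
            echo "port $port: owned by $owner, visible to netstat; check its banner, likely false positive"
        fi
    done
}

triage "$CHKROOTKIT_OUT" "$NETSTAT_OUT"
```

On a live system replace the two constants with the real mail body and the current netstat -anpt output; on distributions that have dropped netstat, ss -lntp prints the same columns in a slightly different order, so adjust the awk field numbers.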