Urgent!!! My computer seems to be hacked, pls HELP!!! - SSH


Thread: Urgent!!! My computer seems to be hacked, pls HELP!!!

  1. Urgent!!! My computer seems to be hacked, pls HELP!!!

    Dear groups,

    My computer was told that it sent unusual packets from port 60609 to
    some computer with IP 61.50.138.237 port 22. (more than 20 flows per
    second!!!)

    I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
    2005", I use netstat to check services I open, only mysql, samba,
    vsftp, ssh, http.

    I check /var/log, message and security. I can't find any successful
    logging from others. But I do find many many attacks from 61.50.138.*
    (not including the one 61.50.138.237 which my computer attacked!!!),
    and none of them succeeds.

    I have some questions to ask all of you, please help me!!!

    1. Is my computer hacked? If not, then why does my computer send packets
    from port 60609 to some computer's port 22?

    2. If my computer is hacked, then what can I do? Is reinstalling the
    system the only way???


    THANK YOU VERY MUCH!!!


    Jenny


  2. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    "Jenny" writes:
    > Dear groups,
    >
    > My computer was told that it sent unusual packets from port 60609 to
    > some computer with IP 61.50.138.237 port 22. (more than 20 flows per
    > second!!!)
    >
    > I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
    > 2005", I use netstat to check services I open, only mysql, samba,
    > vsftp, ssh, http.
    >
    > I check /var/log, message and security. I can't find any successful
    > logging from others. But I do find many many attacks from 61.50.138.*
    > (not including the one 61.50.138.237 which my computer attacked!!!),
    > and none of them succeeds.
    >
    > I have some questions to ask all of you, please help me!!!
    >
    > 1. is my computer hacked? if no, then why my computer sends packets
    > from port 60609 to some computer port 22 ?


    If neither you nor any authorized user to your knowledge is using the
    machine then this ssh connection to an IP in china is very likely a
    compromise.

    > 2. if my computer is hacked, then what can I do? reinstalling the
    > system is the only way???


    Yup. It's the only way to get back to a known state. Wiping and
    reinstalling from original media.

    --
    Todd H.
    http://www.toddh.net/

  3. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!


    Todd H. wrote:
    > "Jenny" writes:
    > > Dear groups,
    > >
    > > My computer was told that it sent unusual packets from port 60609 to
    > > some computer with IP 61.50.138.237 port 22. (more than 20 flows per
    > > second!!!)
    > >
    > > I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
    > > 2005", I use netstat to check services I open, only mysql, samba,
    > > vsftp, ssh, http.
    > >
    > > I check /var/log, message and security. I can't find any successful
    > > logging from others. But I do find many many attacks from 61.50.138.*
    > > (not including the one 61.50.138.237 which my computer attacked!!!),
    > > and none of them succeeds.
    > >
    > > I have some questions to ask all of you, please help me!!!
    > >
    > > 1. is my computer hacked? if no, then why my computer sends packets
    > > from port 60609 to some computer port 22 ?

    >
    > If neither you nor any authorized user to your knowledge is using the
    > machine then this ssh connection to an IP in china is very likely a
    > compromise.
    >


    Do you mean that my computer is hacked???
    Well, is it possible that the computer is not hacked, but itself sends
    packets to some other computer automatically?

    Sorry, I think I am asking a stupid question, but this really confuses
    me!


    > > 2. if my computer is hacked, then what can I do? reinstalling the
    > > system is the only way???

    >
    > Yup. It's the only way to get back to a known state. Wiping and
    > reinstalling from original media.
    >
    > --
    > Todd H.
    > http://www.toddh.net/



  4. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    "Jenny" writes:

    > do you mean that my computer is hacked???


    If you are the only authorized user of this machine, yes.

    > well, is it possible that the computer is not hacked, but itself sends
    > packets to some other computer automatically?


    I'm afraid this would fall into the wishful thinking category. I wish
    I had better news.

    If you weren't hyper-vigilant about keeping up with patches/updates on
    your machine, you can be pretty sure you were hacked, I'm afraid.


    --
    Todd H.
    http://www.toddh.net/

  5. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!



    Jenny wrote:
    > Dear groups,
    >
    > My computer was told that it sent unusual packets from port 60609 to
    > some computer with IP 61.50.138.237 port 22. (more than 20 flows per
    > second!!!)
    >
    > I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
    > 2005", I use netstat to check services I open, only mysql, samba,
    > vsftp, ssh, http.
    >
    > I check /var/log, message and security. I can't find any successful
    > logging from others. But I do find many many attacks from 61.50.138.*
    > (not including the one 61.50.138.237 which my computer attacked!!!),
    > and none of them succeeds.
    >
    > I have some questions to ask all of you, please help me!!!
    >
    > 1. is my computer hacked? if no, then why my computer sends packets
    > from port 60609 to some computer port 22 ?


    Maybe, maybe not.
    Port 60609 is one of those ports your user processes are permitted to
    use.
    So, on your side, you have a user process calling out on port 60609.

    On the other side, port 22 is the port that SSH listens on.

    So, you have someone on your side running an SSH client that's talking
    to the SSH server on the 138.237 machine. Does anyone on your machine
    SSH into that outside machine? If so, then you may not have been
    "hacked".

    > 2. if my computer is hacked, then what can I do? reinstalling the
    > system is the only way???


    Take your machine off the network.

    (Optional) take a copy of your hd so that the criminal investigation
    has something to run forensics on

    Save any user data you feel necessary - note that it may be corrupt or
    suspect, as the intruder may have altered or corrupted your data.

    Delete everything, and reinstall from known good sources

    (Important) Secure your machine (firewalls, passwords, IDS apps, etc.)

    /Then/ you may consider putting the machine back on the network

    HTH

    --
    Lew Pitcher

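Lew's point is that 60609 is just an ephemeral client port and that a single ssh session looks exactly like this from the network; what made the report alarming was the rate, more than 20 new flows per second. As an added example (not from the thread), the Python below runs the kind of network-side check the OP's administrators presumably did over constructed flow records in a made-up line format (an assumption, not any vendor's NetFlow export), flagging source hosts that exceed a per-second rate of new TCP flows to port 22.

```python
"""Flag hosts that open outbound SSH connections at an abnormal rate.

Added example, not from the thread. Parses constructed flow records in a
simple line format (an assumption, not any vendor's NetFlow export) and
reports, per source host and per second, how many flows went to TCP port 22.
"""
from collections import defaultdict

# Constructed sample records: "<epoch_second> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>".
# Addresses are documentation ranges (RFC 5737); nothing here is from the thread.
BENIGN_FLOWS = [
    "1158158399 192.0.2.20:51234 -> 203.0.113.5:22 tcp",  # one interactive ssh login
    "1158158400 192.0.2.20:51240 -> 203.0.113.9:80 tcp",  # web traffic, ignored
    "1158158401 192.0.2.10:60700 -> 203.0.113.5:22 tcp",  # 3 flows in one second: below threshold
    "1158158401 192.0.2.10:60701 -> 203.0.113.5:22 tcp",
    "1158158401 192.0.2.10:60702 -> 203.0.113.5:22 tcp",
    "1158158401 192.0.2.10:60703 -> 203.0.113.5:22 udp",  # not TCP, ignored
]
# A burst of 25 SSH flows from one host in the same second, generated rather than typed out.
BURST_FLOWS = [
    f"1158158400 192.0.2.10:{60609 + i} -> 203.0.113.5:22 tcp" for i in range(25)
]
SAMPLE_FLOWS = BENIGN_FLOWS + BURST_FLOWS


def parse_flow(line):
    """Split one record into its fields; raises ValueError on a malformed line."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": int(ts),
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "proto": proto.lower(),
    }


def ssh_flows_per_second(lines, dst_port=22):
    """Count TCP flows to dst_port, keyed by (src_ip, dst_ip, second)."""
    counts = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dst_port"] != dst_port:
            continue
        counts[(f["src_ip"], f["dst_ip"], f["ts"])] += 1
    return dict(counts)


def flag_ssh_bursts(lines, threshold=20, dst_port=22):
    """Return sorted (src_ip, dst_ip, second, flows) tuples above the threshold.

    One interactive ssh session produces one flow. Tens of new flows per
    second from a single host to a single SSH server is what a scanner or
    password-guesser looks like from the network, which is the signal the
    OP's administrators reported.
    """
    counts = ssh_flows_per_second(lines, dst_port)
    return sorted(
        (src, dst, ts, n) for (src, dst, ts), n in counts.items() if n > threshold
    )


if __name__ == "__main__":
    for src, dst, ts, n in flag_ssh_bursts(SAMPLE_FLOWS):
        print(f"{ts}: {src} opened {n} SSH flows to {dst} in one second")
```

Because this runs over flow data collected off the host, it stays useful even when, as Todd notes later in the thread, binaries such as lsof on the machine itself can no longer be trusted.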


  6. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Lew Pitcher wrote:
    >
    > Jenny wrote:
    > > Dear groups,
    > >
    > > My computer was told that it sent unusual packets from port 60609 to
    > > some computer with IP 61.50.138.237 port 22. (more than 20 flows per
    > > second!!!)
    > >
    > > I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
    > > 2005", I use netstat to check services I open, only mysql, samba,
    > > vsftp, ssh, http.
    > >
    > > I check /var/log, message and security. I can't find any successful
    > > logging from others. But I do find many many attacks from 61.50.138.*
    > > (not including the one 61.50.138.237 which my computer attacked!!!),
    > > and none of them succeeds.
    > >
    > > I have some questions to ask all of you, please help me!!!
    > >
    > > 1. is my computer hacked? if no, then why my computer sends packets
    > > from port 60609 to some computer port 22 ?

    >
    > Maybe, maybe not.
    > Port 60609 is one of those ports your user processes are permitted to
    > use.
    > So, on your side, you have a user process calling out on port 60609.
    >
    > On the other side, port 22 is the port that SSH listens on.
    >
    > So, you have someone on your side running an SSH client that's talking
    > to the SSH server on the 138.237 machine. Does anyone on your machine
    > SSH into that outside machine? If so, then you may not have been
    > "hacked".
    >
    > > 2. if my computer is hacked, then what can I do? reinstalling the
    > > system is the only way???

    >
    > Take your machine off the network.
    >
    > (Optional) take a copy of your hd so that the criminal investigation
    > has something to run forensics on
    >
    > Save any user data you feel necessary - note that it may be corrupt or
    > suspect, as the intruder may have altered or corrupted your data.
    >
    > Delete everything, and reinstall from known good sources
    >
    > (Important) Secure your machine (firewalls, passwords, IDS apps, etc.)
    >
    > /Then/ you may consider putting the machine back on the network
    >
    > HTH
    >
    > --
    > Lew Pitcher
    >


    Thank you all of you!!!

    Now I conclude that my computer is hacked....


  7. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!


    Todd H. wrote:

    > "Jenny" writes:
    > > Dear groups,
    > >
    > > My computer was told that it sent unusual packets from port 60609 to
    > > some computer with IP 61.50.138.237 port 22. (more than 20 flows per
    > > second!!!)
    > >
    > > I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
    > > 2005", I use netstat to check services I open, only mysql, samba,
    > > vsftp, ssh, http.
    > >
    > > I check /var/log, message and security. I can't find any successful
    > > logging from others. But I do find many many attacks from 61.50.138.*
    > > (not including the one 61.50.138.237 which my computer attacked!!!),
    > > and none of them succeeds.
    > >
    > > I have some questions to ask all of you, please help me!!!
    > >
    > > 1. is my computer hacked? if no, then why my computer sends packets
    > > from port 60609 to some computer port 22 ?

    >
    > If neither you nor any authorized user to your knowledge is using the
    > machine then this ssh connection to an IP in china is very likely a
    > compromise.
    >
    > > 2. if my computer is hacked, then what can I do? reinstalling the
    > > system is the only way???

    >
    > Yup. It's the only way to get back to a known state. Wiping and
    > reinstalling from original media.


    But that's not needed, you can find which process is using that
    particular port and kill it (use lsof). Then run a rootkit detection
    and/or anti-virus detection to try to find out where that process came
    from (there are several to choose from). Before that I would harden
    ssh access, no access except your user.

    HTH
    --
    René Berber


  8. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    "René Berber" writes:

    > Todd H. wrote:
    > > Yup. It's the only way to get back to a known state. Wiping and
    > > reinstalling from original media.

    >
    > But that's not needed, you can find which process is using that
    > particular port and kill it (use lsof).


    BUT, that assumes lsof hasn't been replaced.

    If someone has compromised your box, all bets are off. Rootkits, and
    kernel-mode rootkits in particular, are sufficiently advanced (many are
    impossible to detect) that if you've been owned, especially if your
    admin account has been compromised, you have to flatten and rebuild
    from original media.

    > Then run a rootkit detection and/or anti-virus detection to try to
    > find out where that process came from (there are several to choose
    > from).


    Good luck with that. There's plenty of malware out there that evades
    AV detection and rootkit detection. All your detectors can tell you
    is whether you have malware that they know about. There's plenty they
    don't know about (or which has been repacked in order to evade
    detection).

    Flatten and rebuild from original media. As I stated, it's the only
    way to get back to a known state.

    --
    Todd H.
    http://www.toddh.net/

  9. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    On 2006-09-13 16:52:59 +0200, "Jenny" said:

    > Dear groups,
    >
    > My computer was told that it sent unusual packets from port 60609 to
    > some computer with IP 61.50.138.237 port 22. (more than 20 flows per
    > second!!!) [...]


    As almost everybody here told you, I'd wipe out the OS; you cannot trust
    *ANY* binary in that system anymore.

    --
    Sensei

    Research (n.): a discovery already published by a Chinese guy one month
    before you, copying a Russian who did it in the 60s.


  10. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    "René Berber" typed:
    > Todd H. wrote:
    >> Yup. It's the only way to get back to a known state. Wiping and
    >> reinstalling from original media.

    >
    > But that's not needed, you can find which process is using that
    > particular port and kill it (use lsof). Then run a rootkit
    > detection and/or anti-virus detection to try to find out where that
    > process came from (there are several to choose from). Before that I
    > would harden ssh access, no access except your user.


    Reinstalling (and rebuilding) a system is far easier and quicker than
    figuring out how deep and thorough the compromise is and cleaning the
    system to some reasonable extent.

    --
    Ayaz Ahmed Khan

    Then, gently touching my face, she hesitated for a moment as her
    incredible eyes poured forth into mine love, joy, pain, tragedy,
    acceptance, and peace. "'Bye for now," she said warmly.
    -- Thea Alexander, "2150 A.D."


  11. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Ayaz Ahmed Khan writes:

    > "René Berber" typed:
    >> Todd H. wrote:
    >>> Yup. It's the only way to get back to a known state. Wiping and
    >>> reinstalling from original media.

    >>
    >> But that's not needed, you can find which process is using that
    >> particular port and kill it (use lsof). Then run a rootkit
    >> detection and/or anti-virus detection to try to find out where that
    >> process came from (there are several to choose from). Before that I
    >> would harden ssh access, no access except your user.

    >
    > Reinstalling (and rebuilding) a system is far easier and quicker than
    > figuring out how deep and thorough the compromise is and cleaning the
    > system to some reasonable extent.


    If the OP's like me, they are loath to do this not for the basic OS
    install, but for the dozens or perhaps hundreds of other
    upgrades/applications/tweaks that they've performed since they first
    installed their OS. If I had to re-install, it would probably chew
    up a week of my time to reconfigure everything back just the way it
    was.
    --
    % Randy Yates % "How's life on earth?
    %% Fuquay-Varina, NC % ... What is it worth?"
    %%% 919-577-9882 % 'Mission (A World Record)',
    %%%% % *A New World Record*, ELO
    http://home.earthlink.net/~yatescr

  12. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!


    Todd H. wrote:

    > René Berber writes:
    >
    > > Todd H. wrote:
    > > > Yup. It's the only way to get back to a known state. Wiping and
    > > > reinstalling from original media.

    > >
    > > But that's not needed, you can find which process is using that
    > > particular port and kill it (use lsof).

    >
    > BUT, that assumes lsof hasn't been replaced.


    Are we getting paranoid? So what if it was replaced, is it going to lie
    and you are not going to catch the lie? Granted you need some
    experience, knowledge and/or outside help.

    > If someone has compromised your box, all bets are off. Rootkits, and
    > kernel-mode rootkits in particular, are sufficiently advanced (many are
    > impossible to detect) that if you've been owned, especially if your
    > admin account has been compromised, you have to flatten and rebuild
    > from original media.
    >
    > > Then run a rootkit detection and/or anti-virus detection to try to
    > > find out where that process came from (there are several to choose
    > > from).

    >
    > Good luck with that. There's plenty of malware out there that evades
    > AV detection and rootkit detection. All your detectors can tell you
    > is whether you have malware that they know about. There's plenty they
    > don't know about (or which has been repacked in order to evade
    > detection).


    Do you have any experience at all?

    "Evade detection", you must be kidding. FYI most rootkits are very
    simple, they install a modified telnet or ssh and some scripts, that's
    it; and any good anti-virus detects those and you have the option of
    using things like tripwire so you don't even need anti-virus.

    If you really want to do things carefully, you can boot from a CD and
    check your drive from there. There are several options for the CD, I
    have "System Rescue CD".

    > Flatten and rebuild from original media. As I stated, it's the only
    > way to get back to a known state.

    --
    R.Berber


  13. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    On Thu, 14 Sep 2006 23:20:22 GMT, Randy Yates wrote:

    >Ayaz Ahmed Khan writes:
    >
    >> "René Berber" typed:
    >>> Todd H. wrote:
    >>>> Yup. It's the only way to get back to a known state. Wiping and
    >>>> reinstalling from original media.
    >>>
    >>> But that's not needed, you can find which process is using that
    >>> particular port and kill it (use lsof). Then run a rootkit
    >>> detection and/or anti-virus detection to try to find out where that
    >>> process came from (there are several to choose from). Before that I
    >>> would harden ssh access, no access except your user.

    >>
    >> Reinstalling (and rebuilding) a system is far easier and quicker than
    >> figuring out how deep and thorough the compromise is and cleaning the
    >> system to some reasonable extent.

    >
    >If the OP's like me, they are loath to do this not for the basic OS
    >install, but for the dozens or perhaps hundreds of other
    >upgrades/applications/tweaks that they've performed since they first
    >installed their OS.


    So?

    tar cvzf .../backup-config.tar.gz /etc /boot/config-*

    Wipe OS partition (6Ps) re-install OS, unpack backup-config to /tmp
    and cherry pick custom .conf files --> take me less than an hour to
    reinstall router with this technique.

    Reminds me, take a backup now

    > If I had to re-install, it would probably chew
    >up a week of my time to reconfigure everything back just the way it
    >was.


    That's just plain pessimistic or bad planning. If you have separate
    /home and /usr/local partitions, replacing the OS is a snap...

    Grant.
    --
    http://bugsplatter.mine.nu/

  14. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    "René Berber" writes:
    > Todd H. wrote:
    >
    > > René Berber writes:
    > >
    > > > Todd H. wrote:
    > > > > Yup. It's the only way to get back to a known state. Wiping and
    > > > > reinstalling from original media.
    > > >
    > > > But that's not needed, you can find which process is using that
    > > > particular port and kill it (use lsof).

    > >
    > > BUT, that assumes lsof hasn't been replaced.

    >
    > Are we getting paranoid? So what if it was replaced, is it going to
    > lie and you are not going to catch the lie? Granted you need some
    > experience, knowledge and/or outside help.


    Rene have you ever done forensic analysis on a system that had been
    infected with a kernel mode rootkit installed? Do you work with folks
    in a security operations center, or have a team at your company that
    responds to incidents? You may need to widen your circle of
    colleagues.

    > Do you have any experience at all?


    Honestly, I was just wondering the same about you.

    If you think that there isn't stealth malware out there and kernel
    mode rootkits that can't be detected, I think you need to figure out
    what exactly "0day" code is, why it's prized in the black hat
    community, and just how much of it is out there that AV and IDS
    vendors don't yet know about.

    Your mentality may get you cleaned up from a script kiddie attack, but
    for all you know, you're probably working right now on a machine owned
    by someone with just a little more knowledge than a script kiddie.

    > "Evade detection", you must be kidding.


    Nope.

    Arguing against flattening and rebuilding a compromised system? You
    must be kidding.

    > FYI most rootkits are very simple, they install a modified telnet or
    > ssh and some scripts, that's it;


    Most are. It's the rest your method is gonna screw ya hard if you
    think you can use bandaids to patch up a compromised machine with
    cancer.

    > and any good anti-virus detects those and you have the option of
    > using things like tripwire so you don't even need anti-virus.


    Antivirus? Oh dear god--are you a windows drone?

    Tripwire is great if you're using it already. But reread the original
    post--what are the odds that the OP is a) using it and b) monitoring
    changed files on a regular basis and c) able to undo anything that's
    done? And here's the deal, if someone owns your system with a kernel
    mode rootkit and can intercept library calls coming from a program
    like tripwire, tripwire can be made to hum along like nothing is the
    matter. That of course you could get around running the analysis from
    a bootable CD.

    > If you really want to do things carefully, you can boot from a CD
    > and check your drive from there. There are several options for the
    > CD, I have "System Rescue CD".


    Did you get a Hello Kitty sticker when you burned that CD?
    If you think it's gonna clean you up from anything more than script
    kiddie stuff, you have got a lot of learning to do.

    Auditor and Helix would be better choices.

    Sorry, I don't mean to shred you but you are strenuously clinging to
    an asinine position on this one.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  15. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Grant writes:

    > On Thu, 14 Sep 2006 23:20:22 GMT, Randy Yates wrote:
    >
    >>Ayaz Ahmed Khan writes:
    >>
    >>> "René Berber" typed:
    >>>> Todd H. wrote:
    >>>>> Yup. It's the only way to get back to a known state. Wiping and
    >>>>> reinstalling from original media.
    >>>>
    >>>> But that's not needed, you can find which process is using that
    >>>> particular port and kill it (use lsof). Then run a rootkit
    >>>> detection and/or anti-virus detection to try to find out where that
    >>>> process came from (there are several to choose from). Before that I
    >>>> would harden ssh access, no access except your user.
    >>>
    >>> Reinstalling (and rebuilding) a system is far easier and quicker than
    >>> figuring out how deep and thorough the compromise is and cleaning the
    >>> system to some reasonable extent.

    >>
    >>If the OP's like me, they are loath to do this not for the basic OS
    >>install, but for the dozens or perhaps hundreds of other
    >>upgrades/applications/tweaks that they've performed since they first
    >>installed their OS.

    >
    > So?
    >
    > tar cvzf .../backup-config.tar.gz /etc /boot/config-*


    Ha! And you think that's all there is to it? What about
    all the libraries and sym links strung all over heck?

    > Wipe OS partition (6Ps)


    6Ps?

    > re-install OS, unpack backup-config to /tmp
    > and cherry pick custom .conf files


    Oh yeah - that's going to be a picnic. I just
    did a count in my /etc and I have 405 configuration
    files.

    > --> take me less than an hour to
    > reinstall router with this technique.


    I'm happy for you, Grant. Really. But I don't think that
    would be the case for me.

    > Reminds me, take a backup now


    Always a good idea.

    >> If I had to re-install, it would probably chew
    >>up a week of my time to reconfigure everything back just the way it
    >>was.

    >
    > That's just plain pessimistic or bad planning.


    And I think you're being optimistic.

    > If you have separate
    > /home and /usr/local partitions, replacing the OS is a snap...


    Although I couldn't name a specific one, I bet there are more than a
    few local apps that install themselves in /usr/bin and whatever other
    non-standard locations, and they don't ask the installer's permission
    for it.

    I've been wondering lately if there's some God-send utility that would
    track installs for the purpose of alleviating the pain of such
    reinstalls.
    --
    % Randy Yates % "She's sweet on Wagner-I think she'd die for Beethoven.
    %% Fuquay-Varina, NC % She love the way Puccini lays down a tune, and
    %%% 919-577-9882 % Verdi's always creepin' from her room."
    %%%% % "Rockaria", *A New World Record*, ELO
    http://home.earthlink.net/~yatescr

  16. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    René Berber wrote:

    >> > Then run a rootkit detection and/or anti-virus detection to try to
    >> > find out where that process came from (there are several to choose
    >> > from).

    >>
    >> Good luck with that. There's plenty of malware out there that evades
    >> AV detection and rootkit detection. All your detectors can tell you
    >> is whether you have malware that they know about. There's plenty they
    >> don't know about (or which has been repacked in order to evade
    >> detection).


    > Do you have any experience at all?


    > "Evade detection", you must be kidding. FYI most rootkits are very
    > simple, they install a modified telnet or ssh and some scripts, that's
    > it; and any good anti-virus detects those and you have the option of
    > using things like tripwire so you don't even need anti-virus.


    Ouch. So now you're assuming no one has ever used a basically
    unmodified rootkit and additionally placed a 'stealth' component on the
    target. It'll make you feel nice and happy when you find and "remove"
    the rootkit, but you won't be any less vulnerable.

    > If you really want to do things carefully, you can boot from a CD and
    > check your drive from there. There are several options for the CD, I
    > have "System Rescue CD".


    Unless the CD nukes any unknown (read non-OS) executable on the drive or
    you have some known state to compare against (a la tripwire), I don't
    see how you can effectively check a drive. It's certainly possible, but
    requires you've done work before the attack. Afterward is too late.

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >
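Darren's point, that you need a known state recorded before the attack, is what tripwire automates. As an added example (neither the thread's nor tripwire's own code), the Python below records a baseline manifest of SHA-256 digests, sizes and modes for a directory tree and later reports added, removed and modified files; the demo uses a constructed temporary tree, and it assumes the baseline is stored off the host and that, as Todd says, the comparison is run from trusted boot media rather than from the possibly rootkitted system.

```python
"""Baseline-and-compare file integrity check in the spirit of tripwire.

Added example, not from the thread and not tripwire's own code. Builds a
manifest of SHA-256 digests for a directory tree, then compares a later
manifest against it to list added, removed and modified files. The demo uses
a constructed temporary tree; the assumption is that the baseline was recorded
before any compromise and is kept off the host.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Digest a file in chunks so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root) to its digest, size and mode."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files need their own handling
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {
                "sha256": sha256_of(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # a setuid bit flipping is also a change
            }
    return manifest


def compare_manifests(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: record a baseline, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "lsof"), "w") as fh:
            fh.write("#!/bin/sh\necho genuine lsof\n")
        with open(os.path.join(root, "etc", "ssh_config"), "w") as fh:
            fh.write("Port 22\n")
        with open(os.path.join(root, "etc", "motd"), "w") as fh:
            fh.write("welcome\n")
        baseline = build_manifest(root)
        saved = json.dumps(baseline, sort_keys=True)  # would be stored off-host

        # Tampering of the kind a trojaned-binary rootkit does: replace a
        # system tool, drop a new file, delete another.
        with open(os.path.join(root, "bin", "lsof"), "w") as fh:
            fh.write("#!/bin/sh\necho trojaned lsof\n")
        with open(os.path.join(root, "bin", "extra"), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare_manifests(json.loads(saved), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest that lives on the compromised disk, or a comparison run under the host's own kernel, can be lied to just like lsof; the check only means something when both the baseline and the checker come from outside the machine.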

  17. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    Randy Yates writes:

    > I've been wondering lately if there's some God-send utility that would
    > track installs for the purpose of alleviating the pain of such
    > reinstalls.


    The intricacies you cite are among the reasons manual compile and
    installation is troublesome.

    On the Linux platform anyway, package managers (emerge, yum, rpm, apt)
    attempt to be the god-send utility. A Gentoo Linux user would hardly
    stop himself from yelling "Emerge!" and running down the street as a
    solution. In Gentoo, you can emerge almost anything you might want to
    run. Of course you have to wait for it to compile, which is painful
    for large packages. But the source code basis of it all makes the
    dependencies work remarkably nicely for rebuilding.

    If you have a distro with a nice enough package manager, reinstalling
    becomes a task of running a script of package manager commands to get
    all the packages you want, restoring a known good backup of /home, and
    a known-good backup of /etc.

    But folks struggling with their first linux systems and navigating a
    confusing mess of documentation on the net all referring to different
    distributions and older versions of software are unlikely to have a
    clean, easy to restore system, it's true! And windows users... oy.
    Unless you have a slipstream installation CD made or a Ghost image
    backup that you can absolutely trust, reinstalling and transferring
    data is a royal PITA and well beyond the knowledge of the users who
    are most in need of doing such a reinstall.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  18. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!


    Darren Dunham wrote:
    > René Berber wrote:
    >
    > >> > Then run a rootkit detection and/or anti-virus detection to try to
    > >> > find out where that process came from (there are several to choose
    > >> > from).
    > >>
    > >> Good luck with that. There's plenty of malware out there that evades
    > >> AV detection and rootkit detection. All your detectors can tell you
    > >> is whether you have malware that they know about. There's plenty they
    > >> don't know about (or which has been repacked in order to evade
    > >> detection).

    >
    > > Do you have any experience at all?

    >
    > > "Evade detection", you must be kidding. FYI most rootkits are very
    > > simple, they install a modified telnet or ssh and some scripts, that's
    > > it; and any good anti-virus detects those and you have the option of
    > > using things like tripwire so you don't even need anti-virus.

    >
    > Ouch. So now you're assuming no one has ever used a basically
    > unmodified rootkit and additionally placed a 'stealth' component on the
    > target. It'll make you feel nice and happy when you find and "remove"
    > the rootkit, but you won't be any less vulnerable.


    Assuming? Do you see any assumptions above? Basically unmodified
    rootkit? A rootkit is a class not a singleton.

    > > If you really want to do things carefully, you can boot from a CD and
    > > check your drive from there. There are several options for the CD, I
    > > have "System Rescue CD".

    >
    > Unless the CD nukes any unknown (read non-OS) executable on the drive or
    > you have some known state to compare against (a la tripwire), I don't
    > see how you can effectively check a drive. It's certainly possible, but
    > requires you've done work before the attack. Afterward is too late.


    Not true, and it really makes no sense continuing to discuss this.
    --
    R.Berber


  19. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!


    Todd H. wrote:
    > René Berber writes:
    > > Todd H. wrote:
    > >
    > > > René Berber writes:
    > > >
    > > > > Todd H. wrote:
    > > > > > Yup. It's the only way to get back to a known state. Wiping and
    > > > > > reinstalling from original media.
    > > > >
    > > > > But that's not needed, you can find which process is using that
    > > > > particular port and kill it (use lsof).
    > > >
    > > > BUT, that assumes lsof hasn't been replaced.
    > >
    > > Are we getting paranoid? So what if it was replaced, is it going to
    > > lie and you are not going to catch the lie? Granted you need some
    > > experience, knowledge and/or outside help.
    >
    > Rene have you ever done forensic analysis on a system that had been
    > infected with a kernel mode rootkit installed? Do you work with folks
    > in a security operations center, or have a team at your company that
    > responds to incidents? You may need to widen your circle of
    > colleagues.
    >
    > > Do you have any experience at all?
    >
    > Honestly, I was just wondering the same about you.


    Yes I do.

    > If you think that there aren't stealth malware out there and kernel
    > mode rootkits that can't be detected, I think you need to figure out
    > what exactly "0day" code is, why it's prized in the black hat
    > community, and just how much of it is out there that AV and IDS
    > vendors don't yet know about.
    >
    > Your mentality may get you cleaned up from a script kiddie attack, but
    > for all you know, you're probably working right now on a machine owned
    > by someone with just a little more knowledge than a script kiddie.
    >
    > > "Evade detection", you must be kidding.
    >
    > Nope.
    >
    > Arguing against flattening and rebuilding a compromised system? You
    > must be kidding.
    >
    > > FYI most rootkits are very simple, they install a modified telnet or
    > > ssh and some scripts, that's it;
    >
    > Most are. It's the rest your method is gonna screw ya hard if you
    > think you can use bandaids to patch up a compromised machine with
    > cancer.


    So, you kill the patient in case he has cancer, if he didn't, oh too
    bad. In other words, don't you think you should at least try to see
    how bad the computer was hacked, hey it is even possible that it was
    one of those "script kiddies" that you mention.

    On the practical side, as mentioned in other message, how much time
    will it take to diagnose the problem? how much to re-install?

    Bottom line, I do agree that there will be situations where you are
    better off installing from scratch but, if you know what you are doing,
    that will not be 100% of the time.

    > > and any good anti-virus detects those and you have the option of
    > > using things like tripwire so you don't even need anti-virus.
    >
    > Antivirus? Oh dear god--are you a windows drone?


    Who mentioned Windows? Oh, I see, your famous kernel mode rootkits
    seem to affect Windows mostly, no wonder I've never seen one of those.

    > Tripwire is great if you're using it already. But reread the original
    > post--what are the odds that the OP is a) using it and b) monitoring
    > changed files on a regular basis and c) able to undo anything that's
    > done? And here's the deal, if someone owns your system with a kernel
    > mode rootkit and can intercept library calls coming from a program
    > like tripwire, tripwire can be made to hum along like nothing is the
    > matter. That of course you could get around running the analysis from
    > a bootable CD.
    >
    > > If you really want to do things carefully, you can boot from a CD
    > > and check your drive from there. There are several options for the
    > > CD, I have "System Rescue CD".
    >
    > Did you get a Hello Kitty sticker when you burned that CD?


    Is that supposed to be funny? Is this thread amusing to you?

    > If you think it's gonna clean you up from anything more than script
    > kiddie stuff, you have got a lot of learning to do.
    >
    > Auditor and Helix would be better choices.
    >
    > Sorry, I don't mean to shred you but you are strenuously clinging to
    > an asinine position on this one.


    So, do you have any experience or just FUD?
    --
    R.Berber
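    The exchange above turns on whether a tool like lsof can be trusted once it may have been replaced. One way to cross-check it on Linux is to read the kernel's own socket table directly. The following is an added example, not code from either poster; it assumes Linux /proc (IPv4 table only, little-endian address encoding as on x86) and uses a constructed /proc/net/tcp sample in which local 10.0.2.15:60609 (an assumed address) is connected to 61.50.138.237:22 as in the OP's report. The caveat Todd raises still holds: a kernel-mode rootkit can filter /proc just as easily as it can swap out lsof, so a clean answer from a live system only rules out userland tampering.

```sh
#!/bin/sh
# Added example: map an outbound TCP connection to its owning process by
# reading /proc directly, independent of lsof/netstat binaries on disk.
# Assumes Linux /proc; IPv4 only. Kernel-level hiding defeats this too.

# Constructed sample of /proc/net/tcp. Row 0: mysql listening on
# 127.0.0.1:3306 (0100007F:0CEA, state 0A = LISTEN). Row 1: the thread's
# scenario, 10.0.2.15:60609 (0F02000A:ECC1) -> 61.50.138.237:22
# (ED8A323D:0016), state 01 = ESTABLISHED, uid 500, socket inode 67890.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:ECC1 ED8A323D:0016 01 00000000:00000000 00:00000000 00000000   500        0 67890 1 0000000000000000 20 4 30 10 -1'

# decode_addr HEXADDR:HEXPORT -> dotted.quad:port
# The address bytes are stored in host (little-endian) order, so the last
# two hex digits are the first octet.
decode_addr() {
    h=${1%%:*}; p=${1##*:}
    o1=${h#??????}
    t=${h%??};   o2=${t#????}
    t=${h%????}; o3=${t#??}
    o4=${h%??????}
    printf '%d.%d.%d.%d:%d' "$((0x$o1))" "$((0x$o2))" "$((0x$o3))" "$((0x$o4))" "$((0x$p))"
}

# conn_for_local_port PORT [TABLE] -> "<inode> <remote hexaddr:hexport>"
# for the ESTABLISHED socket bound to PORT. TABLE defaults to the live file.
conn_for_local_port() {
    hexport=$(printf '%04X' "$1")
    table=${2:-$(cat /proc/net/tcp)}
    printf '%s\n' "$table" | awk -v want="$hexport" '
        NR > 1 && $4 == "01" {
            split($2, a, ":")
            if (a[2] == want) { print $10, $3; exit }
        }'
}

# pid_for_inode INODE -> pid whose fd table holds socket:[INODE] (live /proc).
# Only root can read other users' fd links, so run this as root.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            p=${fd#/proc/}; echo "${p%%/*}"; return 0
        fi
    done
    return 1
}

# report PORT [TABLE] -> one human-readable line. With no TABLE it reads
# the live /proc/net/tcp; the pid lookup always uses the live /proc.
report() {
    conn=$(conn_for_local_port "$1" "$2")
    [ -n "$conn" ] || { echo "no established socket on local port $1"; return 1; }
    inode=${conn%% *}
    remote=$(decode_addr "${conn#* }")
    pid=$(pid_for_inode "$inode") || pid="(not found in /proc/*/fd)"
    echo "local port $1 -> $remote  inode=$inode  pid=$pid"
}

if [ "${1:-}" = "--demo" ]; then
    report 60609 "$SAMPLE_TCP"
fi
```

    With `--demo` the sample table is used, so the pid lookup will report "not found" on any machine that does not actually hold that socket; without `--demo`, `report 60609` run as root reads the live table. Once a pid is found, `/proc/<pid>/exe`, `cmdline` and `cwd` say what is making the connections; if lsof and this script disagree, that disagreement is itself the finding.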


  20. Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

    "René Berber" writes:

    > So, you kill the patient in case he has cancer, if he didn't, oh too
    > bad.


    Nah, you don't kill it--you reincarnate it. We have that luxury with
    computers.

    > In other words, don't you think you should at least try to see
    > how bad the computer was hacked, hey it is even possible that it was
    > one of those "script kiddies" that you mention.


    Once you see that someone got in, got access to an account and started
    establishing ssh connections to China, (as in this case), yeah, I'm
    saying "It's time to crack out the installation media and fdisk."

    > Bottom line, I do agree that there will be situations where you are
    > better off installing from scratch but, if you know what you are
    > doing, that will not be 100% of the time.


    I agree that you can make a calculated risk mitigated decision that
    says "well, if I am still owned through a toehold that I cannot
    presently detect with the system rescue CD I got in my box of
    Cheerios, I'm willing to live with that if the cost of my rebuild is
    this much. I'll take some time and try to get rid of the low hanging
    fruit I can find and hope for the best." These are business
    realities.

    But, if you want to be certain you got everything, you flatten and
    reinstall from original media. A lot of businesses and individuals
    are fairly risk averse, and if they are not, perhaps they should be.

    > > Antivirus? Oh dear god--are you a windows drone?
    >
    > Who mentioned Windows?


    Is anti-virus a required piece of software on machines other than
    Windows?

    > > Did you get a Hello Kitty sticker when you burned that CD?
    >
    > Is that supposed to be funny? Is this thread amusing to you?


    You mean, let me understand this cause, ya know maybe it's me, I'm a
    little fscked up maybe, but I'm funny how, I mean funny like I'm a
    clown, I amuse you? I make you laugh, I'm here to fsckin' amuse you?
    What do you mean funny, funny how? How am I funny?

    > So, do you have any experience or just FUD?


    Nah, it's all just FUD. I'm a college student who rented a copy of
    Hackers last weekend and my mind's been abuzz ever since. ;-)

    --
    Todd H.
    http://www.toddh.net/
