rkhunter detected a rootkit. What do I do now?

Started by cabruca, 10 September 2010, 12:39


cabruca

Folks,

I always follow Planeta Ubuntu Brasil to try to keep myself up to date.

Today I saw a post there talking about rootkits, using rkhunter.

The log (see below) gave some warnings (I deleted some of the "OK" lines because of the message size).

I'm worried, because I use this notebook for Banco do Brasil. What should I do? I ran lsof -i, but didn't understand any of it.

Quote:
[10:13:41] Running Rootkit Hunter version 1.3.6 on laptop
[10:13:41]
[10:13:41] Info: Start date is Sex Set 10 10:13:41 BRT 2010
[10:13:41]
[10:13:41] Checking configuration file and command-line options...
[10:13:41] Info: Detected operating system is 'Linux'
[10:13:41] Info: Found O/S name: Ubuntu 10.04.1 LTS
[10:13:41] Info: Command line is /usr/bin/rkhunter -c
[10:13:41] Info: Environment shell is /bin/bash; rkhunter is using dash
[10:13:41] Info: Using configuration file '/etc/rkhunter.conf'
[10:13:41] Info: Installation directory is '/usr'
[10:13:41] Info: Using language 'en'
[10:13:41] Info: Using '/var/lib/rkhunter/db' as the database directory
[10:13:41] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
[10:13:41] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /usr/X11R6/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[10:13:41] Info: Using '/' as the root directory by default
[10:13:41] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[10:13:41] Info: No mail-on-warning address configured
[10:13:41] Info: X will be automatically detected
[10:13:41] Info: Using second color set
[10:13:41] Info: Found the 'basename' command: /usr/bin/basename
[10:13:41] Info: Found the 'diff' command: /usr/bin/diff
[10:13:41] Info: Found the 'dirname' command: /usr/bin/dirname
[10:13:41] Info: Found the 'file' command: /usr/bin/file
[10:13:41] Info: Found the 'find' command: /usr/bin/find
[10:13:41] Info: Found the 'ifconfig' command: /sbin/ifconfig
[10:13:41] Info: Found the 'ip' command: /sbin/ip
[10:13:41] Info: Found the 'ldd' command: /usr/bin/ldd
[10:13:41] Info: Found the 'lsattr' command: /usr/bin/lsattr
[10:13:42] Info: Found the 'lsmod' command: /sbin/lsmod
[10:13:42] Info: Found the 'lsof' command: /usr/bin/lsof
[10:13:42] Info: Found the 'mktemp' command: /bin/mktemp
[10:13:42] Info: Found the 'netstat' command: /bin/netstat
[10:13:42] Info: Found the 'perl' command: /usr/bin/perl
[10:13:42] Info: Found the 'pgrep' command: /usr/bin/pgrep
[10:13:42] Info: Found the 'ps' command: /bin/ps
[10:13:42] Info: Found the 'pwd' command: /bin/pwd
[10:13:42] Info: Found the 'readlink' command: /bin/readlink
[10:13:42] Info: Found the 'sort' command: /usr/bin/sort
[10:13:42] Info: Found the 'stat' command: /usr/bin/stat
[10:13:42] Info: Found the 'strings' command: /usr/bin/strings
[10:13:42] Info: Found the 'uniq' command: /usr/bin/uniq
[10:13:42] Info: System is not using prelinking
[10:13:42] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[10:13:42] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[10:13:42] Info: Stored hash values did not use a package manager
[10:13:42] Info: The hash function field index is set to 1
[10:13:42] Info: No package manager specified: using hash function '/usr/bin/sha1sum'
[10:13:42] Info: Previous file attributes were stored
[10:13:42] Info: Enabled tests are: all
[10:13:42] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps apps
[10:13:42] Info: Found ksym file '/proc/kallsyms'
[10:13:42] Info: Using 'date' to process epoch second times.
[10:13:42]
[10:13:42] Checking if the O/S has changed since last time...
[10:13:42] Info: Nothing seems to have changed
[10:13:42] Info: Locking is not being used
[10:13:42]
[10:13:46] Performing file properties checks
[10:13:46] Info: Starting test name 'properties'
[10:13:47] /bin/egrep                                        [ OK ]
[10:13:47] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.
[10:13:48] /bin/fgrep                                        [ OK ]
[10:13:48] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.
[10:13:50] /bin/which                                        [ OK ]
[10:13:50] Info: Found file '/bin/which': it is whitelisted for the 'script replacement' check.
[10:13:52] /usr/bin/groups                                   [ OK ]
[10:13:52] Info: Found file '/usr/bin/groups': it is whitelisted for the 'script replacement' check.
[10:13:52] /usr/bin/head                                     [ OK ]
[10:13:53] /usr/bin/ldd                                      [ OK ]
[10:13:53] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.
[10:13:53] /usr/bin/less                                     [ OK ]
[10:13:57] /usr/bin/gawk                                     [ OK ]
[10:13:57] /usr/bin/lwp-request                              [ OK ]
[10:13:57] Info: Found file '/usr/bin/lwp-request': it is whitelisted for the 'script replacement' check.
[10:13:57] /usr/bin/bsd-mailx                                [ OK ]
[10:13:57] /usr/bin/w.procps                                 [ OK ]
[10:14:00] /sbin/sysctl                                      [ OK ]
[10:14:00] /usr/sbin/adduser                                 [ OK ]
[10:14:00] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[10:14:00] /usr/sbin/chroot                                  [ OK ]
[10:14:00] /usr/sbin/cron                                    [ OK ]
[10:14:09]
[10:14:50]   Checking for possible rootkit files and directories [ None found ]
[10:14:50]
[10:14:50]   Performing check for possible rootkit strings
[10:14:50] Info: Starting test name 'possible_rkt_strings'
[10:14:50] Info: Using system startup paths: /etc/rc.local /etc/init.d
[10:14:50]     Checking for string 'phalanx'                 [ Not found ]
[10:14:50]     Checking for string '/dev/proc/fuckit'        [ Not found ]
[10:15:00]
[10:15:00] Performing malware checks
[10:15:00] Info: Starting test name 'malware'
[10:15:00]
[10:15:00] Info: Test 'deleted_files' disabled at users request.
[10:15:00] Info: Starting test name 'running_procs'
[10:15:01]   Checking running processes for suspicious files [ None found ]
[10:15:01]
[10:15:01] Info: Test 'hidden_procs' disabled at users request.
[10:15:01]
[10:15:01] Info: Test 'suspscan' disabled at users request.
[10:15:01]
[10:15:01]   Performing check for login backdoors
[10:15:01] Info: Starting test name 'other_malware'
[10:15:01]     Checking for '/bin/.login'                    [ Not found ]
[10:15:01]     Checking for '/sbin/.login'                   [ Not found ]
[10:15:01]   Checking for login backdoors                    [ None found ]
[10:15:01]
[10:15:01]   Performing check for suspicious directories
[10:15:01]     Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[10:15:01]     Checking for directory '/dev/rd/cdb'          [ Not found ]
[10:15:01]   Checking for suspicious directories             [ None found ]
[10:15:01]
[10:15:01]   Checking for software intrusions                [ Skipped ]
[10:15:01] Info: Check skipped - tripwire not installed
[10:15:01]
[10:15:01]   Performing check for sniffer log files
[10:15:01]     Checking for file '/usr/lib/libice.log'       [ Not found ]
[10:15:01]     Checking for file '/dev/prom/sn.l'            [ Not found ]
[10:15:01]     Checking for file '/dev/fd/.88/zxsniff.log'   [ Not found ]
[10:15:01]   Checking for sniffer log files                  [ None found ]
[10:15:01]
[10:15:01] Performing trojan specific checks
[10:15:01] Info: Starting test name 'trojans'
[10:15:01] Info: Using inetd configuration file '/etc/inetd.conf'
[10:15:01]   Checking for enabled inetd services             [ OK ]
[10:15:02]
[10:15:02]   Performing check for enabled xinetd services
[10:15:02]   Checking for enabled xinetd services            [ Skipped ]
[10:15:02] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[10:15:02] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[10:15:02]
[10:15:02] Performing Linux specific checks
[10:15:02] Info: Starting test name 'os_specific'
[10:15:02]   Checking loaded kernel modules                  [ OK ]
[10:15:02] Info: Using modules pathname of '/lib/modules/2.6.32-25-generic'
[10:15:02]   Checking kernel module names                    [ OK ]
[10:15:05]
[10:15:05] Checking the network...
[10:15:05] Info: Starting test name 'network'
[10:15:05] Info: Starting test name 'ports'
[10:15:05]
[10:15:05] Performing check for backdoor ports
[10:15:05]   Checking for TCP port 1524                      [ Not found ]
[10:15:05]   Checking for TCP port 1984                      [ Warning ]
[10:15:05] Warning: Network TCP port 1984 is being used by /usr/lib/hobbit/server/bin/hobbitd. Possible rootkit: Fuckit Rootkit
          Use the 'lsof -i' or 'netstat -an' command to check this.

[10:15:06]   Checking for UDP port 2001                      [ Not found ]
[10:15:06]   Checking for TCP port 2006                      [ Not found ]
[10:15:06]   Checking for TCP port 2128                      [ Not found ]
[10:15:06]   Checking for TCP port 6666                      [ Not found ]
[10:15:06]   Checking for TCP port 6667                      [ Not found ]
[10:15:06]   Checking for TCP port 6668                      [ Not found ]
[10:15:06]   Checking for TCP port 6669                      [ Not found ]
[10:15:06]   Checking for TCP port 7000                      [ Not found ]
[10:15:06]   Checking for TCP port 13000                     [ Not found ]
[10:15:07]   Checking for TCP port 14856                     [ Not found ]
[10:15:07]   Checking for TCP port 25000                     [ Not found ]
[10:15:07]   Checking for TCP port 29812                     [ Not found ]
[10:15:07]   Checking for TCP port 31337                     [ Not found ]
[10:15:07]   Checking for TCP port 33369                     [ Not found ]
[10:15:07]   Checking for TCP port 47107                     [ Not found ]
[10:15:07]   Checking for TCP port 47018                     [ Not found ]
[10:15:07]   Checking for TCP port 60922                     [ Not found ]
[10:15:07]   Checking for TCP port 62883                     [ Not found ]
[10:15:07]   Checking for TCP port 65535                     [ Not found ]
[10:15:08]
[10:15:08] Performing checks on the network interfaces
[10:15:08] Info: Starting test name 'promisc'
[10:15:08]   Checking for promiscuous interfaces             [ None found ]
[10:15:08]
[10:15:08] Info: Test 'packet_cap_apps' disabled at users request.
[10:15:10]
[10:15:10] Checking the local host...
[10:15:10] Info: Starting test name 'local_host'
[10:15:10]
[10:15:10] Performing system boot checks
[10:15:10] Info: Starting test name 'startup_files'
[10:15:10]   Checking for local host name                    [ Found ]
[10:15:10] Info: Starting test name 'startup_malware'
[10:15:10]   Checking for system startup files               [ Found ]
[10:15:11]   Checking system startup files for malware       [ None found ]
[10:15:11]
[10:15:11] Performing group and account checks
[10:15:11] Info: Starting test name 'group_accounts'
[10:15:11]   Checking for passwd file                        [ Found ]
[10:15:11] Info: Found password file: /etc/passwd
[10:15:11]   Checking for root equivalent (UID 0) accounts   [ None found ]
[10:15:11] Info: Found shadow file: /etc/shadow
[10:15:11]   Checking for passwordless accounts              [ None found ]
[10:15:11] Info: Starting test name 'passwd_changes'
[10:15:11]   Checking for passwd file changes                [ None found ]
[10:15:11] Info: Starting test name 'group_changes'
[10:15:11]   Checking for group file changes                 [ None found ]
[10:15:11]   Checking root account shell history files       [ OK ]
[10:15:11]
[10:15:11] Performing system configuration file checks
[10:15:11] Info: Starting test name 'system_configs'
[10:15:11]   Checking for SSH configuration file             [ Not found ]
[10:15:11]   Checking for running syslog daemon              [ Found ]
[10:15:12]   Checking for syslog configuration file          [ Found ]

[10:15:12] Info: Found syslog configuration file: /etc/rsyslog.conf
[10:15:12]   Checking if syslog remote logging is allowed    [ Not allowed ]
[10:15:12]
[10:15:12] Performing filesystem checks
[10:15:12] Info: Starting test name 'filesystem'
[10:15:12] Info: SCAN_MODE_DEV set to 'THOROUGH'
[10:15:12]   Checking /dev for suspicious file types         [ Warning ]
[10:15:12] Warning: Suspicious file types found in /dev:

[10:15:12]          /dev/shm/pulse-shm-964867388: data
[10:15:12]          /dev/shm/pulse-shm-3254404705: data
[10:15:12]          /dev/shm/pulse-shm-2686149009: data
[10:15:12]          /dev/shm/pulse-shm-1250689112: data
[10:15:12]          /dev/shm/pulse-shm-4252587511: data
[10:15:12]          /dev/shm/pulse-shm-3062087144: data
[10:15:12]          /dev/shm/pulse-shm-626431627: data
[10:15:12]          /dev/shm/pulse-shm-3243965924: data
[10:15:12]          /dev/shm/pulse-shm-940053923: data
[10:15:12]          /dev/shm/pulse-shm-3932353201: data
[10:15:12]          /dev/shm/pulse-shm-3464165182: data
[10:15:12]          /dev/shm/pulse-shm-2615631603: data
[10:15:12]          /dev/shm/pulse-shm-48704082: data
[10:15:12]          /dev/shm/pulse-shm-934514492: data
[10:15:12]          /dev/shm/pulse-shm-3105371466: data
[10:15:12]          /dev/shm/pulse-shm-4000336937: data
[10:15:13]          /dev/shm/pulse-shm-1941758434: data
[10:15:13]          /dev/shm/pulse-shm-3795843953: data
[10:15:13]   Checking for hidden files and directories       [ Warning ]
[10:15:13] Warning: Hidden directory found: /etc/.java
[10:15:13] Warning: Hidden directory found: /dev/.udev
[10:15:13] Warning: Hidden directory found: /dev/.initramfs
[10:15:19]
[10:15:19] Info: Test 'apps' disabled at users request.
[10:15:19]
[10:15:19] System checks summary
[10:15:19] =====================
[10:15:19]
[10:15:19] File properties checks...
[10:15:19] Files checked: 133
[10:15:19] Suspect files: 0
[10:15:19]
[10:15:19] Rootkit checks...
[10:15:19] Rootkits checked : 242
[10:15:19] Possible rootkits: 0
[10:15:19]
[10:15:19] Applications checks...
[10:15:19] All checks skipped
[10:15:19]
[10:15:19] The system checks took: 1 minute and 37 seconds
[10:15:19]
[10:15:19] Info: End date is Sex Set 10 10:15:19 BRT 2010

zekkerj

Of the lines you highlighted, the only one that represents a real situation to be analyzed is the one about the hobbitd daemon. The others are nothing special.

Quote:
[10:15:05]   Checking for TCP port 1984                      [ Warning ]
[10:15:05] Warning: Network TCP port 1984 is being used by /usr/lib/hobbit/server/bin/hobbitd. Possible rootkit: Fuckit Rootkit
           Use the 'lsof -i' or 'netstat -an' command to check this.

Did you run "lsof -i" or "netstat -an", as suggested? Did you check whether the "hobbit" or "xymon" package is installed?
Search before asking; your question may already have been answered.
I don't answer questions by PM; post your question on the forum, where your colleagues can search for it!
Don't come to the forum only to ask. If you know the answer to a problem, why not help your colleague? ;D
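As an added example (not from the thread), a small POSIX shell script that does the cross-check zekkerj suggests, offline: it pulls the "backdoor port" warnings out of an rkhunter log and compares each one with what `netstat -tlnp` reports as the actual listener. The log excerpt and netstat lines are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Triage rkhunter port warnings against the live listener table.
# Sample data is constructed; on a real box replace it with:
#   RKH_LOG=$(grep 'Warning: Network' /var/log/rkhunter.log)
#   NETSTAT=$(netstat -tlnp 2>/dev/null)   # root needed for the PID/Program column

RKH_LOG='[10:15:05] Warning: Network TCP port 1984 is being used by /usr/lib/hobbit/server/bin/hobbitd. Possible rootkit: Fuckit Rootkit
[10:15:13] Warning: Hidden directory found: /etc/.java'

NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1984            0.0.0.0:*               LISTEN      1234/hobbitd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      987/cupsd'

# Print "PROTO PORT PATH" for every rkhunter port warning in the log text given as $1.
rkh_port_warnings() {
  printf '%s\n' "$1" | awk '
    /Warning: Network (TCP|UDP) port [0-9]+ is being used by/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "Network") proto = $(i + 1)
        if ($i == "port")    port  = $(i + 1)
        if ($i == "by")      { path = $(i + 1); sub(/\.$/, "", path) }   # drop trailing "."
      }
      print proto, port, path
    }'
}

# Print the PID/Program entry listening on TCP port $1, from the netstat -tlnp text in $2.
listener_for_port() {
  printf '%s\n' "$2" | awk -v port="$1" '$4 ~ (":" port "$") && $6 == "LISTEN" { print $7; exit }'
}

# For each warning, report whether the live listener agrees with rkhunter's claim.
# A match means the next question is "did I install this?" (dpkg -S on the path);
# no listener or a different program means the port changed hands and needs a closer look.
triage() {
  rkh_port_warnings "$1" | while read -r proto port path; do
    who=$(listener_for_port "$port" "$2")
    case "$who" in
      */"$(basename "$path")") echo "$proto/$port: listener $who matches $path (next: dpkg -S $path)" ;;
      "")                      echo "$proto/$port: nothing listening now; transient or hidden, re-check" ;;
      *)                       echo "$proto/$port: listener $who does NOT match $path, investigate" ;;
    esac
  done
}

triage "$RKH_LOG" "$NETSTAT"
```

With the sample data the hobbitd warning is reported as consistent with the live listener, which leaves the package check (is hobbit/xymon installed?) as the deciding step.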

dtomadon

Searching for the port turned up this:

1984   TCP      Big Brother System and Network Monitor


Big Brother: it points to this one, which sells this product:

Big Brother Professional Edition (BBPE) is a simple way to measure the health of your heterogeneous IT environment at a glance. It is an easy-to-deploy, affordable, web-based solution for IT infrastructure monitoring and diagnostics. Get real-time monitoring for any server (Windows, UNIX, Linux) or device, on any network, from any web browser anywhere in the world. Simply "follow the red light" to detect, diagnose and resolve any alert - before it becomes a problem.

That system uses this port; did you install something like that, or could it be a rootkit using this port???
BackTrack 5 64-bit with SIS video

kernel omnislash 1.4.4 64-bit, bring on the 5th semester!!!