KrishnaR
Guest
I've got this message today:
Please inspect this machine, because it may be infected.
I've looked at the error log and this is what came out:
Checking for string 'psniff' [ Not found ]
Checking for string '/var/lock/subsys/...datafile...' [ Not found ]
Checking for string '/dev/ptyxx' [ Not found ]
Checking for string '/dev/xdta' [ Not found ]
Checking for string '/usr/lib/.tbd' [ Not found ]
Checking for string 'in.inetd' [ Not found ]
Checking for string '#<HIDE_.*>' [ Not found ]
Checking for string 'bin/xchk' [ Not found ]
Checking for string 'bin/xsf' [ Not found ]
Checking for possible rootkit strings [ None found ]
Performing malware checks
Info: Starting test name 'malware'
Info: Test 'deleted_files' disabled at users request.
Info: Starting test name 'running_procs'
Checking running processes for suspicious files [ None found ]
Info: Test 'hidden_procs' disabled at users request.
Info: Test 'suspscan' disabled at users request.
Performing check for login backdoors
Info: Starting test name 'other_malware'
Checking for '/bin/.login' [ Not found ]
Checking for '/sbin/.login' [ Not found ]
Checking for login backdoors [ None found ]
Performing check for suspicious directories
Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
Checking for directory '/dev/rd/cdb' [ Not found ]
Checking for suspicious directories [ None found ]
Checking for software intrusions [ Skipped ]
Info: Check skipped - tripwire not installed
Performing check for sniffer log files
Checking for file '/usr/lib/libice.log' [ Not found ]
Checking for sniffer log files [ None found ]
Performing trojan specific checks
Info: Starting test name 'trojans'
Checking for enabled inetd services [ Skipped ]
Info: Check skipped - file '/etc/inetd.conf' does not exist.
Performing check for enabled xinetd services
Info: Using xinetd configuration file '/etc/xinetd.conf'
Checking '/etc/xinetd.conf' for enabled services [ None found ]
Found 'includedir /etc/xinetd.d' directive
Checking '/etc/xinetd.d/chargen-dgram' for enabled services [ None found ]
Checking '/etc/xinetd.d/chargen-stream' for enabled services [ None found ]
Checking '/etc/xinetd.d/cvs' for enabled services [ None found ]
Checking '/etc/xinetd.d/daytime-dgram' for enabled services [ None found ]
Checking '/etc/xinetd.d/daytime-stream' for enabled services [ None found ]
Checking '/etc/xinetd.d/discard-dgram' for enabled services [ None found ]
Checking '/etc/xinetd.d/discard-stream' for enabled services [ None found ]
Checking '/etc/xinetd.d/echo-dgram' for enabled services [ None found ]
Checking '/etc/xinetd.d/echo-stream' for enabled services [ None found ]
Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
Checking '/etc/xinetd.d/rsync' for enabled services [ None found ]
Checking '/etc/xinetd.d/tcpmux-server' for enabled services [ None found ]
Checking '/etc/xinetd.d/time-dgram' for enabled services [ None found ]
Checking '/etc/xinetd.d/time-stream' for enabled services [ None found ]
Checking for enabled xinetd services [ Warning ]
Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
Checking for Apache backdoor [ Not found ]
Performing Linux specific checks
Info: Starting test name 'os_specific'
Checking loaded kernel modules [ OK ]
Info: Using modules pathname of '/lib/modules/2.6.32-279.2.1.el6.x86_64'
Checking kernel module names [ OK ]
Checking the network...
Info: Starting test name 'network'
Info: Starting test name 'ports'
Performing check for backdoor ports
Checking for TCP port 1524 [ Not found ]
Checking for TCP port 1984 [ Not found ]
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 6666 [ Not found ]
Checking for TCP port 6667 [ Not found ]
Checking for TCP port 6668 [ Not found ]
Checking for TCP port 6669 [ Not found ]
Checking for TCP port 7000 [ Not found ]
Checking for TCP port 13000 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 25000 [ Not found ]
Checking for TCP port 29812 [ Not found ]
Checking for TCP port 31337 [ Not found ]
Checking for TCP port 32982 [ Not found ]
Checking for TCP port 33369 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 47018 [ Not found ]
Checking for TCP port 60922 [ Not found ]
Checking for TCP port 62883 [ Not found ]
Checking for TCP port 65535 [ Not found ]
Performing checks on the network interfaces
Info: Starting test name 'promisc'
Checking for promiscuous interfaces [ None found ]
Info: Test 'packet_cap_apps' disabled at users request.
Checking the local host...
Info: Starting test name 'local_host'
Performing system boot checks
Info: Starting test name 'startup_files'
Checking for local host name [ Found ]
Info: Starting test name 'startup_malware'
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Info: Starting test name 'group_accounts'
Checking for passwd file [ Found ]
Info: Found password file: /etc/passwd
Checking for root equivalent (UID 0) accounts [ None found ]
Info: Found shadow file: /etc/shadow
Checking for passwordless accounts [ None found ]
Info: Starting test name 'passwd_changes'
Checking for passwd file changes [ Warning ]
Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
Info: Starting test name 'group_changes'
Checking for group file changes [ Warning ]
Warning: Unable to check for group file differences: no copy of the group file exists.
Checking root account shell history files [ OK ]
Performing system configuration file checks
Info: Starting test name 'system_configs'
Checking for SSH configuration file [ Found ]
Info: Found SSH configuration file: /etc/ssh/sshd_config
Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'unset'.
Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '2'.
Checking if SSH root access is allowed [ Not set ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Info: Found syslog configuration file: /etc/rsyslog.conf
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Info: Starting test name 'filesystem'
Info: SCAN_MODE_DEV set to 'THOROUGH'
Checking /dev for suspicious file types [ Warning ]
Warning: Suspicious file types found in /dev:
/dev/md/md-device-map: ASCII text
Checking for hidden files and directories [ Warning ]
Warning: Hidden directory found: /dev/.mdadm
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Checking application versions...
Info: Starting test name 'apps'
Info: Application 'exim' not found.
Checking version of GnuPG [ OK ]
Info: Application 'gpg' version '2.0.14' found.
Checking version of Apache [ Warning ]
Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.
Checking version of Bind DNS [ OK ]
Info: Application 'named' version '9.8.2rc1' found.
Checking version of OpenSSL [ OK ]
Info: Application 'openssl' version '1.0.0-fips' found.
Checking version of PHP [ OK ]
Info: Application 'php' version '5.3.3' found.
Checking version of Procmail MTA [ OK ]
Info: Application 'procmail' version '3.22' found.
Checking version of ProFTPd [ Skipped ]
Info: Unable to obtain version number for 'proftpd': version option gives: ProFTPD Version 1.3.3e
Checking version of OpenSSH [ OK ]
Info: Application 'sshd' version '5.3p1' found.
Info: Applications checked: 8 out of 9
System checks summary
Required commands check failed
Files checked: 124
Suspect files: 3
Rootkit checks...
Rootkits checked : 112
Possible rootkits: 0
Applications checks...
Applications checked: 8
Suspect applications: 1
The system checks took: 1 minute and 12 seconds
Please advise.