Thread: rootkit found, system compromised
http://ubuntuforums.org/showthread.php?t=510812
The security log file is huge.... 400+ pages.
It seems I can only upload a 150 kB file here, so I uploaded it to Megaupload.
(Megaupload link removed due to system insecurity)
Tiger system security scanner
Tiger security scripts *** 3.2.2, 2007.08.28.00.00 ***
HTML generator developed by Advanced Research Corporation (R)
Sun Jun 26 21:49:48 MST 2011
21:49> Beginning security report for julio-thinkcentre-m52 (i686 Linux 2.6.35-28-generic).
# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (bin) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (couchdb) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (daemon) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (games) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (gnats) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (irc) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (julio) is disabled, but has a valid shell.
--WARN-- [pass016w] User kernoops has / as home directory
--WARN-- [pass014w] Login (libuuid) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (lp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (mail) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (man) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (news) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (proxy) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (speech-dispatcher) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
# Performing check of group files...
# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID avahi-autoipd appears to be a dormant account.
--WARN-- [acc021w] Login ID libuuid appears to be a dormant account.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
# Performing check of /etc/hosts.equiv and .rhosts files...
# Checking accounts from /etc/passwd...
# Performing check of .netrc files...
# Checking accounts from /etc/passwd...
# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root003w] Root user has message capability turned on.
# Performing check of PATH components...
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
# Checking user 'root'
# Performing check of anonymous FTP...
# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.
# Performing check of `cron' entries...
--WARN-- [cron004w] Root crontab does not exist
--WARN-- [cron005w] Use of cron is not restricted
# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service sieve is also assigned to service cisco-sccp.
--WARN-- [inet003w] The port for service ndtp is also assigned to service pipe_server.
--WARN-- [inet003w] The port for service ndtp is also assigned to service search.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service sane-port.
--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt.
--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt.
# Performing NFS exports check...
# Performing check of system file permissions...
--ALERT-- [perm023a] /bin/su is setuid to `root'.
--ALERT-- [perm023a] /usr/bin/at is setuid to `daemon'.
--ALERT-- [perm024a] /usr/bin/at is setgid to `daemon'.
--WARN-- [perm001w] The owner of /usr/bin/at should be root (owned by daemon).
--WARN-- [perm002w] The group owner of /usr/bin/at should be root.
--ALERT-- [perm023a] /usr/bin/passwd is setuid to `root'.
--ALERT-- [perm024a] /usr/bin/wall is setgid to `tty'.
# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /bin/ip
# Testing for backdoors in inetd.conf
# Performing check of files in system mail spool...
# Performing check for rootkits...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--ALERT-- [rootkit005a] Chkrootkit has found a file that seems to be infected because of a rootkit
--ALERT-- [rootkit009a] A rootkit seems to be installed in the system (infected ports: 1524 6667 31337)
# Performing system specific checks...
# Performing checks for Linux/2...
# Checking for single user-mode password...
# Checking boot loader file permissions...
--WARN-- [boot03w] Could not access lilo's or grub's configuration file
# Checking for vulnerabilities in inittab configuration...
# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
# Checking logins not used on the system ...
# Checking network configuration
--WARN-- [lin012w] The system accepts ICMP redirection messages
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets
# Verifying system specific password checks...
# Checking OS release...
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `squeeze/sid'
# Checking installed packages vs Debian Security Advisories...
# Checking md5sums of installed files
# Checking installed files against packages...
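Most of the report above is stock Ubuntu baseline (set-id bits on su, passwd, at and wall; locked system accounts that still have a login shell), and the two lines that matter are the rootkit alerts with their port list. As an added example that is not part of this thread or of tiger itself, the Python script below triages a tiger report in its `--WARN--`/`--ALERT--` line format: it counts findings by severity and check code, pulls the ports out of the rootkit alert so they can be compared with `ss -ltnp` or `netstat -ltnp` on the box, and separates set-id alerts that match an assumed known-good baseline from any others. The sample report, the `EXPECTED_SETID` baseline and the `/usr/local/bin/helper` line are constructed for illustration; build a real baseline from a clean install of the same release.

```python
"""Triage a tiger 3.x security report: count findings by severity and check
code, extract the ports named in rootkit alerts, and flag setuid/setgid alerts
that are not in a known-good baseline. Added example; not part of the forum
thread or of the tiger package."""
import re
from collections import Counter

# Constructed sample in the shape of the report pasted in the thread (a handful
# of lines, not the real 400-page log). The /usr/local/bin/helper line is
# invented to show what a set-id alert outside the baseline looks like.
SAMPLE_REPORT = """\
# Performing check of passwd files...
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
# Performing check of system file permissions...
--ALERT-- [perm023a] /bin/su is setuid to `root'.
--ALERT-- [perm023a] /usr/bin/at is setuid to `daemon'.
--ALERT-- [perm024a] /usr/bin/at is setgid to `daemon'.
--ALERT-- [perm023a] /usr/local/bin/helper is setuid to `root'.
--WARN-- [perm001w] The owner of /usr/bin/at should be root (owned by daemon).
# Performing check for rootkits...
--ALERT-- [rootkit005a] Chkrootkit has found a file that seems to be infected because of a rootkit
--ALERT-- [rootkit009a] A rootkit seems to be installed in the system (infected ports: 1524 6667 31337)
# Checking network configuration
--WARN-- [lin012w] The system accepts ICMP redirection messages
"""

# One finding per line: severity tag, bracketed check code, message.
FINDING_RE = re.compile(
    r"^--(?P<sev>ALERT|FAIL|WARN|INFO)--\s+\[(?P<code>[a-z]+\d+[a-z])\]\s*(?P<msg>.*)$")
# perm023a/perm024a messages: "<path> is setuid to `<owner>'."
SETID_RE = re.compile(r"^(?P<path>\S+) is set(?P<kind>u|g)id to `(?P<owner>[^']+)'")
# rootkit009a message carries "(... ports: 1524 6667 31337)".
PORTS_RE = re.compile(r"ports?:\s*([\d ]+)\)")

# Assumed baseline of set-id bits on a stock Ubuntu install of that era
# (illustrative; derive yours from a clean box or package metadata).
EXPECTED_SETID = {
    ("/bin/su", "u", "root"),
    ("/usr/bin/passwd", "u", "root"),
    ("/usr/bin/at", "u", "daemon"),
    ("/usr/bin/at", "g", "daemon"),
    ("/usr/bin/wall", "g", "tty"),
}


def parse_report(text):
    """Return findings as (section, severity, code, message) tuples.

    Tiger prints a '# ...' banner before each check; that banner is kept as
    the section of every finding that follows it."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            section = line[2:].rstrip(".")
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append((section, m["sev"], m["code"], m["msg"]))
    return findings


def summarise(findings):
    """Counters of findings by severity and by check code."""
    by_sev = Counter(f[1] for f in findings)
    by_code = Counter(f[2] for f in findings)
    return by_sev, by_code


def rootkit_ports(findings):
    """Ports named in rootkit alerts, as ints, in report order."""
    ports = []
    for _, _, code, msg in findings:
        if code.startswith("rootkit"):
            m = PORTS_RE.search(msg)
            if m:
                ports.extend(int(p) for p in m.group(1).split())
    return ports


def unexpected_setid(findings):
    """Paths from setuid/setgid alerts whose (path, kind, owner) is not in
    EXPECTED_SETID; these are the ones worth comparing against dpkg's view."""
    odd = []
    for _, _, code, msg in findings:
        if code not in ("perm023a", "perm024a"):
            continue
        m = SETID_RE.match(msg)
        if m and (m["path"], m["kind"], m["owner"]) not in EXPECTED_SETID:
            odd.append(m["path"])
    return odd


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    by_sev, by_code = summarise(fs)
    print("by severity:", dict(by_sev))
    print("top check codes:", by_code.most_common(3))
    print("rootkit ports to check with ss/netstat:", rootkit_ports(fs))
    print("set-id bits outside baseline:", unexpected_setid(fs))
```

The script only reads a report; it does not make the report trustworthy. Tiger and chkrootkit run on the live system, so a kernel or userland rootkit can hide from them and from the box's own `ss`, `ps` and `ls`, which is why the port list is a lead to confirm from known-good media (or from another host with a port scan), not proof on its own.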
It seems you appear to have a rootkit. My guess is Ambient's Rootkit (ARK).
I can't give more information without seeing the logs. If you want me to read them, post them in plain text format; not OpenOffice, sorry, I'm not opening a file from a rooted box. In fact a mod may wish to remove the download link until it is reposted as plain text.