got rooted


got rooted

Eben King
I got rooted, and not in a good way.  I did "nethogs" to watch a process,
and I saw these strange connections:

192.168.1.10:51000-23.247.232.26:54089
192.168.1.10:51000-70.70.134.186:60560
192.168.1.10:51000-70.77.181.64:49609
192.168.1.10:51000-83.248.240.28:57078
192.168.1.10:51000-121.244.55.55:51020
192.168.1.10:51000-174.17.166.165:51633
192.168.1.10:51000-188.243.20.191:47423

etc., 1-2 at a time.  These connections didn't show up in netstat.
Sometimes it would connect to a host again on a different port.  I didn't
recognize the addresses and they were all over the place numerically so I
looked them up: webmail.cadestech.com, 174-17-166-165.phnx.qwest.net,
S0106bcee7bdd9f28.ca.shawcable.net, and most tellingly
188.243.20.191.pool.sknt.ru.  All of these are sites I have nothing to do
with (TTBOMK).

First thing I did was add a rule on the router to disallow connections
anywhere from my TCP port 51000.  It didn't like that -- I saw a connection
to the router, but apparently it only knew the default password because the
ruleset was unchanged.

I'd been leaning toward upgrading my distro for a while, and this was a
prime opportunity.  I went from Ubuntu 12.04 LTS to 14.04 LTS.  / and /usr
got formatted.

So anyhow, the rule's still in place.  Unfortunately, the infection is back,
which is pretty bloody bizarre.  The only software I didn't install through
the apt* system was an Nvidia driver (that one didn't work, I ended up using
the latest Synaptic showed).  You can see the rule's working because the
router has log entries like

TCP 192.168.1.10:51000 <-->71.243.244.110:41921 [121.244.55.55:56009]
CLOSED/SYN_SENT clink1 NAPT Incoming STATIC UNSECURED

So, how do I track this thing down?  Now that it's impotent I don't have to
worry about it distributing spam.

--
-eben    [hidden email]    ebmanda.redirectme.net:81
LIBRA:  A big promotion is just around the corner for someone
much more talented than you.  Laughter is the very best medicine,
remember that when your appendix bursts next week.  -- Weird Al
_______________________________________________
slug mailing list
[hidden email]
https://www.suncoastlug.org/mailman/listinfo/slug

Re: got rooted

Pete Theisen
On 11/23/2014 03:52 AM, Eben King wrote:

> So, how do I track this thing down?  Now that it's impotent I don't have
> to worry about it distributing spam.


Hi Eben,

What would happen if you got a clean copy of the distro from a different
machine and full formatted, including the Master Boot Record?
--
Regards,

Pete
http://elect-pete-theisen.com/
https://www.facebook.com/pete.theisen.5

Re: got rooted

Eben King
On Sun, 23 Nov 2014, Pete Theisen wrote:

> On 11/23/2014 03:52 AM, Eben King wrote:
>
>> So, how do I track this thing down?  Now that it's impotent I don't have
>> to worry about it distributing spam.
>
> What would happen if you got a clean copy of the distro from a different
> machine and full formatted, including the Master Boot Record?

I dunno.  I'll try to make a list of the installations and changes I've
done, so I can do them all at once instead of putting out fires for a few
weeks.  The rule in the router seems to be doing its job.  Obviously, there
are some changed binaries, and I don't know what all of them are.  Is there
any harm to going through all the installed packages and reinstalling them
from presumably-unhacked repositories?

--
-eben    [hidden email]    ebmanda.redirectme.net:81
LIBRA:  A big promotion is just around the corner for someone
much more talented than you.  Laughter is the very best medicine,
remember that when your appendix bursts next week.  -- Weird Al

Re: got rooted

Pete Theisen
On 11/23/2014 08:39 AM, Eben King wrote:

> On Sun, 23 Nov 2014, Pete Theisen wrote:
>
>> On 11/23/2014 03:52 AM, Eben King wrote:
>>
>>> So, how do I track this thing down?  Now that it's impotent I don't have
>>> to worry about it distributing spam.
>>
>> What would happen if you got a clean copy of the distro from a
>> different machine and full formatted, including the Master Boot Record?
>
> I dunno.  I'll try to make a list of the installations and changes I've
> done, so I can do them all at once instead of putting out fires for a
> few weeks.  The rule in the router seems to be doing its job.
> Obviously, there are some changed binaries, and I don't know what all of
> them are.

> Is there any harm to going through all the installed packages
> and reinstalling them from presumably-unhacked repositories?

Well, this last thing, installed packages, might be where the trouble
could be lurking. If you are copying ANYTHING from an infected source it
could bring the nasty with it.

If you know what all you have, get it ALL from a different source, one
at a time and observe in between. If there is something particular to
you that no one else has, go to an earlier back-up, if you have one.
Then, the stuff that exists only on that hard drive, copy to a
quarantine and watch it for a while.
--
Regards,

Pete
http://elect-pete-theisen.com/
https://www.facebook.com/pete.theisen.5

Re: got rooted

Eben King
On Sun, 23 Nov 2014, Pete Theisen wrote:

> On 11/23/2014 08:39 AM, Eben King wrote:
>> On Sun, 23 Nov 2014, Pete Theisen wrote:
>>
>>> On 11/23/2014 03:52 AM, Eben King wrote:
>>>
>>>> So, how do I track this thing down?  Now that it's impotent I don't
>>>> have
>>>> to worry about it distributing spam.
>>>
>>> What would happen if you got a clean copy of the distro from a
>>> different machine and full formatted, including the Master Boot Record?
>>
>> I dunno.  I'll try to make a list of the installations and changes I've
>> done, so I can do them all at once instead of putting out fires for a
>> few weeks.  The rule in the router seems to be doing its job.
>> Obviously, there are some changed binaries, and I don't know what all of
>> them are.
>
>> Is there any harm to going through all the installed packages
>> and reinstalling them from presumably-unhacked repositories?
>
> Well, this last thing, installed packages might be where the trouble could
> be lurking. If you are copying ANYTHING from an infected source it could
> bring the nasty with it.

Well, neither chkrootkit nor rkhunter found any nasties, but I kept getting
unusual connections that nethogs could see but netstat couldn't.  I figured
out how to parse the data in /proc/*/net/tcp, and those weird connections
were attributed to every process under the sun.  So I reinstalled, being
careful not to install ANYTHING from local media, nor to allow execution of
downloaded stuff.

All was good until I ran deluge.  While it's running, you expect lots of
connections to places you don't recognize.  They should stop appearing when
you quit it, but they didn't.  I looked in the router, and there were
several new port-forwarding rules for the ports the connections were on.
Disable them, the connections stop.  OK, delete.  Obviously deluge put them
there.  How did it do that, and how do I stop it, or at least make it clean
up after itself?  No, the router doesn't have the default password.  That's
the first thing I changed.  I'm guessing the router's running a service that
can add rules on demand.

--
-eben    [hidden email]    ebmanda.redirectme.net:81
LIBRA:  A big promotion is just around the corner for someone
much more talented than you.  Laughter is the very best medicine,
remember that when your appendix bursts next week.  -- Weird Al

Re: got rooted

Eben King
On Sun, 30 Nov 2014, Eben King wrote:

> All was good until I ran deluge. ... I looked in the router, and there
> were several new port-forwarding rules for the ports the connections were
> on. Disable them, the connections stop.  OK, delete.  Obviously deluge put
> them there.  How did it do that, and how do I stop it, or at least make it
> clean up after itself? ...  I'm guessing the router's running a service
> that can add rules on demand.

It's UPnP, and according to

http://forums.verizon.com/t5/FiOS-Internet/No-UPnP-setting-in-MI424WR-Router/td-p/513501

there's no way to disable it, as a firmware update Verizon pushed out
disabled access to it.  So, the best I can do is block its port.  I think it
runs on TCP port 2555.

--
-eben    [hidden email]    ebmanda.redirectme.net:81
LIBRA:  A big promotion is just around the corner for someone
much more talented than you.  Laughter is the very best medicine,
remember that when your appendix bursts next week.  -- Weird Al

Re: got rooted

Jeff
On Sun, 2014-11-30 at 19:36 -0500, Eben King wrote:

> there's no way to disable it

Sure there is. Since you do not have full control over the router,
consider it as an untrusted device. Put your own router between it and
your network. Run OpenWRT or DD-WRT on it, and you can have whatever
rules that you wish. And Verizon can do whatever they like to their
router without affecting your setup.

Re: got rooted

Pete Theisen
On 11/30/2014 07:36 PM, Eben King wrote:

> On Sun, 30 Nov 2014, Eben King wrote:
>
>> All was good until I ran deluge. ... I looked in the router, and there
>> were several new port-forwarding rules for the ports the connections
>> were on. Disable them, the connections stop.  OK, delete.  Obviously
>> deluge put them there.  How did it do that, and how do I stop it, or
>> at least make it clean up after itself? ...  I'm guessing the router's
>> running a service that can add rules on demand.
>
> It's UPnP, and according to
>
> http://forums.verizon.com/t5/FiOS-Internet/No-UPnP-setting-in-MI424WR-Router/td-p/513501
>
>
> there's no way to disable it, as a firmware update Verizon pushed out
> disabled access to it.  So, the best I can do is block its port.  I
> think it runs on TCP port 2555.
>

What is deluge and do you need it?
--
Regards,

Pete
http://elect-pete-theisen.com/
https://www.facebook.com/pete.theisen.5

Re: got rooted

Bryan Lee
Eben,

I'm starting to wonder if you actually have a problem or if this is the
expected behavior.

Try running, as root:
        netstat -anlp

-a all, -n numeric, -l include listening, -t TCP ports, -p show program name/PID

Under State, you'll see LISTEN, ESTABLISHED, TIME_WAIT, or CLOSE_WAIT.
Possibly some others.  You can look up the definition of these states in
"man portmap".

nethogs probably shows more connection types than default netstat (-a, -l?).


In the scenario you're describing where you run your bit-torrent client,
then quit it, then add firewall rules, I would not be surprised if
connections remain in a TIME_WAIT or CLOSE_WAIT state.  Typically this
means that the program has exited abnormally (or been blocked) but both
ends of the network connection were not able to properly close.  The
connection will remain in a WAIT state for a while, possibly until
the network stack times it out, a reset is sent to the port, or a reboot.

It sounded like adding the firewall rules sent a RESET to the port.



Regarding the newly appearing rules, some firewalls (routers?) have
an option for UPnP (Universal Plug and Play) support,
        "UPnP is a set of networking protocols that permits networked
        devices ... to seamlessly discover each other's presence
        on the network and establish functional network services
        for data sharing, communications, and entertainment."
        [http://en.wikipedia.org/wiki/Universal_Plug_and_Play]

I turn it off on firewalls I'm responsible for.  You'll have to create a new
rule allowing any connections a service needs if you turn it off.  I'm not
sure how this will affect a bit torrent client.



Thus Eben King hast written on Sun, Nov 30, 2014 at 06:48:21PM -0500, and, according to prophecy, it shall come to pass that:

> Well, neither chkrootkit nor rkhunter found any nasties, but I kept
> getting unusual connections that nethogs could see but netstat
> couldn't.  I figured out how to parse the data in /proc/*/net/tcp,
> and those weird connections were attributed to every process under
> the sun.  So I reinstalled, being careful not to install ANYTHING
> from local media, nor to allow execution of downloaded stuff.
>
> All was good until I ran deluge.  While it's running, you expect
> lots of connections to places you don't recognize.  They should stop
> appearing when you quit it, but they didn't.  I looked in the
> router, and there were several new port-forwarding rules for the
> ports the connections were on. Disable them, the connections stop.
> OK, delete.  Obviously deluge put them there.  How did it do that,
> and how do I stop it, or at least make it clean up after itself?
> No, the router doesn't have the default password.  That's the first
> thing I changed.  I'm guessing the router's running a service that
> can add rules on demand.
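Eben mentions parsing /proc/*/net/tcp himself, and Bryan describes the LISTEN/ESTABLISHED/TIME_WAIT/CLOSE_WAIT states that netstat prints, but neither post shows the code. The script below is an added example, not code from either poster: it decodes the hex address, port and state columns of /proc/net/tcp (and the 128-bit form used by /proc/net/tcp6) the way netstat does, and maps socket inodes to PIDs by reading /proc/<pid>/fd links, which is what netstat -p does under the hood. The sample table is constructed to resemble the 192.168.1.10:51000 entries in Eben's first post; the inode numbers, uid and PIDs in it are made up. One thing it makes visible that the thread only hints at: a TIME_WAIT row carries inode 0, so no process owns it and no tool can attribute it to a program, which is exactly the situation Bryan describes after a client like deluge has exited.

```python
"""Decode /proc/net/tcp (and tcp6) like netstat and attribute sockets to PIDs.

Added example, not code from the thread. Runs offline on a constructed
sample table; run it on a Linux host to read the live /proc instead.
"""
import os
import socket
import struct

# Kernel TCP state codes from the "st" column (include/net/tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
    0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
    0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
    0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Constructed sample modelled on the thread's 192.168.1.10:51000 entries.
# Inode numbers and uid are made up; the TIME_WAIT row has inode 0, which is
# what the kernel reports for sockets no process owns any more.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:C738 1AE8F717:D349 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 0A01A8C0:C738 BA864646:EC90 06 00000000:00000000 03:00000FFF 00000000     0        0 0 3 0000000000000000
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9876 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hexaddr):
    """'0A01A8C0:C738' -> ('192.168.1.10', 51000).

    The kernel prints each 32-bit word of the address in host byte order,
    so on little-endian machines the octets appear reversed; IPv6 entries
    in /proc/net/tcp6 are four such words.
    """
    ip_hex, port_hex = hexaddr.split(":")
    words = [struct.pack("<I", int(ip_hex[i:i + 8], 16))
             for i in range(0, len(ip_hex), 8)]
    raw = b"".join(words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per row: local, remote, state name, uid, inode."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(int(f[3], 16), "UNKNOWN_" + f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return conns


def socket_owners(proc_root="/proc"):
    """Map socket inode -> PIDs holding it by reading /proc/<pid>/fd links
    (what netstat -p does; needs root to see other users' processes)."""
    owners = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():                  # skip self, sys, net, ...
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                          # process gone, or not ours
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                owners.setdefault(int(target[8:-1]), []).append(int(entry))
    return owners


def attribute(conns, owners):
    """Attach a 'pids' list to each connection; inode 0 never has an owner."""
    for c in conns:
        c["pids"] = owners.get(c["inode"], []) if c["inode"] else []
    return conns


def count_by_state(conns):
    """Histogram of state names, the quick check for lingering WAIT sockets."""
    counts = {}
    for c in conns:
        counts[c["state"]] = counts.get(c["state"], 0) + 1
    return counts


if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE_PROC_NET_TCP
    rows = attribute(parse_proc_net_tcp(text), socket_owners() if live else {})
    for c in rows:
        print("%s:%d -> %s:%d %-12s uid=%d pids=%s" % (
            c["local"] + c["remote"] + (c["state"], c["uid"], c["pids"])))
    print(count_by_state(rows))
```

Run as root on the affected host and compare its output with what netstat -anlp and nethogs show: a row with a non-zero inode and an empty pids list means a socket held by a process you could not read (or one that exited between the two reads), while a TIME_WAIT row with inode 0 is simply the kernel finishing a closed connection and will age out on its own. The same parser applies unchanged to /proc/net/tcp6 and to the per-namespace copies under /proc/<pid>/net/tcp.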

Re: got rooted

Eben King
On Sun, 30 Nov 2014, Pete Theisen wrote:

> On 11/30/2014 07:36 PM, Eben King wrote:
>> On Sun, 30 Nov 2014, Eben King wrote:
>>
>>> All was good until I ran deluge. ... I looked in the router, and there
>>> were several new port-forwarding rules for the ports the connections
>>> were on. Disable them, the connections stop.  OK, delete.  Obviously
>>> deluge put them there.  How did it do that, and how do I stop it, or
>>> at least make it clean up after itself? ...  I'm guessing the router's
>>> running a service that can add rules on demand.
>>
>> It's UPnP, and according to
>>
>> http://forums.verizon.com/t5/FiOS-Internet/No-UPnP-setting-in-MI424WR-Router/td-p/513501
>>
>> there's no way to disable it, as a firmware update Verizon pushed out
>> disabled access to it.  So, the best I can do is block its port.  I
>> think it runs on TCP port 2555.
>
> What is deluge and do you need it?

It's a bittorrent client (deluge, torrent, ha ha).  I could use a different
one, if there's a problem specific to it.  Why do I need it?  Mostly
downloading TV shows (no digital TV tuner).

--
-eben    [hidden email]    ebmanda.redirectme.net:81
LIBRA:  A big promotion is just around the corner for someone
much more talented than you.  Laughter is the very best medicine,
remember that when your appendix bursts next week.  -- Weird Al