Possible security breach? System behaving in very odd manners

Nicolas Ouellette nicolas.ouellette at sympatico.ca
Wed Dec 5 05:30:55 UTC 2007


Hi there. I've been using Kubuntu for some time now, and have been experiencing 
very, VERY weird stuff recently (sorry if this mail is long: right now I want 
to connect to the net as briefly as possible, so I put as much info as I can in 
it):

1. On two or three occasions (especially at night or when I left my box alone 
for long periods and then came back to use it again), I turned on the screen 
and KDE would no longer respond. Kwin seemed dead. Nothing would work anymore 
and I had to reboot. At first I thought it was just some problem related to 
the nvidia proprietary driver (I had problems with it some time ago).

2. Yesterday, the problem got worse: when I turned on the screen, I was logged 
off KDE. I had the kdm login screen waiting for me. I NEVER log off my 
session, so I figured this was not a very good sign.

3. I tried running clamscan on my whole system, because, hey!, you never know. 
Nothing very exciting showed up though. I also ran rkhunter, which is a 
rootkit detection tool. Few things showed up, but I could not take the time 
to investigate them thoroughly. (Will post the results upon request).

4. Afterwards, I read through the various system logs but found nothing of 
interest. 

5. I began to feel a little bit paranoid, so I changed my password. But 
afterwards I thought: "Hey, is it possible someone installed a keylogger on 
my system, and would have access to the new root password that way?"

6. Feeling a bit more frightened, I installed snort (I thought it was already 
installed, but I forgot I had it uninstalled prior to upgrading to Gutsy), 
and let it run for the day.

7. After a hard day's work, I looked at /var/log/snort/alert and saw horrible 
things: 

[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
[Priority: 3]
12/04-06:57:10.447880 69.157.135.148:33057 -> 66.230.200.228:80
TCP TTL:64 TOS:0x0 ID:17911 IpLen:20 DgmLen:479 DF
***AP*** Seq: 0xCD91DADD  Ack: 0x51982DB0  Win: 0x16B0  TcpLen: 20

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
12/04-07:30:50.509573 69.157.133.27 -> 69.157.135.148
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:165 DF

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
[Priority: 3]
12/04-09:49:38.656213 69.157.135.148:47804 -> 68.142.207.53:80
TCP TTL:64 TOS:0x0 ID:28435 IpLen:20 DgmLen:608 DF
***AP*** Seq: 0x4D4E83DE  Ack: 0x5C9A46D8  Win: 0x16B0  TcpLen: 20

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Priority: 3]
12/04-09:59:28.488445 69.157.135.148:38203 -> 68.142.207.53:80
TCP TTL:64 TOS:0x0 ID:58292 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xA351CCE2  Ack: 0x64CCD558  Win: 0x16B0  TcpLen: 20

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
12/04-11:25:49.636553 69.157.133.27 -> 69.157.135.148
PROTO:255 TTL:0 TOS:0x0 ID:38044 IpLen:20 DgmLen:161 DF

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
[Priority: 3]
12/04-15:40:35.567394 69.157.135.148:40999 -> 68.142.207.53:80
TCP TTL:64 TOS:0x0 ID:44415 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x44AFC713  Ack: 0x7219DAF8  Win: 0x16B0  TcpLen: 20

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Priority: 3]
12/04-15:41:14.663931 69.157.135.148:41070 -> 68.142.207.53:80
TCP TTL:64 TOS:0x0 ID:4762 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x5F228EE2  Ack: 0xAA9F6372  Win: 0x16B0  TcpLen: 20

If I understand correctly, someone had tried a double-decoding attack, after a 
portscan. (I'm no geek here, I don't fully understand the meaning of those 
entries... :( )

8. Now, I feel very, VERY frightened, because I think a malicious person might 
have hacked into my system and may gain control over my box and data.

I want to say that I'm not an übergeek, but I'm aware of the many dangers 
lurking on the net and how to protect my system from them as best as I can 
(firewall, IDS, virus scan, rootkit detector, no easy-cheesy passwords, and 
so on...).

The 1G $ questions are: what are the chances I've been hacked? Could there 
really be a trojan, rootkit, keylogger, etc. installed on my system? If so, 
how could I find it and get rid of it? How do you guys make your system 
secure? Was anybody hacked on this list? If so, what did you do? In the end, 
am I really too paranoid? 

Any help is welcome. Now I have to go to bed, so I will disconnect, and see 
your answers tomorrow morning. Thank you for your time, and sorry again for 
this LOOOOONG post.

Cheers,
-- 
Nicolas Ouellette
Étudiant au M.A, philosophie
Registered linux user #368073
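One check a defender wants to do before reacting to a Snort alert file like the one above is to sort each alert by the direction of the flow relative to the monitored host: an alert whose source is the local machine was raised on traffic that machine sent out (for the http_inspect preprocessor, that means a URL this host's own browser requested), whereas an alert whose destination is the local machine was raised on traffic aimed at it. The script below is an added example, not code from the post or from the Snort project; it parses the full-format alert layout shown in the post and counts alerts per direction and preprocessor. It assumes that 69.157.135.148 is the address of the monitored host (it is the destination of the portscan alerts and the source of the HTTP alerts in the post, but the post does not say so), and the embedded alert text is a constructed excerpt in the same format, not a verbatim copy of the log.

```python
"""Sort Snort full-format alerts by flow direction relative to the monitored host.

Added example: parses the /var/log/snort/alert layout shown in the post and
reports, per direction (inbound / outbound / transit) and per preprocessor,
how many alerts were raised.
"""
import re
from collections import Counter

# Assumption: the monitored host's own address (not stated in the post).
LOCAL_HOST = "69.157.135.148"

# Constructed sample in the layout of /var/log/snort/alert. Signature IDs and
# addresses follow the post, but this is an excerpt written for the example.
SAMPLE_ALERTS = """\
[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
[Priority: 3]
12/04-06:57:10.447880 69.157.135.148:33057 -> 66.230.200.228:80
TCP TTL:64 TOS:0x0 ID:17911 IpLen:20 DgmLen:479 DF
***AP*** Seq: 0xCD91DADD  Ack: 0x51982DB0  Win: 0x16B0  TcpLen: 20

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
12/04-07:30:50.509573 69.157.133.27 -> 69.157.135.148
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:165 DF

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
[Priority: 3]
12/04-09:49:38.656213 69.157.135.148:47804 -> 68.142.207.53:80
TCP TTL:64 TOS:0x0 ID:28435 IpLen:20 DgmLen:608 DF
***AP*** Seq: 0x4D4E83DE  Ack: 0x5C9A46D8  Win: 0x16B0  TcpLen: 20
"""

# Line 1: "[**] [gid:sid:rev] (preprocessor) MESSAGE [**]"; the "(preproc)"
# part is only present for preprocessor alerts, not for ordinary rules.
HEADER_RE = re.compile(
    r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<preproc>[\w-]+)\) )?(?P<msg>.+?) \[\*\*\]$")
# Line 2: "[Priority: n]"  (Snort's default scale: 1 high, 2 medium, 3 low)
PRIORITY_RE = re.compile(r"^\[Priority: (?P<prio>\d+)\]$")
# Line 3: "MM/DD-hh:mm:ss.usec src[:port] -> dst[:port]"; portscan alerts
# carry no ports, so both port groups are optional.
FLOW_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")


def parse_alerts(text):
    """Return one dict per alert block; blocks are separated by a blank line."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        if len(lines) < 3:
            continue
        head = HEADER_RE.match(lines[0])
        prio = PRIORITY_RE.match(lines[1])
        flow = FLOW_RE.match(lines[2])
        if not (head and prio and flow):
            raise ValueError("unrecognised alert block:\n" + block)
        rec = {**head.groupdict(), **flow.groupdict()}
        rec["priority"] = int(prio.group("prio"))
        rec["sig"] = f"{rec['gid']}:{rec['sid']}:{rec['rev']}"
        alerts.append(rec)
    return alerts


def classify(alert, local_ip):
    """'outbound' if the local host sent the flow, 'inbound' if it received it."""
    if alert["src"] == local_ip and alert["dst"] != local_ip:
        return "outbound"
    if alert["dst"] == local_ip:
        return "inbound"
    return "transit"  # neither endpoint is the host; seen on a span/tap port


def summarize(text, local_ip):
    """Count alerts by (direction, preprocessor-or-'rule')."""
    counts = Counter()
    for alert in parse_alerts(text):
        counts[(classify(alert, local_ip), alert["preproc"] or "rule")] += 1
    return counts


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_ALERTS):
        print(f"{classify(alert, LOCAL_HOST):8} prio={alert['priority']} "
              f"{alert['sig']:10} {alert['src']} -> {alert['dst']}  {alert['msg']}")
    print(dict(summarize(SAMPLE_ALERTS, LOCAL_HOST)))
```

Run against the sample, the two http_inspect alerts come out as outbound (requests this host made to port 80 of remote web servers) and the portscan alert as inbound from 69.157.133.27, so only the latter concerns traffic directed at the box; all three carry priority 3, the lowest of Snort's three default levels. Pointing the script at the real file (`parse_alerts(open("/var/log/snort/alert").read())`) gives the same breakdown for the full day, which is the starting point for deciding which entries merit a look at the firewall logs.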
