Have I been hacked?


megadave
03-11-2003, 02:17 AM
Hi all:

I just had Mozilla take a spaz and balloon up to 100 MB in memory when I tried to compose an email, so I drop to a console and run ps -aux so I can find the pid and kill it.

Well, I notice a bunch of stuff running that I don't recall seeing before.

nfsd 10 times. I look it up and it's a network file system daemon. Sort of odd, since I'm not sharing anything, nor mounting anything.

I also see rpc.mountd, which I'm assuming is the remote procedure call mount daemon. Doesn't sound like it needs to be running, and I don't recall seeing it before.

I also see statd, which is reboot notification for file locks on NFS mounts, run by the rpc user.

So I'm feeling a little vulnerable right now seeing all this, not knowing if I am compromised.

System is Red Hat 8. Here's my process listing off of a fresh reboot.

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 4.7 0.1 1336 480 ? S 01:08 0:04 init
root 2 0.0 0.0 0 0 ? SW 01:08 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW 01:08 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN 01:08 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW 01:08 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW 01:08 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 01:08 0:00 [kupdated]
root 8 0.0 0.0 0 0 ? SW 01:08 0:00 [mdrecoveryd]
root 12 0.0 0.0 0 0 ? SW 01:08 0:00 [kjournald]
root 68 0.0 0.0 0 0 ? SW 01:08 0:00 [khubd]
root 270 0.0 0.0 0 0 ? SW 01:08 0:00 [kjournald]
root 273 0.0 0.0 0 0 ? SW 01:08 0:00 [kjournald]
root 274 0.0 0.0 0 0 ? SW 01:08 0:00 [kjournald]
root 613 0.0 0.4 2056 1028 ? S 01:08 0:00 /sbin/dhclient -1
root 668 0.0 0.2 1400 540 ? S 01:08 0:00 syslogd -m 0
root 672 0.0 0.1 1336 428 ? S 01:08 0:00 klogd -x
rpc 689 0.0 0.2 1484 532 ? S 01:08 0:00 portmap
rpcuser 708 0.0 0.2 1528 728 ? S 01:08 0:00 rpc.statd
root 800 0.3 0.5 3276 1468 ? S 01:08 0:00 /usr/sbin/sshd
root 814 0.0 0.3 2088 896 ? S 01:08 0:00 xinetd -stayalive
root 832 0.0 0.2 3272 548 ? S 01:08 0:00 rpc.rquotad
root 837 0.0 0.0 0 0 ? SW 01:08 0:00 [nfsd]
root 838 0.0 0.0 0 0 ? SW 01:08 0:00 [nfsd]
root 839 0.0 0.0 0 0 ? SW 01:08 0:00 [nfsd]
root 840 0.0 0.0 0 0 ? SW 01:08 0:00 [nfsd]
root 841 0.0 0.0 0 0 ? SW 01:08 0:00 [nfsd]
root 842 0.0 0.0 0 0 ? SW 01:08 0:00 [nfsd]
root 843 0.0 0.0 0 0 ? SW 01:08 0:00 [nfsd]
root 844 0.0 0.0 0 0 ? SW 01:08 0:00 [nfsd]
root 845 0.0 0.0 0 0 ? SW 01:08 0:00 [lockd]
root 846 0.0 0.0 0 0 ? SW 01:08 0:00 [rpciod]
root 852 0.0 0.1 1456 484 ? S 01:08 0:00 rpc.mountd
root 870 0.0 0.8 5040 2264 ? S 01:08 0:00 sendmail: accepti
smmsp 880 0.0 0.8 4856 2048 ? S 01:08 0:00 sendmail: Queue r
root 890 0.0 0.1 1372 432 ? S 01:08 0:00 gpm -t imps2 -m /
root 899 0.0 0.2 1512 612 ? S 01:08 0:00 crond
xfs 930 0.0 1.2 4424 3108 ? S 01:08 0:00 xfs -droppriv -da
root 939 0.0 0.2 1360 576 ? SN 01:08 0:00 anacron -s
daemon 948 0.0 0.2 1368 520 ? S 01:08 0:00 /usr/sbin/atd
root 960 0.0 0.2 3108 540 ? S 01:08 0:00 rhnsd --interval
root 974 0.0 0.1 1316 404 tty1 S 01:09 0:00 /sbin/mingetty tt
root 975 0.0 0.1 1316 404 tty2 S 01:09 0:00 /sbin/mingetty tt
root 976 0.0 0.1 1316 404 tty3 S 01:09 0:00 /sbin/mingetty tt
root 977 0.0 0.1 1316 404 tty4 S 01:09 0:00 /sbin/mingetty tt
root 978 0.0 0.1 1316 404 tty5 S 01:09 0:00 /sbin/mingetty tt
root 979 0.0 0.1 1316 404 tty6 S 01:09 0:00 /sbin/mingetty tt
root 980 0.1 1.1 12752 2936 ? S 01:09 0:00 /usr/bin/gdm-bina
root 1025 0.3 1.4 13524 3688 ? S 01:09 0:00 /usr/bin/gdm-bina
root 1026 1.5 6.6 28312 17104 ? S<L 01:09 0:00 /usr/X11R6/bin/X
dave 1040 0.5 3.1 16296 8096 ? S 01:09 0:00 /usr/bin/gnome-se
dave 1083 0.0 0.3 2900 992 ? S 01:09 0:00 /usr/bin/ssh-agen
dave 1088 0.7 1.8 8300 4852 ? S 01:09 0:00 /usr/libexec/gcon
dave 1090 0.1 0.8 5588 2176 ? S 01:09 0:00 /usr/libexec/bono
dave 1092 0.3 2.3 11664 6092 ? S 01:09 0:00 /usr/bin/metacity
dave 1095 1.2 2.7 16080 7100 ? S 01:09 0:00 gnome-settings-da
dave 1098 0.0 0.5 2644 1296 ? S 01:09 0:00 fam
dave 1103 0.0 0.1 1668 432 ? S 01:09 0:00 esd -terminate -n
dave 1110 0.1 0.6 3592 1656 ? S 01:09 0:00 xscreensaver -nos
dave 1113 1.4 3.9 17740 10204 ? S 01:09 0:00 gnome-panel --sm-
dave 1115 2.7 5.9 40168 15320 ? S 01:09 0:00 nautilus --no-def
dave 1117 0.3 2.1 14232 5560 ? S 01:09 0:00 magicdev --sm-cli
dave 1120 0.0 1.4 10328 3756 ? S 01:09 0:00 pam-panel-icon --
dave 1122 1.4 4.9 22056 12612 ? S 01:09 0:00 /usr/bin/python /
root 1123 0.0 0.1 1364 476 ? S 01:09 0:00 /sbin/pam_timesta
dave 1134 1.4 3.2 16880 8228 ? S 01:09 0:00 gnome-terminal
dave 1135 0.1 0.5 4184 1492 pts/0 S 01:09 0:00 bash
root 1161 0.0 0.3 3832 1016 pts/0 S 01:09 0:00 su
root 1164 0.2 0.5 4152 1460 pts/0 S 01:09 0:00 bash
root 1190 0.0 0.3 2740 772 pts/0 R 01:09 0:00 ps -aux

chrism01
03-11-2003, 09:35 AM
Well, those are the NFS daemons all right (rpc = remote procedure call).
Try e.g. chkconfig/ntsysv/tksysv to stop them starting at boot time.
Check firewall and block the port(s); see /etc/services file for port/name pairs.
Check /etc/fstab and /etc/exports.
HTH

bwkaz
03-11-2003, 10:34 AM
You probably also want to look at stopping the "portmap" program (the RPC portmapper).

And if you want to see more of the command line for some of those programs, ps ax will help. FYI. ;)

At a guess, I'd say that it's possible you've been cracked, but for some reason I doubt it. More likely is that RH's setup thought that you'd want NFS on, so it turned on all these services for you. Turn them off (with chkconfig/tksysv/ntsysv, as chrism01 said) and keep watching for them. If they come back, then yeah, you may have been hacked.

/etc/exports is the file that lists which directories to make available via NFS.
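A small audit script for the checks chrism01 and bwkaz describe (which RPC/NFS services are set to start at boot, and what /etc/exports hands out). This is an added example, not code from either poster; the chkconfig output and exports file below are constructed samples, not megadave's real system, and the function and variable names are my own.

```shell
#!/bin/sh
# Audit NFS/RPC boot services and exports on a chkconfig-based system (e.g. Red Hat 8).

# Constructed sample of `chkconfig --list` output (not from the poster's box).
SAMPLE_CHKCONFIG='nfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Constructed sample /etc/exports: one export open to any host, one restricted to a subnet.
SAMPLE_EXPORTS='# exports file
/home/dave   *(rw)
/var/ftp/pub 192.168.1.0/24(ro)'

# rpc_services_enabled <chkconfig-list-output> <runlevel>
# Prints the NFS-related services (nfs, nfslock, portmap) that start in that runlevel.
rpc_services_enabled() {
    printf '%s\n' "$1" | awk -v rl="$2" '
        $1 ~ /^(nfs|nfslock|portmap)$/ {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")          # "5:on" -> kv[1]="5", kv[2]="on"
                if (kv[1] == rl && kv[2] == "on") print $1
            }
        }'
}

# world_exports <exports-file-content>
# Prints directories exported to any host: client spec "*" or no client spec at all.
world_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        NF == 1 || $2 ~ /^\*/ { print $1 }'
}

# On a live box, feed the functions the real data instead of the samples:
#   rpc_services_enabled "$(chkconfig --list)" "$(runlevel | cut -d' ' -f2)"
#   world_exports "$(cat /etc/exports)"
# Anything flagged that you do not use can be turned off with
#   chkconfig nfs off; chkconfig nfslock off; chkconfig portmap off
# and stopped now with "service nfs stop" etc.; re-run the audit after a reboot
# to see whether anything has come back on its own.
```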