ce serveur est-il compromis ?

**fourchette** · 17/02/2014, 19h02

Depuis 3 semaines environ j'ai un serveur (ubuntu 12.04) connecté à internet derrière une livebox que j'opère par ssh (auth par clé ssh exclusivement). j'applique les maj du systeme plusieurs fois par semaine (apt-get update && apt-get upgrade -y)

Ce serveur résoud des requetes DNS. Principalement pour des raisons de debug, j'ai commencé à logguer les requetes DNS qui m'étaient effectuées

je vais bientot monitorer sa configuration réseau pour le moment je n'ai pas d'image de sa consommation "normale" (je ne sais pas si je spamme quoi)

j'ai observé auj 8 requetes qui ne me plaisent pas, comme par exemple
client 127.0.0.1#46486: query: 200.51.174.61.dial.wz.zj.dynamic.163data.com.cn IN A + (127.0.0.1)
client 127.0.0.1#54843: query: 207.51.174.61.dial.wz.zj.dynamic.163data.com.cn IN A + (127.0.0.1)

parmi les noms d'hotes que j'ai vu dans le log dns sur les autres jours

195.51.174.61.dial.wz.zj.dynamic.163data.com.cn
196.51.174.61.dial.wz.zj.dynamic.163data.com.cn
197.49.174.61.dial.wz.zj.dynamic.163data.com.cn
200.51.174.61.dial.wz.zj.dynamic.163data.com.cn
207.51.174.61.dial.wz.zj.dynamic.163data.com.cn
208.51.174.61.dial.wz.zj.dynamic.163data.com.cn
211.51.174.61.dial.wz.zj.dynamic.163data.com.cn
214.51.174.61.dial.wz.zj.dynamic.163data.com.cn
218.51.174.61.dial.wz.zj.dynamic.163data.com.cn
245.90.85.222.broad.zz.ha.dynamic.163data.com.cn

je n'explique pas que mon serveur (localhost) ait légitimement besoin de résoudre un nom vers ce qui ressemble bcp à un serveur virtuel low cost chinois

je l'ai passé au chkrootkit pour voir. visiblement il ne m'a rien trouvé

Ce serveur est-il compromis ?

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
root:~# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/pymodules/python2.7/.path
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files...
/tmp/monitoring/index.php
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth1: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/dhcpd[2218])
Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Wed Feb 5 08:01:28 2014 and Wed Feb 5 08:40:06 2014
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
root:~#