Quoting Ryan O'Rourke <tclug at ryanorourke.org>:
> I don't understand what good that does if your system has been rooted 
> though. Why can't an attacker just change those saved binaries as well?
> 
> Well, after booting from a Knoppix cd, mounting my drives, and running 
> chkrootkit on them I get "Checking 'su' ... INFECTED". Not a good sign.
> 
> Now the question is - how do I go about figuring out how it was done? 
> What kind of forensics can I do to turn this into a learning 
> experience before I reformat and reinstall?

First, I'm glad you realize the need to reload this machine. A lot of people
want to save a compromised machine, which is not recommended. As far as learning, check
to see if you have any unpatched services or an unpatched kernel. Also,
chkrootkit should give you an idea of what was used on your system. A lot of
those tools will target a specific vulnerability. Try checking the history file
for root. Check out the logs, you may see some sort of irregularity which can
help you identify when things went down, possibly even something letting you
know what happened.
The amount of learning that you will be able to do will be dependent on how good
the person who compromised your machine was. If they were clueful at all the
history file will be removed after they logout, the logs will be cleansed and
you will be lucky to figure out how they got in. In this case refer back to the
vulnerable services and make a best guess.

> I'm kind of suspecting that one of my Windows users may be at fault 
> here. Is it possible that one of them may have been compromised first 
> and then the attacker used a password or key found in WinSCP to 
> compromise my system? Or is it more likely the attack just came from 
> the Internet directly through my one open port, past my router, past 
> my firewall, and breached that way?

All things are possible, but a direct compromise is probably more likely. If you
are running anything with a vulnerability and a known remote exploit, look for a
direct compromise. If not, look for anything with a privilege escalation
vulnerability, including the kernel.

Josh
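The checks suggested above (root's history file, cleansed logs, binaries compared against saved copies), as an added example that is not part of the original thread: POSIX shell helpers meant to be run from the live CD against the mounted, suspect drive. The mount layout, the baseline hash-file format and the sample tree are assumptions.

```shell
#!/bin/sh
# Offline triage of a suspect root filesystem mounted (read-only) under $1,
# e.g. /mnt/suspect after booting a live CD. Added example; the directory
# layout and the baseline-file format are assumptions, not from the thread.

# Root's shell history: intruders delete it, empty it, or link it to /dev/null.
history_status() {
    h="$1/root/.bash_history"
    if [ -L "$h" ]; then
        [ "$(readlink "$h")" = /dev/null ] && echo nulled || echo symlink
    elif [ ! -e "$h" ]; then echo missing
    elif [ ! -s "$h" ]; then echo empty
    else echo present
    fi
}

# Login/system logs that exist but are empty: typical of log-cleaning tools.
zeroed_logs() {
    for f in var/log/wtmp var/log/lastlog var/log/messages var/log/auth.log; do
        [ -e "$1/$f" ] && [ ! -s "$1/$f" ] && echo "$f"
    done
    return 0
}

# Compare binaries against sha256 sums recorded while the system was known
# good (plain `sha256sum` output, paths relative to /). Prints changed paths.
# The trusted sha256sum comes from the live CD; never run the suspect's.
changed_binaries() {
    while read -r sum path; do
        cur=$(sha256sum "$1/$path" 2>/dev/null | cut -d' ' -f1)
        [ "$cur" = "$sum" ] || echo "$path"
    done < "$2"
}

# Constructed sample tree (not a real system) so the helpers can be exercised.
make_sample() {
    mkdir -p "$1/root" "$1/bin" "$1/var/log"
    ln -s /dev/null "$1/root/.bash_history"
    printf 'clean su\n' > "$1/bin/su"; printf 'clean ls\n' > "$1/bin/ls"
    (cd "$1" && sha256sum bin/su bin/ls) > "$1/baseline.sha256"  # taken when clean
    printf 'trojaned su\n' > "$1/bin/su"                           # later replaced
    : > "$1/var/log/wtmp"                                          # zeroed by cleaner
}

if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d); make_sample "$d"
    echo "history: $(history_status "$d")"; zeroed_logs "$d"
    changed_binaries "$d" "$d/baseline.sha256"; rm -rf "$d"
fi
```

Run with `--demo` to see the constructed tree flagged; on a real case, point the functions at the mount point and at a baseline hash file kept off the machine.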

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list