Hacker attack through Skype

I have just suffered a hacker attack on Linux. Yes, on Linux. I was relying too much on its security and I didn’t have a firewall set up.

The only symptom I noticed was when everything suddenly stopped responding and the keyboard light began flashing. I restarted the computer, installed firestarter and two rootkit detectors, chkrootkit and rkhunter.

The RK detectors found no known rootkits, but they discovered the following suspicious hidden folders:

/usr/lib/firefox/.autoreg
/usr/lib/jvm/.java-6-sun.jinfo
/usr/lib/jvm/java-6-sun-1.6.0.03/.systemPrefs
/lib/modules/2.6.22-14-386/volatile/.mounted
/etc/.java
/dev/.udev
/dev/.tmp-2-0
/dev/.static
/dev/.initframes

Googling for them showed no results, so I suppose none of them is a part of the distribution. I removed some of them, while the others couldn’t be removed, with rm returning “Device or resource busy”.

Edit: Other users have found them too, however no official response was given. I am currently not sure whether these folders are a part of the distro or the rootkit is so widespread, but some look very suspicious.
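Before deleting a dot-directory that a rootkit scanner flags, a defender wants two facts the scanner does not give: whether the path lives on a kernel-backed virtual filesystem (tmpfs, devtmpfs, proc), which is recreated at boot and is where rm answers “Device or resource busy” for mount points, and whether an installed package owns it. The script below is an added example, not code from the post or from chkrootkit/rkhunter; it assumes a Debian/Ubuntu host for the dpkg -S query, and the mount table it is tested against is a constructed sample, not the author’s machine.

```python
"""Triage 'hidden' paths reported by a rootkit scanner (added example).

For each path: (1) find the mount that contains it and report whether that
mount is a virtual filesystem, (2) otherwise ask dpkg which package owns it.
"""
import subprocess

# Filesystems the kernel or udev populate at boot; nothing here is on disk.
VIRTUAL_FS = {"tmpfs", "devtmpfs", "proc", "sysfs", "devpts", "debugfs"}

# Constructed sample in /proc/mounts format (an Ubuntu 7.x-style layout with
# /dev and the per-kernel 'volatile' directory on tmpfs). Not a real capture.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
tmpfs /dev tmpfs rw,mode=0755 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /lib/modules/2.6.22-14-386/volatile tmpfs rw,mode=0755 0 0
"""


def parse_mounts(mounts_text):
    """Return [(mount_point, fstype), ...] from text in /proc/mounts format."""
    mounts = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts.append((fields[1], fields[2]))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the (mount_point, fstype) that contains `path`."""
    best = ("", None)
    for mount_point, fstype in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if len(mount_point) > len(best[0]):
                best = (mount_point, fstype)
    return best


def package_owner(path):
    """Package that installed `path` per `dpkg -S`, or None if unowned/no dpkg."""
    try:
        proc = subprocess.run(["dpkg", "-S", path], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    # dpkg prints "pkg: /path" (or "pkg1, pkg2: /path"); keep the package part.
    return proc.stdout.split(":", 1)[0].strip() or None


def triage(paths, mounts_text, owner_lookup=package_owner):
    """Map each path to (fstype, verdict) where verdict is one of
    'virtual-fs', 'owned-by:<pkg>' or 'unowned'."""
    mounts = parse_mounts(mounts_text)
    results = {}
    for path in paths:
        _, fstype = mount_for(path, mounts)
        if fstype in VIRTUAL_FS:
            verdict = "virtual-fs"          # recreated at boot; not on disk
        else:
            owner = owner_lookup(path)
            verdict = f"owned-by:{owner}" if owner else "unowned"
        results[path] = (fstype, verdict)
    return results


if __name__ == "__main__":
    # Live run: real mount table and real dpkg on the current host.
    with open("/proc/mounts") as fh:
        live_mounts = fh.read()
    for p, (fs, verdict) in triage(["/dev/.udev", "/etc/.java"], live_mounts).items():
        print(f"{p}: fs={fs} {verdict}")
```

An “unowned” result on a real filesystem is the case worth a closer look (timestamps, contents, which process recreates it); a “virtual-fs” result explains the rm failure rather than indicating persistence on disk.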

The next step was to fire up Firestarter. It showed a large number of connection attempts on port 52621 from a bunch of hosts, which I blocked. The bunch of hosts was really huge, it even included my girlfriend’s computer.
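The pattern that alarmed the author, many distinct hosts hitting one local port, is something a defender can pull out of the firewall log automatically instead of reading it by eye. Firestarter is a front end to iptables, whose LOG target writes “SRC=… PROTO=… DPT=…” lines to the kernel log. The script below is an added example, not code from the post or from Firestarter; the log lines in it are constructed (documentation addresses, invented timestamps), and the `expected_peers` set models the author’s point that only a couple of Skype contacts were expected to reach the machine.

```python
"""Fan-in detection over netfilter LOG lines (added example).

Counts distinct source addresses per (protocol, destination port) and flags
ports reached by more unexplained hosts than a threshold.
"""
import re
from collections import defaultdict

# Fields of an iptables LOG line we need; other fields may sit in between.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample, not a capture from the author's machine.
SAMPLE_LOG = """\
Jan 12 20:01:03 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=48 PROTO=TCP SPT=3452 DPT=52621 WINDOW=65535
Jan 12 20:01:04 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.11 DST=192.0.2.5 LEN=48 PROTO=TCP SPT=1049 DPT=52621 WINDOW=8192
Jan 12 20:01:05 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=48 PROTO=TCP SPT=3453 DPT=52621 WINDOW=65535
Jan 12 20:01:07 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 PROTO=UDP SPT=6001 DPT=52621 LEN=40
Jan 12 20:01:09 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.5 LEN=48 PROTO=TCP SPT=2211 DPT=22 WINDOW=5840
Jan 12 20:01:10 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 12 20:01:11 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.12 DST=192.0.2.5 LEN=48 PROTO=TCP SPT=4040 DPT=52621 WINDOW=65535
"""


def sources_per_port(log_text):
    """Map (proto, dport) -> set of distinct source addresses seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a LOG line, or no port (ICMP)
        seen[(m["proto"], int(m["dpt"]))].add(m["src"])
    return seen


def fan_in_alerts(seen, min_sources, expected_peers=frozenset()):
    """Ports contacted by at least `min_sources` distinct hosts after removing
    `expected_peers` (addresses you do expect inbound traffic from)."""
    alerts = {}
    for (proto, dport), srcs in seen.items():
        unexplained = srcs - set(expected_peers)
        if len(unexplained) >= min_sources:
            alerts[(proto, dport)] = sorted(unexplained)
    return alerts


if __name__ == "__main__":
    counts = sources_per_port(SAMPLE_LOG)
    for (proto, dport), srcs in fan_in_alerts(counts, 3).items():
        print(f"{proto}/{dport}: {len(srcs)} distinct sources: {', '.join(srcs)}")
```

Feeding the real kernel log (for example the output of `dmesg` or `/var/log/messages`) through `sources_per_port` and comparing the result against the peers you actually expect turns a vague “lots of connections” into a specific list of unexplained sources per port that can be checked against the application’s documented behaviour.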

Then I discovered what I believe is the root of the problem: Skype. The firewall allows connections from trusted programs, including Firefox, Kopete the MSN client, and Skype. However, the services Skype’s connections used included traceroute and portscanning, both used by hackers to gain information.

Also, I haven’t received a connection attempt to port 52621 from my girlfriend since she deleted Skype (I told her to do so). So it was definitely Skype’s fault. She also told me she had no idea there was anything going on on her computer, and neither did I until it froze. Neither Maja nor I have got any weird things from Skype, Messenger or anywhere else, so the worm apparently works without the user’s help.

There is almost no way to detect it, since every firewall has to allow Skype’s connections, and most users don’t actively monitor their web traffic.

So, my dear readers: beware of Skype. There is a large botnet of rootkited computers, running either Windows or Linux, connected through Skype’s protocol. If you can get your firewall to selectively filter Skype’s traffic, you should enable only the ports used for talking. Otherwise, if you look for alternatives, you can use WengoPhone. It’s not as good as Skype, but it’s open-source.


2 Comments

  1. anonymous coward:

    Skype uses your bandwidth in a p2p fashion. If you had actually read about Skype you would know to expect traffic from it on your machine. Having said that, I don’t personally use it because of this. You really haven’t discovered anything unless you provide more details.

  2. The Nomad:

    Maybe I overreacted a little. But still my comp suddenly broke down in a very rootkit-like manner, and hundreds of connections on the same port while I only have 2 Skype contacts seemed frightening.
