When I run the "last" command I get this output:

dbuffoni pts/0        62.98.75.83      Sun Sep 23 19:03 - 19:08  (00:05)
leofire  ftp          ppp-4-10.27-151. Sun Sep 23 15:45 - 19:45  (04:00)
leofire  ftp          ppp-4-10.27-151. Sun Sep 23 15:44 - 15:44  (00:00)
fraghi   pts/0        151.17.72.243    Sun Sep 23 15:43 - 15:50  (00:06)
pB       ************                  Thu Jan  1 01:00 - 01:00  (00:00)
leofire  pts/0        ppp-4-10.27-151. Sun Sep 23 04:49 - 04:54  (00:04)
fraghi   pts/0        151.17.128.9     Sat Sep 22 15:37 - 15:50  (00:13)
guybrush ftp          flat-p01-m224.ar Sat Sep 22 14:53   still logged in
fraghi   pts/0        151.17.128.9     Sat Sep 22 14:51 - 15:37  (00:45)
dbuffoni ftp          62.98.76.173     Sat Sep 22 12:43 - 12:57  (00:13)
dbuffoni pts/0        62.98.76.173     Sat Sep 22 12:31 - 12:57  (00:25)
5        ************                  Thu Jan  1 01:00 - 01:00  (00:00)
praise   pts/0        62.98.133.24     Sat Sep 22 01:53 - 03:12  (01:19)
leofire  ftp          ppp-227-6.27-151 Sat Sep 22 00:30   still logged in
leofire  ftp          ppp-227-6.27-151 Sat Sep 22 00:30   still logged in
guybrush ftp          flat-p07-m022.ar Sat Sep 22 00:17 - 00:27  (00:10)

Everything is working fine on my system. At least it looks like that. But what do the "pB" and "5" strange users mean? And the dates are not right.

The /var/log/messages is regular, except for:

Oct 8 05:10:03 main in.ftpd[16381]: connect from rg@217.128.174.129 (217.128.174.129)

rg is not a user on my system! Just checked.

Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)

and root can't connect to ftp when I try it. What could these entries mean?

I have brought down my PC and I have checked passwd and the log files with the SuSE rescue system. Everything looks as regular as when I did that from the compromised (?) system.

My system is SuSE 7.1; the only open ports are 22 (ssh) and the one for ftp (21). I use in.ftpd (the standard one in inetd.conf). last gives me the same problem on a laptop PC, which is not directly connected to the internet, but is often in the same network as the other compromised system.

Can anybody tell me that I am not hacked and that these are only common bugs???

Praise
I saw a similar thing in my log yesterday.

ewhiting pts/0        laptop           Tue Oct  9 19:22 - down   (00:04)
xL       ****@*******                  Wed Dec 31 17:00 - down   (11605+01:26

I checked messages, /usr/sbin, /sbin, netstat. I did a 12 hr tcpdump to watch for unexpected traffic. I did not find anything that looked bad. I'm still a little uncertain about it.

My box is a SuSE 7.2. It sits behind a simple HW firewall. Only open ports on the FW are 22, 25, and 80.

Could this be a case of reiserfs corruption of the wtmp file?

eric

Praise wrote:
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
At 16:00, Thursday 11 October 2001, you wrote:
It could be corruption of the wtmp file, but I am using ext2. Maybe this is caused by some power failure, but some "errors" happened after the last power failure. So I don't believe this path.

Praise
On several SuSE 7.2 Prof (4 machines), I have the same problem.
Yup...

On 11-Oct-01 Praise wrote:
Everything is working fine on my system. At least it looks like that. But what do the "pB" and "5" strange users mean? And the dates are not right.
Hmm... Doesn't look too good. First of all, is this a home system or some kind of productively used host? Does it reside in a LAN, and if so, how's the LAN connected to the internet? What types of OSs do you run on your boxes (Win, Linux...)?

The "pB" and "5" lastlog entries may point to a partly unsuccessful attempt to fog (hide) the (would-be-)intruder's traces.
The /var/log/messages is regular, except for:
Oct 8 05:10:03 main in.ftpd[16381]: connect from rg@217.128.174.129 (217.128.174.129)
rg is not a user on my system! Just checked.
Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)
and root can't connect to ftp when I try it. What could these entries mean?
Uhm... "rg" breaks the weak security of your box... rg uploads root kits and logs in... rg (locally) overflows some vulnerable daemons, or setuid apps, or rg installs a sniffer... rg gets the root pass... rg installs a root kit... rg installs bots... etc.

That's *not* an analysis of your log entries above, it's just the way it goes quite often. It may be different in your case.
I have brought down my PC and I have checked passwd and the log files with the SuSE rescue system. Everything looks as regular as when I did that from the compromised (?) system.
How did you check it?
My system is SuSE 7.1; the only open ports are 22 (ssh) and the one for ftp (21). I use in.ftpd (the standard one in inetd.conf). last gives me the same problem on a laptop PC, which is not directly connected to the internet, but is often in the same network as the other compromised system.
Can anybody tell me that I am not hacked and that these are only common bugs???
From the sparse data you provided, it's not easy to tell whether you've been visited by system crackers.

If this is not a production box, take it offline (you did that already - good), save some files you'll need later and *wipe* the box. Install a fresh new Linux and step forth by securing your system. Start from the SuSE Security FAQ ( http://www.susesecurity.com/faq ). The same goes for other boxes in your net. Probably some of your boxes (Win?!) are inherently insecure and gave way after being hit by CodeRed(II) and relatives.

However, all that are just guesses. It's hard to tell without the proper data.
Boris Lorenz
Disconnect it from the internet, but don't wipe it until you are sure what happened. I wouldn't even power it down until you have checked it for running daemons etc. Check http://www.cert.org/tech_tips/root_compromise.html for steps to take to find out if you were indeed hacked.

Those wtmp entries are indeed strange. Are you logging failed attempts as well (lastb)? If so, do you see strangeness there as well?

As for the connect from root@ etc.: those are not local users, those are the remote users connecting to your system.

Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)

means the root user of 203.90.83.203 connected to your ftp port. As you obviously don't know this machine, this may have been an attempt to gain illegal access, but from the log entries you provide we can't see if it was successful.

Once you've found out exactly what happened, THEN wipe the machine. If you re-install without knowing how (and if) they got in, chances are you will leave the same hole open again and they will just get back on after you've reinstalled.

HTH
Stefan
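Praise's `last` output and Stefan's reading of the in.ftpd lines come down to the same move: look at the raw records instead of trusting the tool that prints them. The Python below is an added example, not code from anyone in this thread. It reads wtmp as what it is, an array of fixed-size struct utmp records (glibc's x86 Linux layout, 384 bytes, 32- and 64-bit alike), and flags records that no login path writes: a zeroed ut_tv, which `last` prints in local time as 1 Jan 1970, i.e. the "Thu Jan 1 01:00" seen above in CET; a user name such as "pB" or "5" that useradd would not accept; a user not in passwd; an empty ut_line. It then parses the tcp_wrappers "connect from" lines, treating the part before "@" as the remote host's ident answer (the remote side chooses it, so "root@" says nothing about local root), and pairs ftp sessions in wtmp with connect lines in syslog. The wtmp bytes and syslog lines are constructed for the demo; the year (2001), the timezone (CEST, UTC+2) and the KNOWN_USERS set are assumptions, since neither log carries them.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# glibc 'struct utmp' on x86 Linux (32- and 64-bit): 384 bytes, two pad bytes after ut_type.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384; wtmp and btmp are plain arrays of these
USER_PROCESS, DEAD_PROCESS = 7, 8
VALID_UT_TYPES = set(range(10))  # EMPTY(0) .. ACCOUNTING(9)

# Assumed for the constructed sample: syslog stamps have no year and are local time (CEST,
# UTC+2) while wtmp stores UTC seconds; KNOWN_USERS stands in for /etc/passwd.
SYSLOG_YEAR = 2001
LOCAL_TZ = timezone(timedelta(hours=2))
KNOWN_USERS = {"praise", "dbuffoni", "fraghi", "leofire", "guybrush"}
CONNECT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+)\[\d+\]: "
                        r"connect from (?:(\S+)@)?(\S+) \((\S+)\)$")

def _cstr(raw):  # NUL-terminated field -> str; latin-1 so garbage bytes cannot raise
    return raw.split(b"\0", 1)[0].decode("latin-1")

def parse_wtmp(data):
    """One dict per record; a length that is not a multiple of 384 is itself suspect."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs

def wtmp_anomalies(recs, known_users):
    """Flag records that login/ftpd never write: zeroed time, junk names, unknown accounts."""
    findings = []
    for i, r in enumerate(recs):
        why = []
        if r["type"] not in VALID_UT_TYPES:
            why.append("ut_type %d out of range" % r["type"])
        if r["type"] in (USER_PROCESS, DEAD_PROCESS) and r["time"] == 0:
            why.append("zero timestamp")  # 'last' shows this as Thu Jan 1 1970, 01:00 in CET
        if r["type"] == USER_PROCESS:
            if not re.fullmatch(r"[a-z_][a-z0-9_-]*", r["user"]):  # useradd's default name rule
                why.append("garbage user name %r" % r["user"])
            elif r["user"] not in known_users:
                why.append("user %r not in passwd" % r["user"])
            if not r["line"]:
                why.append("empty ut_line")
        if why:
            findings.append((i, r["user"], why))
    return findings

def parse_connects(lines):
    """tcpd 'connect from [user@]host (ip)': the name before '@' is the remote host's
    ident answer, chosen by the remote side, never one of our accounts."""
    out = []
    for ln in lines:
        m = CONNECT_RE.match(ln)
        if not m:
            continue
        when = datetime.strptime("%d %s" % (SYSLOG_YEAR, m.group(1)), "%Y %b %d %H:%M:%S")
        out.append({"time": int(when.replace(tzinfo=LOCAL_TZ).timestamp()),
                    "service": m.group(2), "ident_user": m.group(3), "ip": m.group(5)})
    return out

def correlate_ftp(recs, connects, window=300):
    """Pair each ftp session in wtmp with a connect line from the same host within `window`
    seconds; return (sessions without a connect line, connects without a session)."""
    sessions = [r for r in recs if r["type"] == USER_PROCESS and r["line"] == "ftp" and r["time"]]
    pending = [c for c in connects if c["service"] == "in.ftpd"]
    no_syslog = []
    for s in sessions:
        hit = next((c for c in pending
                    if c["ip"] == s["host"] and 0 <= s["time"] - c["time"] <= window), None)
        if hit is None:
            no_syslog.append(s)
        else:
            pending.remove(hit)
    return no_syslog, pending

# Constructed sample data, not taken from the original post.
def _rec(ut_type, user, line, host, when):
    return struct.pack(UTMP_FMT, ut_type, 1000, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0)

def _local(mon, day, hh, mm, ss):
    return int(datetime(SYSLOG_YEAR, mon, day, hh, mm, ss, tzinfo=LOCAL_TZ).timestamp())

SAMPLE_WTMP = b"".join([
    _rec(USER_PROCESS, "praise", "pts/0", "62.98.133.24", _local(10, 8, 1, 53, 0)),
    _rec(USER_PROCESS, "pB", "", "", 0),  # the kind of entry the thread asks about
    _rec(USER_PROCESS, "dbuffoni", "ftp", "62.98.76.173", _local(10, 8, 12, 31, 55)),
    _rec(USER_PROCESS, "guybrush", "ftp", "flat-p01-m224.ar", _local(10, 8, 14, 53, 0)),
])
SAMPLE_SYSLOG = [
    "Oct  8 05:10:03 main in.ftpd[16381]: connect from rg@217.128.174.129 (217.128.174.129)",
    "Oct  8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203)",
    "Oct  8 12:31:40 main in.ftpd[17400]: connect from 62.98.76.173 (62.98.76.173)",
]

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    print(wtmp_anomalies(recs, KNOWN_USERS))
    print(correlate_ftp(recs, parse_connects(SAMPLE_SYSLOG)))
```

Run it against a copy of /var/log/wtmp and /var/log/messages taken from the rescue system, not from the running box. An ftp session with no matching connect line means syslog was edited or rotated underneath it; a connect line that never became a session is a failed or abandoned login, which is what btmp (`lastb`) is for. Matching is by the host string exactly as each log recorded it, so a hostname in wtmp and an address in syslog will not pair up without a resolver step.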
Yup,

On 11-Oct-01 Stefan Suurmeijer wrote:
Disconnect it from the internet, but don't wipe it until you are sure what happened. I wouldn't even power it down until you have checked it for running daemons etc. Check http://www.cert.org/tech_tips/root_compromise.html for steps to take to find out if you were indeed hacked.
yeah, I agree with you, first the analysis, then the scratching. But think of this: Would this post "Am I hacked???" appear in this list if the sender had skills in forensic-/post mortem system analysis? I guess not.
A post mortem analysis of a host believed to be cracked is a MUCH, MUCH more complicated process than ANY secure installation of a Linux system could ever be. It takes YEARS for professional analysts before they're able to do their work properly, so personally I would not recommend that to a newbieish-to-security lifeform ;) (NO puns intended!)...

On the other hand, securely installing a Linux box is no trivial, but manageable task; install, switch off any unwanted services, install all relevant security patches, firewall it, go online, and keep up-to-date with the latest vulnerabilities. One finds a helluva lot more info about that than about system analysis, for obvious reasons.

However, the link you provided to CERT's got-root'ed tips really is a good place to start; I have put a more compact version of this topic into the SuSE FAQ at http://www.susesecurity.com/faq ("One of my servers has been cracked open and overtaken by intruders. What now?") as well.

Sorry for my rant ;)

Happy hunting!
Boris Lorenz
* Boris Lorenz;
Well, I think that was one of the reasons for http://project.honeynet.org: by going over the scans of the previous months I think you can learn a lot of information which one day may be helpful. Do not misunderstand me. It is also dangerous when the person is not ready to learn knowledge-wise yet new information is provided; that person may mistakenly believe that he has acquired the knowledge and the skills while in reality he has not. This is also something not wanted. At least the above mentioned site, by giving examples, helps the novice or the experienced to practice and see his limitations.

First of all the site says a default install Red Hat 6.2 has a maximum of 72 hrs. before it is rooted, and more often it takes only 8. Good that I started with SuSE :-)

--
Togan Muftuoglu
Is there a chance that this wtmp entry:

xL       ****@*******                  Wed Dec 31 17:00 - down   (11605+01:26

1) Is caused by a 2.4.x kernel or system issue? or
2) Is a half-failed login attempt?
3) An artifact of hitting the OOM wall and my kernel killing the box?

I know it certainly looks like a hacker is logged in and trying to patch up wtmp, but I can't find other signs of trouble.

I have several SuSE 7.0 and 6.x boxes (various places in networks) that don't have this sign of problems. The person who first pointed this symptom out was on a SuSE 7.1 box running a 2.4.7 kernel. One other person noticed it on 7.2 boxes. My box was 2.4.8pre4 on SuSE 7.2.

I did a check of all /usr/bin, /bin, /sbin files. They all still have the same checksum as these files on a box in another safer world. (I used rsync -cnR -av -e ssh $SRC $DST to check these dirs.) I did a manual scp/diff of netstat/ps/ls/strings.

I did a tcpdump for 12 hrs and checked all the packets. I don't see odd stuff. I'll start another tcpdump.

This box is behind a firewall set to deny all but 22, 25, 80.

It is a fairly new install and I ran YOU when it was first installed (Sep 1) and installed all security patches for 7.2.

eric

Boris Lorenz wrote:
* Eric Whiting;
I did a check of all /usr/bin /bin/ /sbin files. They all still have the same checksum as these files on a box in another safer world. (I used rsync -cnR -av -e ssh $SRC $DST to check these dirs)
I did a manual scp/diff of netstat/ps/ls/strings.
                           ^^^^^^^^^^^^^^^^^^^^^
These would be the first to be replaced by an attacker, AFAIK, in order to hide the files/directories he has installed. So unless you are using these utilities from a safe source I would not have trusted them.

--
Togan Muftuoglu
On Friday 12 October 2001 06:41, Togan Muftuoglu wrote:
For what it's worth... give 'chkrootkit' a try. It already works remarkably well IMHO, even(!) when it runs directly from a compromised system. If (much, much better!) you run it from safe media it will probably find [close to] any and all scriptkiddie(*) rootkits that are in common use today. Of course, YMMV, and all disclaimers apply etc etc...

http://www.chkrootkit.org/

(*) Unlike scriptkiddies, good crackers/hackers can hide from just about anything but that's another story. Just pray you don't get to deal with one of those people. ;-)

Good luck,
Maarten

--
brick (brik) n. (4) pl. Another item that can be used to crash windows.
Maarten J. H. van den Berg ~~//~~ network administrator
van Boetzelaer van Bemmel - Amsterdam - The Netherlands
http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
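Eric's rsync -c comparison, Togan's objection that ps, netstat and ls are the first binaries a rootkit replaces, and Maarten's advice to run chkrootkit from safe media all point at one check: compare content hashes of the tool directories against a baseline that never lived on the suspect box, from a kernel and libc you trust. The Python below is an added example, not chkrootkit's code and not anything posted in the thread. It builds such a manifest (hash, permission bits, size per file), diffs it against a baseline, and lists files that gained setuid/setgid bits, which is how a replaced ps with identical size and restored mtime still shows up. The demo tree and its "binaries" are constructed in a temporary directory; on a real box the baseline comes from a clean install or the distribution's packages, stored off-host, and the script runs from rescue media against the mounted disk.

```python
import hashlib
import os
import tempfile

TOOL_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, subdirs=TOOL_DIRS):
    """Map root-relative path -> (sha256, permission bits, size) for every regular file.
    Content hash rather than mtime: a rootkit restores timestamps, it cannot restore the hash."""
    manifest = {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.islink(p) or not os.path.isfile(p):
                    continue
                st = os.stat(p)
                manifest[os.path.relpath(p, root)] = (hash_file(p), st.st_mode & 0o7777, st.st_size)
    return manifest


def compare(baseline, current):
    """Return (modified, added, removed) path lists; 'modified' covers content or mode changes."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def new_setuid(baseline, current):
    """Files carrying setuid/setgid now that did not in the baseline: classic rootkit leftovers."""
    return sorted(p for p, (_, mode, _) in current.items()
                  if mode & 0o6000 and not (baseline.get(p, ("", 0, 0))[1] & 0o6000))


def _write(root, rel, body, mode=0o755):
    p = os.path.join(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(body)
    os.chmod(p, mode)
    return p


def demo():
    """Constructed scenario: baseline a clean tree, then simulate a rootkit that swaps ps
    for a same-size file, puts its mtime back, and drops a hidden setuid helper."""
    root = tempfile.mkdtemp()
    for rel, body in (("bin/ps", b"clean ps"), ("bin/ls", b"clean ls"),
                      ("bin/netstat", b"clean netstat"), ("usr/bin/strings", b"clean strings")):
        _write(root, rel, body)
    baseline = build_manifest(root)

    ps = os.path.join(root, "bin/ps")
    mtime = os.stat(ps).st_mtime
    _write(root, "bin/ps", b"evil  ps")   # same 8-byte size, same 0755 mode as the clean one
    os.utime(ps, (mtime, mtime))         # timestamp restored, as rootkit installers do
    _write(root, "bin/.x", b"backdoor", 0o4755)
    current = build_manifest(root)
    return compare(baseline, current), new_setuid(baseline, current)


if __name__ == "__main__":
    (modified, added, removed), suid = demo()
    print("modified:", modified, "added:", added, "removed:", removed, "new setuid:", suid)
```

The baseline has to be taken from the disk as seen by a trusted kernel; a manifest built on the compromised box with its own ls and libc proves nothing, which is Togan's point. Size, mode and mtime survive a careful replacement, the content hash does not, so a manifest that only records stat() fields is not enough.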
Is there a chance that this wtmp entry:
xL ****@******* Wed Dec 31 17:00 - down (11605+01:26
1) Is caused by a 2.4.x kernel or system issue? or
It could very well be a hardware flaw. I think an acquaintance of mine had something pretty similar once and it turned out his CPU fan was defective and the CPU overheated. A system crash due to OS issues is possible as well. Without further inspection you can't be sure what it is.
Personally, I think it's likely you are dealing with some kind of hardware/software problem, especially since you sound like you know what you are doing. I'd look into that first. That's the whole point of this thread I think: if you are unsure of what happened there isn't much use in just taking action (re-installing or otherwise).
HTH
Stefan
participants (7): Boris Lorenz, Carlos, Eric Whiting, Maarten J H van den Berg, Praise, Stefan Suurmeijer, Togan Muftuoglu