Hi everybody, well I noticed this behavior on some machines which had a vulnerable version of SSH-v1 - different versions of SuSE (6.4, 7.1) and NO reiserfs - please see (and notice the date of login is the same - maybe this is random but it looks strange for me...):

axelm pts/0 bogart Tue Dec 11 13:59 - 15:11 (01:12)
****p*** p*******p*** ****p*******p*** Sun Apr 7 02:48 - down (10139+16:19
.... ....
****p*** p*******p*** ****p*******p*** Sun Apr 7 02:48 - 02:48 (00:00)
root tty2 Wed Aug 29 14:59 - 15:01 (00:01)

I changed the SSHs and rebooted the machine and then the entries did not appear again. My first guess was that the rootkit was a little bit buggy... BTW: I did not notice any changes in the filesystem or some unknown processes in the /proc dir... Some more experiences?!?

Christoph

Guido Tschakert wrote:
On Wednesday, 2 January 2002 13:32, Marc Wiesenhütter wrote:
Praise wrote:
At 12:52, Sunday 30 December 2001, Marc Wiesenhütter wrote:
Hi, when I just checked user logins with last, I found this entry
***** p*******p*** Thu Jan 1 01:00 still logged in
and user ***** is not known to me. The process table didn't show any strange thing, so am I hacked or what does it mean? Any ideas welcome!
bye Marc
I have been told this is a reiserFS corruption problem... do you use it?
Praise
Hi Praise, yes I did, but I changed it about 1 month ago. Are you really sure, or where can I get some information about it? It would be too great. thanks Marc

I have a lot of silly things in the output of last:

low.html ver.tcl *tions Tue May 20 20:14 - crash (-10781+-5:-
*mime.so log_agent.so so Sun Jun 16 06:51 - crash (-8251+-15:-
-include s.h h Wed Oct 17 08:26 - crash (-10200+-17:
****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 still logged in
cb.o ohci1394_cb. gic_cs.o Thu May 7 23:13 - crash (-8920+-12:-
llowfin. o rnal Sun Oct 4 08:57 - crash (-6878+-22:-
*i5010.o kiss.o Thu Oct 11 13:47 - crash (-10173+-3:-
and for what Praise said: I'm using reiserfs. Seems to me a problem with the filesystem and the format of wtmp. Has there been a new version of reiserfs or last between SuSE 7.2 and SuSE 7.3? I couldn't find that sort of entries on my boxes with SuSE <= 7.2, and also not on all 7.3 (but most).
Is there anyone having some more ideas.
Another possibility is: the rootkit of the cracker is a little bit rotten, in particular the part for last.

--
------------------
Guido Tschakert
Sys-Ad, SRC
------------------
--
Ruhr-Universitaet Bochum
Lehrstuhl fuer Biophysik
L I N U X  >Penguin Computing<
c/o Christoph Wegener
Gebaeude ND 04/Nord
D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626
mailto:cwe@bph.ruhr-uni-bochum.de http://www.bph.ruhr-uni-bochum.de
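Whether the cause is reiserfs corruption or a rootkit whose wtmp-cleaning part is "rotten", both leave records in /var/log/wtmp whose fields are not login names, pids or timestamps, which is what the garbage names and negative durations in the quoted `last` output look like. The script below is an added example for auditing a wtmp file directly rather than trusting `last`; it is not code from anyone in this thread. It assumes glibc's 384-byte `struct utmp` layout on i386/x86_64 Linux (the layout `last` itself reads on those SuSE boxes), and the sample records are constructed to mimic the thread's output, not copied from a real machine.

```python
import struct
import string
from datetime import datetime, timezone

# glibc struct utmp on i386/x86_64 Linux: 384 bytes per record (assumption:
# the SuSE boxes in the thread use exactly this layout for /var/log/wtmp).
#   ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit(hh) ut_session(i) ut_tv(ii) ut_addr_v6[16] __unused[20]
UTMP_FORMAT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

# ut_type values from <utmp.h>
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
VALID_TYPES = set(range(10))  # EMPTY (0) .. ACCOUNTING (9)

LOGIN_NAME_CHARS = set(string.ascii_letters + string.digits + "._-")


def _ts(*ymdhm):
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())


# Plausibility window for ut_tv.tv_sec: nothing in wtmp should predate the
# install or postdate the audit. Fixed to the thread's date so the sample is
# reproducible; on a live box pass int(time.time()) instead.
EARLIEST_PLAUSIBLE = _ts(1999, 1, 1, 0, 0)
REFERENCE_NOW = _ts(2002, 1, 2, 13, 32)


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line, b"", user, host,
                       0, 0, 0, tv_sec, 0, b"\0" * 16, b"\0" * 20)


def parse_wtmp(data):
    """Split a wtmp byte string into dicts; rejects truncated files."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp size %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": f[0],
            "pid": f[1],
            "line": f[2].split(b"\0", 1)[0],
            "user": f[4].split(b"\0", 1)[0],
            "host": f[5].split(b"\0", 1)[0],
            "tv_sec": f[9],
        })
    return records


def audit_record(rec, now_sec=REFERENCE_NOW, earliest_sec=EARLIEST_PLAUSIBLE):
    """Return the reasons a record cannot be a genuine login entry (empty if sane)."""
    reasons = []
    if rec["type"] not in VALID_TYPES:
        reasons.append("unknown ut_type %d" % rec["type"])
    if rec["type"] == USER_PROCESS:
        user = rec["user"]
        if not user:
            reasons.append("USER_PROCESS with empty user")
        elif any(chr(b) not in LOGIN_NAME_CHARS for b in user):
            reasons.append("user field is not a login name: %r" % user)
    if rec["type"] in (USER_PROCESS, DEAD_PROCESS) and rec["pid"] <= 0:
        reasons.append("implausible pid %d" % rec["pid"])
    if not earliest_sec <= rec["tv_sec"] <= now_sec:
        reasons.append("timestamp %d outside plausible window" % rec["tv_sec"])
    return reasons


def audit_wtmp(data, now_sec=REFERENCE_NOW, earliest_sec=EARLIEST_PLAUSIBLE):
    """Return [(record_index, reason), ...] for every suspicious record."""
    findings = []
    for idx, rec in enumerate(parse_wtmp(data)):
        for reason in audit_record(rec, now_sec, earliest_sec):
            findings.append((idx, reason))
    return findings


# Constructed sample wtmp: three sane records modelled on the `last` lines in
# the thread, followed by two records whose fields hold arbitrary bytes.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, b"~", b"reboot", b"2.4.4", _ts(2001, 12, 11, 13, 58)),
    pack_record(USER_PROCESS, 1234, b"pts/0", b"axelm", b"bogart", _ts(2001, 12, 11, 13, 59)),
    pack_record(DEAD_PROCESS, 1234, b"pts/0", b"", b"", _ts(2001, 12, 11, 15, 11)),
    pack_record(USER_PROCESS, 0, b"so", b"*mime.so\x01", b"log_agent.so", 0x7A7A7A7A),
    pack_record(0x6C6F, 0x2E6F, b"h", b"-include", b"s.h", 0),
])

if __name__ == "__main__":
    for idx, reason in audit_wtmp(SAMPLE_WTMP):
        print("record %d: %s" % (idx, reason))
```

On a real machine run it as `audit_wtmp(open("/var/log/wtmp", "rb").read(), int(time.time()))`. A record index tells you where in the file the damage sits: corruption from the filesystem tends to hit a contiguous run of records that line up with block boundaries, whereas a log cleaner usually damages the individual records it tried to edit. Either way the flagged records should be compared against an independent source (sshd entries in /var/log/messages, or a wtmp copy on a different disk) before deciding between the two explanations discussed above.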