Hi, when I just checked users' logins with last, I found this entry
    ***** p*******p*** Thu Jan 1 01:00 still logged in
and user ***** is not known to me. The process table didn't show anything strange, so am I hacked, or what does it mean? Any ideas welcome!
bye Marc
Hi,

first I would get for instance chkrootkit from http://www.chkrootkit.org - unzip/untar, type 'make sense' in ./chkrootkit-0.34 and then run ./chkrootkit

This will probably detect the most basic infections/trojans etc. Read the README file - it explains what it will do for you.

With lsof|grep IPv4 you will be able to see a lot of info on listening programs and open connections - this might show you if your system is running any servers that you actually don't know of. I say 'might' because the smarter hacker will hide his presence by replacing important commands like ls, ps, netstat and maybe also lsof - in which case you cannot trust the results anymore. I have found attacks by also checking for suspicious files in dirs like /tmp and so on. Some silly script kiddies leave enough info to make it possible to identify most of their activity - at least that's what I have experienced.

Hope this will give you a start.

Erwin

---

Marc Wiesenhütter wrote:
Hi, when I just checked users' logins with last, I found this entry
    ***** p*******p*** Thu Jan 1 01:00 still logged in
and user ***** is not known to me. The process table didn't show anything strange, so am I hacked, or what does it mean? Any ideas welcome!
bye Marc

--
Erwin Zierler | web- / host- / postmaster - stubainet.at
erwin.zierler@stubainet.at / webmaster@stubainet.at
Tel.: 0 5225 - 64325  Fax 99  Mobil: 0664 - 130 67 91
"Erwin Zierler - stubainet.at" wrote:
Hi,
first I would get for instance chkrootkit from http://www.chkrootkit.org - unzip/untar type 'make sense' in ./chkrootkit-0.34 and then run ./chkrootkit
This will probably detect the most basic infections/trojans etc. Read the README file - it explains what it will do for you.
With lsof|grep IPv4 you will be able to see a lot of info on listening programs and open connections - this might show you if your system is running any servers that you actually don't know of. I say 'might' because the smarter hacker will hide his presence by replacing important commands like ls, ps, netstat and maybe also lsof - in which case you cannot trust the results anymore. I have found attacks by also checking for suspicious files in dirs like /tmp and so on. Some silly script kiddies leave enough info to make it possible to identify most of their activity - at least that's what I have experienced.
Hope this will give you a start.
Erwin
---
Hi, thanks for your advice, I checked the 3 things, but there is nothing strange at all. Everything looks normal but this user. Where can I get any info in my logs where ***** comes from?
On Sun, 30 Dec 2001 the mental interface of Marc Wiesenhütter told:
"Erwin Zierler - stubainet.at" wrote:
Hi,
first I would get for instance chkrootkit from http://www.chkrootkit.org - unzip/untar type 'make sense' in ./chkrootkit-0.34 and then run ./chkrootkit
This will probably detect the most basic infections/trojans etc. Read the README file - it explains what it will do for you.
With lsof|grep IPv4 you will be able to see a lot of info on listening programs and open connections - this might show you if your system is running any servers that you actually don't know of. I say 'might' because the smarter hacker will hide his presence by replacing important commands like ls, ps, netstat and maybe also lsof - in which case you cannot trust the results anymore. I have found attacks by also checking for suspicious files in dirs like /tmp and so on. Some silly script kiddies leave enough info to make it possible to identify most of their activity - at least that's what I have experienced.
Hope this will give you a start.
Erwin
---
Hi, thanks for your advice, I checked the 3 things, but there is nothing strange at all. Everything looks normal but this user. Where can I get any info in my logs where ***** comes from?

Hi Erwin,

did you check your /etc/passwd | grep ***** ?

Ciao
Elimar

--
It's a good thing we don't get all the government we pay for.
At 12:52, Sunday 30 December 2001, Marc Wiesenhütter wrote:
Hi, when I just checked users' logins with last, I found this entry
    ***** p*******p*** Thu Jan 1 01:00 still logged in
and user ***** is not known to me. The process table didn't show anything strange, so am I hacked, or what does it mean? Any ideas welcome!
bye Marc

I have been told this is a ReiserFS corruption problem... do you use it?

Praise
Praise wrote:
At 12:52, Sunday 30 December 2001, Marc Wiesenhütter wrote:
Hi, when I just checked users' logins with last, I found this entry
    ***** p*******p*** Thu Jan 1 01:00 still logged in
and user ***** is not known to me. The process table didn't show anything strange, so am I hacked, or what does it mean? Any ideas welcome!
bye Marc
I have been told this is a ReiserFS corruption problem... do you use it?
Praise

Hi Praise, yes I did, but I changed it about 1 month ago. Are you really sure, or where can I get some information about it? It would be too great.
thanks Marc
On Wednesday, 2 January 2002 13:32, Marc Wiesenhütter wrote:
Praise wrote:
At 12:52, Sunday 30 December 2001, Marc Wiesenhütter wrote:
Hi, when I just checked users' logins with last, I found this entry
    ***** p*******p*** Thu Jan 1 01:00 still logged in
and user ***** is not known to me. The process table didn't show anything strange, so am I hacked, or what does it mean? Any ideas welcome!
bye Marc
I have been told this is a ReiserFS corruption problem... do you use it?
Praise
Hi Praise, yes I did, but I changed it about 1 month ago. Are you really sure, or where can I get some information about it? It would be too great. thanks Marc

I have a lot of silly things in the output of last:

    low.html ver.tcl *tions Tue May 20 20:14 - crash (-10781+-5:-
    *mime.so log_agent.so so Sun Jun 16 06:51 - crash (-8251+-15:-
    -include s.h h Wed Oct 17 08:26 - crash (-10200+-17:
    ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 still logged in
    cb.o ohci1394_cb. gic_cs.o Thu May 7 23:13 - crash (-8920+-12:-
    llowfin. o rnal Sun Oct 4 08:57 - crash (-6878+-22:-
    *i5010.o kiss.o Thu Oct 11 13:47 - crash (-10173+-3:-

and for what Praise said: I'm using reiserfs. Seems to me a problem with the filesystem and the format of wtmp. Has there been a new version of reiserfs or last between SuSE 7.2 and SuSE 7.3? I couldn't find that sort of entries on my boxes with SuSE <= 7.2, and also not on all 7.3 (but most).

Is there anyone having some more ideas?

Another possibility is: the rootkit of the cracker is a little bit rotten, in particular the part for last.

--
Guido Tschakert
Sys-Ad, SRC
At 18:02, Thursday 3 January 2002, Guido Tschakert wrote:
On Wednesday, 2 January 2002 13:32, Marc Wiesenhütter wrote:
Praise wrote:
At 12:52, Sunday 30 December 2001, Marc Wiesenhütter wrote:
Hi, when I just checked users' logins with last, I found this entry
    ***** p*******p*** Thu Jan 1 01:00 still logged in
and user ***** is not known to me. The process table didn't show anything strange, so am I hacked, or what does it mean? Any ideas welcome!
bye Marc
I have been told this is a ReiserFS corruption problem... do you use it?
Praise
Hi Praise, yes I did, but I changed it about 1 month ago. Are you really sure, or where can I get some information about it? It would be too great. thanks Marc
I have a lot of silly things in the output of last:

    low.html ver.tcl *tions Tue May 20 20:14 - crash (-10781+-5:-
    *mime.so log_agent.so so Sun Jun 16 06:51 - crash (-8251+-15:-
    -include s.h h Wed Oct 17 08:26 - crash (-10200+-17:
    ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 still logged in
    cb.o ohci1394_cb. gic_cs.o Thu May 7 23:13 - crash (-8920+-12:-
    llowfin. o rnal Sun Oct 4 08:57 - crash (-6878+-22:-
    *i5010.o kiss.o Thu Oct 11 13:47 - crash (-10173+-3:-

and for what Praise said: I'm using reiserfs. Seems to me a problem with the filesystem and the format of wtmp. Has there been a new version of reiserfs or last between SuSE 7.2 and SuSE 7.3? I couldn't find that sort of entries on my boxes with SuSE <= 7.2, and also not on all 7.3 (but most).
Is there anyone having some more ideas?
Another possibility is: the rootkit of the cracker is a little bit rotten, in particular the part for last.

I had logs similar to those of Marc, only on my one ReiserFS machine and SuSE 7.1. But I have not found any information about bugs like this; it should have been noticed by someone at namesys, shouldn't it?

Praise
On Thursday, 3 January 2002 18:02, Guido Tschakert wrote:
On Wednesday, 2 January 2002 13:32, Marc Wiesenhütter wrote:
Praise wrote:
I have been told this is a reiserFS corruption problem... do you use it?
Hi Praise, yes I did, but I changed it about 1 month ago. Are you really sure, or where can I get some information about it? It would be too great.
I have a lot of silly things in the output of last: <...> and for what praise said: I'm using reiserfs. Seems to me a problem with the filesystem and the format of wtmp, have
No, AFAIK it is that reiserfs has a journal for metadata but no journal for data, so that when your server crashes while making changes to wtmp, the inode data goes in the journal and is replayed on reboot, but the data in those inodes has not been written and contains, in your case, perhaps a deleted directory.

Read this: http://people.spoiled.org/jha/ext3-faq.html

Q: I updated ext3 today. Got all of my mounts converted. Now on boot, I see: "EXT3-fs: mounted filesystem with ordered data mode". Is this normal?

Here is an explanation of the different journal modes for ext3, where you can choose between data integrity and performance. reiserfs must have made this choice for you. I found this page while looking at benchmark results between ext3 and reiserfs and found some comments on the ext3 journal mode.

I guess this is not a reiserfs bug, but a data inconsistency which may happen if you run a journaling fs.
Another possibility is: the rootkit of the cracker is a little bit rotten, in particular the part for last.
This is another possibility. (It would be my last guess.)

Peter
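As an added example, not code from any of the posters, here is a small Python triage script for the situation Peter describes: it parses wtmp records and flags entries whose user name, tty line or timestamp cannot have come from a real login, so that stale disk blocks can be told apart from logins worth investigating. It assumes the 384-byte glibc struct utmp layout of current Linux (the SuSE 7.x layout of the time may differ), and the two sample records are constructed inline; a ut_tv of 0 is exactly what last prints as "Thu Jan 1 01:00" in CET, like the entry in Marc's post.

```python
import re
import struct
import time

# Assumed record layout: glibc struct utmp on Linux, 384 bytes per entry.
# The SuSE 7.x wtmp of the time may differ; adjust the format for other libcs.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")  # plausible login name
LINE_RE = re.compile(r"^(tty[A-Za-z0-9]+|pts/[0-9]+|~|system boot|run-level [0-9S])$")

def cstr(b):
    # Decode a NUL-padded C string; junk bytes survive as U+FFFD
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": cstr(f[2]),
                     "user": cstr(f[4]), "host": cstr(f[5]), "sec": f[9]})
    return recs

def suspicious(rec, now=None):
    """Reasons a record looks like stale disk blocks rather than a real login."""
    now = time.time() if now is None else now
    reasons = []
    if rec["type"] not in range(10):
        reasons.append("unknown ut_type")
    if rec["type"] == USER_PROCESS:
        if rec["pid"] <= 0:
            reasons.append("non-positive pid")
        if not NAME_RE.match(rec["user"]):
            reasons.append("implausible user name")
        if not LINE_RE.match(rec["line"]):
            reasons.append("implausible tty line")
    # 631152000 = 1990-01-01 UTC; ut_tv of 0 is what last prints as Thu Jan 1 1970
    if rec["sec"] < 631152000 or rec["sec"] > now + 86400:
        reasons.append("timestamp out of range")
    return reasons

def make_rec(ut_type, pid, line, user, host, sec):
    # Constructed sample record; real wtmp entries are written by login/init
    return struct.pack(UTMP_FMT, ut_type, pid, line, b"", user, host,
                       0, 0, 0, sec, 0, 0, 0, 0, 0)

# Constructed sample: one genuine login, then junk shaped like the thread's entry
SAMPLE_WTMP = (make_rec(USER_PROCESS, 1234, b"pts/0", b"axelm", b"bogart", 1008077940)
               + make_rec(USER_PROCESS, 0x2E6F2E63, b"p*******p***", b"****p***", b"", 0))
```

Run it against a copy of /var/log/wtmp taken from a read-only mount or a forensic image rather than the live file, and pass `now` explicitly when the box's clock is itself in doubt.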
Hi everybody,

well, I noticed this behavior on some machines which had a vulnerable version of SSH-v1 - different versions of SuSE (6.4, 7.1) and NO reiserfs - please see (and notice the date of login is the same - maybe this is random, but it looks strange to me...):

    axelm pts/0 bogart Tue Dec 11 13:59 - 15:11 (01:12)
    ****p*** p*******p*** ****p*******p*** Sun Apr 7 02:48 - down (10139+16:19
    .... ....
    ****p*** p*******p*** ****p*******p*** Sun Apr 7 02:48 - 02:48 (00:00)
    root tty2 Wed Aug 29 14:59 - 15:01 (00:01)

I changed the SSHs and rebooted the machine, and then the entries did not appear again. My first guess was that the rootkit was a little bit buggy... BTW: I did not notice any changes in the filesystem or some unknown processes in the /proc dir...

Some more experiences?!?

Christoph

Guido Tschakert wrote:
On Wednesday, 2 January 2002 13:32, Marc Wiesenhütter wrote:
Praise wrote:
At 12:52, Sunday 30 December 2001, Marc Wiesenhütter wrote:
Hi, when I just checked users' logins with last, I found this entry
    ***** p*******p*** Thu Jan 1 01:00 still logged in
and user ***** is not known to me. The process table didn't show anything strange, so am I hacked, or what does it mean? Any ideas welcome!
bye Marc
I have been told this is a ReiserFS corruption problem... do you use it?
Praise
Hi Praise, yes I did, but I changed it about 1 month ago. Are you really sure, or where can I get some information about it? It would be too great. thanks Marc

I have a lot of silly things in the output of last:

    low.html ver.tcl *tions Tue May 20 20:14 - crash (-10781+-5:-
    *mime.so log_agent.so so Sun Jun 16 06:51 - crash (-8251+-15:-
    -include s.h h Wed Oct 17 08:26 - crash (-10200+-17:
    ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 still logged in
    cb.o ohci1394_cb. gic_cs.o Thu May 7 23:13 - crash (-8920+-12:-
    llowfin. o rnal Sun Oct 4 08:57 - crash (-6878+-22:-
    *i5010.o kiss.o Thu Oct 11 13:47 - crash (-10173+-3:-

and for what Praise said: I'm using reiserfs. Seems to me a problem with the filesystem and the format of wtmp. Has there been a new version of reiserfs or last between SuSE 7.2 and SuSE 7.3? I couldn't find that sort of entries on my boxes with SuSE <= 7.2, and also not on all 7.3 (but most).
Is there anyone having some more ideas?
Another possibility is: the rootkit of the cracker is a little bit rotten, in particular the part for last.

--
Guido Tschakert
Sys-Ad, SRC
--
Christoph Wegener
Ruhr-Universitaet Bochum, Lehrstuhl fuer Biophysik
Gebaeude ND 04/Nord, D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754  Fax: +49 (234) 32-14626
mailto:cwe@bph.ruhr-uni-bochum.de  http://www.bph.ruhr-uni-bochum.de