Is there a chance that this wtmp entry:

    xL ****@******* Wed Dec 31 17:00 - down (11605+01:26)

1) is caused by a 2.4.x kernel or system issue?
2) is a half-failed login attempt?
3) is an artifact of hitting the OOM wall and my kernel killing the box?

I know it certainly looks like a hacker is logged in and trying to patch up wtmp, but I can't find other signs of trouble. I have several SuSE 7.0 and 6.x boxes (in various places in networks) that don't show this sign of problems. The person who first pointed this symptom out was on a SuSE 7.1 box running a 2.4.7 kernel. One other person noticed it on 7.2 boxes. My box was 2.4.8pre4 on SuSE 7.2.

I did a check of all /usr/bin, /bin and /sbin files. They all still have the same checksums as these files on a box in another, safer world. (I used rsync -cnR -av -e ssh $SRC $DST to check these dirs.) I did a manual scp/diff of netstat/ps/ls/strings. I did a tcpdump for 12 hrs and checked all the packets. I don't see odd stuff. I'll start another tcpdump.

This box is behind a firewall set to deny all but 22, 25 and 80. It is a fairly new install and I ran YOU when it was first installed (Sep 1) and installed all security patches for 7.2.

eric

Boris Lorenz wrote:
Yup,
On 11-Oct-01 Stefan Suurmeijer wrote:
Disconnect it from the internet, but don't wipe it until you are sure what happened. I wouldn't even power it down until you have checked it for running daemons etc. Check http://www.cert.org/tech_tips/root_compromise.html for steps to take to find out if you were indeed hacked.
yeah, I agree with you, first the analysis, then the scratching. But think of this: Would this post "Am I hacked???" appear in this list if the sender had skills in forensic-/post mortem system analysis? I guess not.
Those wtmp entries are indeed strange. Are you logging failed attempts as well (lastb)? If so do you see strangeness there as well? As for the connect from root@ etc: those are not local users, those are the remote users connecting to your system. Oct 8 10:56:13 main in.ftpd[17131]: connect from root@203.90.83.203 (203.90.83.203) means the root user of 203.90.83.203 connected to your ftp port. As you obviously don't know this machine, this may have been an attempt to gain illegal access, but from the log entries you provide we can't see if it was successful. Once you've found out exactly what happened, THEN wipe the machine. If you re-install without knowing how (and if) they got in, chances are you will leave the same hole open again and they will just get back on after you've reinstalled.
A post mortem analysis of a host believed to be cracked is a MUCH, MUCH more complicated process than ANY secure installation of a Linux system could ever be. It takes YEARS for professional analysts before they're able to do their work properly, so personally I would not recommend that to a newbieish-to-security lifeform ;) (NO puns intended!)...
On the other hand, securely installing a Linux box is a non-trivial but manageable task: install, switch off any unwanted services, install all relevant security patches, firewall it, go online, and keep up to date with the latest vulnerabilities. One finds a helluva lot more info about that than about system analysis, for obvious reasons.
However, the link you provided to CERT's got-root'ed tips really is a good place to start; I have put a more compact version of this topic into the SuSE FAQ at http://www.susesecurity.com/faq ("One of my servers has been cracked open and overtaken by intruders. What now?") as well.
Sorry for my rant ;)
Happy hunting!
HTH
Stefan
Boris Lorenz
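The entry at the top of the thread is what last(1) prints for a wtmp record whose ut_tv field is zero: the login time is the Unix epoch (1 Jan 1970 00:00 UTC, which is Wed Dec 31 17:00 in a UTC-7 zone), and the "- down (11605+01:26)" span is the distance from that zero to a later shutdown record, 11605 days landing in October 2001. The parser below is an added example, not code from the thread or from SuSE; it decodes the glibc struct utmp layout (assumed to be the 384-byte i386 layout of SuSE 7.x), reproduces last's session pairing and duration format, and flags login records with a zeroed timestamp, records whose time runs backwards in what should be an append-only file, and zeroed (EMPTY) records. The input is a constructed in-memory wtmp rather than a real /var/log/wtmp; the same format applies to /var/log/btmp, so the parser also covers what lastb shows.

```python
"""Parse a Linux wtmp/btmp file and flag login records with a zeroed timestamp.

Added example for the thread above, not part of the original post. Assumptions:
glibc struct utmp as laid out on SuSE 7.x/i386 (384 bytes, little-endian), and
a constructed sample file instead of a real /var/log/wtmp.
"""
import struct
import sys
from datetime import datetime, timezone

# <utmp.h>: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination, e_exit}, ut_session, ut_tv{tv_sec, tv_usec},
# ut_addr_v6[4], unused[20].  "<" = little-endian, no implicit alignment padding.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

(EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME,
 INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS) = range(9)


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one 384-byte record; used only to construct the sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, b"")


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Decode wtmp/btmp bytes into a list of dicts (both files share the format)."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "sec": f[9]})
    return recs


def session_end(records, i):
    """Mimic last(1): how did the login in records[i] end?
    Returns (end_sec, label) with label 'logout', 'down' or 'still'."""
    line = records[i]["line"]
    for r in records[i + 1:]:
        if r["type"] == DEAD_PROCESS and r["line"] == line:
            return r["sec"], "logout"
        if r["type"] == RUN_LVL and r["user"] == "shutdown":
            return r["sec"], "down"
    return None, "still"


def duration(start, end):
    """Format a session length the way last(1) does: HH:MM or days+HH:MM."""
    days, rest = divmod(max(end - start, 0), 86400)
    hh, mm = divmod(rest // 60, 60)
    return ("%d+" % days if days else "") + "%02d:%02d" % (hh, mm)


def suspicious_logins(records):
    """Return (index, reason) for records that look truncated or tampered."""
    out, prev = [], 0
    for i, r in enumerate(records):
        if r["type"] in (NEW_TIME, OLD_TIME):      # legitimate clock changes
            prev = r["sec"]
            continue
        if r["type"] in (LOGIN_PROCESS, USER_PROCESS) and r["sec"] == 0:
            out.append((i, "ut_tv.tv_sec is 0: login time is the Unix epoch"))
        elif r["type"] == EMPTY:
            out.append((i, "zeroed (EMPTY) record inside an append-only log"))
        elif r["sec"] < prev:
            out.append((i, "timestamp earlier than the preceding record"))
        prev = max(prev, r["sec"])
    return out


def report(data):
    """One last(1)-style line per suspicious record, UTC, with the reason."""
    recs = parse_utmp(data)
    lines = []
    for i, why in suspicious_logins(recs):
        r = recs[i]
        end, how = session_end(recs, i)
        start = datetime.fromtimestamp(r["sec"], timezone.utc).strftime("%a %b %d %H:%M %Y UTC")
        span = "- %s (%s)" % (how, duration(r["sec"], end)) if end else "still logged in"
        lines.append("%-8s %-8s %s %s   <- %s" % (r["user"], r["line"], start, span, why))
    return lines


def sample_wtmp():
    """Constructed input: boot, a normal session, a zeroed-time login, a shutdown
    11605 days + 1h26m after the epoch (reproduces the '11605+01:26' in the post)."""
    t_boot = 1001500000                       # 2001-09-26 10:26:40 UTC
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "reboot", "", t_boot),
        pack_record(USER_PROCESS, 1234, "pts/0", "eric", "10.0.0.5", t_boot + 600),
        pack_record(DEAD_PROCESS, 1234, "pts/0", "", "", t_boot + 4200),
        pack_record(USER_PROCESS, 4321, "pts/1", "xL", "", 0),   # zeroed ut_tv
        pack_record(RUN_LVL, 0, "~", "shutdown", "", 11605 * 86400 + 1 * 3600 + 26 * 60),
    ])


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_wtmp()
    for entry in report(raw):
        print(entry)
```

Run it with no arguments to see the constructed case, or pass /var/log/wtmp (or /var/log/btmp) from a suspect box; a copy taken with scp to a clean machine avoids trusting the suspect box's own last binary and libc, which is the same reasoning as the scp/diff of netstat and ps described in the post.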
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com