Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] user ***** - am I hacked?
  • From: Christoph Wegener <cwe@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 10 Jan 2002 11:46:02 +0100
  • Message-id: <3C3D70E9.129E0496@xxxxxxxxxxxxxxxxxxxxxx>
Hi everybody,
Well, I noticed this behavior on some machines which had a vulnerable version of
SSH-v1 - different versions of SuSE (6.4, 7.1) and NO reiserfs - please see (and
notice the date of login is the same - maybe this is random but it looks strange
to me...):

axelm pts/0 bogart Tue Dec 11 13:59 - 15:11 (01:12)
****p*** p*******p*** ****p*******p*** Sun Apr 7 02:48 - down (10139+16:19
....
....
****p*** p*******p*** ****p*******p*** Sun Apr 7 02:48 - 02:48 (00:00)
root tty2 Wed Aug 29 14:59 - 15:01 (00:01)

I changed the SSHs and rebooted the machine, and then the entries did not appear
again. My first guess was that the rootkit was a little bit buggy... BTW: I did
not notice any changes in the filesystem or any unknown processes in the /proc
dir...

Some more experiences?!?
Christoph

Guido Tschakert wrote:

> On Wednesday, 2 January 2002 13:32, Marc Wiesenhütter wrote:
> > Praise wrote:
> > > At 12:52, Sunday 30 December 2001, Marc Wiesenhütter wrote:
> > > > Hi,
> > > > When I just checked users' logins with last, I found this entry
> > > >
> > > > ***** p*******p*** Thu Jan 1 01:00 still logged in
> > > >
> > > > and user ***** is not known to me. The process table didn't show
> > > > anything strange, so am I hacked, or what does it mean?
> > > > Any ideas welcome!
> > > >
> > > > bye
> > > > Marc
> > >
> > > I have been told this is a reiserFS corruption problem... do you use it?
> > >
> > > Praise
> >
> > Hi Praise,
> > Yes I did, but I changed it about 1 month ago. Are you really sure, or
> > where can I get some information about it? That would be great.
> > thanks
> > Marc
> I have a lot of silly things in the output of last:
> low.html ver.tcl *tions Tue May 20 20:14 - crash (-10781+-5:-
> *mime.so log_agent.so so Sun Jun 16 06:51 - crash (-8251+-15:-
> -include s.h h Wed Oct 17 08:26 - crash (-10200+-17:
> ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 still logged in
> cb.o ohci1394_cb. gic_cs.o Thu May 7 23:13 - crash (-8920+-12:-
> llowfin. o rnal Sun Oct 4 08:57 - crash (-6878+-22:-
> *i5010.o kiss.o Thu Oct 11 13:47 - crash (-10173+-3:-
>
> and for what praise said: I'm using reiserfs.
> Seems to me like a problem with the filesystem and the format of wtmp. Has there
> been a new version of reiserfs or last between SuSE 7.2 and SuSE 7.3?
> I couldn't find that sort of entry on my boxes with SuSE <= 7.2, and also
> not on all 7.3 boxes (but on most).
>
> Does anyone have some more ideas?
>
> Another possibility is: the rootkit of the cracker is a little bit rotten, in
> particular the part for last.
> --
> ------------------
> Guido Tschakert
> Sys-Ad, SRC
> ------------------
>

--
.-. Ruhr-Universitaet Bochum
/v\ L I N U X Lehrstuhl fuer Biophysik
// \\ >Penguin Computing< c/o Christoph Wegener
/( )\ Gebaeude ND 04/Nord
^^-^^ D-44780 Bochum, GERMANY

Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626
mailto:cwe@xxxxxxxxxxxxxxxxxxxxxx http://www.bph.ruhr-uni-bochum.de
