Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] user ***** - am I hacked?
  • From: Praise <praisetazio@xxxxxxxxxxxxx>
  • Date: Thu, 3 Jan 2002 23:12:21 +0100
  • Message-id: <20020103221122.C74D2E635E@xxxxxxxxxxxx>
On Thursday, 3 January 2002 at 18:02, Guido Tschakert wrote:
> On Wednesday, 2 January 2002 at 13:32, Marc Wiesenhütter wrote:
> > Praise wrote:
> > > On Sunday, 30 December 2001 at 12:52, Marc Wiesenhütter wrote:
> > > > Hi,
> > > > when I just checked user logins with last, I found this entry
> > > >
> > > > ***** p*******p*** Thu Jan 1 01:00 still logged in
> > > >
> > > > and user ***** is not known to me. The process table didn't show any
> > > > strange thing, so am I hacked or what does it mean?
> > > > Any ideas welcome!
> > > >
> > > > bye
> > > > Marc
> > >
> > > I have been told this is a reiserFS corruption problem... do you use
> > > it?
> > >
> > > Praise
> >
> > Hi Praise,
> > yes I did, but I changed it about 1 month ago. Are you really sure, or
> > where can I get some information about it? It would be too great.
> > thanks
> > Marc
>
> I have a lot of silly things in the output of last:
> low.html ver.tcl *tions Tue May 20 20:14 - crash (-10781+-5:-
> *mime.so log_agent.so so Sun Jun 16 06:51 - crash (-8251+-15:-
> -include s.h h Wed Oct 17 08:26 - crash (-10200+-17:
> ****0*** 0*******0*** ****0*******0*** Sun Apr 7 02:39 still logged in
> cb.o ohci1394_cb. gic_cs.o Thu May 7 23:13 - crash (-8920+-12:-
> llowfin. o rnal Sun Oct 4 08:57 - crash (-6878+-22:-
> *i5010.o kiss.o Thu Oct 11 13:47 - crash (-10173+-3:-
>
> and for what praise said: I'm using reiserfs.
> Seems to me a problem with the filesystem and the format of wtmp. Has
> there been a new version of reiserfs or last between SuSE7.2 and SuSE7.3? I
> couldn't find that sort of entries on my boxes with SuSE <= 7.2, and also
> not on all 7.3 (but most).
>
> Is there anyone having some more ideas?
>
> Another possibility is: the rootkit of the cracker is a little bit rotten,
> in particular the part for last.

I had logs similar to those of Marc, only on my one ReiserFS machine and SuSE
7.1.
But I have not found any information about bugs like this; it should have
been noticed by someone at Namesys, shouldn't it?

Praise
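
An added example, not part of the original thread: a sanity check that walks a wtmp file record by record and reports entries that cannot be real login records, which is what `last` is rendering as file-name fragments above. It assumes the 384-byte `struct utmp` layout used by glibc on Linux; the sample bytes and the time window are constructed.

```python
import struct

# Assumed layout: struct utmp as defined by glibc on Linux (384 bytes per record).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
MAX_TYPE = 9          # ut_type runs from EMPTY (0) to ACCOUNTING (9)

def clean_field(raw):
    """True if the field is printable ASCII followed only by NUL padding."""
    return all(0x20 <= c < 0x7F for c in raw.rstrip(b"\0"))

def check_record(raw, earliest, latest):
    """Return the reasons one record looks malformed (empty list = plausible)."""
    f = UTMP.unpack(raw)
    ut_type, line, user, host, tv_sec = f[0], f[2], f[4], f[5], f[9]
    reasons = []
    if not 0 <= ut_type <= MAX_TYPE:
        reasons.append("ut_type %d out of range" % ut_type)
    for name, value in (("ut_line", line), ("ut_user", user), ("ut_host", host)):
        if not clean_field(value):
            reasons.append(name + " is not NUL-padded printable text")
    if not earliest <= tv_sec <= latest:
        reasons.append("timestamp %d outside expected window" % tv_sec)
    return reasons

def scan(data, earliest, latest):
    """Check every record; report (index, reasons) for the implausible ones."""
    findings = []
    whole = len(data) - len(data) % UTMP.size
    for off in range(0, whole, UTMP.size):
        reasons = check_record(data[off:off + UTMP.size], earliest, latest)
        if reasons:
            findings.append((off // UTMP.size, reasons))
    if whole != len(data):
        findings.append((whole // UTMP.size, ["truncated trailing record"]))
    return findings

def sample_wtmp():
    """Constructed sample: one valid login record, then one block of foreign bytes."""
    good = UTMP.pack(7, 1234, b"pts/0", b"ts/0", b"marc", b"host.example",
                     0, 0, 0, 1009800000, 0, 0, 0, 0, 0, b"")
    junk = (b"ohci1394_cb.o\0kiss.o\0" * 20)[:UTMP.size]
    return good + junk

if __name__ == "__main__":
    # Window: 2001-01-01 to 2003-01-01 (constructed to fit the sample record).
    for index, reasons in scan(sample_wtmp(), 978307200, 1041379200):
        print("record", index, "->", "; ".join(reasons))
```

Malformed records show that the file holds bytes never written as utmp entries; on their own they do not say whether the cause is filesystem corruption or a tampered log, the two explanations raised in the thread.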
