I looked into my logfiles and found out that there had not been any sign of life for the last hour, i.e. no MARK, ippl, snort, xntpd entries at all! The last message was produced by fetchmail and even there everything seemed to be ok. I feared that somebody had made it into my system and I had disturbed him while placing a rootkit, so the HD activity was due to his sudden cleanup.
So what? You wrote your system crashed - the logfile was not closed properly.
I looked for rootkits (chkrootkit-0.35) but found nothing of interest and posted my experiences to a newsgroup. A few hours later I found
Feb 6 22:48:23 nephilim kernel: Packet log: input DENY eth0 PROTO=1 212.60.6.125:8 134.169.145.147:0 L=84 S=0x60 I=0 F=0x4000 T=45 (#113)
Feb 6 22:48:29 nephilim last message repeated 5 times
Feb 6 22:49:38 nephilim sshd[11226]: Connection closed by 212.60.6.125
in my syslog and became even more anxious. But I found out that if you try to log in to my box but give ssh a Ctrl-C instead of a password, exactly this message will be produced. Perhaps somebody read my posting and felt curious enough to drop in for a second.
ACK - that's why you should mask your IP even when you post logs to a list.
After that I changed the "Protocol" in sshd_config to 2 (was 2,1 before), even though it is said here that this ssh version is as
Too late!
secure as openssh-3.0. Additionally, I searched for directories beginning with ..* but found nothing. I did an "rpm --verify" on each installed package and got, e.g. for openssh:
S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/ssh_config
SM5....T c /etc/ssh/sshd_config
.M...... /usr/bin/ssh
My guesses:
pam.d/sshd was changed when activating MD5 passwords (>8 characters)
ssh*_config were changed by myself
ssh: hmmm... as one can change file permissions (easy, local, secure), is it possible that after an installation default permissions and groups are overridden by a script that sets the chosen values?
My guesses for ssh - you installed an update with rpm -i instead of rpm -u, or a script such as harden_suse changed attributes. By the way - it's ssh, not sshd. An attacker would exchange the daemon to get in.
So what do you think could have happened? What should be done next? How can I check whether new users/groups were created? How can I verify files on my discs against RPMs and not against a potentially corrupted rpm database? Could this also be explained in a way that KDE or X had an internal problem, perhaps due to some network errors within our LAN (it does not work that perfectly now), and made my system freeze? What will happen if the dhclient does not get appropriate data from the server (or even does not find him)? Could this confuse other programs?
If you think it's not only paranoia, then check this URL for forensic analysis: http://project.honeynet.org/challenge/results/submissions/roessler/evidence.... This doc describes techniques and methods to seek hidden information post mortem. You may want to see other examples too: http://project.honeynet.org/challenge/results/index.html#rankings See the winners :O)
Michael Appeldorn
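A small triage script for the "rpm --verify" output quoted earlier in the thread, as an added example that is not from the thread or from rpm itself: it decodes the SM5DLUGT result columns, treats edits to config files (the "c" attribute) as expected, and ranks content changes on executables highest. The severity rules, the BINARY_DIRS list and the two extra sample entries (/usr/sbin/sshd, /bin/login) are my assumptions.

```python
import re
from collections import namedtuple

# Meaning of each column of an "rpm -V" result string (newer rpm adds a 9th column, P = capabilities).
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "symlink", "U": "user", "G": "group", "T": "mtime", "P": "caps"}
# 8 or 9 flag columns or the word "missing", an optional attribute letter (c = config file), then the path.
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")  # assumed list
EXPECTED_CONFIG_EDITS = {"size", "digest", "mtime"}  # what a hand-edited config file normally shows

Finding = namedtuple("Finding", "path changed is_config severity")

def classify(path, changed, is_config):
    """Rank a mismatch by how hard it is to explain without an intruder (rules are my assumptions)."""
    if "missing" in changed:
        return "high"
    if is_config:
        # Locally edited config files are expected to differ in size/digest/mtime only.
        return "low" if set(changed) <= EXPECTED_CONFIG_EDITS else "medium"
    if "digest" in changed and path.startswith(BINARY_DIRS):
        return "high"      # content of an executable replaced: the classic trojaned-binary sign
    return "medium"        # e.g. mode/owner drift on /usr/bin/ssh: hardening script or tampering, check which

def parse_line(line):
    """Decode one rpm -V line into a Finding, or None for lines that are not verification results."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, path = m.group("flags"), m.group("path")
    changed = ["missing"] if flags == "missing" else [FLAG_MEANING[c] for c in flags if c != "."]
    is_config = m.group("attr") == "c"
    return Finding(path, changed, is_config, classify(path, changed, is_config))

def triage(report):
    """Parse a block of rpm -V output and return the findings, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (parse_line(line) for line in report.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f.severity])

# Constructed sample: the four lines quoted in the thread plus two invented ones for the other cases.
SAMPLE = """\
S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/ssh_config
SM5....T c /etc/ssh/sshd_config
.M...... /usr/bin/ssh
..5....T   /usr/sbin/sshd
missing   /bin/login
"""
```

The script only reads what rpm -V reports, so it inherits the concern raised in the thread about a tampered rpm database; rpm -Vp <package.rpm> verifies against the original package file instead of the installed database.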