compromised SuSE7.3?
  • From: Torsten Wolf <t.wolf@xxxxxxxx>
  • Date: Thu, 7 Feb 2002 12:28:18 +0100
  • Message-id: <200202071128.MAA10435@xxxxxxxxxxxxxxxxxxx>

Yesterday, strange things happened, but let me start from the beginning:
I'm running a PC under SuSE7.3 and kernel 2.4.16(preempt-patch).
openssh-2.9.9p2-74 is the only service listening to the outer world.

Well, I returned home yesterday, switched on the monitor and noticed
that the network in our LAN (which itself is connected to the internet)
seemed to be down. As this happens quite often, I wasn't that amazed,
but when I tried to switch on kwintv via remote control (lirc) nothing
happened. A further mouse click froze the screen immediately, and one of
the hard drives became busy for approx. 15 sec. I managed to reboot the
computer via the magic sysrq keys and when it was back again, there
popped up an error message about the dcopserver (perhaps it didn't like
being killed). Everything seemed to work fine, but nevertheless I
was heavily puzzled! I looked into my logfiles and found out that there
had not been any sign of life for the last hour, i.e. no MARK, ippl,
snort, xntpd entries at all! The last message was produced by fetchmail
and even there everything seemed to be ok. I feared that somebody had
made it into my system and that I had disturbed him while placing a
rootkit, so the hd activity was due to his sudden cleanup. I looked for
rootkits (chkrootkit-0.35) but found nothing of interest and posted my
experiences to a newsgroup. A few hours later I found

Feb 6 22:48:23 nephilim kernel: Packet log: input DENY eth0 PROTO=1 L=84 S=0x60 I=0 F=0x4000 T=45 (#113)
Feb 6 22:48:29 nephilim last message repeated 5 times
Feb 6 22:49:38 nephilim sshd[11226]: Connection closed by

in my syslog and became even more anxious. But I found out that if you
try to log in to my box but give ssh a Ctrl-C instead of a password,
exactly this message will be produced. Perhaps somebody read my posting
and felt curious enough to drop in for a second.

After that I changed the "Protocol" in sshd_config to 2 (was 2,1
before), even though it is said here that this ssh version is as
secure as openssh-3.0. Additionally, I searched for directories
beginning with ..* but found nothing. I did an "rpm --verify" on each
installed package and lo, got e.g. for openssh

S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/ssh_config
SM5....T c /etc/ssh/sshd_config
.M...... /usr/bin/ssh

my guesses:
pam.d/sshd was changed when activating md5 passwords (>8 characters)
ssh*_config were changed by myself
ssh hmmm... as one can change file permissions (easy, local, secure), is
it possible that after an installation default permissions and groups
are overridden by a script that sets the chosen values?

The other packages only showed md5 failures in connection with
configuration files, but there were quite a lot with M and G (see my
last guess above).

So what do you think could have happened? What should be done
next? How can I check whether new users/groups were created? How can I
verify files on my disks against RPMs and not against a potentially
corrupted rpm database? Could this also be explained in a way that KDE
or X had an internal problem, perhaps due to some network errors within
our LAN (it does not work that perfectly now) and made my system freeze?
What will happen if the dhclient does not get appropriate data from
the server (or even does not find it)? Could this confuse other

Really confused greetings
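The `rpm --verify` lines quoted in the post are the kind of output that is easy to misread by eye, so here is an added example (not part of the original message, and not rpm's own tooling) of a small POSIX shell script that classifies such lines. The column letters follow rpm's verify format: S (size), M (mode), 5 (MD5 digest), D (device), L (symlink target), U (user), G (group), T (mtime), followed by an optional attribute letter (`c` marks a config file) and the path. The sample lines embedded below are constructed test data modelled on the ones in the post, not real verification results; the category names (`edited-config`, `review-perms`, `suspicious`, `missing`, `minor`) are this script's own.

```shell
#!/bin/sh
# Added example: classify lines of `rpm -V` / `rpm --verify` output so that
# the interesting cases (content changes to non-config files) stand out from
# the expected ones (edited config files, permission changes).

# Constructed sample output (made-up test values, modelled on the post).
SAMPLE_VERIFY='S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/ssh_config
SM5....T c /etc/ssh/sshd_config
.M...... /usr/bin/ssh
..5....T /usr/sbin/sshd
.....U.. /usr/bin/scp
missing   /usr/share/doc/packages/openssh/README'

# classify_verify_line "LINE"
# Prints "<category> <path>" for one verify line.
classify_verify_line() {
    set -f                  # no pathname expansion while we split the line
    set -- $1               # words: flags [attr] path
    set +f
    flags=$1
    shift
    attr=""
    case $1 in
        c|d|g|l|r) attr=$1; shift ;;   # rpm file attribute letter
    esac
    path=$*

    if [ "$flags" = "missing" ]; then
        printf 'missing %s\n' "$path"
        return 0
    fi

    case $flags in
        *5*|*L*|*D*)
            # Content (digest), symlink target or device node differs.
            if [ "$attr" = "c" ]; then
                case $flags in
                    # an edited config file whose owner/mode also changed
                    *M*|*U*|*G*) printf 'review-perms %s\n' "$path" ;;
                    # edited config file: expected if you changed it yourself
                    *)           printf 'edited-config %s\n' "$path" ;;
                esac
            else
                # a non-config file (binary, library) with changed content
                printf 'suspicious %s\n' "$path"
            fi
            ;;
        *M*|*U*|*G*)
            # only mode/owner/group differ (e.g. a permissions script ran)
            printf 'review-perms %s\n' "$path" ;;
        *)
            # only size/mtime differ
            printf 'minor %s\n' "$path" ;;
    esac
}

# report_verify "MULTI-LINE OUTPUT": classify every line.
report_verify() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] && classify_verify_line "$line"
    done
}

# count_suspicious "MULTI-LINE OUTPUT": number of suspicious entries.
count_suspicious() {
    report_verify "$1" | grep -c '^suspicious ' || true
}

report_verify "$SAMPLE_VERIFY"
```

Run it as `rpm -Va | sh -c '. ./classify.sh; report_verify "$(cat)"'` or paste real output into `SAMPLE_VERIFY`. Two caveats for the situation in the post: `rpm -Vp <package.rpm>` verifies installed files against a package file rather than the local rpm database, and any verification run with the `rpm` binary and libraries of a host you suspect is only as trustworthy as those binaries, so the check is most meaningful from a known-good boot medium.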

