[olug] breakin?
Andrew Embury
drazak at materiamagica.com
Thu Aug 31 15:47:29 UTC 2000
That looks mighty suspicious to me. I would look into running tripwire
since you have it installed and see if the checksums on any files are
different.
Usually when rooted, the attacker runs a "root kit" which changes many
system files making it easier for the attacker to regain access. The only
thing that doesn't make sense is that most root kits clean up the messages
file as a first order of business, so I'm not sure why this didn't happen
here.
If you think you have been compromised, you really have no choice but to
re-install from original media and then harden the system before going
back on the net.
Don't get discouraged, lots of people have been rooted, especially when
starting out.
_Drew
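As an added illustration of the comparison Drew recommends (example code, not part of the original thread or of tripwire itself): a minimal tripwire-style check that records a SHA-256 hash and the setuid/setgid bits of every regular file under a tree, then diffs a baseline snapshot against the current state and reports additions, removals, content changes, permission changes and any change in the set of setuid/setgid files, in the same spirit as the msec warnings in the quoted log. The directory tree, file names and contents are constructed for the demo; run_demo() builds a throwaway tree and simulates the three symptoms reported in the thread: a replaced binary, a new setuid binary, and a log file loosened from 0400 to 0644.

```python
"""Minimal tripwire-style integrity check (added example, not code from
the original thread).  Snapshot a tree, then diff two snapshots."""
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

# per-file record: (sha256 hex digest, is_setuid, is_setgid, permission bits)
Entry = Tuple[str, bool, bool, int]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Entry]:
    """Record hash and privilege bits for every regular file under root.
    lstat() is used so a planted symlink cannot redirect the scan."""
    snap: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            snap[os.path.relpath(path, root)] = (
                sha256_file(path),
                bool(st.st_mode & stat.S_ISUID),
                bool(st.st_mode & stat.S_ISGID),
                stat.S_IMODE(st.st_mode),
            )
    return snap


def diff_snapshots(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Compare a baseline against the current state, tripwire-style."""
    both = set(old) & set(new)
    old_suid = {p for p, e in old.items() if e[1]}
    new_suid = {p for p, e in new.items() if e[1]}
    old_sgid = {p for p, e in old.items() if e[2]}
    new_sgid = {p for p, e in new.items() if e[2]}
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in both if old[p][0] != new[p][0]),
        "mode_changed": sorted(p for p in both if old[p][3] != new[p][3]),
        "suid_added": sorted(new_suid - old_suid),
        "suid_removed": sorted(old_suid - new_suid),
        "sgid_added": sorted(new_sgid - old_sgid),
        "sgid_removed": sorted(old_sgid - new_sgid),
    }


def format_report(diff: Dict[str, List[str]]) -> List[str]:
    """Render the diff as one warning line per finding (msec-like wording)."""
    lines: List[str] = []
    for key, label in (("suid_added", "Added suid root files"),
                       ("sgid_added", "Added suid group files"),
                       ("modified", "Checksum changed"),
                       ("mode_changed", "Permissions changed"),
                       ("added", "New files"), ("removed", "Missing files")):
        for p in diff[key]:
            lines.append("Security Warning: %s : %s" % (label, p))
    return lines


def run_demo() -> Dict[str, List[str]]:
    """Constructed tree: baseline, then a simulated intrusion, then the diff."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")

    def put(rel: str, data: bytes, mode: int) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)  # after the write: writing clears setuid bits

    try:
        put("bin/su", b"#!/bin/sh\necho genuine su\n", 0o4755)
        put("bin/ping", b"#!/bin/sh\necho ping\n", 0o4755)
        put("var/log/messages", b"Jul 25 22:22:01 omhan1 PAM_pwdb[969]: (su)\n", 0o400)
        baseline = snapshot(root)          # taken from a known-good state

        put("bin/su", b"#!/bin/sh\necho trojaned su\n", 0o4755)   # replaced binary
        put("bin/backdoor", b"#!/bin/sh\nexec /bin/sh\n", 0o4755)  # new setuid file
        os.chmod(os.path.join(root, "var/log/messages"), 0o644)   # log perms loosened
        return diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in format_report(run_demo()):
        print(line)
```

The check is only as trustworthy as the baseline and the tool: take the snapshot before the box goes on the net, keep it (and a copy of the checker) on read-only or offline media, and run the comparison from a clean boot, since a root kit that has replaced the binaries can just as easily replace the checker or the stored hashes.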
On Thu, 31 Aug 2000, mesc wrote:
> I think I may have found something to really worry about. This was in my
> /var/log/messages:
> Jul 25 22:22:01 omhan1 PAM_pwdb[969]: (su) session opened for user news by (uid=0)
> Jul 25 22:22:02 omhan1 PAM_pwdb[969]: (su) session closed for user news
> Jul 25 22:25:27 omhan1 PAM_pwdb[1259]: (su) session opened for user root
> by mesc(uid=501)
> Jul 26 00:09:16 omhan1 :
> Jul 26 00:09:16 omhan1 : Security Warning: Change in Suid Root files
> found :
> Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/mount
> Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/ping
> Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/su
> Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/umount
> Jul 26 00:09:16 omhan1 : - Added suid root files : /sbin/pwdb_chkpwd
> Jul 26 00:09:16 omhan1 : - Added suid root files :
> /usr/X11R6/bin/Xwrapper
> Jul 26 00:09:16 omhan1 : - Added suid root files :
> /usr/X11R6/bin/imwheel-solo
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/xlock
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/at
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/atitv
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/atitvout
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chage
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chfn
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chsh
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/crontab
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/dos
>
> Jul 26 00:09:16 omhan1 : - Added suid root files :
> /usr/bin/gpasswd
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/kppp
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lpq
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lpr
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lprm
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/newgrp
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/passwd
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/procmail
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rcp
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rlogin
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rsh
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/sperl5.00503
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/suidperl
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/urpmi
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/vboxbeep
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xatitv
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xatitvc
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xativ
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xcdroast
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/zgv
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/lib/telnetd/login
>
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/libexec/pt_chown
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/sendmail
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/traceroute
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/userhelper
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/usernetctl
> Jul 26 00:09:17 omhan1 :
> Jul 26 00:09:17 omhan1 : Security Warning: Changes in Suid Group files
> found :
> Jul 26 00:09:17 omhan1 : - Added suid group files : /sbin/netreport
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xbill
>
>
> Jul 26 00:09:17 omhan1 : - Added suid group files :
> /usr/X11R6/bin/xhextris
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xkobo
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xman
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/cdrecord
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnibbles
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnobots2
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnome-stones
>
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnomine
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnotravex
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gtali
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gturing
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/iagno
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/kdesud
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lockfile
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lpq
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lpr
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lprm
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/mahjongg
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/man
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/minicom
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/procmail
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/same-gnome
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/slocate
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/wall
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/write
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/xmonisdn
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/games/xsoldier
> Jul 26 00:09:17 omhan1 : - Added suid group files :
> /usr/lib/emacs/20.5/i386-mandrake-linux/movemail
> Jul 26 00:09:17 omhan1 : - Added suid group files :
> /usr/lib/netscape/movemail
> Jul 26 00:09:17 omhan1 : - Added suid group files :
> /usr/lib/xemacs-21.1.8/i386-mandrake-linux/movemail
> Jul 26 00:09:17 omhan1 : - Added suid group files :
> /usr/sbin/gnome-pty-helper
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/lpc
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/sendmail
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/utempter
> Jul 26 00:09:17 omhan1 :
> Jul 26 00:09:17 omhan1 : Security Warning: There is modifications for
> port listening on your machine :
> and I also checked the permissions on /var/log/messages and they too were
> changed from -r------- to -rw-r--r- so this guy (I'm assuming it's the
> same guy) apparently got in (through the news server?), suid'ed a bunch of
> files and changed permissions on at least one file that I know of, and
> I'm sure there's more I haven't found yet. I have tripwire installed but
> being a relative newbie I'm unsure how to restore with it, besides the
> fact that he/she may have a backdoor on my box now. I worked hard getting
> my box the way I liked it, but would I be better off starting over
> with a clean install, or should I try restoring it with tripwire, and if
> so where would I start?
>
> Thank you, Gary Martin
>
>
> mesc wrote:
>
> > I was looking through /var/log/secure when I saw Jul 23 10:55:38
> > omhan1 in.telnetd[1049]: connect from 207.114.4.46 and Jul 27 14:29:03
> > omhan1 in.ftpd[1917]: connect from 203.233.199.252 (yes, from last
> > month, I need to watch my logs better). Now I just have telnet and ftp
> > enabled on my box so I can telnet out or ftp for files; I'm trying to
> > figure out SSH so I can do away with these, but what I need to know is:
> > are these 2 connections just attempts to connect to my box, or did
> > someone in fact connect and login to my box? If so, how can I keep these
> > ppl out, assuming they are coming back?
> >
> > Thank you, Gary Martin
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> > For additional commands, e-mail: olug-help at bstc.net
>