[olug] breakin?

mesc mescie at home.com
Thu Aug 31 05:10:43 UTC 2000


I think I may have found something to really worry about. This was in my
/var/log/messages:

Jul 25 22:22:01 omhan1 PAM_pwdb[969]: (su) session opened for user news by (uid=0)
Jul 25 22:22:02 omhan1 PAM_pwdb[969]: (su) session closed for user news
Jul 25 22:25:27 omhan1 PAM_pwdb[1259]: (su) session opened for user root by mesc(uid=501)
Jul 26 00:09:16 omhan1 :
Jul 26 00:09:16 omhan1 : Security Warning: Change in Suid Root files found :
Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/mount
Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/ping
Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/su
Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/umount
Jul 26 00:09:16 omhan1 : - Added suid root files : /sbin/pwdb_chkpwd
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/Xwrapper
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/imwheel-solo
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/xlock
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/at
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/atitv
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/atitvout
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chage
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chfn
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chsh
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/crontab
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/dos
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/gpasswd
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/kppp
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lpq
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lpr
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lprm
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/newgrp
Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/passwd
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/procmail
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rcp
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rlogin
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rsh
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/sperl5.00503
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/suidperl
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/urpmi
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/vboxbeep
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xatitv
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xatitvc
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xativ
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xcdroast
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/zgv
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/lib/telnetd/login
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/libexec/pt_chown
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/sendmail
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/traceroute
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/userhelper
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/usernetctl
Jul 26 00:09:17 omhan1 :
Jul 26 00:09:17 omhan1 : Security Warning: Changes in Suid Group files found :
Jul 26 00:09:17 omhan1 : - Added suid group files : /sbin/netreport
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xbill
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xhextris
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xkobo
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xman
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/cdrecord
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnibbles
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnobots2
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnome-stones
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnomine
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnotravex
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gtali
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gturing
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/iagno
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/kdesud
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lockfile
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lpq
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lpr
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lprm
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/mahjongg
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/man
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/minicom
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/procmail
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/same-gnome
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/slocate
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/wall
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/write
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/xmonisdn
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/games/xsoldier
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/lib/emacs/20.5/i386-mandrake-linux/movemail
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/lib/netscape/movemail
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/lib/xemacs-21.1.8/i386-mandrake-linux/movemail
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/gnome-pty-helper
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/lpc
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/sendmail
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/utempter
Jul 26 00:09:17 omhan1 :
Jul 26 00:09:17 omhan1 : Security Warning: There is modifications for port listening on your machine :
I also checked the permissions on /var/log/messages and they too were
changed from -r------- to -rw-r--r-, so this guy (I'm assuming it's the
same guy) apparently got in (through the news server?), suid'ed a bunch of
files and changed permissions on at least one file that I know of, and
I'm sure there's more I haven't found yet. I have tripwire installed but,
being a relative newbie, I'm unsure how to restore with it, besides the
fact that he/she may have a backdoor on my box now. I worked hard getting
my box the way I liked it, but would I be better off starting over
with a clean install, or should I try restoring it with tripwire, and if
so where would I start?

Thank you, Gary Martin


mesc wrote:

> I was looking through /var/log/secure when I saw "Jul 23 10:55:38
> omhan1 in.telnetd[1049]: connect from 207.114.4.46" and "Jul 27 14:29:03
> omhan1 in.ftpd[1917]: connect from 203.233.199.252" (yes, from last
> month, I need to watch my logs better). Now I just have telnet and ftp
> enabled on my box so I can telnet out or ftp for files; I'm trying to
> figure out SSH so I can do away with these, but what I need to know is:
> are these 2 connections just attempts to connect to my box, or did
> someone in fact connect and login to my box? If so, how can I keep these
> ppl out, assuming they are coming back?
>
> Thank you, Gary Martin
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> For additional commands, e-mail: olug-help at bstc.net
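The msec "Added suid root/group files" lines above are the kind of thing a baseline comparison can triage quickly. Here is an added example (not from the poster or the list) that parses lines in that exact format, subtracts a known-good baseline of package-owned setuid/setgid paths, and flags leftovers that sit in world-writable or spool directories; the log sample and the baseline are both constructed for the demonstration.

```python
import re

# Constructed sample in the msec log format quoted in the post (not the poster's real log).
SAMPLE_LOG = """\
Jul 26 00:09:16 omhan1 : Security Warning: Change in Suid Root files found :
Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/mount
Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/su
Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/passwd
Jul 26 00:09:17 omhan1 : - Added suid root files : /tmp/.hidden/sh
Jul 26 00:09:17 omhan1 : Security Warning: Changes in Suid Group files found :
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/wall
Jul 26 00:09:17 omhan1 : - Added suid group files : /var/spool/news/.cron
"""

# Constructed baseline of setuid/setgid paths that belong to installed packages.
# On a real host, build it from package metadata on a known-good system (e.g. rpm -V).
BASELINE = {
    "root": {"/bin/mount", "/bin/su", "/usr/bin/passwd", "/bin/ping"},
    "group": {"/usr/bin/wall", "/usr/bin/write"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) : - Added suid "
    r"(?P<kind>root|group) files : (?P<path>/\S+)$"
)

def parse_suid_warnings(text):
    """Return {'root': [paths], 'group': [paths]} from msec 'Added suid ... files' lines."""
    found = {"root": [], "group": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group("kind")].append(m.group("path"))
    return found

def unexpected_suid(found, baseline):
    """Paths reported by msec that are absent from the known-good baseline, per kind."""
    return {kind: sorted(set(paths) - baseline.get(kind, set()))
            for kind, paths in found.items()}

def suspicious_location(path):
    """Heuristic: a setuid/setgid file under a writable or spool directory needs a closer look."""
    return path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/", "/var/spool/", "/home/"))

def triage(text, baseline=BASELINE):
    """Split msec additions into 'unexpected' (not in baseline) and 'flagged' (odd location)."""
    extra = unexpected_suid(parse_suid_warnings(text), baseline)
    flagged = sorted(p for paths in extra.values() for p in paths if suspicious_location(p))
    return {"unexpected": extra, "flagged": flagged}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Anything in "unexpected" that the package manager does not claim is the place to start with tripwire's report; "flagged" entries are the ones to treat as hostile until shown otherwise.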


---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net
