[olug] breakin?

mesc mescie at home.com
Thu Aug 31 15:49:46 UTC 2000


The security warnings were generated by logcheck. What might I run (with
tripwire) to see if any files have been changed?


            Thank you, Gary Martin


Tim Russell wrote:

> Um, yes, that would tend to indicate a problem, to say the least.  You
> should yank the plug on that machine immediately, and at this point you'd
> better reload it completely.
>
> Just out of curiosity, what generated those security warning messages?
> That's pretty cool.
>
> Tim #1
>
> ----- Original Message -----
> From: "mesc" <mescie at home.com>
> To: <olug at bstc.net>
> Sent: Thursday, August 31, 2000 12:10 AM
> Subject: Re: [olug] breakin?
>
> > I think I may have found something to really worry about. This was in my
> > /var/log/messages:
> > Jul 25 22:22:01 omhan1 PAM_pwdb[969]: (su) session opened for user news by (uid=0)
> > Jul 25 22:22:02 omhan1 PAM_pwdb[969]: (su) session closed for user news
> > Jul 25 22:25:27 omhan1 PAM_pwdb[1259]: (su) session opened for user root by mesc(uid=501)
> > Jul 26 00:09:16 omhan1 :
> > Jul 26 00:09:16 omhan1 : Security Warning: Change in Suid Root files
> > found :
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/mount
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/ping
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/su
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/umount
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /sbin/pwdb_chkpwd
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/Xwrapper
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/imwheel-solo
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/xlock
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/at
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/atitv
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/atitvout
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chage
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chfn
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chsh
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/crontab
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/dos
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/gpasswd
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/kppp
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lpq
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lpr
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lprm
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/newgrp
> > Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/passwd
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/procmail
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rcp
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rlogin
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rsh
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/sperl5.00503
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/suidperl
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/urpmi
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/vboxbeep
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xatitv
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xatitvc
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xativ
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xcdroast
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/zgv
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/lib/telnetd/login
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/libexec/pt_chown
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/sendmail
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/traceroute
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/userhelper
> > Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/usernetctl
> > Jul 26 00:09:17 omhan1 :
> > Jul 26 00:09:17 omhan1 : Security Warning: Changes in Suid Group files
> > found :
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /sbin/netreport
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xbill
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xhextris
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xkobo
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xman
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/cdrecord
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnibbles
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnobots2
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnome-stones
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnomine
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnotravex
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gtali
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gturing
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/iagno
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/kdesud
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lockfile
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lpq
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lpr
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lprm
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/mahjongg
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/man
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/minicom
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/procmail
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/same-gnome
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/slocate
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/wall
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/write
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/xmonisdn
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/games/xsoldier
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/lib/emacs/20.5/i386-mandrake-linux/movemail
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/lib/netscape/movemail
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/lib/xemacs-21.1.8/i386-mandrake-linux/movemail
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/gnome-pty-helper
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/lpc
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/sendmail
> > Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/utempter
> > Jul 26 00:09:17 omhan1 :
> > Jul 26 00:09:17 omhan1 : Security Warning: There is modifications for port listening on your machine :
> >
> > and I also checked the permissions on /var/log/messages and they too were
> > changed from -r------- to -rw-r--r- so this guy (I'm assuming it's the
> > same guy) apparently got in (through the news server?) suid'ed a bunch of
> > files and changed permissions on at least one file that I know of and
> > I'm sure there's more I haven't found yet. I have tripwire installed but
> > being a relative newbie I'm unsure how to restore with it besides the
> > fact that he/she may have a backdoor on my box now. I worked hard getting
> > my box the way I liked it but would I be better off starting over
> > with a clean install or should I try restoring it with tripwire and if
> > so where would I start?
> >
> >             Thank you, Gary Martin
> >
> >
> >             mesc wrote:
> >
> > > I was looking through /var/log/secure when I saw Jul 23 10:55:38
> > > omhan1 in.telnetd[1049]: connect from 207.114.4.46 and Jul 27 14:29:03
> > > omhan1 in.ftpd[1917]: connect from 203.233.199.252 (yes from last
> > > month, I need to watch my logs better). Now I just have telnet and ftp
> > > enabled on my box so I can telnet out or ftp for files, I'm trying to
> > > figure out SSH so I can do away with these but what I need to know is
> > > are these 2 connections just attempts to connect to my box or did
> > > someone in fact connect and login to my box. If so how can I keep these
> > > ppl out assuming they are coming back?
> > >
> > >         Thank you, Gary Martin
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> > > For additional commands, e-mail: olug-help at bstc.net
> >
> >
> >
> >
>


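As an added example (not code from the thread, and not logcheck, msec or tripwire), here is the check behind the "Added suid root files" warning Gary quotes: inventory the setuid/setgid files under a tree, compare them against a saved baseline, and parse the warning lines themselves. The sample log lines, the scratch directory and the file names are constructed for the example.

```python
import os, re, stat, tempfile

# Constructed sample lines in the format of the warning quoted in the thread (not the original log).
SAMPLE_LOG = """\
Jul 26 00:09:16 omhan1 : Security Warning: Change in Suid Root files found :
Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/mount
Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/wall
"""
ADDED_RE = re.compile(r"- Added suid (root|group) files : (\S+)$")

def parse_added_suid(log_text):
    """Collect the paths the warning reports as newly setuid ('root') or setgid ('group')."""
    found = {"root": [], "group": []}
    for line in log_text.splitlines():
        m = ADDED_RE.search(line)
        if m:
            found[m.group(1)].append(m.group(2))
    return found

def suid_snapshot(root):
    """path -> (permission bits, uid, gid) for every setuid/setgid regular file under root."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while inventorying
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                snap[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return snap

def compare_snapshots(baseline, current):
    """Return (added, removed, changed) paths relative to a trusted baseline snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Scratch tree: baseline one setuid file, then set the bit on a second file and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "a"), os.path.join(tmp, "b")
        open(a, "w").close(); os.chmod(a, 0o4755)  # setuid: part of the trusted baseline
        baseline = suid_snapshot(tmp)
        first_run = compare_snapshots({}, baseline)[0]  # empty baseline: every setuid file is "added"
        open(b, "w").close(); os.chmod(b, 0o4755)  # setuid bit set after the baseline was taken
        added = compare_snapshots(baseline, suid_snapshot(tmp))[0]
        return [os.path.basename(p) for p in first_run], [os.path.basename(p) for p in added]
```

A comparison against an empty baseline reports every setuid file as added, which is what the first list returned by `demo()` shows; the report only points at real changes once a baseline taken from a trusted state exists.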


