I am hoping someone here can help shed some light on some strange system events that I saw between snort and logcheck on my firewall/router.
After seeing the following log, I opened my logcheck.sh file and saw the garbage in the file that shows up in my log. I closed it and went to my other box to try to do some research, and when I went back and opened the file again it was fine. I hadn't even saved it, much less fixed it. I've checked all of the files involved against known good copies and all are currently fine. I rebooted and nmapped the router's IP and it showed 25 smtp and 1417 timbuktu (a Mac remote control program?) open. I closed 25 and nmapped again and 1417 was closed without my doing anything. I just wondered if anyone had any thoughts on whether this looks like file/disk corruption could have caused all of this, or if it looks like an exploit of some sort. Thanks very much to anyone for any input or references to further investigate.

Steve

log snip********************

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jun 1 06:25:03 router su[31003]: + ??? root-nobody
Jun 1 06:25:03 router PAM_unix[31003]: (su) session opened for user nobody by (uid=0)

From [EMAIL PROTECTED] Sat Jun 02 06:25:12 2001
Envelope-to: [EMAIL PROTECTED]
Received: from root by router with local (Exim 3.12 #1 (Debian))
        id 1569Wg-0008F8-00
        for <[EMAIL PROTECTED]>; Sat, 02 Jun 2001 06:25:12 -0500
From: [EMAIL PROTECTED] (Cron Daemon)
To: [EMAIL PROTECTED]
Subject: Cron <[EMAIL PROTECTED]> test -e /usr/sbin/anacron // run-parts --report /etc/cron.daily
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <[EMAIL PROTECTED]>
Date: Sat, 02 Jun 2001 06:25:12 -0500

/etc/cron.daily/5snort:
Useless use of a constant in void context at /usr/sbin/snort-stat line 135.
run-parts: /etc/cron.daily/find exited with return code 2
/etc/cron.daily/standard:
/usr/sbin/checksecurity: /bin/rm: cannot execute binary file
/etc/cron.daily/sysklogd:
/usr/bin/savelog: line 151: syntax error near unexpected token `&'
/usr/bin/savelog: line 151: `5F(Y,4F?Ä&¾o¾üè8½¾oôV ¢þÿ ¢ÿÿ:¾'
/usr/bin/savelog: line 151: syntax error near unexpected token `&'
/usr/bin/savelog: line 151: `5F(Y,4F?Ä&¾o¾üè8½¾oôV ¢þÿ ¢ÿÿ:¾'
/usr/bin/savelog: line 151: syntax error near unexpected token `&'
/usr/bin/savelog: line 151: `5F(Y,4F?Ä&¾o¾üè8½¾oôV ¢þÿ ¢ÿÿ:¾'

From [EMAIL PROTECTED] Sat Jun 02 07:02:01 2001
Envelope-to: [EMAIL PROTECTED]
Received: from root by router with local (Exim 3.12 #1 (Debian))
        id 156A6T-0008Hj-00
        for <[EMAIL PROTECTED]>; Sat, 02 Jun 2001 07:02:01 -0500
From: [EMAIL PROTECTED] (Cron Daemon)
To: [EMAIL PROTECTED]
Subject: Cron <[EMAIL PROTECTED]> test -x /usr/sbin/logcheck.sh && nice -n10 /usr/sbin/logcheck.sh
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <[EMAIL PROTECTED]>
Date: Sat, 02 Jun 2001 07:02:01 -0500

/usr/sbin/logcheck.sh: p??´C¯I?{{??swz??b4fÃ: command not found
/usr/sbin/logcheck.sh: n,±¥g?vz: command not found
/usr/sbin/logcheck.sh: ?b4fÃ: command not found
/usr/sbin/logcheck.sh: }??rt: command not found
/usr/sbin/logcheck.sh: o?£´¥?{z?~wu??b4?Ã: command not found
/usr/sbin/logcheck.sh: n? ¥S°W?x?x£?h{??b4?Ã: command not found
/usr/sbin/logcheck.sh: o-Y´T©N?ufz??oxS?b4?Ã: command not found
/usr/sbin/logcheck.sh: n ª´W¯N??}-*ov: command not found
/usr/sbin/logcheck.sh: ~?b4?Ã: command not found
/usr/sbin/logcheck.sh: n?£¥TµS^}e{??xw}?b4fÃ: command not found
/usr/sbin/logcheck.sh: o?¡´O¿F?z?¢Sj?w^?b4fÃ: command not found
/usr/sbin/logcheck.sh: n: command not found
/usr/sbin/logcheck.sh: ©¥b?hf?z*?pyw??b4^Ã: command not found
/usr/sbin/logcheck.sh: m*¨-G¹S: command not found
/usr/sbin/logcheck.sh: *v-?tu~?b4?Ã: command not found
/usr/sbin/logcheck.sh: m?§-V«[??X??~wr~?b4?Ã: command not found
/usr/sbin/logcheck.sh: os¡ÃJÅ:*lyY?hzy?: command not found
/usr/sbin/logcheck.sh: ?b4?Ã: command not found
/usr/sbin/logcheck.sh: n? ´Q¯Q-t???nx{??b4?Ã: command not found
/usr/sbin/logcheck.sh: m?¨´V®Z??,~?ox}? ?b4?Ã: command not found
/usr/sbin/logcheck.sh: m?¦´T¶N?y??vu{f ?b4?Ã: command not found
/usr/sbin/logcheck.sh: m: command not found
/usr/sbin/logcheck.sh: ®¥V¥^f^r,¡Sl{? ?b4?Ã: command not found
/usr/sbin/logcheck.sh: ny«Ã[«U*h?}~??p? ?b4^Ã: command not found
/usr/sbin/logcheck.sh: k?¯xL cvSk~s?px? Yb4?Ã: command not found
/usr/sbin/logcheck.sh: m*§ÃTÀD?,rz-?mx??b4?Ã: command not found
/usr/sbin/logcheck.sh: n?¥ÒPÂO?ww~??oz??b*?Ã: command not found
/usr/sbin/logcheck.sh: k?¨?J?q???~?kxy? ?b*^Ã: command not found
/usr/sbin/logcheck.sh: kª?M£d?k??qu}? ?b*?Ã: command not found
/usr/sbin/logcheck.sh: m?¡Ò_ÂF?p^}?-ru??b*^Ã: command not found
/usr/sbin/logcheck.sh: l^§¥OÀO??u¥?h{y-?b*^Ã: command not found
/usr/sbin/logcheck.sh: l?¦¥V£b???~?mzys?b*^Ã: command not found
/usr/sbin/logcheck.sh: l?¢ÃVÀD¡tY?ny???b*^Ã: command not found
/usr/sbin/logcheck.sh: k?¬-O³M?{mz~?vx??b*?Ã: command not found
/usr/sbin/logcheck.sh: ¡l?b/?Ã: No such file or directory
/usr/sbin/logcheck.sh: m^¬´J»P^?k?£yo: command not found
/usr/sbin/logcheck.sh: m?¬´R«]fSf: command not found
/usr/sbin/logcheck.sh: ???o¤o?b/?Ã: No such file or directory
/usr/sbin/logcheck.sh: k?®´Y£h??j? }n}?o?b/?Ã: No such file or directory
/usr/sbin/logcheck.sh: m-¯ÒQÆC*{p???p{~i?b/?Ã: No such file or directory
/usr/sbin/logcheck.sh: line 134: syntax error near unexpected token `/'
/usr/sbin/logcheck.sh: line 134: ` m?¥´H»P?/}/¦?h/¦j?b/?Ã'

*********the above repeats every hour until I discovered it**************************

From [EMAIL PROTECTED] Sat Jun 02 21:02:05 2001
Envelope-to: [EMAIL PROTECTED]
Received: from root by router with local (Exim 3.12 #1 (Debian))
        id 156NDQ-0008UI-00
        for <[EMAIL PROTECTED]>; Sat, 02 Jun 2001 21:02:04 -0500
To: [EMAIL PROTECTED]
Subject: router 06/02/01:21.02 system check
Message-Id: <[EMAIL PROTECTED]>
From: root <[EMAIL PROTECTED]>
Date: Sat, 02 Jun 2001 21:02:04 -0500

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jun 2 19:59:32 router /usr/sbin/gpm[290]: Skipping a data packet (?)
Jun 2 19:59:32 router /usr/sbin/gpm[290]: Skipping a data packet (?)

From [EMAIL PROTECTED] Sun Jun 03 07:02:03 2001
Envelope-to: [EMAIL PROTECTED]
Received: from root by router with local (Exim 3.12 #1 (Debian))
        id 156Wa3-0001s5-00
        for <[EMAIL PROTECTED]>; Sun, 03 Jun 2001 07:02:03 -0500
To: [EMAIL PROTECTED]
Subject: router 06/03/01:07.02 system check
Message-Id: <[EMAIL PROTECTED]>
From: root <[EMAIL PROTECTED]>
Date: Sun, 03 Jun 2001 07:02:03 -0500

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
***************
*** WARNING ***: Log file /var/log/messages is smaller than last time checked!
***************
This could indicate tampering.
=-=-=-=-=-=-=-=-=-=-=
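The checks a responder would script for exactly these symptoms (text scripts that suddenly carry binary garbage, a binary that will not execute, a log that shrinks between logcheck runs) are shown below as an added example; it is not code from the original post or from logcheck, and every file, hash and size it uses is constructed inline.

```python
"""Triage helpers for the symptoms above: text scripts that suddenly carry
binary garbage, a binary that will not execute, and a log that shrinks.
Added example, not from the original post; all inputs are constructed."""
import hashlib
import string

PRINTABLE = set(string.printable.encode())   # ASCII text incl. whitespace


def garbage_runs(data: bytes, min_run: int = 4):
    """Return (offset, length) of each run of >= min_run non-printable
    bytes. A '#!' script should yield none; the mangled savelog and
    logcheck.sh in the post would yield several."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b not in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_run:
        runs.append((start, len(data) - start))
    return runs


def looks_corrupted_script(data: bytes) -> bool:
    """A shebang script is expected to be pure text from top to bottom."""
    return data.startswith(b"#!") and bool(garbage_runs(data))


def verify_manifest(files: dict, manifest: dict):
    """Names whose sha256 differs from a known-good manifest or that are
    missing. Here both sides are dicts of constructed bytes; on a host
    read the files from disk and the manifest from off-box storage."""
    return [name for name, good in manifest.items()
            if name not in files
            or hashlib.sha256(files[name]).hexdigest() != good]


def log_shrank(prev_size: int, cur_size: int) -> bool:
    """logcheck's tamper heuristic: the log got smaller since last run."""
    return cur_size < prev_size


# Constructed sample: a clean rotate script, the same bytes with a six-byte
# garbage block overwriting part of a comment, and a manifest of the clean copy.
CLEAN = b"#!/bin/sh\n# rotate logs\nmv /var/log/messages /var/log/messages.0\n"
CORRUPT = CLEAN[:12] + bytes([0xB4, 0xC3, 0xAF, 0xB0, 0x9F, 0xE8]) + CLEAN[18:]
MANIFEST = {"/usr/sbin/logcheck.sh": hashlib.sha256(CLEAN).hexdigest()}
```

A hash mismatch together with garbage runs inside a shebang script points at the file's bytes having changed on disk, which a manifest kept off the router distinguishes from a one-off bad read.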