The easiest & fastest way to fix it is to re-install the O/S (not an
upgrade, an install).  This might not be a big deal if you have /home
and /usr/local on separate partitions and you've not customized
elsewhere much and/or if you keep frequent backups, or it might be a big
deal.

Nothing short of re-installing and restoring from backup is really safe,
though.

For preventing this in the future, what sort of internet hookup do you
have?  What sort of firewall setup?  What sort of security level are you
running?  What version of Mandrake?


Andrew Vogel wrote:
> 
> I woke up this morning to find this email in my system:
> 
> Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 ***
> Security Warning: Change in Suid Root files found :
>                 - Added suid root files : /bin/mount
>                 - Added suid root files : /bin/ping
>                 - Added suid root files : /bin/su
>                 - Added suid root files : /bin/umount
>                 - Added suid root files : /sbin/dump
>                 - Added suid root files : /sbin/pwdb_chkpwd
>                 - Added suid root files : /sbin/restore
>                 - Added suid root files : /usr/X11R6/bin/Xwrapper
>                 - Added suid root files : /usr/bin/at
>                 - Added suid root files : /usr/bin/chage
>                 - Added suid root files : /usr/bin/chfn
>                 - Added suid root files : /usr/bin/chsh
>                 - Added suid root files : /usr/bin/crontab
>                 - Added suid root files : /usr/bin/dos
>                 - Added suid root files : /usr/bin/gpasswd
>                 - Added suid root files : /usr/bin/lpq
>                 - Added suid root files : /usr/bin/lpr
>                 - Added suid root files : /usr/bin/lprm
>                 - Added suid root files : /usr/bin/newgrp
>                 - Added suid root files : /usr/bin/passwd
>                 - Added suid root files : /usr/bin/procmail
>                 - Added suid root files : /usr/bin/rcp
>                 - Added suid root files : /usr/bin/rlogin
>                 - Added suid root files : /usr/bin/rsh
>                 - Added suid root files : /usr/bin/sperl5.6.0
>                 - Added suid root files : /usr/bin/suidperl
>                 - Added suid root files : /usr/bin/urpmi
>                 - Added suid root files : /usr/lib/telnetd/login
>                 - Added suid root files : /usr/libexec/pt_chown
>                 - Added suid root files : /usr/sbin/sendmail
>                 - Added suid root files : /usr/sbin/traceroute
>                 - Added suid root files : /usr/sbin/userhelper
>                 - Added suid root files : /usr/sbin/usernetctl
> 
> Security Warning: Changes in Suid Group files found :
>                 - Added suid group files : /usr/sbin/sendmail
> 
> Security Warning: Change in World Writeable Files found :
>                 - Removed writables files : /tmp/fileUcAjVM
> 
> Security Warning: the md5 checksum for one of your SUID files has changed,
>         maybe an intruder modified one of these suid binary in order to put in a
> backdoor...
>                 - Checksum changed files : /usr/bin/suidperl
> 
> Security Warning: There is modifications for port listening on your machine :
>                 -  Opened ports : tcp        0      0 *:6000                  *:*                     LISTEN      658/X
>                 -  Opened ports : tcp        0      0 *:1024                  *:*                     LISTEN      651/kdm
>                 -  Opened ports : tcp        0      0 *:10000                 *:*                     LISTEN      586/perl
>                 -  Opened ports : tcp        0      0 *:www                   *:*                     LISTEN      520/httpd
>                 -  Opened ports : udp        0      0 *:xdmcp                 *:*                                 651/kdm
>                 -  Opened ports : udp        0      0 *:10000                 *:*                                 586/perl
>                 - Closed ports  : tcp        0      0 *:www                   *:*                     LISTEN      3244/httpd
>                 - Closed ports  : tcp        0      0 *:10000                 *:*                     LISTEN      1996/perl
>                 - Closed ports  : tcp        0      0 *:6000                  *:*                     LISTEN      660/X
>                 - Closed ports  : tcp        0      0 *:1024                  *:*                     LISTEN      653/kdm
>                 - Closed ports  : udp        0      0 *:10000                 *:*                                 1996/perl
>                 - Closed ports  : udp        0      0 *:xdmcp                 *:*                                 653/kdm
> 
> ...I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How
> to I prevent it from happening again?
> 
> ===========================================================================
> Andrew Vogel: Program Manager at the University of Cincinnati College of
> Pharmacy. Actor, director, dog (JRT) lover, Miata owner, & much, much more!
> My homepage: "http://www.drewvogel.com".         Play I-War, FF7PC, & BC3K!
> Offical BC3K Tester.  Linux!                 "The only way OUT is THROUGH."
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> dug: you da man! you da man!                "Drew Vogel is its own reward."
> ric: isn't "the man" the guy who's always bringing everyone down?
> dug: nope! 'cause YOU da man!!                  Email: [EMAIL PROTECTED]
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-- 
"Brian, the man from babble-on"              [EMAIL PROTECTED]
Brian T. Schellenberger                      http://www.babbleon.org
Support http://www.eff.org.                  Support decss defendents.
Support http://www.programming-freedom.org.  Boycott amazon.com.
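For anyone who wants to see what the report quoted above is actually comparing, here is an added example (not the poster's code and not Mandrake's msec) that re-creates the two checks in Python: a baseline of setuid files with content hashes, diffed into the report's categories (added, removed, checksum changed), and a listening-socket diff that keys on protocol and local address rather than on the pid/program column, so a daemon that merely restarted with a new PID is told apart from a genuinely new listener. The netstat-style rows are copied from the quoted report; the directory scanned in the test is constructed for the example. As with the tool, an empty baseline makes every setuid file show up as "added", and a changed hash only says the file differs from the baseline, not how or by whom.

```python
"""Added example (not Mandrake's msec): re-create the setuid-file check and
the listening-port check behind the quoted report.  netstat-style sample
rows are copied from the report; scanned directories are constructed."""
import hashlib
import os
import stat


def _digest(path, algo="sha256"):
    # The quoted report used md5; sha256 is used here.  Either only proves
    # the file on disk differs from the baseline, nothing about how.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_suid(roots, owner_uid=0):
    """Return {path: digest} for regular files carrying the setuid bit and
    owned by owner_uid.  owner_uid=0 is 'suid root' as in the report; the
    test passes the current uid so the scan works unprivileged."""
    snap = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                    try:
                        snap[path] = _digest(path)
                    except OSError:
                        continue
    return snap


def diff_suid(baseline, current):
    """Same categories as the report.  With an empty baseline (first run
    after an install) every setuid file lands in 'added'."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def parse_listeners(lines):
    """Parse `netstat -lnp`-style rows into {(proto, local_addr): 'pid/prog'}.
    tcp rows carry a LISTEN state column that udp rows lack."""
    listeners = {}
    for line in lines:
        f = line.split()
        if not f or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        ncols = 7 if f[0].startswith("tcp") else 6
        if len(f) < ncols:
            continue
        listeners[(f[0], f[3])] = f[ncols - 1]
    return listeners


def diff_listeners(old, new):
    """Key on (proto, address); a changed pid/program alone is a restart."""
    both = old.keys() & new.keys()
    return {
        "opened": sorted(k for k in new if k not in old),
        "closed": sorted(k for k in old if k not in new),
        "restarted": sorted((k, old[k], new[k]) for k in both if old[k] != new[k]),
    }


# The report's six "Closed" rows are the previous snapshot, its six "Opened"
# rows the current one (whitespace collapsed; values copied from the report).
PREVIOUS = [
    "tcp 0 0 *:www   *:* LISTEN 3244/httpd",
    "tcp 0 0 *:10000 *:* LISTEN 1996/perl",
    "tcp 0 0 *:6000  *:* LISTEN 660/X",
    "tcp 0 0 *:1024  *:* LISTEN 653/kdm",
    "udp 0 0 *:10000 *:* 1996/perl",
    "udp 0 0 *:xdmcp *:* 653/kdm",
]
CURRENT = [
    "tcp 0 0 *:6000  *:* LISTEN 658/X",
    "tcp 0 0 *:1024  *:* LISTEN 651/kdm",
    "tcp 0 0 *:10000 *:* LISTEN 586/perl",
    "tcp 0 0 *:www   *:* LISTEN 520/httpd",
    "udp 0 0 *:xdmcp *:* 651/kdm",
    "udp 0 0 *:10000 *:* 586/perl",
]


def compare_report_ports():
    return diff_listeners(parse_listeners(PREVIOUS), parse_listeners(CURRENT))


if __name__ == "__main__":
    for kind, rows in compare_report_ports().items():
        print(kind, rows)
```

To get the report's "suid root" view, run snapshot_suid(["/bin", "/sbin", "/usr"]) as root and keep the resulting baseline off the host: someone who can replace a setuid binary can just as easily rewrite a baseline stored on the same disk, which is one reason the reply above trusts only a reinstall plus restore from backup.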
