I've found similar emails in my system. It's impossible that someone hacked
into my system, because I connect to the internet via dialup, I don't stay
connected long enough for someone to hack in, and my internet logins
are at random times during the day. I guess these messages are just routine
and are caused by MDK7's new security levels. I think there's no reason to
panic.
Andrew Vogel wrote:
> I woke up this morning to find this email in my system:
>
> Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 ***
> Security Warning: Change in Suid Root files found :
> - Added suid root files : /bin/mount
> - Added suid root files : /bin/ping
> - Added suid root files : /bin/su
> - Added suid root files : /bin/umount
> - Added suid root files : /sbin/dump
> - Added suid root files : /sbin/pwdb_chkpwd
> - Added suid root files : /sbin/restore
> - Added suid root files : /usr/X11R6/bin/Xwrapper
> - Added suid root files : /usr/bin/at
> - Added suid root files : /usr/bin/chage
> - Added suid root files : /usr/bin/chfn
> - Added suid root files : /usr/bin/chsh
> - Added suid root files : /usr/bin/crontab
> - Added suid root files : /usr/bin/dos
> - Added suid root files : /usr/bin/gpasswd
> - Added suid root files : /usr/bin/lpq
> - Added suid root files : /usr/bin/lpr
> - Added suid root files : /usr/bin/lprm
> - Added suid root files : /usr/bin/newgrp
> - Added suid root files : /usr/bin/passwd
> - Added suid root files : /usr/bin/procmail
> - Added suid root files : /usr/bin/rcp
> - Added suid root files : /usr/bin/rlogin
> - Added suid root files : /usr/bin/rsh
> - Added suid root files : /usr/bin/sperl5.6.0
> - Added suid root files : /usr/bin/suidperl
> - Added suid root files : /usr/bin/urpmi
> - Added suid root files : /usr/lib/telnetd/login
> - Added suid root files : /usr/libexec/pt_chown
> - Added suid root files : /usr/sbin/sendmail
> - Added suid root files : /usr/sbin/traceroute
> - Added suid root files : /usr/sbin/userhelper
> - Added suid root files : /usr/sbin/usernetctl
>
> Security Warning: Changes in Suid Group files found :
> - Added suid group files : /usr/sbin/sendmail
>
> Security Warning: Change in World Writeable Files found :
> - Removed writables files : /tmp/fileUcAjVM
>
> Security Warning: the md5 checksum for one of your SUID files has changed,
> maybe an intruder modified one of these suid binary in order to put in a
> backdoor...
> - Checksum changed files : /usr/bin/suidperl
>
> Security Warning: There is modifications for port listening on your machine :
> - Opened ports : tcp 0 0 *:6000 *:*
> LISTEN 658/X
> - Opened ports : tcp 0 0 *:1024 *:*
> LISTEN 651/kdm
> - Opened ports : tcp 0 0 *:10000 *:*
> LISTEN 586/perl
> - Opened ports : tcp 0 0 *:www *:*
> LISTEN 520/httpd
> - Opened ports : udp 0 0 *:xdmcp *:*
> 651/kdm
> - Opened ports : udp 0 0 *:10000 *:*
> 586/perl
> - Closed ports : tcp 0 0 *:www *:*
> LISTEN 3244/httpd
> - Closed ports : tcp 0 0 *:10000 *:*
> LISTEN 1996/perl
> - Closed ports : tcp 0 0 *:6000 *:*
> LISTEN 660/X
> - Closed ports : tcp 0 0 *:1024 *:*
> LISTEN 653/kdm
> - Closed ports : udp 0 0 *:10000 *:*
> 1996/perl
> - Closed ports : udp 0 0 *:xdmcp *:*
> 653/kdm
>
> ...I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How
> do I prevent it from happening again?
>
> ===========================================================================
> Andrew Vogel: Program Manager at the University of Cincinnati College of
> Pharmacy. Actor, director, dog (JRT) lover, Miata owner, & much, much more!
> My homepage: "http://www.drewvogel.com". Play I-War, FF7PC, & BC3K!
> Official BC3K Tester. Linux! "The only way OUT is THROUGH."
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> dug: you da man! you da man! "Drew Vogel is its own reward."
> ric: isn't "the man" the guy who's always bringing everyone down?
> dug: nope! 'cause YOU da man!! Email: [EMAIL PROTECTED]
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--
****************************************************
*Guillermo Belli - Linux User #121340*
* ICQ #38321312 *
*http://sites.netscape.net/memo81 (under construction)*
****************************************************
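
A triage helper for a report in the format quoted above, added here as an example; it is not part of the original thread or of the tool that generated the report. It pairs Opened and Closed port entries that differ only by PID (the same service restarted), and lists the listeners and checksum changes that still need checking. The function names are hypothetical, and the last sample entry (port 2222) is constructed for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the quoted report (wrapped lines kept); the final port-2222 entry is constructed.
REPORT = """\
- Checksum changed files : /usr/bin/suidperl
- Opened ports : tcp 0 0 *:6000 *:*
LISTEN 658/X
- Opened ports : udp 0 0 *:10000 *:*
586/perl
- Closed ports : tcp 0 0 *:6000 *:*
LISTEN 660/X
- Closed ports : udp 0 0 *:10000 *:*
1996/perl
- Opened ports : tcp 0 0 *:2222 *:*
LISTEN 700/nc
"""
ENTRY = re.compile(r"^- (?P<kind>[A-Za-z ]+?) : (?P<value>.+)$")

def parse(report):
    """Join wrapped continuation lines and return {entry kind: [value, ...]}."""
    entries, last = defaultdict(list), None
    for line in report.splitlines():
        line = line.strip()
        if not line or line.startswith("Security Warning"):
            last = None          # section break: nothing to continue
            continue
        m = ENTRY.match(line)
        if m:
            last = m["kind"]
            entries[last].append(m["value"])
        elif last:               # wrapped tail such as "LISTEN 658/X"
            entries[last][-1] += " " + line
    return entries

def listener(value):
    """Reduce a netstat-style line to (proto, local address, program), dropping the PID."""
    fields = value.split()
    return fields[0], fields[3], fields[-1].split("/", 1)[1]

def triage(report):
    e = parse(report)
    opened = {listener(v) for v in e["Opened ports"]}
    closed = {listener(v) for v in e["Closed ports"]}
    return {
        "restarted": sorted(opened & closed),        # same listener, new PID
        "new_listeners": sorted(opened - closed),    # check what started these
        "gone_listeners": sorted(closed - opened),
        "verify_checksum": sorted(e["Checksum changed files"]),  # compare with package records
    }
```

Run `triage()` on the full report body with the `> ` quote prefixes stripped.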