Hi,
I think you are NOT hacked, because on one of my LM boxes, which is NOT
connected to the internet directly, I get the same mail listing every night.
But I've NOT found any useful explanation yet.
My msec-level is 3 on this box.
bye
Hans Schneidhofer
On Tue, 25 Apr 2000, you wrote:
> I don't have /sbin/dump, /sbin/restore and /usr/bin/sperl5.6.0 installed. Other
> than that, all files in the following list are suid.
>
> > Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 ***
> > Security Warning: Change in Suid Root files found :
> > - Added suid root files : /bin/mount
> > - Added suid root files : /bin/ping
> > - Added suid root files : /bin/su
> > - Added suid root files : /bin/umount
> > - Added suid root files : /sbin/dump
> > - Added suid root files : /sbin/pwdb_chkpwd
> > - Added suid root files : /sbin/restore
> > - Added suid root files : /usr/X11R6/bin/Xwrapper
> > - Added suid root files : /usr/bin/at
> > - Added suid root files : /usr/bin/chage
> > - Added suid root files : /usr/bin/chfn
> > - Added suid root files : /usr/bin/chsh
> > - Added suid root files : /usr/bin/crontab
> > - Added suid root files : /usr/bin/dos
> > - Added suid root files : /usr/bin/gpasswd
> > - Added suid root files : /usr/bin/lpq
> > - Added suid root files : /usr/bin/lpr
> > - Added suid root files : /usr/bin/lprm
> > - Added suid root files : /usr/bin/newgrp
> > - Added suid root files : /usr/bin/passwd
> > - Added suid root files : /usr/bin/procmail
> > - Added suid root files : /usr/bin/rcp
> > - Added suid root files : /usr/bin/rlogin
> > - Added suid root files : /usr/bin/rsh
> > - Added suid root files : /usr/bin/sperl5.6.0
> > - Added suid root files : /usr/bin/suidperl
> > - Added suid root files : /usr/bin/urpmi
> > - Added suid root files : /usr/lib/telnetd/login
> > - Added suid root files : /usr/libexec/pt_chown
> > - Added suid root files : /usr/sbin/sendmail
> > - Added suid root files : /usr/sbin/traceroute
> > - Added suid root files : /usr/sbin/userhelper
> > - Added suid root files : /usr/sbin/usernetctl
> >
>
> Yup, group suid also.
>
> > Security Warning: Changes in Suid Group files found :
> > - Added suid group files : /usr/sbin/sendmail
> >
>
> Nothing to worry about; world writable files in /tmp/ are pretty common. They're
> temp files anyway, so probably by the time you read the security check mail, the
> file doesn't exist anymore.
>
> > Security Warning: Change in World Writeable Files found :
> > - Removed writables files : /tmp/fileUcAjVM
> >
>
> Ok, I don't know why the hell this file would change checksum. Perhaps you
> reinstalled or perhaps the old checksum got corrupted.
>
> > Security Warning: the md5 checksum for one of your SUID files has changed,
> > maybe an intruder modified one of these suid binary in order to put in a
> > backdoor...
> > - Checksum changed files : /usr/bin/suidperl
> >
>
> I don't know which ports do what, but I always get this kind of crap also, so I
> don't really believe it's much to worry about. I just deleted my own security
> check mails, so I can't compare. And I don't really feel like running it right
> now since it takes ages on this nearly full harddrive of mine... If it really
> bothers you, I'll run the security check and send you the results.
>
> > Security Warning: There is modifications for port listening on your machine :
> > - Opened ports : tcp 0 0 *:6000 *:* LISTEN 658/X
> > - Opened ports : tcp 0 0 *:1024 *:* LISTEN 651/kdm
> > - Opened ports : tcp 0 0 *:10000 *:* LISTEN 586/perl
> > - Opened ports : tcp 0 0 *:www *:* LISTEN 520/httpd
> > - Opened ports : udp 0 0 *:xdmcp *:* 651/kdm
> > - Opened ports : udp 0 0 *:10000 *:* 586/perl
> > - Closed ports : tcp 0 0 *:www *:* LISTEN 3244/httpd
> > - Closed ports : tcp 0 0 *:10000 *:* LISTEN 1996/perl
> > - Closed ports : tcp 0 0 *:6000 *:* LISTEN 660/X
> > - Closed ports : tcp 0 0 *:1024 *:* LISTEN 653/kdm
> > - Closed ports : udp 0 0 *:10000 *:* 1996/perl
> > - Closed ports : udp 0 0 *:xdmcp *:* 653/kdm
>
> Ok, this is strange... Perl listening on a port, or how do I interpret this? Add
> this to the fact that suidperl has changed md5 checksum, and here's a
> possibility of something that isn't quite the way it should be...
> >
> > ...I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How
> > do I prevent it from happening again?
>
> Well, I don't think you've been hacked, but I can't completely rule out the
> possibility. The perl-thing bugs me...
>
> Perhaps you _were_ hacked, the hacker changed the file /usr/bin/suidperl to
> something that listens on a port, or spawns a daemon to listen on a port, and in
> order to erase his traces deleted the security check file. This would explain
> why all these bogus errors appear in your mail. Perhaps he didn't realise that
> you'd get all those bogus error messages, alerting you something went wrong, or
> perhaps he counted on it that you'd believe it was nothing after all, since
> these files _should be_ suid, and that you'd overlook the /usr/bin/suidperl
> later on in the security report.
>
> I'm not sure what it is. If you want to play it on the safe side, reinstall. It
> might be nothing, but it's up to you to decide if you're willing to take that
> risk or not.
>
>
> --
>
> Rial Juan <http://nighty.ulyssis.org>
> e-mail: [EMAIL PROTECTED]
> Belgium tel: (++32) 89/856533
> ulyssis system administrator <http://www.ulyssis.org>
>
> The little critters in nature; they don't know they're ugly.
> That's very funny... A fly marrying a bumble-bee...
>
> ------------------------------------------------------------
>
> Sign the petition at http://www.libranet.com/petition.html
> Help bring us more Linux Drivers
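Editor's note on the report quoted in this thread, with an added example that is not msec's own code and not part of the original mails. Two things in the report are worth separating from the one line that deserves attention. First, the whole list of standard setuid binaries shows up as "Added suid root files": that is what a diff against an empty or missing baseline looks like, which is exactly the scenario Rial raises (the security check file having been deleted). Second, the same four services (X, kdm, the perl listener on 10000, httpd) appear once under "Closed ports" and once under "Opened ports" with different PIDs, which is what a reboot produces when the comparison includes the PID in the program column. Neither of those, on its own, says anything about a compromise. The one line that does need an answer is the changed checksum on /usr/bin/suidperl. The script below re-creates both checks so that the difference is visible: it inventories setuid files with a digest (SHA-256 here, where msec used md5), diffs two inventories, and diffs two netstat-style listings once by raw line (PID included, as the report does) and once keyed on protocol, socket and program name. All paths, digests and netstat lines are constructed for the example; the port-12345 perl listener is invented to show what a genuinely new socket looks like next to the reboot noise.

```python
"""Re-creation of two msec checks from the report quoted above: the setuid
checksum diff and the listening-port diff.  Added example, not msec's own
code; every path, digest and netstat line below is constructed."""
import hashlib
import os
import re
import stat
import tempfile

def suid_inventory(root, root_only=True):
    """Map path -> SHA-256 for every setuid regular file below root.
    root_only=True keeps uid-0 owners only (msec's "suid root" list);
    demo_suid() passes False because it runs as an ordinary user."""
    inv = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if root_only and st.st_uid != 0:
                continue
            with open(path, "rb") as f:
                inv[path] = hashlib.sha256(f.read()).hexdigest()
    return inv

def diff_inventory(old, new):
    """Added, removed and checksum-changed paths.  An empty (lost) baseline
    makes every setuid file 'added', which is what the quoted report lists."""
    common = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in common if old[p] != new[p])}

# netstat -lp style line: proto recv-q send-q local remote [LISTEN] pid/program
PORT_LINE = re.compile(r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
                       r"(?:\s+LISTEN)?\s+(?P<pid>\d+|-)/(?P<prog>\S+)$")

def parse_listeners(text):
    """Set of (proto, local socket, program); the PID is dropped so a reboot
    does not report every listener once as closed and once as opened."""
    found = set()
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found.add((m["proto"], m["local"], m["prog"]))
    return found

def diff_listeners(old_text, new_text):
    old, new = parse_listeners(old_text), parse_listeners(new_text)
    return {"opened": sorted(new - old), "closed": sorted(old - new)}

def diff_listeners_by_line(old_text, new_text):
    """Raw line comparison, PID included: the behaviour the report shows."""
    old = {l.strip() for l in old_text.splitlines() if l.strip()}
    new = {l.strip() for l in new_text.splitlines() if l.strip()}
    return {"opened": len(new - old), "closed": len(old - new)}

# Constructed from the report: the same four services before and after a
# reboot (new PIDs), plus one invented new perl listener on 12345 afterwards.
BEFORE = """\
tcp 0 0 *:www *:* LISTEN 3244/httpd
tcp 0 0 *:10000 *:* LISTEN 1996/perl
tcp 0 0 *:6000 *:* LISTEN 660/X
tcp 0 0 *:1024 *:* LISTEN 653/kdm
udp 0 0 *:10000 *:* 1996/perl
udp 0 0 *:xdmcp *:* 653/kdm
"""
AFTER = """\
tcp 0 0 *:6000 *:* LISTEN 658/X
tcp 0 0 *:1024 *:* LISTEN 651/kdm
tcp 0 0 *:10000 *:* LISTEN 586/perl
tcp 0 0 *:www *:* LISTEN 520/httpd
tcp 0 0 *:12345 *:* LISTEN 700/perl
udp 0 0 *:xdmcp *:* 651/kdm
udp 0 0 *:10000 *:* 586/perl
"""

def demo_suid():
    """Throwaway tree: baseline, then alter one setuid file, remove another
    and add a third; returns the diff keyed by basename."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        for name in ("su", "ping", "suidperl"):
            p = os.path.join(bin_dir, name)
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(p, 0o4755)  # setuid bit on
        base = suid_inventory(root, root_only=False)
        with open(os.path.join(bin_dir, "suidperl"), "ab") as f:
            f.write(b"# modified\n")  # checksum changes
        os.remove(os.path.join(bin_dir, "ping"))
        at = os.path.join(bin_dir, "at")
        open(at, "wb").close()
        os.chmod(at, 0o4755)
        now = suid_inventory(root, root_only=False)
        d = diff_inventory(base, now)
        return {k: [os.path.basename(x) for x in v] for k, v in d.items()}
```

Run against the constructed listings, diff_listeners_by_line() reports 7 opened and 6 closed sockets, the same wall of noise as the mail, while diff_listeners() reports a single opened socket, the invented tcp 12345/perl. The same separation applies to the setuid list: keep the baseline file somewhere the box cannot silently lose it (on read-only media or on another host), because a missing baseline and a full reinstall look identical in the report. For the one finding that matters here, the checksum change on /usr/bin/suidperl, the practical next steps on an RPM-based system are `rpm -Vf /usr/bin/suidperl`, which verifies size, mode, owner and digest of the installed file against the package database (and, if the database itself is suspect, `rpm -Vp` against a pristine copy of the package), and `ls -l /proc/586/exe` together with `cat /proc/586/cmdline` to see which perl script actually holds port 10000, instead of guessing from the program name alone.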