As I noted earlier they are supposed to be suid root.  This verifies at
least in my mind that you are clean.  Monitor your logs ...  Check
login's size against another box, if you'd like.  But again ... since
the OS/Hardware on a computer is a system, the loss of one component can
and does have a cascading effect on other components, causing weird and
quite often scary errors to appear.  I had a sound card that was bad on
a FreeBSD box a few years ago.  When you were in X it actually would
cause random windows to open, duplicating the programs running.  Removal
of the sound card fixed the problem.  If you put the sound card in
another box it would start doing equally weird stuff.  After I removed
the sound card one of the roommates spent 3 weeks "troubleshooting" the
box and its OS. (I told him it was a waste.)  He just couldn't get the
concept of a system and its symbiotic nature into his head.

James


On Fri, 2002-12-27 at 09:08, David Rankin wrote:
> Now things are getting weird!
> 
>     Remember when this all started, I got the Change in Suid Root files found
> messages where it (removed) the Suid files shown in the original message below.
> Today, after cron ran I now get the same files (added). Here is the new output:
> 
> Subject: *** Diff Check, Fri Dec 27 04:00:14 CST 2002 ***
> 
> 
> Security Warning: Change in Suid Root files found :
>                 - Added suid root files : /bin/mount
>                 - Added suid root files : /bin/ping
>                 - Added suid root files : /bin/su
>                 - Added suid root files : /bin/umount
>                 - Added suid root files : /sbin/dump
>                 - Added suid root files : /sbin/linuxconf
>                 - Added suid root files : /sbin/pwdb_chkpwd
>                 - Added suid root files : /sbin/restore
>                 - Added suid root files : /sbin/unix_chkpwd
> 
> Security Warning: Changes in Suid Group files found :
>                 - Added suid group files : /sbin/dump
>                 - Added suid group files : /sbin/netreport
>                 - Added suid group files : /sbin/restore
> 
> Security Warning: Change in World Writeable Files found :
>                 - Added writables files : /tmp
>                 - Added writables files : /tmp/.ICE-unix
>                 - Added writables files : /tmp/.X11-unix
>                 - Added writables files : /tmp/.font-unix
>                 - Added writables files : /tmp/.font-unix/fs-1
>                 - Added writables files : /tmp/.s.PGSQL.5432
> 
> Security Warning: There is modifications for port listening on your machine :
>                 -  Opened ports : udp        0      0 *:ntp
> *:*                                 7387/xntpd
>                 - Closed ports  : udp        0    112 *:ntp
> *:*                                 7387/xntpd
>                 - Closed ports  : udp        0      0 *:631
> *:*                                 633/cupsd
> 
>     I still don't know what to make of this. All words of wisdom are
> welcome.......
> 
> Lorne wrote:
> 
> > I'm sure you have downloaded the chkroot kit by now, but it sure looks to me
> > like your system is compromised! It looks like he has managed to replace some
> > files with modified ones and your system caught the permissions. I'm overly
> > paranoid, but I'd sure rebuild the box. Do NOT take the chance. It isn't
> > worth it. I highly recommend snort. I want to do tripwire but haven't had the
> > time.
> >
> > On Thursday 26 December 2002 12:20 pm, David Rankin wrote:
> > > Guys & Gals,
> > >
> > >     I need help. Something went whacko with eth0 and with my system just
> > > before my nightly cron job ran and I got a lot of weird messages in my
> > > log files. I don't know if this was a successful hack or if it was just
> > > a normal response from the system after eth0 went bonkers. The log
> > > entries are as follows:
> > >
> > > Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
> > > Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status
> > > e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce,
> > > resetting...
> > > Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD (
> > > /usr/share/msec/security.sh)
> > > Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD (   /sbin/rmmod -as)
> > > Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
> > > Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files
> > > found :
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files
> > > found :
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable
> > > Files found :
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files :
> > > /tmp/.font-unix/fs-1
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
> > >
> > > Dec 26 04:00:15 Nemesis :
> > >
> > > I understand that the eth0 PNIC2 error is from my tulip driver, but I
> > > haven't seen this error in the 2 years this box has been running. I have
> > > never seen the kernel smb errors.
> > >
> > > What concerns me is the Change in Suid Root files found. I haven't
> > > changed a thing on this LM 7.2 box for a long time. This is the first
> > > time I have seen this Security Warning and I am concerned I may have
> > > been hacked. Has anyone else seen something like this? Does it look like
> > > a hack? Where can I get a good check root kit package?
> > >
> > > Any help will be greatly appreciated.
> >
> >   ------------------------------------------------------------------------
> > Want to buy your Pack or Services from MandrakeSoft?
> > Go to http://www.mandrakestore.com
> 
> --
> David C. Rankin, J.D., P.E.
> RANKIN * BERTIN, PLLC
> 510 Ochiltree Street
> Nacogdoches, Texas 75961
> (936) 715-9333
> (936) 715-9339 fax
> 

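An added example, not code from anyone in this thread: a small Python checker for the msec "Diff Check" reports quoted above. It recognises the removed-then-added flip of the whole suid-root list as a check that could not see the files (consistent with the smb/eth0 errors) rather than as new suid binaries, flags any suid-root path outside the list the thread treats as normal, and compares hashes against a reference taken from a known-clean box, the hash equivalent of James's "check login's size against another box". The report excerpts, the expected-path list and the reference hashes are constructed from the thread.

```python
import hashlib
import re
from pathlib import Path

# Constructed excerpts of the Dec 26 and Dec 27 msec reports quoted in the thread.
REPORT_DEC26 = """
Security Warning: Change in Suid Root files found :
                - Removed suid root files : /bin/mount
                - Removed suid root files : /bin/su
                - Removed suid root files : /sbin/unix_chkpwd
"""
REPORT_DEC27 = """
Security Warning: Change in Suid Root files found :
                - Added suid root files : /bin/mount
                - Added suid root files : /bin/su
                - Added suid root files : /sbin/unix_chkpwd
"""
# Paths msec listed; all are normally suid root on a Mandrake 7.2 box (per the thread).
EXPECTED_SUID_ROOT = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount", "/sbin/dump",
    "/sbin/linuxconf", "/sbin/pwdb_chkpwd", "/sbin/restore", "/sbin/unix_chkpwd",
}
LINE_RE = re.compile(r"-\s*(Added|Removed) suid root files\s*:\s*(\S+)")

def parse_suid_root_changes(report):
    """Return (added, removed) sets of paths from one msec report."""
    added, removed = set(), set()
    for kind, path in LINE_RE.findall(report):
        (added if kind == "Added" else removed).add(path)
    return added, removed

def is_flapping(earlier, later):
    """True when the later report only re-adds exactly what the earlier one removed:
    the whole set vanished and came back, which points at a scan that could not
    stat the files, not at an intruder planting suid binaries."""
    added1, removed1 = parse_suid_root_changes(earlier)
    added2, removed2 = parse_suid_root_changes(later)
    return bool(removed1) and removed1 == added2 and not added1 and not removed2

def unexpected_suid(report):
    """Added suid-root paths that are not on the known-good list: inspect these."""
    added, _ = parse_suid_root_changes(report)
    return added - EXPECTED_SUID_ROOT

def sha256_of(path):
    """SHA-256 of a file on disk, for building a snapshot on a clean box."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def compare_to_reference(reference, current):
    """reference/current map path -> sha256. Return paths whose hash differs or
    is missing from the current box; those are the binaries to reinstall or examine."""
    return sorted(p for p, h in reference.items() if current.get(p) != h)
```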