Hello David

Just a hint: check the lastlogs to see if any suspicious logins have
occurred.

If not, it might be helpful to make images of your box now, and store
them for examination with Autopsy later. Especially if you're going to
rebuild it.

Also try running tripwire or aide for a while to see if anything weird
is going on.

Kind regards

Guy


On Sat, 2002-12-28 at 04:55, David Rankin wrote:
> Thanks James,
> 
>     I think the consensus is that msec lost its mind after the network
> errors. Weirdest $hit I've ever seen, but then again, I don't hold myself
> out as knowing the intricacies of msec that well. I'm going to keep looking
> at the snafu, but for now, I'm going to hold off rebuilding the box.
> 
>     Thanks again!
> 
> --
> David C. Rankin, J.D., P.E.
> Rankin * Bertin, PLLC
> 510 Ochiltree Street
> Nacogdoches, Texas 75961
> (936) 715-9333
> ----- Original Message -----
> From: "James Sparenberg" <[EMAIL PROTECTED]>
> To: "Expert List" <[EMAIL PROTECTED]>
> Sent: Friday, December 27, 2002 1:16 PM
> Subject: Re: [expert] Possible Hack? -- Change in Suid Root files found
> 
> 
> > I don't think you've been hacked.... but the box did go nuts when it
> > couldn't access the NIC.  I'd say that is your only problem.  Chkrootkit
> > is good.  All (OK I only checked the first few) the ones mentioned are
> > supposed to be suid root.  (checked a few against a fairly new install
> > that hasn't gone out to the net yet.) Noting that this box is a system
> > in and of itself, it's not unusual for a box to show all kinds of
> > "errors" when a part of the system crashes.  Rule of thumb: fix the first
> > error on the list... retest.  You'll be amazed how often all the errors
> > are fixed.
> >
> > James
> >
> > On Fri, 2002-12-27 at 09:03, David Rankin wrote:
> > > Well,
> > >
> > >     I have now compiled and run chkrootkit and I need help interpreting the
> > > output. The thing I don't understand is the suspicious files output. I would be
> > > grateful if someone smarter than I would take a quick look at the output and tell
> > > me if you think I was hacked. Everything is working OK, but that's what concerns
> > > me. My internet connect setup is a cable setup that goes through a Linksys
> > > Cable/DSL Router and the only ports forwarded are 22, 25, 80, 110, 143, 1723 &
> > > 10000. All others are closed. I thought I was fairly secure. Here is what
> > > chkrootkit said:
> > >
> > > [root@Nemesis chkrootkit-0.38]# ./chkrootkit
> > > ROOTDIR is `/'
> > > Checking `amd'... not infected
> > > Checking `basename'... not infected
> > > Checking `biff'... not infected
> > > Checking `chfn'... not infected
> > > Checking `chsh'... not infected
> > > Checking `cron'... not infected
> > > Checking `date'... not infected
> > > Checking `du'... not infected
> > > Checking `dirname'... not infected
> > > Checking `echo'... not infected
> > > Checking `egrep'... not infected
> > > Checking `env'... not infected
> > > Checking `find'... not infected
> > > Checking `fingerd'... not infected
> > > Checking `gpm'... not infected
> > > Checking `grep'... not infected
> > > Checking `hdparm'... not infected
> > > Checking `su'... not infected
> > > Checking `ifconfig'... not infected
> > > Checking `inetd'... not tested
> > > Checking `inetdconf'... not infected
> > > Checking `identd'... not infected
> > > Checking `killall'... not infected
> > > Checking `ldsopreload'... not infected
> > > Checking `login'... not infected
> > > Checking `ls'... not infected
> > > Checking `lsof'... not found
> > > Checking `mail'... not infected
> > > Checking `mingetty'... not infected
> > > Checking `netstat'... not infected
> > > Checking `named'... not infected
> > > Checking `passwd'... not infected
> > > Checking `pidof'... not infected
> > > Checking `pop2'... not found
> > > Checking `pop3'... not found
> > > Checking `ps'... not infected
> > > Checking `pstree'... not infected
> > > Checking `rpcinfo'... not infected
> > > Checking `rlogind'... not infected
> > > Checking `rshd'... not infected
> > > Checking `slogin'... not infected
> > > Checking `sendmail'... not infected
> > > Checking `sshd'... not infected
> > > Checking `syslogd'... not infected
> > > Checking `tar'... not infected
> > > Checking `tcpd'... not infected
> > > Checking `tcpdump'... not infected
> > > Checking `top'... not infected
> > > Checking `telnetd'... not infected
> > > Checking `timed'... not infected
> > > Checking `traceroute'... not infected
> > > Checking `w'... not infected
> > > Checking `write'... not infected
> > > Checking `aliens'... no suspect files
> > > Searching for sniffer's logs, it may take a while... nothing found
> > > Searching for HiDrootkit's default dir... nothing found
> > > Searching for t0rn's default files and dirs... nothing found
> > > Searching for t0rn's v8 defaults... nothing found
> > > Searching for Lion Worm default files and dirs... nothing found
> > > Searching for RSHA's default files and dir... nothing found
> > > Searching for RH-Sharpe's default files... nothing found
> > > Searching for Ambient's rootkit (ark) default files and dirs... nothing found
> > > Searching for suspicious files and dirs, it may take a while...
> > > /usr/lib/qt2/tools/designer/designer/.obj
> > > /usr/lib/qt2/tools/designer/designer/.tmp
> > > /usr/lib/qt2/tools/designer/util/.tmp
> > > /usr/lib/libDrakX/auto/Newt/.exists
> > > /usr/lib/libDrakX/auto/c/stuff/.exists
> > > /usr/lib/libDrakX/auto/resize_fat/c_rewritten/.exists
> > > /lib/modules/2.2.19-4.1mdk/.rhkmvtag
> > > /usr/lib/qt2/tools/designer/designer/.obj
> > > /usr/lib/qt2/tools/designer/designer/.tmp
> > > /usr/lib/qt2/tools/designer/util/.tmp
> > > Searching for LPD Worm files and dirs... nothing found
> > > Searching for Ramen Worm files and dirs... nothing found
> > > Searching for Maniac files and dirs... nothing found
> > > Searching for RK17 files and dirs... nothing found
> > > Searching for Ducoci rootkit... nothing found
> > > Searching for Adore Worm... nothing found
> > > Searching for ShitC Worm... nothing found
> > > Searching for Omega Worm... nothing found
> > > Searching for Sadmind/IIS Worm... nothing found
> > > Searching for MonKit... nothing found
> > > Searching for Showtee... nothing found
> > > Searching for OpticKit... nothing found
> > > Searching for T.R.K... nothing found
> > > Searching for Mithra... nothing found
> > > Searching for OBSD rk v1... nothing found
> > > Searching for LOC rootkit ... nothing found
> > > Searching for Romanian rootkit ... nothing found
> > > Searching for anomalies in shell history files... nothing found
> > > Checking `asp'... not infected
> > > Checking `bindshell'... not infected
> > > Checking `lkm'... nothing detected
> > > Checking `rexedcs'... not found
> > > Checking `sniffer'...
> > > eth0 is not promisc
> > > Checking `wted'... nothing deleted
> > > Checking `scalper'... not infected
> > > Checking `slapper'... not infected
> > > Checking `z2'...
> > > nothing deleted
> > > [root@Nemesis chkrootkit-0.38]#
> > >
> > > What do you think?
> > >
> > >
> > > Lorne wrote:
> > >
> > > > I'm sure you have downloaded the chkroot kit by now, but it sure looks to me
> > > > like your system is compromised! It looks like he has managed to replace some
> > > > files with modified ones and your system caught the permissions. I'm overly
> > > > paranoid, but I'd sure rebuild the box. Do NOT take the chance. It isn't
> > > > worth it. I highly recommend snort. I want to do tripwire but haven't had the
> > > > time.
> > > >
> > > > On Thursday 26 December 2002 12:20 pm, David Rankin wrote:
> > > > > Guy & Gals,
> > > > >
> > > > >     I need help. Something went whacko with eth0 and with my system just
> > > > > before my nightly cron job ran and I got a lot of weird messages in my
> > > > > log files. I don't know if this was a successful hack or if it was just
> > > > > a normal response from the system after eth0 went bonkers. The log
> > > > > entries are as follows:
> > > > >
> > > > > Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
> > > > > Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce, resetting...
> > > > > Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD ( /usr/share/msec/security.sh)
> > > > > Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD ( /sbin/rmmod -as)
> > > > > Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
> > > > > Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
> > > > > Dec 26 04:00:15 Nemesis :
> > > > > Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files found :
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
> > > > > Dec 26 04:00:15 Nemesis :
> > > > > Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files found :
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
> > > > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
> > > > > Dec 26 04:00:15 Nemesis :
> > > > > Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable Files found :
> > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
> > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
> > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
> > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix
> > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix/fs-1
> > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
> > > > >
> > > > > Dec 26 04:00:15 Nemesis :
> > > > >
> > > > > I understand that the eth0 PNIC2 error is from my tulip driver, but I
> > > > > haven't seen this error in the 2 years this box has been running. I have
> > > > > never seen the kernel smb errors.
> > > > >
> > > > > What concerns me is the Change in Suid Root files found. I haven't
> > > > > changed a thing on this LM 7.2 box for a long time. This is the first
> > > > > time I have seen this Security Warning and I am concerned I may have
> > > > > been hacked. Has anyone else seen something like this? Does it look like
> > > > > a hack? Where can I get a good check root kit package?
> > > > >
> > > > > Any help will be greatly appreciated.
> > > >
> > >
> > > > ------------------------------------------------------------------------
> > > > Want to buy your Pack or Services from MandrakeSoft?
> > > > Go to http://www.mandrakestore.com
> > >
> > > --
> > > David C. Rankin, J.D., P.E.
> > > RANKIN * BERTIN, PLLC
> > > 510 Ochiltree Street
> > > Nacogdoches, Texas 75961
> > > (936) 715-9333
> > > (936) 715-9339 fax
> > >
> > >
> > >
> > >
-- 
Guy Van Sanden <[EMAIL PROTECTED]>
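The msec warning at the heart of this thread is a snapshot-and-diff check over the set of setuid-root files. What follows is an added example, written for this page and not msec's own code or anything posted in the thread, that implements the same idea in Python and shows why a scan that does not complete (a vanished mount, an I/O error on a network filesystem, a NIC that hung mid-walk) has to be reported as "scan failed" rather than as a list of "removed" files. Assumptions: a throwaway tree built in a temp directory stands in for /, its files are owned by the running user rather than root (so the owner filter is a parameter), and a path that does not exist stands in for a mount that has gone away.

```python
"""Snapshot-and-diff check for setuid binaries, modelled on the msec
security.sh warning quoted in the thread ("Removed suid root files : ...").
This is an added example, not msec's own code.

It demonstrates the failure mode the thread is arguing about: a diff-based
check only says "the set of setuid files differs from the stored baseline".
If the current scan is incomplete, everything the scan did not reach is
reported as "removed", which looks exactly like an attacker stripping the
bits. So the scanner raises on any unreadable directory, and the check never
rewrites the baseline from a failed scan.
"""
import os
import stat
import tempfile

OWNER = os.getuid()   # files created below belong to us, not root; msec uses uid 0


def scan_suid(root, owner_uid=0):
    """Return {relative path} of regular files under root that are setuid and
    owned by owner_uid. Raises OSError on any unreadable directory so that a
    partial walk is never returned as a (smaller) result."""
    def fail(err):                       # os.walk ignores errors unless onerror raises
        raise err

    found = set()
    for dirpath, _dirs, files in os.walk(root, onerror=fail):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                found.add(os.path.relpath(path, root))
    return found


def check(root, baseline, owner_uid=0):
    """One run of the check. Returns added/removed lists plus the baseline to
    store for the next run. A failed scan keeps the old baseline and sets
    'scan_failed' instead of producing a bogus 'removed' list."""
    try:
        current = scan_suid(root, owner_uid)
    except OSError as err:
        return {"scan_failed": str(err), "added": [], "removed": [], "baseline": baseline}
    return {"scan_failed": None,
            "added": sorted(current - baseline),
            "removed": sorted(baseline - current),
            "baseline": current}


def format_report(result):
    """Render a result as syslog-style lines like msec's."""
    if result["scan_failed"]:
        return ["Security Warning: suid scan incomplete, baseline kept: " + result["scan_failed"]]
    lines = []
    if result["added"] or result["removed"]:
        lines.append("Security Warning: Change in Suid Root files found :")
        lines += ["- Added suid root files : " + p for p in result["added"]]
        lines += ["- Removed suid root files : " + p for p in result["removed"]]
    return lines


def build_demo_tree():
    """Constructed fixture: a throwaway tree with three setuid files and one
    ordinary one, all owned by OWNER (the bit is stored even on nosuid mounts)."""
    root = tempfile.mkdtemp(prefix="suidcheck-")
    os.mkdir(os.path.join(root, "bin"))
    for name, mode in (("su", 0o4755), ("mount", 0o4755), ("ping", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


def demo():
    """Baseline, then a real change (ping loses its bit), then a scan of a
    path that no longer exists (the vanished-mount case). Returns all three."""
    root = build_demo_tree()
    baseline = scan_suid(root, OWNER)
    os.chmod(os.path.join(root, "bin", "ping"), 0o755)
    real_change = check(root, baseline, OWNER)
    vanished = check(os.path.join(root, "gone"), real_change["baseline"], OWNER)
    return baseline, real_change, vanished


if __name__ == "__main__":
    for result in demo()[1:]:
        print("\n".join(format_report(result)))
```

Run it as a script to see the two reports side by side. The design point is in `scan_suid`: with `onerror` left at its default, `os.walk` silently skips a directory it cannot read, the result set shrinks, and the diff would print every setuid file under that directory as "Removed", which is what an aborted `find` over a dead mount produces. Raising instead, and refusing to replace the baseline on failure, keeps a transient error from either masquerading as a compromise or quietly becoming the new normal.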

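Guy's first hint, checking lastlog for unexpected logins, is easy to do by hand with `lastlog`, but the file is small and simple enough that parsing it directly shows what it can and cannot tell you. The block below is an added example, not code from the thread or from any distribution. It assumes glibc's `struct lastlog` on 32-bit-time_t Linux (int32 `ll_time`, `char ll_line[32]`, `char ll_host[256]`, 292 bytes per record, record index equal to the UID), builds a sample database inline from constructed entries with RFC 5737 documentation addresses, and flags remote root logins and logins from hosts not on an allowlist. Two caveats a practitioner will want: lastlog stores only the most recent login per UID, so an attacker who logged in before the legitimate user leaves no trace here, and anyone with root can rewrite it, so a clean lastlog is a hint, not evidence; wtmp, btmp and an off-host syslog are the stronger sources.

```python
"""Parse a Linux lastlog database and flag logins worth a second look.
Added example for the "check the lastlogs" hint; not code from the thread
or from any distribution. Assumes glibc's struct lastlog on 32-bit-time_t
Linux: int32 ll_time, char ll_line[32], char ll_host[256], 292 bytes per
record, record index == UID. The sample database is constructed inline; on
a real box read /var/log/lastlog instead.
"""
import struct
from datetime import datetime, timezone

# ll_time, ll_line[UT_LINESIZE=32], ll_host[UT_HOSTSIZE=256]; little-endian,
# no padding (an int32 followed by char arrays), so one record is 292 bytes.
LASTLOG = struct.Struct("<i32s256s")


def _cstr(raw):
    """Fixed-width NUL-padded field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def parse_lastlog(data):
    """Return [(uid, utc_datetime, line, host)] for every UID that has ever
    logged in; a record with ll_time == 0 means 'never logged in'."""
    if len(data) % LASTLOG.size:
        raise ValueError("truncated lastlog: %d bytes, record size %d"
                         % (len(data), LASTLOG.size))
    records = []
    for uid in range(len(data) // LASTLOG.size):
        t, line, host = LASTLOG.unpack_from(data, uid * LASTLOG.size)
        if t == 0:
            continue
        records.append((uid, datetime.fromtimestamp(t, timezone.utc),
                        _cstr(line), _cstr(host)))
    return records


def suspicious_logins(records, allowed_hosts):
    """Return (reason, record) for logins worth a second look: any remote
    login as uid 0, and any remote login from a host outside allowed_hosts.
    Console logins (empty ll_host) are left alone."""
    flagged = []
    for rec in records:
        uid, _when, _line, host = rec
        if host == "":
            continue
        if uid == 0:
            flagged.append(("remote root login from " + host, rec))
        elif host not in allowed_hosts:
            flagged.append(("login from unexpected host " + host, rec))
    return flagged


def build_lastlog(entries, nrecords):
    """Constructed fixture: entries maps uid -> (epoch, line, host). Unused
    UIDs stay all-zero, exactly as in a real sparse lastlog."""
    buf = bytearray(LASTLOG.size * nrecords)
    for uid, (t, line, host) in entries.items():
        LASTLOG.pack_into(buf, uid * LASTLOG.size, t, line.encode(), host.encode())
    return bytes(buf)


# Constructed sample. Timestamps are made up; 1040874840 is 2002-12-26
# 03:54:00 UTC, chosen only to match the date in the thread's log excerpt.
SAMPLE_LASTLOG = build_lastlog({
    0:   (1040874840, "pts/2", "192.0.2.10"),    # root, over the network
    500: (1040870000, "tty1",  ""),              # local console
    501: (1040875000, "pts/0", "198.51.100.7"),  # host nobody recognises
    502: (1040876000, "pts/1", "10.0.0.5"),      # the admin's own workstation
}, nrecords=600)


if __name__ == "__main__":
    recs = parse_lastlog(SAMPLE_LASTLOG)
    for reason, (uid, when, line, host) in suspicious_logins(recs, {"10.0.0.5"}):
        print("%s uid=%d %s %s: %s" % (when.isoformat(), uid, line, host, reason))
```

The allowlist is deliberately a set of host strings rather than a subnet check because `ll_host` holds whatever the login program wrote, which may be an address or a name depending on the PAM and sshd configuration; normalise before comparing if the box mixes both. The length check at the top matters on a box that is being rebuilt from an image: a lastlog copied while the system was still writing to it can end mid-record, and silently parsing it would drop the highest UIDs.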