Re: [CentOS] Is there a Centos 3 around ?
Nicolas, I agree with John. rkhunter is your friend! I set up all my servers to run nightly with weekly updates.

Peace,
Allan

John R Pierce wrote:
> On 02/07/11 10:06 AM, Nicolas Ross wrote:
>> I found some suspicious file in /bin and /usr/bin directories that are owned
>> by user id 122, where this machine doesn't have a userid 122.
>>
>
> oh. get and run rkhunter. preferably do it on read only media via
> another system.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Is there a Centos 3 around ?
On Mon, 2011-02-07 at 15:27 -0800, Benjamin Smith wrote:
> A) Determine just how far they got in (did they get access to other systems?)

All the bad stuff only resided in Volatile Memory and you Erased it when you shut down the machine and forgot to copy the Memory. :-)

John
Re: [CentOS] Is there a Centos 3 around ?
On Monday, February 07, 2011 10:21:18 am Nicolas Ross wrote:
> md5sum has been tampered with also... It returns those expected values, but
> a md5sum program I took elsewhere was returning another value...

Once you've been hacked, you can't trust the core utilities (ls / md5sum / cd / etc). You can't trust the kernel interfaces that these core utilities use, nor can you reliably remove the kernel modules used to interfere with normal operations, since the interfaces within the kernel may themselves be cloaking the hack-installed kernel modules!

The only way to deal with this scenario and get anything resembling a correct answer is to mount the drive in userspace, noexec, on another, trusted system. If downtime is a concern you *might* be able to use dd and copy the disk partition to another drive in the middle of the night and then check out the drive offline - that would probably work fine.

But realize that until you do this, you can have no trust whatsoever in that computer: change passwords, delete/change private SSH keys, etc. Anything you do from here on out will be forensics to:

A) Determine just how far they got in (did they get access to other systems?)
B) Figure out how to best transfer services to a new, updated system and update security so that the bad guys can't just walk back in with prior knowledge.

BTW: you should basically NEVER run an EOL'd system, regardless of the O/S. An unpatched server is pretty much a guaranteed hack incident waiting to happen.

Good luck!

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: [CentOS] Is there a Centos 3 around ?
> On 02/07/11 10:06 AM, Nicolas Ross wrote:
>> I found some suspicious file in /bin and /usr/bin directories that are
>> owned
>> by user id 122, where this machine doesn't have a userid 122.
>>
>
> oh. get and run rkhunter. preferably do it on read only media via
> another system.

Ok, good tool, and good call... I took the chance to run it from that machine. So, it found some suspicious files and some parts of some rootkits, SHV5 namely.

So, that machine was scheduled to be replaced soon, so it'll be sooner than later... In the mean time, I'll check what I can salvage from the 3.9 repos.

Thanks,
Re: [CentOS] Is there a Centos 3 around ?
On Mon, Feb 07, 2011 at 01:06:56PM -0500, Nicolas Ross wrote:
> Hi !
>
> I think one of my machine got hacked, but I can figure out from where...
>
> I found some suspicious file in /bin and /usr/bin directories that are owned
> by user id 122, where this machine doesn't have a userid 122.
>
> So, does anyone have a centos 3.9 install around that can send me the info
> about (filesize, md5, modification date) these file :

3.9 is still available on all the mirrors, you can rpm2cpio and compare (watch out for prelinked files) or try the rpm --verify flag (if the rpm database is not modified).

Tru
-- 
Tru Huynh (mirrors, CentOS i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
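Benjamin's advice (mount the suspect disk noexec on a trusted system and do everything from there) and Tru's (compare the binaries against a known-good copy of the same release) come together in the script below. It is an added example written for this page, not code from the CentOS list or from any of the posters. It assumes a layout the thread does not state: the suspect filesystem is mounted read-only and noexec under a root such as /mnt/suspect, and a known-good manifest in `md5sum` output format ("<md5>  <absolute path>") was produced on a trusted box of the same release and update level. It hashes with the trusted host's own hashlib, so none of the image's possibly trojaned ls, md5sum or find is ever executed, and it also flags files in /bin and /usr/bin whose owner UID has no passwd entry, which is exactly the symptom Nicolas noticed (uid 122 on a box with no such user). The sample image and manifest it builds when run without arguments are constructed for the demonstration; the hashes in it are not real CentOS 3.9 values.

```python
"""Offline integrity audit of a suspect root filesystem mounted on a trusted host.

Added example, not code from the CentOS thread. Assumed (not from the thread):
ROOT is a read-only, noexec mount of the suspect disk (e.g. /mnt/suspect) and the
manifest is `md5sum` output taken on a trusted box of the same release/patch level.
"""
import hashlib
import os
import sys
import tempfile

# Constructed known-good contents standing in for real binaries; SAMPLE_MANIFEST is
# derived from them exactly as `md5sum /bin/ls /bin/ps /bin/netstat` would print it.
GOOD = {"/bin/ls": b"genuine ls\n", "/bin/ps": b"genuine ps\n",
        "/bin/netstat": b"genuine netstat\n"}
SAMPLE_MANIFEST = "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in GOOD.items())

def parse_manifest(text):
    """Map absolute path -> md5 hex from md5sum-style lines ("*" marks binary mode)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        entries[path.strip().lstrip("*")] = digest.lower()
    return entries

def md5_of(path):
    """Hash a file with the trusted host's hashlib, streaming to bound memory use."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(root, manifest):
    """Return (mismatched, missing) manifest paths, resolved under the mounted root."""
    mismatched, missing = [], []
    for path, expected in manifest.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            missing.append(path)
        elif md5_of(full) != expected:
            mismatched.append(path)
    return mismatched, missing

def parse_passwd(text):
    """Set of numeric UIDs defined in passwd(5) contents."""
    return {int(f[2]) for f in (ln.split(":") for ln in text.splitlines())
            if len(f) >= 3 and f[2].isdigit()}

def find_unknown_owners(root, dirs, known_uids):
    """[(path, uid)] for files under root/<dir> owned by a UID with no passwd entry.
    lstat is used so symlinks inside the untrusted image are not followed."""
    hits = []
    for d in dirs:
        base = os.path.join(root, d.strip("/"))
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            uid = os.lstat(os.path.join(base, name)).st_uid
            if uid not in known_uids:
                hits.append(("/" + d.strip("/") + "/" + name, uid))
    return hits

def audit_image(root, manifest_text, passwd_text=None, dirs=("/bin", "/usr/bin")):
    """Run both checks; by default the UID list comes from the image's own /etc/passwd."""
    if passwd_text is None:
        with open(os.path.join(root, "etc/passwd")) as f:
            passwd_text = f.read()
    mismatched, missing = verify_manifest(root, parse_manifest(manifest_text))
    return {"mismatched": mismatched, "missing": missing,
            "unknown_owner": find_unknown_owners(root, dirs, parse_passwd(passwd_text))}

def build_sample_image():
    """Constructed throwaway 'suspect image': /bin/ls tampered, /bin/ps intact,
    /bin/netstat missing, passwd listing root plus the current user."""
    root = tempfile.mkdtemp(prefix="suspect-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"tampered ls\n")
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(GOOD["/bin/ps"])
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n"
                f"me:x:{os.getuid()}:{os.getgid()}::/home/me:/bin/bash\n")
    return root

if __name__ == "__main__":
    # Usage: audit.py /mnt/suspect manifest.md5 ; with no arguments the sample image is audited.
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as f:
            print(audit_image(sys.argv[1], f.read()))
    else:
        print(audit_image(build_sample_image(), SAMPLE_MANIFEST))
```

On the trusted host the mount would look like `mount -o ro,noexec,nodev /dev/sdX1 /mnt/suspect` (device name assumed), after which the script only reads from the image. Two caveats from the thread carry over: the image's own /etc/passwd is untrusted, so an attacker who added a uid 122 entry defeats the ownership check (which is why the manifest comparison is the primary signal), and prelinked binaries hash differently from the files in the RPM, so the manifest must come from a box at the same prelink state, or the comparison has to be done on un-prelinked copies.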
Re: [CentOS] Is there a Centos 3 around ?
2011/2/7 Nicolas Ross
> md5sum has been tampered with also... It returns those expected values, but
> a
> md5sum program I took elsewhere was returning another value...
>
>

not all md5sum programs are the same, check several programs before deciding what's next.
Re: [CentOS] Is there a Centos 3 around ?
John R Pierce wrote:
> On 02/07/11 10:06 AM, Nicolas Ross wrote:
>> So, does anyone have a centos 3.9 install around that can send me the
>> info about (filesize, md5, modification date) these file :
>
> is that a 3.9 install that never got any updates afterwards? is that
> x86_64 or i686? etc etc.
>
> that data is pretty worthless out of context.

Good question. The box I got my data from had all updates applied until it went out of support late last fall.

mark
Re: [CentOS] Is there a Centos 3 around ?
On 02/07/11 10:06 AM, Nicolas Ross wrote:
> I found some suspicious file in /bin and /usr/bin directories that are owned
> by user id 122, where this machine doesn't have a userid 122.
>

oh. get and run rkhunter. preferably do it on read only media via another system.
Re: [CentOS] Is there a Centos 3 around ?
On 02/07/11 10:06 AM, Nicolas Ross wrote:
> So, does anyone have a centos 3.9 install around that can send me the info
> about (filesize, md5, modification date) these file :
>

is that a 3.9 install that never got any updates afterwards? is that x86_64 or i686? etc etc.

that data is pretty worthless out of context.
Re: [CentOS] Is there a Centos 3 around ?
>> I think one of my machine got hacked, but I can figure out from where...
>>
>> I found some suspicious file in /bin and /usr/bin directories that are
>> owned
>> by user id 122, where this machine doesn't have a userid 122.
>>
>> So, does anyone have a centos 3.9 install around that can send me the
>> info
>
> One of our investigators has collaborators around the world, on old
> machines, so we have this:
> 2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386
> GNU/Linux
> Note they may be different on your machine.
>> about (filesize, md5, modification date) these file :
>>
>> /bin :
>> ls
>> netstat
>> ps
>
> -rwxr-xr-x    1 root     root        67700 Jun 12  2007 /bin/ls
> -rwxr-xr-x    1 root     root        83800 May 22  2007 /bin/netstat
> -r-xr-xr-x    1 root     root        64076 Apr 19  2006 /bin/ps
>
> e102f6c3dde4043908ed001e1587b1d2  /bin/ls
> bdfc76a24f59cc6cd8a70f771cc5cda4  /bin/netstat
> fc3369b3564e00f877387a13bf3f467a  /bin/ps

Dammm... md5sum has been tampered with also... It returns those expected values, but a md5sum program I took elsewhere was returning another value...

Dammm...
Re: [CentOS] Is there a Centos 3 around ?
On Feb 7, 2011, at 10:14 AM, m.r...@5-cent.us wrote:
> Nicolas Ross wrote:
>> Hi !
>>
>> I think one of my machine got hacked, but I can figure out from where...
>>
>> I found some suspicious file in /bin and /usr/bin directories that are
>> owned
>> by user id 122, where this machine doesn't have a userid 122.
>>
>> So, does anyone have a centos 3.9 install around that can send me the info
>
> One of our investigators has collaborators around the world, on old
> machines, so we have this:
> 2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux
> Note they may be different on your machine.
>> about (filesize, md5, modification date) these file :
>>
>> /bin :
>> ls
>> netstat
>> ps
>
> -rwxr-xr-x    1 root     root        67700 Jun 12  2007 /bin/ls
> -rwxr-xr-x    1 root     root        83800 May 22  2007 /bin/netstat
> -r-xr-xr-x    1 root     root        64076 Apr 19  2006 /bin/ps
>
> e102f6c3dde4043908ed001e1587b1d2  /bin/ls
> bdfc76a24f59cc6cd8a70f771cc5cda4  /bin/netstat
> fc3369b3564e00f877387a13bf3f467a  /bin/ps
>
>>
>> /usr/bin/
>> dir
>> find
>> md5sum
>> pstree
>> slocate
>> tee
>> top
>
> -rwxr-xr-x    1 root     root        67700 Jun 12  2007 /usr/bin/dir
> -rwxr-xr-x    1 root     root        51028 Jan 11  2006 /usr/bin/find
> -rwxr-xr-x    1 root     root        29184 Jun 12  2007 /usr/bin/md5sum
> -rwxr-xr-x    1 root     root        14048 Apr 28  2006 /usr/bin/pstree
>
> 0df0aafb355df40b1137355dd354f172  /usr/bin/dir
> 2c5f4e789da1ad8d19ce5c68ecf8261d  /usr/bin/find
> 03174f884e7fc5fbc215780819679f6e  /usr/bin/md5sum
> 224f527255b2c8deb44f692eaadc873d  /usr/bin/pstree
> 0cee754c3981ba5f527bedc9a8cbea2a  /usr/bin/slocate
> 4ed536310a845f274f6a1611773789d8  /usr/bin/tee
> 6b42bf37296861c657fcf6b8dba8f675  /usr/bin/top
>
> Hope this helps.
>
> mark

Our internal, not internet connected, fully patched Cent 3 box exactly matches what Mark posted.

[dkrause@rigil bin]$ ls -lat ls netstat ps
-rwxr-xr-x    1 root     root        67700 Jun 12  2007 ls
-rwxr-xr-x    1 root     root        83800 May 22  2007 netstat
-r-xr-xr-x    1 root     root        64076 Apr 19  2006 ps
e102f6c3dde4043908ed001e1587b1d2  /bin/ls
bdfc76a24f59cc6cd8a70f771cc5cda4  /bin/netstat
fc3369b3564e00f877387a13bf3f467a  /bin/ps

[dkrause@rigil bin]$ ls -la dir find md5sum pstree slocate tee top
-rwxr-xr-x    1 root     root        67700 Jun 12  2007 dir
-rwxr-xr-x    1 root     root        51028 Jan 11  2006 find
-rwxr-xr-x    1 root     root        29184 Jun 12  2007 md5sum
-rwxr-xr-x    1 root     root        14048 Apr 28  2006 pstree
-rwxr-sr-x    1 root     slocate     32480 Sep 28  2005 slocate
-rwxr-xr-x    1 root     root        12220 Jun 12  2007 tee
-r-xr-xr-x    1 root     root        48052 Apr 19  2006 top
0df0aafb355df40b1137355dd354f172  dir
2c5f4e789da1ad8d19ce5c68ecf8261d  find
03174f884e7fc5fbc215780819679f6e  md5sum
224f527255b2c8deb44f692eaadc873d  pstree
0cee754c3981ba5f527bedc9a8cbea2a  slocate
4ed536310a845f274f6a1611773789d8  tee
6b42bf37296861c657fcf6b8dba8f675  top

Good luck!

-- 
Don Krause
Re: [CentOS] Is there a Centos 3 around ?
Nicolas Ross wrote:
> Hi !
>
> I think one of my machine got hacked, but I can figure out from where...
>
> I found some suspicious file in /bin and /usr/bin directories that are
> owned
> by user id 122, where this machine doesn't have a userid 122.
>
> So, does anyone have a centos 3.9 install around that can send me the info

One of our investigators has collaborators around the world, on old machines, so we have this:
2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux
Note they may be different on your machine.

> about (filesize, md5, modification date) these file :
>
> /bin :
> ls
> netstat
> ps

-rwxr-xr-x    1 root     root        67700 Jun 12  2007 /bin/ls
-rwxr-xr-x    1 root     root        83800 May 22  2007 /bin/netstat
-r-xr-xr-x    1 root     root        64076 Apr 19  2006 /bin/ps

e102f6c3dde4043908ed001e1587b1d2  /bin/ls
bdfc76a24f59cc6cd8a70f771cc5cda4  /bin/netstat
fc3369b3564e00f877387a13bf3f467a  /bin/ps

>
> /usr/bin/
> dir
> find
> md5sum
> pstree
> slocate
> tee
> top

-rwxr-xr-x    1 root     root        67700 Jun 12  2007 /usr/bin/dir
-rwxr-xr-x    1 root     root        51028 Jan 11  2006 /usr/bin/find
-rwxr-xr-x    1 root     root        29184 Jun 12  2007 /usr/bin/md5sum
-rwxr-xr-x    1 root     root        14048 Apr 28  2006 /usr/bin/pstree

0df0aafb355df40b1137355dd354f172  /usr/bin/dir
2c5f4e789da1ad8d19ce5c68ecf8261d  /usr/bin/find
03174f884e7fc5fbc215780819679f6e  /usr/bin/md5sum
224f527255b2c8deb44f692eaadc873d  /usr/bin/pstree
0cee754c3981ba5f527bedc9a8cbea2a  /usr/bin/slocate
4ed536310a845f274f6a1611773789d8  /usr/bin/tee
6b42bf37296861c657fcf6b8dba8f675  /usr/bin/top

Hope this helps.

mark