Hi Simon, I have been the victim of hackers with my raq4. On that occasion I was denied the luxury of exploring what had happened myself, as my machine is leased. My host provider disconnected it, and did a little investigation themselves. They informed me that the /bin/login file had been changed (I notice that is in your list of modified files). They examined this file with the strings program, and claimed it allowed in a user called owned, with root privileges, and no password. My only option was to pay to have them blank it and re-install the entire system. All the security patches were then applied (my vulnerability may have dated back to the bind exploit last February - that may be when one or more back doors were installed on my machine). I have now installed the tools mentioned, and in normal use my tripwire tends to report around 11 violations. These are mostly to do with the automatic log rotation (backing-up and starting new files), as well as changes to hosts.deny made by portsentry.
If you weren't expecting all those system binaries to have changed, then surely you must have been hacked. If your tripwire reports did not previously list those files, and nothing has happened to disturb the tripwire database, or the files (have you copied the binaries folder - that would modify them all I guess), then I would be suspicious. If you need to rebuild your system without starting from scratch, then you would need to recover the binaries from known good copies. Starting from scratch however is the only way to ensure there are no backdoors left in place.

Cheers,
Lew

>
> --__--__--
>
> Message: 6
> From: "Simon Wilson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: RE: [cobalt-security] Have I been hacked?
> Date: Mon, 7 Jan 2002 15:30:27 -0000
> Reply-To: [EMAIL PROTECTED]
>
> We already run chkrootkit on a daily basis using cron (your advice I
> believe) and it is reporting nothing unusual.
>
> I ran a netstat on the machine, nothing unusual. I can't run a portscan from
> outside because I only have a windows machine to connect from and I don't
> know how to do that...yet (I'll try to find something)
>
> The restart I mentioned shows up as this in logcheck...
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Jan 5 04:04:14 ns1 syslogd 1.3-3: restart.
> Jan 5 04:05:03 ns1 syslogd 1.3-3: restart.
> Jan 5 04:06:41 ns1 named[376]: Cleaned cache of 4 RRsets
>
> I can't tell you whether it is a server reboot or just a restart of the
> logging facility because I don't know what this means!!! I just mentioned it
> because for it to appear twice is unusual.
>
> I hope this answers some of your questions and thank you for your help so
> far, it is very much appreciated.
>
> Simon
>
>
> Full tripwire report.
> Rule Summary:
> ===============================================================================
>
> -------------------------------------------------------------------------------
> Section: Unix File System
> -------------------------------------------------------------------------------
>
>   Rule Name                                      Severity Level  Added  Removed  Modified
>   ---------                                      --------------  -----  -------  --------
>   Invariant Directories                          66              0      0        0
>   Temporary directories                          33              0      0        0
>   Tripwire Data Files                            100             0      0        0
>   Critical devices                               100             0      0        0
>   User binaries                                  66              0      0        0
>   Tripwire Binaries                              100             0      0        0
> * Libraries                                      66              0      0        1
> * File System and Disk Administraton Programs    100             0      0        34
> * Kernel Administration Programs                 100             0      0        9
> * Networking Programs                            100             0      0        14
> * System Administration Programs                 100             0      0        16
> * Hardware and Device Control Programs           100             0      0        3
> * System Information Programs                    100             0      0        2
> * Application Information Programs               100             0      0        2
>   Critical Utility Sym-Links                     100             0      0        0
> * Critical configuration files                   100             0      1        4
>   OS executables and libraries                   100             0      0        0
>   System boot changes                            100             0      0        0
> * Security Control                               100             0      0        7
>   Login Scripts                                  100             0      0        0
> * Operating System Utilities                     100             0      0        41
>   Shell Binaries                                 100             0      0        0
> * Critical system boot files (/boot)             100             0      0        5
> * Root config files                              100             0      0        5
>
> Total objects scanned:  7233
> Total violations found: 144

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
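As an added illustration (not code from this thread or from the tripwire project), the following Python script shows the mechanism behind the report quoted above: hash every file under a tree into a baseline, compare a later scan against it, and report added, removed and modified files. It also separates out the routine churn Lew mentions (rotated logs, portsentry's edits to hosts.deny) so that a modified /bin/login does not get lost among 11 expected violations. The directory layout, file names and contents are constructed for the demo; the expected-noise prefixes are an assumption chosen to match the thread.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (as a relative path) to its hash.
    Symlinks are skipped so a link pointing elsewhere is not hashed as the target."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[str(path.relative_to(root))] = sha256_file(path)
    return baseline


def compare(baseline, current, expected_noise=()):
    """Classify every path seen in either scan.

    Paths starting with one of the expected_noise prefixes are reported under
    'expected' rather than hidden, so a reviewer can still eyeball them while
    the 'added'/'removed'/'modified' lists hold only surprising changes."""
    def noisy(p):
        return any(p.startswith(prefix) for prefix in expected_noise)

    report = {"added": [], "removed": [], "modified": [], "expected": []}
    for p in sorted(set(baseline) | set(current)):
        if p in baseline and p not in current:
            kind = "removed"
        elif p not in baseline:
            kind = "added"
        elif baseline[p] != current[p]:
            kind = "modified"
        else:
            continue  # unchanged
        if noisy(p):
            report["expected"].append((kind, p))
        else:
            report[kind].append(p)
    return report


def demo():
    """Constructed scenario: take a baseline, then simulate log rotation,
    a portsentry edit, a replaced login binary, a dropped file and a removed file."""
    root = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    try:
        files = {
            "bin/login": b"original login binary\n",
            "bin/ls": b"original ls binary\n",
            "etc/hosts.deny": b"ALL: 192.0.2.1\n",
            "etc/oldconf": b"stale config\n",
            "var/log/messages": b"Jan  5 04:04:14 ns1 syslogd 1.3-3: restart.\n",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root)

        # Expected churn: logrotate starts a fresh log, portsentry blocks a host.
        (root / "var/log/messages").write_bytes(b"")
        with open(root / "etc/hosts.deny", "ab") as f:
            f.write(b"ALL: 198.51.100.7\n")
        # Unexpected changes of the kind the thread is about.
        (root / "bin/login").write_bytes(b"replaced login binary\n")
        (root / "bin/.hidden").write_bytes(b"unexpected new file\n")
        os.remove(root / "etc/oldconf")

        current = build_baseline(root)
        return compare(baseline, current,
                       expected_noise=("var/log/", "etc/hosts.deny"))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running it prints the modified /bin/login, the new dot-file and the removed file on their own lines, with the two expected changes listed separately. The baseline dictionary is the part a real tool keeps somewhere the host cannot silently alter (tripwire signs its database for this reason); as Lew notes, once the database itself is in doubt the only trustworthy comparison is against known-good copies.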
