I woke up this morning to find this email in my system:
Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 ***
Security Warning: Change in Suid Root files found :
- Added suid root files : /bin/mount
- Added suid root files : /bin/ping
- Added suid root files : /bin/su
- Added suid root files : /bin/umount
- Added suid root files : /sbin/dump
- Added suid root files : /sbin/pwdb_chkpwd
- Added suid root files : /sbin/restore
- Added suid root files : /usr/X11R6/bin/Xwrapper
- Added suid root files : /usr/bin/at
- Added suid root files : /usr/bin/chage
- Added suid root files : /usr/bin/chfn
- Added suid root files : /usr/bin/chsh
- Added suid root files : /usr/bin/crontab
- Added suid root files : /usr/bin/dos
- Added suid root files : /usr/bin/gpasswd
- Added suid root files : /usr/bin/lpq
- Added suid root files : /usr/bin/lpr
- Added suid root files : /usr/bin/lprm
- Added suid root files : /usr/bin/newgrp
- Added suid root files : /usr/bin/passwd
- Added suid root files : /usr/bin/procmail
- Added suid root files : /usr/bin/rcp
- Added suid root files : /usr/bin/rlogin
- Added suid root files : /usr/bin/rsh
- Added suid root files : /usr/bin/sperl5.6.0
- Added suid root files : /usr/bin/suidperl
- Added suid root files : /usr/bin/urpmi
- Added suid root files : /usr/lib/telnetd/login
- Added suid root files : /usr/libexec/pt_chown
- Added suid root files : /usr/sbin/sendmail
- Added suid root files : /usr/sbin/traceroute
- Added suid root files : /usr/sbin/userhelper
- Added suid root files : /usr/sbin/usernetctl
Security Warning: Changes in Suid Group files found :
- Added suid group files : /usr/sbin/sendmail
Security Warning: Change in World Writeable Files found :
- Removed writables files : /tmp/fileUcAjVM
Security Warning: the md5 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a
backdoor...
- Checksum changed files : /usr/bin/suidperl
Security Warning: There is modifications for port listening on your machine :
- Opened ports : tcp 0 0 *:6000 *:* LISTEN 658/X
- Opened ports : tcp 0 0 *:1024 *:* LISTEN 651/kdm
- Opened ports : tcp 0 0 *:10000 *:* LISTEN 586/perl
- Opened ports : tcp 0 0 *:www *:* LISTEN 520/httpd
- Opened ports : udp 0 0 *:xdmcp *:* 651/kdm
- Opened ports : udp 0 0 *:10000 *:* 586/perl
- Closed ports : tcp 0 0 *:www *:* LISTEN 3244/httpd
- Closed ports : tcp 0 0 *:10000 *:* LISTEN 1996/perl
- Closed ports : tcp 0 0 *:6000 *:* LISTEN 660/X
- Closed ports : tcp 0 0 *:1024 *:* LISTEN 653/kdm
- Closed ports : udp 0 0 *:10000 *:* 1996/perl
- Closed ports : udp 0 0 *:xdmcp *:* 653/kdm
...I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How
do I prevent it from happening again?
===========================================================================
Andrew Vogel: Program Manager at the University of Cincinnati College of
Pharmacy. Actor, director, dog (JRT) lover, Miata owner, & much, much more!
My homepage: "http://www.drewvogel.com". Play I-War, FF7PC, & BC3K!
Official BC3K Tester. Linux! "The only way OUT is THROUGH."
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
dug: you da man! you da man! "Drew Vogel is its own reward."
ric: isn't "the man" the guy who's always bringing everyone down?
dug: nope! 'cause YOU da man!! Email: [EMAIL PROTECTED]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
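The report quoted in the post is the output of a baseline-versus-current comparison: the checker records which root-owned setuid binaries exist and their digests, then on each run reports paths that were added or removed and paths whose checksum no longer matches. The following is an added example, written for this page and not the code of the msec tool that produced the report, showing how such a check is built: a scan for setuid files, a JSON baseline on disk, and a diff that yields the three categories seen above. The baseline file name, the `sha256` default (the report used md5), the `owner_uid` parameter and the constructed directory tree in `demo()` are assumptions of this example.

```python
"""Baseline/diff check for setuid binaries (added example, not msec's own code)."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, List


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hex digest of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_suid(roots: Iterable[str], owner_uid: int = 0, algo: str = "sha256") -> Dict[str, str]:
    """Return {path: digest} for regular files under roots that carry the setuid
    bit and are owned by owner_uid (0 = root, matching the 'suid root' check)."""
    found: Dict[str, str] = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):  # does not follow symlinks
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable entry: skip rather than abort the scan
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, sockets and devices are never setuid programs
                if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                    found[path] = file_digest(path, algo)
    return found


def diff_suid(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots; the three buckets mirror the report's warnings."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "checksum_changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def load_baseline(path: str) -> Dict[str, str]:
    """An absent baseline is an empty one: the first run then reports every file as added."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save_baseline(path: str, snapshot: Dict[str, str]) -> None:
    with open(path, "w") as f:
        json.dump(snapshot, f, indent=1, sort_keys=True)


def format_report(diff: Dict[str, List[str]]) -> List[str]:
    """Lines in the style of the quoted report; empty when nothing changed."""
    lines: List[str] = []
    if diff["added"] or diff["removed"]:
        lines.append("Security Warning: Change in Suid Root files found :")
        lines += [f"- Added suid root files : {p}" for p in diff["added"]]
        lines += [f"- Removed suid root files : {p}" for p in diff["removed"]]
    if diff["checksum_changed"]:
        lines.append("Security Warning: the checksum for one of your SUID files has changed")
        lines += [f"- Checksum changed files : {p}" for p in diff["checksum_changed"]]
    return lines


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: record a baseline, then modify one setuid file and add
    another, and return the diff with paths relative to the temporary root."""
    root = tempfile.mkdtemp(prefix="suidcheck-")
    os.makedirs(os.path.join(root, "bin"))
    ping = os.path.join(root, "bin", "ping")
    with open(ping, "wb") as f:
        f.write(b"original ping binary")
    os.chmod(ping, 0o4755)                      # setuid, constructed for the demo
    ls = os.path.join(root, "bin", "ls")
    with open(ls, "wb") as f:
        f.write(b"ls is not setuid")
    os.chmod(ls, 0o755)
    me = os.getuid()                            # files here belong to us, not root
    baseline_file = os.path.join(root, "suid.baseline.json")
    save_baseline(baseline_file, scan_suid([root], owner_uid=me))

    with open(ping, "wb") as f:                 # contents change, mode stays setuid
        f.write(b"replaced ping binary")
    new = os.path.join(root, "bin", "suidperl")
    with open(new, "wb") as f:
        f.write(b"new setuid binary")
    os.chmod(new, 0o4755)

    diff = diff_suid(load_baseline(baseline_file), scan_suid([root], owner_uid=me))
    return {k: [os.path.relpath(p, root) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print("\n".join(format_report(demo())))
```

Run against a real system the scan would take the same `roots` as the report's entries (`/bin`, `/sbin`, `/usr`) with the default `owner_uid=0`, and the baseline file must itself live somewhere a local attacker cannot rewrite, or the comparison proves nothing; a read-only copy stored off the host is the usual answer. Note also that a baseline established after a compromise simply enshrines the compromised state, so the value of the check lies in the baseline being taken from a known-good install.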