Guys & Gals,
I need help. Something went whacko with eth0 and with my system just
before my nightly cron job ran and I got a lot of weird messages in my
log files. I don't know if this was a successful hack or if it was just
a normal response from the system after eth0 went bonkers. The log
entries are as follows:
Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce, resetting...
Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD ( /usr/share/msec/security.sh)
Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD ( /sbin/rmmod -as)
Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
Dec 26 04:00:15 Nemesis :
Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files
found :
Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
Dec 26 04:00:15 Nemesis :
Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files
found :
Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
Dec 26 04:00:15 Nemesis :
Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable
Files found :
Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix
Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix/fs-1
Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
Dec 26 04:00:15 Nemesis :
I understand that the eth0 PNIC2 error is from my tulip driver, but I
haven't seen this error in the 2 years this box has been running. I have
never seen the kernel smb errors.
What concerns me is the Change in Suid Root files found. I haven't
changed a thing on this LM 7.2 box for a long time. This is the first
time I have seen this Security Warning and I am concerned I may have
been hacked. Has anyone else seen something like this? Does it look like
a hack? Where can I get a good check root kit package?
Any help will be greatly appreciated.
--
David C. Rankin, J.D., P.E.
RANKIN * BERTIN, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
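An added example for anyone triaging a report like the one above (this is not code from David's post, and it is not part of msec itself): a small Python script that parses the msec-style "Removed suid root files" / "Removed suid group files" lines into a table, and then checks what the filesystem says about each path right now. msec's "Removed" only means the path dropped out of the set recorded at the previous run; it does not say whether the setuid bit was stripped, the file was replaced, or the scan simply could not see it (the smb errors at 04:00:00 are a hint the scan ran under odd conditions). The sample log text is constructed in the same format as the post's lines; the `mode_lookup` helper, the regex, and the "Added" action in it are my assumptions, not msec's documented format.

```python
import os
import re
import stat
from collections import defaultdict

# Constructed sample in the same msec/syslog format as the lines in the post.
SAMPLE_LOG = """\
Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files found :
Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
Dec 26 04:00:15 Nemesis :
Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files found :
Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
"""

# Assumed item format; "Added" is accepted as well as "Removed" so the same
# parser covers the opposite case (a new setuid binary appearing).
ITEM_RE = re.compile(
    r": - (?P<action>Added|Removed) (?P<kind>suid root|suid group|writables) files : (?P<path>\S+)$"
)


def parse_msec_warnings(text):
    """Return {(action, kind): [paths]} from msec-style warning lines."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = ITEM_RE.search(line.rstrip())
        if m:
            found[(m["action"].lower(), m["kind"])].append(m["path"])
    return dict(found)


def live_mode(path):
    """Current st_mode of a path (lstat so a symlink is reported as such)."""
    return os.lstat(path).st_mode


def mode_lookup(table):
    """Build a mode function from a saved {path: st_mode} baseline.

    Raises FileNotFoundError for paths absent from the table, mirroring lstat.
    """
    def lookup(path):
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return lookup


def describe_path(path, mode_fn=live_mode):
    """Classify what the filesystem says now about one path msec reported.

    Returns 'missing', 'symlink', 'setuid', 'setgid', 'setuid+setgid' or 'no-setid'.
    """
    try:
        mode = mode_fn(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(mode):
        return "symlink"
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return "+".join(flags) if flags else "no-setid"


def audit_removed(warnings, mode_fn=live_mode):
    """For every 'removed' setuid/setgid path, report its current state.

    A path that is still 'setuid' now most likely means the scan itself
    misfired; 'missing', 'symlink' or 'no-setid' on a binary like /bin/su
    deserves a check against the package database before trusting the box.
    """
    report = {}
    for (action, kind), paths in warnings.items():
        if action != "removed" or not kind.startswith("suid"):
            continue
        for path in paths:
            report[path] = describe_path(path, mode_fn)
    return report


if __name__ == "__main__":
    warnings = parse_msec_warnings(SAMPLE_LOG)
    for path, state in sorted(audit_removed(warnings).items()):
        print(f"{path:24s} {state}")
```

Run it as root on the box that produced the warning and feed it the real /var/log/messages text instead of SAMPLE_LOG; the states it prints tell you whether the reported files actually lost their setuid bit or whether the scanner's view was what changed. Either way, compare the binaries against the package database (rpm -V on a Mandrake box) before deciding it was a hack, since a mode of `no-setid` on /bin/su and /bin/mount would also break ordinary logins and mounts, which is something you would notice quickly.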