On Thursday 26 December 2002 02:20 pm, you wrote:
> Guys & Gals,
>
> I need help. Something went whacko with eth0 and with my system just
> before my nightly cron job ran and I got a lot of weird messages in my
> log files. I don't know if this was a successful hack or if it was just
> a normal response from the system after eth0 went bonkers. The log
> entries are as follows:
>
> Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
> Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status
> e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce,
> resetting...
> Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD (
> /usr/share/msec/security.sh)
> Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD ( /sbin/rmmod -as)
> Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
> Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
> Dec 26 04:00:15 Nemesis :
> Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files
> found :
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
> Dec 26 04:00:15 Nemesis :
> Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files
> found :
> Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
> Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
> Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
> Dec 26 04:00:15 Nemesis :
> Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable
> Files found :
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix
> Dec 26 04:00:15 Nemesis : - Removed writables files :
> /tmp/.font-unix/fs-1
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
>
> Dec 26 04:00:15 Nemesis :
>
> I understand that the eth0 PNIC2 error is from my tulip driver, but I
> haven't seen this error in the 2 years this box has been running. I have
> never seen the kernel smb errors.
>
> What concerns me is the Change in Suid Root files found. I haven't
> changed a thing on this LM 7.2 box for a long time. This is the first
> time I have seen this Security Warning and I am concerned I may have
> been hacked. Has anyone else seen something like this? Does it look like
> a hack? Where can I get a good check root kit package?
>
> Any help will be greatly appreciated.

You can get the latest version of chkrootkit here:
http://www.chkrootkit.org/

Good Luck
Mike
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mandrake 8.2 Kernel-2.4.18-8.1mdk
Linux user #298896
Thu Dec 26 14:36:21 EST 2002
2:36pm up 1 day, 18:01, 1 user, load average: 0.14, 0.10, 0.02
Homepage: http://micronuke.tripod.com/
Email: [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
