I'm sure you have downloaded chkrootkit by now, but it sure looks to me 
like your system is compromised! It looks like he has managed to replace some 
files with modified ones and your system caught the permissions. I'm overly 
paranoid, but I'd sure rebuild the box. Do NOT take the chance. It isn't 
worth it. I highly recommend snort. I want to do tripwire but haven't had the 
time. 

On Thursday 26 December 2002 12:20 pm, David Rankin wrote:
> Guys & Gals,
>
>     I need help. Something went whacko with eth0 and with my system just
> before my nightly cron job ran and I got a lot of weird messages in my
> log files. I don't know if this was a successful hack or if it was just
> a normal response from the system after eth0 went bonkers. The log
> entries are as follows:
>
> Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
> Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status
> e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce,
> resetting...
> Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD (
> /usr/share/msec/security.sh)
> Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD (   /sbin/rmmod -as)
> Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
> Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
> Dec 26 04:00:15 Nemesis :
> Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files
> found :
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
> Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
> Dec 26 04:00:15 Nemesis :
> Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files
> found :
> Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
> Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
> Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
> Dec 26 04:00:15 Nemesis :
> Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable
> Files found :
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix
> Dec 26 04:00:15 Nemesis : - Removed writables files :
> /tmp/.font-unix/fs-1
> Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
>
> Dec 26 04:00:15 Nemesis :
>
> I understand that the eth0 PNIC2 error is from my tulip driver, but I
> haven't seen this error in the 2 years this box has been running. I have
> never seen the kernel smb errors.
>
> What concerns me is the Change in Suid Root files found. I haven't
> changed a thing on this LM 7.2 box for a long time. This is the first
> time I have seen this Security Warning and I am concerned I may have
> been hacked. Has anyone else seen something like this? Does it look like
> a hack? Where can I get a good check root kit package?
>
> Any help will be greatly appreciated.
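The "Removed suid root files" lines in the quoted log come from msec's nightly security.sh, which compares the current set of setuid files against a list it saved on an earlier run. The following is an added example, not msec's own script: a minimal baseline check of the same kind in Python, run against a constructed scratch tree (paths are reported relative to whatever root directory the caller passes), which also reports newly appeared setuid files, the case a defender should worry about most.

```python
import os
import stat
import tempfile

def scan_special_bits(root):
    """Walk `root` and return {path: (uid, mode)} for every regular file that
    carries the setuid or setgid bit. Paths are relative to `root`; symlinks
    are lstat'ed, not followed."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # vanished or unreadable: skip, do not abort the scan
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(path, root)] = (st.st_uid, stat.S_IMODE(st.st_mode))
    return found

def diff_baseline(baseline, current):
    """Compare a saved scan to a fresh one. Returns (added, removed, changed),
    each a sorted list. A file that has lost its setuid bit no longer appears
    in `current`, so it is reported as 'removed', exactly as msec words it."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, removed, changed

def run_demo():
    """Constructed scenario in a scratch directory: the baseline has two setuid
    binaries; afterwards one loses its setuid bit and a new setuid file appears."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("bin/mount", "bin/su"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, 0o4755)  # rwsr-xr-x, like a normal setuid root binary
        baseline = scan_special_bits(root)
        os.chmod(os.path.join(root, "bin/mount"), 0o755)  # setuid bit dropped
        newfile = os.path.join(root, "usr/local/bin/helper")
        os.makedirs(os.path.dirname(newfile), exist_ok=True)
        open(newfile, "w").close()
        os.chmod(newfile, 0o4755)  # a setuid file that was not in the baseline
        return diff_baseline(baseline, scan_special_bits(root))
```

In real use, store the output of scan_special_bits("/") somewhere the host cannot silently alter (read-only media or a remote box) and diff against it on each run; a baseline kept on the monitored host is only as trustworthy as the host itself.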
