I think this is a bug in Mandrake's msec checker, as every Mandrake box with this function that I've ever used will occasionally lose its records and start over in just this way. I ignore them. I get concerned if it's just a few files, or some strategic files like login and ps.
On Fri, 2002-12-27 at 09:08, David Rankin wrote:
> Now things are getting weird!
>
> Remember when this all started, I got the Change in Suid Root files found
> messages where it (removed) the Suid files shown in the original message below.
> Today, after cron ran I now get the same files (added). Here is the new output:
>
> Subject: *** Diff Check, Fri Dec 27 04:00:14 CST 2002 ***
>
>
> Security Warning: Change in Suid Root files found :
> - Added suid root files : /bin/mount
> - Added suid root files : /bin/ping
> - Added suid root files : /bin/su
> - Added suid root files : /bin/umount
> - Added suid root files : /sbin/dump
> - Added suid root files : /sbin/linuxconf
> - Added suid root files : /sbin/pwdb_chkpwd
> - Added suid root files : /sbin/restore
> - Added suid root files : /sbin/unix_chkpwd
>
> Security Warning: Changes in Suid Group files found :
> - Added suid group files : /sbin/dump
> - Added suid group files : /sbin/netreport
> - Added suid group files : /sbin/restore
>
> Security Warning: Change in World Writeable Files found :
> - Added writables files : /tmp
> - Added writables files : /tmp/.ICE-unix
> - Added writables files : /tmp/.X11-unix
> - Added writables files : /tmp/.font-unix
> - Added writables files : /tmp/.font-unix/fs-1
> - Added writables files : /tmp/.s.PGSQL.5432
>
> Security Warning: There is modifications for port listening on your machine :
> - Opened ports : udp 0 0 *:ntp
> *:* 7387/xntpd
> - Closed ports : udp 0 112 *:ntp
> *:* 7387/xntpd
> - Closed ports : udp 0 0 *:631
> *:* 633/cupsd
>
> I still don't know what to make of this. All words of wisdom are
> welcome.......
>
> Lorne wrote:
>
> > I'm sure you have downloaded the chkroot kit by now, but it sure looks to me
> > like your system is compromised! It looks like he has managed to replace some
> > files with modified ones and your system caught the permissions. I'm overly
> > paranoid, but I'd sure rebuild the box. Do NOT take the chance. It isn't
> > worth it. I highly recommend snort. I want to do tripwire but haven't had the
> > time.
> >
> > On Thursday 26 December 2002 12:20 pm, David Rankin wrote:
> > > Guys & Gals,
> > >
> > > I need help. Something went whacko with eth0 and with my system just
> > > before my nightly cron job ran and I got a lot of weird messages in my
> > > log files. I don't know if this was a successful hack or if it was just
> > > a normal response from the system after eth0 went bonkers. The log
> > > entries are as follows:
> > >
> > > Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
> > > Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status
> > > e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce,
> > > resetting...
> > > Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD (
> > > /usr/share/msec/security.sh)
> > > Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD ( /sbin/rmmod -as)
> > > Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
> > > Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files
> > > found :
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
> > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files
> > > found :
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
> > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
> > > Dec 26 04:00:15 Nemesis :
> > > Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable
> > > Files found :
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix
> > > Dec 26 04:00:15 Nemesis : - Removed writables files :
> > > /tmp/.font-unix/fs-1
> > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
> > >
> > > Dec 26 04:00:15 Nemesis :
> > >
> > > I understand that the eth0 PNIC2 error is from my tulip driver, but I
> > > haven't seen this error in the 2 years this box has been running. I have
> > > never seen the kernel smb errors.
> > >
> > > What concerns me is the Change in Suid Root files found. I haven't
> > > changed a thing on this LM 7.2 box for a long time. This is the first
> > > time I have seen this Security Warning and I am concerned I may have
> > > been hacked. Has anyone else seen something like this? Does it look like
> > > a hack? Where can I get a good check root kit package?
> > >
> > > Any help will be greatly appreciated.
> >
> > ------------------------------------------------------------------------
> > Want to buy your Pack or Services from MandrakeSoft?
> > Go to http://www.mandrakestore.com
>
> --
> David C. Rankin, J.D., P.E.
> RANKIN * BERTIN, PLLC
> 510 Ochiltree Street
> Nacogdoches, Texas 75961
> (936) 715-9333
> (936) 715-9339 fax

--
Jack Coates
Monkeynoodle: A Scientific Venture...
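The pattern in the reports above (every SUID file "Removed" on one run, the same files "Added" the next) is what a permission-diff checker produces when its stored baseline disappears between runs. The following shell script is an added illustration of a SUID-file diff check that treats a missing baseline and an empty scan as distinct conditions from a real change; it is not msec's security.sh or anyone's code from this thread, and it assumes POSIX sh with find(1), comm(1) and mktemp(1). SUID_OWNER is a variable introduced here.

```shell
#!/bin/sh
# Added example, not part of msec. A SUID-file baseline check that does not
# mistake "my records vanished" for "every setuid file was removed".
# Assumes POSIX sh, find -perm/-user, comm, mktemp.
export LC_ALL=C                # same collation for sort and comm
: "${SUID_OWNER:=root}"        # owner whose setuid files are tracked

# Sorted list of setuid files owned by $SUID_OWNER under the given directories.
suid_snapshot() {
    find "$@" -type f -user "$SUID_OWNER" -perm -4000 2>/dev/null | sort
}

# suid_diff BASELINE DIR... : report changes against BASELINE in msec's style.
# Exit status: 0 no change, 1 changes reported, 2 baseline was missing or empty
# and has been initialised (nothing reported), 3 scan found nothing so the
# existing baseline was kept rather than overwritten.
suid_diff() {
    baseline=$1; shift
    current=$(mktemp) || return 4
    suid_snapshot "$@" > "$current"
    if [ ! -s "$baseline" ]; then
        # The trap seen in the thread: with no stored records every file
        # would be reported as "Added". Record the snapshot instead.
        mv "$current" "$baseline"
        echo "No baseline at $baseline: initialised from this scan, nothing to diff"
        return 2
    fi
    if [ ! -s "$current" ]; then
        # Nothing at all found: more likely an unreadable or unmounted
        # filesystem than a real mass removal, so keep the known-good baseline.
        rm -f "$current"
        echo "Scan of $* found no setuid files; keeping existing baseline"
        return 3
    fi
    report=$( {
        comm -23 "$baseline" "$current" | sed 's/^/- Removed suid root files : /'
        comm -13 "$baseline" "$current" | sed 's/^/- Added suid root files : /'
    } )
    mv "$current" "$baseline"
    [ -n "$report" ] || return 0
    echo "Security Warning: Change in Suid Root files found :"
    printf '%s\n' "$report"
    return 1
}
```

Run as root with `suid_diff /var/lib/suid.baseline /bin /sbin /usr` from cron; a status of 2 after the baseline already existed means the records were lost, not that the files changed.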
