Listmates, I need some help figuring out what netstat is telling me. I am still sorting out just what exactly happened that started this whole mess. What I don't understand is the path information that is output from netstat. Specifically the @0000003a, etc. path information. Anyone know what this means? The output is as follows:
Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 0 [ ACC ] STREAM LISTENING 1925 private/cleanup unix 0 [ ACC ] STREAM LISTENING 1932 private/rewrite unix 0 [ ACC ] STREAM LISTENING 1936 private/bounce unix 0 [ ACC ] STREAM LISTENING 1940 private/defer unix 0 [ ACC ] STREAM LISTENING 1944 private/smtp unix 0 [ ACC ] STREAM LISTENING 1952 private/error unix 0 [ ACC ] STREAM LISTENING 1956 private/local unix 0 [ ACC ] STREAM LISTENING 1960 private/cyrus unix 0 [ ACC ] STREAM LISTENING 1964 private/uucp unix 0 [ ACC ] STREAM LISTENING 1968 private/ifmail unix 0 [ ACC ] STREAM LISTENING 1972 private/bsmtp unix 0 [ ACC ] STREAM LISTENING 637 /var/run/ndc unix 0 [ ] STREAM CONNECTED 465 @0000003a unix 0 [ ] STREAM CONNECTED 474 @0000003b unix 0 [ ACC ] STREAM LISTENING 3340 /tmp/.font-unix/fs-1 unix 0 [ ACC ] STREAM LISTENING 1948 public/showq unix 0 [ ACC ] STREAM LISTENING 3357 /var/lib/mysql/mysql.sock unix 0 [ ] STREAM CONNECTED 224 @00000023 unix 0 [ ACC ] STREAM LISTENING 3281 /tmp/.s.PGSQL.5432 unix 0 [ ACC ] STREAM LISTENING 718 /dev/printer unix 20 [ ] DGRAM 528 /dev/log unix 0 [ ACC ] STREAM LISTENING 1993 /dev/gpmctl unix 1 [ W ] STREAM CONNECTED 486222 unix 1 [ ] STREAM CONNECTED 486221 Jack Coates wrote: > I think this is a bug in Mandrake's msec checker, as every Mandrake box > with this function that I've ever used will occasionally lose its > records and start over in just this way. I ignore them. I get concerned > if it's just a few files, or some strategic files like login and ps. > > On Fri, 2002-12-27 at 09:08, David Rankin wrote: > > Now things are getting weird! > > > > Remember when this all started, I got the Change in Suid Root files found > > messages where it (removed) the Suid files shown in the original message below. > > Today, after cron ran I now get the same files (added). Here is the new output: > > > > Subject: *** Diff Check, Fri Dec 27 04:00:14 CST 2002 *** > > > > > > Security Warning: Change in Suid Root files found : > > - Added suid root files : /bin/mount > > - Added suid root files : /bin/ping > > - Added suid root files : /bin/su > > - Added suid root files : /bin/umount > > - Added suid root files : /sbin/dump > > - Added suid root files : /sbin/linuxconf > > - Added suid root files : /sbin/pwdb_chkpwd > > - Added suid root files : /sbin/restore > > - Added suid root files : /sbin/unix_chkpwd > > > > Security Warning: Changes in Suid Group files found : > > - Added suid group files : /sbin/dump > > - Added suid group files : /sbin/netreport > > - Added suid group files : /sbin/restore > > > > Security Warning: Change in World Writeable Files found : > > - Added writables files : /tmp > > - Added writables files : /tmp/.ICE-unix > > - Added writables files : /tmp/.X11-unix > > - Added writables files : /tmp/.font-unix > > - Added writables files : /tmp/.font-unix/fs-1 > > - Added writables files : /tmp/.s.PGSQL.5432 > > > > Security Warning: There is modifications for port listening on your machine : > > - Opened ports : udp 0 0 *:ntp > > *:* 7387/xntpd > > - Closed ports : udp 0 112 *:ntp > > *:* 7387/xntpd > > - Closed ports : udp 0 0 *:631 > > *:* 633/cupsd > > > > I still don't know what to make of this. All words of wisdom are > > welcome....... > > > > Lorne wrote: > > > > > I'm sure you have downloaded the chkroot kit by now, but it sure looks to me > > > like your system is compromised! It looks like he has managed to replace some > > > files with modified ones and your system caught the permissions. I'm overly > > > paranoid, but I'd sure rebuild the box. Do NOT take the chance. It isn't > > > worth it. I highly recomend snort. I want to do tripwire but haven't had the > > > time. > > > > > > On Thursday 26 December 2002 12:20 pm, David Rankin wrote: > > > > Guy & Gals, > > > > > > > > I need help. Something went whacko with eth0 and with my system just > > > > before my nightly cron job ran and I got a lot of weird messages in my > > > > log files. I don't know if this was a successful hack or if it was just > > > > a noral response from the system after eth0 went bonkers. The log > > > > entries are as follows: > > > > > > > > Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833. > > > > Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status > > > > e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce, > > > > resetting... > > > > Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD ( > > > > /usr/share/msec/security.sh) > > > > Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD ( /sbin/rmmod -as) > > > > Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5 > > > > Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid > > > > Dec 26 04:00:15 Nemesis : > > > > Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files > > > > found : > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore > > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd > > > > Dec 26 04:00:15 Nemesis : > > > > Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files > > > > found : > > > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump > > > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport > > > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore > > > > Dec 26 04:00:15 Nemesis : > > > > Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable > > > > Files found : > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : > > > > /tmp/.font-unix/fs-1 > > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432 > > > > > > > > Dec 26 04:00:15 Nemesis : > > > > > > > > I understand that the eth0 PNIC2 error is from my tulip driver, but I > > > > haven't seen this error in the 2 years this box has been running. I have > > > > never seen the kernel smb errors. > > > > > > > > What concerns me is the Change in Suid Root files found. I haven't > > > > changed a thing on this LM 7.2 box for a long time. This is the first > > > > time I have seen this Security Warning and I am concerned I may have > > > > been hacked. Has anyone else seen something like this? Does it look like > > > > a hack? Where can I get a good check root kit package? > > > > > > > > Any help will be greatly appreciated. > > > > > > ------------------------------------------------------------------------ > > > Want to buy your Pack or Services from MandrakeSoft? > > > Go to http://www.mandrakestore.com > > > > -- > > David C. Rankin, J.D., P.E. > > RANKIN * BERTIN, PLLC > > 510 Ochiltree Street > > Nacogdoches, Texas 75961 > > (936) 715-9333 > > (936) 715-9339 fax > > > > > > > > ---- > > > > > Want to buy your Pack or Services from MandrakeSoft? > > Go to http://www.mandrakestore.com > -- > Jack Coates > Monkeynoodle: A Scientific Venture... > > ------------------------------------------------------------------------ > Want to buy your Pack or Services from MandrakeSoft? > Go to http://www.mandrakestore.com -- David C. Rankin, J.D., P.E. RANKIN * BERTIN, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 (936) 715-9333 (936) 715-9339 fax
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com