Listmates,

    I need some help figuring out what netstat is telling me. I am still sorting out
just what exactly happened that started this whole mess. What I don't understand is
the path information that is output from netstat. Specifically, the @0000003a, etc.
path information. Anyone know what this means? The output is as follows:

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     1925   private/cleanup
unix  0      [ ACC ]     STREAM     LISTENING     1932   private/rewrite
unix  0      [ ACC ]     STREAM     LISTENING     1936   private/bounce
unix  0      [ ACC ]     STREAM     LISTENING     1940   private/defer
unix  0      [ ACC ]     STREAM     LISTENING     1944   private/smtp
unix  0      [ ACC ]     STREAM     LISTENING     1952   private/error
unix  0      [ ACC ]     STREAM     LISTENING     1956   private/local
unix  0      [ ACC ]     STREAM     LISTENING     1960   private/cyrus
unix  0      [ ACC ]     STREAM     LISTENING     1964   private/uucp
unix  0      [ ACC ]     STREAM     LISTENING     1968   private/ifmail
unix  0      [ ACC ]     STREAM     LISTENING     1972   private/bsmtp
unix  0      [ ACC ]     STREAM     LISTENING     637    /var/run/ndc
unix  0      [ ]         STREAM     CONNECTED     465    @0000003a
unix  0      [ ]         STREAM     CONNECTED     474    @0000003b
unix  0      [ ACC ]     STREAM     LISTENING     3340   /tmp/.font-unix/fs-1
unix  0      [ ACC ]     STREAM     LISTENING     1948   public/showq
unix  0      [ ACC ]     STREAM     LISTENING     3357   /var/lib/mysql/mysql.sock
unix  0      [ ]         STREAM     CONNECTED     224    @00000023
unix  0      [ ACC ]     STREAM     LISTENING     3281   /tmp/.s.PGSQL.5432
unix  0      [ ACC ]     STREAM     LISTENING     718    /dev/printer
unix  20     [ ]         DGRAM                    528    /dev/log
unix  0      [ ACC ]     STREAM     LISTENING     1993   /dev/gpmctl
unix  1      [ W ]       STREAM     CONNECTED     486222
unix  1      [ ]         STREAM     CONNECTED     486221


Jack Coates wrote:

> I think this is a bug in Mandrake's msec checker, as every Mandrake box
> with this function that I've ever used will occasionally lose its
> records and start over in just this way. I ignore them. I get concerned
> if it's just a few files, or some strategic files like login and ps.
>
> On Fri, 2002-12-27 at 09:08, David Rankin wrote:
> > Now things are getting weird!
> >
> >     Remember when this all started, I got the Change in Suid Root files found
> > messages where it (removed) the Suid files shown in the original message below.
> > Today, after cron ran I now get the same files (added). Here is the new output:
> >
> > Subject: *** Diff Check, Fri Dec 27 04:00:14 CST 2002 ***
> >
> >
> > Security Warning: Change in Suid Root files found :
> >                 - Added suid root files : /bin/mount
> >                 - Added suid root files : /bin/ping
> >                 - Added suid root files : /bin/su
> >                 - Added suid root files : /bin/umount
> >                 - Added suid root files : /sbin/dump
> >                 - Added suid root files : /sbin/linuxconf
> >                 - Added suid root files : /sbin/pwdb_chkpwd
> >                 - Added suid root files : /sbin/restore
> >                 - Added suid root files : /sbin/unix_chkpwd
> >
> > Security Warning: Changes in Suid Group files found :
> >                 - Added suid group files : /sbin/dump
> >                 - Added suid group files : /sbin/netreport
> >                 - Added suid group files : /sbin/restore
> >
> > Security Warning: Change in World Writeable Files found :
> >                 - Added writables files : /tmp
> >                 - Added writables files : /tmp/.ICE-unix
> >                 - Added writables files : /tmp/.X11-unix
> >                 - Added writables files : /tmp/.font-unix
> >                 - Added writables files : /tmp/.font-unix/fs-1
> >                 - Added writables files : /tmp/.s.PGSQL.5432
> >
> > Security Warning: There is modifications for port listening on your machine :
> >                 -  Opened ports : udp        0      0 *:ntp
> > *:*                                 7387/xntpd
> >                 - Closed ports  : udp        0    112 *:ntp
> > *:*                                 7387/xntpd
> >                 - Closed ports  : udp        0      0 *:631
> > *:*                                 633/cupsd
> >
> >     I still don't know what to make of this. All words of wisdom are
> > welcome.......
> >
> > Lorne wrote:
> >
> > > I'm sure you have downloaded the chkroot kit by now, but it sure looks to me
> > > like your system is compromised! It looks like he has managed to replace some
> > > files with modified ones and your system caught the permissions. I'm overly
> > > paranoid, but I'd sure rebuild the box. Do NOT take the chance. It isn't
> > > worth it. I highly recommend snort. I want to do tripwire but haven't had the
> > > time.
> > >
> > > On Thursday 26 December 2002 12:20 pm, David Rankin wrote:
> > > > Guys & Gals,
> > > >
> > > >     I need help. Something went whacko with eth0 and with my system just
> > > > before my nightly cron job ran and I got a lot of weird messages in my
> > > > log files. I don't know if this was a successful hack or if it was just
> > > > a normal response from the system after eth0 went bonkers. The log
> > > > entries are as follows:
> > > >
> > > > Dec 26 03:54:01 Nemesis kernel: eth0: Tx hung, 2256843 vs. 2256833.
> > > > Dec 26 03:54:01 Nemesis kernel: eth0: PNIC2 transmit timed out, status
> > > > e4000000, CSR6/7 0100c000 / effffbff CSR12 000090ce,
> > > > resetting...
> > > > Dec 26 04:00:00 Nemesis CROND[22621]: (root) CMD (
> > > > /usr/share/msec/security.sh)
> > > > Dec 26 04:00:00 Nemesis CROND[22622]: (root) CMD (   /sbin/rmmod -as)
> > > > Dec 26 04:00:00 Nemesis kernel: smb_get_length: recv error = 5
> > > > Dec 26 04:00:00 Nemesis kernel: smb_request: result -5, setting invalid
> > > > Dec 26 04:00:15 Nemesis :
> > > > Dec 26 04:00:15 Nemesis : Security Warning: Change in Suid Root files
> > > > found :
> > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/mount
> > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/ping
> > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/su
> > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /bin/umount
> > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/dump
> > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/linuxconf
> > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/pwdb_chkpwd
> > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/restore
> > > > Dec 26 04:00:15 Nemesis : - Removed suid root files : /sbin/unix_chkpwd
> > > > Dec 26 04:00:15 Nemesis :
> > > > Dec 26 04:00:15 Nemesis : Security Warning: Changes in Suid Group files
> > > > found :
> > > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/dump
> > > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/netreport
> > > > Dec 26 04:00:15 Nemesis : - Removed suid group files : /sbin/restore
> > > > Dec 26 04:00:15 Nemesis :
> > > > Dec 26 04:00:15 Nemesis : Security Warning: Change in World Writeable
> > > > Files found :
> > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp
> > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.ICE-unix
> > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.X11-unix
> > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.font-unix
> > > > Dec 26 04:00:15 Nemesis : - Removed writables files :
> > > > /tmp/.font-unix/fs-1
> > > > Dec 26 04:00:15 Nemesis : - Removed writables files : /tmp/.s.PGSQL.5432
> > > >
> > > > Dec 26 04:00:15 Nemesis :
> > > >
> > > > I understand that the eth0 PNIC2 error is from my tulip driver, but I
> > > > haven't seen this error in the 2 years this box has been running. I have
> > > > never seen the kernel smb errors.
> > > >
> > > > What concerns me is the Change in Suid Root files found. I haven't
> > > > changed a thing on this LM 7.2 box for a long time. This is the first
> > > > time I have seen this Security Warning and I am concerned I may have
> > > > been hacked. Has anyone else seen something like this? Does it look like
> > > > a hack? Where can I get a good check root kit package?
> > > >
> > > > Any help will be greatly appreciated.
> > >
> > >   ------------------------------------------------------------------------
> > > Want to buy your Pack or Services from MandrakeSoft?
> > > Go to http://www.mandrakestore.com
> >
> > --
> > David C. Rankin, J.D., P.E.
> > RANKIN * BERTIN, PLLC
> > 510 Ochiltree Street
> > Nacogdoches, Texas 75961
> > (936) 715-9333
> > (936) 715-9339 fax
> >
> >
> >
> --
> Jack Coates
> Monkeynoodle: A Scientific Venture...
>

--
David C. Rankin, J.D., P.E.
RANKIN * BERTIN, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
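No reply in the thread addresses the netstat question, so here is an added example of my own (not code from anyone in the thread) that parses the "Active UNIX domain sockets" table above and sorts each entry by the kind of name in its Path column. On Linux, a Path beginning with "@" is a socket in the abstract namespace: the name's first byte is a NUL, which netstat prints as "@", and names of the five-hex-digit form seen here (@0000003a and the like) are the ones the kernel assigns automatically to sockets that need an address but were never given one. Entries with no Path at all are unnamed (typically the connecting side of a stream, or one end of a socketpair), entries that start with "/" are socket nodes on disk, and a relative entry such as private/cleanup was bound relative to the working directory of the process that created it. The sample is a constructed excerpt of the table in the post; the helper names are my own.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the "Active UNIX domain sockets" table quoted in the post.
NETSTAT_SAMPLE = """\
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     1925   private/cleanup
unix  0      [ ACC ]     STREAM     LISTENING     637    /var/run/ndc
unix  0      [ ]         STREAM     CONNECTED     465    @0000003a
unix  0      [ ]         STREAM     CONNECTED     474    @0000003b
unix  0      [ ACC ]     STREAM     LISTENING     3340   /tmp/.font-unix/fs-1
unix  0      [ ACC ]     STREAM     LISTENING     1948   public/showq
unix  0      [ ACC ]     STREAM     LISTENING     3357   /var/lib/mysql/mysql.sock
unix  0      [ ]         STREAM     CONNECTED     224    @00000023
unix  0      [ ACC ]     STREAM     LISTENING     3281   /tmp/.s.PGSQL.5432
unix  0      [ ACC ]     STREAM     LISTENING     718    /dev/printer
unix  20     [ ]         DGRAM                    528    /dev/log
unix  1      [ W ]       STREAM     CONNECTED     486222
unix  1      [ ]         STREAM     CONNECTED     486221
"""

# One data row of the table. State is absent for DGRAM sockets and Path is absent
# for sockets that were never bound to a name, so both groups are optional.
ROW_RE = re.compile(
    r"^unix\s+(?P<refcnt>\d+)\s+"
    r"\[\s*(?P<flags>[A-Z ]*?)\s*\]\s+"
    r"(?P<type>[A-Z]+)\s+"
    r"(?:(?P<state>[A-Z]+)\s+)?"
    r"(?P<inode>\d+)"
    r"(?:\s+(?P<path>\S+))?\s*$"
)


def classify_path(path):
    """Name the namespace a Path column entry lives in."""
    if path is None:
        return "unnamed"      # never bound: e.g. the connecting side of a stream, or a socketpair()
    if path.startswith("@"):
        return "abstract"     # Linux abstract namespace; the leading NUL byte is printed as '@'
    if path.startswith("/"):
        return "filesystem"   # a socket inode on disk, subject to directory and file permissions
    return "relative"         # bound with a relative path, resolved against the binding process's cwd


def parse_unix_sockets(text):
    """Parse netstat's UNIX-socket table into a list of dicts; non-data lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        records.append({
            "refcnt": int(m.group("refcnt")),
            "flags": m.group("flags").split(),   # e.g. ['ACC'] for a listening socket
            "type": m.group("type"),
            "state": m.group("state"),
            "inode": int(m.group("inode")),
            "path": path,
            "namespace": classify_path(path),
        })
    return records


def namespace_counts(records):
    """How many sockets fall into each namespace."""
    return Counter(r["namespace"] for r in records)


def sockets_under(records, directory):
    """Filesystem sockets whose node lives below the given directory (e.g. /tmp)."""
    prefix = directory.rstrip("/") + "/"
    return [r["path"] for r in records
            if r["namespace"] == "filesystem" and r["path"].startswith(prefix)]


if __name__ == "__main__":
    recs = parse_unix_sockets(NETSTAT_SAMPLE)
    for r in recs:
        print(f"{r['inode']:>7} {r['type']:<7} {r['namespace']:<10} {r['path'] or '(none)'}")
    print(dict(namespace_counts(recs)))
    print("socket nodes under /tmp:", sockets_under(recs, "/tmp"))
```

Two things this sorting makes visible in the original output: the three "@" entries are abstract-namespace connections with no file behind them, so there is nothing on disk to look for, and /tmp/.font-unix/fs-1 and /tmp/.s.PGSQL.5432 are listening socket nodes in /tmp, which is why the same two paths turn up in the "World Writeable Files" warnings quoted further down.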


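Jack Coates's explanation, that msec occasionally loses its records and starts over, fits the two reports in the thread exactly: one night every SUID file is "Removed", the next night the very same files are "Added". The added example below is my own model of a cron-driven diff check (it is not msec's code) and shows how that pattern arises when a checker adopts the result of a failed, empty scan as its new baseline, beside a variant that keeps the old records and flags the scan instead. The baseline list is the set of files from the thread; the three-night scenario, the reason night 1's scan comes back empty, and the new SUID path on night 3 are all constructed.

```python
# Toy model of a nightly "Diff Check": compare the current SUID-root file list with the
# list saved by the previous run, report Removed/Added, then save the current list.
# Added example; not msec's code, only an illustration of the behaviour seen in the thread.

# Constructed baseline: the SUID-root files the thread's first report listed as removed.
BASELINE = ["/bin/mount", "/bin/ping", "/bin/su", "/bin/umount", "/sbin/dump",
            "/sbin/linuxconf", "/sbin/pwdb_chkpwd", "/sbin/restore", "/sbin/unix_chkpwd"]


def diff_lists(previous, current):
    """Return (removed, added) between two file lists, sorted for stable reports."""
    prev, cur = set(previous), set(current)
    return sorted(prev - cur), sorted(cur - prev)


def format_report(report, label="suid root files"):
    """Render a report in the style of the security.sh mail, or a one-line status."""
    if report["status"] != "ok":
        return f"Security Warning: scan {report['status']}, previous records kept"
    lines = []
    for kind in ("Removed", "Added"):
        for path in report[kind.lower()]:
            lines.append(f"\t\t- {kind} {label} : {path}")
    if not lines:
        return "no change"
    return "Security Warning: Change in Suid Root files found :\n" + "\n".join(lines)


class NaiveChecker:
    """Adopts whatever the scan returned as the next baseline, even a failed, empty scan."""

    def __init__(self, baseline):
        self.saved = list(baseline)

    def run(self, scan_result, scan_ok=True):
        removed, added = diff_lists(self.saved, scan_result)
        self.saved = list(scan_result)          # an empty scan wipes the records here
        return {"status": "ok", "removed": removed, "added": added}


class GuardedChecker:
    """Keeps the old records when the scan failed or came back empty, and says so."""

    def __init__(self, baseline):
        self.saved = list(baseline)

    def run(self, scan_result, scan_ok=True):
        # A scan that finds no SUID binaries at all on a box that had nine the night
        # before is far more likely a broken scan than nine removals: keep the records,
        # report the scan itself, and let the next successful run diff against them.
        if not scan_ok:
            return {"status": "failed", "removed": [], "added": []}
        if self.saved and not scan_result:
            return {"status": "empty", "removed": [], "added": []}
        removed, added = diff_lists(self.saved, scan_result)
        self.saved = list(scan_result)
        return {"status": "ok", "removed": removed, "added": added}


def simulate(checker, scans):
    """Feed a sequence of (scan_result, scan_ok) pairs to a checker and collect its reports."""
    return [checker.run(result, ok) for result, ok in scans]


# Constructed scenario: night 1 the scan aborts and yields nothing (hypothetical cause,
# not established by the thread), night 2 it succeeds, night 3 one new SUID binary appears.
NEW_SUID = "/usr/local/bin/example-suid"     # constructed path, not from the thread
SCENARIO = [([], False), (BASELINE, True), (BASELINE + [NEW_SUID], True)]

if __name__ == "__main__":
    for name, checker in (("naive", NaiveChecker(BASELINE)), ("guarded", GuardedChecker(BASELINE))):
        print(f"=== {name} checker ===")
        for night, report in enumerate(simulate(checker, SCENARIO), 1):
            print(f"night {night}: {format_report(report)}")
```

The naive checker reproduces the thread's two mails in order (all nine files removed, then all nine added) and only on night 3 reports something real; the guarded one reports night 1 as a failed scan, stays quiet on night 2, and reports the same genuine addition on night 3. The practical check either way is the one Jack describes: a full-list flip in both directions is the checker resetting, while a short list naming a strategic binary is what deserves a package-manager verification and a rootkit check.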
