[olug] breakin?
Tim Russell
russell at probe.net
Thu Aug 31 14:13:19 UTC 2000
Um, yes, that would tend to indicate a problem, to say the least. You
should yank the plug on that machine immediately, and at this point you'd
better reload it completely.
Just out of curiosity, what generated those security warning messages?
That's pretty cool.
Tim #1
----- Original Message -----
From: "mesc" <mescie at home.com>
To: <olug at bstc.net>
Sent: Thursday, August 31, 2000 12:10 AM
Subject: Re: [olug] breakin?
> I think I may have found something to really worry about. This was in my
> /var/log/messages:
> Jul 25 22:22:01 omhan1 PAM_pwdb[969]: (su) session opened for user news by (uid=0)
> Jul 25 22:22:02 omhan1 PAM_pwdb[969]: (su) session closed for user news
> Jul 25 22:25:27 omhan1 PAM_pwdb[1259]: (su) session opened for user root by mesc(uid=501)
> Jul 26 00:09:16 omhan1 :
> Jul 26 00:09:16 omhan1 : Security Warning: Change in Suid Root files found :
> Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/mount
> Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/ping
> Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/su
> Jul 26 00:09:16 omhan1 : - Added suid root files : /bin/umount
> Jul 26 00:09:16 omhan1 : - Added suid root files : /sbin/pwdb_chkpwd
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/Xwrapper
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/imwheel-solo
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/X11R6/bin/xlock
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/at
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/atitv
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/atitvout
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chage
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chfn
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/chsh
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/crontab
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/dos
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/gpasswd
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/kppp
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lpq
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lpr
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/lprm
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/newgrp
> Jul 26 00:09:16 omhan1 : - Added suid root files : /usr/bin/passwd
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/procmail
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rcp
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rlogin
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/rsh
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/sperl5.00503
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/suidperl
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/urpmi
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/vboxbeep
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xatitv
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xatitvc
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xativ
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/xcdroast
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/bin/zgv
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/lib/telnetd/login
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/libexec/pt_chown
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/sendmail
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/traceroute
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/userhelper
> Jul 26 00:09:17 omhan1 : - Added suid root files : /usr/sbin/usernetctl
> Jul 26 00:09:17 omhan1 :
> Jul 26 00:09:17 omhan1 : Security Warning: Changes in Suid Group files found :
> Jul 26 00:09:17 omhan1 : - Added suid group files : /sbin/netreport
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xbill
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xhextris
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xkobo
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/X11R6/bin/xman
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/cdrecord
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnibbles
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnobots2
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnome-stones
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnomine
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gnotravex
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gtali
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/gturing
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/iagno
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/kdesud
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lockfile
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lpq
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lpr
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/lprm
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/mahjongg
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/man
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/minicom
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/procmail
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/same-gnome
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/slocate
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/wall
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/write
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/bin/xmonisdn
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/games/xsoldier
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/lib/emacs/20.5/i386-mandrake-linux/movemail
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/lib/netscape/movemail
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/lib/xemacs-21.1.8/i386-mandrake-linux/movemail
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/gnome-pty-helper
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/lpc
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/sendmail
> Jul 26 00:09:17 omhan1 : - Added suid group files : /usr/sbin/utempter
> Jul 26 00:09:17 omhan1 :
> Jul 26 00:09:17 omhan1 : Security Warning: There is modifications for port listening on your machine :
> and I also checked the permissions on /var/log/messages and they too were
> changed from -r------- to -rw-r--r-- so this guy (I'm assuming it's the
> same guy) apparently got in (through the news server?), suid'ed a bunch of
> files and changed permissions on at least one file that I know of, and
> I'm sure there's more I haven't found yet. I have tripwire installed but,
> being a relative newbie, I'm unsure how to restore with it, besides the
> fact that he/she may have a backdoor on my box now. I worked hard getting
> my box the way I liked it, but would I be better off starting over
> with a clean install, or should I try restoring it with tripwire, and if
> so where would I start?
>
> Thank you, Gary Martin
>
>
> mesc wrote:
>
> > I was looking through /var/log/secure when I saw "Jul 23 10:55:38
> > omhan1 in.telnetd[1049]: connect from 207.114.4.46" and "Jul 27 14:29:03
> > omhan1 in.ftpd[1917]: connect from 203.233.199.252" (yes, from last
> > month, I need to watch my logs better). Now I just have telnet and ftp
> > enabled on my box so I can telnet out or ftp for files. I'm trying to
> > figure out SSH so I can do away with these, but what I need to know is:
> > are these 2 connections just attempts to connect to my box, or did
> > someone in fact connect and login to my box? If so, how can I keep these
> > ppl out, assuming they are coming back?
> >
> > Thank you, Gary Martin
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> > For additional commands, e-mail: olug-help at bstc.net
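As an added example for this thread (not part of the original mail, and not Mandrake's msec or tripwire), here is a small Python baseline-and-compare check that produces the same kind of "Added suid root files" diff as the warnings Gary quoted, together with a check that /var/log/messages still has the mode he expected (-r--------). The file tree, the modes and the "after" state are constructed in a temporary directory so it runs offline without root; the function names scan_privileged, msec_style_report and check_mode are chosen here, and the wording of the report only imitates the quoted log.

```python
# Added example for this thread: a baseline-and-compare check for setuid/setgid
# files, in the spirit of the "Security Warning: Change in Suid Root files"
# messages quoted above. Not Mandrake's msec or tripwire. The file tree,
# modes and the "post-incident" change are constructed in a temp directory so
# the script runs offline without root; real use would scan "/" and keep the
# baseline somewhere the machine itself cannot rewrite.
import os
import stat
import tempfile


def scan_privileged(root):
    """Walk root; return (setuid_paths, setgid_paths) as sets of paths
    written relative to root with a leading "/" (a scan of "/" yields /bin/su)."""
    setuid, setgid = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)            # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                       # only regular files matter here
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if st.st_mode & stat.S_ISUID:
                setuid.add(rel)
            if st.st_mode & stat.S_ISGID:
                setgid.add(rel)
    return setuid, setgid


def diff_sets(baseline, current):
    """Return (added, removed) relative to the baseline, both sorted."""
    return sorted(current - baseline), sorted(baseline - current)


def msec_style_report(baseline_suid, current_suid, baseline_sgid, current_sgid):
    """Render the diff as lines shaped like the warnings in the quoted log."""
    lines = []
    for label, base, cur in (("suid root", baseline_suid, current_suid),
                             ("suid group", baseline_sgid, current_sgid)):
        added, removed = diff_sets(base, cur)
        if not added and not removed:
            continue
        lines.append("Security Warning: Change in %s files found :" % label.title())
        lines += ["- Added %s files : %s" % (label, p) for p in added]
        lines += ["- Removed %s files : %s" % (label, p) for p in removed]
    return lines


def check_mode(path, expected):
    """Return (ok, actual_mode_string) for a file whose permission bits should
    equal `expected` (0o400 for a root-only readable /var/log/messages)."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode) == expected, stat.filemode(st.st_mode)


def _mkfile(root, rel, mode):
    """Constructed helper: create root/rel with the given mode bits."""
    full = os.path.join(root, rel.lstrip("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write("x")
    os.chmod(full, mode)
    return full


def demo():
    """Constructed scenario: take a baseline, then simulate what the quoted
    log shows (a new setuid binary appears, the log file is opened up)."""
    with tempfile.TemporaryDirectory() as root:
        _mkfile(root, "/bin/su", 0o4755)
        _mkfile(root, "/usr/bin/passwd", 0o4755)
        _mkfile(root, "/usr/bin/wall", 0o2755)
        log = _mkfile(root, "/var/log/messages", 0o400)
        base_suid, base_sgid = scan_privileged(root)

        # "after" state (constructed): extra setuid file, log made world-readable
        _mkfile(root, "/usr/bin/sperl5.00503", 0o4755)
        os.chmod(log, 0o644)
        cur_suid, cur_sgid = scan_privileged(root)

        report = msec_style_report(base_suid, cur_suid, base_sgid, cur_sgid)
        log_ok, log_mode = check_mode(log, 0o400)
        return report, log_ok, log_mode


if __name__ == "__main__":
    rep, ok, mode = demo()
    print("\n".join(rep))
    print("/var/log/messages is %s (expected -r--------): %s"
          % (mode, "OK" if ok else "CHANGED"))
```

A diff like this only means something against a baseline taken while the system was known-good: the very first run reports every setuid binary on the box as "added", and the mount, ping, su and passwd entries in the quoted list are the sort of files any Linux install of that era ships setuid. Whether the baseline was trustworthy is a separate question from whether the machine was, which is why Tim's advice to rebuild rather than repair still stands once root access is suspected.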