Users losing KDE [SOLVED]


crazyspongebob

Hi all,

I have a family box with the following specs

System Specs

AMD Athlon 800

384 MB

6 gb hard disk

Voodoo 3 16MB

3Com network card.

 

The box has 6 users on it. Two of them lost KDE during the weekend. When they log in, the only thing that appears on the screen is the console. It is just like generic X-window, no menus or anything. In the console, when I type exit, the users exit their sessions. When I type icewm-session, ICE starts. The following is a partial log that says the box might be compromised.

 

 

Nov 7 04:04:17 a : Security Warning: Change in World Writable Files found :

Nov 7 04:04:17 a : - No longer present writable file : /tmp/.ICE-unix/dcop3494-1099008396

Nov 7 04:04:17 a :

Nov 7 04:04:17 a : Security Warning: the md5 checksum for one of your SUID files has changed,

Nov 7 04:04:17 a : maybe an intruder modified one of these suid binary in order to put in a backdoor...

Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/chage

Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/expiry

Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/gpasswd

Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/newgrp

Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/sperl5.8.3

Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/suidperl

Nov 7 04:04:17 a :

Nov 7 04:04:17 a : Security Warning: World Writable files found :

Nov 7 04:04:17 a : - /lib/dev-state/dri/card0

Nov 7 04:04:17 a : - /tmp/.ICE-unix

Nov 7 04:04:17 a : - /tmp/.X11-unix

Nov 7 04:04:17 a : - /tmp/.X11-unix/X0

Nov 7 04:04:17 a : - /tmp/.font-unix

Nov 7 04:04:17 a : - /tmp/.font-unix/fs-1

Nov 7 04:04:17 a : - /var/spool/postfix/dev/log

Nov 7 04:04:17 a : - /var/spool/postfix/private/anvil

Nov 7 04:04:17 a : - /var/spool/postfix/private/bounce

Nov 7 04:04:17 a : - /var/spool/postfix/private/cyrus

Nov 7 04:04:17 a : - /var/spool/postfix/private/cyrus-chroot

Nov 7 04:04:17 a : - /var/spool/postfix/private/cyrus-deliver

Nov 7 04:04:17 a : - /var/spool/postfix/private/cyrus-inet

Nov 7 04:04:17 a : - /var/spool/postfix/private/defer

Nov 7 04:04:17 a : - /var/spool/postfix/private/error

Nov 7 04:04:17 a : - /var/spool/postfix/private/lmtp

Nov 7 04:04:17 a : - /var/spool/postfix/private/lmtp-filter

Nov 7 04:04:17 a : - /var/spool/postfix/private/local

Nov 7 04:04:17 a : - /var/spool/postfix/private/maildrop

Nov 7 04:04:17 a : - /var/spool/postfix/private/proxymap

Nov 7 04:04:17 a : - /var/spool/postfix/private/relay

Nov 7 04:04:17 a : - /var/spool/postfix/private/rewrite

Nov 7 04:04:17 a : - /var/spool/postfix/private/smtp

Nov 7 04:04:17 a : - /var/spool/postfix/private/smtp-filter

Nov 7 04:04:17 a : - /var/spool/postfix/private/tlsmgr

Nov 7 04:04:17 a : - /var/spool/postfix/private/trace

Nov 7 04:04:17 a : - /var/spool/postfix/private/uucp

Nov 7 04:04:17 a : - /var/spool/postfix/private/verify

Nov 7 04:04:17 a : - /var/spool/postfix/private/virtual

Nov 7 04:04:17 a : - /var/spool/postfix/public/cleanup

Nov 7 04:04:17 a : - /var/spool/postfix/public/flush

Nov 7 04:04:17 a : - /var/spool/postfix/public/pickup

Nov 7 04:04:17 a : - /var/spool/postfix/public/qmgr

Nov 7 04:22:00 a CROND[7860]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)

Nov 7 05:01:00 a CROND[13467]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)

Nov 7 05:01:01 a msec: changed mode of /var/log/security/open_port.today from 644 to 640

Nov 7 05:01:01 a msec: changed mode of /var/log/security/sgid.today from 644 to 640

Nov 7 05:01:01 a msec: changed mode of /var/log/security/suid_root.today from 644 to 640

Nov 7 05:01:01 a msec: changed mode of /var/log/security/suid_md5.today from 644 to 640

Nov 7 05:01:01 a msec: changed mode of /var/log/security/suid_md5.today from 644 to 640

Nov 7 05:01:01 a msec: changed mode of /var/log/security.log from 644 to 640

Nov 7 05:01:01 a msec: changed group of /var/log/security.log from root to adm

Nov 7 05:01:01 a msec: changed mode of /var/log/wtmp from 664 to 640

Nov 7 05:01:01 a msec: changed group of /var/log/wtmp from utmp to adm

Nov 7 05:01:01 a msec: changed mode of /var/log/security/unowned_group.today from 644 to 640

Nov 7 05:01:01 a msec: changed mode of /var/log/security/writable.today from 644 to 640

Nov 7 05:01:01 a msec: changed mode of /var/log/security/unowned_user.today from 644 to 640

Nov 7 06:01:00 a CROND[13549]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)

Nov 7 07:01:00 a CROND[13612]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)

Nov 7 08:01:00 a CROND[13675]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)

 

I have uninstalled postfix since I just installed it for a test run.

Suggestions?

 

Thanx

JT

 

[moved from Installing Mandrake by spinynorman]


Nov 7 04:04:17 a : Security Warning: the md5 checksum for one of your SUID files has changed,

Nov 7 04:04:17 a : maybe an intruder modified one of these suid binary in order to put in a backdoor...

This is what sounds most alarming to me, because it is very hard to break into a Linux system. Have you activated your firewall?

Nov 7 04:04:17 a : - No longer present writable file : /tmp/.ICE-unix/dcop3494-1099008396

Did the affected users tweak anything? Have they installed/deleted anything during the last days?


I forgot to suggest some stuff:

1) Change ALL passwords on your box: root and user and whaddoiknowwhatyouhave.

2) Create new /home directories and move the compromised users' "sensitive" data there. Do not move any crap there (it might cause trouble again!), then delete the compromised users' /home directories.

3) When you set up new passwords, make sure that they are hard to guess, e.g. "Jkl23TP8n" would be a good password. Do not use passwords that look like this: "tuxiscool".

4) Make sure that your firewall is activated. In case you have a router, activate its firewall, too (if it has one).


Thanks for your fast reply.

Currently, I have ADSL and an IPCop box sits in front of all of my internal boxes. The two users that are affected have no login password. I also have shorewall activated on this Mandrake 10.0 box. I don't know what they did to their accounts. I will check with them soon. This box is not permanently on, so I am not too worried about it. However, I have to investigate.

 

Thanx again.

 

JT


I am the only power user of the system. My other two users just know how to log in to the system to surf the web, chat, and play internet games. They don't know anything else, so I guess they did not delete or change anything. I wonder if they got compromised by using Yahoo! Messenger. They have nagged me to install it for them. It's just convenient for them not to have passwords. For my account, I do have a password. I looked into my Explanations log and it says that MandrakeUpdate was run on Nov 7, yet way later. I wonder if I can use a live CD like Ubuntu to fix the problem.

Here is the content of the security.log:

 

*** Diff Check, Sun Nov 7 04:04:17 EST 2004 ***

 

 

Security Warning: Change in World Writable Files found :

- No longer present writable file : /tmp/.ICE-unix/dcop3494-1099008396

 

Security Warning: the md5 checksum for one of your SUID files has changed,

maybe an intruder modified one of these suid binary in order to put in a backdoor...

- Checksum changed file : /usr/bin/chage

- Checksum changed file : /usr/bin/expiry

- Checksum changed file : /usr/bin/gpasswd

- Checksum changed file : /usr/bin/newgrp

- Checksum changed file : /usr/bin/sperl5.8.3

- Checksum changed file : /usr/bin/suidperl

 

 

*** Security Check, Sun Nov 7 04:04:17 EST 2004 ***

 

 

Security Warning: World Writable files found :

- /lib/dev-state/dri/card0

- /tmp/.ICE-unix

- /tmp/.X11-unix

- /tmp/.X11-unix/X0

- /tmp/.font-unix

- /tmp/.font-unix/fs-1

- /var/spool/postfix/dev/log

- /var/spool/postfix/private/anvil

- /var/spool/postfix/private/bounce

- /var/spool/postfix/private/cyrus

- /var/spool/postfix/private/cyrus-chroot

- /var/spool/postfix/private/cyrus-deliver

- /var/spool/postfix/private/cyrus-inet

- /var/spool/postfix/private/defer

- /var/spool/postfix/private/error

- /var/spool/postfix/private/lmtp

- /var/spool/postfix/private/lmtp-filter

- /var/spool/postfix/private/local

- /var/spool/postfix/private/maildrop

- /var/spool/postfix/private/proxymap

- /var/spool/postfix/private/relay

- /var/spool/postfix/private/rewrite

- /var/spool/postfix/private/smtp

- /var/spool/postfix/private/smtp-filter

- /var/spool/postfix/private/tlsmgr

- /var/spool/postfix/private/trace

- /var/spool/postfix/private/uucp

- /var/spool/postfix/private/verify

- /var/spool/postfix/private/virtual

- /var/spool/postfix/public/cleanup

- /var/spool/postfix/public/flush

- /var/spool/postfix/public/pickup

- /var/spool/postfix/public/qmgr

- /var/spool/postfix/public/showq

 

 

*** Diff Check, Wed Nov 10 04:04:32 EST 2004 ***

 

 

Security Warning: Change in World Writable Files found :

- Newly added writable file : /tmp/.ICE-unix/dcop2877-1100059156

 

 

*** Security Check, Wed Nov 10 04:04:33 EST 2004 ***

 

 

Security Warning: World Writable files found :

- /lib/dev-state/dri/card0

- /tmp/.ICE-unix

- /tmp/.ICE-unix/dcop2877-1100059156

- /tmp/.X11-unix

- /tmp/.X11-unix/X0

- /tmp/.font-unix

- /tmp/.font-unix/fs-1

- /var/spool/postfix/dev/log

- /var/spool/postfix/private/anvil

- /var/spool/postfix/private/bounce

- /var/spool/postfix/private/cyrus

- /var/spool/postfix/private/cyrus-chroot

- /var/spool/postfix/private/cyrus-deliver

- /var/spool/postfix/private/cyrus-inet

- /var/spool/postfix/private/defer

- /var/spool/postfix/private/error

- /var/spool/postfix/private/lmtp

- /var/spool/postfix/private/lmtp-filter

- /var/spool/postfix/private/local

- /var/spool/postfix/private/maildrop

- /var/spool/postfix/private/proxymap

- /var/spool/postfix/private/relay

- /var/spool/postfix/private/rewrite

- /var/spool/postfix/private/smtp

- /var/spool/postfix/private/smtp-filter

- /var/spool/postfix/private/tlsmgr

- /var/spool/postfix/private/trace

- /var/spool/postfix/private/uucp

- /var/spool/postfix/private/verify

- /var/spool/postfix/private/virtual

- /var/spool/postfix/public/cleanup

- /var/spool/postfix/public/flush

- /var/spool/postfix/public/pickup

- /var/spool/postfix/public/qmgr

- /var/spool/postfix/public/showq

 

I wonder if these files need to be world writable for Mandrake 10 to function. Postfix was uninstalled this morning as I mentioned before.

 

Thanx

J.T.

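Added example, not from the thread or from msec: a small parser for the security.log format pasted above, which also strips the "Nov 7 04:04:17 a : " prefix the first post's syslog-relayed copy carries, so the changed-SUID paths and the world-writable delta between two Diff Checks can be pulled out mechanically instead of read by eye. The sample log is constructed from the lines shown, not the poster's full file.

```python
import re
from collections import defaultdict

# Constructed sample in the security.log format shown in this thread (not the poster's full file).
SAMPLE_LOG = """\
*** Diff Check, Sun Nov 7 04:04:17 EST 2004 ***
Security Warning: Change in World Writable Files found :
- No longer present writable file : /tmp/.ICE-unix/dcop3494-1099008396
Security Warning: the md5 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a backdoor...
- Checksum changed file : /usr/bin/chage
- Checksum changed file : /usr/bin/gpasswd
*** Security Check, Sun Nov 7 04:04:17 EST 2004 ***
Security Warning: World Writable files found :
- /tmp/.X11-unix/X0
*** Diff Check, Wed Nov 10 04:04:32 EST 2004 ***
Security Warning: Change in World Writable Files found :
- Newly added writable file : /tmp/.ICE-unix/dcop2877-1100059156
"""

# Prefix present when the same output is relayed through syslog ("Nov 7 04:04:17 a : ...").
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ : ?")
SECTION = re.compile(r"^\*\*\* (Diff Check|Security Check), (.+?) \*\*\*$")
ITEM = re.compile(r"^- (?:(?P<kind>[^:]+?) : )?(?P<path>/\S+)$")

def parse_msec_log(text):
    """Return {(section, date): {warning: [(kind, path), ...]}} for either log form."""
    findings = defaultdict(lambda: defaultdict(list))
    section, warning = ("unsectioned", ""), None  # syslog-relayed output has no *** headers
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw).strip()
        m = SECTION.match(line)
        if m:
            section, warning = (m.group(1), m.group(2)), None
        elif line.startswith("Security Warning:"):
            warning = line[len("Security Warning:"):].strip(" :,")
        elif (m := ITEM.match(line)) and warning:
            kind = (m.group("kind") or "present").strip()  # bare "- /path" lines list current state
            findings[section][warning].append((kind, m.group("path")))
    return findings

def paths_flagged(findings, kind):
    """Every path reported under one item kind, e.g. "Checksum changed file"."""
    return sorted({p for warns in findings.values() for items in warns.values()
                   for k, p in items if k == kind})

def world_writable_delta(findings):
    """(newly added, no longer present) world-writable paths across all Diff Check sections."""
    return (paths_flagged(findings, "Newly added writable file"),
            paths_flagged(findings, "No longer present writable file"))
```

Run over the two Diff Checks above, the delta is just one dcop socket going away and another appearing, which is what a KDE session start and stop look like; the changed-checksum list is the part worth comparing against the package database.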

The two users that are affected have no login password.
ARGH!!!!!!!!!!!

 

 

It's just that they are used to window$. So a password is such an annoyance for them, and if they had a password, it would be very easy to guess. But writing this down, I think having a password is better than none. So I will ask them to put passwords on their accounts then. I am thinking of using either a Knoppix or Ubuntu live CD to delete those two accounts and create new ones with password protection.

 

Thanx

J.T.


How can creating new accounts this time with passwords help to correct the situation ???

 

It would appear to me that these two users are either careless and irresponsible about what they connect to, or unknowingly have connected to contaminated sites.

Surely the best response is to insist on blocking them from Yahoo crap and to educate them about what kind of sites to NOT connect to. Wanting to play games is not a really smart reason for justifying putting a computer's integrity at risk, regardless of player arguments.

 

John.


John,

Having a computer connected to the net that you can log in to without a password is asking for trouble.

 

As for the sites they visit, it's highly unlikely Linux systems could get affected by any malicious content or viruses on websites. That kind of stuff is always aimed at windoze users with their .exe file extensions etc.


Hello Anon.

I simply phrased it badly. You are right about the password aspect, I wasn't meaning to not use passwords. It seemed to me that not using passwords surely wouldn't be the cause of the problem. The problem was caused after getting into and being in the account, and I felt that would still be the case even if they had passworded in. Do you see the point I am getting at??

Then I may be missing something here. Ah well.

 

Cheers. John.


Thanx all for your help.

I'm thinking of wiping the box clean and reinstalling Mandrake 10. This time there will be passwords for every account. Other than the two users losing KDE, the other users still get their KDE and their stuff. I just wonder if it is just the two affected users' accounts that got compromised but not the whole system. I don't know that for sure. What do you think, should I install Yahoo! Messenger again or do away with it? Young kids come to my place and want to use it, plus Kopete is no longer working with Yahoo!

 

Thanks again.

J.T.


Hi

"I'm thinking of wiping the box clean and reinstalling Mandrake 10."

Go for it for "best" peace of mind.

"I just wonder if it is just the two affected users' accounts got compromised but not the whole system."

As far as I know an updated firewalled linux is not trivial to break into.

More checking and snooping before wiping?

- rpm -V all shadow-related installed packages (rpm -qa | grep -i shadow)

- chkrootkit -q

- rkhunter --checkall (HOMEPAGE="http://www.rootkit.org/") (a new rootkit checker for me)

- output of the last and lastlog commands

- files in /var/log/

- root's .bash_history

- the "compromised" users' .bash_history

Hope it's not a wipe but a fix and keep since I find it's much more fun!

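Added example, not from the thread and not msec's own code: the comparison msec's suid_md5 check performs to produce the "Checksum changed file" lines in the logs above, rebuilt in Python so it can be run against a baseline saved right after an install or a MandrakeUpdate run. A package update rewrites these binaries too, which is why rpm -V on the shadow packages, as the post above suggests, is the first thing to check before reading a changed checksum as a backdoor. demo() builds a constructed scenario in a temp directory; md5 is kept only because that is what msec used.

```python
import hashlib, os, stat, tempfile

def find_suid_files(root, root_owned_only=True):
    """Regular files under root carrying the setuid bit; like msec, keep only root-owned ones by default."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks, their targets are walked on their own
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                if not root_owned_only or st.st_uid == 0:
                    found.append(path)
    return sorted(found)

def md5_of(path):
    """Hash the file contents in chunks; md5 only because that is what msec's suid_md5 check used."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def suid_baseline(root, root_owned_only=True):
    """{path: md5} for every setuid file found; save this right after an install or update."""
    return {p: md5_of(p) for p in find_suid_files(root, root_owned_only)}

def diff_baseline(old, new):
    """What msec reports between two runs: changed checksums plus setuid files that appeared or vanished."""
    return {"changed": sorted(p for p in old if p in new and old[p] != new[p]),
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}

def demo():
    """Constructed scenario: two fake setuid 'binaries' in a temp dir, one rewritten after the baseline."""
    d = tempfile.mkdtemp()
    for name in ("chage", "newgrp"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"original binary")
        os.chmod(os.path.join(d, name), 0o4755)  # setuid + rwxr-xr-x
    before = suid_baseline(d, root_owned_only=False)  # the temp files are not root-owned
    with open(os.path.join(d, "chage"), "wb") as f:
        f.write(b"modified binary")
    os.chmod(os.path.join(d, "chage"), 0o4755)  # a non-root write clears setuid, so set it again
    report = diff_baseline(before, suid_baseline(d, root_owned_only=False))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```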
