crazyspongebob Posted November 10, 2004

Hi all,

I have a family box with the following specs:

System Specs
AMD Athlon 800
384 MB
6 GB hard disk
Voodoo 3 16MB
3Com network card

The box has 6 users on it. Two of them lost KDE during the weekend. When they log in, the only thing that appears on the screen is the console. It is just like a generic X window, no menus or anything. In the console, when I type exit, the users exit their sessions. When I type icewm-session, ICE starts.

The following is a partial log that says the box might be compromised.

Nov 7 04:04:17 a : Security Warning: Change in World Writable Files found :
Nov 7 04:04:17 a : - No longer present writable file : /tmp/.ICE-unix/dcop3494-1099008396
Nov 7 04:04:17 a :
Nov 7 04:04:17 a : Security Warning: the md5 checksum for one of your SUID files has changed,
Nov 7 04:04:17 a : maybe an intruder modified one of these suid binary in order to put in a backdoor...
Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/chage
Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/expiry
Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/gpasswd
Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/newgrp
Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/sperl5.8.3
Nov 7 04:04:17 a : - Checksum changed file : /usr/bin/suidperl
Nov 7 04:04:17 a :
Nov 7 04:04:17 a : Security Warning: World Writable files found :
Nov 7 04:04:17 a : - /lib/dev-state/dri/card0
Nov 7 04:04:17 a : - /tmp/.ICE-unix
Nov 7 04:04:17 a : - /tmp/.X11-unix
Nov 7 04:04:17 a : - /tmp/.X11-unix/X0
Nov 7 04:04:17 a : - /tmp/.font-unix
Nov 7 04:04:17 a : - /tmp/.font-unix/fs-1
Nov 7 04:04:17 a : - /var/spool/postfix/dev/log
Nov 7 04:04:17 a : - /var/spool/postfix/private/anvil
Nov 7 04:04:17 a : - /var/spool/postfix/private/bounce
Nov 7 04:04:17 a : - /var/spool/postfix/private/cyrus
Nov 7 04:04:17 a : - /var/spool/postfix/private/cyrus-chroot
Nov 7 04:04:17 a : - /var/spool/postfix/private/cyrus-deliver
Nov 7 04:04:17 a : - /var/spool/postfix/private/cyrus-inet
Nov 7 04:04:17 a : - /var/spool/postfix/private/defer
Nov 7 04:04:17 a : - /var/spool/postfix/private/error
Nov 7 04:04:17 a : - /var/spool/postfix/private/lmtp
Nov 7 04:04:17 a : - /var/spool/postfix/private/lmtp-filter
Nov 7 04:04:17 a : - /var/spool/postfix/private/local
Nov 7 04:04:17 a : - /var/spool/postfix/private/maildrop
Nov 7 04:04:17 a : - /var/spool/postfix/private/proxymap
Nov 7 04:04:17 a : - /var/spool/postfix/private/relay
Nov 7 04:04:17 a : - /var/spool/postfix/private/rewrite
Nov 7 04:04:17 a : - /var/spool/postfix/private/smtp
Nov 7 04:04:17 a : - /var/spool/postfix/private/smtp-filter
Nov 7 04:04:17 a : - /var/spool/postfix/private/tlsmgr
Nov 7 04:04:17 a : - /var/spool/postfix/private/trace
Nov 7 04:04:17 a : - /var/spool/postfix/private/uucp
Nov 7 04:04:17 a : - /var/spool/postfix/private/verify
Nov 7 04:04:17 a : - /var/spool/postfix/private/virtual
Nov 7 04:04:17 a : - /var/spool/postfix/public/cleanup
Nov 7 04:04:17 a : - /var/spool/postfix/public/flush
Nov 7 04:04:17 a : - /var/spool/postfix/public/pickup
Nov 7 04:04:17 a : - /var/spool/postfix/public/qmgr
Nov 7 04:22:00 a CROND[7860]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)
Nov 7 05:01:00 a CROND[13467]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Nov 7 05:01:01 a msec: changed mode of /var/log/security/open_port.today from 644 to 640
Nov 7 05:01:01 a msec: changed mode of /var/log/security/sgid.today from 644 to 640
Nov 7 05:01:01 a msec: changed mode of /var/log/security/suid_root.today from 644 to 640
Nov 7 05:01:01 a msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
Nov 7 05:01:01 a msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
Nov 7 05:01:01 a msec: changed mode of /var/log/security.log from 644 to 640
Nov 7 05:01:01 a msec: changed group of /var/log/security.log from root to adm
Nov 7 05:01:01 a msec: changed mode of /var/log/wtmp from 664 to 640
Nov 7 05:01:01 a msec: changed group of /var/log/wtmp from utmp to adm
Nov 7 05:01:01 a msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
Nov 7 05:01:01 a msec: changed mode of /var/log/security/writable.today from 644 to 640
Nov 7 05:01:01 a msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
Nov 7 06:01:00 a CROND[13549]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Nov 7 07:01:00 a CROND[13612]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
Nov 7 08:01:00 a CROND[13675]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)

I have uninstalled postfix since I just installed it for a test run.

Suggestions?

Thanx
JT

[moved from Installing Mandrake by spinynorman]
arctic Posted November 10, 2004

> Nov 7 04:04:17 a : Security Warning: the md5 checksum for one of your SUID files has changed,
> Nov 7 04:04:17 a : maybe an intruder modified one of these suid binary in order to put in a backdoor...

this is what sounds most alarming to me, because it is very hard to break into a linux-system. have you activated your firewall?

> Nov 7 04:04:17 a : - No longer present writable file : /tmp/.ICE-unix/dcop3494-1099008396

did the affected users tweak anything? have they installed/deleted anything during the last days?
durvish Posted November 10, 2004

I don't like the look of those security/suid changes on there! You look like you may be compromised.
arctic Posted November 10, 2004

i forgot to suggest some stuff:

1) change ALL passwords on your box. root and user and whaddoiknowwhatyouhave
2) create new /home directories and move the compromised users' "sensitive" data to there. do not move any crap to there (it might cause trouble again!), then delete the compromised users' /home directories.
3) when you set up new passwords, make sure that they are hard to guess. e.g. "Jkl23TP8n" would be some good password. do not use passwords that look like this: "tuxiscool".
4) make sure that your firewall is activated. in case you have a router, activate its firewall, too (if it has one).
Guest anon Posted November 10, 2004

You might also want to install something like this: http://www.chkrootkit.org/

Or read this: http://www.cs.wright.edu/people/faculty/pm...ion/obrien.html
bvc Posted November 10, 2004

run msec (SEE FAQ) and as anon said, chkrootkit
crazyspongebob Posted November 11, 2004 (Author)

Thanks for your fast reply. Currently, I have ADSL and an IPCop box sits in front of all of my internal boxes. The two users that are affected have no login password. I also have shorewall activated on this Mandrake 10.0 box. I don't know what they did to their account. I'll check with them soon. This box is not permanently on, so I am not too worried about it. However, I have to investigate.

Thanx again.
JT
crazyspongebob Posted November 11, 2004 (Author)

I am the only power user of the system. My other two users just know how to log in to the system to surf the web, chat, and play internet games. They don't know anything else, so I guess they did not delete or change anything. I wonder if they got compromised by using yahoo! messenger. They have nagged me to install it for them. It's just convenient for them not to have passwords. For my account, I do have a password.

I looked into my Explanations log and it says that MandrakeUpdate was run on Nov 7 yet way later. I wonder if I can use a live CD like ubuntu to fix the problem.

Here is the content of the security.log:

*** Diff Check, Sun Nov 7 04:04:17 EST 2004 ***
Security Warning: Change in World Writable Files found :
- No longer present writable file : /tmp/.ICE-unix/dcop3494-1099008396
Security Warning: the md5 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a backdoor...
- Checksum changed file : /usr/bin/chage
- Checksum changed file : /usr/bin/expiry
- Checksum changed file : /usr/bin/gpasswd
- Checksum changed file : /usr/bin/newgrp
- Checksum changed file : /usr/bin/sperl5.8.3
- Checksum changed file : /usr/bin/suidperl
*** Security Check, Sun Nov 7 04:04:17 EST 2004 ***
Security Warning: World Writable files found :
- /lib/dev-state/dri/card0
- /tmp/.ICE-unix
- /tmp/.X11-unix
- /tmp/.X11-unix/X0
- /tmp/.font-unix
- /tmp/.font-unix/fs-1
- /var/spool/postfix/dev/log
- /var/spool/postfix/private/anvil
- /var/spool/postfix/private/bounce
- /var/spool/postfix/private/cyrus
- /var/spool/postfix/private/cyrus-chroot
- /var/spool/postfix/private/cyrus-deliver
- /var/spool/postfix/private/cyrus-inet
- /var/spool/postfix/private/defer
- /var/spool/postfix/private/error
- /var/spool/postfix/private/lmtp
- /var/spool/postfix/private/lmtp-filter
- /var/spool/postfix/private/local
- /var/spool/postfix/private/maildrop
- /var/spool/postfix/private/proxymap
- /var/spool/postfix/private/relay
- /var/spool/postfix/private/rewrite
- /var/spool/postfix/private/smtp
- /var/spool/postfix/private/smtp-filter
- /var/spool/postfix/private/tlsmgr
- /var/spool/postfix/private/trace
- /var/spool/postfix/private/uucp
- /var/spool/postfix/private/verify
- /var/spool/postfix/private/virtual
- /var/spool/postfix/public/cleanup
- /var/spool/postfix/public/flush
- /var/spool/postfix/public/pickup
- /var/spool/postfix/public/qmgr
- /var/spool/postfix/public/showq
*** Diff Check, Wed Nov 10 04:04:32 EST 2004 ***
Security Warning: Change in World Writable Files found :
- Newly added writable file : /tmp/.ICE-unix/dcop2877-1100059156
*** Security Check, Wed Nov 10 04:04:33 EST 2004 ***
Security Warning: World Writable files found :
- /lib/dev-state/dri/card0
- /tmp/.ICE-unix
- /tmp/.ICE-unix/dcop2877-1100059156
- /tmp/.X11-unix
- /tmp/.X11-unix/X0
- /tmp/.font-unix
- /tmp/.font-unix/fs-1
- /var/spool/postfix/dev/log
- /var/spool/postfix/private/anvil
- /var/spool/postfix/private/bounce
- /var/spool/postfix/private/cyrus
- /var/spool/postfix/private/cyrus-chroot
- /var/spool/postfix/private/cyrus-deliver
- /var/spool/postfix/private/cyrus-inet
- /var/spool/postfix/private/defer
- /var/spool/postfix/private/error
- /var/spool/postfix/private/lmtp
- /var/spool/postfix/private/lmtp-filter
- /var/spool/postfix/private/local
- /var/spool/postfix/private/maildrop
- /var/spool/postfix/private/proxymap
- /var/spool/postfix/private/relay
- /var/spool/postfix/private/rewrite
- /var/spool/postfix/private/smtp
- /var/spool/postfix/private/smtp-filter
- /var/spool/postfix/private/tlsmgr
- /var/spool/postfix/private/trace
- /var/spool/postfix/private/uucp
- /var/spool/postfix/private/verify
- /var/spool/postfix/private/virtual
- /var/spool/postfix/public/cleanup
- /var/spool/postfix/public/flush
- /var/spool/postfix/public/pickup
- /var/spool/postfix/public/qmgr
- /var/spool/postfix/public/showq

I wonder if these files need to be world writable for Mandrake 10 to function. Postfix was uninstalled this morning as I mentioned before.

Thanx
J.T.
arctic Posted November 11, 2004

> The two users that are affected have no login password.

ARGH!!!!!!!!!!!
crazyspongebob Posted November 11, 2004 (Author)

> > The two users that are affected have no login password.
>
> ARGH!!!!!!!!!!!

It's just that they are used to window$. So a password is such an annoyance for them, and if they had a password, it would be very easy to guess. But writing this down, I think having a password is better than none. So I will ask them to put passwords on their accounts then.

I am thinking of using either a knoppix or ubuntu live CD to delete those two accounts and create new ones with password protection.

Thanx
J.T.
AussieJohn Posted November 12, 2004

How can creating new accounts, this time with passwords, help to correct the situation??? It would appear to me that these two users are either careless and irresponsible about what they connect to, or unknowingly have connected to contaminated sites. Surely the best response is to insist on blocking them from Yahoo crap and to educate them about what kind of sites to NOT connect to. Wanting to play games is not a really smart reason for justifying putting a computer's integrity at risk regardless of player arguments.

John.
Guest anon Posted November 12, 2004

John,

Having a computer connected to the net that you can log in to without a password is asking for trouble. As for the sites they visit, it's highly unlikely Linux systems could get affected by any malicious content or viruses on websites. That kind of stuff is always aimed at windoze users with their .exe file extensions etc.
AussieJohn Posted November 12, 2004

Hello Anon.

I simply phrased it badly. You are right about the password aspect, I wasn't meaning to not use passwords. It seemed to me that this not using of passwords surely wouldn't be the cause of the problem. The problem was caused after getting into and being in the account, and I felt that would still be the case even if they had passworded in. Do you see the point I am getting at?? Then I may be missing something here. Ah well.

Cheers.
John.
crazyspongebob Posted November 16, 2004 (Author)

Thanx all for your help. I'm thinking of wiping the box clean and reinstalling Mandrake 10. This time there will be passwords for every account. Other than the two users losing KDE, the other users still get their KDE and their stuff. I just wonder if it is just the two affected users' accounts that got compromised and not the whole system. I don't know that for sure.

What do you think, should I install Yahoo! Messenger again or do away with it? Since I have young kids come to my place and want to use it, plus Kopete is no longer working with Yahoo!

Thanks again.
J.T.
b Posted November 16, 2004

Hi

> I'm thinking of wiping the box clean and reinstalling Mandrake 10.

Go for it for "best" peace of mind.

> I just wonder if it is just the two affected users' accounts that got compromised and not the whole system.

As far as I know an updated firewalled linux is not trivial to break into.

More checking and snooping before wiping?
- rpm -V all shadow related installed packages (rpm -qa | grep -i shadow)
- chkrootkit -q
- rkhunter --checkall (HOMEPAGE="http://www.rootkit.org/") (new for me rootkit checker)
- output of last and lastlog commands
- files in /var/log/
- root's .bash_history
- "compromised" users' .bash_history

Hope it's not a wipe but a fix and keep since I find it's much more fun!
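The SUID checksum comparison behind the "Checksum changed file" warnings in the poster's log, and the kind of baseline check b's list relies on, as an added example: this is not code from the thread or from Mandrake's msec, and the sandbox directory and file names it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mandrake's msec: a minimal
# re-implementation of the "suid_md5" check behind the warnings in the
# poster's security.log. The sandbox directory and file names are constructed.

# Print "md5  path" for every set-uid regular file below a root directory.
suid_md5_list() {
    find "$1" -type f -perm -4000 -exec md5sum {} + 2>/dev/null | sort -k 2
}

# Compare a saved baseline list with a fresh one. Prints one line per changed,
# new or vanished set-uid file and returns 1 if anything was found, so a cron
# job can log or mail the result the way msec does.
suid_md5_diff() {
    findings=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { seen[$2] = 1 }
        !($2 in base)       { print "- Newly added suid file : " $2; next }
        base[$2] != $1      { print "- Checksum changed file : " $2 }
        END { for (f in base) if (!(f in seen)) print "- No longer present suid file : " f }
    ' "$1" "$2")
    [ -z "$findings" ] && return 0
    printf 'Security Warning: the md5 checksum for one of your SUID files has changed\n'
    printf '%s\n' "$findings"
    return 1
}

# Self-contained demonstration: build a fake /usr/bin, record a baseline, then
# alter one set-uid file the way the log reports for /usr/bin/chage.
demo() {
    sandbox=$(mktemp -d)
    printf 'original\n' > "$sandbox/chage"
    printf 'original\n' > "$sandbox/newgrp"
    printf 'original\n' > "$sandbox/ls"           # not set-uid, must be ignored
    chmod 4755 "$sandbox/chage" "$sandbox/newgrp"
    chmod 0755 "$sandbox/ls"
    suid_md5_list "$sandbox" > "$sandbox/.baseline"
    printf 'modified\n' > "$sandbox/chage"        # simulate an altered binary
    chmod 4755 "$sandbox/chage"  # an unprivileged write drops the bit; restore it
    suid_md5_list "$sandbox" > "$sandbox/.current"
    if suid_md5_diff "$sandbox/.baseline" "$sandbox/.current"; then rc=0; else rc=1; fi
    rm -rf "$sandbox"
    return $rc
}
```

On a real box the baseline must be taken from a known-good install (or compared with rpm -V as b suggests), since a baseline recorded after the compromise would only make the modified files look normal.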