[TriLUG] Suspicious behavior: have I been hacked?

Andrew Perrin clists at perrin.socsci.unc.edu
Sun Feb 23 22:26:17 EST 2003


I use debian, not redhat, so I can't use the .rpm advice. I checked most
of the important binaries (top, ps, ls, bash) with an off-net debian
machine of the same generation and found no differences in date or
size.  netstat shows nothing very interesting either.

ap

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu


On Sun, 23 Feb 2003, Chris Hedemark wrote:

> Also a lot of rootkits are not smart enough to cover their tracks in 
> the rpm database, so you can use rpm to compare what it thinks should 
> be there with what is really there.
> 
> On Sunday, February 23, 2003, at 10:08 PM, Jon Carnes wrote:
> 
> > boot with a rescue disk and check out your system.  In particular look
> > at the dates on your library files and on key binaries like top, ls, ps,
> > netstat, etc...  If you have another system running the same distro you
> > can check your binaries against those.
> >
> > Using an unhacked netstat is a good way to find out if you've started to
> > send/receive on ports that you shouldn't.
> >
> > This job is much easier if you have a back-up to compare with.
> > Personally I use an unmounted partition with a copy of my etc and my
> > /bin, /sbin, /usr/bin, /usr/sbin, and /lib directories.  I can mount the
> > partition read-only and run an automated checkup on my system using
> > scripts and binaries located on the partition.
> >
> > Good Luck - Jon Carnes
> >
> > On Sun, 2003-02-23 at 21:48, Andrew Perrin wrote:
> >> I came upstairs after a weekend mostly away from my computer to find it in
> >> a nearly-hung state. Load (by top) was >10, and there were numerous
> >> /USR/SBIN/CRON entries which, from the logs, look like they were trying to
> >> run exim sessions:
> >>
> >> Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
> >> Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
> >>
> >>
> >> (etc., etc.)
> >>
> >> The other thing in the ps listing was several (three I think) instances
> >> of:
> >>
> >> modprobe -s -k -- net-pf-10
> >>
> >> I do not have such a module, either loaded or available on the disk.
> >>
> >> What's particularly worrisome is that this machine is behind another
> >> machine running NAT, so it has only a private (192.168.0.x) address. The
> >> NAT machine has nothing particularly suspicious about it. last commands on
> >> both machines show only me logging in.
> >>
> >> I would be a happier person if someone could provide a non-suspicious
> >> explanation for this.
> >>
> >>
> >> Thanks.
> >>
> >> ----------------------------------------------------------------------
> >> Andrew J Perrin - http://www.unc.edu/~aperrin
> >> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> >> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
> >>
> >>
> >> _______________________________________________
> >> TriLUG mailing list
> >>     http://www.trilug.org/mailman/listinfo/trilug
> >> TriLUG Organizational FAQ:
> >>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> >
> >
> >
> >
> 
> Chris Hedemark
> PGP/GnuPG Public Key at http://yonderway.com/chris/hedemark.gpg
> 
> 
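The checkup Jon Carnes describes above (a clean copy of /bin, /sbin, /usr/bin, /usr/sbin and /lib on a read-only partition, compared using the tools from that copy rather than the live ones) as an added example; this is not code from anyone in the thread. It assumes the clean copy is mounted at the path passed as TRUSTED with the same directory layout and that the script itself is kept on that partition; the demo at the end builds constructed temporary trees and, since they carry no tools, falls back to the system's own find and cmp.

```sh
#!/bin/sh
# Added example (not code from the thread): check a live system's key directories
# against a clean copy on a read-only mounted partition, as Jon Carnes describes.
# TRUSTED = mount point of the copy (assumed layout: bin sbin usr/bin usr/sbin lib),
# LIVE = normally "/". Keep this script on the trusted partition as well.
DIRS="bin sbin usr/bin usr/sbin lib"

# Prefer find/cmp from the trusted copy over live ones that may have been replaced
# (falls back to the live tools when the copy carries none, as in the demo below).
use_trusted_tools() { PATH="$1/usr/bin:$1/bin:$1/usr/sbin:$1/sbin:$PATH"; export PATH; }

# Print one line per difference (MODIFIED, MISSING or EXTRA path); return 0 when
# the trees are byte-for-byte identical, 1 otherwise.
check_tree() {
    trusted=$1; live=$2; rc=0; list=$(mktemp)
    for d in $DIRS; do
        if [ -d "$trusted/$d" ]; then
            # Everything in the clean copy must exist, unchanged, on the live side.
            (cd "$trusted" && find "$d" -type f) > "$list"
            while IFS= read -r f; do
                if [ ! -f "$live/$f" ]; then echo "MISSING  /$f"; rc=1
                elif ! cmp -s "$trusted/$f" "$live/$f"; then echo "MODIFIED /$f"; rc=1
                fi
            done < "$list"
        fi
        if [ -d "$live/$d" ]; then
            # Files only on the live side: additions the clean copy never had.
            (cd "$live" && find "$d" -type f) > "$list"
            while IFS= read -r f; do
                [ -f "$trusted/$f" ] || { echo "EXTRA    /$f"; rc=1; }
            done < "$list"
        fi
    done
    rm -f "$list"; return $rc
}

# Constructed demonstration: clean copy plus a live tree with one replaced binary,
# one deleted binary and one unexpected file.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/trusted/bin" "$root/trusted/sbin" "$root/live/bin" "$root/live/sbin"
    for f in bin/ls bin/ps sbin/netstat; do
        echo "original $f" > "$root/trusted/$f"; cp "$root/trusted/$f" "$root/live/$f"
    done
    echo "replaced" > "$root/live/bin/ps"; rm "$root/live/sbin/netstat"
    echo "unexpected" > "$root/live/sbin/.hidden"
    use_trusted_tools "$root/trusted"
    if check_tree "$root/trusted" "$root/live"; then echo "CLEAN"; else echo "DIFFERENCES"; fi
    rm -rf "$root"
}
```

On a real system run it as `use_trusted_tools /mnt/clean; check_tree /mnt/clean /` from the rescue environment, and treat any MODIFIED or EXTRA line under the binary directories as something to explain before trusting that host again.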
