LinuxQuestions.org


Klaus Pforte 09-28-2004 11:31 AM

Compromised? Files "/usr/lib.hwm", "/usr/lib.pwd", "/usr/lib.pwi"
 
Hi,

I found 3 unknown files on a RH 7.2 system:

/usr/lib.hwm (1024 Byte)
/usr/lib.pwd (214540 Byte)
/usr/lib.pwi (11364 Byte)

The files are nearly the same as the "/usr/lib/cracklib_dict.*" files.
I have those too.

rpm -q --whatprovides /usr/lib.hwm etc. gives no result.

The system is up to date.

Now my question:

Does anyone know these files?
Is this a sign of a compromise?

What can I do to find out?
I have chkrootkit installed on THIS machine, no result.
I have no physical access to the machine, only access via ssh.

Thanks for helping,
greetings from Germany, Black Forest,
Klaus

rjlee 09-28-2004 11:47 AM

Are you saying that you have run chkrootkit on the possibly infected machine? If not, you should be able to use scp to copy chkrootkit onto it (which copies files using the same protocol as ssh).

These are not files that one would normally expect to see, so I think it's likely that you have been cracked. As a first step I'd make sure that root logins by ssh are disabled, and then change the passwords for all users, including root.

You may also want to rpm --verify --whatprovides /usr/lib/cracklib_dict.* to see if RPM reports any changes.

Then again, I'm not familiar with Red Hat, so it could just be normal files for an installation.

Hope that's of some help,

Robert J. Lee

Klaus Pforte 09-28-2004 01:22 PM

Quote:

Originally posted by rjlee
Are you saying that you have run chkrootkit on the possibly infected machine? If not, you should be able to use scp to copy chkrootkit onto it (which copies files using the same protocol as ssh).

These are not files that one would normally expect to see, so I think it's likely that you have been cracked. As a first step I'd make sure that root logins by ssh are disabled, and then change the passwords for all users, including root.

You may also want to rpm --verify --whatprovides /usr/lib/cracklib_dict.* to see if RPM reports any changes.

Then again, I'm not familiar with Red Hat, so it could just be normal files for an installation.

Hope that's of some help,

Robert J. Lee

I got the source of chkrootkit via wget and compiled it on this machine.
A mistake?

The files are not from the RH 7.2 installation.
I have an early backup, and they are not present in it.

Root login via ssh is only possible with a PGP key. Not very secure, I know.

I searched a lot and found that in the hour these files were created I compiled a new php (4.3.5) on this server.
So maybe these files are part of this compilation or another compilation.
I compiled php again (only make) but I did not find the files freshly created in the compile folder.

I think it would be a magic coincidence that an attack is in progress at the same moment I happen to compile a new php.
But nobody knows these files...

Thanks!
Klaus

unSpawn 09-28-2004 05:05 PM

The files are nearly the same as the "/usr/lib/cracklib_dict.*" files.
Those hwm, pwd and pwi files can be the result of making dictionaries for cracking passwords (purpose good or bad).

What services run on the box? What version are they (IOW, are they patched)? Are they publicly accessible? Did you shut down all publicly accessible services while "investigating"? Did you check auth files, system, login and daemon logs for events before, at and after the modification or creation time of these files? Users' shell history? Who owns these files? What access rights do they have? Any setuid root binaries around that look strange? Anything else on the system that "doesn't feel right" or behaves "strange"?
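The questions in this post translate into a small set of filesystem checks. The script below is an added example, not code from the thread or from any of its posters: it takes an unexpected file and answers which package (if any) owns it, who owns it and with what mode, whether anything has read it since it was last written (the `ls -l --time=access` idea, unreliable on filesystems mounted with noatime), what else in a directory tree was modified within a window around its mtime, and which setuid files exist under a tree. It assumes GNU coreutils and findutils (`stat -c`, `touch -d @epoch`, `find -newer`) and, for package ownership, an rpm binary; the paths in the usage line are constructed examples.

```sh
#!/bin/sh
# Triage helper for an unexpected file on an RPM-based box (added example).
# Usage: . ./triage.sh; triage /usr/lib.hwm; modified_near /usr/lib.hwm /usr 3600

# Which RPM package claims the file? Prints "unowned" when rpm has no record
# of it, or when rpm is not installed at all.
package_owner() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -qf "$1" 2>/dev/null || echo unowned
  else
    echo unowned
  fi
}

# Octal permission bits and owning user, e.g. "644 root" (GNU stat).
mode_and_owner() {
  stat -c '%a %U' "$1"
}

# True (exit 0) when the access time is newer than the modification time,
# i.e. something has opened the file since it was last written. Caveat: on a
# noatime/relatime mount the atime may never advance, so "no" proves little.
read_since_modified() {
  atime=$(stat -c '%X' "$1")
  mtime=$(stat -c '%Y' "$1")
  [ "$atime" -gt "$mtime" ]
}

# Files under $2 whose mtime lies within $3 seconds of $1's mtime: the
# "what else changed at that time" question. Two marker files carry the
# window edges so that plain find -newer can do the comparison.
modified_near() {
  ref=$(stat -c '%Y' "$1")
  markers=$(mktemp -d)
  touch -d "@$((ref - $3))" "$markers/lo"
  touch -d "@$((ref + $3))" "$markers/hi"
  find "$2" -xdev -type f -newer "$markers/lo" ! -newer "$markers/hi" 2>/dev/null
  rm -rf "$markers"
}

# Every setuid file under a tree, printed as "owner path"; grep for root
# and compare against what rpm -qf says about each one.
setuid_files() {
  find "$1" -xdev -type f -perm -4000 -printf '%u %p\n' 2>/dev/null
}

# One-line summary for a single suspect file.
triage() {
  printf '%s: package=%s mode/owner=%s ' \
    "$1" "$(package_owner "$1")" "$(mode_and_owner "$1")"
  if read_since_modified "$1"; then
    echo "accessed-since-modified=yes"
  else
    echo "accessed-since-modified=no"
  fi
}
```

Run `triage` on each of the three files first; an "unowned" file that a package does claim to own would already contradict the page's `rpm -q --whatprovides` result, and `modified_near` over `/usr` with a window of an hour is what ties the files to the php build the poster later remembers. The log checks in the post (auth, daemon and shell history around the same timestamps) are not automated here.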

Klaus Pforte 09-28-2004 11:33 PM

Quote:

Originally posted by unSpawn
The files are nearly the same as the "/usr/lib/cracklib_dict.*" files.
Those hwm, pwd and pwi files can be the result of making dictionaries for cracking passwords (purpose good or bad).

What services run on the box? What version are they (IOW, are they patched)? Are they publicly accessible? Did you shut down all publicly accessible services while "investigating"? Did you check auth files, system, login and daemon logs for events before, at and after the modification or creation time of these files? Users' shell history? Who owns these files? What access rights do they have? Any setuid root binaries around that look strange? Anything else on the system that "doesn't feel right" or behaves "strange"?

Sorry, I forgot.

The files are owned by root and have 644 rights.

And:
You are completely right.
They are dictionaries of Cracklib. I found that out later yesterday.
But they are not being used (no newer access times; ls -l --time=access). It was an accidental compile of cracklib and (because it was long ago) I don't know why I did it and why I did not delete the files. I checked the usage of the files and deleted them yesterday evening.

The system feels o.k. No other signs of strange things. Really. I read books and forums and check the server logs daily.
In the last weeks we have had problems with stability, but(!) we have many more web accesses (4 times more) AND much more spam (3 times more) (spamassassin needs a lot of RAM) on the server.
And 512 MB RAM are not enough at the moment. So in special situations the server freezes because of memory problems.

So in the logs, shortly before the freeze, I only see httpd processes being killed because of memory problems.
Then the other services die slowly, over around 30 minutes.
I changed settings so that Apache, MySQL and SpamAssassin use fewer resources (not easy). Now it is better but not good.


Thanks for helping!
Klaus

