LinuxQuestions.org, Linux - Security forum
Old 02-10-2005, 08:05 PM   #1
Chuck23
Member
 
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63

Rep: Reputation: 15
Compromised? I can't tell.


I've noticed a few possibly strange things, and I wonder if anybody can help me to understand them.

First of all, I never get the failed ssh logins that everybody is talking about here. I mean never. Shouldn't I be seeing a little bit of that? My machine doesn't respond to pings, so maybe they're just not seeing me, but that seems unlikely since s_kiddies are constantly trying to crack apache.

Second, and more worrisome, is that I have both /etc/sshd and /etc/sshd2 (?) The sshd2.conf file seems pretty weak and differs from my carefully constructed file. What's going on here?

Third, and of even greater concern, rpm -V pam reveals that some files have been changed. The output is this:

S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check

What does this mean? Looks to me like something important has changed.

Fourth, in my /tmp directory there are a bunch of subdirectories like
ssh-M0(JFG)#K, many of which appear to be months old. Should these be there??? As far as I know, nobody has ever made an ssh connection to my machine.

Fifth, netstat is giving me this:

tcp 1 0 localhost.localdo:32789 localhost.localdoma:ipp CLOSE_WAIT

Why is localhost.localdomain showing up in the foreign column? Why is ipp showing up in the internet section? Doesn't ipp have something to do with printers?

Finally, users outputs this:
myusername myusername

Why are there two of me? I use strong passwords of 15 or more very random characters so I'm pretty sure that a brute force attack would be fruitless. It's the finesse attacks that worry me because I don't fully understand them.

There are other things, too. Why are there rc, rc0, rc1... rc6 in the /etc directory? I never noticed this before. I read somewhere that crackers often make copies of things, so could this, along with the two sshd programs be an indication of problems?

Everything seems to be running OK, and I don't have any super-sensitive data on the machine. Should I worry? If I'm just being paranoid, please let me know. I can take it.

Thanks.
 
Old 02-11-2005, 01:39 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
run this ASAP: http://www.rootkit.nl/

good luck...


Last edited by win32sux; 02-11-2005 at 01:42 AM.
 
Old 02-11-2005, 08:16 AM   #3
Chuck23
Member
 
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63

Original Poster
Rep: Reputation: 15
Thanks. That program didn't find anything except a few hidden directories under /etc -- /.java /.aumixrc and /.pwd.lock

Should I be worried about any of these? Strangely, when I try to navigate to .pwd.lock, I get a "no such file or directory." What now?

[edit - add]

One thing that does concern me is the rpm -V pam that I ran that showed it had changed, but Rootkit Hunter didn't have anything to say about that. Anyone know what this could mean?

Last edited by Chuck23; 02-11-2005 at 08:23 AM.
 
Old 02-11-2005, 08:22 AM   #4
Cron
Member
 
Registered: Jun 2004
Location: Lithuania
Distribution: FreeBSD, Arch, Ubuntu
Posts: 145

Rep: Reputation: 15
.pwd.lock

In my fresh Arch machine (4 minutes online) I have /etc/.pwd.lock too, so I think you shouldn't worry about this.
 
Old 02-11-2005, 10:19 AM   #5
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
You can't find any failed ssh tries in the /var/log/messages file?
Are there any signs there of successful attempts?
 
Old 02-11-2005, 04:35 PM   #6
Chuck23
Member
 
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63

Original Poster
Rep: Reputation: 15
Except for the strange files in /tmp, there are no signs whatsoever of successful remote logins.
 
Old 02-12-2005, 03:02 AM   #7
frob23
Senior Member
 
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: Ubuntu, FreeBSD, NetBSD
Posts: 1,449

Rep: Reputation: 47
rc[0-6]

DO NOT change these unless you know what you are doing. This is part of the bootup system of linux. Each one corresponds to the scripts that are run at each of the runlevels specified by their number. This is not to say they haven't been modified by someone but their existence is essential.

In my opinion, you are being a little paranoid -- which can be a good thing. I'm not sure what generated the temp files but they don't seem like a large concern to me (at the very least a cracker this competent would have made them hidden).

The reason there are two of you? Probably because you have an xterm window open or whatever. Anyway... it is not odd.

My only suggestion, if you don't use sshd yourself... turn it off.
 
Old 02-12-2005, 04:01 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by Chuck23
Third, and of even greater concern, rpm -V pam reveals that some files have been changed. The output is this:
S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check

The RPM md5sums will be different if you've updated your system with security patches. For FC1 there have been a number of updates and therefore a number of files will fail the RPM check. This is entirely normal. I know that pam system-auth was updated, but if you want to be extra-thorough, check the contents and file attributes of upperLOWER and pam_timestamp_check using the strings command. Rootkit hunter likely doesn't complain because it uses md5sums that are constantly being updated with new values when updates are released. Unless you manually update the rpm database, then the original hash values will be retained.
Quote:
Originally posted by Chuck23
Fifth, netstat is giving me this:
tcp 1 0 localhost.localdo:32789 localhost.localdoma:ipp CLOSE_WAIT
Why is localhost.localdomain showing up in the foreign column? Why is ipp showing up in the internet section? Doesn't ipp have something to do with printers?


This is entirely normal as well. IPP stands for "internet printing protocol" and is one of the linux printing daemons. When you print a document, netstat should show one or more connections from localhost to localhost. This is just how IPP works when you print a document locally.
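As an added example (not code from the thread or from rpm itself), here is a small Python triage of `rpm -V` output like the lines Chuck23 posted. It decodes the flag columns as rpm(8) defines them, separates locally edited config files from shipped files whose content differs, and flags `?` results, which mean that test was never performed rather than that it passed. The triage categories themselves are my own convention.

```python
import re

# rpm -V prints one line per file that fails a check:
#   <flags> [c|d|g|l|r] <path>      or      missing [c] <path>
# Flag positions are S M 5 D L U G T (newer rpm adds P). Per rpm(8): '.' = test
# passed, '?' = test could not be performed (e.g. unreadable file), letter = differs.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
VERIFY_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$")

def parse_verify_line(line):
    """Return {'path', 'config', 'changed', 'unchecked'} or None for a non-verify line."""
    line = line.strip()
    if m := MISSING_RE.match(line):
        return {"path": m["path"], "config": m["type"] == "c",
                "changed": {"missing"}, "unchecked": False}
    if m := VERIFY_RE.match(line):
        return {"path": m["path"], "config": m["type"] == "c",
                "changed": {FLAG_NAMES[c] for c in m["flags"] if c in FLAG_NAMES},
                "unchecked": "?" in m["flags"]}
    return None

def triage(entry):
    """Classification a defender can act on (assumed policy, not something rpm defines)."""
    if entry["unchecked"]:
        return "rerun-as-root"   # a '?' means that test (here the digest) was never compared
    if "missing" in entry["changed"]:
        return "missing"
    if entry["config"]:
        return "config-edited"   # local edits to %config files are expected
    if entry["changed"] & {"digest", "size", "mode"}:
        return "investigate"     # content or permissions of a shipped file differ
    return "metadata-only"       # e.g. only mtime or ownership changed

def triage_report(output):
    """Map each path in rpm -V output to its triage class."""
    return {e["path"]: triage(e) for e in map(parse_verify_line, output.splitlines()) if e}

# The three lines quoted in the thread, plus one constructed 'missing' line.
SAMPLE = """\
S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check
missing   c /etc/pam.d/constructed-example
"""
if __name__ == "__main__":
    for path, verdict in triage_report(SAMPLE).items():
        print(f"{verdict:14} {path}")
```

Feed it `rpm -V pam` output directly (for example `rpm -V pam | python3 triage.py` after swapping `SAMPLE` for `sys.stdin.read()`); anything classed `investigate` is worth comparing against a pristine copy of the package before trusting the file.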
 
Old 02-14-2005, 07:45 AM   #9
Chuck23
Member
 
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63

Original Poster
Rep: Reputation: 15
Thanks to all.

I kind of thought that pam had been changed during a normal update, but I guess I just needed reassurance. RK Hunter is a great little utility that will be most helpful. sshd will be turned on only when needed. I feel much better now.

But I still see two of me even in RL 3. Strange... but not worth worrying about.
 
Old 02-14-2005, 11:53 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by Chuck23
But I still see two of me even in RL 3.

That's normal. It has to do with the way wtmp logging works. If you run 'who' instead of 'users' it shows which terminal those users are logged into. If you have multiple pseudo-terminals (pts) open you'll see multiple instances of that username. You can prove this to yourself by starting X and running 'users' and 'who' (you should see at least 2 sessions, 1 for the shell, 1 for the X session). Open an xterm and run 'who' and 'users' again, you'll see that another session has been added. Also failing to properly log out of a remote shell session (like ssh) can leave a pseudoterm open.
 
Old 02-15-2005, 03:25 AM   #11
rhoyerboat
Member
 
Registered: Feb 2005
Posts: 40

Rep: Reputation: 15
does X always run as root? it doesn't seem like a very good idea to let an unprivileged user run a program that assumes root privileges.. i just noticed today with top that X had root privileges
 
Old 02-15-2005, 07:33 AM   #12
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally posted by rhoyerboat
does X always run as root? it doesn't seem like a very good idea to let an unprivileged user run a program that assumes root privileges.. i just noticed today with top that X had root privileges
i believe that only the X server is run as root... the X apps are executed as the unprivileged user... take a look at your processes and you should see something like this:

Code:
bash-3.00$ ps aux | grep X11
root       167  0.0  0.4  3196 1112 ?        Ss   Feb14   0:00 /usr/X11R6/bin/xdm -nodaemon
root       170  1.4 12.6 68504 32324 ?       RL   Feb14  17:47 /usr/X11R6/bin/X -auth /usr/X11R6/lib/X11/xdm/authdir/authfiles/A:0-keyqKS
win32sux      182  0.0  0.4  2332 1220 ?        S    Feb14   0:00 /bin/sh /etc/X11/xinit/xinitrc
as you can see, the xinitrc is executed as the unprivileged user, hence the X apps will be run unprivileged... in my case i'm using the XFCE window manager, for example:

Code:
bash-3.00$ ps aux | grep xf 
win32sux      217  0.0  1.8 11376 4684 ?        Ss   Feb14   0:04 xfce-mcs-manager
win32sux      219  0.0  1.9  9808 4920 ?        S    Feb14   0:05 xfwm4 --daemon
win32sux      220  0.0  2.2 10112 5744 ?        S    Feb14   0:07 xftaskbar4
win32sux      221  0.0  1.9 11260 4956 ?        S    Feb14   0:04 xfdesktop
win32sux      222  0.0  2.0  9976 5336 ?        S    Feb14   0:01 xfcalendar
win32sux      224  0.0  2.7 11972 6924 ?        S    Feb14   0:01 /usr/bin/xfce4-panel

Last edited by win32sux; 02-15-2005 at 07:38 AM.
 