LinuxQuestions.org

Linux - Security: Compromised? I can't tell. (http://www.linuxquestions.org/questions/linux-security-4/compromised-i-cant-tell-288721/)

Chuck23 02-10-2005 09:05 PM

Compromised? I can't tell.
 
I've noticed a few possibly strange things, and I wonder if anybody can help me to understand them.

First of all, I never get the failed ssh logins that everybody is talking about here. I mean never. Shouldn't I be seeing a little bit of that? My machine doesn't respond to pings, so maybe they're just not seeing me, but that seems unlikely since s_kiddies are constantly trying to crack apache.

Second, and more worrisome, is that I have both /etc/sshd and /etc/sshd2 (?) The sshd2.conf file seems pretty weak and differs from my carefully constructed file. What's going on here?

Third, and of even greater concern, rpm -V pam reveals that some files have been changed. The output is this:

S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check

What does this mean? Looks to me like something important has changed.

Fourth, in my /tmp directory there are a bunch of subdirectories like
ssh-M0(JFG)#K, many of which appear to be months old. Should these be there??? As far as I know, nobody has ever made an ssh connection to my machine.

Fifth, netstat is giving me this:

tcp 1 0 localhost.localdo:32789 localhost.localdoma:ipp CLOSE_WAIT

Why is localhost.localdomain showing up in the foreign column? Why is ipp showing up in the internet section? Doesn't ipp have something to do with printers?

Finally, users outputs this:
myusername myusername

Why are there two of me? I use strong passwords of 15 or more very random characters so I'm pretty sure that a brute force attack would be fruitless. It's the finesse attacks that worry me because I don't fully understand them.

There are other things, too. Why are there rc, rc0, rc1... rc6 in the /etc directory? I never noticed this before. I read somewhere that crackers often make copies of things, so could this, along with the two sshd programs be an indication of problems?

Everything seems to be running OK, and I don't have any super-sensitive data on the machine. Should I worry? If I'm just being paranoid, please let me know. I can take it.

Thanks.

win32sux 02-11-2005 02:39 AM

run this ASAP: http://www.rootkit.nl/

good luck...


Chuck23 02-11-2005 09:16 AM

Thanks. That program didn't find anything except a few hidden directories under /etc -- /.java /.aumixrc and /.pwd.lock

Should I be worried about any of these? Strangely, when I try to navigate to .pwd.lock, I get a "no such file or directory." What now?

[edit - add]

One thing that does concern me is the rpm -V pam that I ran that showed it had changed, but Rootkit Hunter didn't have anything to say about that. Anyone know what this could mean?

Cron 02-11-2005 09:22 AM

.pwd.lock
 
In my fresh Arch machine (4 minutes online) I have /etc/.pwd.lock too, so I think you shouldn't worry about this.

ugge 02-11-2005 11:19 AM

You can't find any failed ssh tries in the /var/log/messages file?
Are there any signs there of successful attempts?

Chuck23 02-11-2005 05:35 PM

Except for the strange files in /tmp, there are no signs whatsoever of successful remote logins.

frob23 02-12-2005 04:02 AM

rc[0-6]

DO NOT change these unless you know what you are doing. This is part of the bootup system of linux. Each one corresponds to the scripts that are run at each of the runlevels specified by their number. This is not to say they haven't been modified by someone but their existence is essential.

In my opinion, you are being a little paranoid -- which can be a good thing. I'm not sure what generated the temp files but they don't seem like a large concern to me (at the very least a cracker this competent would have made them hidden).

The reason there are two of you? Probably because you have an xterm window open or whatever. Anyway... it is not odd.

My only suggestion, if you don't use sshd yourself... turn it off.

Capt_Caveman 02-12-2005 05:01 PM

Quote:

Originally posted by Chuck23
Third, and of even greater concern, rpm -V pam reveals that some files have been changed. The output is this:
S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check

The RPM md5sums will be different if you've updated your system with security patches. For FC1 there have been a number of updates and therefore a number of files will fail the RPM check. This is entirely normal. I know that pam system-auth was updated, but if you want to be extra-thorough, check the contents and file attributes of upperLOWER and pam_timestamp_check using the strings command. Rootkit Hunter likely doesn't complain because it uses md5sums that are constantly being updated with new values when updates are released. Unless you manually update the rpm database, the original hash values will be retained.

Quote:

Originally posted by Chuck23
Fifth, netstat is giving me this:
tcp 1 0 localhost.localdo:32789 localhost.localdoma:ipp CLOSE_WAIT
Why is localhost.localdomain showing up in the foreign column? Why is ipp showing up in the internet section? Doesn't ipp have something to do with printers?

This is entirely normal as well. IPP stands for "internet printing protocol" and is one of the linux printing daemons. When you print a document, netstat should show one or more connections from localhost to localhost. This is just how IPP works when you print a document locally.
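As an added example (not from the thread or any poster), here is a small Python triage script that decodes `rpm -V` lines like the ones quoted above: it treats drift in files rpm marks as config (`c`) as expected, and puts package-owned binaries or libraries whose size, digest or ownership differ at the top of the list. The sample input is the thread's own `rpm -V pam` output; the verdict labels are my own convention.

```python
# Added example (not from the thread): parse `rpm -V` lines and rank them.
# Format: 8- or 9-char test field (positions S M 5 D L U G T [P]; "." = passed,
# "?" = could not be tested, e.g. unreadable as non-root), optional attribute
# (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
TEST_POSITIONS = "SM5DLUGTP"
TEST_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}

def parse_rpm_verify(line: str) -> dict:
    """Turn one `rpm -V` output line into failed tests, attribute and path."""
    parts = line.split(maxsplit=2)
    if parts[0] == "missing":   # rpm prints "missing   /path" for absent files
        return {"path": " ".join(parts[1:]), "config": False,
                "failed": {"missing"}, "unperformed": set()}
    flags = parts[0]
    if len(parts) == 3 and parts[1] in ("c", "d", "g", "l", "r"):
        attr, path = parts[1], parts[2]
    else:
        attr, path = "", " ".join(parts[1:])
    failed = {TEST_NAMES[ch] for ch in flags if ch in TEST_NAMES}
    unperformed = {TEST_NAMES[TEST_POSITIONS[i]]
                   for i, ch in enumerate(flags[:9]) if ch == "?"}
    return {"path": path, "config": attr == "c",
            "failed": failed, "unperformed": unperformed}

CONTENT_TESTS = {"size", "digest", "mode", "owner", "group", "missing"}

def triage(entry: dict) -> str:
    """Config files drift legitimately; a package-owned binary/library whose
    content or ownership differs is what to inspect first, ideally with
    `rpm -Vp <pkg.rpm>` against a freshly downloaded package so a tampered
    rpm database cannot vouch for itself."""
    if not entry["config"] and entry["failed"] & CONTENT_TESTS:
        return "investigate"
    if "digest" in entry["unperformed"]:
        return "recheck-as-root"   # rpm could not read the file to hash it
    if entry["config"]:
        return "expected"          # local edits / updates to config are normal
    return "review"                # e.g. only mtime differs

def triage_report(output: str) -> list:
    """Parse whole `rpm -V` output; return (verdict, path) pairs, most urgent first."""
    order = {"investigate": 0, "recheck-as-root": 1, "review": 2, "expected": 3}
    entries = [parse_rpm_verify(l) for l in output.splitlines() if l.strip()]
    return sorted(((triage(e), e["path"]) for e in entries), key=lambda r: order[r[0]])

# Sample input: the thread's own `rpm -V pam` output, embedded here for a dry run
SAMPLE = """S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check"""
```

Run as a non-root user the `?` in the digest column only says rpm could not read the file; rerun `rpm -V` as root before drawing conclusions from it.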

Chuck23 02-14-2005 08:45 AM

Thanks to all.

I kind of thought that pam had been changed during a normal update, but I guess I just needed reassurance. RK Hunter is a great little utility that will be most helpful. sshd will be turned on only when needed. I feel much better now.

But I still see two of me even in RL 3. Strange... but not worth worrying about.

Capt_Caveman 02-14-2005 12:53 PM

Quote:

Originally posted by Chuck23
But I still see two of me even in RL 3.

That's normal. It has to do with the way wtmp logging works. If you run 'who' instead of 'users' it shows which terminal those users are logged into. If you have multiple pseudo-terminals (pts) open you'll see multiple instances of that username. You can prove this to yourself by starting X and running 'users' and 'who' (you should see at least 2 sessions, 1 for the shell, 1 for the X session). Open an xterm and run 'who' and 'users' again, and you'll see that another session has been added. Also, failing to properly log out of a remote shell session (like ssh) can leave a pseudoterm open.

rhoyerboat 02-15-2005 04:25 AM

does X always run as root? it doesn't seem like a very good idea to let an unprivileged user run a program that assumes root privileges.. i just noticed today with top that X had root privileges

win32sux 02-15-2005 08:33 AM

Quote:

Originally posted by rhoyerboat
does X always run as root? it doesn't seem like a very good idea to let an unprivileged user run a program that assumes root privileges.. i just noticed today with top that X had root privileges
i believe that only the X server is run as root... the X apps are executed as the unprivileged user... take a look at your processes and you should see something like this:

Code:

bash-3.00$ ps aux | grep X11
root      167  0.0  0.4  3196 1112 ?        Ss  Feb14  0:00 /usr/X11R6/bin/xdm -nodaemon
root      170  1.4 12.6 68504 32324 ?      RL  Feb14  17:47 /usr/X11R6/bin/X -auth /usr/X11R6/lib/X11/xdm/authdir/authfiles/A:0-keyqKS
win32sux      182  0.0  0.4  2332 1220 ?        S    Feb14  0:00 /bin/sh /etc/X11/xinit/xinitrc

as you can see, the xinitrc is executed as the unprivileged user, hence the X apps will be run unprivileged... in my case i'm using the XFCE window manager, for example:

Code:

bash-3.00$ ps aux | grep xf
win32sux      217  0.0  1.8 11376 4684 ?        Ss  Feb14  0:04 xfce-mcs-manager
win32sux      219  0.0  1.9  9808 4920 ?        S    Feb14  0:05 xfwm4 --daemon
win32sux      220  0.0  2.2 10112 5744 ?        S    Feb14  0:07 xftaskbar4
win32sux      221  0.0  1.9 11260 4956 ?        S    Feb14  0:04 xfdesktop
win32sux      222  0.0  2.0  9976 5336 ?        S    Feb14  0:01 xfcalendar
win32sux      224  0.0  2.7 11972 6924 ?        S    Feb14  0:01 /usr/bin/xfce4-panel