LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-24-2005, 02:06 PM   #1
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 452

Rep: Reputation: 30
cracked or not cracked (tripwire & chrootkit)


I ran tripwire --init after I installed my FC3. After that I've made a lot of updates with synaptic , yup. Now I checked my system with tripwire --check. I am concerned about the output. Very sensitive files have been changed. I don't if they where replaced by yum or synaptic. I 've just update/remove/add daemons like httpd, named etc and not /sbin/adduser etc.
I don't know if I can trust this host again.

Here are some output from tripwire:

Modified object name: /usr/sbin/groupmod

Property: Expected Observed
------------- ----------- -----------
* Inode Number 672362 436533
* Size 25884 26000
* Modify Time Thu 21 Oct 2004 08:35:13 PM CEST
Sat 04 Dec 2004 02:59:45 AM CET
* Blocks 64 56
* CRC32 AnpqbV D8Vfdt
* MD5 AYpl9SQwEMxp+Vmd43r9LJ BQTDdEraBtrFNFP689S3Bc


Modified object name: /usr/sbin/lsof

Property: Expected Observed
------------- ----------- -----------
* Inode Number 435720 428789
* Size 107352 107320
* Modify Time Fri 30 Jul 2004 06:52:50 PM CEST
Wed 23 Mar 2005 01:19:25 PM CET
* Blocks 232 224
* CRC32 CVgyaD DQ739X
* MD5 D2v5xSbiRKN0a4J2JQDI0b DN/RjvvSHOBA1zs2JgC11n


There are a lot of such modifications.


I am also concerned about ttys.

Tripwire says:
Rule Name: System boot changes (/dev/tty5)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------

Modified object name: /dev/tty5

Property: Expected Observed


(all the tty from 1 to 5 were modified).

chkrootkit:
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2791 tty1 /sbin/mingetty tty1
! root 2804 tty2 /sbin/mingetty tty2
! root 2806 tty3 /sbin/mingetty tty3
! root 2820 tty4 /sbin/mingetty tty4
! root 2833 tty5 /sbin/mingetty tty5


How are these ttys modified?

There is no suspect activity, unknown service or open ports etc.

What do you thing? How can I check further for a compromise??
 
Old 04-27-2005, 07:29 AM   #2
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
maybe check with chkrootkit .. don't know I have also tripwire but guess never checked with it but anti-rootkit is good for a cron-job
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Possible Cracked.... Aeiri Linux - Security 4 02-22-2005 08:15 AM
Does this mean I have been cracked? BajaNick Linux - Security 4 08-13-2004 10:10 PM
i am cracked :-( adme Linux - Security 20 07-19-2003 12:37 PM
This just cracked me up! CragStar General 2 04-19-2002 11:13 PM
!!! THEMES.ORG gets cracked... rabidundead Linux - General 0 06-10-2001 03:03 AM


All times are GMT -5. The time now is 08:51 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration