LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-01-2006, 06:40 PM   #1
foodhater
Member
 
Registered: Jul 2004
Distribution: Vector 5.9
Posts: 89

Rep: Reputation: 15
Has my system been compromised?


I was running gtk-gnutella last night and this afternoon. When I came home this evening and sat down at my computer I noticed that K3B was running (I didn't, to my knowledge, start it) and it was displaying this message:

cdrecord will be run with root privileges on kernel >= 2.6.8
Since Linux kernel 2.6.8 cdrecord will not work when run suid root for security reasons anymore.
Solution: Use K3bSetup to solve this problem.

So I checked my system logs and found this:

localhost msec changed mode of /var/log/clamav/freshclam.log from 644 to 640
localhost msec changed mode of /var/log/security/sgid.today from 644 to 640
localhost msec changed mode of /var/log/security/unowned_user.today from 644 to 640
localhost msec changed mode of /var/log/wtmp from 664 to 640
localhost msec changed group of /var/log/wtmp from utmp to root
localhost msec changed mode of /var/log/security/open_port.today from 644 to 640
localhost msec changed mode of /var/log/security/rpm-va-config.today from 644 to 640
localhost msec changed mode of /var/log/security/suid_root.today from 644 to 640
localhost msec changed mode of /var/log/security.log from 644 to 640
localhost msec changed mode of /var/log/security/suid_md5.today from 644 to 640
localhost msec changed mode of /var/log/security/writable.today from 644 to 640
localhost msec changed mode of /var/log/security/unowned_group.today from 644 to 640
localhost msec changed mode of /var/log/security/rpm-va.today from 644 to 640
localhost msec changed mode of /var/log/security/rpm-qa.today from 644 to 640

The log file indicates that these changes were made at 5:01am. I was asleep at 5:01am. I'm not sure if these are normal changes that occur automatically or what they mean. I Googled around a little bit and found someone who thought they had been compromised who had similar entries in their log file:

http://www.webservertalk.com/message421422.html


I'm pretty sure that I've been hacked; I found mldonkey running on one of my systems. I had an open FTP port which I normally keep closed but I opened for someone to do a download and then forgot to close. I have a Linksys router which has open SSH ports and had an open FTP port (which is now closed). The machine that was compromised with mldonkey is running mandrake 9.2 as is the FTP machine. I ran chkrootkit-0.44 (the latest) on all of my machines and it found nothing. There is a restart message in the /var/log/messages on all of my systems that has roughly the same time stamp.

Oct 3 04:02:10 localhost syslogd 1.4.1: restart.

What else should I do and which logs should I check? Is there another port besides FTP that is a likely entry point? Could SSH have been compromised?

Here are some suspicious entries in the log on the machine that had mldonkey,

/var/log/auth.log

Oct 3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
Oct 3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640


Is this something normal or does anyone think my system has been compromised? Any help, thanks.
 
Old 06-01-2006, 06:51 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 151Reputation: 151
Mandriva provides a tool called msec to configure security levels on your box. There's some info at http://mandriva.vmlinuz.ca/index.php.../Security/msec about what it can do. I'd look through your cron jobs to see if it's running at 5:01am.

It would be odd if crackers were tightening the permissions of files on your system, but you never know. I recommend reading the articles at http://www.linuxquestions.org/questi...ad.php?t=45261, they'll give you an idea of where to look to get a better idea of whether your system has been compromised.
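A way to make the two checks in this reply concrete (is the 5:01 run scheduled by cron, and are the changes tightening or loosening access?): the Python script below is an added example, not code from this thread, from Mandriva, or from msec itself. It parses msec "changed mode/owner/group" lines, classifies each mode change by comparing the octal permission bits, and checks whether the event time falls within a couple of minutes of a crontab entry. The log lines and the crontab entry are constructed samples modelled on the lines quoted above; the `/usr/sbin/msec` path, the 5:01 schedule and the 13:37 `/etc/passwd` line are assumptions made for illustration, not Mandriva's real cron configuration or anything from the poster's logs.

```python
"""Triage msec log lines: were the changes scheduled, and did they tighten or loosen access?"""
import re
from collections import namedtuple

# Constructed sample, modelled on the msec lines quoted in the thread (not the poster's actual log).
# The last line is an invented example of what an unscheduled, permission-loosening change looks like.
SAMPLE_LOG = """\
Oct 3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/wtmp from 664 to 640
Oct 3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
Oct 3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
Oct 3 13:37:45 saratoga msec: changed mode of /etc/passwd from 644 to 666
"""

# Constructed system-crontab entry (assumed schedule and path; use what `grep -r msec /etc/cron*` shows).
SAMPLE_CRON = ["1 5 * * * root /usr/sbin/msec"]

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+"
    r"(?P<host>\S+)\s+msec:?\s+(?P<msg>.+)$"
)
CHANGE_RE = re.compile(r"^changed (?P<what>mode|owner|group) of (?P<path>\S+) from (?P<old>\S+) to (?P<new>\S+)$")

Event = namedtuple("Event", "hour minute second host what path old new")


def parse_msec_line(line):
    """Return an Event for a 'changed mode/owner/group' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    c = CHANGE_RE.match(m.group("msg"))
    if not c:
        return None  # e.g. "set variable ..." lines are not mode/ownership changes
    return Event(int(m.group("h")), int(m.group("m")), int(m.group("s")), m.group("host"),
                 c.group("what"), c.group("path"), c.group("old"), c.group("new"))


def mode_change_kind(old, new):
    """Classify an octal mode change by which permission bits were added or removed."""
    o, n = int(old, 8), int(new, 8)
    added, removed = n & ~o, o & ~n
    if not added and not removed:
        return "unchanged"
    if added and not removed:
        return "loosening"   # bits granted, e.g. 644 -> 666 makes a file world-writable
    if removed and not added:
        return "tightening"  # bits revoked, e.g. 644 -> 640 removes world-read
    return "mixed"


def _field_matches(field, value):
    """Match one crontab field (number, list, range, '*', or '*/n') against a value."""
    for part in field.split(","):
        if part == "*":
            return True
        if part.startswith("*/"):
            if value % int(part[2:]) == 0:
                return True
        elif "-" in part:
            lo, hi = map(int, part.split("-"))
            if lo <= value <= hi:
                return True
        elif int(part) == value:
            return True
    return False


def cron_fires_at(cron_line, hour, minute):
    """True if the minute and hour fields of a system crontab line match the given time."""
    fields = cron_line.split()
    return _field_matches(fields[0], minute) and _field_matches(fields[1], hour)


def scheduled_within(cron_lines, hour, minute, slack_minutes=2):
    """Does any cron entry fire inside the slack window ending at hour:minute?"""
    total = hour * 60 + minute
    for back in range(slack_minutes + 1):
        t = (total - back) % (24 * 60)
        if any(cron_fires_at(c, t // 60, t % 60) for c in cron_lines):
            return True
    return False


def triage(log_text, cron_lines):
    """One finding per mode/owner/group change; flags unscheduled or permission-loosening changes."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_msec_line(line)
        if ev is None:
            continue
        scheduled = scheduled_within(cron_lines, ev.hour, ev.minute)
        kind = mode_change_kind(ev.old, ev.new) if ev.what == "mode" else "ownership"
        findings.append({
            "time": f"{ev.hour:02d}:{ev.minute:02d}:{ev.second:02d}",
            "path": ev.path,
            "change": f"{ev.what} {ev.old}->{ev.new}",
            "kind": kind,
            "scheduled": scheduled,
            "suspicious": (not scheduled) or kind in ("loosening", "mixed"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_CRON):
        flag = "CHECK" if f["suspicious"] else "ok   "
        print(f"{flag} {f['time']} {f['path']} {f['change']} ({f['kind']}, scheduled={f['scheduled']})")
```

On a real box, feed it the msec lines from the security log and the msec entries found under the cron directories in place of the two samples. Everything that lands inside the cron window and only removes permission bits (the 644 to 640 pattern in the original post) comes out as "ok"; what deserves follow-up is a change that loosens permissions or one that appears at a time no cron entry explains, which is exactly the distinction this reply draws.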
 
  

