LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Possible compromise of Debian (Knoppix) system? (http://www.linuxquestions.org/questions/linux-security-4/possible-compromise-of-debian-knoppix-system-471837/)

easy2bfree 08-08-2006 01:31 AM

Possible compromise of Debian (Knoppix) system?
 
I was on the net looking for a deal on tickets at Pricewatch.com. If you scroll to the bottom of the page there are a bunch of links to interesting news items, which is actually probably irrelevant here, but I followed a link and when it got to the page, my browser closed down (Opera 9.0). I opened it back up but it was running slower than usual. I thought that was odd, since everything else seemed to be normal, and I got suspicious and ran chkrootkit. the out put seemed normal except for the last line, which said: Checking `z2'... user root deleted or never logged from lastlog!

I have never seen this message before when running a rootkit check, so thought it odd. But I have done a little googling and no one seems to be able to confirm whether this is really something to worry about or not. does anyone have some info about this that might help me further my forensic search?

unSpawn 08-08-2006 05:27 AM

I followed a link and when it got to the page, my browser closed down (Opera 9.0).
Did you run as root or as unprivileged user?
Can you repeat the steps and still have Opera crash?
If it did, submit this as a possible bug to the Opera team.


I opened it back up but it was running slower than usual.
Did you check process (ps -ax), network connection (netstat -an) and user (w, last, lastb) listings?
If the box wasn't rebooted since noticing lastlog deletion run those commands now anyway.


I thought that was odd, since everything else seemed to be normal, and I got suspicious and ran chkrootkit.
Can you post the full output? Can you run "debsums -als 2>&1 | tee /tmp/debsums.log" to verify package contents are OK too?


the out put seemed normal except for the last line, which said: Checking `z2'... user root deleted or never logged from lastlog!
Did you ever log in as root? When was the last time you did that? Can you correlate this with entries from running "last" and syslog messages? What services do you provide (accessable from outside your box)? Are there any other users that are allowed access? Any other "weird" things happening earlier on you fixed or are worth mentioning?


I have never seen this message before when running a rootkit check, so thought it odd.
Sofar unclear: could be a sign but could also be a glitch. Still it's best to be prepared. Try and read these two docs for starters:
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261

easy2bfree 08-13-2006 01:11 PM

Thanks for the info....
 
Sorry so long in responding, but my dsl connection is no longer (I was using an account setup by previous tenants and it expired), so until I get a new one, I have limited access. I will try the things you suggested and go from there. Thanks again. Easy


All times are GMT -5. The time now is 12:48 AM.