LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-08-2006, 02:31 AM   #1
easy2bfree
LQ Newbie
 
Registered: Aug 2006
Posts: 2

Rep: Reputation: 0
Possible compromise of Debian (Knoppix) system?


I was on the net looking for a deal on tickets at Pricewatch.com. If you scroll to the bottom of the page there are a bunch of links to interesting news items, which is actually probably irrelevant here, but I followed a link and when it got to the page, my browser closed down (Opera 9.0). I opened it back up but it was running slower than usual. I thought that was odd, since everything else seemed to be normal, and I got suspicious and ran chkrootkit. the out put seemed normal except for the last line, which said: Checking `z2'... user root deleted or never logged from lastlog!

I have never seen this message before when running a rootkit check, so thought it odd. But I have done a little googling and no one seems to be able to confirm whether this is really something to worry about or not. does anyone have some info about this that might help me further my forensic search?
 
Old 08-08-2006, 06:27 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

Rep: Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953
I followed a link and when it got to the page, my browser closed down (Opera 9.0).
Did you run as root or as unprivileged user?
Can you repeat the steps and still have Opera crash?
If it did, submit this as a possible bug to the Opera team.


I opened it back up but it was running slower than usual.
Did you check process (ps -ax), network connection (netstat -an) and user (w, last, lastb) listings?
If the box wasn't rebooted since noticing lastlog deletion run those commands now anyway.


I thought that was odd, since everything else seemed to be normal, and I got suspicious and ran chkrootkit.
Can you post the full output? Can you run "debsums -als 2>&1 | tee /tmp/debsums.log" to verify package contents are OK too?


the out put seemed normal except for the last line, which said: Checking `z2'... user root deleted or never logged from lastlog!
Did you ever log in as root? When was the last time you did that? Can you correlate this with entries from running "last" and syslog messages? What services do you provide (accessable from outside your box)? Are there any other users that are allowed access? Any other "weird" things happening earlier on you fixed or are worth mentioning?


I have never seen this message before when running a rootkit check, so thought it odd.
Sofar unclear: could be a sign but could also be a glitch. Still it's best to be prepared. Try and read these two docs for starters:
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261

Last edited by unSpawn; 08-08-2006 at 06:30 AM. Reason: //Have keybd, can't type
 
Old 08-13-2006, 02:11 PM   #3
easy2bfree
LQ Newbie
 
Registered: Aug 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for the info....

Sorry so long in responding, but my dsl connection is no longer (I was using an account setup by previous tenants and it expired), so until I get a new one, I have limited access. I will try the things you suggested and go from there. Thanks again. Easy
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Debian Server restored after Compromise LXer Syndicated Linux News 0 07-14-2006 03:54 AM
Possible system compromise (slackware linux 10.2, apache 1.3.33, OpenSSL 0.9.7g) Noido Linux - Security 9 05-11-2006 04:07 PM
compromise linux system using non-root account? cynick Linux - Security 6 04-24-2006 05:32 AM
What's the difference between debian and other debian-based distro like knoppix? Akhran Debian 11 08-28-2005 07:07 PM
phpBB Compromise chris_yumm Linux - Security 6 07-22-2005 01:54 AM


All times are GMT -5. The time now is 04:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration