Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
09-28-2004, 12:31 PM, #1
LQ Newbie, Registered: Jul 2003, Posts: 10
Compromised? Files "/usr/lib.hwm", "/usr/lib.pwd", "/usr/lib.pwi"
Hi,
I found 3 unknown files on an RH 7.2 system:
/usr/lib.hwm (1024 bytes)
/usr/lib.pwd (214540 bytes)
/usr/lib.pwi (11364 bytes)
The files are nearly the same as the "/usr/lib/cracklib_dict.*" files.
I have those too.
rpm -q --whatprovides /usr/lib.hwm etc. returns no result.
The system is up to date.
Now my question:
Does anyone know these files?
Is this a sign of a compromise?
What can I do to find out?
I have chkrootkit installed on THIS machine, no result.
I have no physical access to the machine, only access via ssh.
Thanks for helping,
greetings from Germany, Black Forest,
Klaus
09-28-2004, 12:47 PM, #2
Senior Member, Registered: Jul 2004, Distribution: Ubuntu 7.04, Posts: 1,994
Are you saying that you have run chkrootkit on the possibly infected machine? If not, you should be able to use scp to copy chkrootkit onto it (which copies files using the same protocol as ssh).
These are not files that one would normally expect to see, so I think it's likely that you have been cracked. As a first step I'd make sure that root logins by ssh are disabled, and then change the passwords for all users, including root.
You may also want to rpm --verify --whatprovides /usr/lib/cracklib_dict.* to see if RPM reports any changes.
Then again, I'm not familiar with Red Hat, so it could just be normal files for an installation.
Hope that's of some help,
— Robert J. Lee
09-28-2004, 02:22 PM, #3
LQ Newbie (Original Poster), Registered: Jul 2003, Posts: 10
Quote:
Originally posted by rjlee
Are you saying that you have run chkrootkit on the possibly infected machine? If not, you should be able to use scp to copy chkrootkit onto it (which copies files using the same protocol as ssh).
These are not files that one would normally expect to see, so I think it's likely that you have been cracked. As a first step I'd make sure that root logins by ssh are disabled, and then change the passwords for all users, including root.
You may also want to rpm --verify --whatprovides /usr/lib/cracklib_dict.* to see if RPM reports any changes.
Then again, I'm not familiar with Red Hat, so it could just be normal files for an installation.
Hope that's of some help,
— Robert J. Lee
I got the source of chkrootkit via wget and compiled it on this machine.
A mistake?
The files are not from the RH 7.2 installation.
I have an early backup, and in it they are not present.
Root login via ssh is only possible with a PGP key. Not very secure, I know.
I searched a lot and found that in the hour these files were created I compiled a new PHP (4.3.5) on this server.
So maybe these files are part of this compilation or another one.
I compiled PHP again (only make) but I did not find the files freshly created in the compile folder.
I think it would have to be a magical coincidence that an attack was in progress at the same moment I was compiling a new PHP.
But nobody knows these files...
Thanks!
Klaus
09-28-2004, 06:05 PM, #4
Moderator, Registered: May 2001, Posts: 29,415
Quote:
The files are nearly the same as the "/usr/lib/cracklib_dict.*" files.
Those hwm, pwd and pwi files can be the result of making dictionaries for password cracking (purpose good or bad).
What services run on the box? What version are they (IOW, are they patched)? Are they publicly accessible?
Did you shut down all publicly accessible services while "investigating"?
Did you check auth files, system, login and daemon logs for events before, at and after the modification or creation time of these files?
Users' shell history?
Who owns these files? What access rights do they have?
Any setuid root binaries around that look strange?
Anything else on the system that "doesn't feel right" or behaves "strangely"?
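The two replies above suggest concrete checks: rjlee's RPM ownership and verification query (#2) and unSpawn's triage checklist (#4). The script below is an added example, written for this page and not code from the thread or from LinuxQuestions, that turns those checks into small shell functions and runs them against constructed data. It assumes a GNU/Linux host with POSIX sh, GNU find, stat and awk; rpm is optional and the functions degrade gracefully without it. The demo file names (lib.hwm, older.txt, secure) and the log lines are constructed for the demonstration, not taken from the poster's system. One fact worth knowing about the file sizes reported in #1: cracklib's packer writes its "high water mark" table as 256 32-bit integers, so a genuine .hwm file is exactly 1024 bytes, and that table is what cracklib's password-quality checker reads, not a cracking tool.

```sh
#!/bin/sh
# Triage helpers for the checklist in post #4. Added example, not code
# from the thread. Assumes GNU/Linux (GNU find/stat/awk, POSIX sh); rpm
# is optional. Everything built inside demo() is constructed test data.

# Package ownership and integrity (post #2). rpm -qf names the package
# that owns a path; rpm -Vf verifies that package. In -V output the flags
# S 5 M U G T mark changed size, MD5, mode, owner, group and mtime;
# no output means the file matches the package database.
pkg_check() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available, cannot check $1"; return 0
    fi
    if rpm -qf "$1" >/dev/null 2>&1; then
        rpm -qf "$1"
        rpm -Vf "$1" || true      # -V exits non-zero when anything differs
    else
        echo "UNOWNED: $1"       # unowned under /usr/lib deserves a look
    fi
}

# Owner, mode and all three timestamps. ctime cannot be set with touch,
# so a ctime far from the mtime means the inode was changed later.
file_meta() {
    stat -c '%n owner=%U mode=%a mtime=%y ctime=%z atime=%x' "$1"
}

# cracklib writes 256 x 32-bit high-water marks, i.e. exactly 1024 bytes.
# A size match is a hint, not proof: an attacker could plant a 1024-byte file.
hwm_size_plausible() {
    _size=$(wc -c < "$1")
    [ "$_size" -eq 1024 ]
}

# Files modified inside a time window. Two reference files carry the
# bounds so this stays POSIX; GNU find's -cnewer would do the same for ctime.
files_changed_between() {   # dir  YYYYMMDDhhmm  YYYYMMDDhhmm
    _tmp=$(mktemp -d) || return 1
    touch -t "$2" "$_tmp/start" && touch -t "$3" "$_tmp/end"
    find "$1" -type f -newer "$_tmp/start" ! -newer "$_tmp/end" -print
    rm -rf "$_tmp"
}

# setuid-root binaries on one filesystem; compare against rpm -qf output.
setuid_root_files() {
    find "$1" -xdev -type f -user root -perm -4000 -print 2>/dev/null
}

# Auth-log lines for an hour range on one day, syslog "Mon DD HH:MM:SS"
# format. Pass the day as "Sep 28"; awk's default field splitting absorbs
# the double space syslog uses for days below 10.
log_lines_in_window() {    # logfile  "Mon DD"  first_hour  last_hour
    awk -v d="$2" -v h1="$3" -v h2="$4" '
        ($1 " " $2) == d {
            split($3, t, ":"); h = t[1] + 0
            if (h >= h1 && h <= h2) print
        }' "$1"
}

# Constructed demonstration data; addresses are from documentation ranges.
demo() {
    _d=$(mktemp -d) || return 1
    dd if=/dev/zero of="$_d/lib.hwm" bs=1024 count=1 2>/dev/null
    touch -t 200409281405 "$_d/lib.hwm"     # created in the PHP-build hour
    touch -t 200409201200 "$_d/older.txt"   # well outside the window
    cat > "$_d/secure" <<'EOF'
Sep 28 09:12:41 web sshd[1201]: Accepted publickey for root from 192.0.2.10 port 40122 ssh2
Sep 28 14:02:17 web sshd[2210]: Accepted publickey for root from 192.0.2.10 port 40801 ssh2
Sep 28 14:03:55 web su(pam_unix)[2234]: session opened for user root by klaus(uid=500)
Sep 28 22:30:08 web sshd[3100]: Failed password for illegal user test from 198.51.100.7 port 51002 ssh2
EOF
    echo "== package";  pkg_check "$_d/lib.hwm"
    echo "== metadata"; file_meta "$_d/lib.hwm"
    hwm_size_plausible "$_d/lib.hwm" && echo "== size consistent with a cracklib .hwm"
    echo "== files modified 2004-09-28 13:00-15:00"
    files_changed_between "$_d" 200409281300 200409281500
    echo "== auth log, 13h-15h the same day"
    log_lines_in_window "$_d/secure" "Sep 28" 13 15
    rm -rf "$_d"
}
demo
```

On a real box the calls would be `pkg_check /usr/lib.hwm`, `files_changed_between /usr 200409281300 200409281500`, `setuid_root_files /` and `log_lines_in_window /var/log/secure "Sep 28" 13 15`. Run the checks from a known-good copy of the tools if a rootkit is suspected: a compromised `find`, `ls` or `stat` will hide exactly what you are looking for.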
09-29-2004, 12:33 AM, #5
LQ Newbie (Original Poster), Registered: Jul 2003, Posts: 10
Quote:
Originally posted by unSpawn
The files are nearly the same as the "/usr/lib/cracklib_dict.*" files.
Those hwm, pwd and pwi files can be the result of making dictionaries for password cracking (purpose good or bad).
What services run on the box? What version are they (IOW, are they patched)? Are they publicly accessible? Did you shut down all publicly accessible services while "investigating"? Did you check auth files, system, login and daemon logs for events before, at and after the modification or creation time of these files? Users' shell history? Who owns these files? What access rights do they have? Any setuid root binaries around that look strange? Anything else on the system that "doesn't feel right" or behaves "strangely"?
Sorry, I forgot.
The files are owned by root and have 644 permissions.
And:
You are completely right.
They are dictionaries of Cracklib. I found it later yesterday.
But they are not used (no newer access times (ls -l --time=access)). It was an accidental compile of cracklib, and (because it was long ago) I don't know why I did it or why I did not delete the files. I checked the usage of the files and deleted them yesterday evening.
The system feels o.k. No other signs of strange things. Really. I read books and forums and check the server logs daily.
In the last weeks we have had problems with stability, but(!) we have many more web accesses (4 times more) AND much more spam (3 times more) (SpamAssassin needs a lot of RAM) on the server.
And 512 MB of RAM is not enough at the moment. So in certain situations the server freezes because of memory problems.
So in the logs I only see, shortly before the freeze, httpd processes killed because of memory problems.
Then the other services die slowly, within about 30 minutes.
I changed settings so that Apache, MySQL and SpamAssassin use fewer resources (not easy). Now it is better but not good.
Thanks for helping!
Klaus
All times are GMT -5.