I was running gtk-gnutella last night and this afternoon. When I came home this evening and sat down at my computer I noticed that K3B was running (I didn't, to my knowledge, start it) and it was displaying this message:
cdrecord will be run with root privileges on kernel >= 2.6.8
Since Linux kernel 2.6.8 cdrecord will not work when run suid root for security reasons anymore.
Solution: Use K3bSetup to solve this problem.
So I checked my system logs and found this:
localhost msec changed mode of /var/log/clamav/freshclam.log from 644 to 640
localhost msec changed mode of /var/log/security/sgid.today from 644 to 640
localhost msec changed mode of /var/log/security/unowned_user.today from 644 to 640
localhost msec changed mode of /var/log/wtmp from 664 to 640
localhost msec changed group of /var/log/wtmp from utmp to root
localhost msec changed mode of /var/log/security/open_port.today from 644 to 640
localhost msec changed mode of /var/log/security/rpm-va-config.today from 644 to 640
localhost msec changed mode of /var/log/security/suid_root.today from 644 to 640
localhost msec changed mode of /var/log/security.log from 644 to 640
localhost msec changed mode of /var/log/security/suid_md5.today from 644 to 640
localhost msec changed mode of /var/log/security/writable.today from 644 to 640
localhost msec changed mode of /var/log/security/unowned_group.today from 644 to 640
localhost msec changed mode of /var/log/security/rpm-va.today from 644 to 640
localhost msec changed mode of /var/log/security/rpm-qa.today from 644 to 640
The log file indicates that these changes were made at 5:01am. I was asleep at 5:01am. I'm not sure if these are normal changes that occur automatically or what they mean. I Googled around a little bit and found someone who thought they had been compromised who had similar entries in their log file:
http://www.webservertalk.com/message421422.html
I'm pretty sure that I've been hacked; I found mldonkey running on one of my systems. I had an open FTP port which I normally keep closed but I opened for someone to do a download and then forgot to close. I have a Linksys router which has open SSH ports and had an open FTP port (which is now closed). The machine that was compromised with mldonkey is running Mandrake 9.2, as is the FTP machine. I ran chkrootkit-0.44 (the latest) on all of my machines and it found nothing. There is a restart message in the /var/log/messages on all of my systems that has roughly the same time stamp.
Oct 3 04:02:10 localhost syslogd 1.4.1: restart.
What else should I do and which logs should I check? Is there another port besides FTP that is a likely entry point? Could SSH have been compromised?
Here are some suspicious entries in the log on the machine that had mldonkey:
/var/log/auth.log
Oct 3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_root.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/suid_md5.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/sgid.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
Oct 3 05:01:03 saratoga msec: changed group of /var/log/mldonkey.log from mldonkey to adm
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_group.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/writable.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/unowned_user.today from 644 to 640
Is this something normal or does anyone think my system has been compromised? Any help, thanks.
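Added example, not part of the post above and not msec's own code: a small Python triage script for msec log lines of the two shapes quoted on this page (the bare `localhost msec ...` lines and the syslog-stamped `saratoga msec: ...` lines). It parses each `changed mode/owner/group` and `set variable` entry, compares old and new octal modes bit by bit so that a change which only removes permission bits (644 to 640, 664 to 640) is separated from one that adds any, flags ownership and config changes for a human look, and checks whether the stamped entries all fall inside one short window, which is the footprint of a single scheduled run rather than changes scattered across the day. The embedded sample log is constructed from lines on the page plus one made-up entry (`/tmp/example_loosened`, 600 to 666) so the worrying case is exercised; the line formats, field names and thresholds are this example's assumptions.

```python
"""Triage of msec 'changed mode/owner/group' log lines.

Added example, not part of the original post: parse the two line shapes
shown on the page and classify each change so a burst of permission
tightenings stands out from anything that widens access.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: bare "localhost msec ..." lines and syslog-stamped
# "saratoga msec: ..." lines copied from the post, plus one made-up line
# (/tmp/example_loosened) showing a change that widens access.
SAMPLE_LOG = """\
localhost msec changed mode of /var/log/clamav/freshclam.log from 644 to 640
localhost msec changed mode of /var/log/wtmp from 664 to 640
localhost msec changed group of /var/log/wtmp from utmp to root
Oct 3 05:01:02 saratoga msec: set variable SystemMenu to true in /etc/X11/gdm/gdm.conf
Oct 3 05:01:03 saratoga msec: changed mode of /var/log/security/open_port.today from 644 to 640
Oct 3 05:01:03 saratoga msec: changed owner of /var/log/mldonkey.log from mldonkey to root
Oct 3 05:01:03 saratoga msec: changed mode of /tmp/example_loosened from 600 to 666
"""

LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) )?"  # optional syslog stamp
    r"(?P<host>\S+) msec:? (?P<body>.+)$"                        # host, "msec" or "msec:"
)
CHANGE_RE = re.compile(
    r"^changed (?P<what>mode|owner|group) of (?P<path>\S+) from (?P<old>\S+) to (?P<new>\S+)$"
)
SET_RE = re.compile(r"^set variable (?P<var>\S+) to (?P<value>\S+) in (?P<path>\S+)$")


@dataclass
class MsecEvent:
    host: str
    kind: str                      # mode | owner | group | variable
    path: str
    old: str
    new: str
    verdict: str                   # tightened | loosened | mixed | unchanged | ownership | config
    seconds: Optional[int] = None  # seconds since midnight, when the line carried a stamp


def _seconds_of_day(stamp: str) -> int:
    hh, mm, ss = stamp.split()[-1].split(":")
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def classify_mode(old: str, new: str) -> str:
    """Compare two octal mode strings bit by bit: did access shrink, grow, or both?"""
    o, n = int(old, 8), int(new, 8)
    added, removed = n & ~o, o & ~n
    if added and not removed:
        return "loosened"
    if removed and not added:
        return "tightened"
    return "mixed" if added else "unchanged"


def parse_msec_log(text: str) -> List[MsecEvent]:
    events: List[MsecEvent] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an msec line; leave it to other tooling
        secs = _seconds_of_day(m["ts"]) if m["ts"] else None
        c = CHANGE_RE.match(m["body"])
        if c:
            verdict = classify_mode(c["old"], c["new"]) if c["what"] == "mode" else "ownership"
            events.append(MsecEvent(m["host"], c["what"], c["path"], c["old"], c["new"], verdict, secs))
            continue
        s = SET_RE.match(m["body"])
        if s:
            events.append(MsecEvent(m["host"], "variable", s["path"], s["var"], s["value"], "config", secs))
    return events


def needs_review(events: List[MsecEvent]) -> List[MsecEvent]:
    """Everything except a plain permission tightening deserves a human look."""
    return [e for e in events if e.verdict != "tightened"]


def single_burst(events: List[MsecEvent], max_seconds: int = 60) -> bool:
    """True when all stamped events sit inside one short window, the shape a
    scheduled job leaves behind; changes scattered over the day would not."""
    stamps = [e.seconds for e in events if e.seconds is not None]
    return bool(stamps) and max(stamps) - min(stamps) <= max_seconds


if __name__ == "__main__":
    evts = parse_msec_log(SAMPLE_LOG)
    print(f"{len(evts)} msec events, one burst: {single_burst(evts)}")
    for e in needs_review(evts):
        print(f"  review: {e.verdict:9} {e.kind:8} {e.path} ({e.old} -> {e.new})")
```

Run against the real files (`/var/log/auth.log`, `/var/log/security.log`) by passing their contents to `parse_msec_log`. The useful output is the `needs_review` list: on the lines quoted in this post it would contain only the wtmp group change, the gdm.conf variable, and the mldonkey.log ownership changes, none of which widens access, while the 600 to 666 sample line shows the kind of entry that would deserve immediate attention.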