Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
01-01-2006, 07:38 AM | #1
Member | Registered: Dec 2004 | Location: Haifa | Distribution: Fedora Core 4, Kubuntu | Posts: 235
Root email frightening me
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
Code:
--------------------- pam_unix Begin ------------------------
kde-np:
Unknown Entries:
session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Smartd Begin ------------------------
**Unmatched Entries**
smartd received signal 15: Terminated
smartd is exiting (exit status 0)
---------------------- Smartd End -------------------------
--------------------- Selinux Audit Begin ------------------------
Number of audit daemon starts: 1
Number of audit daemon stops: 2
*** Logs which could mean a bug ***
major=252 name_count=0: freeing multiple contexts (1)
major=113 name_count=0: freeing multiple contexts (2)
---------------------- Selinux Audit End -------------------------
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 1 Time(s)
---------------------- SSHD End -------------------------
--------------------- httpd Begin ------------------------
Requests with error response codes
404 Not Found
/cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
/cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
/favicon.ico: 32 Time(s)
/javascript/HM_Arrays.js: 1 Time(s)
/javascript/HM_ScriptDOM.js: 1 Time(s)
/mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
/php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------
kde:
Unknown Entries:
session closed for user dotancohen: 3 Time(s)
session opened for user dotancohen by (uid=0): 3 Time(s)
kde-np:
Unknown Entries:
session closed for user dotancohen: 3 Time(s)
session opened for user dotancohen by (uid=0): 2 Time(s)
su:
Sessions Opened:
(uid=500) -> root: 3 Time(s)
system-config-display:
Unknown Entries:
auth could not identify password for [root]: 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- httpd Begin ------------------------
Requests with error response codes
403 Forbidden
/cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
404 Not Found
/Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
/Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
/admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/blog/xmlrpc.php: 2 Time(s)
/blog/xmlsrv/xmlrpc.php: 2 Time(s)
/blogs/xmlsrv/xmlrpc.php: 2 Time(s)
/cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
/cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
/drupal/xmlrpc.php: 2 Time(s)
/mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
/modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
/modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
/modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
/php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
/phpgroupware/xmlrpc.php: 2 Time(s)
/wordpress/xmlrpc.php: 2 Time(s)
/xmlrpc.php: 4 Time(s)
/xmlrpc/xmlrpc.php: 2 Time(s)
/xmlsrv/xmlrpc.php: 2 Time(s)
---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------
kde-np:
Unknown Entries:
session closed for user dotancohen: 2 Time(s)
session opened for user dotancohen by (uid=0): 1 Time(s)
su:
Sessions Opened:
(uid=500) -> root: 3 Time(s)
---------------------- pam_unix End -------------------------
These are the most suspicious. If anyone could clarify them a bit, I would appreciate it. Thank you!
Dotan Cohen
http://technology-sleuth.com/short_a...t_is_hdtv.html
01-02-2006, 12:20 AM | #2
Member | Registered: Aug 2004 | Location: India | Distribution: Redhat 9.0, FC3, FC5, FC10 | Posts: 257
Hey Dotan,
If you've not checked root email in a month, the chances are that you don't really care about it at all. Now the thing is that there are a huge number of applications and processes configured in *nix that send mail to the administrator of that machine, which by default is root@localhost, whenever they start up, stop, close with an error, etc. So I really wouldn't be bothered too much. Just a tip though: if you really don't want those mails coming in and filling up your disk space, just stop the sendmail and sm-client services in runlevels 3 & 5, because that's what you would be booting into:
chkconfig --level 35 sendmail off
chkconfig --level 35 sm-client off
I think this should solve your problem. I wouldn't worry too much about those logs though. A better place to look for alerts, misconfigurations, hacks etc. would be /var/log/messages.
Post back if this doesn't help you.
Cheers
Arvind
01-02-2006, 01:52 AM | #3
Member (Original Poster) | Registered: Dec 2004 | Location: Haifa | Distribution: Fedora Core 4, Kubuntu | Posts: 235
Thanks, the advice DOES help, but I am posting back nonetheless.
I do care about root email, but I am not a sysadmin and simply CANNOT give it higher priority than it already has in my life. I do intend on checking it, but not every day.
As for the logs, you are certainly right. I should have dug through there at the moment that I suspected trouble. That's what I will do from now on. Thank you.
Dotan Cohen
01-02-2006, 04:48 AM | #4
Member | Registered: Aug 2004 | Location: India | Distribution: Redhat 9.0, FC3, FC5, FC10 | Posts: 257
That's cool, and you're welcome. If you don't have enough time to go through logs every day, then you might want to make a list of what's really important to you in the email you want to read (root email), and configure syslog accordingly. No, it isn't tough at all.
So say you decide all ssh related stuff is important to you: add a line in syslog.conf saying...
sshd.* your mail address ... just check up on the syntax.
Cheers
Arvind
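A working version of the "only mail me what matters" idea, added here as an example and not part of Arvind's post. One thing to know before touching syslog.conf: classic syslogd selectors are facility.priority pairs (authpriv.*, mail.info, ...), there is no per-program selector, and on Fedora sshd logs to the authpriv facility, which the stock syslog.conf sends to /var/log/secure. So the filtering by program has to happen on the log file afterwards, which is what this script does: it keeps the entries of the programs in WATCH, tallies sshd password failures per source address, and renders a message that can be piped into sendmail from cron. The log lines, hostname, addresses and recipient are constructed for the example.

```python
"""Digest of the log entries worth mailing, instead of everything.

Added example for this thread, not code from the post.  Reads syslog-style
lines (the /var/log/secure format), keeps the programs in WATCH, and builds
an RFC 822 message.  SAMPLE_SECURE is constructed; nothing in it is real.
"""
import re
import sys
from collections import defaultdict
from email.message import EmailMessage

# Traditional syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_SSH = re.compile(r"Failed password for .* from (?P<ip>\S+) port")

WATCH = {"sshd", "su"}   # programs whose entries go into the digest

# Constructed sample in the format of /var/log/secure on a 2006-era Fedora box.
SAMPLE_SECURE = """\
Jan  2 04:10:01 fc4box sshd[2211]: Accepted publickey for dotancohen from 10.0.0.5 port 51022 ssh2
Jan  2 04:12:44 fc4box sshd[2230]: Failed password for illegal user test from 203.0.113.9 port 3342 ssh2
Jan  2 04:12:47 fc4box sshd[2230]: Failed password for illegal user guest from 203.0.113.9 port 3351 ssh2
Jan  2 09:30:12 fc4box su(pam_unix)[2410]: session opened for user root by dotancohen(uid=500)
Jan  2 09:31:00 fc4box su(pam_unix)[2410]: session closed for user root
Jan  2 10:00:00 fc4box smartd[1234]: smartd received signal 15: Terminated
Jan  2 10:00:01 fc4box sshd[2500]: Received signal 15; terminating.
"""


def parse_line(line: str):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prog"] = rec["prog"].split("(")[0]   # "su(pam_unix)" -> "su"
    return rec


def digest(text: str, watch=WATCH):
    """Group the messages of watched programs, keyed by program name."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prog"] in watch:
            groups[rec["prog"]].append(f"{rec['ts']} {rec['msg']}")
    return dict(groups)


def failed_by_source(text: str):
    """Count sshd password failures per source address."""
    counts = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prog"] == "sshd":
            m = FAILED_SSH.search(rec["msg"])
            if m:
                counts[m.group("ip")] += 1
    return dict(counts)


def build_mail(text: str, sender="logdigest@localhost",
               recipient="dotancohen@localhost") -> EmailMessage:
    """Render the digest as a mail message; From/To are assumed addresses."""
    groups = digest(text)
    failures = failed_by_source(text)
    total = sum(len(v) for v in groups.values())
    msg = EmailMessage()
    msg["Subject"] = f"[logdigest] {total} entries from {', '.join(sorted(groups))}"
    msg["From"] = sender
    msg["To"] = recipient
    body = []
    if failures:
        body.append("sshd password failures by source:")
        body.extend(f"  {ip}: {n}" for ip, n in sorted(failures.items()))
        body.append("")
    for prog in sorted(groups):
        body.append(f"--- {prog} ({len(groups[prog])}) ---")
        body.extend(groups[prog])
        body.append("")
    msg.set_content("\n".join(body))
    return msg


if __name__ == "__main__":
    # From cron:  python logdigest.py < /var/log/secure | /usr/sbin/sendmail -t
    text = SAMPLE_SECURE if sys.stdin.isatty() else sys.stdin.read()
    print(build_mail(text))
```

Run without input it prints the digest of the constructed sample; fed the real /var/log/secure it produces exactly the subset of entries (sshd and su here) that the poster said he cared about, and nothing from smartd or the rest.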
01-02-2006, 07:15 AM | #5
Member | Registered: Jun 2005 | Location: Lilburn, Ga | Distribution: FC5 | Posts: 175
Another thought, please. For security reasons, root should NEVER get email. In /etc/aliases route root's email to a user on the box, and don't forget to run "newaliases" after you do that.
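A check for the /etc/aliases advice above, added here as an example (not from the post, and not sendmail's own code): it parses an aliases(5)-style file, follows the chain starting at root, and reports the final destinations together with the things a practitioner would want flagged: root not aliased at all (the stock file ships with the root line commented out), an alias loop, or delivery into a program or file. The alias files below are constructed; "dotancohen" is used as the example user because it appears in the thread's logs.

```python
"""Where does root's mail actually end up?  A check for /etc/aliases.

Added example for this thread, not code from the post or from any MTA.
The alias files are constructed; local_users would normally come from
/etc/passwd (see __main__).
"""
from typing import Dict, List, Set, Tuple

# Constructed aliases files: the same system block with three root lines.
ALIASES_HEAD = """\
# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     root

# General redirections for pseudo accounts.
bin:            root
daemon:         root
nobody:         root

# Person who should get root's mail
"""
ALIASES_OK = ALIASES_HEAD + "root:           dotancohen\n"
ALIASES_STOCK = ALIASES_HEAD + "#root:          marc\n"
ALIASES_LOOP = ALIASES_HEAD + "root:           admin\nadmin:          root\n"


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse 'name: target, target, ...' lines; continuation lines start with whitespace."""
    aliases: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            aliases[current] += [t.strip() for t in raw.split(",") if t.strip()]
            continue
        name, sep, rest = raw.partition(":")
        if not sep:
            continue
        current = name.strip().lower()
        aliases[current] = [t.strip() for t in rest.split(",") if t.strip()]
    return aliases


def resolve(aliases: Dict[str, List[str]], name: str, trail=()) -> Tuple[Set[str], List[str]]:
    """Follow the alias chain from `name`. Returns (final destinations, problems found)."""
    if name in trail:
        return set(), [f"alias loop: {' -> '.join(trail + (name,))}"]
    trail = trail + (name,)
    targets = aliases.get(name.lower())
    if targets is None:
        return {name}, []            # no alias: delivered to that local mailbox
    finals: Set[str] = set()
    problems: List[str] = []
    for t in targets:
        if t.startswith("\\"):        # backslash stops further alias expansion
            finals.add(t[1:])
        elif t.startswith(("|", "/", ":include:")) or "@" in t:
            finals.add(t)            # program, file, include list, or remote address
        else:
            f, p = resolve(aliases, t, trail)
            finals |= f
            problems += p
    return finals, problems


def check_root_mail(text: str, local_users: Set[str]) -> Tuple[Set[str], List[str]]:
    """Report where root's mail goes and anything that looks wrong about it."""
    aliases = parse_aliases(text)
    finals, problems = resolve(aliases, "root")
    if finals == {"root"}:
        problems.append("root is not aliased: mail stays in root's own mailbox")
    for f in sorted(finals):
        if f.startswith(("|", "/")):
            problems.append(f"root mail is delivered to a program or file: {f}")
        elif "@" not in f and not f.startswith(":include:") and f not in local_users:
            problems.append(f"alias target {f!r} is not a local user")
    return finals, problems


if __name__ == "__main__":
    import pwd
    users = {p.pw_name for p in pwd.getpwall()}
    with open("/etc/aliases") as fh:
        finals, problems = check_root_mail(fh.read(), users)
    print("root mail goes to:", ", ".join(sorted(finals)) or "(nowhere)")
    for p in problems:
        print("PROBLEM:", p)
    # After editing /etc/aliases, run newaliases so the aliases.db the MTA reads is rebuilt.
```

The check reads the text file, not aliases.db, so a clean result still depends on having run newaliases after the edit, exactly as the post says.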
01-02-2006, 10:52 AM | #6
Member | Registered: Apr 2005 | Location: Jordan | Distribution: Debian (Sarge), Ubuntu (6.06) | Posts: 271
GL1800
Why is that?
01-02-2006, 02:20 PM | #7
Member | Registered: Jun 2005 | Location: Lilburn, Ga | Distribution: FC5 | Posts: 175
Malicious email owned by root inherits root's privileges. Better that the "bad stuff" be limited in the scope of what and where it can go and do.
01-03-2006, 06:03 AM | #8
Member | Registered: Apr 2005 | Location: Jordan | Distribution: Debian (Sarge), Ubuntu (6.06) | Posts: 271
Thanks for the clarification.
01-09-2006, 04:29 AM | #9
Senior Member | Registered: Mar 2003 | Location: Brisbane Queensland Australia | Distribution: Custom Debian Live ISO's | Posts: 1,291
Quote:
Originally Posted by GL1800
Malicious email owned by root inherits root's privileges. Better that the "bad stuff" be limited in the scope of what and where it can go and do.
Nice tip never thought of that
01-10-2006, 12:56 PM | #10
Member (Original Poster) | Registered: Dec 2004 | Location: Haifa | Distribution: Fedora Core 4, Kubuntu | Posts: 235
Quote:
Originally Posted by GL1800
Malicious email owned by root inherits root's privileges. Better that the "bad stuff" be limited in the scope of what and where it can go and do.
I never realized that! Thank you.
01-11-2006, 11:47 PM | #11
Senior Member | Registered: Aug 2004 | Location: Munich, Germany | Distribution: Opensuse 11.2 | Posts: 1,549
Quote:
--------------------- pam_unix Begin ------------------------
kde-np:
Unknown Entries:
session opened for user dotancohen by (uid=0): 1 Time(s)
--------------------- pam_unix Begin ------------------------
kde:
Unknown Entries:
session closed for user dotancohen: 3 Time(s)
session opened for user dotancohen by (uid=0): 3 Time(s)
kde-np:
Unknown Entries:
session closed for user dotancohen: 3 Time(s)
session opened for user dotancohen by (uid=0): 2 Time(s)
su:
Sessions Opened:
(uid=500) -> root: 3 Time(s)
system-config-display:
Unknown Entries:
auth could not identify password for [root]: 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- pam_unix Begin ------------------------
kde-np:
Unknown Entries:
session closed for user dotancohen: 2 Time(s)
session opened for user dotancohen by (uid=0): 1 Time(s)
su:
Sessions Opened:
(uid=500) -> root: 3 Time(s)
---------------------- pam_unix End -------------------------
Various logins, logouts and su's by yourself and root. One time you tried to start system-config-display and input the wrong password in the 'please enter root password' box that comes up.
Quote:
--------------------- Smartd Begin ------------------------
**Unmatched Entries**
smartd received signal 15: Terminated
smartd is exiting (exit status 0)
---------------------- Smartd End -------------------------
The smartd program was terminated, seemingly with no errors (exit status 0). This is usually not a problem as you may not even have SMART on your hard drives, let alone be interested in monitoring them with it.
Quote:
--------------------- Selinux Audit Begin ------------------------
Number of audit daemon starts: 1
Number of audit daemon stops: 2
*** Logs which could mean a bug ***
major=252 name_count=0: freeing multiple contexts (1)
major=113 name_count=0: freeing multiple contexts (2)
---------------------- Selinux Audit End -------------------------
Don't know much about selinux but doesn't look like anything's wrong.
Quote:
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 1 Time(s)
---------------------- SSHD End -------------------------
The ssh server was shut down and restarted once.
Quote:
--------------------- httpd Begin ------------------------
Requests with error response codes
404 Not Found
/cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
/cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
/favicon.ico: 32 Time(s)
/javascript/HM_Arrays.js: 1 Time(s)
/javascript/HM_ScriptDOM.js: 1 Time(s)
/mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
/php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
---------------------- httpd End -------------------------
--------------------- httpd Begin ------------------------
Requests with error response codes
403 Forbidden
/cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
404 Not Found
/Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
/Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
/admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/blog/xmlrpc.php: 2 Time(s)
/blog/xmlsrv/xmlrpc.php: 2 Time(s)
/blogs/xmlsrv/xmlrpc.php: 2 Time(s)
/cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
/cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
/drupal/xmlrpc.php: 2 Time(s)
/mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
/modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
/modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
/modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
/php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
/phpgroupware/xmlrpc.php: 2 Time(s)
/wordpress/xmlrpc.php: 2 Time(s)
/xmlrpc.php: 4 Time(s)
/xmlrpc/xmlrpc.php: 2 Time(s)
/xmlsrv/xmlrpc.php: 2 Time(s)
---------------------- httpd End -------------------------
Failed attempts by script kiddies to exploit web server or script vulnerabilities that you don't have.
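A way to do the triage tkedwards did by eye, added here as an example and not code from the thread or from logwatch. It reads the "Requests with error response codes" block of the report in post #1 and sorts each path into exploit probe or ordinary error using the markers visible there: shell metacharacters smuggled into a query string (the "|echo;echo" payloads aimed at awstats and Mambo), PHP superglobal overrides such as _REQUEST[option], and the mass requests for xmlrpc.php under a dozen application prefixes. The report's own paths are truncated with "...", so SAMPLE_REPORT is constructed in the same shape rather than reproduced. One caveat the report cannot show: logwatch lists only error responses here, so a probe that had actually succeeded would have returned 200 and would not appear in this block at all; the same classifier run over access_log directly is the check that closes that gap.

```python
"""Triage of the httpd block in a logwatch-style report.

Added example for this thread; not code from the original post or from
logwatch.  Splits "Requests with error response codes" entries into exploit
probes and ordinary errors.  SAMPLE_REPORT is constructed; the entries on
the page are truncated and are not reproduced here.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the shape of logwatch's httpd section.
SAMPLE_REPORT = """\
404 Not Found
/cvs/index2.php?_REQUEST[option]=com_content&cmd=cd%20/tmp;echo%20YYY;echo|: 1 Time(s)
/favicon.ico: 32 Time(s)
/javascript/HM_Arrays.js: 1 Time(s)
/index2.php?_REQUEST[option]=com_content: 1 Time(s)
/mambo/index2.php?_REQUEST[option]=com_content&cmd=echo%20YYY;echo|: 1 Time(s)
403 Forbidden
/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo|: 1 Time(s)
404 Not Found
/blog/xmlrpc.php: 2 Time(s)
/wordpress/xmlrpc.php: 2 Time(s)
/xmlrpc.php: 4 Time(s)
"""

STATUS = re.compile(r"^(?P<code>\d{3}) (?P<reason>[A-Za-z ]+)$")
ENTRY = re.compile(r"^(?P<path>/.*?): (?P<count>\d+) Time\(s\)$")

# Shell metacharacters that have no business in a query string aimed at a
# PHP or CGI script; checked on the URL-decoded query so %7C / %3B count too.
SHELL_META = re.compile(r"[|;`]|\$\(")
# Attempts to overwrite PHP superglobals through the query string
# (register_globals-era technique; _REQUEST[option] is what the report shows).
SUPERGLOBAL = re.compile(r"(?:_REQUEST|_GET|_POST|_COOKIE|_SERVER|GLOBALS)\[")

ORDINARY = "ordinary error"


def classify(path: str) -> str:
    """Label one request path from the report."""
    base, _, query = path.partition("?")
    decoded = unquote(query)
    if SHELL_META.search(decoded):
        return "command-injection probe"
    if SUPERGLOBAL.search(decoded):
        return "php-superglobal probe"
    if base.endswith("/xmlrpc.php"):
        return "xmlrpc probe"
    return ORDINARY


def triage(report: str):
    """Return (hit counts per label, list of (status, label, path, count) probes)."""
    status = None
    totals = Counter()
    probes = []
    for line in report.splitlines():
        m = STATUS.match(line)
        if m:
            status = m.group("code")   # a "404 Not Found" header applies to the entries below it
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        path, count = m.group("path"), int(m.group("count"))
        label = classify(path)
        totals[label] += count
        if label != ORDINARY:
            probes.append((status, label, path, count))
    return totals, probes


if __name__ == "__main__":
    totals, probes = triage(SAMPLE_REPORT)
    for label, n in totals.most_common():
        print(f"{n:4d}  {label}")
    for status, label, path, count in probes:
        print(f"{status}  {label:24s} {path}")
```

On the constructed sample this reports 33 ordinary errors (favicon.ico and the two .js files) against 12 probe hits, and the 403 on the awstats request says what tkedwards said: the server refused it because there is no such CGI, and the 404s mean the PHP applications being probed for are not installed.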
01-12-2006, 11:45 AM | #12
Member (Original Poster) | Registered: Dec 2004 | Location: Haifa | Distribution: Fedora Core 4, Kubuntu | Posts: 235
Quote:
Originally Posted by tkedwards
Various logins, logouts and su's by yourself and root. One time you tried to start system-config-display and input the wrong password in the 'please enter root password' box that comes up.
Well, that's something that I don't remember ever starting. But maybe the wife started it by accident; that would explain the wrong password! I see that system-config-display has a button in the K menu, so she could have hit it by accident.
Quote:
Originally Posted by tkedwards
The smartd program was terminated, seemingly with no errors (exit status 0). This is usually not a problem as you may not even have SMART on your hard drives, let alone be interested in monitoring them with it.
Could be, but again, that is something that I don't remember doing myself. That is why I was curious.
Quote:
Originally Posted by tkedwards
Don't know much about selinux but doesn't look like anything's wrong.
That's reassuring.
Quote:
Originally Posted by tkedwards
The ssh server was shutdown and restarted once.
And why is that? If not by myself? An update?
Quote:
Originally Posted by tkedwards
Failed attempts by script kiddies to exploit web server or script vulnerabilities that you don't have.
Maniacs!