[cobalt-users] Signs That Your System May Have Been Compromised
- Subject: [cobalt-users] Signs That Your System May Have Been Compromised
- From: enrique <enriquevega@xxxxxxx>
- Date: Fri Aug 10 08:51:31 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
I hope that I can get some advice from the folks that know the ins of
the RaQ3. I was recently hacked and am in the process of trying to fix
my server. Note that I have basically set up a closed network while I am
trying to fix things. I basically entered "ALL: ALL" in host.deny and
put my dialup ip address with a couple of other users in the host.allow
file. I've installed port sentry, ipchains, pmfirewire, and a couple of
other things to secure the site.
But after doing a reboot, I noticed some strange things in the log file
which made me wonder. So after looking into an error on portmap, I
decided to look further and ended up at cert.org. So I hope that maybe
someone can help decipher some of the problems I am having.
First, is a partial listing of the log messages dealing with RPC and
portmap after rebooting:
Aug 9 12:37:08 www kernel: portmap: RPC call returned error 111
Aug 9 12:37:08 www kernel: RPC: task of released request still queued!
Aug 9 12:37:08 www kernel: RPC: (task is on xprt_pending)
Aug 9 12:37:13 www kernel: portmap: RPC call returned error 111
Aug 9 12:37:13 www kernel: RPC: task of released request still queued!
Aug 9 12:37:13 www kernel: RPC: (task is on xprt_pending)
Aug 9 12:37:13 www kernel: lockd_up: makesock failed, error=-111
Aug 9 12:37:18 www kernel: portmap: RPC call returned error 111
Aug 9 12:37:18 www kernel: RPC: task of released request still queued!
Aug 9 12:37:18 www kernel: RPC: (task is on xprt_pending)
Aug 9 12:37:18 www rpc.statd[251]: unable to register (SM_PROG, SM_VERS, udp).
Aug 9 12:37:19 www modprobe: can't locate module block-major-22
Aug 9 12:37:19 www modprobe: can't locate module block-major-22
Aug 9 12:37:19 www modprobe: can't locate module block-major-33
Aug 9 12:37:19 www modprobe: can't locate module block-major-33
Aug 9 12:37:19 www modprobe: can't locate module block-major-34
Aug 9 12:37:19 www modprobe: can't locate module block-major-34
Aug 9 12:37:19 www modprobe: can't locate module block-major-8
Aug 9 12:37:19 www last message repeated 4 times
Aug 9 12:37:19 www modprobe: can't locate module block-major-13
Aug 9 12:37:20 www modprobe: can't locate module block-major-13
Then, some suspicious zones loaded that I am not familiar with:
Aug 9 12:37:21 www named[351]: hint zone "" (IN) loaded (serial 0)
Aug 9 12:37:21 www named[351]: master zone "34.100.207.in-addr.arpa" (IN) loaded (serial 2001071122)
Aug 9 12:37:21 www named[351]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 2001071122)
Aug 9 12:37:21 www named[351]: Forwarding source address is [0.0.0.0].1024
Aug 9 12:37:34 www PAM_pwdb[390]: (su) session opened for user postgres by (uid=0)
Aug 9 12:37:35 www PAM_pwdb[390]: (su) session closed for user postgres
----------------------------------------------------------------------
So, from looking into the above portmap errors, I ended up at cert.org
on the following url:
http://www.cert.org/tech_tips/intruder_detection_checklist.html#intro
I started reading and following the checks, and ended up stumped after
the first check. Seems I have some files which have an incorrect set of
permissions. The following files have -rwsr-xr-x set. Could someone on a
RaQ3 enter the command "find / -user root -perm -4000 -print" and tell
me if you are getting the same output? If these files have incorrect
permissions, then what should the command be to change them to the
correct permission? Why would someone change the permissions? Is it so
they can see into the files? Can they also change them? Can I fix this
without reinstalling the RaQ3 software? I've heard horror stories about
reinstalling and am wondering which is the worse of two evils.
find: /proc/6/fd: Permission denied
find: /proc/1726/fd/4: No such file or directory
/bin/su
/bin/login
/sbin/pwdb_chkpwd
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/ssh
/usr/local/bin/ssh1
/usr/local/majordomo/wrapper
/usr/local/frontpage/version4.0/apache-fp/_vti_bin/fpexe
/usr/sbin/cmos
/usr/sbin/sendmail
/usr/sbin/traceroute
/usr/libexec/pt_chown
/usr/cgiwrap/cgiwrap
/usr/cgiwrap/cgiwrapd
/usr/cgiwrap/nph-cgiwrap
/usr/cgiwrap/nph-cgiwrapd
I have not run all the tests described to check the system, but since I
got the results above, I thought I would ask and see if I could learn a
little more before I go too far.
Thank you for your support!
enrique
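An added example, not part of enrique's post and not Cobalt's own RaQ3 code: a small POSIX shell script that does what the CERT checklist step above asks for in a repeatable way. It builds a sorted inventory of setuid-root binaries (the same check as "find / -user root -perm -4000 -print", with -xdev so /proc is not walked), fingerprints each file with its mode, owner and checksum, and diffs the inventory against a baseline taken earlier or from a known-clean RaQ3. The function names, the baseline file paths in the usage comment and the sample lists in the test are my own assumptions, not a real RaQ3 inventory. One caveat that applies to any such check run on a box you believe is compromised: if find, ls or cksum themselves have been replaced, the output can lie, so the clean copies of those tools, and the baseline, should come from somewhere other than the suspect system.

```shell
#!/bin/sh
# Added example, not from the original post or from Cobalt's RaQ3 software.
# Inventory setuid files, fingerprint them, and diff the inventory against a
# baseline. Function names and paths below are assumptions for illustration.

# List setuid files owned by OWNER under DIR, one path per line, sorted.
# -xdev stays on one filesystem, so /proc is not descended (that descent is
# what produced the "Permission denied" / "No such file" noise in the post).
suid_list() {
    dir="${1:-/}"
    owner="${2:-root}"
    find "$dir" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null | sort
}

# For each path read from LISTFILE print path, mode, owner, group, size and a
# CRC, so a replaced binary is caught even when its path and mode look normal.
suid_fingerprint() {
    while IFS= read -r path; do
        [ -f "$path" ] || { printf 'MISSING %s\n' "$path"; continue; }
        meta=$(ls -ld "$path" | awk '{print $1, $3, $4, $5}')
        sum=$(cksum "$path" | awk '{print $1}')
        printf '%s %s %s\n' "$path" "$meta" "$sum"
    done < "$1"
}

# Compare BASELINE and CURRENT inventories (plain path lists). Prints
# "+ path" for a setuid file that is new since the baseline and "- path" for
# one that has gone. A "+" line is the interesting one: a setuid copy of a
# shell in some hidden directory is the classic leftover of an intrusion.
suid_diff() {
    b=$(mktemp) || return 1
    c=$(mktemp) || return 1
    sort -u "$1" > "$b"
    sort -u "$2" > "$c"
    comm -13 "$b" "$c" | sed 's/^/+ /'
    comm -23 "$b" "$c" | sed 's/^/- /'
    rm -f "$b" "$c"
}

# Usage on a live system (run as root; keep the baseline off the box, the
# /mnt/floppy location here is just an assumption):
#   suid_list / root > /mnt/floppy/suid-baseline.txt
#   suid_fingerprint /mnt/floppy/suid-baseline.txt > /mnt/floppy/suid-baseline.sums
#   ... later, or on the suspect machine ...
#   suid_list / root > /tmp/suid-now.txt
#   suid_diff /mnt/floppy/suid-baseline.txt /tmp/suid-now.txt
#   suid_fingerprint /tmp/suid-now.txt | diff /mnt/floppy/suid-baseline.sums -
```

The path diff answers the question asked on the list (is my list the same as yours?); the fingerprint diff answers the harder one, whether /bin/login or /bin/su is still the binary that shipped with the RaQ3, which a permissions listing alone cannot tell you.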