[mdk-re] Меня взломали ?

Egorov Alexey egorov at strat.chtts.ru
Sun Mar 24 22:37:00 MSK 2002


Folks, please advise. I received this log:

Security Warning: the sha1 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a 
backdoor...
- Checksum changed files : /usr/sbin/usernetctl  -- WHAT DOES THIS MEAN?

Security Warning: There is modifications for port listening on your machine :
-  Opened ports : tcp        0      0 *:www                   *:*                     LISTEN      9935/httpd
-  Opened ports : tcp        0      0 *:squid                 *:*                     LISTEN      1298/(squid)
-  Opened ports : tcp        0      0 *:smtp                  *:*                     LISTEN      1267/master
-  Opened ports : tcp        0      0 *:telnet                *:*                     LISTEN      921/xinetd
-  Opened ports : tcp        0      0 *:pop3                  *:*                     LISTEN      921/xinetd
-  Opened ports : tcp        0      0 *:pop3s                 *:*                     LISTEN      921/xinetd
-  Opened ports : tcp        0      0 *:nntp                  *:*                     LISTEN      921/xinetd
-  Opened ports : tcp        0      0 *:ftp                   *:*                     LISTEN      921/xinetd
-  Opened ports : tcp        0      0 linux:domain            *:*                     LISTEN      904/named
-  Opened ports : tcp        0      0 localhost:domain        *:*                     LISTEN      904/named
-  Opened ports : udp        0      0 *:1027                  *:*                                 1298/(squid)
-  Opened ports : udp        0      0 *:3401                  *:*                                 1298/(squid)
-  Opened ports : udp        0      0 *:icp                   *:*                                 1298/(squid)
-  Opened ports : udp        0      0 *:1024                  *:*                                 904/named
-  Opened ports : udp        0      0 linux:domain            *:*                                 904/named
-  Opened ports : udp        0      0 localhost:domain        *:*                                 904/named
- Closed ports  : tcp        0      0 *:www                   *:*                     LISTEN      10245/httpd
- Closed ports  : tcp        0      0 *:squid                 *:*                     LISTEN      1165/(squid)
- Closed ports  : tcp        0      0 *:smtp                  *:*                     LISTEN      1134/master
- Closed ports  : tcp        0      0 *:telnet                *:*                     LISTEN      798/xinetd
- Closed ports  : tcp        0      0 *:pop3                  *:*                     LISTEN      798/xinetd
- Closed ports  : tcp        0      0 *:pop3s                 *:*                     LISTEN      798/xinetd
- Closed ports  : tcp        0      0 *:nntp                  *:*                     LISTEN      798/xinetd
- Closed ports  : tcp        0      0 *:ftp                   *:*                     LISTEN      798/xinetd
- Closed ports  : tcp        0      0 linux:domain            *:*                     LISTEN      781/named
- Closed ports  : tcp        0      0 localhost:domain        *:*                     LISTEN      781/named
- Closed ports  : udp        0      0 *:1027                  *:*                                 1165/(squid)
- Closed ports  : udp        0      0 *:3401                  *:*                                 1165/(squid)
- Closed ports  : udp        0      0 *:icp                   *:*                                 1165/(squid)
- Closed ports  : udp        0      0 *:1024                  *:*                                 781/named
- Closed ports  : udp        0      0 linux:domain            *:*                                 781/named
- Closed ports  : udp        0      0 localhost:domain        *:*                                 781/named

In syslog I dug up the following:
Mar 24 04:02:02 host syslogd 1.4-0: restart.
Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.183.72].53 'nameserver.concentric.net'
Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.184.72].53 'nameserver2.concentric.net'
Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.183.73].53 'nameserver1.concentric.net'
Mar 24 04:08:13 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [206.173.119.72].53 'nameserver3.concentric.net'
Mar 24 04:08:21 host syslogd 1.4-0: restart.
Mar 24 04:08:21 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:43 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:09 host syslogd 1.4-0: restart.
Mar 24 04:09:09 host syslogd 1.4-0: restart.
Mar 24 04:15:28 host syslogd 1.4-0: restart.
Mar 24 04:21:40 host syslogd 1.4-0: restart.
Mar 24 04:21:41 host syslogd 1.4-0: restart.
Mar 24 04:21:41 host syslogd 1.4-0: restart.
Mar 24 04:21:55 host syslogd 1.4-0: restart.
Mar 24 04:22:02 host anacron[30037]: Updated timestamp for job `cron.weekly' to `2002-03-24 04:22:02'
Mar 24 04:24:25 host named[904]: Lame server on '88.63.3.210.in-addr.arpa' (in '3.210.in-addr.arpa'?): [210.59.229.2].53 'dns.golden.net.tw'
Mar 24 04:24:25 host named[904]: Lame server on '88.63.3.210.in-addr.arpa' (in '3.210.in-addr.arpa'?): [210.59.228.11].53 'dns2.golden.net.tw'
Mar 24 04:27:11 host su(pam_unix)[939]: session opened for user news by (uid=0)
Mar 24 04:27:12 host texpire[941]: can't stat /var/spool/news/leaf.node/groupinfo: No such file or directory
Mar 24 04:27:12 host su(pam_unix)[939]: session closed for user news

The most interesting thing is that news was never used on this server, and nobody was working on this server on Saturday!!
Server: ALTLinux Spring2001 + Updates
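As an added example (not part of the original post and not msec's own code), here are the two checks behind the report quoted above, reimplemented in Python: a parser for the "Opened/Closed ports" lines that separates services which merely restarted (same socket and same program, only a new PID, which is what every pair in the report shows) from sockets that are genuinely new or gone, and a SHA-1 baseline over setuid/setgid files that flags the kind of change reported for /usr/sbin/usernetctl. The report text below is constructed from the lines in the post plus one invented *:8080 entry, the file tree is a throwaway temporary directory, and all function names are my own.

```python
import hashlib
import os
import re
import stat
import tempfile

# Constructed sample in the msec report format (one entry per line). The first six lines
# are taken from the post; the *:8080/python line is invented to show a real new socket.
SAMPLE_PORT_REPORT = """\
-  Opened ports : tcp        0      0 *:www                   *:*                     LISTEN      9935/httpd
-  Opened ports : tcp        0      0 *:telnet                *:*                     LISTEN      921/xinetd
-  Opened ports : udp        0      0 *:1027                  *:*                                 1298/(squid)
-  Opened ports : tcp        0      0 *:8080                  *:*                     LISTEN      4242/python
- Closed ports  : tcp        0      0 *:www                   *:*                     LISTEN      10245/httpd
- Closed ports  : tcp        0      0 *:telnet                *:*                     LISTEN      798/xinetd
- Closed ports  : udp        0      0 *:1027                  *:*                                 1165/(squid)
"""

# One msec port line: state, proto, recv/send queues, local addr, foreign addr, optional LISTEN, pid/program
LINE_RE = re.compile(
    r"^-\s+(Opened|Closed) ports\s+:\s+(tcp|udp)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)$"
)


def parse_report(text):
    """Return {'Opened': {...}, 'Closed': {...}} mapping (proto, local addr) -> (pid, program)."""
    result = {"Opened": {}, "Closed": {}}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers and anything not in netstat layout
        state, proto, local, pid, prog = m.groups()
        result[state][(proto, local)] = (int(pid), prog)
    return result


def classify_changes(text):
    """Split the report into restarted services (same socket+program, new PID) and real changes."""
    rep = parse_report(text)
    opened, closed = rep["Opened"], rep["Closed"]
    restarted, new_ports, gone_ports = [], [], []
    for sock, (pid, prog) in opened.items():
        if sock in closed and closed[sock][1] == prog:
            restarted.append((sock, closed[sock][0], pid))  # (socket, old pid, new pid)
        else:
            new_ports.append((sock, prog))
    for sock, (pid, prog) in closed.items():
        if sock not in opened:
            gone_ports.append((sock, prog))
    return {"restarted": restarted, "new": new_ports, "gone": gone_ports}


def suid_checksums(root):
    """SHA-1 of every setuid/setgid regular file under root, keyed by path (the msec SUID check)."""
    sums = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                with open(path, "rb") as f:
                    sums[path] = hashlib.sha1(f.read()).hexdigest()
    return sums


def changed_suid_files(baseline, current):
    """Paths whose checksum differs from the baseline, including SUID files that did not exist before."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


def demo_suid_change():
    """Snapshot a throwaway tree with one fake SUID file, modify the file, and detect the change."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "usernetctl")  # constructed stand-in for /usr/sbin/usernetctl
        with open(path, "wb") as f:
            f.write(b"original binary contents")
        os.chmod(path, 0o4755)  # mark it setuid so the scan picks it up
        baseline = suid_checksums(root)
        with open(path, "ab") as f:
            f.write(b"\npatched")
        return [os.path.basename(p) for p in changed_suid_files(baseline, suid_checksums(root))]


if __name__ == "__main__":
    print(classify_changes(SAMPLE_PORT_REPORT))
    print(demo_suid_change())
```

Run against the report in the post, `classify_changes` puts every entry into "restarted" (httpd, squid, master, xinetd and named all kept their sockets and only changed PID, which is what a reboot or a cron-driven service restart produces), so the port section alone is not evidence of an intrusion. For the SUID section the baseline check only says the file differs from the last snapshot; on an RPM-based system such as ALTLinux, `rpm -V` on the owning package compares the file against the package database's recorded checksum, which separates a package update from an unexplained modification.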





More information about the community mailing list