Strange system events
I am hoping someone here can help shed some light on some strange system
events that I saw between snort and logcheck on my firewall/router.
After seeing the following log, I opened my logcheck.sh file and saw the
garbage in the file that shows up in my log. I closed it and went to my
other box to try to do some research, and when I went back and opened
the file again it was fine. I hadn't even saved it, much less fixed it.
I've checked all of the files involved against known good copies and all
are currently fine.
I rebooted and nmapped the router's IP and it showed 25 smtp and 1417
timbuktu (- a Mac remote control program?) open.
I closed 25 and nmapped again and 1417 was closed without my doing
anything.
I just wondered if anyone had any thoughts on whether this looks like a
file/disk corruption could have caused all of this, or if it looks like
an exploit of some sort.
Thanks very much to anyone for any input or references to further
investigate.
Steve
log snip********************
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jun 1 06:25:03 router su[31003]: + ??? root-nobody
Jun 1 06:25:03 router PAM_unix[31003]: (su) session opened for
user nobody by (uid=0)
From root@router Sat Jun 02 06:25:12 2001
Envelope-to: root@router
Received: from root by router with local (Exim 3.12 #1 (Debian))
id 1569Wg-0008F8-00
for <root@router>; Sat, 02 Jun 2001 06:25:12 -0500
From: root@router (Cron Daemon)
To: root@router
Subject: Cron <root@router> test -e /usr/sbin/anacron // run-parts
--report /etc/cron.daily
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env:
<PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1569Wg-0008F8-00@router>
Date: Sat, 02 Jun 2001 06:25:12 -0500
/etc/cron.daily/5snort:
Useless use of a constant in void context at /usr/sbin/snort-stat
line 135.
run-parts: /etc/cron.daily/find exited with return code 2
/etc/cron.daily/standard:
/usr/sbin/checksecurity: /bin/rm: cannot execute binary file
/etc/cron.daily/sysklogd:
/usr/bin/savelog: line 151: syntax error near unexpected token `&'
/usr/bin/savelog: line 151: `5F(Y,4F?�Ä&¾o¾��üè8½¾oô�V ¢þÿ��
¢ÿÿ:¾'
/usr/bin/savelog: line 151: syntax error near unexpected token `&'
/usr/bin/savelog: line 151: `5F(Y,4F?�Ä&¾o¾��üè8½¾oô�V ¢þÿ��
¢ÿÿ:¾'
/usr/bin/savelog: line 151: syntax error near unexpected token `&'
/usr/bin/savelog: line 151: `5F(Y,4F?�Ä&¾o¾��üè8½¾oô�V ¢þÿ��
¢ÿÿ:¾'
From root@router Sat Jun 02 07:02:01 2001
Envelope-to: root@router
Received: from root by router with local (Exim 3.12 #1 (Debian))
id 156A6T-0008Hj-00
for <root@router>; Sat, 02 Jun 2001 07:02:01 -0500
From: root@router (Cron Daemon)
To: root@router
Subject: Cron <root@router> test -x /usr/sbin/logcheck.sh && nice
-n10 /usr/sbin/logcheck.sh
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E156A6T-0008Hj-00@router>
Date: Sat, 02 Jun 2001 07:02:01 -0500
/usr/sbin/logcheck.sh: ��p??´C¯I?{{??swz?�?b4�fÃ�: command not
found
/usr/sbin/logcheck.sh: �n,±¥g?vz: command not found
/usr/sbin/logcheck.sh: �?b4�f�: command not found
/usr/sbin/logcheck.sh: }??rt: command not found
/usr/sbin/logcheck.sh: ��o?£´¥?{z?~wu?�?b4�?Ã�: command not found
/usr/sbin/logcheck.sh: ��n? ¥S°W?x?x£?h{?�?b4�?Ã�: command not
found
/usr/sbin/logcheck.sh: ��o-Y´T©N?ufz??oxS�?b4�?Ã�: command not
found
/usr/sbin/logcheck.sh: ��n ª´W¯N??}-*ov: command not found
/usr/sbin/logcheck.sh: ~�?b4�?�: command not found
/usr/sbin/logcheck.sh: ��n?£¥TµS^}e{??xw}�?b4�fÃ�: command not
found
/usr/sbin/logcheck.sh: ��o?¡´O¿F?z?¢Sj?w^?b4�fÃ�: command not
found
/usr/sbin/logcheck.sh: ��n: command not found
/usr/sbin/logcheck.sh: ©¥b?hf?z*?pyw?�?b4�^Ã�: command not found
/usr/sbin/logcheck.sh: �m*¨-G¹S: command not found
/usr/sbin/logcheck.sh: *v-?tu~�?b4�?�: command not found
/usr/sbin/logcheck.sh: ��m?§-V«[??X??~wr~�?b4�?Ã�: command not
found
/usr/sbin/logcheck.sh: ��os¡ÃJÅ:*lyY?hzy?: command not found
/usr/sbin/logcheck.sh: ?b4�?�: command not found
/usr/sbin/logcheck.sh: ��n? ´Q¯Q-t???nx{??b4�?Ã�: command not
found
/usr/sbin/logcheck.sh: �m?¨´V®Z??,~?ox}? ?b4�?Ã�: command not
found
/usr/sbin/logcheck.sh: ��m?¦´T¶N?y??vu{f ?b4�?Ã�: command not
found
/usr/sbin/logcheck.sh: ��m: command not found
/usr/sbin/logcheck.sh: ®¥V¥^f^r,¡Sl{? ?b4�?Ã�: command not found
/usr/sbin/logcheck.sh: ��ny«Ã[«U*h?}~??p? ?b4�^Ã�: command not
found
/usr/sbin/logcheck.sh: ��k?¯xL cvSk~s?px? Yb4�?Ã�: command not
found
/usr/sbin/logcheck.sh: ��m*§ÃTÀD?,rz-?mx?�?b4�?Ã�: command not
found
/usr/sbin/logcheck.sh: ��n?¥ÒPÂO?ww~??oz?�?b*�?Ã�: command not
found
/usr/sbin/logcheck.sh: ��k?¨?J?q???~?kxy? ?b*�^Ã�: command not
found
/usr/sbin/logcheck.sh: �kª?M£d?k??qu}? ?b*�?Ã�: command not
found
/usr/sbin/logcheck.sh: ��m?¡Ò_ÂF?p^}?-ru?�?b*�^Ã�: command not
found
/usr/sbin/logcheck.sh: ��l^§¥OÀO??u¥?h{y-�?b*�^Ã�: command not
found
/usr/sbin/logcheck.sh: ��l?¦¥V£b???~?mzys�?b*�^Ã�: command not
found
/usr/sbin/logcheck.sh: �l?¢ÃVÀD¡tY?ny??�?b*�^Ã�: command not
found
/usr/sbin/logcheck.sh: ��k?¬-O³M?{mz~?vx?�?b*�?Ã�: command not
found
/usr/sbin/logcheck.sh: ¡l?b/�?Ã�: No such file or directory
/usr/sbin/logcheck.sh: ��m^¬´J»P^?k?£yo: command not found
/usr/sbin/logcheck.sh: ��m?¬´R«]fSf: command not found
/usr/sbin/logcheck.sh: ???o¤o?b/�?Ã�: No such file or directory
/usr/sbin/logcheck.sh: ��k?®´Y£h??j? }n}?o?b/�?Ã�: No such file or
directory
/usr/sbin/logcheck.sh: ��m-¯ÒQÆC*{p???p{~i?b/�?Ã�: No such file or
directory
/usr/sbin/logcheck.sh: line 134: syntax error near unexpected
token `/'
/usr/sbin/logcheck.sh: line 134: ` ��m?¥´H»P?/}/¦?h/¦j?b/�?Ã�'
*********the above repeats every hour until I discovered
it**************************
From root@router Sat Jun 02 21:02:05 2001
Envelope-to: root@router
Received: from root by router with local (Exim 3.12 #1 (Debian))
id 156NDQ-0008UI-00
for <root@router>; Sat, 02 Jun 2001 21:02:04 -0500
To: root@router
Subject: router 06/02/01:21.02 system check
Message-Id: <E156NDQ-0008UI-00@router>
From: root <root@router>
Date: Sat, 02 Jun 2001 21:02:04 -0500
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jun 2 19:59:32 router /usr/sbin/gpm[290]: Skipping a data packet
(?)
Jun 2 19:59:32 router /usr/sbin/gpm[290]: Skipping a data packet
(?)
From root@router Sun Jun 03 07:02:03 2001
Envelope-to: root@router
Received: from root by router with local (Exim 3.12 #1 (Debian))
id 156Wa3-0001s5-00
for <root@router>; Sun, 03 Jun 2001 07:02:03 -0500
To: root@router
Subject: router 06/03/01:07.02 system check
Message-Id: <E156Wa3-0001s5-00@router>
From: root <root@router>
Date: Sun, 03 Jun 2001 07:02:03 -0500
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
***************
*** WARNING ***: Log file /var/log/messages is smaller than last
time checked!
*************** This could indicate
tampering.=-=-=-=-=-=-=-=-=-=-=
Reply to: