Strange events...
Hello! This morning I checked my mail and found a strange message from logcheck on one of my servers...
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
***************
*** WARNING ***: Log file /var/log/mail.log is smaller than last time checked!
*************** This could indicate tampering.
Mhm... I logged in to that machine (a Debian Potato with the latest security updates, apt sources updated and upgraded - kernel Linux sgala2 2.2.20pre2aa1 #3 Thu Jun 14 12:24:53 CEST 2001 i586 unknown) to understand what happened.
The network connections at that moment were...
tcp 0 0 195.223.140.112:110 213.174.167.243:62621 TIME_WAIT
tcp 0 0 195.223.140.112:22 213.174.167.243:62620 ESTABLISHED
tcp 0 0 195.223.140.112:111 193.75.85.247:4714 ESTABLISHED
tcp 0 0 195.223.140.112:111 24.22.214.76:3756 ESTABLISHED
tcp 0 0 195.223.140.112:111 195.13.194.200:1272 ESTABLISHED
Strange connections to the portmapper port... I don't use portmap but I forgot to disable it. Is it possible that portmap is exploitable?
sgala2:/# ps afx
PID TTY STAT TIME COMMAND
1 ? S 0:09 init [2]
2 ? SW 0:07 [kflushd]
3 ? SW 0:03 [kupdate]
4 ? SW 0:32 [kswapd]
5 ? SW 0:00 [keventd]
147 ? S 2:36 /sbin/syslogd
149 ? SW 0:00 [klogd]
168 ? S 0:00 /usr/sbin/gpm -m /dev/psaux -t ps2 -Rms3
173 ? S 0:16 /usr/sbin/inetd
176 ? S 0:00 /usr/sbin/ippl
179 ? Z 0:00 \_ [ippl <defunct>]
194 ? S 0:05 /usr/lib/postgresql/bin/postmaster -b /usr/lib/postgresql/bin/postgres -B 128 -D /var/lib/postgres/data -i
245 ? S 0:58 /usr/sbin/sshd
8244 ? S 0:03 \_ /usr/sbin/sshd
8245 pts/1 S 0:00 | \_ -bash
8441 ? S 0:01 \_ /usr/sbin/sshd
8444 pts/2 S 0:00 | \_ -bash
9237 ? S 0:05 \_ /usr/sbin/sshd
9242 pts/3 S 0:00 \_ -bash
9610 pts/3 R 0:00 \_ ps afx
9611 pts/3 S 0:00 \_ more
250 ? S 0:00 proftpd (accepting connections)
253 ? S 0:00 /usr/sbin/atd
256 ? S 0:04 /usr/sbin/cron
270 tty2 SW 0:00 [getty]
271 tty3 SW 0:00 [getty]
272 tty4 SW 0:00 [getty]
273 tty5 SW 0:00 [getty]
274 tty6 SW 0:00 [getty]
565 tty1 SW 0:00 [getty]
2715 ? S 0:23 sendmail: accepting connections on port 25
4018 ? S 2:11 ./psybnc
20284 ? S 0:01 /usr/sbin/named
23169 ? S 0:01 /usr/sbin/apache
7770 ? S 0:00 \_ /usr/sbin/apache
7784 ? S 0:00 \_ /usr/sbin/apache
7829 ? S 0:00 \_ /usr/sbin/apache
7830 ? S 0:00 \_ /usr/sbin/apache
7831 ? S 0:00 \_ /usr/sbin/apache
7942 ? S 0:00 \_ /usr/sbin/apache
7944 ? S 0:00 \_ /usr/sbin/apache
9441 ? S 0:00 \_ /usr/sbin/apache
9443 ? S 0:00 \_ /usr/sbin/apache
8491 ? S 0:00 /usr/sbin/ippl
8492 ? S 0:00 \_ /usr/sbin/ippl
8493 ? S 0:00 \_ /usr/sbin/ippl
8494 ? S 0:00 \_ /usr/sbin/ippl
It is absolutely normal, no strange processes or anything strange.
The state of the log files is strange. mail.log is small... ippl/all.log is zero bytes... But it's possible that logrotate has rotated the logs... I don't exactly understand the state of the logs, because at the time of the strange log message there was no traffic.
Some examples...
-rw-r----- 1 root adm 0 Aug 26 06:48 user.log
-rw-r----- 1 root adm 0 Aug 19 06:48 user.log.0
-rw-r----- 1 root adm 0 Aug 26 06:48 mail.warn
-rw-r----- 1 root adm 0 Aug 26 06:47 all.log
-rw-r----- 1 root adm 0 Aug 19 06:47 all.log.0
Then I ran debsums -a and it found this:
md5sum: MD5 check failed for 'usr/share/consolefonts/lat1u-16.psf.gz'
md5sum: can't open usr/share/games/fortunes/off/zozzital
md5sum: can't open usr/share/doc/isapnptools/README.lib
md5sum: can't open sbin/ldconfig.new
md5sum: MD5 check failed for 'etc/pam.d/login'
md5sum: MD5 check failed for 'etc/pam.d/passwd'
md5sum: can't open usr/bin/perl-5.005.dist
md5sum: MD5 check failed for 'etc/ppp/options.ttyXX'
md5sum: MD5 check failed for 'var/lib/wwwcount/sample.dat'
I checked whether there is any difference between pam.d/login and pam.d/passwd and those on another Debian Potato, but there is no difference.
Finally, I report the ports in listening state:
sgala2:/var/log/ippl# lsof -i |grep LISTEN
inetd 173 root 4u IPv4 86 TCP *:pop3 (LISTEN)
inetd 173 root 5u IPv4 87 TCP *:auth (LISTEN)
postmaste 194 postgres 3u IPv4 110 TCP *:postgres (LISTEN)
sshd 245 root 3u IPv4 143 TCP *:ssh (LISTEN)
proftpd 250 root 0u IPv4 158 TCP *:ftp (LISTEN)
sendmail 2715 root 4u IPv4 479994 TCP *:smtp (LISTEN)
psybnc 4018 sgala 3u IPv4 216645 TCP *:31337 (LISTEN)
apache 7770 root 25u IPv4 285676 TCP *:www (LISTEN)
apache 7784 root 25u IPv4 285676 TCP *:www (LISTEN)
apache 7829 root 25u IPv4 285676 TCP *:www (LISTEN)
apache 7830 root 25u IPv4 285676 TCP *:www (LISTEN)
apache 7831 root 25u IPv4 285676 TCP *:www (LISTEN)
apache 7942 root 25u IPv4 285676 TCP *:www (LISTEN)
apache 7944 root 25u IPv4 285676 TCP *:www (LISTEN)
sshd 8244 root 6u IPv4 537338 TCP *:6010 (LISTEN)
sshd 8441 root 6u IPv4 537997 TCP *:6011 (LISTEN)
sshd 9237 root 6u IPv4 539149 TCP *:6012 (LISTEN)
apache 9441 root 25u IPv4 285676 TCP *:www (LISTEN)
apache 9443 root 25u IPv4 285676 TCP *:www (LISTEN)
apache 9444 root 25u IPv4 285676 TCP *:www (LISTEN)
named 20284 root 21u IPv4 272353 TCP localhost:domain (LISTEN)
named 20284 root 23u IPv4 272355 TCP sgala.com:domain (LISTEN)
apache 23169 root 25u IPv4 285676 TCP *:www (LISTEN)
All data files of the web server/database server/mail server and so on are not damaged, corrupted or modified. Therefore it seems to be...
Now I'm in doubt... what happened?...
Sorry for my bad English... I'm a small Italian guy... :))
Thanks in advance!
Matteo
--
Matteo Sgalaberni | Web : http://www.sgala.com
-- | E-Mail : matteo@sgala.com
System and Application Engineer |
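A small triage helper for output like the netstat and lsof listings in the message above. This is added example code, not part of the original mail or of any Debian tool: it parses the pasted lines and flags inbound connections to ports the host is not meant to serve (the three sessions on 111) and listeners outside an allow-list of expected services (psybnc on 31337). The allow-lists are assumptions about what this host should offer; the sample lines are taken from the post.

```python
import re

# Assumed allow-lists for this host: ftp ssh smtp dns www pop3 auth postgres.
EXPECTED_LOCAL_PORTS = {21, 22, 25, 53, 80, 110, 113, 5432}
EXPECTED_SERVICES = {"ftp", "ssh", "smtp", "domain", "www", "pop3", "auth", "postgres"}

# netstat line: proto recv-q send-q local:port remote:port state
NETSTAT_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")
# "lsof -i | grep LISTEN" line: cmd pid user fd type device TCP addr:port (LISTEN)
LSOF_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s+\d+\s+TCP\s+(\S+):(\S+)\s+\(LISTEN\)$")

def flag_connections(netstat_lines):
    """Return (remote_ip, local_port, state) for connections to local ports
    outside EXPECTED_LOCAL_PORTS, e.g. the portmapper sessions on 111."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line.strip())
        if m and int(m.group(2)) not in EXPECTED_LOCAL_PORTS:
            hits.append((m.group(3), int(m.group(2)), m.group(5)))
    return hits

def flag_listeners(lsof_lines):
    """Return (command, pid, user, port) for listeners whose port is not an
    expected service. lsof prints a number when /etc/services has no name,
    so psybnc on 31337 appears numerically. sshd listening on 6010 and up is
    the X11 forwarding socket of an interactive ssh session and is skipped."""
    hits = []
    for line in lsof_lines:
        m = LSOF_RE.match(line.strip())
        if not m:
            continue
        cmd, pid, user, port = m.group(1), m.group(2), m.group(3), m.group(5)
        if port in EXPECTED_SERVICES:
            continue
        if cmd == "sshd" and port.isdigit() and 6010 <= int(port) < 6064:
            continue
        hits.append((cmd, pid, user, port))
    return hits

# Sample input: lines copied from the post (abridged).
NETSTAT_SAMPLE = """\
tcp 0 0 195.223.140.112:110 213.174.167.243:62621 TIME_WAIT
tcp 0 0 195.223.140.112:22 213.174.167.243:62620 ESTABLISHED
tcp 0 0 195.223.140.112:111 193.75.85.247:4714 ESTABLISHED
tcp 0 0 195.223.140.112:111 24.22.214.76:3756 ESTABLISHED
tcp 0 0 195.223.140.112:111 195.13.194.200:1272 ESTABLISHED""".splitlines()
LSOF_SAMPLE = """\
inetd 173 root 4u IPv4 86 TCP *:pop3 (LISTEN)
postmaste 194 postgres 3u IPv4 110 TCP *:postgres (LISTEN)
psybnc 4018 sgala 3u IPv4 216645 TCP *:31337 (LISTEN)
sshd 8244 root 6u IPv4 537338 TCP *:6010 (LISTEN)
named 20284 root 21u IPv4 272353 TCP localhost:domain (LISTEN)""".splitlines()
```

Run `flag_connections(NETSTAT_SAMPLE)` and `flag_listeners(LSOF_SAMPLE)` to get the two review lists; anything returned is worth explaining before trusting the host.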