
Re: Hacked - is it my turn?



Hello again,

Here is what I make of my evidence at the end of a quite anxious day. I
would highly appreciate any comments on my conclusions!

> > Checking 'bindshell'... INFECTED [PORTS:  1524 31337]
At this point I believe I can attribute this to portsentry
running - '/etc/init.d/portsentry stop' makes it go away,
'/etc/init.d/portsentry start' makes it reappear, and I can create the
message on a pristine system by installing portsentry (running in the
default configuration).

> Checksecurity reports this:
> 
> > Security Violations for su
> > =-=-=-=-=-=-=-=-=-=-=-=-=-
> > Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody
As Javier Fernández-Sanguino Peña <jfs@computer.org> pointed out
in a branch thread:
> That's normal, it's been discussed here before. It
> just needs to be added to logcheck patterns, a bug should be filed.
Digging in the logs also showed this to be happening around 6:30 every
morning - must be related to one of my cron jobs that are being triggered
then, as /etc/crontab reads
25 6 * * * root test -e /usr/bin/anachron || run-parts --report /etc/cron.daily

> 'tiger' also reports - while performing signature check of system
> binaries - that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
> and /usr/bin/inetd do not match. This can not be confirmed by aide
> (cd-burned database, unsafe binary) or debsums (unsafe binary).
Javier stated as well:
> Do _not_ rely on that if you are _not_ using a stable system.... (and
> really, even then, unless you've regenerated the database yourself).
This is a testing/unstable system.

Now the conclusion: at this point there doesn't seem to be any real
evidence for compromise over here. My current working hypothesis is that
one of the packages involved had an update recently - I haven't really
paid attention to what happened during my updates - and I started to
see some log extracts I wasn't used to and couldn't make proper sense of
and panicked.
If you don't buy this: please let me know and why. Since we are talking
20+ systems being dependent on one of the machines in question, I'm
considering myself biased due to installation anxiety.

Hope to hear from you, Joh
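An added illustration (not part of Joh's message or of the logcheck package) of the "add it to the logcheck patterns" advice above: a candidate ignore pattern for the cron-driven `su ... + ??? root:nobody` line, tested against constructed sample lines so that it silences only that exact event and still reports an su from a real tty, the reverse direction (nobody:root), or a root:root switch. The pattern, the hostname and the extra sample lines are assumptions; only the first log line comes from the thread.

```python
import re

# Candidate logcheck ignore pattern (assumed, not from the thread). It uses only
# syntax that is valid both for logcheck's egrep and for Python's re module:
#   - syslog timestamp, hostname, "su[<pid>]:"
#   - "+" (successful switch), "???" (no controlling tty, as cron jobs have)
#   - exactly "root:nobody", anchored at end of line
IGNORE_PATTERN = (
    r"^[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [A-Za-z0-9._-]+ "
    r"su\[[0-9]+\]: \+ \?\?\? root:nobody$"
)

# An over-broad pattern of the kind that is tempting to paste in: it hides any
# successful su to root from anywhere, which is exactly what one wants to see.
OVERBROAD_PATTERN = r"^.* su\[[0-9]+\]: \+ .* root:.*$"

# Constructed sample syslog lines: the first is the line from the thread, the
# others are variants that must NOT be suppressed.
SAMPLE_LOG = """Feb  2 06:33:11 server_name su[16863]: + ??? root:nobody
Feb  2 06:33:12 server_name su[16864]: + pts/2 root:nobody
Feb  2 06:33:13 server_name su[16865]: + ??? nobody:root
Feb  2 06:33:14 server_name su[16866]: + ??? root:root
Feb  2 06:35:00 server_name sshd[16900]: Accepted password for admin
"""


def unmatched_lines(log_text, ignore_pattern=IGNORE_PATTERN):
    """Return the lines logcheck would still report: those the ignore pattern
    does not match. Empty lines are skipped."""
    rx = re.compile(ignore_pattern)
    return [line for line in log_text.splitlines() if line and not rx.match(line)]


if __name__ == "__main__":
    print("Strict pattern still reports:")
    for line in unmatched_lines(SAMPLE_LOG):
        print("  ", line)
    print("Over-broad pattern still reports:")
    for line in unmatched_lines(SAMPLE_LOG, OVERBROAD_PATTERN):
        print("  ", line)
```

The strict pattern suppresses only the 06:33:11 line; the over-broad one also swallows the tty-based su and the root:root switch.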


