Re: Have I been hacked?
On Mon, Jan 01, 2001 at 12:46:55 -0600, Kenneth Stephen wrote:
> Looking at the system logs for my Potato system (it was Slink, but I
> apt-get upgraded), I see some unusual entries. From messages.0 :
>
> Dec 31 05:29:18 marvin 173>Dec 31 05:29:18 /sbin/rpc.statd[300]:
> gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff6ec
> 804a174400f0078687465676274736f6d616e797265206520726f7220726f66
> bffff718
There have been various security issues with rpc.statd and related tools, in
particular
http://www.debian.org/security/2000/20000719a
http://www.debian.org/security/1999/19991111
http://www.debian.org/security/1998/19980904
> Would this be due to a hack attempt?
Quite likely. According to CERT, attempts to exploit rpc.statd
vulnerabilities are still quite popular
(http://www.cert.org/current/current_activity.html#statd)
> From setuid.changes :
>
> marvin changes to setuid programs and devices:
> --- setuid.today Fri Dec 29 06:32:04 2000
> +++ /var/log/setuid.new.tmp Sun Dec 31 06:32:01 2000
> @@ -1,5 +1,4 @@
> - 2 620 1 pgmr tty 0 Fri Dec 29 02:31:09
> 2000 /dev/pts/0
> - 3 620 1 pgmr tty 0 Fri Dec 29 01:43:39
> 2000 /dev/pts/1
> + 2 620 1 pgmr tty 0 Sun Dec 31 05:29:18
AFAIK, in and of themselves, these are not a problem.
> 2000 /dev/pts/0
> 4120 4755 2 root root 499916 Wed Mar 8 01:51:40
> 2000 /usr/bin/sperl5.00405
> 4120 4755 2 root root 499916 Wed Mar 8 01:51:40
> 2000 /usr/bin/suidperl-5.004
This seems fine as well.
> 4122 4755 1 root staff 4787 Sat Jan 15 09:30:29
> 2000 /usr/local/bin/dflt_routes
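Review bot: the only change this hunk records is the mtime on /dev/pts/0 moving from Fri Dec 29 02:31:09 to Sun Dec 31 05:29:18, and that is the same second as the rpc.statd gethostbyname entry quoted from messages.0 above. A tty device node's timestamp is updated when something writes to that terminal, so rather than filing this as an unrelated timestamp change it is worth establishing what wrote to pts/0 at 05:29:18: the shell in the xterm that was open, or syslogd delivering that message to logged-in terminals, are the usual candidates, and last/wtmp plus the shell history of that session would settle it. The removed /dev/pts/1 line only means that pty is no longer open.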
>
> I was logged on and had an xterm running from midnight 12/31 - but I
> definitely wasn't doing anything at 5:30 in the morning.
It only seems to be a timestamp change.
I see no clear signs of a successful crack attempt in what you've reported.
HTH,
Ray
--
Furthermore, I am of the opinion that the Netherlands should be covered over.
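As an added example (not part of the original post, and not Debian's own checksecurity or rpc.statd code), the script below does what the reply suggests by hand: it scans syslog text for the rpc.statd "gethostbyname error for" entries, decodes the little-endian x86 stack addresses that the format-string payload carries in the hostname argument, flags an entry as suspicious when it contains such addresses, non-printable bytes or a long hex run, and then correlates suspicious entries with the mtimes in a setuid.changes-style diff. The sample log lines and the diff embedded in it are constructed, modelled on the lines quoted in the post (the diff lines unwrapped), and the year is passed in because syslog timestamps carry none.

```python
#!/usr/bin/env python3
"""Flag the rpc.statd format-string attack signature in syslog text and
correlate it with mtime changes from a checksecurity-style setuid diff.
Added example; all sample data below is constructed, modelled on the post."""
import re
import struct
from datetime import datetime

# Constructed sample. The first line mirrors the messages.0 entry in the post:
# the payload is written in Latin-1, so the bytes \x18\xf7\xff\xbf are the
# little-endian form of 0xbffff718, which also appears in clear text at the
# end of the line. The second statd line is a benign lookup failure.
SAMPLE_SYSLOG = (
    "Dec 31 05:29:18 marvin 173>Dec 31 05:29:18 /sbin/rpc.statd[300]: "
    "gethostbyname error for "
    "\x18\xf7\xff\xbf\x18\xf7\xff\xbf\x19\xf7\xff\xbf\x19\xf7\xff\xbf"
    "\x1a\xf7\xff\xbf\x1a\xf7\xff\xbf\x1b\xf7\xff\xbf\x1b\xf7\xff\xbf"
    "bffff6ec 804a174400f0078687465676274736f6d616e797265206520726f7220726f66 "
    "bffff718\n"
    "Dec 31 05:31:02 marvin /sbin/rpc.statd[300]: gethostbyname error for "
    "nfsclient.example\n"
    "Dec 31 05:35:10 marvin sshd[412]: Accepted password for pgmr from 10.0.0.5\n"
)

# Constructed sample in the format of /var/log/setuid.changes, lines unwrapped.
SAMPLE_SETUID_DIFF = """\
--- setuid.today Fri Dec 29 06:32:04 2000
+++ /var/log/setuid.new.tmp Sun Dec 31 06:32:01 2000
@@ -1,5 +1,4 @@
- 2 620 1 pgmr tty 0 Fri Dec 29 02:31:09 2000 /dev/pts/0
- 3 620 1 pgmr tty 0 Fri Dec 29 01:43:39 2000 /dev/pts/1
+ 2 620 1 pgmr tty 0 Sun Dec 31 05:29:18 2000 /dev/pts/0
 4120 4755 2 root root 499916 Wed Mar 8 01:51:40 2000 /usr/bin/sperl5.00405
"""

STATD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<arg>.*)$"
)
DIFF_RE = re.compile(
    r"^(?P<sign>[+-])\s*(?P<fields>.*?)\s+"
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \d{4})\s+(?P<path>\S+)$"
)
STACK_LO, STACK_HI = 0xBF000000, 0xC0000000  # user stack range on x86 Linux of that era

def stack_addresses(arg):
    """Little-endian 32-bit words, at any byte offset of arg, that fall in the
    x86 user-stack range: the write targets a statd format-string payload carries."""
    raw = arg.encode("latin-1", "replace")
    found = []
    for i in range(len(raw) - 3):
        (val,) = struct.unpack_from("<I", raw, i)
        if STACK_LO <= val < STACK_HI and val not in found:
            found.append(val)
    return found

def classify(arg):
    """Decide whether a gethostbyname argument looks like a hostname or a payload."""
    addrs = stack_addresses(arg)
    nonprint = sum(1 for c in arg if not 0x20 <= ord(c) <= 0x7E)
    hexrun = re.search(r"\b[0-9a-f]{32,}\b", arg) is not None
    clear = [int(h, 16) for h in re.findall(r"\bbf[0-9a-f]{6}\b", arg)]
    return {"addresses": addrs, "clear_addresses": clear, "nonprintable": nonprint,
            "hexrun": hexrun, "suspicious": bool(addrs) or nonprint > 0 or hexrun}

def scan_syslog(text, year):
    """One record per rpc.statd gethostbyname entry; year supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = STATD_RE.match(line)
        if not m:
            continue
        rec = classify(m.group("arg"))
        rec["when"] = datetime.strptime(f"{m.group('ts')} {year}", "%b %d %H:%M:%S %Y")
        rec["host"], rec["pid"] = m.group("host"), int(m.group("pid"))
        events.append(rec)
    return events

def parse_setuid_diff(text):
    """(sign, mtime, path) for each +/- line of a setuid.changes diff."""
    changes = []
    for line in text.splitlines():
        if line.startswith(("---", "+++")):
            continue
        m = DIFF_RE.match(line)
        if m:
            when = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            changes.append((m.group("sign"), when, m.group("path")))
    return changes

def correlate(syslog_text, diff_text, year, window=5):
    """Pair suspicious statd entries with files whose new mtime lies within
    `window` seconds of the entry. A hit is a lead to chase, not proof of compromise."""
    hits = []
    for ev in scan_syslog(syslog_text, year):
        if not ev["suspicious"]:
            continue
        for sign, when, path in parse_setuid_diff(diff_text):
            if sign == "+" and abs((when - ev["when"]).total_seconds()) <= window:
                hits.append((ev["when"], path, when))
    return hits

if __name__ == "__main__":
    for ev in scan_syslog(SAMPLE_SYSLOG, 2000):
        flag = "SUSPICIOUS" if ev["suspicious"] else "ok"
        print(ev["when"], ev["host"], f"statd[{ev['pid']}]", flag,
              [hex(a) for a in ev["addresses"]])
    for ev_when, path, when in correlate(SAMPLE_SYSLOG, SAMPLE_SETUID_DIFF, 2000):
        print(f"{path} mtime {when} matches statd entry at {ev_when}")
```

Run against the constructed sample it flags the first statd line (decoded targets 0xbffff718 through 0xbffff71b, with 0xbffff718 also present in clear text at the end of the line, which is the tell-tale of the statd format-string exploit), passes the benign lookup failure, and reports that the new /dev/pts/0 mtime falls in the same second as the suspicious entry. On a real box feed it `messages.0` read as Latin-1 so the payload bytes survive, and treat a hit as the point to start pulling wtmp and shell histories, not as a verdict.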