Unreasonable setuid changes?! Am I hacked?
Prologue: Running Debian Potato 2.2 r2 with most recent security updates from
the security servers. *Any* suggestions or comments welcome.
I was checking my RADIUS server logs...just for the fun of it :-) and came
across this in my setuid.changes line:
***********************************************
radius changes to setuid programs and devices:
--- setuid.today Fri Mar 23 00:05:34 2001
+++ /var/log/setuid.new.tmp Sat Mar 24 00:06:07 2001
@@ -1,10 +1,10 @@
- 81 4755 1 root root 5668 Fri Jan 12 04:59:29 2001
/usr/lib/pt_chown
137 4755 1 root root 36188 Fri Jan 12 20:27:58 2001
/bin/login
138 4755 1 root root 23420 Fri Jan 12 20:27:58 2001
/bin/su
139 4755 1 root root 65404 Fri Jan 12 20:27:58 2001
/bin/mount
140 4755 1 root root 36572 Fri Jan 12 20:27:58 2001
/bin/umount
141 4755 1 root root 14896 Fri Jan 12 20:27:58 2001
/bin/ping
143 4755 1 root root 13808 Fri Jan 12 20:27:58 2001
/bin/ping6
+ 147 4755 1 root root 5668 Mon Jan 15 15:06:47 2001
/usr/lib/pt_chown
2088 666 1 root root 0 Fri Jan 12 20:51:00 2001
/dev/null
2089 640 1 root kmem 0 Fri Jan 12 20:51:00 2001
/dev/kmem
2092 666 1 root root 0 Fri Jan 12 20:51:01 2001
/dev/zero
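Review bot: the only substantive change in this hunk is /usr/lib/pt_chown, and it is a replacement rather than an in-place edit: the inode moves from 81 to 147 while mode 4755, owner root:root and size 5668 are identical, and the mtime moves from Fri Jan 12 04:59:29 to Mon Jan 15 15:06:47 2001, more than two months before the Mar 24 comparison in the header. A file whose timestamp predates the day it appeared is what a package install that keeps archive timestamps looks like, but an mtime can be set to anything, so before treating it as benign compare the new binary against the checksum recorded by the package that owns it (dpkg -S /usr/lib/pt_chown names the package) rather than relying on size and date alone.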
@@ -810,10 +810,10 @@
2898 666 1 root tty 0 Wed Jul 5 12:43:52 2000
/dev/tty7
2899 600 1 root root 0 Wed Jul 5 12:43:53 2000
/dev/vcs7
2900 600 1 root root 0 Wed Jul 5 12:43:53 2000
/dev/vcsa7
- 2901 666 1 root tty 0 Fri Mar 23 00:05:01 2001
/dev/tty8
+ 2901 666 1 root tty 0 Sat Mar 24 00:05:01 2001
/dev/tty8
2902 600 1 root root 0 Wed Jul 5 12:43:53 2000
/dev/vcs8
2903 600 1 root root 0 Wed Jul 5 12:43:53 2000
/dev/vcsa8
- 2904 666 1 root tty 0 Fri Mar 23 00:05:01 2001
/dev/tty9
+ 2904 666 1 root tty 0 Sat Mar 24 00:05:01 2001
/dev/tty9
2905 600 1 root root 0 Wed Jul 5 12:43:53 2000
/dev/vcs9
2906 600 1 root root 0 Wed Jul 5 12:43:53 2000
/dev/vcsa9
2907 666 1 root tty 0 Wed Jul 5 12:43:53 2000
/dev/tty10
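Review bot: this hunk can be excluded from the alarm; for /dev/tty8 and /dev/tty9 only the mtime column changes (Fri Mar 23 00:05:01 to Sat Mar 24 00:05:01), while inode, mode 666 and owner root:tty are identical. The two timestamps are exactly one day apart at the same second, just before the 00:05:34 and 00:06:07 times in the diff header, which fits a scheduled job touching those terminals every night and matches the statement below that the earlier setuid.changes logs list only the /dev/ttyxx and /dev/vcsxx entries.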
@@ -4122,7 +4122,6 @@
29236 4755 1 root root 25692 Fri Jan 12 20:27:47 2001
/usr/bin/passwd
29384 4755 1 root root 34480 Mon Apr 3 06:57:46 2000
/usr/bin/at
29415 2755 1 root tty 10004 Tue Jul 18 10:03:22 2000
/usr/bin/write
- 29501 2755 1 root mail 65660 Tue Aug 8 14:08:47 2000
/usr/bin/mail
30703 2755 1 root mail 8288 Mon Jun 21 12:48:03 1999
/usr/bin/dotlockfile
30707 2755 1 root mail 6212 Fri Sep 24 18:47:00 1999
/usr/bin/mail-lock
31232 4755 2 root root 536236 Sun Apr 30 11:14:04 2000
/usr/bin/sperl5.00503
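Review bot: this is the hunk to run down first, because the `-` line for /usr/bin/mail (mode 2755, owner root:mail, 65660 bytes) has no matching `+` line and the header count drops from 7 to 6, so the entry left the list entirely instead of changing. That means either the file is gone or it lost the setgid bit or the mail group that put it on the list; the diff cannot tell which. Suggest checking whether /usr/bin/mail still exists and what mode it has now, then verifying it against the file list and checksums of the package that owns it, since a setgid binary that silently changes mode without a package update is exactly what this check exists to catch.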
************************************************
All of the previous setuid.changes.x (going back to 6) log files only have
the /dev/ttyxx and /dev/vcsxx files listed. This gives me great pause. I
checked the setuid.today and the setuid.yesterday and they both read the
same. I can list those if necessary and requested, but I've checked them over
and over and *every* line is the same. Not to mention the fact that I
haven't installed or updated anything with regard to login, password, mount,
etc.
The question is this: has the checksecurity program lost its mind, or have
I been breached? This server is exposed at our firewall for only the radius
related ports and those coming from specific IP addresses. I understand that
IPs can be spoofed, so that isn't completely secure, but better than
nothing.
Is there anything that I can check to start seeing if I've been hacked? Any
way to check what might be going on? Has anyone seen anything like this?
Please help!