
Re: Suspicious behavior: cracked or just a dying machine?



hi ya andrew

if you wanna know if you were cracked/hacked...
it's too late if you did not save the state of your machine before you went
live....
	- if you can compare your binaries to the live cdrom install
	then you can still check if the binaries were replaced...

	- lots of stuff gets replaced ... just need to know which files to
	look for and which directories...

	- tripwire is the simple answer to see anything "new/changed"
	( though it's too slow ...

if you wanna see if someone has backdoors and trojans...
i think some of the online auditing places might help ???
( dunno, never used 'em ... fear of them installing their own trojan and not
  telling ya ...

	http://www.Linux-Sec.net/Audit


since you are having problems with top and man, and probably ps...
and segfaulting...

i'd guess you've been hacked since your load is too high if it's supposed
to be just idling...
	- or just bad memory.... 

-- backup your data onto a new disk/cdrom and apply all patches
   and see if it fixes things...
	- keep your previous set of backup intact... since that's a good
	version prior to noticing all these "hardware problems"


have fun
alvin
http://www.Linux-Sec.net ... security stuff...
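A minimal form of the check alvin describes above (compare the installed binaries against a known-good copy, from media the intruder could not have touched), and of the debsums route in the quoted reply further down. This is an added example, not code from the thread or from Linux-Sec.net: it hashes the system directories of two trees and reports files whose content or permission bits differ, plus extra and missing files. The directory list, the mount points in the docstring and the two fake trees built by demo() are assumptions for illustration. The point of running it from a live CD is that a kernel-resident rootkit on the suspect box cannot hide or alter files from a hash computed under a different kernel; the caveat is that the reference tree must be the same Debian release at the same patch level, or every upgraded package shows up as "changed".

```python
"""Added example: hash-compare a suspect root against a known-good one.

Intended use from a live CD with the suspect disk mounted read-only, e.g.
    good    = manifest("/")             # the live CD's own trusted binaries
    suspect = manifest("/mnt/suspect")  # the possibly-cracked install
    compare(good, suspect)
Both paths are assumptions for illustration, not from the original post.
"""
import hashlib
import os
import shutil
import stat
import tempfile

# Directories a trojaned-binary rootkit typically touches; "lib" is walked
# recursively, so lib/modules is covered too.  Assumption: a starting list.
SYSTEM_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "lib")


def sha256_of(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries need little RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def manifest(root, subdirs=SYSTEM_DIRS):
    """Map relative path -> (mode, size, sha256) for regular files under root/subdirs.

    Symlinks and device nodes are skipped (lstat, not stat), so a symlink
    swapped in for a real binary shows up as 'missing' rather than hashed.
    """
    entries = {}
    for sub in subdirs:
        base = os.path.join(root, sub)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                entries[rel] = (stat.S_IMODE(st.st_mode), st.st_size, sha256_of(full))
    return entries


def compare(good, suspect):
    """Files whose content or permission bits differ, plus extras and gaps."""
    changed = sorted(p for p in good if p in suspect and good[p] != suspect[p])
    added = sorted(p for p in suspect if p not in good)
    missing = sorted(p for p in good if p not in suspect)
    return {"changed": changed, "added": added, "missing": missing}


def _write(root, rel, data, mode=0o755):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed example: two tiny fake roots, not real system trees.

    'suspect' has a replaced ps, an ls made setuid, a hidden extra file under
    usr/sbin and no sbin/init; everything else is identical to 'good'.
    """
    work = tempfile.mkdtemp(prefix="integrity-")
    good, suspect = os.path.join(work, "good"), os.path.join(work, "suspect")
    try:
        for root in (good, suspect):
            _write(root, "bin/ls", b"#!/bin/sh\necho genuine ls\n")
            _write(root, "usr/bin/top", b"#!/bin/sh\necho genuine top\n")
        _write(good, "bin/ps", b"#!/bin/sh\necho genuine ps\n")
        _write(suspect, "bin/ps", b"#!/bin/sh\necho trojaned ps\n")  # content differs
        _write(good, "sbin/init", b"#!/bin/sh\necho init\n")           # absent on suspect
        _write(suspect, "usr/sbin/.hidden", b"backdoor\n", 0o700)       # extra file
        os.chmod(os.path.join(suspect, "bin/ls"), 0o4755)               # setuid added
        return compare(manifest(good), manifest(suspect))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Comparing the permission bits as well as the hash is deliberate: a setuid copy of an otherwise genuine binary is a common leftover, and a pure content hash would miss it.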


On Wed, 15 Aug 2001, Karsten M. Self wrote:

> on Wed, Aug 15, 2001 at 11:49:12AM -0400, Andrew Perrin (aperrin@email.unc.edu) wrote:
> > Folks-
> > 
> > I just logged in (from work) to my home machine to copy a file I
> > needed. It's behaving very weirdly, and I'd love some advice as to whether
> > you think I've been cracked or it's likely just a hardware issue. I'd
> > strongly prefer not to shutdown remotely, but will do so rather than
> > waiting until I get home tonight if y'all think that's what's appropriate.
> 
> Looks suspicious based on what you post, though I wouldn't put it past
> bad memory.  The log is IIRC an old portmapper crack attempt.  Things to
> do:
> 
>   - If you've got the sash shell (preferably a copy from known good
>     media), use it and its builtins to test your system.
> 
>   - As soon as possible, get the system offline.
> 
>   - Boot known good media (I like the LinuxCare BBC or a similar
>     linux-on-CD live system), and see what it takes to try to get
>     debsums running.  Make sure the debsums database is up-to-date.  Or
>     check for other obvious discrepancies.
> 
>   - If you find you have been cracked, a restore of all system
>     directories is strongly advised.
> 
> > The machine is a (rather old) Pentium 200, 92MB RAM, with lots of stuff
> > plugged in (nVidia graphics, Adaptec SCSI running a CD-ROM and a Zip drive,
> > and four IDE hard drives of various sizes).  It's running debian 2.2r3,
> > kernel 2.2.19pre17 with all current patches.
> 
> > 1.) There's nobody doing anything on the machine, and yet I get the
> > following load averages:
> >  11:43am  up 6 days, 22:06,  6 users,  load average: 1.42, 1.50, 1.31
> 
> Highish.  Could be, say, disk problems hitting the kernel.
> 
> > 2.) top segfaults:
> > nujoma:~> top
> > Segmentation fault
> 
> Bad.
> 
> > 3.) man doesn't work:
> > nujoma:~> man ps
> > /usr/bin/man: Input/output error.
> 
> This points to HW issues IMO.
> 
> > 5.) Can't write my / filesystem (/home):
> > nujoma:~> touch foo
> > touch: foo: Read-only file system
> 
> > However, mount shows it as rw:
> 
> How about /proc/mounts?  /etc/mtab is often out-of-date when other
> issues exist with a system.  Particularly if / is mounted ro.
> 
> Note that most fstabs will remount / readonly if there are disk errors,
> as the line below shows.
> 
> > nujoma:~> mount
> > /dev/hdb3 on / type ext2 (rw,errors=remount-ro,errors=remount-ro)
> 
> > 6.) shutdown -r also segfaulted, so I can't reboot remotely.
> 
> umount all partitions but root.  Then try halt -n.
> 
> It's not friendly, but it may kill the system.
> 
> > I don't see anything suspicious in the logs, with the exception of the
> > following that I seem to get at least once a day:
> > 
> > Aug 14 17:38:43 nujoma /sbin/rpc.statd[257]: gethostbyname error for
> > ^X<F7><FF>
> 
> portmapper thing.  Drop the packets with a firewall.
> 
> -- 
> Karsten M. Self <kmself@ix.netcom.com>          http://kmself.home.netcom.com/
>  What part of "Gestalt" don't you understand?             There is no K5 cabal
>   http://gestalt-system.sourceforge.net/               http://www.kuro5hin.org
>    Free Dmitry! Boycott Adobe! Repeal the DMCA!    http://www.freesklyarov.org
> Geek for Hire                        http://kmself.home.netcom.com/resume.html
> 
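A worked version of the /proc/mounts check Karsten suggests in the quoted reply, as an added example that is not part of the thread. `mount` reads /etc/mtab, which is written by the mount command; the kernel's own view is /proc/mounts, and an ext2 filesystem mounted with errors=remount-ro is flipped to ro by the kernel on an I/O error without mtab being updated, which is exactly the "touch says read-only, mount says rw" symptom in the post. The two sample tables below are constructed for the example from the one mount line shown in the post; the /home and Zip-drive entries are invented, and the script's name and the two file paths are assumptions.

```python
"""Added example: ask the kernel (/proc/mounts) rather than /etc/mtab whether a
filesystem has been remounted read-only.

Real use on the suspect box (paths are the standard ones, assumed here):
    ro_discrepancies(open("/etc/mtab").read(), open("/proc/mounts").read())
"""

# Current kernels escape whitespace and backslash in /proc/mounts paths as
# octal sequences; undo them so mountpoints with spaces compare correctly.
_ESCAPES = {"\\040": " ", "\\011": "\t", "\\012": "\n", "\\134": "\\"}


def unescape(field):
    for code, char in _ESCAPES.items():
        field = field.replace(code, char)
    return field


def parse_mounts(text):
    """Parse mtab / /proc/mounts lines into {mountpoint: (device, fstype, options)}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or line.startswith("#"):
            continue
        device, mountpoint, fstype, options = parts[:4]
        table[unescape(mountpoint)] = (unescape(device), fstype, options.split(","))
    return table


def ro_discrepancies(mtab_text, proc_text):
    """(mountpoint, remount_ro_set) for filesystems mtab lists rw but the kernel says ro.

    remount_ro_set is True when errors=remount-ro is among the kernel's options,
    i.e. the read-only state is most likely the result of an I/O error rather
    than an administrator's remount.
    """
    mtab, proc = parse_mounts(mtab_text), parse_mounts(proc_text)
    found = []
    for mountpoint, (_dev, _fs, proc_opts) in proc.items():
        mtab_opts = mtab.get(mountpoint, ("", "", []))[2]
        if "ro" in proc_opts and "rw" in mtab_opts:
            found.append((mountpoint, "errors=remount-ro" in proc_opts))
    return sorted(found)


# Constructed sample data: what /etc/mtab and /proc/mounts might look like on
# a box whose root ext2 has been remounted ro after a disk error.  The root
# line mirrors the post; the other entries are invented for the example.
SAMPLE_MTAB = """\
/dev/hdb3 / ext2 rw,errors=remount-ro,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda1 /home ext2 rw 0 0
"""

SAMPLE_PROC_MOUNTS = """\
/dev/hdb3 / ext2 ro,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda1 /home ext2 rw 0 0
/dev/sda1 /mnt/zip\\040disk vfat rw 0 0
"""

if __name__ == "__main__":
    for mountpoint, remounted in ro_discrepancies(SAMPLE_MTAB, SAMPLE_PROC_MOUNTS):
        print(f"{mountpoint}: kernel says ro, mtab says rw"
              + (" (errors=remount-ro set: look for I/O errors in the kernel log)"
                 if remounted else ""))
```

Two caveats for the situation in the post. First, on a box where top and shutdown segfault, the interpreter or libc may be just as broken or just as untrustworthy, so the same information is better read with a static shell such as the sash Karsten mentions (`cat /proc/mounts` through its builtins) than with a script. Second, a read-only remount caused by errors=remount-ro points at the disk, but it does not rule out a compromise; both can be true on the same machine, which is why the binaries still need checking from known-good media.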


