
Am I hacked?



Hi all,
I am nearly sure that my server was hacked, but I want to be sure. Can anybody tell me if it is true?

Here is the tiger script output. Do you have any ideas how to repair it {no mkfs funny stuff please}? There are some interesting lines. I have one for every critical system command {login, su, etc.}:
--WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x) matched the /bin/netstat on this machine.
and something like this for some kernel modules:
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.symbols'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.

Thank you very much for any recommendations.

Best regards
Michal Sedlak

tiger script output:
Security scripts *** 3.2.1, 2003.10.10.18.00 ***
Wed Jun 15 18:26:19 CEST 2005
18:26> Beginning security report for localhost.localdomain (i686 Linux 2.6.8-2-686-smp).
# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell.
--WARN-- [pass017w] Login ID sashroot has uid == 0.
--WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.
--WARN-- [pass012w] Home directory /root exists multiple times (2) in
/etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck
-r).
# Performing check of group files...
# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc006w] Login ID bind's home directory (/var/cache/bind) has group
`bind' write access.
--WARN-- [acc021w] Login ID bind appears to be a dormant account.
--WARN-- [acc021w] Login ID identd appears to be a dormant account.
--WARN-- [acc023w] Login ID ingo's parent directory (/home/) has group `staff'
write access.
--WARN-- [acc023w] Login ID michal's parent directory (/home/) has group
`staff' write access.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not
accessible.
--WARN-- [acc021w] Login ID sshd appears to be a dormant account.
# Performing check of /etc/hosts.equiv and .rhosts files...
# Checking accounts from /etc/passwd...
# Performing check of .netrc files...
# Checking accounts from /etc/passwd...
# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root003w] Root user has message capability turned on.
# Performing check of PATH components...
--WARN-- [path009w] /etc/csh.login does not setenv an initial setting for
PATH.
# Only checking user 'root'
# Performing check of anonymous FTP...
# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.
# Performing check of `cron' entries...
--WARN-- [cron005w] Use of cron is not restricted
# Performing check of 'inetd'...
# Checking inetd entries from /etc/inetd.conf
# Performing check of services with tcp wrappers...
# Analysing inetd entries from /etc/inetd.conf
# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service postgres is also assigned to service
postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service
postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service
sane-port.
# Performing NFS exports check...
# Performing check of system file permissions...
# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
matched the /bin/bash on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x)
matched the /bin/login on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
matched the /bin/ls on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/mount (-rwsr-xr-x)
matched the /bin/mount on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x)
matched the /bin/netstat on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ping (-rwsr-xr-x)
matched the /bin/ping on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ps (-rwxr-xr-x)
matched the /bin/ps on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/su (-rwsr-xr-x)
matched the /bin/su on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/tcsh (-rwxr-xr-x)
matched the /bin/tcsh on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/umount (-rwsr-xr-x)
matched the /bin/umount on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/at (-rwsr-xr-x)
matched the /usr/bin/at on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/chage
(-rwxr-sr-x) matched the /usr/bin/chage on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/chfn
(-rwsr-xr-x) matched the /usr/bin/chfn on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/chsh
(-rwsr-xr-x) matched the /usr/bin/chsh on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/crontab
(-rwxr-sr-x) matched the /usr/bin/crontab on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/gpasswd
(-rwsr-xr-x) matched the /usr/bin/gpasswd on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/lockfile
(-rwxr-sr-x) matched the /usr/bin/lockfile on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/lpq (-rwsr-sr-x)
matched the /usr/bin/lpq on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/lpr (-rwsr-sr-x)
matched the /usr/bin/lpr on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/lprm
(-rwsr-sr-x) matched the /usr/bin/lprm on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/mutt
(-rwxr-xr-x) matched the /usr/bin/mutt on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/newgrp
(-rwsr-xr-x) matched the /usr/bin/newgrp on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/passwd
(-rwsr-xr-x) matched the /usr/bin/passwd on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/procmail
(-rwsr-sr-x) matched the /usr/bin/procmail on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/ssh (-rwxr-xr-x)
matched the /usr/bin/ssh on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/traceroute
(lrwxrwxrwx) matched the /usr/bin/traceroute on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/wall
(-rwxr-sr-x) matched the /usr/bin/wall on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/bin/write
(lrwxrwxrwx) matched the /usr/bin/write on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/inetd
(-rwxr-xr-x) matched the /usr/sbin/inetd on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/lpc
(-rwxr-sr-x) matched the /usr/sbin/lpc on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/lpd
(-rwxr-xr-x) matched the /usr/sbin/lpd on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/sshd
(-rwxr-xr-x) matched the /usr/sbin/sshd on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /usr/sbin/tcpd
(-rwxr-xr-x) matched the /usr/sbin/tcpd on this machine.
Linux 2.4.17
# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /bin/ip
# Testing for backdoors in inetd.conf
# Performing check of files in system mail spool...
# Performing check for rookits...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
Warning: Possible LKM Trojan installed
# Performing system specific checks...
# Performing checks for Linux/2...
# Checking for single user-mode password...
# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group
permissions. Should be 0600
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world
permissions. Should be 0600
--WARN-- [boot06] The Grub bootloader does not have a password configured.
# Checking for vulnerabilities in inittab configuration...
--FAIL-- [lin007w] Normal users can reboot the system through ctrl+alt+del in
runlevels 12345
# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/csh.login
# Checking Logins not used on the system ...
# Checking network configuration
--FAIL-- [lin010f] The system is configured to answer to ICMP broadcasts
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
packets
# Verifying system specific password checks...
--WARN-- [pass19w] Login ID root does not have password aging enabled.
--WARN-- [pass19w] Login ID sashroot does not have password aging enabled.
--WARN-- [pass19w] Login ID bin does not have password aging enabled.
--WARN-- [pass19w] Login ID michal does not have password aging enabled.
--WARN-- [pass19w] Login ID ingo does not have password aging enabled.
# Checking OS release...
# Checking installed packages vs Debian Security Advisories...
# Checking md5sums of installed files
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.pcimap'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.dep'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file
`/lib/modules/2.6.8-2-386/modules.ieee1394map' checksum differs from
installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.usbmap'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.isapnpmap'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.alias'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.symbols'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file
`/lib/modules/2.6.8-2-686-smp/modules.pcimap' checksum differs from
installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-686-smp/modules.dep'
checksum differs from installed package
'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file
`/lib/modules/2.6.8-2-686-smp/modules.ieee1394map' checksum differs
from installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file
`/lib/modules/2.6.8-2-686-smp/modules.usbmap' checksum differs from
installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file
`/lib/modules/2.6.8-2-686-smp/modules.isapnpmap' checksum differs
from installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-686-smp/modules.alias'
checksum differs from installed package
'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file
`/lib/modules/2.6.8-2-686-smp/modules.symbols' checksum differs from
installed package 'kernel-image-2.6.8-2-686-smp'.
--FAIL-- [lin005f] Installed file
`/opt/wps2/lib/python/Products/WPSRedirector/WPSRedirector.py'
checksum differs from installed package 'wps-base'.
# Checking installed files against packages...
# Performing check of root directory...
# Checking device permissions...
--WARN-- [dev003w] The directory /dev/cpu resides in a device directory.
--WARN-- [dev003w] The directory /dev/i2o resides in a device directory.
--FAIL-- [dev002f] /dev/log has world permissions
# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/wtmp permission should be 664
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
# Checking for correct umask settings...
--WARN-- [misc021w] There are no umask entries in /etc/csh.login
# Checking listening processes
--WARN-- [lin003w] The process `exim4' is listening on socket 25 (TCP on
loopback interface) is run by Debian-exim.
--WARN-- [lin003w] The process `mysqld' is listening on socket 3306 (TCP on
loopback interface) is run by mysql.
--WARN-- [lin003w] The process `named' is listening on socket 53 (TCP on
loopback interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 953 (TCP on
loopback interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 53 (TCP on
217.67.26.86 interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 32768 (UDP on
every interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 53 (UDP on
loopback interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket 53 (UDP on
217.67.26.86 interface) is run by bind.
--WARN-- [lin002i] The process `python2.2' is listening on socket 9672 (TCP)
on every interface.
--WARN-- [lin002i] The process `python2.2' is listening on socket 9673 (TCP)
on every interface.
--WARN-- [lin002i] The process `python2.2' is listening on socket 9674 (TCP)
on every interface.
# Checking sshd_config configuration files...
# Checking printer configuration files...
# Performing common access checks for root...
--FAIL-- [netw020f] There is no /etc/ftpusers file.
# Checking ntpd configuration...
# Checking unusual file names...
# Looking for unusual device files...
# Checking symbolic links...
--WARN-- [xxxxx] The following files are unowned:
/home/ingo/ssl.conf
--WARN-- [xxxxx] The following files have undefined groups ownership:
/home/ingo/ssl.conf
# Performing check of embedded pathnames...
18:28> Security report completed for localhost.localdomain.
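What the report above can and cannot settle, as an added example that is not part of the original post or of tiger itself: a short Python triage script run over a constructed excerpt of that report. It lists every uid-0 login from an assumed /etc/passwd excerpt (only root and sashroot are known from the report) instead of trusting a count; separates the lin005f checksum failures on the depmod-generated /lib/modules/*/modules.* files, which never match the copy the kernel package shipped, from the one on an application file; counts the sig004w warnings, which only say that none of the signatures bundled with tiger (here the single set labelled "Linux 2.4.17") matched and therefore call for a comparison against the package's own md5sums (debsums) rather than a verdict; and gives the /proc-versus-ps comparison behind chkrootkit's "Possible LKM Trojan" warning as a plain function so it can be re-run and reasoned about. Names such as triage, hidden_pids and PASSWD are this example's own.

```python
"""Triage helpers for a tiger report.

Added example, not part of the original post or of tiger. It parses the
--WARN--/--FAIL-- lines of a report like the one above, then applies checks
the report cannot do by itself. The inputs below are constructed from the
post; the /etc/passwd excerpt is an assumption.
"""
import re
from collections import defaultdict

# Constructed excerpt of the report above. tiger wraps long messages, so
# continuation lines are included on purpose.
TIGER_REPORT = """\
--WARN-- [pass017w] Login ID sashroot has uid == 0.
--WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.
--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x)
matched the /bin/login on this machine.
Linux 2.4.17
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
Warning: Possible LKM Trojan installed
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.dep'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.
--FAIL-- [lin005f] Installed file
`/opt/wps2/lib/python/Products/WPSRedirector/WPSRedirector.py'
checksum differs from installed package 'wps-base'.
"""

# Assumed /etc/passwd excerpt: root plus the sashroot login the report names.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sashroot:x:0:0:root:/root:/bin/sash
michal:x:1000:1000:Michal:/home/michal:/bin/bash
"""

FINDING = re.compile(r"^--(WARN|FAIL)-- \[(\w+)\] (.*)$")


def parse_tiger(text):
    """Return {check_id: [message, ...]}; wrapped lines are joined back."""
    findings = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = FINDING.match(line)
        if m:
            current = m.group(2)
            findings[current].append(m.group(3).strip())
        elif current and line.strip() and not line.startswith("#"):
            findings[current][-1] += " " + line.strip()
    return dict(findings)


def uid0_logins(passwd_text):
    """Every login with uid 0; each one has to be explained, not just counted."""
    logins = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            logins.append(fields[0])
    return logins


# Files under /lib/modules/<version>/ that depmod rewrites when a kernel
# package is installed, so a mismatch against the package checksum is noise.
DEPMOD_OUTPUT = re.compile(r"/lib/modules/[^/']+/modules\.\w+'")


def classify_lin005f(messages):
    """Split checksum failures into depmod-regenerated files and real diffs."""
    expected, review = [], []
    for msg in messages:
        found = re.search(r"`([^']+)'", msg)
        path = found.group(1) if found else msg
        (expected if DEPMOD_OUTPUT.search(msg) else review).append(path)
    return expected, review


def hidden_pids(proc_pids, ps_pids):
    """Core of chkrootkit's chkproc test: pids present in /proc but absent
    from ps. A process that exits between the two listings shows up here
    too, so a hit means 'run it again', not 'hidden' on its own."""
    return sorted(set(proc_pids) - set(ps_pids))


def triage(report=TIGER_REPORT, passwd=PASSWD):
    f = parse_tiger(report)
    expected, review = classify_lin005f(f.get("lin005f", []))
    return {
        "uid0": uid0_logins(passwd),
        # sig004w: no bundled signature matched; the versions tiger knows are
        # listed in the message. Compare against package md5sums (debsums).
        "sig004w_verify_with_debsums": len(f.get("sig004w", [])),
        "lin005f_depmod_noise": expected,
        "lin005f_review": review,
        "chkrootkit": f.get("rootkit004w", []),
    }


if __name__ == "__main__":
    import os
    import subprocess

    for key, value in triage().items():
        print(f"{key}: {value}")
    # Live version of the chkproc comparison on the machine running this.
    proc = [int(p) for p in os.listdir("/proc") if p.isdigit()]
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True)
    ps = [int(p) for p in out.stdout.split()]
    print("pids in /proc but not in ps:", hidden_pids(proc, ps))
```

A uid-0 login named sashroot is what Debian's sash package creates when its installer is asked to, so the script lists it rather than judging it; whether it belongs on this machine is for the admin to confirm. None of this is proof either way: a binary whose md5sum differs from its package's, or a pid still missing from ps on a second pass, is the result that actually warrants taking the box offline for a closer look.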