
Re: Am I hacked?



Here are the files you asked me for:

/etc/passwd
root:x:0:0:root:/root:/bin/bash
sashroot:x:0:0:root:/root:/bin/sash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
michal:x:1000:1000:Michal Sedlak,,,:/home/michal:/bin/bash
identd:x:100:65534::/var/run/identd:/bin/false
sshd:x:101:65534::/var/run/sshd:/bin/false
mysql:x:103:104:MySQL Server,,,:/var/lib/mysql:/bin/false
logcheck:x:105:105::/var/lib/logcheck:/bin/false
bind:x:104:106::/var/cache/bind:/bin/false
ingo:x:1001:1001:,,,:/home/ingo:/bin/bash
wps:x:108:108::/opt/wps2:/bin/false
ntop:x:107:107::/var/lib/ntop:/bin/false
clamav:x:109:109::/var/lib/clamav:/bin/false

/etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:logcheck
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:michal
fax:x:21:
voice:x:22:
cdrom:x:24:michal
floppy:x:25:michal
tape:x:26:
sudo:x:27:
audio:x:29:michal
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:michal
sasl:x:45:
plugdev:x:46:michal
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
crontab:x:101:
Debian-exim:x:102:
michal:x:1000:
ssh:x:103:
mysql:x:104:
logcheck:x:105:
bind:x:106:
ingo:x:1001:
wps:x:108:
ntop:x:107:
clamav:x:109:


But I think the bigger problem is this:
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
matched the /bin/bash on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x)
matched the /bin/login on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
matched the /bin/ls on this machine.
Linux 2.4.17

and this

# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
Warning: Possible LKM Trojan installed

Best regards,
Michal Sedlak
----- Original Message ----- From: "Laurent CARON" <lcaron@gw.unix-scripts.info>
To: "Michal Sedlak" <sedlak@dfx.sk>
Cc: <debian-user@lists.debian.org>
Sent: Thursday, June 16, 2005 7:07 AM
Subject: Re: Am I hacked?


Michal Sedlak wrote:

Hi all,
I am nearly sure that my server was hacked, but I want to be sure. Can anybody tell me if it is true?

Here is the tiger script output. Do you have any ideas how to repair it {no mkfs funny stuff please}? There are some interesting lines. I have one for every critical system command like {login, su, etc}:
--WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x) matched the /bin/netstat on this machine.
and something like this for some kernel modules
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.symbols'
checksum differs from installed package 'kernel-image-2.6.8-2-386'.

Thank you very much for any recommendations

Login ID sashroot has uid == 0.
--WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.
--WARN-- [pass012w] Home directory /root exists multiple times (2) in
/etc/passwd.

Can you please post a copy of /etc/passwd and /etc/group?

Thanks

--
It is as true to say that the knowing subject is a product of matter
as to say that matter is a mere representation of the knowing
subject.
-+- Arthur Schopenhauer (1788-1860) -+-
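The two tiger checks that drive this thread (pass002w/pass012w on the account database, and sig004w/lin005f on installed binaries and modules) are simple enough to reproduce and reason about. The following is an added example, not tiger's, chkrootkit's or Debian's code: it parses passwd/group records the way tiger does, and verifies files against a manifest in the format dpkg keeps under /var/lib/dpkg/info/<package>.md5sums. The sample passwd and group text is a constructed subset of what was posted above; the throwaway root directory that demo_tamper() builds is an assumption so the hashing check can run offline instead of against a real /.

```python
"""Added example: re-implementation of the account and file-integrity checks
discussed in the thread. Not tiger's or Debian's code."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample: a subset of the /etc/passwd posted in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sashroot:x:0:0:root:/root:/bin/sash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
michal:x:1000:1000:Michal Sedlak,,,:/home/michal:/bin/bash
ingo:x:1001:1001:,,,:/home/ingo:/bin/bash
"""

# Constructed sample: a subset of the /etc/group posted in the thread.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:logcheck
disk:x:6:
sudo:x:27:
shadow:x:42:
michal:x:1000:
"""

# Groups whose membership is root-equivalent or close to it on a Debian box.
PRIVILEGED_GROUPS = {"root", "adm", "disk", "sudo", "shadow"}


def audit_passwd(text):
    """Flag duplicate UIDs and duplicate home dirs (tiger's pass002w / pass012w)."""
    by_uid, by_home = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:  # blank or malformed line, not a passwd record
            continue
        name, _pw, uid, _gid, _gecos, home, _shell = fields
        by_uid[uid].append(name)
        by_home[home].append(name)
    findings = []
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"UID {uid} exists multiple times ({len(names)}): {', '.join(names)}")
    for home, names in by_home.items():
        if len(names) > 1:
            findings.append(f"Home directory {home} exists multiple times ({len(names)}): {', '.join(names)}")
    return findings


def privileged_members(text):
    """Return {group: [members]} for privileged groups that list any members."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, _gid, members = fields
        if name in PRIVILEGED_GROUPS and members:
            result[name] = members.split(",")
    return result


def parse_md5sums(text):
    """Parse dpkg's .md5sums format: '<hex md5>  <path relative to />' per line."""
    manifest = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            manifest[parts[1]] = parts[0]
    return manifest


def _md5(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()


def verify_md5sums(manifest, root="/"):
    """Return (path, actual-or-'missing') for every file whose hash differs from the manifest."""
    mismatches = []
    for rel, expected in manifest.items():
        try:
            actual = _md5(os.path.join(root, rel))
        except OSError:
            mismatches.append((rel, "missing"))
            continue
        if actual != expected:
            mismatches.append((rel, actual))
    return mismatches


def demo_tamper():
    """Assumed scratch root: record a manifest for bin/ls, replace the file, re-verify."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    ls_path = os.path.join(root, "bin", "ls")
    with open(ls_path, "wb") as fh:
        fh.write(b"original ls (constructed placeholder)\n")
    manifest = parse_md5sums(f"{_md5(ls_path)}  bin/ls\n")
    clean = verify_md5sums(manifest, root)  # nothing changed yet
    with open(ls_path, "wb") as fh:
        fh.write(b"trojaned ls (constructed placeholder)\n")
    return clean, verify_md5sums(manifest, root)


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("--WARN--", finding)
    print("privileged group members:", privileged_members(SAMPLE_GROUP))
    print("mismatches after tampering:", demo_tamper()[1])
```

On the real machine the manifest comes from /var/lib/dpkg/info/<package>.md5sums (what tiger's lin005f and the debsums tool compare against). The caveat that matters for this thread: once chkrootkit reports a possible LKM trojan, neither the manifests nor the hashes computed by the running kernel can be trusted, because a kernel module can rewrite both the manifest files and what read() returns for /bin/ls. Run this kind of check only after booting from known-good media and mounting the disk read-only, and treat it as evidence for the investigation rather than as a repair.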



