
Possible security exploit: debian-unstable



Hello all,

likely as it is for the unstable branch to have such gaps in the fabric,
I'd like to post this experience of mine. I didn't find any match in
this list, though it might have slipped me.

My machine showed signs of corruption in my /usr/bin directory (EXT3
partition) last Friday. The TOP, FREE, a series of DPKG-* commands and a
few others had their owner id set to 32, a considerably larger file size, and
responded with "segmentation fault" or "attempt to access beyond end of
device" when called. I do have another machine running the same
configuration (the difference is the processor, but the architecture is
still the same).

Now, upon posting at gmane.linux.kernelnewbies (I thought the FS had
been corrupted through some improperly configured kernel of mine), I got
replies indicating two possible directions:

1) since SMARTMONTOOLS smartctl showed a huge value of
REALLOCATED_SECTOR_Ct, my disk was about to fail;

2) my machine had been compromised and the binaries changed. Well, but
would a hacked version of TOP show "segmentation fault"? If so, why?
Upon friendly suggestion I went through the logs, and did find some
peculiar things. I'm not completely certain the machine has been
compromised, though:
- I have two machines connected to the internet through a cable modem router
- one of the machines had a sshd running, which I used to access it from
the outside.
- over the course of one week, this machine suffered a series of
password/user attacks (it looks like someone tried to use some program
to gain access)
- the auth.log recorded the following lines on a day the second machine
(which had the files with owner 32) stayed on uninterruptedly, without my
supervision (a very poor one, anyway):

Jul  8 06:25:04 abafado su[24024]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24026]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24028]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24028]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:27:18 abafado su[24028]: (pam_unix) session closed for user nobody

I'm still learning the ropes, and sys-forensics is not that easy. Now,
would anyone be so kind as to give me some feedback on whether this is
a security issue (or a hardware thing), and whether it is worth letting
the people doing Debian security know about it? I'm most willing to
help anyone with the expertise (especially since I'll be on summer break
for two whole weeks, and am usually tinkering with my Debian box on the
breaks from my summer break).

Regards,

Jose
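As an added example (not part of Jose's post and not a Debian tool), here is a small Python script that regroups the quoted su/pam_unix lines into one record per su session, computes how long each lasted, and flags the properties a first-pass reviewer would check: whether su recorded a controlling tty (su logs "???" when there is none, as a cron job would produce), whether root was switching down to an unprivileged user, and whether the session started inside the window in which Debian's stock /etc/crontab hands cron.daily to run-parts (06:25). The sample log is constructed from the post's three sessions with the mail-wrapped lines rejoined; the cron.daily window is an assumption that the box runs the stock crontab.

```python
"""Group su(1) audit lines and pam_unix session lines from a syslog-style
auth.log into sessions and flag the ones worth a second look.
Added example; constructed sample data, not code from the post."""
import re
from datetime import datetime

# Constructed sample: the three su sessions quoted in the post, with the
# lines the mail client wrapped rejoined onto one line each.
SAMPLE_AUTH_LOG = """\
Jul  8 06:25:04 abafado su[24024]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24026]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24028]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24028]: (pam_unix) session opened for user nobody by (uid=0)
Jul  8 06:27:18 abafado su[24028]: (pam_unix) session closed for user nobody
"""

# "<Mon dd HH:MM:SS> <host> su[<pid>]: <body>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"su\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
# su's own audit line: "+" success / "-" failure, then the tty ("???" = none)
AUDIT_RE = re.compile(r"^(?P<ok>[+-]) (?P<tty>\S+) (?P<src>[^:\s]+):(?P<dst>\S+)$")
OPEN_RE = re.compile(r"^\(pam_unix\) session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)$")
CLOSE_RE = re.compile(r"^\(pam_unix\) session closed for user (?P<user>\S+)$")

# Assumption: Debian's stock /etc/crontab starts cron.daily via run-parts at
# 06:25. Treat sessions opened in this window as candidate scheduled jobs.
CRON_DAILY_WINDOW = ("06:25:00", "06:30:00")


def parse_ts(text):
    """Syslog timestamps carry no year; strptime defaults to 1900, which is
    fine because we only ever subtract timestamps within one day."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def parse_su_sessions(lines):
    """Group su audit + pam_unix lines by su PID into one session record each,
    preserving first-seen order."""
    sessions, order = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an su line; ignore
        pid = int(m["pid"])
        if pid not in sessions:
            sessions[pid] = {"pid": pid, "host": m["host"], "success": None,
                             "tty": None, "src": None, "dst": None, "by_uid": None,
                             "opened": None, "closed": None, "duration_s": None}
            order.append(pid)
        s, body, ts = sessions[pid], m["body"], parse_ts(m["ts"])
        a = AUDIT_RE.match(body)
        if a:
            s["success"] = a["ok"] == "+"
            s["tty"], s["src"], s["dst"] = a["tty"], a["src"], a["dst"]
            continue
        o = OPEN_RE.match(body)
        if o:
            s["opened"], s["by_uid"] = ts, int(o["uid"])
            continue
        if CLOSE_RE.match(body) and s["opened"] is not None:
            s["closed"] = ts
            s["duration_s"] = int((ts - s["opened"]).total_seconds())
    return [sessions[p] for p in order]


def flag_session(s):
    """Return human-readable reasons a session deserves a second look."""
    reasons = []
    if s["tty"] == "???":
        reasons.append("no controlling tty: non-interactive caller such as cron, not a login shell")
    if s["by_uid"] == 0 and s["src"] == "root":
        reasons.append("root switching down to %s (typical of maintenance scripts)" % s["dst"])
    if s["opened"] is not None:
        hhmmss = s["opened"].strftime("%H:%M:%S")
        if CRON_DAILY_WINDOW[0] <= hhmmss < CRON_DAILY_WINDOW[1]:
            reasons.append("started inside the Debian cron.daily window (06:25)")
        if s["closed"] is None:
            reasons.append("session never closed in this log excerpt")
    return reasons


if __name__ == "__main__":
    for sess in parse_su_sessions(SAMPLE_AUTH_LOG.splitlines()):
        print("su[%d] %s->%s tty=%s duration=%ss" % (
            sess["pid"], sess["src"], sess["dst"], sess["tty"], sess["duration_s"]))
        for reason in flag_session(sess):
            print("   -", reason)
```

On the post's own lines this yields three successful root-to-nobody sessions with no tty, all opened at 06:25:04, two lasting 0 s and the third 134 s, which is consistent with a scheduled job rather than an interactive login; the log excerpt alone therefore neither proves nor rules out a compromise. The check that actually settles the binaries question is comparing the odd /usr/bin files against the md5sums dpkg recorded at install time (debsums, run from trusted media) and, given the SMART reallocated-sector count, a read test of the disk.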
