Thank you everyone for your responses.... I'm not so sure I was compromised anymore unless this person is *really* good... no new ports are open on the box according to an nmap scan from outside the box, chkrootkit found nothing, all other binaries in /sbin, /bin, /lib and the /usr equivalents match their signatures... so unless this guy has some vested interest in owning my particular box (i.e. beyond a script kiddie), I'm fairly certain something else awry happened... but here's what I do know and maybe someone will see something... at 10:30 Monday night /sbin had a new file added to it, a.out. I was logged in at the time but no one else was. The file, a.out, is an invalid executable.. put on a safe boxen it just segfaults and it looks to contain just an ELF executable header (I've attached the hex dump and strings etc. below). About said time on the system smbd (only bound to the intranet interface) had one drive exported as I was updating web pages, but the logs show (and I remember) compiling no C code.. much less compiling alternative programs... much less what program would place said binary in that location? and not even a complete binary... Given the only evidence I have of anything suspicious is that file, I'm going to assume that I was not broken into but if anyone has seen anything here that raises a flag I'd love to know and I'll pull the box off the net again till tonight...
tia people and thanks for all the advice so far
nick

[nick@kajim ~]$ strings a.out
__bss_start
_edata
_end
[nick@kajim ~]$ file a.out
file: Using regular magic file `/usr/share/magic'
a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
[nick@kajim ~]$ hexdump a.out
0000000 457f 464c 0101 0001 0000 0000 0000 0000
0000010 0002 0003 0001 0000 0000 0000 0034 0000
0000020 0028 0000 0000 0000 0000 0000 0000 0000
0000030 0000 0000 0000 0000 0000 0000 0000 0000
*
0000050 001b 0000 0001 0000 0001 0000 9074 0804
0000060 0000 0000 0000 0000 0000 0000 0000 0000
0000070 0001 0000 0000 0000 0021 0000 0001 0000
0000080 0001 0000 9074 0804 0000 0000 0000 0000
0000090 0000 0000 0000 0000 0001 0000 0000 0000
00000a0 0011 0000 0003 0000 0000 0000 0000 0000
00000b0 0000 0000 0026 0000 0000 0000 0000 0000
00000c0 0001 0000 0000 0000 0001 0000 0002 0000
00000d0 0000 0000 0000 0000 0118 0000 0090 0000
00000e0 0005 0000 0006 0000 0004 0000 0010 0000
00000f0 0009 0000 0003 0000 0000 0000 0000 0000
0000100 01a8 0000 0019 0000 0000 0000 0000 0000
0000110 0001 0000 0000 0000 0000 0000 0000 0000
0000120 0000 0000 0000 0000 0000 0000 9074 0804
0000130 0000 0000 0003 0001 0000 0000 9074 0804
0000140 0000 0000 0003 0002 0000 0000 0000 0000
0000150 0000 0000 0003 0003 0000 0000 0000 0000
0000160 0000 0000 0003 0004 0000 0000 0000 0000
0000170 0000 0000 0003 0005 0001 0000 9074 0804
0000180 0000 0000 0011 fff1 000d 0000 9074 0804
0000190 0000 0000 0011 fff1 0014 0000 9074 0804
00001a0 0000 0000 0011 fff1 5f00 625f 7373 735f
00001b0 6174 7472 5f00 6465 7461 0061 655f 646e
00001c0 0000
00001c1

----- Original Message -----
From: "Ken Pfeil" <Kenat_private>
To: "Nick Lange" <nlangeat_private>; <Forensicsat_private>
Sent: Thursday, August 02, 2001 5:51
Subject: RE: Rooted Linux Box Foresensics Questions

> http://www.trinux.org
>
> > -----Original Message-----
> > From: Nick Lange [mailto:nlangeat_private]
> > Sent: Wednesday, August 01, 2001 9:05 AM
> > To: Forensicsat_private
> > Subject: Rooted Linux Box Foresensics Questions
> >
> > Well, I thought I was all patched up but I guess I was wrong (or maybe I was
> > right and this is something new)
> > but as of two days ago I apparently got rooted as this morning's status
> > report I have a nice /sbin/a.out waiting for me upon my return from work
> > tonight...
> >
> > anyone know of any single floppy disk distros designed for forensics
> > containing such things as network drivers and fs stuff for mounting and
> > transferring information off the machine so I can figure out exactly what
> > happened w/o screwing up evidence? I'm curious how exactly this happened and
> > my pseudo-tripwire didn't cover all directories [assuming there's even
> > evidence left, I didn't notice it for two days...] but I can't find out till
> > tonight when I return from work...(pulled it off the inet this morning tho).
> > TIA
> > nick
> >
> > -----------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> > -----------------------------------------------------------------
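As an added example, not part of the thread: a small Python script that decodes the 52-byte Elf32_Ehdr transcribed from the hexdump above (hexdump prints 16-bit little-endian words, so its "457f" is the byte pair 7f 45) and lists the header fields that stop the kernel from running the image, without ever executing it. The header bytes are the ones in the post; the field names and the four checks in triage() are my own.

```python
import struct

# Constructed input: the first 52 bytes (the Elf32_Ehdr) of /sbin/a.out,
# transcribed from the hexdump in the post. hexdump prints 16-bit
# little-endian words, so its "457f" is the byte pair 7f 45.
ELF_HEADER = bytes.fromhex(
    "7f454c46 01010100 00000000 00000000"  # e_ident: \x7fELF, ELFCLASS32, LSB, v1
    "02000300 01000000 00000000 34000000"  # e_type e_machine e_version e_entry e_phoff
    "28000000 00000000 00000000 00000000"  # e_shoff e_flags e_ehsize.. e_shentsize
    "00000000"                             # e_shnum e_shstrndx
)

# Elf32_Ehdr layout (little-endian): 16-byte ident, then the fields below.
ELF32_EHDR = struct.Struct("<16sHHIIIIIHHHHHH")
FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
          "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
          "e_shnum", "e_shstrndx")

def parse_elf32_header(data):
    """Decode an Elf32_Ehdr into a dict; reads the bytes, never runs them."""
    if len(data) < ELF32_EHDR.size:
        raise ValueError("short read: need %d bytes" % ELF32_EHDR.size)
    unpacked = ELF32_EHDR.unpack_from(data)
    ident = unpacked[0]
    if ident[:4] != b"\x7fELF":
        raise ValueError("bad magic, not an ELF file")
    if ident[4] != 1 or ident[5] != 1:
        raise ValueError("only ELFCLASS32 / ELFDATA2LSB is handled here")
    return dict(zip(FIELDS, unpacked[1:]))

def triage(hdr):
    """Reasons the kernel's ELF loader would map nothing or crash on this image."""
    problems = []
    if hdr["e_phnum"] == 0:
        problems.append("e_phnum is 0: no PT_LOAD segments, nothing gets mapped")
    if hdr["e_entry"] == 0:
        problems.append("e_entry is 0: execution would start at an unmapped address")
    if hdr["e_ehsize"] != ELF32_EHDR.size:
        problems.append("e_ehsize is %d, expected %d" % (hdr["e_ehsize"], ELF32_EHDR.size))
    if 0 < hdr["e_shoff"] < ELF32_EHDR.size:
        problems.append("e_shoff 0x%x points inside the ELF header itself" % hdr["e_shoff"])
    return problems

if __name__ == "__main__":
    h = parse_elf32_header(ELF_HEADER)
    print("entry=0x%08x phoff=0x%x phnum=%d shoff=0x%x shnum=%d"
          % (h["e_entry"], h["e_phoff"], h["e_phnum"], h["e_shoff"], h["e_shnum"]))
    for p in triage(h):
        print(" -", p)
```

With e_phnum=0 and e_entry=0 the loader maps no segments and starts at address 0, which by itself accounts for the segfault the post describes; the same decode is a safer first step than running an unknown binary, even on a scratch box.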
This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 12:20:33 PDT