It looks like someone wasn't watching their Saturday morning cartoons yesterday and decided to crack my home Linux box instead. I have included the juicy bits from the tripwire report below. Now I have several questions for the security experts here. Is this attack a recognized one? Any suggestions for log analysis to track down the intruder? Is the only recovery here a complete re-install? And lastly, is there any place I should report the incident?

----------------------------------------------------------------------------
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
----------------------------------------------------------------------------
Added:
"/usr/sbin/..."
Removed:
"/usr/sbin/nscd"
Modified:
"/usr/sbin"
"/usr/sbin/checkpc"
"/usr/sbin/ckconfig"
"/usr/sbin/ftprestart"
"/usr/sbin/ftpshut"
"/usr/sbin/in.ftpd"
"/usr/sbin/lpc"
"/usr/sbin/lpd"
"/usr/sbin/lsof"
"/usr/sbin/mailstats"
"/usr/sbin/makemap"
"/usr/sbin/monitor"
"/usr/sbin/nmbd"
"/usr/sbin/praliases"
"/usr/sbin/privatepw"
"/usr/sbin/samba"
"/usr/sbin/sendmail"
"/usr/sbin/smbd"
"/usr/sbin/smrsh"
"/usr/sbin/sshd"
"/usr/sbin/xferstats"

----------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
----------------------------------------------------------------------------
Added:
"/usr/lib/..."
"/usr/lib/.../ls"
"/usr/lib/.../netstat"
"/usr/lib/.../lsof"
"/usr/lib/.../bkit-ssh"
"/usr/lib/.../bkit-ssh/bkit-shdcfg"
"/usr/lib/.../bkit-ssh/bkit-shhk"
"/usr/lib/.../bkit-ssh/bkit-pw"
"/usr/lib/.../bkit-ssh/bkit-shrs"
"/usr/lib/.../bkit-ssh/bkit-shd.pid"
"/usr/lib/.../uconf.inv"
"/usr/lib/.../psr"
"/usr/lib/.../find"
"/usr/lib/.../pstree"
"/usr/lib/.../slocate"
"/usr/lib/.../du"
"/usr/lib/.../top"
"/usr/lib/libssl.so.0"
"/usr/lib/libssl.so.0.9.5a"
"/usr/lib/libcrypto.so.0"
"/usr/lib/libmilter.a"
"/usr/lib/libsmutil.a"
"/usr/lib/libcrypto.so.0.9.5a"
Modified:
"/usr/lib"
"/usr/lib/sasl"
"/usr/lib/sasl/Sendmail.conf"

----------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
----------------------------------------------------------------------------
Added:
"/usr/bin/ntpsx"
"/usr/bin/fetchmailconf"
Modified:
"/usr/bin"
"/usr/bin/addtosmbpass"
"/usr/bin/convert_smbpasswd"
"/usr/bin/dir"
"/usr/bin/du"
"/usr/bin/fetchmail"
"/usr/bin/find"
"/usr/bin/findsmb"
"/usr/bin/ftpcount"
"/usr/bin/ftpwho"
"/usr/bin/lpq"
"/usr/bin/lpr"
"/usr/bin/lprm"
"/usr/bin/lpstat"
"/usr/bin/make_printerdef"
"/usr/bin/make_smbcodepage"
"/usr/bin/mksmbpasswd.sh"
"/usr/bin/nmblookup"
"/usr/bin/pstree"
"/usr/bin/rmail"
"/usr/bin/scp"
"/usr/bin/sftp"
"/usr/bin/slocate"
"/usr/bin/smbadduser"
"/usr/bin/smbclient"
"/usr/bin/smbmnt"
"/usr/bin/smbmount"
"/usr/bin/smbpasswd"
"/usr/bin/smbprint"
"/usr/bin/smbspool"
"/usr/bin/smbstatus"
"/usr/bin/smbtar"
"/usr/bin/smbumount"
"/usr/bin/ssh"
"/usr/bin/ssh-add"
"/usr/bin/ssh-agent"
"/usr/bin/ssh-keygen"
"/usr/bin/ssh-keyscan"
"/usr/bin/testparm"
"/usr/bin/testprns"
"/usr/bin/top"
"/usr/bin/vdir"

----------------------------------------------------------------------------
Rule Name: Critical Utility Sym-Links (/sbin/mount.smb)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/sbin/mount.smb"

----------------------------------------------------------------------------
Rule Name: Critical Utility Sym-Links (/sbin/mount.smbfs)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/sbin/mount.smbfs"

----------------------------------------------------------------------------
Rule Name: Critical configuration files (/var/lib/nfs/rmtab)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/var/lib/nfs/rmtab"

----------------------------------------------------------------------------
Rule Name: System boot changes (/var/lock/subsys/sendmail)
Severity Level: 100
----------------------------------------------------------------------------
Removed:
"/var/lock/subsys/sendmail"

----------------------------------------------------------------------------
Rule Name: OS executables and libraries (/lib)
Severity Level: 100
----------------------------------------------------------------------------
Added:
"/lib/libproc.a"
"/lib/libproc.so"
"/lib/libproc.so.2.0.6"
Modified:
"/lib"

----------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/rc.d)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/etc/rc.d/rc.local"
"/etc/rc.d/rc.sysinit"
"/etc/rc.d/rc0.d"
"/etc/rc.d/rc0.d/K35smb"
"/etc/rc.d/rc1.d"
"/etc/rc.d/rc1.d/K35smb"
"/etc/rc.d/rc2.d"
"/etc/rc.d/rc2.d/K35smb"
"/etc/rc.d/rc3.d"
"/etc/rc.d/rc3.d/K35smb"
"/etc/rc.d/rc4.d"
"/etc/rc.d/rc4.d/K35smb"
"/etc/rc.d/rc5.d"
"/etc/rc.d/rc5.d/K35smb"
"/etc/rc.d/rc6.d"
"/etc/rc.d/rc6.d/K35smb"

----------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/rc.d/init.d)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/etc/rc.d/init.d"
"/etc/rc.d/init.d/lpd"
"/etc/rc.d/init.d/network"
"/etc/rc.d/init.d/sendmail"
"/etc/rc.d/init.d/smb"
"/etc/rc.d/init.d/sshd"

----------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/profile.d)
Severity Level: 100
----------------------------------------------------------------------------
Removed:
"/etc/profile.d/gnome-ssh-askpass.csh"
"/etc/profile.d/gnome-ssh-askpass.sh"
Modified:
"/etc/profile.d"

----------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/sysconfig)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/etc/sysconfig"
"/etc/sysconfig/samba"
"/etc/sysconfig/sendmail"

----------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/login)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/bin/login"

----------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/bin/ls"

----------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/netstat)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/bin/netstat"

----------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/bin/ps"

----------------------------------------------------------------------------
Rule Name: System boot changes (/dev/log)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/dev/log"
----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
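The report above is long enough that triaging it by eye is error-prone. The following is an added example, not code from the original post or from Tripwire: a small Python parser for the "Rule Name / Severity Level / Added / Removed / Modified" layout of the report, followed by heuristics that group the changed paths into the categories an incident responder would look at first (a hidden directory named with dots, replaced process/network/file-listing tools, a replaced login or sshd, touched boot scripts and /dev/log, a stray .pid file). The embedded report is a constructed subset of the entries quoted in the post, and the indicator lists are an assumption drawn from the binaries the post names, not an authoritative rootkit signature set.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Tripwire report quoted in the post.
SAMPLE_REPORT = """\
----------------------------------------------------------------------------
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
----------------------------------------------------------------------------
Added:
"/usr/sbin/..."
Removed:
"/usr/sbin/nscd"
Modified:
"/usr/sbin/sshd"
"/usr/sbin/lsof"
----------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
----------------------------------------------------------------------------
Added:
"/usr/lib/..."
"/usr/lib/.../ls"
"/usr/lib/.../netstat"
"/usr/lib/.../bkit-ssh/bkit-shd.pid"
----------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/bin/ls"
----------------------------------------------------------------------------
Rule Name: System boot changes (/dev/log)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/dev/log"
"""

# Assumed indicator lists, built from the binaries the post reports as changed.
# Tools whose replacement hides processes, connections or files.
HIDING_TOOLS = {"ls", "dir", "vdir", "ps", "pstree", "top", "netstat",
                "lsof", "find", "slocate", "du"}
# Binaries whose replacement usually means credential capture or a backdoor.
CREDENTIAL_PATHS = {"/bin/login", "/usr/sbin/sshd", "/usr/bin/ssh",
                    "/usr/bin/scp", "/usr/bin/sftp"}
# Boot-time persistence and the syslog socket.
PERSISTENCE_PATHS = {"/etc/rc.d/rc.local", "/etc/rc.d/rc.sysinit", "/dev/log"}


def parse_report(text):
    """Parse the report into {rule_name: {"severity", "Added", "Removed", "Modified"}}."""
    rules, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank or separator line
            continue
        m = re.match(r"Rule Name:\s*(.+)", line)
        if m:
            current = rules.setdefault(m.group(1).strip(),
                                       {"severity": 0, "Added": [], "Removed": [], "Modified": []})
            section = None
            continue
        m = re.match(r"Severity Level:\s*(\d+)", line)
        if m and current is not None:
            current["severity"] = int(m.group(1))
            continue
        if line in ("Added:", "Removed:", "Modified:"):
            section = line[:-1]
            continue
        m = re.match(r'"(.+)"$', line)         # quoted path entry
        if m and current is not None and section:
            current[section].append(m.group(1))
    return rules


def is_hidden_path(path):
    """True if any path component is made only of dots ('...' and longer)."""
    return any(len(part) > 2 and set(part) == {"."} for part in path.split("/"))


def triage(rules):
    """Group changed paths by indicator category; returns {category: sorted paths}."""
    findings = defaultdict(set)
    for rule in rules.values():
        for kind in ("Added", "Removed", "Modified"):
            for path in rule[kind]:
                name = path.rsplit("/", 1)[-1]
                if is_hidden_path(path):
                    findings["hidden_directory"].add(path)
                elif kind == "Modified" and name in HIDING_TOOLS:
                    findings["replaced_hiding_tool"].add(path)
                if kind == "Modified" and path in CREDENTIAL_PATHS:
                    findings["credential_or_backdoor"].add(path)
                if path in PERSISTENCE_PATHS:
                    findings["persistence_or_logging"].add(path)
                if kind == "Added" and name.endswith(".pid"):
                    findings["rogue_daemon_pidfile"].add(path)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, paths in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{category}:")
        for p in paths:
            print(f"    {p}")
```

The heuristics are deliberately coarse: they do not prove anything on their own, but they turn a wall of paths into a short list of questions (why is there a directory literally named "..."? why were ls, ps and netstat replaced together?) that guides which files to pull off the box for analysis before it is rebuilt. Run it against a full report by reading the file into `parse_report` instead of `SAMPLE_REPORT`.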
This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 08:24:59 PST