nasty tripwire report

From: Chester Jankowski (chester_jankowskiat_private)
Date: Sun Jan 13 2002 - 09:49:09 PST


    It looks like someone wasn't watching their Saturday morning cartoons
    yesterday and decided to crack my home Linux box instead. I have included
    the juicy bits from the tripwire report below. Now I have several questions
    for the security experts here. Is this attack a recognized one? Any
    suggestions for log analysis to track down the intruder? Is the only
    recovery here a complete re-install? And lastly, is there any place I should
    report the incident?
    
    -------------------------------------------------------------------------------
    Rule Name: User binaries (/usr/sbin)
    Severity Level: 66
    -------------------------------------------------------------------------------
    
    Added:
    "/usr/sbin/..."
    
    Removed:
    "/usr/sbin/nscd"
    
    Modified:
    "/usr/sbin"
    "/usr/sbin/checkpc"
    "/usr/sbin/ckconfig"
    "/usr/sbin/ftprestart"
    "/usr/sbin/ftpshut"
    "/usr/sbin/in.ftpd"
    "/usr/sbin/lpc"
    "/usr/sbin/lpd"
    "/usr/sbin/lsof"
    "/usr/sbin/mailstats"
    "/usr/sbin/makemap"
    "/usr/sbin/monitor"
    "/usr/sbin/nmbd"
    "/usr/sbin/praliases"
    "/usr/sbin/privatepw"
    "/usr/sbin/samba"
    "/usr/sbin/sendmail"
    "/usr/sbin/smbd"
    "/usr/sbin/smrsh"
    "/usr/sbin/sshd"
    "/usr/sbin/xferstats"
    
    -------------------------------------------------------------------------------
    Rule Name: Libraries (/usr/lib)
    Severity Level: 66
    -------------------------------------------------------------------------------
    
    Added:
    "/usr/lib/..."
    "/usr/lib/.../ls"
    "/usr/lib/.../netstat"
    "/usr/lib/.../lsof"
    "/usr/lib/.../bkit-ssh"
    "/usr/lib/.../bkit-ssh/bkit-shdcfg"
    "/usr/lib/.../bkit-ssh/bkit-shhk"
    "/usr/lib/.../bkit-ssh/bkit-pw"
    "/usr/lib/.../bkit-ssh/bkit-shrs"
    "/usr/lib/.../bkit-ssh/bkit-shd.pid"
    "/usr/lib/.../uconf.inv"
    "/usr/lib/.../psr"
    "/usr/lib/.../find"
    "/usr/lib/.../pstree"
    "/usr/lib/.../slocate"
    "/usr/lib/.../du"
    "/usr/lib/.../top"
    "/usr/lib/libssl.so.0"
    "/usr/lib/libssl.so.0.9.5a"
    "/usr/lib/libcrypto.so.0"
    "/usr/lib/libmilter.a"
    "/usr/lib/libsmutil.a"
    "/usr/lib/libcrypto.so.0.9.5a"
    
    Modified:
    "/usr/lib"
    "/usr/lib/sasl"
    "/usr/lib/sasl/Sendmail.conf"
    
    -------------------------------------------------------------------------------
    Rule Name: User binaries (/usr/bin)
    Severity Level: 66
    -------------------------------------------------------------------------------
    
    Added:
    "/usr/bin/ntpsx"
    "/usr/bin/fetchmailconf"
    
    Modified:
    "/usr/bin"
    "/usr/bin/addtosmbpass"
    "/usr/bin/convert_smbpasswd"
    "/usr/bin/dir"
    "/usr/bin/du"
    "/usr/bin/fetchmail"
    "/usr/bin/find"
    "/usr/bin/findsmb"
    "/usr/bin/ftpcount"
    "/usr/bin/ftpwho"
    "/usr/bin/lpq"
    "/usr/bin/lpr"
    "/usr/bin/lprm"
    "/usr/bin/lpstat"
    "/usr/bin/make_printerdef"
    "/usr/bin/make_smbcodepage"
    "/usr/bin/mksmbpasswd.sh"
    "/usr/bin/nmblookup"
    "/usr/bin/pstree"
    "/usr/bin/rmail"
    "/usr/bin/scp"
    "/usr/bin/sftp"
    "/usr/bin/slocate"
    "/usr/bin/smbadduser"
    "/usr/bin/smbclient"
    "/usr/bin/smbmnt"
    "/usr/bin/smbmount"
    "/usr/bin/smbpasswd"
    "/usr/bin/smbprint"
    "/usr/bin/smbspool"
    "/usr/bin/smbstatus"
    "/usr/bin/smbtar"
    "/usr/bin/smbumount"
    "/usr/bin/ssh"
    "/usr/bin/ssh-add"
    "/usr/bin/ssh-agent"
    "/usr/bin/ssh-keygen"
    "/usr/bin/ssh-keyscan"
    "/usr/bin/testparm"
    "/usr/bin/testprns"
    "/usr/bin/top"
    "/usr/bin/vdir"
    
    -------------------------------------------------------------------------------
    Rule Name: Critical Utility Sym-Links (/sbin/mount.smb)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/sbin/mount.smb"
    
    -------------------------------------------------------------------------------
    Rule Name: Critical Utility Sym-Links (/sbin/mount.smbfs)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/sbin/mount.smbfs"
    
    -------------------------------------------------------------------------------
    Rule Name: Critical configuration files (/var/lib/nfs/rmtab)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/var/lib/nfs/rmtab"
    
    
    -------------------------------------------------------------------------------
    Rule Name: System boot changes (/var/lock/subsys/sendmail)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Removed:
    "/var/lock/subsys/sendmail"
    
    -------------------------------------------------------------------------------
    Rule Name: OS executables and libraries (/lib)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Added:
    "/lib/libproc.a"
    "/lib/libproc.so"
    "/lib/libproc.so.2.0.6"
    
    Modified:
    "/lib"
    
    -------------------------------------------------------------------------------
    Rule Name: Critical configuration files (/etc/rc.d)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/etc/rc.d/rc.local"
    "/etc/rc.d/rc.sysinit"
    "/etc/rc.d/rc0.d"
    "/etc/rc.d/rc0.d/K35smb"
    "/etc/rc.d/rc1.d"
    "/etc/rc.d/rc1.d/K35smb"
    "/etc/rc.d/rc2.d"
    "/etc/rc.d/rc2.d/K35smb"
    "/etc/rc.d/rc3.d"
    "/etc/rc.d/rc3.d/K35smb"
    "/etc/rc.d/rc4.d"
    "/etc/rc.d/rc4.d/K35smb"
    "/etc/rc.d/rc5.d"
    "/etc/rc.d/rc5.d/K35smb"
    "/etc/rc.d/rc6.d"
    "/etc/rc.d/rc6.d/K35smb"
    
    -------------------------------------------------------------------------------
    Rule Name: Critical configuration files (/etc/rc.d/init.d)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/etc/rc.d/init.d"
    "/etc/rc.d/init.d/lpd"
    "/etc/rc.d/init.d/network"
    "/etc/rc.d/init.d/sendmail"
    "/etc/rc.d/init.d/smb"
    "/etc/rc.d/init.d/sshd"
    
    -------------------------------------------------------------------------------
    Rule Name: Critical configuration files (/etc/profile.d)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Removed:
    "/etc/profile.d/gnome-ssh-askpass.csh"
    "/etc/profile.d/gnome-ssh-askpass.sh"
    
    Modified:
    "/etc/profile.d"
    
    -------------------------------------------------------------------------------
    Rule Name: Critical configuration files (/etc/sysconfig)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/etc/sysconfig"
    "/etc/sysconfig/samba"
    "/etc/sysconfig/sendmail"
    
    -------------------------------------------------------------------------------
    Rule Name: Operating System Utilities (/bin/login)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/bin/login"
    
    -------------------------------------------------------------------------------
    Rule Name: Operating System Utilities (/bin/ls)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/bin/ls"
    
    -------------------------------------------------------------------------------
    Rule Name: Operating System Utilities (/bin/netstat)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/bin/netstat"
    
    -------------------------------------------------------------------------------
    Rule Name: Operating System Utilities (/bin/ps)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/bin/ps"
    
    -------------------------------------------------------------------------------
    Rule Name: System boot changes (/dev/log)
    Severity Level: 100
    -------------------------------------------------------------------------------
    
    Modified:
    "/dev/log"
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
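
The report above shows the two signatures a responder looks for first in a Tripwire run: directories literally named "..." (invisible to a casual directory listing) and replaced copies of the very tools used to look at files, processes and connections (ls, ps, netstat, lsof, top, find, pstree). Once those are modified, nothing the host reports about itself can be trusted, which is why log analysis has to be done from clean media. The Python below is an added example, not code from the original post or from Tripwire itself: it parses a report in this plain-text format into records and groups the entries by indicator so the dangerous changes stand out from routine ones such as a library upgrade. The indicator lists and tag names are assumptions of this example; the embedded sample input is an excerpt of the report posted above.

```python
"""Triage a Tripwire text report for rootkit indicators.

Added example (not from the original post or from Tripwire). Parses the
section format shown in the report (Rule Name / Severity Level /
Added|Removed|Modified / quoted paths) and tags notable entries.
"""
import re
from collections import defaultdict

# Assumed indicator lists. Introspection tools: a modified copy means the
# host's own view of files, processes and sockets is no longer trustworthy.
INTROSPECTION_TOOLS = {
    "ls", "dir", "vdir", "ps", "pstree", "top", "netstat", "lsof",
    "find", "slocate", "du",
}
# Authentication-path binaries: a modified copy puts credentials at risk.
AUTH_PATH_BINARIES = {"login", "sshd", "ssh", "scp", "sftp", "in.ftpd"}

RULE_RE = re.compile(r"^Rule Name:\s*(.+?)\s*$")
SEV_RE = re.compile(r"^Severity Level:\s*(\d+)\s*$")
CHANGE_RE = re.compile(r"^(Added|Removed|Modified):\s*$")
PATH_RE = re.compile(r'^"(.*)"\s*$')

# Constructed sample input: an excerpt of the report from the post.
SAMPLE_REPORT = """\
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
----------------------------------------------------------------------------

Added:
"/usr/sbin/..."

Modified:
"/usr/sbin"
"/usr/sbin/lsof"
"/usr/sbin/sshd"

----------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
----------------------------------------------------------------------------

Added:
"/usr/lib/..."
"/usr/lib/.../ls"
"/usr/lib/.../netstat"
"/usr/lib/.../bkit-ssh"

----------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
----------------------------------------------------------------------------

Modified:
"/bin/ps"
"""


def parse_report(text):
    """Return one dict per path: rule, severity, change, path."""
    records = []
    rule, severity, change = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RULE_RE.match(line):
            rule, change = m.group(1), None  # new section: reset change list
        elif m := SEV_RE.match(line):
            severity = int(m.group(1))
        elif m := CHANGE_RE.match(line):
            change = m.group(1)
        elif (m := PATH_RE.match(line)) and change:
            records.append({"rule": rule, "severity": severity,
                            "change": change, "path": m.group(1)})
    return records


def classify(record):
    """Return indicator tags for one record; an empty list means nothing notable."""
    tags = []
    parts = record["path"].split("/")
    name = parts[-1]
    if "..." in parts:
        tags.append("hidden-dotdotdot-dir")  # "..." is skipped by a plain ls
        if record["change"] == "Added" and name in INTROSPECTION_TOOLS:
            tags.append("hidden-copy-of-system-tool")
    if record["change"] == "Modified":
        if name in INTROSPECTION_TOOLS:
            tags.append("trojaned-introspection-tool")
        if name in AUTH_PATH_BINARIES:
            tags.append("authentication-path-binary")
    return tags


def summarize(records):
    """Group paths by indicator tag, each list sorted for stable output."""
    groups = defaultdict(list)
    for rec in records:
        for tag in classify(rec):
            groups[tag].append(rec["path"])
    return {tag: sorted(paths) for tag, paths in groups.items()}


if __name__ == "__main__":
    for tag, paths in sorted(summarize(parse_report(SAMPLE_REPORT)).items()):
        print(f"{tag} ({len(paths)})")
        for path in paths:
            print(f"  {path}")
```

Run it on a full report saved from the Tripwire mail; entries with no tag (library versions, lock files, rc scripts touched by a package update) drop out of the summary, and the remaining groups tell you which binaries must be compared against known-good copies from installation media rather than trusted on the host.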
    



    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 08:24:59 PST