* [mdk-re] Have I been hacked?
From: Egorov Alexey @ 2002-03-24 22:37 UTC
To: mandrake-russian
Folks, please advise. I received this log:
Security Warning: the sha1 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a
backdoor...
- Checksum changed files : /usr/sbin/usernetctl -- WHAT DOES THIS MEAN?
Security Warning: There is modifications for port listening on your machine :
- Opened ports : tcp 0 0 *:www *:* LISTEN 9935/httpd
- Opened ports : tcp 0 0 *:squid *:* LISTEN 1298/(squid)
- Opened ports : tcp 0 0 *:smtp *:* LISTEN 1267/master
- Opened ports : tcp 0 0 *:telnet *:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 *:pop3 *:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 *:pop3s *:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 *:nntp *:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 *:ftp *:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 linux:domain *:* LISTEN 904/named
- Opened ports : tcp 0 0 localhost:domain *:* LISTEN 904/named
- Opened ports : udp 0 0 *:1027 *:* 1298/(squid)
- Opened ports : udp 0 0 *:3401 *:* 1298/(squid)
- Opened ports : udp 0 0 *:icp *:* 1298/(squid)
- Opened ports : udp 0 0 *:1024 *:* 904/named
- Opened ports : udp 0 0 linux:domain *:* 904/named
- Opened ports : udp 0 0 localhost:domain *:* 904/named
- Closed ports : tcp 0 0 *:www *:* LISTEN 10245/httpd
- Closed ports : tcp 0 0 *:squid *:* LISTEN 1165/(squid)
- Closed ports : tcp 0 0 *:smtp *:* LISTEN 1134/master
- Closed ports : tcp 0 0 *:telnet *:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 *:pop3 *:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 *:pop3s *:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 *:nntp *:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 *:ftp *:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 linux:domain *:* LISTEN 781/named
- Closed ports : tcp 0 0 localhost:domain *:* LISTEN 781/named
- Closed ports : udp 0 0 *:1027 *:* 1165/(squid)
- Closed ports : udp 0 0 *:3401 *:* 1165/(squid)
- Closed ports : udp 0 0 *:icp *:* 1165/(squid)
- Closed ports : udp 0 0 *:1024 *:* 781/named
- Closed ports : udp 0 0 linux:domain *:* 781/named
- Closed ports : udp 0 0 localhost:domain *:* 781/named
In syslog I dug up the following:
Mar 24 04:02:02 host syslogd 1.4-0: restart.
Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.183.72].53 'nameserver.concentric.net'
Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.184.72].53 'nameserver2.concentric.net'
Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.183.73].53 'nameserver1.concentric.net'
Mar 24 04:08:13 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [206.173.119.72].53 'nameserver3.concentric.net'
Mar 24 04:08:21 host syslogd 1.4-0: restart.
Mar 24 04:08:21 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:43 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:09 host syslogd 1.4-0: restart.
Mar 24 04:09:09 host syslogd 1.4-0: restart.
Mar 24 04:15:28 host syslogd 1.4-0: restart.
Mar 24 04:21:40 host syslogd 1.4-0: restart.
Mar 24 04:21:41 host syslogd 1.4-0: restart.
Mar 24 04:21:41 host syslogd 1.4-0: restart.
Mar 24 04:21:55 host syslogd 1.4-0: restart.
Mar 24 04:22:02 host anacron[30037]: Updated timestamp for job `cron.weekly' to `2002-03-24 04:22:02'
Mar 24 04:24:25 host named[904]: Lame server on '88.63.3.210.in-addr.arpa' (in '3.210.in-addr.arpa'?): [210.59.229.2].53 'dns.golden.net.tw'
Mar 24 04:24:25 host named[904]: Lame server on '88.63.3.210.in-addr.arpa' (in '3.210.in-addr.arpa'?): [210.59.228.11].53 'dns2.golden.net.tw'
Mar 24 04:27:11 host su(pam_unix)[939]: session opened for user news by (uid=0)
Mar 24 04:27:12 host texpire[941]: can't stat /var/spool/news/leaf.node/groupinfo: No such file or directory
Mar 24 04:27:12 host su(pam_unix)[939]: session closed for user news
The most interesting part: news was never used on this server, and nobody was working on it on Saturday!!
Server: ALTLinux Spring2001 + Updates
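As an added example (not code from the post, from msec or from ALT Linux), here is a small Python triage script for the port-listening part of a report like the one above. It parses the "Opened ports" / "Closed ports" lines in the format shown (each netstat record assumed to be rejoined onto one line) and keys every entry on protocol, local socket and program name, so that entries differing only by PID are reported as service restarts while a listener with no counterpart on the other side is flagged for a closer look. The sample input is constructed from the report's own lines plus one constructed extra listener (port 8080, program name `python`, PID 4242) that has no "Closed" twin.

```python
import re

# Constructed sample input: "Opened"/"Closed" lines taken from the msec report
# above (each netstat record rejoined onto one line), plus one constructed
# listener on *:8080 with no "Closed" counterpart.
SAMPLE_REPORT = """\
- Opened ports : tcp 0 0 *:www *:* LISTEN 9935/httpd
- Opened ports : tcp 0 0 *:squid *:* LISTEN 1298/(squid)
- Opened ports : tcp 0 0 *:smtp *:* LISTEN 1267/master
- Opened ports : tcp 0 0 *:telnet *:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 *:8080 *:* LISTEN 4242/python
- Opened ports : udp 0 0 *:1027 *:* 1298/(squid)
- Opened ports : udp 0 0 *:1024 *:* 904/named
- Closed ports : tcp 0 0 *:www *:* LISTEN 10245/httpd
- Closed ports : tcp 0 0 *:squid *:* LISTEN 1165/(squid)
- Closed ports : tcp 0 0 *:smtp *:* LISTEN 1134/master
- Closed ports : tcp 0 0 *:telnet *:* LISTEN 798/xinetd
- Closed ports : udp 0 0 *:1027 *:* 1165/(squid)
- Closed ports : udp 0 0 *:1024 *:* 781/named
"""

# One report line, as shown in the post:
#   "- Opened ports : <proto> <recv-q> <send-q> <local> <remote> [LISTEN] <pid>/<program>"
# UDP sockets carry no LISTEN token, hence the optional group.
LINE_RE = re.compile(
    r"^- (?P<kind>Opened|Closed) ports : (?P<proto>tcp|udp) \d+ \d+ "
    r"(?P<local>\S+) (?P<remote>\S+) (?:LISTEN )?(?P<pid>\d+|-)/(?P<prog>\S+)$"
)


def parse_report(text):
    """Return (opened, closed): dicts keyed by (proto, local, program) -> pid."""
    opened, closed = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a port line (e.g. the checksum warning); skip it
        key = (m["proto"], m["local"], m["prog"])
        target = opened if m["kind"] == "Opened" else closed
        target[key] = m["pid"]
    return opened, closed


def triage(text):
    """Split msec's port diff into three buckets:
    restarted: same socket and program on both sides, only the PID changed
    new:       opened with no matching closed entry (worth investigating)
    gone:      closed with no matching opened entry (a service stopped)
    """
    opened, closed = parse_report(text)
    both = opened.keys() & closed.keys()
    restarted = sorted((key, closed[key], opened[key]) for key in both)
    new = sorted(opened.keys() - closed.keys())
    gone = sorted(closed.keys() - opened.keys())
    return {"restarted": restarted, "new": new, "gone": gone}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for (proto, local, prog), old_pid, new_pid in result["restarted"]:
        print(f"restart only: {proto} {local} {prog} pid {old_pid} -> {new_pid}")
    for proto, local, prog in result["new"]:
        print(f"NEW listener, no previous entry: {proto} {local} {prog}")
    for proto, local, prog in result["gone"]:
        print(f"listener gone: {proto} {local} {prog}")
```

Run against the report in the post, every opened entry has a closed twin with the same socket and program name and only a different PID, which is the signature of a reboot or a restart of all services rather than of a new listener; the checksum change on /usr/sbin/usernetctl is a separate question that this script does not answer.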
* [mdk-re] Re: Have I been hacked?
From: Mikhail Zabaluev @ 2002-03-25 1:25 UTC
To: mandrake-russian
Hello Egorov,
On Sun, Mar 24, 2002 at 10:39:51PM +0300, Egorov Alexey wrote:
>
> Folks, please advise. I received this log:
>
> Security Warning: the sha1 checksum for one of your SUID files has changed,
> maybe an intruder modified one of these suid binary in order to put in a
> backdoor...
> - Checksum changed files : /usr/sbin/usernetctl -- WHAT DOES THIS MEAN?
Possibly it is all explained by your having updated the initscripts package.
If not, keep worrying and looking for the cause...
What does "rpm -y initscripts" print?
> In syslog I dug up the following:
> Mar 24 04:02:02 host syslogd 1.4-0: restart.
> Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.183.72].53 'nameserver.concentric.net'
Ugh, that concentric again...
--
Stay tuned,
MhZ JID: mookid@jabber.org
___________
I just thought of something funny...your mother.
- Cheech Marin
Thread overview: 6+ messages
2002-03-24 22:37 [mdk-re] Have I been hacked? Egorov Alexey
2002-03-25 1:25 ` [mdk-re] " Mikhail Zabaluev
2002-03-25 11:31 ` Mikhail Zabaluev
2002-03-25 12:37 ` Egorov Alexey
2002-03-25 13:08 ` Igor Homyakov
2002-03-26 1:06 ` [mdk-re] Re: Have I been hacked? Oleg N. Kayunov