From: Egorov Alexey <egorov@strat.chtts.ru>
To: mandrake-russian@altlinux.ru
Subject: [mdk-re] Have I been hacked?
Date: Sun Mar 24 22:37:00 2002
Message-ID: <3C9E2B87.7000204@strat.chtts.ru>

Folks, please advise. I received this log:

Security Warning: the sha1 checksum for one of your SUID files has changed, maybe an intruder modified one of these suid binary in order to put in a backdoor...
 - Checksum changed files :
 /usr/sbin/usernetctl -- WHAT DOES THIS MEAN?

Security Warning: There is modifications for port listening on your machine :
 - Opened ports : tcp 0 0 *:www *:* LISTEN 9935/httpd
 - Opened ports : tcp 0 0 *:squid *:* LISTEN 1298/(squid)
 - Opened ports : tcp 0 0 *:smtp *:* LISTEN 1267/master
 - Opened ports : tcp 0 0 *:telnet *:* LISTEN 921/xinetd
 - Opened ports : tcp 0 0 *:pop3 *:* LISTEN 921/xinetd
 - Opened ports : tcp 0 0 *:pop3s *:* LISTEN 921/xinetd
 - Opened ports : tcp 0 0 *:nntp *:* LISTEN 921/xinetd
 - Opened ports : tcp 0 0 *:ftp *:* LISTEN 921/xinetd
 - Opened ports : tcp 0 0 linux:domain *:* LISTEN 904/named
 - Opened ports : tcp 0 0 localhost:domain *:* LISTEN 904/named
 - Opened ports : udp 0 0 *:1027 *:* 1298/(squid)
 - Opened ports : udp 0 0 *:3401 *:* 1298/(squid)
 - Opened ports : udp 0 0 *:icp *:* 1298/(squid)
 - Opened ports : udp 0 0 *:1024 *:* 904/named
 - Opened ports : udp 0 0 linux:domain *:* 904/named
 - Opened ports : udp 0 0 localhost:domain *:* 904/named
 - Closed ports : tcp 0 0 *:www *:* LISTEN 10245/httpd
 - Closed ports : tcp 0 0 *:squid *:* LISTEN 1165/(squid)
 - Closed ports : tcp 0 0 *:smtp *:* LISTEN 1134/master
 - Closed ports : tcp 0 0 *:telnet *:* LISTEN 798/xinetd
 - Closed ports : tcp 0 0 *:pop3 *:* LISTEN 798/xinetd
 - Closed ports : tcp 0 0 *:pop3s *:* LISTEN 798/xinetd
 - Closed ports : tcp 0 0 *:nntp *:* LISTEN 798/xinetd
 - Closed ports : tcp 0 0 *:ftp *:* LISTEN 798/xinetd
 - Closed ports : tcp 0 0 linux:domain *:* LISTEN 781/named
 - Closed ports : tcp 0 0 localhost:domain *:* LISTEN 781/named
 - Closed ports : udp 0 0 *:1027 *:* 1165/(squid)
 - Closed ports : udp 0 0 *:3401 *:* 1165/(squid)
 - Closed ports : udp 0 0 *:icp *:* 1165/(squid)
 - Closed ports : udp 0 0 *:1024 *:* 781/named
 - Closed ports : udp 0 0 linux:domain *:* 781/named
 - Closed ports : udp 0 0 localhost:domain *:* 781/named

In syslog I dug up the following:

Mar 24 04:02:02 host syslogd 1.4-0: restart.
Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.183.72].53 'nameserver.concentric.net'
Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.184.72].53 'nameserver2.concentric.net'
Mar 24 04:08:12 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [207.155.183.73].53 'nameserver1.concentric.net'
Mar 24 04:08:13 host named[904]: Lame server on '214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?): [206.173.119.72].53 'nameserver3.concentric.net'
Mar 24 04:08:21 host syslogd 1.4-0: restart.
Mar 24 04:08:21 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:43 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:09 host syslogd 1.4-0: restart.
Mar 24 04:09:09 host syslogd 1.4-0: restart.
Mar 24 04:15:28 host syslogd 1.4-0: restart.
Mar 24 04:21:40 host syslogd 1.4-0: restart.
Mar 24 04:21:41 host syslogd 1.4-0: restart.
Mar 24 04:21:41 host syslogd 1.4-0: restart.
Mar 24 04:21:55 host syslogd 1.4-0: restart.
Mar 24 04:22:02 host anacron[30037]: Updated timestamp for job `cron.weekly' to `2002-03-24 04:22:02'
Mar 24 04:24:25 host named[904]: Lame server on '88.63.3.210.in-addr.arpa' (in '3.210.in-addr.arpa'?): [210.59.229.2].53 'dns.golden.net.tw'
Mar 24 04:24:25 host named[904]: Lame server on '88.63.3.210.in-addr.arpa' (in '3.210.in-addr.arpa'?): [210.59.228.11].53 'dns2.golden.net.tw'
Mar 24 04:27:11 host su(pam_unix)[939]: session opened for user news by (uid=0)
Mar 24 04:27:12 host texpire[941]: can't stat /var/spool/news/leaf.node/groupinfo: No such file or directory
Mar 24 04:27:12 host su(pam_unix)[939]: session closed for user news

The most interesting part: news was never used on this box, and nobody was working on this server on Saturday!!

Server: ALTLinux Spring2001 + Updates
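The "Opened ports"/"Closed ports" block above is a line-by-line diff of two netstat snapshots, so a daemon that simply restarted appears under both headings with a different PID, while a genuinely new listener appears under "Opened" only. The script below is an added example (not code from the post, from msec or from ALT Linux) that parses a report in that format and separates PID churn from real changes. It assumes the field layout visible in the post (proto, recv-q, send-q, local address, foreign address, optional LISTEN, pid/program); the sample report is constructed from four pairs of lines in the post plus one invented "Opened"-only entry (*:8080 / proxy) so the new-listener branch is exercised.

```python
"""Triage an msec-style "port listening" warning.

Added example; not code from the original post, from msec or from ALT Linux.
Assumed report format (as seen in the post): "Opened ports" lines are sockets
present in the current netstat snapshot, "Closed ports" lines those present
only in the previous one, each as
    <proto> <recv-q> <send-q> <local addr> <foreign addr> [LISTEN] <pid>/<program>
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local program")

LINE_RE = re.compile(
    r"-\s*(?P<kind>Opened|Closed) ports\s*:\s*"
    r"(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+LISTEN)?\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

# Constructed sample: four pairs taken from the post plus one invented
# "Opened"-only entry (*:8080 / proxy) to exercise the "new listener" branch.
REPORT = """\
Security Warning: There is modifications for port listening on your machine :
 - Opened ports : tcp 0 0 *:www *:* LISTEN 9935/httpd
 - Opened ports : tcp 0 0 *:telnet *:* LISTEN 921/xinetd
 - Opened ports : tcp 0 0 linux:domain *:* LISTEN 904/named
 - Opened ports : udp 0 0 *:icp *:* 1298/(squid)
 - Opened ports : tcp 0 0 *:8080 *:* LISTEN 5555/proxy
 - Closed ports : tcp 0 0 *:www *:* LISTEN 10245/httpd
 - Closed ports : tcp 0 0 *:telnet *:* LISTEN 798/xinetd
 - Closed ports : tcp 0 0 linux:domain *:* LISTEN 781/named
 - Closed ports : udp 0 0 *:icp *:* 1165/(squid)
"""


def parse_report(text):
    """Return (opened, closed): dicts mapping Socket -> PID."""
    opened, closed = {}, {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # headings and unrelated lines
        sock = Socket(m["proto"], m["local"], m["prog"])
        target = opened if m["kind"] == "Opened" else closed
        target[sock] = int(m["pid"])
    return opened, closed


def triage(opened, closed):
    """Split the diff into what needs attention and what is just churn.

    new:       listening now but absent from the previous snapshot (investigate)
    gone:      listened before but not now
    restarted: same proto/address/program on both sides, only the PID changed
    """
    new = {s: pid for s, pid in opened.items() if s not in closed}
    gone = {s: pid for s, pid in closed.items() if s not in opened}
    restarted = {s: (closed[s], opened[s])
                 for s in opened if s in closed and closed[s] != opened[s]}
    return new, gone, restarted


def triage_report(text):
    """Parse then triage a whole report text."""
    return triage(*parse_report(text))


def summarize(text):
    """Human-readable verdict, one line per socket, new listeners last."""
    new, gone, restarted = triage_report(text)
    lines = []
    for s, (old, cur) in sorted(restarted.items()):
        lines.append(f"restarted : {s.proto} {s.local} {s.program} pid {old} -> {cur}")
    for s, pid in sorted(gone.items()):
        lines.append(f"gone      : {s.proto} {s.local} {s.program} pid {pid}")
    for s, pid in sorted(new.items()):
        lines.append(f"NEW       : {s.proto} {s.local} {s.program} pid {pid}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(REPORT))
```

Run against the full report in the post, every "Opened" line has a matching "Closed" line with a different PID and nothing lands in the NEW bucket, which is the pattern a daemon restart produces rather than a new service. The checksum warning on /usr/sbin/usernetctl needs a different check: compare the file with what the package manager installed (on an RPM-based system, `rpm -Vf /usr/sbin/usernetctl`) and look for an update applied in the same window, bearing in mind that both the binary and the RPM database live on the host in question, so a baseline taken earlier or kept on read-only media is stronger evidence than either.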