From: Egorov Alexey <egorov@strat.chtts.ru>
To: mandrake-russian@altlinux.ru
Subject: [mdk-re] Меня взломали ?
Date: Sun Mar 24 22:37:00 2002
Message-ID: <3C9E2B87.7000204@strat.chtts.ru> (raw)
Народ, проконсултируйте плиз. Мне пришел лог:
Security Warning: the sha1 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a
backdoor...
- Checksum changed files : /usr/sbin/usernetctl -- ЧТО ЭТО ЗНАЧИТ ?
Security Warning: There is modifications for port listening on your
machine :
- Opened ports : tcp 0 0 *:www
*:* LISTEN 9935/httpd
- Opened ports : tcp 0 0 *:squid
*:* LISTEN 1298/(squid)
- Opened ports : tcp 0 0 *:smtp
*:* LISTEN 1267/master
- Opened ports : tcp 0 0 *:telnet
*:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 *:pop3
*:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 *:pop3s
*:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 *:nntp
*:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 *:ftp
*:* LISTEN 921/xinetd
- Opened ports : tcp 0 0 linux:domain
*:* LISTEN 904/named
- Opened ports : tcp 0 0 localhost:domain
*:* LISTEN 904/named
- Opened ports : udp 0 0 *:1027
*:* 1298/(squid)
- Opened ports : udp 0 0 *:3401
*:* 1298/(squid)
- Opened ports : udp 0 0 *:icp
*:* 1298/(squid)
- Opened ports : udp 0 0 *:1024
*:* 904/named
- Opened ports : udp 0 0 linux:domain
*:* 904/named
- Opened ports : udp 0 0 localhost:domain
*:* 904/named
- Closed ports : tcp 0 0 *:www
*:* LISTEN 10245/httpd
- Closed ports : tcp 0 0 *:squid
*:* LISTEN 1165/(squid)
- Closed ports : tcp 0 0 *:smtp
*:* LISTEN 1134/master
- Closed ports : tcp 0 0 *:telnet
*:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 *:pop3
*:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 *:pop3s
*:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 *:nntp
*:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 *:ftp
*:* LISTEN 798/xinetd
- Closed ports : tcp 0 0 linux:domain
*:* LISTEN 781/named
- Closed ports : tcp 0 0 localhost:domain
*:* LISTEN 781/named
- Closed ports : udp 0 0 *:1027
*:* 1165/(squid)
- Closed ports : udp 0 0 *:3401
*:* 1165/(squid)
- Closed ports : udp 0 0 *:icp
*:* 1165/(squid)
- Closed ports : udp 0 0 *:1024
*:* 781/named
- Closed ports : udp 0 0 linux:domain
*:* 781/named
- Closed ports : udp 0 0 localhost:domain
*:* 781/named
В syslog накопал следующее
Mar 24 04:02:02 host syslogd 1.4-0: restart.
Mar 24 04:08:12 host named[904]: Lame server on
'214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?):
[207.155.183.72].53 'nameserver.concentric.net'
Mar 24 04:08:12 host named[904]: Lame server on
'214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?):
[207.155.184.72].53 'nameserver2.concentric.net'
Mar 24 04:08:12 host named[904]: Lame server on
'214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?):
[207.155.183.73].53 'nameserver1.concentric.net'
Mar 24 04:08:13 host named[904]: Lame server on
'214.162.220.209.in-addr.arpa' (in '162.220.209.in-addr.arpa'?):
[206.173.119.72].53 'nameserver3.concentric.net'
Mar 24 04:08:21 host syslogd 1.4-0: restart.
Mar 24 04:08:21 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:22 host syslogd 1.4-0: restart.
Mar 24 04:08:43 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:07 host syslogd 1.4-0: restart.
Mar 24 04:09:09 host syslogd 1.4-0: restart.
Mar 24 04:09:09 host syslogd 1.4-0: restart.
Mar 24 04:15:28 host syslogd 1.4-0: restart.
Mar 24 04:21:40 host syslogd 1.4-0: restart.
Mar 24 04:21:41 host syslogd 1.4-0: restart.
Mar 24 04:21:41 host syslogd 1.4-0: restart.
Mar 24 04:21:55 host syslogd 1.4-0: restart.
Mar 24 04:22:02 host anacron[30037]: Updated timestamp for job
`cron.weekly' to `2002-03-24 04:22:02'
Mar 24 04:24:25 host named[904]: Lame server on
'88.63.3.210.in-addr.arpa' (in '3.210.in-addr.arpa'?): [210.59.229.2].53
'dns.golden.net.tw'
Mar 24 04:24:25 host named[904]: Lame server on
'88.63.3.210.in-addr.arpa' (in '3.210.in-addr.arpa'?):
[210.59.228.11].53 'dns2.golden.net.tw'
Mar 24 04:27:11 host su(pam_unix)[939]: session opened for user news by
(uid=0)
Mar 24 04:27:12 host texpire[941]: can't stat
/var/spool/news/leaf.node/groupinfo: No such file or directory
Mar 24 04:27:12 host su(pam_unix)[939]: session closed for user news
Самое интересное, new на серваке никогда не использовался и в субботу на
этом сервере ни кто не работал !!
Серер ALTLinux Spring2001 + Updates
next reply other threads:[~2002-03-24 22:37 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-03-24 22:37 Egorov Alexey [this message]
2002-03-25 1:25 ` [mdk-re] " Mikhail Zabaluev
2002-03-25 11:31 ` Mikhail Zabaluev
2002-03-25 12:37 ` Egorov Alexey
2002-03-25 13:08 ` Igor Homyakov
2002-03-26 1:06 ` [mdk-re] Re: Меня взломал и ? Oleg N. Kayunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3C9E2B87.7000204@strat.chtts.ru \
--to=egorov@strat.chtts.ru \
--cc=mandrake-russian@altlinux.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Community general discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/community/0 community/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 community community/ http://lore.altlinux.org/community \
mandrake-russian@linuxteam.iplabs.ru community@lists.altlinux.org community@lists.altlinux.ru community@lists.altlinux.com
public-inbox-index community
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.community
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git