Security Incidents mailing list archives

nasty tripwire report


From: "Chester Jankowski" <chester_jankowski () hotmail com>
Date: Sun, 13 Jan 2002 12:49:09 -0500

It looks like someone wasn't watching their Saturday morning cartoons
yesterday and decided to crack my home Linux box instead. I have included
the juicy bits from the tripwire report below. Now I have several questions
for the security experts here. Is this attack a recognized one? Any
suggestions for log analysis to track down the intruder? Is the only
recovery here a complete re-install? And lastly, is there any place I should
report the incident?

----------------------------------------------------------------------------
---
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
----------------------------------------------------------------------------
---

Added:
"/usr/sbin/..."

Removed:
"/usr/sbin/nscd"

Modified:
"/usr/sbin"
"/usr/sbin/checkpc"
"/usr/sbin/ckconfig"
"/usr/sbin/ftprestart"
"/usr/sbin/ftpshut"
"/usr/sbin/in.ftpd"
"/usr/sbin/lpc"
"/usr/sbin/lpd"
"/usr/sbin/lsof"
"/usr/sbin/mailstats"
"/usr/sbin/makemap"
"/usr/sbin/monitor"
"/usr/sbin/nmbd"
"/usr/sbin/praliases"
"/usr/sbin/privatepw"
"/usr/sbin/samba"
"/usr/sbin/sendmail"
"/usr/sbin/smbd"
"/usr/sbin/smrsh"
"/usr/sbin/sshd"
"/usr/sbin/xferstats"

----------------------------------------------------------------------------
---
Rule Name: Libraries (/usr/lib)
Severity Level: 66
----------------------------------------------------------------------------
---

Added:
"/usr/lib/..."
"/usr/lib/.../ls"
"/usr/lib/.../netstat"
"/usr/lib/.../lsof"
"/usr/lib/.../bkit-ssh"
"/usr/lib/.../bkit-ssh/bkit-shdcfg"
"/usr/lib/.../bkit-ssh/bkit-shhk"
"/usr/lib/.../bkit-ssh/bkit-pw"
"/usr/lib/.../bkit-ssh/bkit-shrs"
"/usr/lib/.../bkit-ssh/bkit-shd.pid"
"/usr/lib/.../uconf.inv"
"/usr/lib/.../psr"
"/usr/lib/.../find"
"/usr/lib/.../pstree"
"/usr/lib/.../slocate"
"/usr/lib/.../du"
"/usr/lib/.../top"
"/usr/lib/libssl.so.0"
"/usr/lib/libssl.so.0.9.5a"
"/usr/lib/libcrypto.so.0"
"/usr/lib/libmilter.a"
"/usr/lib/libsmutil.a"
"/usr/lib/libcrypto.so.0.9.5a"

Modified:
"/usr/lib"
"/usr/lib/sasl"
"/usr/lib/sasl/Sendmail.conf"

----------------------------------------------------------------------------
---
Rule Name: User binaries (/usr/bin)
Severity Level: 66
----------------------------------------------------------------------------
---

Added:
"/usr/bin/ntpsx"
"/usr/bin/fetchmailconf"

Modified:
"/usr/bin"
"/usr/bin/addtosmbpass"
"/usr/bin/convert_smbpasswd"
"/usr/bin/dir"
"/usr/bin/du"
"/usr/bin/fetchmail"
"/usr/bin/find"
"/usr/bin/findsmb"
"/usr/bin/ftpcount"
"/usr/bin/ftpwho"
"/usr/bin/lpq"
"/usr/bin/lpr"
"/usr/bin/lprm"
"/usr/bin/lpstat"
"/usr/bin/make_printerdef"
"/usr/bin/make_smbcodepage"
"/usr/bin/mksmbpasswd.sh"
"/usr/bin/nmblookup"
"/usr/bin/pstree"
"/usr/bin/rmail"
"/usr/bin/scp"
"/usr/bin/sftp"
"/usr/bin/slocate"
"/usr/bin/smbadduser"
"/usr/bin/smbclient"
"/usr/bin/smbmnt"
"/usr/bin/smbmount"
"/usr/bin/smbpasswd"
"/usr/bin/smbprint"
"/usr/bin/smbspool"
"/usr/bin/smbstatus"
"/usr/bin/smbtar"
"/usr/bin/smbumount"
"/usr/bin/ssh"
"/usr/bin/ssh-add"
"/usr/bin/ssh-agent"
"/usr/bin/ssh-keygen"
"/usr/bin/ssh-keyscan"
"/usr/bin/testparm"
"/usr/bin/testprns"
"/usr/bin/top"
"/usr/bin/vdir"

----------------------------------------------------------------------------
---
Rule Name: Critical Utility Sym-Links (/sbin/mount.smb)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/sbin/mount.smb"

----------------------------------------------------------------------------
---
Rule Name: Critical Utility Sym-Links (/sbin/mount.smbfs)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/sbin/mount.smbfs"

----------------------------------------------------------------------------
---
Rule Name: Critical configuration files (/var/lib/nfs/rmtab)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/var/lib/nfs/rmtab"


----------------------------------------------------------------------------
---
Rule Name: System boot changes (/var/lock/subsys/sendmail)
Severity Level: 100
----------------------------------------------------------------------------
---

Removed:
"/var/lock/subsys/sendmail"

----------------------------------------------------------------------------
---
Rule Name: OS executables and libraries (/lib)
Severity Level: 100
----------------------------------------------------------------------------
---

Added:
"/lib/libproc.a"
"/lib/libproc.so"
"/lib/libproc.so.2.0.6"

Modified:
"/lib"

----------------------------------------------------------------------------
---
Rule Name: Critical configuration files (/etc/rc.d)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/etc/rc.d/rc.local"
"/etc/rc.d/rc.sysinit"
"/etc/rc.d/rc0.d"
"/etc/rc.d/rc0.d/K35smb"
"/etc/rc.d/rc1.d"
"/etc/rc.d/rc1.d/K35smb"
"/etc/rc.d/rc2.d"
"/etc/rc.d/rc2.d/K35smb"
"/etc/rc.d/rc3.d"
"/etc/rc.d/rc3.d/K35smb"
"/etc/rc.d/rc4.d"
"/etc/rc.d/rc4.d/K35smb"
"/etc/rc.d/rc5.d"
"/etc/rc.d/rc5.d/K35smb"
"/etc/rc.d/rc6.d"
"/etc/rc.d/rc6.d/K35smb"

----------------------------------------------------------------------------
---
Rule Name: Critical configuration files (/etc/rc.d/init.d)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/etc/rc.d/init.d"
"/etc/rc.d/init.d/lpd"
"/etc/rc.d/init.d/network"
"/etc/rc.d/init.d/sendmail"
"/etc/rc.d/init.d/smb"
"/etc/rc.d/init.d/sshd"

----------------------------------------------------------------------------
---
Rule Name: Critical configuration files (/etc/profile.d)
Severity Level: 100
----------------------------------------------------------------------------
---

Removed:
"/etc/profile.d/gnome-ssh-askpass.csh"
"/etc/profile.d/gnome-ssh-askpass.sh"

Modified:
"/etc/profile.d"

----------------------------------------------------------------------------
---
Rule Name: Critical configuration files (/etc/sysconfig)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/etc/sysconfig"
"/etc/sysconfig/samba"
"/etc/sysconfig/sendmail"

----------------------------------------------------------------------------
---
Rule Name: Operating System Utilities (/bin/login)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/bin/login"

----------------------------------------------------------------------------
---
Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/bin/ls"

----------------------------------------------------------------------------
---
Rule Name: Operating System Utilities (/bin/netstat)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/bin/netstat"

----------------------------------------------------------------------------
---
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/bin/ps"

----------------------------------------------------------------------------
---
Rule Name: System boot changes (/dev/log)
Severity Level: 100
----------------------------------------------------------------------------
---

Modified:
"/dev/log"



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
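The post asks whether this is a recognized attack and how to go about the analysis. As an added example (not part of the original post and not a Tripwire feature), the Python script below parses a report in the layout shown above into rule / severity / action / path records and flags the things a responder looks for in it: directory names made only of dots such as "..." (which a trojaned ls will not list), modifications to the binaries user-land rootkits replace to hide files, processes and sockets, clean copies of those same binaries added under a hidden directory, and a .pid file under a hidden directory (a daemon started from there). The report text embedded in the script is a constructed excerpt that reuses a handful of paths from the post; the indicator list, the names of the finding categories and the verdict rule are this example's own assumptions.

```python
"""Triage a Tripwire text report for classic user-land rootkit indicators.

Added example; the report excerpt below is constructed (a few paths copied
from the mailed report) and the indicator lists are assumptions, not
Tripwire's own classification.
"""
import re
import sys
from collections import defaultdict

# Constructed excerpt in Tripwire's report layout. The parser skips every
# line starting with "---", so the wrapped "----\n---" separators that a
# mailer produces are tolerated as well.
SAMPLE_REPORT = """\
----------------------------------------------------------------------------
---
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
----------------------------------------------------------------------------
---

Added:
"/usr/sbin/..."

Removed:
"/usr/sbin/nscd"

Modified:
"/usr/sbin"
"/usr/sbin/lsof"
"/usr/sbin/sshd"

----------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
----------------------------------------------------------------------------

Added:
"/usr/lib/..."
"/usr/lib/.../ls"
"/usr/lib/.../netstat"
"/usr/lib/.../bkit-ssh/bkit-shd.pid"

----------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
----------------------------------------------------------------------------

Modified:
"/bin/ps"
"""

# Binaries that user-land rootkits commonly replace (assumed list).
TROJAN_TARGETS = {
    "ls", "dir", "vdir", "find", "du", "slocate",   # hide files
    "ps", "pstree", "top", "lsof",                  # hide processes
    "netstat",                                      # hide sockets
    "login", "sshd", "ssh", "scp",                  # capture credentials / backdoor
}

RULE_RE = re.compile(r"^Rule Name:\s*(.+)$")
SEV_RE = re.compile(r"^Severity Level:\s*(\d+)$")
PATH_RE = re.compile(r'^"(.+)"$')


def parse_report(text):
    """Return a list of {rule, severity, action, path} dicts from report text."""
    entries = []
    rule = severity = action = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = RULE_RE.match(line)
        if m:
            rule, severity, action = m.group(1), None, None
            continue
        m = SEV_RE.match(line)
        if m:
            severity = int(m.group(1))
            continue
        if line in ("Added:", "Removed:", "Modified:"):
            action = line[:-1]
            continue
        m = PATH_RE.match(line)
        if m and rule and action:
            entries.append({"rule": rule, "severity": severity,
                            "action": action, "path": m.group(1)})
    return entries


def hidden_dir_components(path):
    """True if any path component is three or more dots ('.' and '..' are legitimate)."""
    return any(re.fullmatch(r"\.{3,}", part) is not None for part in path.split("/"))


def triage(entries):
    """Group entries into finding categories (category names are this example's)."""
    findings = defaultdict(list)
    for e in entries:
        path, base = e["path"], e["path"].rsplit("/", 1)[-1]
        hidden = hidden_dir_components(path)
        if hidden:
            findings["hidden_dir"].append(path)
        if e["action"] == "Modified" and base in TROJAN_TARGETS:
            findings["trojaned_binary"].append(path)
        if e["action"] == "Added" and hidden and base in TROJAN_TARGETS:
            findings["stashed_original"].append(path)   # clean copies parked for the kit's own use
        if e["action"] == "Added" and hidden and base.endswith(".pid"):
            findings["hidden_daemon_pid"].append(path)  # a daemon runs out of the hidden dir
    return dict(findings)


def likely_rootkit(findings):
    """Assumed verdict rule: a hidden directory plus at least two replaced hiding tools."""
    return bool(findings.get("hidden_dir")) and len(findings.get("trojaned_binary", [])) >= 2


if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_REPORT
    result = triage(parse_report(text))
    for category, paths in sorted(result.items()):
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
    print("verdict: rootkit indicators present" if likely_rootkit(result) else "verdict: inconclusive")
```

Run it as is to see the excerpt triaged, or feed a saved report with `python3 triage.py - < report.txt`. Two caveats the script cannot remove: the report was generated on the suspect host, so it is only as trustworthy as the tripwire binary and database that produced it (which is why both belong on read-only media), and a binary that Tripwire reports as unchanged only matched its baseline hash, so a kernel-level kit that hides files from every user-space program would not show up this way at all. Once /bin/login, sshd, ps, ls and netstat have all been replaced, nothing the machine reports about itself can be taken at face value, which is the usual reason a rebuild from known-good media is recommended over cleaning in place.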

