alt.os.linux, July 2002: Possible intrusion?
Xosé, 2002-07-25, 1:25 pm
Today I found this in /var/log/security.log:
Security Warning: the md5 checksum for one of your SUID files has changed, maybe an intruder modified one of these suid binary in order to put in a backdoor...
- Checksum changed files : /usr/X11R6/bin/Xwrapper
Looking through the file I found the same message again logged a week ago.
It's my home computer and it's connected to the Net only a few hours a day.
I have apache running but I haven't set up any firewalls.
Comments?
Xosé

Anthony M. Saffer, 2002-07-25, 1:25 pm
> Comments?
Have you performed a thorough system audit?
If not, I would suggest you do.
I would also suggest you get a firewall right away.

In article <IwX%8.311656$uo6.2928645@telenews.teleline.es>, Xosé wrote:
> Today I found this in /var/log/security.log:
>
> Security Warning: the md5 checksum for one of your SUID files has changed, maybe an intruder modified one of these suid binary in order to put in a backdoor...
> - Checksum changed files : /usr/X11R6/bin/Xwrapper
>
>
> Looking through the file I found the same message again logged a week ago.
> It's my home computer and it's connected to the Net only a few hours a day.
> I have apache running but I haven't set up any firewalls.
>
> Comments?
Exactly a week? Are you running Mandrake 8.? with the msec package
installed?
rpm -qa | grep msec
will tell you the answer if you're running that distro.

Michael Lee Yohe, 2002-07-25, 3:25 pm
> - Checksum changed files : /usr/X11R6/bin/Xwrapper
I'm assuming your watchdog program simply calculates the MD5 checksum
value for SUID root executables. When one of these files changes, it
flags it and lets you know.
So, this file can change if:
1) An application overwrites the file with a newer version but fails to
let the watchdog know of this change. (likely)
2) Someone replaces their own program over your installed program.
(somewhat likely)
3) A virus has modified the file to include its own execution stuff in
your installed program. (unlikely)
So...
Have you recently made changes to your XFree86 installation (updates,
etc.)? Are you using a package management system (i.e. RPM, apt, etc.)?
--
Michael Lee Yohe (aksansai+USENET@bellsouth.net)
QUIPd 1.03: (96 of 817)
-> Go to Heaven for the climate, Hell for the company.
-> - Mark Twain (1835-1910)
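A minimal version of the watchdog Michael describes, as an added example that is not part of the thread and not the code of msec or any Mandrake package: it walks the filesystem for setuid/setgid regular files, records a content digest plus mode, owner and mtime for each, and on later runs classifies what changed. The baseline location (BASELINE_PATH), the directories scanned by default (DEFAULT_ROOTS) and the report wording are assumptions of this example. The digest defaults to SHA-256, but MD5 can be selected to match the thread's tool.

```python
"""Integrity watchdog for setuid/setgid binaries (added example, not msec's own code)."""
import hashlib
import json
import os
import stat
import sys

# Assumption: where this example keeps its baseline; msec stores its own state elsewhere.
BASELINE_PATH = "/var/lib/suid-watch/baseline.json"
# Assumption: directories worth scanning on a typical 2002-era Linux install.
DEFAULT_ROOTS = ("/bin", "/sbin", "/usr", "/opt")


def find_suid_files(roots):
    """Yield regular files with the setuid or setgid bit set under the given roots.

    lstat() is used so symlinks are never followed: a planted link cannot redirect
    the scan, and a link itself is never reported as a SUID binary.
    """
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable entry; skip rather than abort
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    yield path


def file_digest(path, algo="sha256"):
    """Hash the file contents in 64 KiB chunks so large binaries need little memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths, algo="sha256"):
    """Record digest, permission bits, owner, size and mtime for each path."""
    snap = {}
    for path in paths:
        st = os.lstat(path)
        snap[path] = {
            "digest": file_digest(path, algo),
            "mode": format(st.st_mode & 0o7777, "04o"),
            "uid": st.st_uid,
            "size": st.st_size,
            "mtime": int(st.st_mtime),
        }
    return snap


def compare(baseline, current):
    """Classify differences between two snapshots.

    'changed' means the content digest differs; 'attrs' means the content is the
    same but mode or owner changed; 'added' is a SUID file not in the baseline;
    'removed' covers files that disappeared or lost their setuid/setgid bit.
    """
    changed, attrs = [], []
    for path in sorted(set(baseline) & set(current)):
        if baseline[path]["digest"] != current[path]["digest"]:
            changed.append(path)
        elif (baseline[path]["mode"], baseline[path]["uid"]) != (
            current[path]["mode"], current[path]["uid"]):
            attrs.append(path)
    return {
        "changed": changed,
        "attrs": attrs,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def format_report(diff, current):
    """Render the differences as log lines; size and mtime help correlate with package upgrades."""
    lines = []
    for path in diff["changed"]:
        lines.append(f"Security Warning: checksum changed for SUID file {path} "
                     f"(size {current[path]['size']}, mtime {current[path]['mtime']})")
    for path in diff["attrs"]:
        lines.append(f"Security Warning: mode/owner changed for SUID file {path} "
                     f"(now mode {current[path]['mode']}, uid {current[path]['uid']})")
    for path in diff["added"]:
        lines.append(f"Security Warning: new SUID file {path}")
    for path in diff["removed"]:
        lines.append(f"Notice: SUID file gone or no longer setuid: {path}")
    return lines


def main(argv):
    """First run writes the baseline; later runs report differences and exit 1 if any."""
    roots = argv[1:] or DEFAULT_ROOTS
    current = snapshot(find_suid_files(roots))
    if not os.path.exists(BASELINE_PATH):
        os.makedirs(os.path.dirname(BASELINE_PATH), exist_ok=True)
        with open(BASELINE_PATH, "w") as f:
            json.dump(current, f, indent=1)
        print(f"baseline written with {len(current)} SUID/SGID files")
        return 0
    with open(BASELINE_PATH) as f:
        baseline = json.load(f)
    # The baseline is only refreshed by deleting it, so an accepted upgrade is a deliberate act.
    report = format_report(compare(baseline, current), current)
    print("\n".join(report) if report else "no changes")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once as root to write the baseline and again from cron to report. When a path is flagged on an RPM-based system, `rpm -Vf /usr/X11R6/bin/Xwrapper` compares the installed file's size, digest and mode against the package database, which separates Michael's case (1), a package upgrade that replaced the file, from a modification the package manager knows nothing about; the mtime in the report can then be matched against the install dates in `rpm -qa --last`.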

Xosé, 2002-07-25, 4:25 pm
Anthony M. Saffer wrote:
>> Comments?
>
> Have you performed a thorough system audit?
Yes, I've used chkrootkit. It hasn't found anything.
Xosé

Xosé, 2002-07-25, 4:25 pm
3) is unlikely, 2) is impossible (I'm the only person who uses this
computer). 1) is highly possible. I use RPM and have upgraded to KDE 3 and
done other installations recently (I haven't kept a log of when, so I can't
tell), but if this is the reason for the checksum changes, that'll relieve
my anxiety.
Thanks, Michael.
Michael Lee Yohe wrote:
>> - Checksum changed files : /usr/X11R6/bin/Xwrapper
>
> I'm assuming your watchdog program simply calculates the MD5 checksum
> value for SUID root executables. When one of these files changes, it
> flags it and lets you know.
>
> So, this file can change if:
>
> 1) An application overwrites the file with a newer version but fails to
> let the watchdog know of this change. (likely)
> 2) Someone replaces their own program over your installed program.
> (somewhat likely)
> 3) A virus has modified the file to include its own execution stuff in
> your installed program. (unlikely)
>
> So...
>
> Have you recently made changes to your XFree86 installation (updates,
> etc.)? Are you using a package management system (i.e. RPM, apt, etc.)?
>
Xosé wrote:
> Today I found this in /var/log/security.log:
> Security Warning: the md5 checksum for one of your SUID files has changed, maybe an intruder modified one of these suid binary in order to put in a backdoor...
> - Checksum changed files : /usr/X11R6/bin/Xwrapper
>
> Looking through the file I found the same message again logged a week ago.
> It's my home computer and it's connected to the Net only a few hours a day.
> I have apache running but I haven't set up any firewalls.
The X server has to run with root permission; however, regular
users sometimes need to use it, so Xwrapper is used to give root
permission, instead of making the X server itself setuid root.
http://project.honeynet.org/challen.../peter/rkit.txt
http://linux-sxs.org/scheck.html
--
Michael J. Tobler: motorcyclist, surfer, skydiver, and author: "Inside Linux", "C++ HowTo", "C++ Unleashed"
# Black holes result when God divides the universe by zero