Hello again,

Here is what I make of my evidence at the end of a quite anxious day. I would highly appreciate any comments on my conclusions!
> > Checking 'bindshell'... INFECTED [PORTS: 1524 31337]

At this point I believe to be able to attribute this to portsentry running - '/etc/init.d/portsentry stop' makes it go away, '/etc/init.d/portsentry start' makes it reappear, and I can create the message on a pristine system by installing portsentry (running in the default configuration).

> Checksecurity reports this:
>
> > Security Violations for su
> > =-=-=-=-=-=-=-=-=-=-=-=-=-
> > Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody

As Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> pointed out in a branch thread:

> That's normal, it's been discussed here before. It
> just needs to be added to logcheck patterns, a bug should be filed.

Digging in the logs also showed this to be happening around 6:30 every morning - it must be related to one of my cron jobs that are being triggered then, as /etc/crontab reads

25 6 * * * root test -e /usr/bin/anachron || run-parts --report /etc/cron.daily

> 'tiger' also reports - while performing signature check of system
> binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
> and /usr/bin/inetd do not match. This can not be confirmed by aide
> (cd-burned database, unsafe binary) or debsums (unsafe binary).

Javier stated as well:

> Do _not_ rely on that if you are _not_ using a stable system.... (and
> really, even then, unless you've regenerated the database yourself).

This is a testing/unstable system.

Now the conclusion: at this point there doesn't seem to be any real evidence for compromise over here. My current working hypothesis is that one of the packages involved had an update recently - I haven't really paid attention to what happened during my updates - and I started to see some log extracts I wasn't used to and couldn't make proper sense of, and panicked. If you don't buy this: please let me know and why.
Since we are talking 20+ systems being dependent on one of the machines in question, I'm considering myself biased due to installation anxiety.

Hope to hear from you,
Joh
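The triage the poster did by hand (stop portsentry, see whether chkrootkit's bindshell warning goes away) can be made repeatable by correlating the ports chkrootkit flags with the process that actually owns each listening socket. The script below is an added example, not code from the poster or from chkrootkit; it parses a constructed `ss -ltnp`-style listing and a constructed chkrootkit line, and the names `EXPECTED_LISTENERS`, `parse_ss_listeners` and `triage` are my own. A flagged port owned by a process you expect (here portsentry) is explained; a flagged port with no owner or an unexpected owner is what still needs a look.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `ss -ltnp` output (not captured from the poster's system).
# The last line has no Process column, as ss prints when run without privileges.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       10      0.0.0.0:1524        0.0.0.0:*          users:(("portsentry",pid=1203,fd=5))
LISTEN  0       10      0.0.0.0:31337       0.0.0.0:*          users:(("portsentry",pid=1203,fd=7))
LISTEN  0       10      0.0.0.0:2222        0.0.0.0:*
"""

# Constructed chkrootkit line in the bracketed form shown in the post.
SAMPLE_CHKROOTKIT_LINE = "Checking 'bindshell'... INFECTED [PORTS: 1524 31337 2222]"

# Daemons that legitimately bind decoy ports on this host (assumption for the example).
EXPECTED_LISTENERS: Set[str] = {"portsentry"}


def parse_chkrootkit_ports(line: str) -> List[int]:
    """Extract the port numbers from a chkrootkit bindshell INFECTED line."""
    m = re.search(r"PORTS:\s*([\d\s]+)", line)
    return [int(p) for p in m.group(1).split()] if m else []


def parse_ss_listeners(text: str) -> Dict[int, Optional[str]]:
    """Map each LISTEN port to the owning process name, or None if ss showed none."""
    listeners: Dict[int, Optional[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or non-listening socket
        port = int(parts[3].rsplit(":", 1)[1])
        proc = None
        if len(parts) >= 6:
            m = re.search(r'users:\(\("([^"]+)"', parts[5])
            proc = m.group(1) if m else None
        listeners[port] = proc
    return listeners


def triage(flagged: List[int], listeners: Dict[int, Optional[str]],
           expected: Set[str]) -> Tuple[Dict[int, str], List[Tuple[int, Optional[str]]]]:
    """Split flagged ports into (explained by an expected daemon, still unexplained)."""
    explained: Dict[int, str] = {}
    unexplained: List[Tuple[int, Optional[str]]] = []
    for port in flagged:
        proc = listeners.get(port)
        if proc is not None and proc in expected:
            explained[port] = proc
        else:
            unexplained.append((port, proc))
    return explained, unexplained


def run_sample() -> Tuple[Dict[int, str], List[Tuple[int, Optional[str]]]]:
    """Run the triage over the constructed inputs above."""
    flagged = parse_chkrootkit_ports(SAMPLE_CHKROOTKIT_LINE)
    return triage(flagged, parse_ss_listeners(SAMPLE_SS_OUTPUT), EXPECTED_LISTENERS)


if __name__ == "__main__":
    explained, unexplained = run_sample()
    for port, proc in explained.items():
        print(f"port {port}: explained, bound by {proc}")
    for port, proc in unexplained:
        print(f"port {port}: UNEXPLAINED (owner: {proc or 'unknown, rerun ss as root'})")
```

On a live host, replace the constructed sample with the real output of `ss -ltnp` run as root, since without privileges the Process column is empty and every flagged port will show up as unexplained. The check only says whether a flagged port is owned by a daemon you already trust; it does not verify the daemon's binary, which is what the aide/debsums comparison in the post is for.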