You might consider keeping a digest of your system. I have a daily job that
runs to track any changes to new/changed files. Specifically, this compares
gid, uid, size, # of hard links, if it is a symlink where it points to, and
its SHA1 digest. Now on my system I have it easy since OpenBSD provides mtree,
which makes all that easy. You may want to get mtree, code something simple up
(this *is* a pretty trivial application) or get something else like, say,
tripwire. I always got the impression that tripwire was for other blokes with
more time to configure and manage things, so the mtree way works wonders for
me.

Oh yeah, and unless I'm mistaken somehow - I get lots of extra noise when I
compare modification dates. By sticking to the digest it makes the daily noise
go down.

Joshua Jore
Minneapolis Ward 3, precinct 10

On Fri, 19 Oct 2001, Jim Herrick wrote:

> I normally take a look at ps -ef when I login to my "main" machine. It
> functions as a server of DNS, HTTP, IMAP and SENDMAIL connected to the
> Internet. When I did so tonight, I noticed a funny user id doing things...
>
> They were trying to run /bin/ping to WWW.YAHOO.COM and /bin/ftp to
> somewhere... I removed both of these ASAP.
>
> From an SSH shell, before which I manually started sshd, I got:
>
> [jim at host210 jim]$ su
> Password:
> [root at host210 jim]# ps -ef
>   PID TTY STAT TIME COMMAND
>   545   1 S    0:00 login -- root
>   607   2 S    0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>   608   3 S    0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>   609   4 S    0:00 /sbin/mingetty tty4 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>   610   5 S    0:00 /sbin/mingetty tty5 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>   611   6 S    0:00 /sbin/mingetty tty6 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>
> Weird! When I ran the following command ( ps -aux ) the first time, I
> noticed the commands referenced above (FTP and PING) even after rebooting
> the machine twice.
>
> [root at host210 jim]# ps -aux
> USER       PID %CPU %MEM  SIZE  RSS TTY STAT START   TIME COMMAND
> nobody     497  0.1  3.2 43724 8504  ?  S    02:07   0:01 httpd -DSSL
> nobody     498  0.0  2.7 42528 7000  ?  S    02:07   0:00 httpd -DSSL
> nobody     499  0.1  3.4 44192 8900  ?  S    02:07   0:01 httpd -DSSL
> nobody     500  0.2  3.2 43720 8500  ?  S    02:07   0:03 httpd -DSSL
> nobody     501  0.0  2.7 42528 7000  ?  S    02:07   0:00 httpd -DSSL
> nobody     502  0.0  3.2 43596 8332  ?  S    02:07   0:01 httpd -DSSL
> nobody     503  0.1  3.5 44528 9248  ?  S    02:07   0:01 httpd -DSSL
> nobody     504  0.0  2.7 42528 6996  ?  S    02:07   0:00 httpd -DSSL
> nobody     789  0.0  2.7 42528 6992  ?  S    02:20   0:00 httpd -DSSL
> root         1  0.2  0.1  1104  460  ?  S    02:06   0:03 init [3]
> root         3  0.0  0.0     0    0  ?  SW   02:06   0:00 (kupdate)
> root         4  0.0  0.0     0    0  ?  SW   02:06   0:00 (kpiod)
> root         6  0.0  0.0     0    0  ?  SW<  02:06   0:00 (mdrecoveryd)
> root       342  0.0  0.2  1304  600  ?  S    02:06   0:00 crond
> root       358  0.0  0.1  1120  480  ?  S    02:06   0:00 inetd
> root       374  0.0  0.5  2272 1480  ?  S    02:07   0:00 named
> root       435  0.6  2.6 42412 6788  ?  S    02:07   0:07 httpd -DSSL
> root       545  0.0  0.4  2196 1148  1  S    02:08   0:00 login -- root
> root       607  0.0  0.1  1076  384  2  S    02:08   0:00 /sbin/mingetty tty2
> root       608  0.0  0.1  1076  384  3  S    02:08   0:00 /sbin/mingetty tty3
> root       609  0.0  0.1  1076  384  4  S    02:08   0:00 /sbin/mingetty tty4
> root       610  0.0  0.1  1076  384  5  S    02:08   0:00 /sbin/mingetty tty5
> root       611  0.0  0.1  1076  384  6  S    02:08   0:00 /sbin/mingetty tty6
> [root at host210 jim]#
>
> ---
>
> I started looking at recently modified files (this is the key to tracking
> this problem down, I believe) and noticed the following few files.
>
> ---
>
> [root at host210 /etc]# more mtab
> /dev/hda8 / ext2 rw 0 0
> none /proc proc rw 0 0
> /dev/hda1 /boot ext2 rw 0 0
> /dev/hda6 /home ext2 rw 0 0
> /dev/hda5 /usr ext2 rw 0 0
> /dev/hda7 /var ext2 rw 0 0
> /dev/hdb1 /www ext2 rw 0 0
> none /dev/pts devpts rw,gid=5,mode=620 0 0     *** Is this line weird?
>
> [root at host210 /etc]# more ftpaccess
> #class all real,guest,anonymous *
>
> email root at localhost
>
> loginfails 5
>
> readme README* login
> readme README* cwd=*
>
> message /welcome.msg login
> message .message cwd=*
>
> compress yes real
> tar yes real
> chmod no guest,anonymous
> delete no guest,anonymous
> overwrite no guest,anonymous
> rename no guest,anonymous
>
> log transfers real,anonymous inbound,outbound
>
> shutdown /etc/shutmsg
>
> passwd-check rfc822 warn
> tar no guest,anonymous
> compress no guest,anonymous
> chmod yes real
> delete yes real
> overwrite yes real
> rename yes real
>
> ---
>
> When I found the following:
>
> /usr/bin/sourcemask
>
> on the last line of my /etc/rc.d/rc.sysinit I did a google search for it and
> found two (non-English) references at google.com. Translated, from French,
> the first is:
>
> http://translate.google.com/translate?hl=en&sl=fr&u=http://www.up.univ-mrs.fr/wcri/d_serv/d_reseau/d_cert/certmsgSTAT013&prev=/search%3Fq%3D/usr/bin/sourcemask%26hl%3Den
>
> It's related to a known exploit in RedHat 6.1. Obviously, I'm reinstalling
> this machine tonight (with RedHat 7.2 - beta, I guess) and installing
> Bastille, PortSentry and Logcheck (I guess RedHat 7.2 has a logwatcher app
> built-in) before I even connect it to the net!!!
>
> I basically backed up /etc and /home (including an "installs" directory) to
> my Winders box. Hopefully this helps quite a bit.
>
> Could be a long night...
>
> Jim "BleedPurpleGuy" Herrick
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
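The daily compare Joshua describes at the top of this message (uid, gid, size, hard-link count, symlink target and SHA1 digest recorded, modification time deliberately left out) written as a small stand-alone script. This is an added example, not Joshua's mtree job and not code from anyone in the thread. The scratch tree it baselines and every byte in it are constructed for the demo; the names ping, rc.sysinit and motd only echo what Jim was looking at and carry no other meaning.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# One record per path: uid, gid, size, hard-link count, symlink target, SHA-1.
# Modification time is deliberately absent: it changes on every touch and
# would swamp the daily compare with noise.
FIELDS = ("uid", "gid", "size", "nlink", "link", "sha1")
Record = Tuple[int, int, int, int, Optional[str], Optional[str]]
Manifest = Dict[str, Record]


def sha1_of(path: str) -> str:
    """SHA-1 of a regular file, streamed so large binaries are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record(path: str) -> Record:
    """Describe one path. lstat() so a symlink is recorded as itself rather than
    as its target; only regular files get a digest, only symlinks get a target."""
    st = os.lstat(path)
    target = os.readlink(path) if stat.S_ISLNK(st.st_mode) else None
    digest = sha1_of(path) if stat.S_ISREG(st.st_mode) else None
    return (st.st_uid, st.st_gid, st.st_size, st.st_nlink, target, digest)


def build_manifest(root: str) -> Manifest:
    """Manifest of every file and symlink under root, keyed by path relative to root.
    Directories themselves are not recorded (their st_size differs by filesystem),
    and symlinks are never followed, so a link pointing outside root cannot pull
    foreign files into the baseline."""
    manifest: Manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk lists symlinks-to-directories under dirnames; record them as links.
        entries = filenames + [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in entries:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = record(full)
    return manifest


def diff_manifests(old: Manifest, new: Manifest) -> Dict[str, object]:
    """Compare two manifests: new paths, vanished paths, and for surviving paths
    the list of fields that differ (in FIELDS order)."""
    changed: Dict[str, List[str]] = {}
    for path in sorted(set(old) & set(new)):
        diffs = [f for f, a, b in zip(FIELDS, old[path], new[path]) if a != b]
        if diffs:
            changed[path] = diffs
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": changed,
    }


def demo() -> Dict[str, object]:
    """Constructed scenario (scratch directory, made-up contents): baseline a small
    tree, then make the kinds of change a daily compare should and should not flag."""
    root = tempfile.mkdtemp(prefix="digest-demo-")
    try:
        os.mkdir(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ping"), "wb") as f:
            f.write(b"original ping binary\n")  # 21 bytes
        with open(os.path.join(root, "rc.sysinit"), "wb") as f:
            f.write(b"#!/bin/sh\necho boot\n")
        with open(os.path.join(root, "motd"), "wb") as f:
            f.write(b"welcome\n")
        os.symlink("bin/ping", os.path.join(root, "ping-link"))
        baseline = build_manifest(root)

        # mtime-only change: must NOT appear in the report
        os.utime(os.path.join(root, "motd"), (0, 0))
        # same size, different bytes: only the digest catches this
        with open(os.path.join(root, "bin", "ping"), "r+b") as f:
            f.write(b"Original")
        # a line appended to the boot script: size and digest change
        with open(os.path.join(root, "rc.sysinit"), "ab") as f:
            f.write(b"echo appended\n")
        # an extra hard link to the boot script: nlink changes and a new path appears
        os.link(os.path.join(root, "rc.sysinit"), os.path.join(root, "rc.copy"))
        # symlink repointed to a same-length target: only the target differs
        os.remove(os.path.join(root, "ping-link"))
        os.symlink("bin/pong", os.path.join(root, "ping-link"))
        # brand-new file
        with open(os.path.join(root, "new.conf"), "wb") as f:
            f.write(b"x\n")

        return diff_manifests(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In use, build_manifest would run once against / (or the filesystems you care about) and the result be stored somewhere the box cannot overwrite, then the cron job rebuilds and calls diff_manifests against the stored copy. The report from demo shows why the digest matters more than the timestamp: the touched motd is silent, while the same-size edit to bin/ping surfaces only through "sha1".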