You might consider keeping a digest of your system.  I have a daily job
that runs to track any changes to new/changed files. Specifically this
compares gid, uid, size, # of hard links, if it is a symlink where it
points to, its SHA1 digest. Now on my system I have it easy since
OpenBSD provides mtree which makes all that easy. You may want to get
mtree, code something simple up (this *is* a pretty trivial application)
or get something else like say, tripwire. I always got the impression that
tripwire was for other blokes with more time to configure and manage
things so the mtree way works wonders for me.

Oh yeah, and unless I'm mistaken somehow - I get lots of extra noise when
I compare modification dates. By sticking to the digest it makes the daily
noise go down.

Joshua Jore
Minneapolis Ward 3, precinct 10
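As an added example (my own code, not something from Joshua's or Jim's messages), here is a minimal version of the digest job Joshua describes, written in Python for a Linux box rather than using OpenBSD's mtree. It records the same attributes he lists (uid, gid, size, hard-link count, symlink target, SHA1 of regular files) and deliberately not mtime, so a bare touch produces no noise. The demo() scenario is constructed sample data in a throwaway directory; the rc.sysinit line and the /usr/bin/sourcemask path mirror what Jim reports finding in the quoted message below, and the file contents are placeholders.

```python
"""mtree-style integrity snapshot (added example, not from the thread):
per path record uid, gid, size, hard-link count, symlink target and the SHA1
of regular files; mtime is left out so a bare touch is not a 'change'."""
import hashlib
import os
import shutil
import stat
import tempfile


def sha1_of(path):
    """Stream a regular file through SHA1 so big files stay off the heap."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative path: attributes} for everything below root.
    lstat() records a symlink with its target instead of following it, and
    os.walk() does not descend into symlinked directories."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {"uid": st.st_uid, "gid": st.st_gid,
                     "size": st.st_size, "nlink": st.st_nlink}
            if stat.S_ISLNK(st.st_mode):
                entry["type"], entry["target"] = "link", os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                entry["type"], entry["sha1"] = "file", sha1_of(full)
            elif stat.S_ISDIR(st.st_mode):
                entry["type"] = "dir"
            else:
                entry["type"] = "other"  # device, fifo, socket
            spec[os.path.relpath(full, root)] = entry
    return spec


def compare(old, new):
    """Diff two snapshots: {path: 'added' | 'removed' |
    {attribute: (old, new)}}; unchanged paths are omitted."""
    report = {}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report[path] = "added"
        elif path not in new:
            report[path] = "removed"
        else:
            a, b = old[path], new[path]
            diff = {k: (a.get(k), b.get(k))
                    for k in set(a) | set(b) if a.get(k) != b.get(k)}
            if diff:
                report[path] = diff
    return report


def demo():
    """Constructed scenario (sample data, not from the thread): a throwaway
    tree where a command is appended to rc.sysinit, a file is only touched,
    a new binary appears and a symlink is re-pointed.  Returns the report."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc", "rc.d"))
        os.makedirs(os.path.join(root, "usr", "bin"))
        sysinit = os.path.join(root, "etc", "rc.d", "rc.sysinit")
        hosts = os.path.join(root, "etc", "hosts")
        link = os.path.join(root, "etc", "hosts.lnk")
        with open(sysinit, "w") as f:
            f.write("#!/bin/sh\n# system init\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        os.symlink("hosts", link)
        baseline = snapshot(root)

        with open(sysinit, "a") as f:
            f.write("/usr/bin/sourcemask\n")  # the kind of line Jim found
        os.utime(hosts, None)                  # mtime only; digest unchanged
        with open(os.path.join(root, "usr", "bin", "sourcemask"), "wb") as f:
            f.write(b"placeholder bytes, not a real binary")
        os.remove(link)
        os.symlink("passwd", link)             # same name, new target
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, what in sorted(demo().items()):
        print(path, what)
```

To turn this into the daily job, run snapshot() from cron, persist the baseline with json.dump, and compare against it; do not let the job overwrite the baseline automatically, and keep that baseline where root on the monitored box cannot rewrite it (another host, or read-only media), because an attacker who already has root can edit the spec as easily as the files. SHA1 matches the 2001 post; for a job written today swap in hashlib.sha256, since SHA1 collisions have been demonstrated.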

On Fri, 19 Oct 2001, Jim Herrick wrote:

> I normally take a look at ps -ef when I login to my "main" machine.  It
> functions as a server of DNS, HTTP, IMAP and SENDMAIL connected to the
> Internet.  When I did so tonight, I noticed a funny user id doing things...
>
> They were trying to run /bin/ping to WWW.YAHOO.COM and /bin/ftp to
> somewhere...  I removed both of these ASAP.
>
> From an SSH shell, before which I manually started sshd, I got:
>
> [jim at host210 jim]$ su
> Password:
> [root at host210 jim]# ps -ef
>   PID TTY STAT  TIME COMMAND
>   545   1 S    0:00 login -- root
>   607   2 S    0:00 /sbin/mingetty tty2 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>   608   3 S    0:00 /sbin/mingetty tty3 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>   609   4 S    0:00 /sbin/mingetty tty4 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>   610   5 S    0:00 /sbin/mingetty tty5 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>   611   6 S    0:00 /sbin/mingetty tty6 HOME=/ TERM=linux BOOT_IMAGE=linux AUTOBOOT=YES PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/
>
> Weird!  When I ran the following command ( ps -aux ) the first time, I
> noticed the commands referenced above (FTP and PING) even after rebooting
> the machine twice.
>
> [root at host210 jim]# ps -aux
> USER       PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
> nobody     497  0.1  3.2 43724  8504  ?  S   02:07   0:01 httpd -DSSL
> nobody     498  0.0  2.7 42528  7000  ?  S   02:07   0:00 httpd -DSSL
> nobody     499  0.1  3.4 44192  8900  ?  S   02:07   0:01 httpd -DSSL
> nobody     500  0.2  3.2 43720  8500  ?  S   02:07   0:03 httpd -DSSL
> nobody     501  0.0  2.7 42528  7000  ?  S   02:07   0:00 httpd -DSSL
> nobody     502  0.0  3.2 43596  8332  ?  S   02:07   0:01 httpd -DSSL
> nobody     503  0.1  3.5 44528  9248  ?  S   02:07   0:01 httpd -DSSL
> nobody     504  0.0  2.7 42528  6996  ?  S   02:07   0:00 httpd -DSSL
> nobody     789  0.0  2.7 42528  6992  ?  S   02:20   0:00 httpd -DSSL
> root         1  0.2  0.1  1104   460  ?  S   02:06   0:03 init [3]
> root         3  0.0  0.0     0     0  ?  SW  02:06   0:00 (kupdate)
> root         4  0.0  0.0     0     0  ?  SW  02:06   0:00 (kpiod)
> root         6  0.0  0.0     0     0  ?  SW< 02:06   0:00 (mdrecoveryd)
> root       342  0.0  0.2  1304   600  ?  S   02:06   0:00 crond
> root       358  0.0  0.1  1120   480  ?  S   02:06   0:00 inetd
> root       374  0.0  0.5  2272  1480  ?  S   02:07   0:00 named
> root       435  0.6  2.6 42412  6788  ?  S   02:07   0:07 httpd -DSSL
> root       545  0.0  0.4  2196  1148   1 S   02:08   0:00 login -- root
> root       607  0.0  0.1  1076   384   2 S   02:08   0:00 /sbin/mingetty tty2
> root       608  0.0  0.1  1076   384   3 S   02:08   0:00 /sbin/mingetty tty3
> root       609  0.0  0.1  1076   384   4 S   02:08   0:00 /sbin/mingetty tty4
> root       610  0.0  0.1  1076   384   5 S   02:08   0:00 /sbin/mingetty tty5
> root       611  0.0  0.1  1076   384   6 S   02:08   0:00 /sbin/mingetty tty6
> [root at host210 jim]#
>
> ---
>
> I started looking at recently modified files (this is the key to tracking
> this problem down, I believe) and noticed the following few files.
>
> ---
>
> [root at host210 /etc]# more mtab
> /dev/hda8 / ext2 rw 0 0
> none /proc proc rw 0 0
> /dev/hda1 /boot ext2 rw 0 0
> /dev/hda6 /home ext2 rw 0 0
> /dev/hda5 /usr ext2 rw 0 0
> /dev/hda7 /var ext2 rw 0 0
> /dev/hdb1 /www ext2 rw 0 0
> none /dev/pts devpts rw,gid=5,mode=620 0 0      *** Is this line weird?
>
> [root at host210 /etc]# more ftpaccess
> #class   all   real,guest,anonymous  *
>
> email root at localhost
>
> loginfails 5
>
> readme  README*    login
> readme  README*    cwd=*
>
> message /welcome.msg            login
> message .message                cwd=*
>
> compress        yes     real
> tar             yes     real
> chmod           no      guest,anonymous
> delete          no      guest,anonymous
> overwrite       no      guest,anonymous
> rename          no      guest,anonymous
>
> log transfers   real,anonymous  inbound,outbound
>
> shutdown /etc/shutmsg
>
> passwd-check rfc822 warn
> tar             no      guest,anonymous
> compress        no      guest,anonymous
> chmod           yes     real
> delete          yes     real
> overwrite       yes     real
> rename          yes     real
>
> ---
>
> When I found the following:
>
> /usr/bin/sourcemask
>
> on the last line of my /etc/rc.d/rc.sysinit I did a google search for it and
> found two (non-english) references at google.com.  Translated, from French,
> the first is:
>
> http://translate.google.com/translate?hl=en&sl=fr&u=http://www.up.univ-mrs.fr/wcri/d_serv/d_reseau/d_cert/certmsgSTAT013&prev=/search%3Fq%3D/usr/bin/sourcemask%26hl%3Den
>
> It's related to a known exploit in RedHat 6.1.  Obviously, I'm reinstalling
> this machine tonight (with RedHat 7.2 - beta, I guess) and installing
> Bastille, PortSentry and Logcheck (I guess RedHat 7.2 has a logwatcher app
> built-in) before I even connect it to the net!!!
>
> I basically backed up /etc and /home (including an "installs" directory) to
> my Winders box.  Hopefully this helps quite a bit.
>
> Could be a long night...
>
> Jim "BleedPurpleGuy" Herrick
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>