View Issue Details

ID: 0000748
Project: administration
Category: security-placeholder
View Status: public
Last Update: 2005-02-23 16:15
Reporter: herrold
Priority: low
Severity: minor
Reproducibility: always
Status: resolved
Resolution: no change required
Platform: Other
OS: other
OS Version:
Product Version: unspecified
Target Version:
Fixed in Version:
Summary: 0000748: compromise report - centos-__
Description: placeholder pending fixup of CC
Tags: No tags attached.

Activities

herrold

2005-01-12 22:32

reporter   ~0002260

update CC, etc for proper visibility

herrold

2005-01-12 22:34

reporter   ~0002261

Date: Wed, 12 Jan 2005 21:01:32 -0000
From: Gerrold Kuijpers <gkuijpers@gh3l.com>
To: security@centos.org
Subject: a cAos SECURITY] Tripwir report


L.S.,

On my Centos3 server I run tripwire to spot any changes to system files.
Last week I suddenly noticed the following changes which I cannot explain.
They appeared over a period of 3 days, in which no updates were installed.

I host a website on the box, which is behind a firewall that only allows
traffic on port 80 to reach this box. I have installed all the patches using
yum.

Is it possible that someone has managed to 'hack' into the box using an (to
me) unknown vulnerability?

Any feedback would be greatly appreciated.

Kind regards,
Gerrold Kuijpers

Modified:
"/lib/ssa/gcc-lib/i386-redhat-linux-gnu/3.5-tree-ssa/include/c++/i386-redhat-linux-gnu/bits/stdc++.h.gch/O2g"

Modified:
"/etc/httpd/conf"

Modified:
"/usr/lib/openoffice/program/libsvx641li.so"
"/usr/lib/openoffice/program/libvcl641li.so"
"/usr/lib/mozilla-1.4.3/components"
"/usr/lib/mozilla-1.4.3/components/compreg.dat"
"/usr/lib/rpmdb/i386-redhat-linux/redhat"
"/usr/lib/rpmdb/i386-redhat-linux/redhat/__db.001"
"/usr/lib/rpmdb/i386-redhat-linux/redhat/__db.002"
"/usr/lib/rpmdb/i386-redhat-linux/redhat/__db.003"

Modified:
"/usr/sbin/postdrop"
"/usr/sbin/siggen"


====================================
Reply:

Date: Wed, 12 Jan 2005 17:29:11 -0500 (EST)
From: R P Herrold <herrold@owlriver.com>
To: Gerrold Kuijpers <gkuijpers@gh3l.com>
Cc: security@centos.org
Subject: a cAos SECURITY] Re: a cAos SECURITY] Tripwir report

On Wed, 12 Jan 2005, Gerrold Kuijpers wrote:

> Is it possible that someone has managed to 'hack' into the box using an
> (to
> me) unknown vulnerability?

Of course almost anything is possible, but ... Is the email reply going to
an address NOT in the network segment of the possibly compromised unit? Did
you harden the host (removing unneeded packages), and lock down ports? What
does nmap from outside that host toward it, and a snort in the network
segment say? Does tcpdump show any non-inbound port 80 traffic?

> Modified:
> "/lib/ssa/gcc-lib/i386-redhat-linux-gnu/3.5-tree-ssa/include/c++/i386-redh
> at
> -linux-gnu/bits/stdc++.h.gch/O2g"

I do not show this on my unit -- what package owns this? run:

  rpm -qf /lib/ssa/gcc-lib/i386-redhat-linux-gnu/3.5-tree-ssa/include/c++/i386-redhat-linux-gnu/bits/stdc++.h.gch

> Modified:
> "/etc/httpd/conf"

possibly from configuring a webserver?

> Modified:
> "/usr/lib/openoffice/program/libsvx641li.so"
> "/usr/lib/openoffice/program/libvcl641li.so"
> "/usr/lib/mozilla-1.4.3/components"
> "/usr/lib/mozilla-1.4.3/components/compreg.dat"

Why is open office on a webserver?

Why is mozilla on a webserver?

> "/usr/lib/rpmdb/i386-redhat-linux/redhat"
> "/usr/lib/rpmdb/i386-redhat-linux/redhat/__db.001"
> "/usr/lib/rpmdb/i386-redhat-linux/redhat/__db.002"
> "/usr/lib/rpmdb/i386-redhat-linux/redhat/__db.003"

probably normal RPM activity - these are lockfiles and should not be
audited in most tripwire setups

> Modified:
> "/usr/sbin/postdrop"
> "/usr/sbin/siggen"

/usr/sbin/postdrop belongs to postfix -- what does:
         rpm -V postfix
say? I do not recognize siggen what does:
         rpm -qf /usr/sbin/siggen
say?

Please reply to
        security@caosity.org

thanks -- Russ Herrold
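The rpm -qf / rpm -V checks Russ asks for, as an added example that is not part of the bug report or of any CentOS tooling: a script that pulls the quoted paths out of a Tripwire "Modified:" list (re-joining paths the mailer wrapped), asks rpm which package owns each one, checks whether rpm -V reports the file as changed, and treats the rpmdb __db.NNN files as the expected noise the reply describes. The sample report is constructed; the rpm calls are injectable so the logic can run on a host without rpm.

```python
import re
import subprocess

# Constructed sample in the shape of the mailed report: one path wrapped by the
# mailer onto two lines, one "Modified:" fused onto the line of its first path.
SAMPLE_REPORT = '''Modified:
"/lib/ssa/gcc-lib/i386-redhat-linux-gnu/3.5-tree-ssa/include/c++/i386-redhat
-linux-gnu/bits/stdc++.h.gch/O2g"
Modified:"/usr/lib/rpmdb/i386-redhat-linux/redhat/__db.001"
"/usr/sbin/postdrop"
"/usr/sbin/siggen"
'''
# Berkeley DB region files of the rpm database; rewritten by any rpm run.
RPMDB_LOCK = re.compile(r"/__db\.\d{3}$")

def extract_paths(report):
    """Every quoted path in the report, re-joined where the mailer wrapped it."""
    return [m.replace("\n", "") for m in re.findall(r'"([^"]*)"', report)]

def rpm_owner(path):
    """`rpm -qf PATH`: the owning package, or None when no package owns it."""
    r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None

def rpm_verify(package):
    """`rpm -V PKG`: {path: flags} for files that differ from the package."""
    r = subprocess.run(["rpm", "-V", package], capture_output=True, text=True)
    rows = (line.split() for line in r.stdout.splitlines())
    return {p[-1]: p[0] for p in rows if len(p) >= 2 and p[-1].startswith("/")}

def triage(report, owner=rpm_owner, verify=rpm_verify):
    """Verdict per reported path; owner/verify are injectable for hosts without rpm."""
    verdicts = {}
    for path in extract_paths(report):
        if RPMDB_LOCK.search(path):
            verdicts[path] = "rpmdb lock file: expected noise, exclude from the policy"
            continue
        pkg = owner(path)
        if pkg is None:
            verdicts[path] = "not owned by any package: investigate"
            continue
        flags = verify(pkg).get(path)
        verdicts[path] = (f"{pkg}: rpm -V flags {flags}, compare with a clean copy"
                          if flags else f"{pkg}: rpm -V clean, contents match the package")
    return verdicts

if __name__ == "__main__":   # runs the real rpm commands; needs an RPM-based host
    for path, verdict in triage(SAMPLE_REPORT).items():
        print(path, "->", verdict)
```

A path that no package owns, or one whose package fails rpm -V with a 5 (digest) flag, is the case worth pulling a known-good copy of the package for; everything else on the list is explainable by normal package or rpmdb activity.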

herrold

2005-01-12 22:37

reporter   ~0002262

Lance -- this guy is on your side of the Ocean

Registrant:
Gerrold Kuijpers
GH3L IT Ltd
35/12 Orchard Brae Avenue
Edinburgh, Scotland GB
EH4 2UP

Registrar: NameSecure.com
Domain: GH3L.COM
Created on 10-12-1999
Expires on 10-12-2005

Administrative Contact:
Gerrold Kuijpers
Phone: +44-7710-434641
E-mail: gkuijpers@compuserve.com

Technical Contact:
Gerrold Kuijpers
Phone: 07710-434641
E-mail: gkuijpers@compuserve.com

Name Servers:
DNS1.NAMESECURE.COM 64.62.166.88
DNS2.NAMESECURE.COM 206.169.98.34

lance@uklinux.net

2005-01-12 23:01

reporter   ~0002263

Strange changes for rootkit ...

rpm -qf /lib/ssa/gcc-lib/i386-redhat-linux-gnu/3.5-tree-ssa/include/c++/i386-redhat-linux-gnu/bits/stdc++.h.gch/O2g
libstdc++-ssa-devel-3.5ssa-0.20030801.48

would suspect memory or drive problems ...

/usr/sbin/siggen is part of tripwire ...

Lance

user7

2005-01-12 23:03

  ~0002264

Add moi.

herrold

2005-02-23 16:15

reporter   ~0002265

false report - closing

Issue History

Date Modified Username Field Change
2005-01-12 22:32 herrold CC => lance@uklinux.net
2005-01-12 22:32 herrold Status NEW => ASSIGNED
2005-01-12 22:32 herrold QAContact greg@caosity.org => herrold@owlriver.com
2005-01-12 22:32 herrold Summary placeholder => compromise report - centos-__
2005-01-12 22:34 herrold Status ASSIGNED => NEW
2005-01-12 23:03 user7 CC => mej@caosity.org
2005-02-23 16:15 herrold Status NEW => RESOLVED
2005-02-23 16:15 herrold Resolution => INVALID