I am not sure if I had a compromise, but I wanted some other input. I noticed this in my daily security run output:

pc1 setuid diffs:
19c19
< 365635 -rwsr-xr-x 1 root wheel 204232 Sep 27 21:23:19 2003 /usr/X11R6/bin/xscreensaver
---
> 365781 -rwsr-xr-x 1 root wheel 205320 Dec 4 07:55:59 2003 /usr/X11R6/bin/xscreensaver

It was the only file listed and I didn't remember changing anything on my pc having to do with the screensaver, and can't even remember for sure if I was on my computer at that time. I also noticed this message on my screen (I still have syslogd write some messages there):

Dec 4 07:54:13 pc1 /kernel: pid 62069 (msgfmt), uid 0: exited on signal 6 (core dumped)
Dec 4 07:57:04 pc1 /kernel: pid 64543 (msgfmt), uid 0: exited on signal 6 (core dumped)

When looking in /usr/X11R6/bin I saw some other files that were modified around this time. I didn't have a reason to modify these other files so I don't think it was me.

drwxr-xr-x 3 root wheel 10752 Dec 4 09:18 ./
-r--r--r-- 1 root wheel 5324 Dec 4 09:18 qtrename140
-r--r--r-- 1 root wheel 8065 Dec 4 09:18 qt20fix
-r--r--r-- 1 root wheel 218708 Dec 4 09:18 moc2
-r--r--r-- 1 root wheel 4160 Dec 4 09:18 findtr
-r--r--r-- 1 root wheel 206044 Dec 4 09:18 uic
-r--r--r-- 1 root wheel 41964 Dec 4 07:57 xscreensaver-gl-helper
dr--r--r-- 2 root wheel 3584 Dec 4 07:57 xscreensaver-hacks/
-r--r--r-- 1 root wheel 988 Dec 4 07:56 screensaver-properties-capplet
-r--r--r-- 1 root wheel 4790 Dec 4 07:56 xscreensaver-getimage-video
-r--r--r-- 1 root wheel 116916 Dec 4 07:56 xscreensaver-getimage
-r--r--r-- 1 root wheel 7271 Dec 4 07:56 xscreensaver-getimage-file
-r--r--r-- 1 root wheel 168360 Dec 4 07:56 xscreensaver-demo
-r--r--r-- 1 root wheel 205320 Dec 4 07:55 xscreensaver
-r--r--r-- 1 root wheel 17624 Dec 4 07:55 xscreensaver-command

I have since made them all read only since I didn't want to run them in case they had a trojan.

So, my question is did I have a break-in? This machine is accessible only as a web server through NAT and ipfw (if I configured my ipfw correctly). I had just installed Apache 1.3.29.

Second, what are people using for intrusion detection? This is something I have thought about but never really thought I needed until now.

Thanks,
Craig
> So, my question is did I have a break-in? This machine is accessible only
> as a web server through NAT and ipfw (if I configured my ipfw correctly). I
> had just installed the Apache 1.3.29.
>
> Second, what are people using for intrusion detection? This is something I
> have thought about but never really thought I needed until now.

Hi Craig,

Are you sure that you did not install any of the ports around this time? Usually you would see this type of activity when a program is installed. You should probably do a ps aux and sockstat -4 to see what is running and open.

There are two programs that I am familiar with to monitor changes: chkrootkit and tripwire. Chkrootkit is trivial to install but tripwire is a much more complete package. I am sure there are others here that can provide much more insight to this.

Thanks.
Lewis
> Second, what are people using for intrusion detection? This is something I
> have thought about but never really thought I needed until now.

No production environment should be without Tripwire (1.3 is my favorite version). With the right wrapper script <http://www.roble.com/docs/twcheck> and off-line backups it's impossible to compromise a system without being detected. Nothing beats the relief you'll feel when tripwire gives your system a clean bill of health after finding some suspicious logs.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
On Sun, Dec 07, 2003 at 09:14:56AM -0800, Craig Riter wrote:
> It was the only file listed and I didn't remember changing anything on my pc
> having to do with the screensaver and can't even remember for sure if I was
> on my computer at that time.

Try:

ls -l /var/db/pkg

and see if any ports were modified at that time. You can also use 'last' to check if you were logged in around that time.

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
Hi there,

About file integrity check (only one piece of the puzzle, but a necessary one): use aide (the last tripwire is yet to be updated, do not compile it; see the maintainer's work). To prevent the mentioned attacks, keep your hashes OFF your box. To compute/verify hashes, always boot from a secure live CD. Downside: you have to do this at each update.

To maintain the level of security, try something like:

1. Boot the secure CD.
2. Verify the hashes by comparing to the last version from the external source (use a log; better than overriding previous hashes).
3. If OK, do the update (have your sources downloaded locally beforehand and verified; the FreeBSD online update system is yet to be secured: see the list discussion).
   [Paranoia: 4. Boot your safe CD again and recompute & save the new hashes.]
4. Recompute the new hashes and save them externally.

Add-on: you should do this offline to remove the window of opportunity in step 3, while updating the tracked files.

Hope this helps,
/Dorin.

PS. If you have a web server, I'd rather start by adding at least some kind of firewall and an external syslog before thinking of the file integrity check anyway.

> Second, what are people using for intrusion
> detection? This is something I
> have thought about but never really thought I
> needed until now.
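The "setuid diffs" block in Craig's daily security output is what FreeBSD's periodic security scripts produce by diffing today's listing of setuid/setgid files against yesterday's; the procedure Dorin describes moves that comparison off the box and adds content hashes so a replaced binary is caught even when its mode is unchanged. The script below is an added example written for this thread, not code from any poster, from tripwire/aide or from the FreeBSD base system. It builds a manifest (mode, owner, group, size, SHA-256, path) for a list of tracked files and compares it with a baseline manifest that is meant to live on external media. It assumes sha256sum (Linux) or sha256 (FreeBSD) is available, falling back to cksum only as a last resort; the function names find_setuid, build_manifest and compare_manifests are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: an off-box file-integrity check in
# the spirit of the "setuid diffs" report and of the boot-from-CD /
# compare-to-external-hashes procedure above. All function names are the
# example's own.

# Print the SHA-256 of a file using whichever tool the system provides
# (sha256sum on Linux, sha256 on FreeBSD). cksum is a last-resort fallback
# only: a CRC is trivially forgeable, so its output is labelled as such.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        printf 'cksum:%s\n' "$(cksum "$1" | awk '{print $1}')"
    fi
}

# List regular files with the setuid or setgid bit set under DIR, sorted so
# that two runs over the same tree produce the same order.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Read one path per line on stdin and emit a tab-separated manifest line:
#   mode  owner  group  size  sha256  path
# Mode, owner, group and size are taken from ls -l so that a changed mode
# (e.g. a setuid bit appearing) is caught even when the contents match.
build_manifest() {
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        set -- $(ls -ld "$f" | awk '{print $1, $3, $4, $5}')
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4" "$(hash_file "$f")" "$f"
    done
}

# Compare a baseline manifest (kept off the machine: USB stick, CD, remote
# host) with a freshly built one. Prints every ADDED, REMOVED or CHANGED entry
# and returns 1 if there was any, 0 when the two manifests agree.
compare_manifests() {
    changes=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$6] = $0; next }
        {
            seen[$6] = 1
            if (!($6 in base))       print "ADDED   " $0
            else if (base[$6] != $0) print "CHANGED " base[$6] "\n     -> " $0
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " base[p] }
    ' "$1" "$2")
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Command-line front end (hypothetical file name integrity.sh):
#   sh integrity.sh manifest /usr/X11R6/bin > /mnt/usb/manifest.$(date +%Y%m%d)
#   sh integrity.sh compare  /mnt/usb/manifest.20031127 /tmp/manifest.now
case "${1-}" in
    manifest) find_setuid "$2" | build_manifest ;;
    compare)  compare_manifests "$2" "$3" ;;
esac
```

Run `manifest` from the live CD against the mounted disk and store the output on the external medium; later, `compare` the stored copy with a fresh manifest. A manifest left on the box can be rewritten by whoever replaced the binaries, which is the reason for keeping the hashes off the machine. A mode-only change (the setuid bit appearing on a file whose size and hash still match) is reported as CHANGED, which is the case the daily setuid report exists to catch.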
Petri Riihikallio
2003-Dec-08 12:40 UTC
LKM support (Was: Re: possible compromise or just misreading logs)
> On that note, is there any way to disable LKM support in FreeBSD? Or is
> that what NO_MODULES does?

Set the security level to one or above in rc.conf.

--
Cheers
Petri
GSM: (+358400 | 0400) 505 939